Storage gateway security model

US 8,639,921 B1
Filed: 06/30/2011
Issued: 01/28/2014
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

instantiating a storage gateway in a customer network;

initiating, by the storage gateway, an activation process with a service provider, wherein the service provider implements a storage service that provides a remote data store to customers of the service provider;

receiving, by the storage gateway during the activation process, security credentials from the service provider;

initiating, by the storage gateway, at least one secure connection to the service provider for remotely managing the storage gateway and for storing customer data to the remote data store via the storage service; and

receiving, by the storage gateway via the at least one secure connection to the service provider, configuration instructions from an administrative process on the customer network, wherein the configuration instructions are specified by the administrative process via a console process of the service provider;

wherein the storage gateway operates as an interface between one or more customer processes on the customer network and the storage service to store customer data to the remote data store.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus, and computer-accessible storage media for implementing a gateway to a remote service provider according to a security model. The gateway serves as an interface between processes on a customer network and the provider, for example to store customer data to a remote data store. The model may include an activation process initiated by the gateway to register with the provider and associate the gateway with a customer account; the gateway is provided with security credentials. The model may also include establishing secure connections to external processes, for example processes of the service provider. The gateway initiates connections; the external processes do not initiate connections. The model may also include the customer managing the gateway through the service provider. The model may also include encrypting communications between the gateway and the provider and the gateway including security credentials in communications to the provider.

Citations

21 Claims

1. A method, comprising:
- instantiating a storage gateway in a customer network;
  
  initiating, by the storage gateway, an activation process with a service provider, wherein the service provider implements a storage service that provides a remote data store to customers of the service provider;
  
  receiving, by the storage gateway during the activation process, security credentials from the service provider;
  
  initiating, by the storage gateway, at least one secure connection to the service provider for remotely managing the storage gateway and for storing customer data to the remote data store via the storage service; and
  
  receiving, by the storage gateway via the at least one secure connection to the service provider, configuration instructions from an administrative process on the customer network, wherein the configuration instructions are specified by the administrative process via a console process of the service provider;
  
  wherein the storage gateway operates as an interface between one or more customer processes on the customer network and the storage service to store customer data to the remote data store.
- View Dependent Claims (2, 3)
- - 2. The method as recited in claim 1, further comprising the storage gateway providing the security credentials obtained from the service provider during the activation process in communications over the secure connection to identify itself to processes of the service provider.
  - 3. The method as recited in claim 2, wherein the storage gateway further operates as an interface between the one or more customer processes on the customer network and the storage service to download customer data from the remote data store, and wherein the storage gateway locally caches frequently accessed customer data.

4. A device, comprising:
- at least one processor; and
  
  a memory comprising program instructions, wherein the program instructions are executable by the at least one processor to implement a gateway process operable to;
  
  initiate an activation process with a service provider, wherein the service provider implements a storage service that provides a remote data store to users of the service provider; and
  
  initiate at least one secure connection to the service provider for remotely managing the gateway process and for storing user data to the remote data store via the storage service;
  
  wherein the gateway process operates as an interface between one or more user processes on a user network and the storage service to store user data to the remote data store.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The device as recited in claim 4, wherein the gateway process is further operable to receive, via the at least one secure connection to the service provider, configuration and management instructions from an administrative process on the user network, wherein the configuration and management instructions are specified by the administrative process via a console process of the service provider.
  - 6. The device as recited in claim 4, wherein the gateway process is further operable to encrypt communications sent to the service provider over the at least one secure connection.
  - 7. The device as recited in claim 4, wherein the gateway process is further operable to provide security credentials obtained from the service provider during the activation process in communications over the secure connection to identify itself to processes of the service provider.
  - 8. The device as recited in claim 4, wherein the gateway process is operable to accept inbound connections only to one or more data ports exposed to the user processes on the user network.
  - 9. The device as recited in claim 4, wherein the gateway process further operates as an interface between the user network and the storage service to download user data from the remote data store.
  - 10. The device as recited in claim 9, wherein the gateway process is further operable to locally cache frequently accessed data.
  - 11. The device as recited in claim 4, wherein, during the activation process, the gateway process is identified to the service provider, associated with a user account of the user network, and receives metadata that uniquely identifies the gateway process to the service provider.
  - 12. The device as recited in claim 4, wherein the program instructions are further executable by the at least one processor to implement a virtual machine on the device, and wherein the gateway process is implemented on the virtual machine.

13. A non-transitory computer-accessible storage medium storing program instructions computer-executable to implement a gateway process operable to:
- initiate an activation process with a remote service provider that provides a remote data store;
  
  initiate a secure connection to the remote service provider for remotely managing the gateway process;
  
  receive configuration and management instructions from the remote service provider via the secure connection; and
  
  provide an interface between one or more customer processes on a customer network and the remote service provider to store customer data to the remote data store.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The non-transitory computer-accessible storage medium as recited in claim 13, wherein the configuration and management instructions are initiated by an administrative process on the customer network via a console process of the remote service provider.
  - 15. The non-transitory computer-accessible storage medium as recited in claim 13, wherein the gateway process is further operable to:
    - obtain security credentials from the remote service provider during the activation process; and
      
      include the security credentials in communications over the secure connection to the remote service provider.
  - 16. The non-transitory computer-accessible storage medium as recited in claim 13, wherein the gateway process is further operable to provide an interface between the one or more customer processes on the customer network and the storage service to download customer data from the remote data store.
  - 17. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the gateway process is further operable to locally cache frequently accessed customer data.
  - 18. The non-transitory computer-accessible storage medium as recited in claim 13, wherein, during the activation process, the gateway process receives metadata that uniquely identifies the gateway process to the service provider and that associates the gateway process with a customer account of the customer network.
  - 19. The non-transitory computer-accessible storage medium as recited in claim 13, wherein the gateway process is a virtual appliance that executes within a virtual machine on a device on the customer network.
  - 20. The non-transitory computer-accessible storage medium as recited in claim 13, wherein, to provide an interface between one or more customer processes on a customer network and the remote service provider, the gateway process is operable to:
    - present a data access interface on the customer network;
      
      convert data accesses by the one or more customer processes to the data access interface into service requests according to a service interface of the remote service provider; and
      
      send the service requests to the remote service provider according to the service interface.
  - 21. The non-transitory computer-accessible storage medium as recited in claim 20, wherein, to provide an interface between one or more customer processes on a customer network and the remote service provider, the gateway process is further operable to:
    - receive service responses from the remote service provider according to the service interface;
      
      convert the service responses into responses according to the data access interface; and
      
      send the responses to respective processes on the customer network according to the data access interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sorenson, James Christopher III, Lin, Yun, Salyers, David C., Khetrapal, Ankur
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/174,489
Time in Patent Office

943 Days
Field of Search

713/153, 726/12
US Class Current

713/153
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

H04L 67/1097   for distributed storage of ...

H04L 67/56   Provisioning of proxy servi...

Storage gateway security model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Storage gateway security model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links