Secure processing in multi-tenant cloud infrastructure

US 8,719,590 B1
Filed: 06/18/2012
Issued: 05/06/2014
Est. Priority Date: 06/18/2012
Status: Active Grant

First Claim

Patent Images

1. A method performed in cloud infrastructure of an information processing system, the method comprising the steps of:

receiving a processing job from a tenant;

obtaining a first key specific to the tenant;

determining a second key utilizing information supplied by the tenant; and

encrypting one or more results of the processing job utilizing a combination of the first key and the second key;

wherein at least a portion of the second key is determined by at least one application that is run on at least one virtual machine of the cloud infrastructure in conjunction with performance of the processing job; and

wherein the second key is at least partially hidden within said at least one application.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cloud infrastructure of an information processing system comprises one or more processing devices implementing a plurality of virtual machines. The cloud infrastructure is configured to receive a processing job from a tenant, to obtain a first key specific to the tenant, to determine a second key utilizing information supplied by the tenant, and to encrypt one or more results of the processing job utilizing a combination of the first key and the second key. At least a portion of the second key is determined by at least one application that is run on at least one virtual machine of the cloud infrastructure in conjunction with performance of the processing job. The encrypted results of the processing job may be stored in a virtual memory of the cloud infrastructure and transmitted to the tenant.

Citations

21 Claims

1. A method performed in cloud infrastructure of an information processing system, the method comprising the steps of:
- receiving a processing job from a tenant;
  
  obtaining a first key specific to the tenant;
  
  determining a second key utilizing information supplied by the tenant; and
  
  encrypting one or more results of the processing job utilizing a combination of the first key and the second key;
  
  wherein at least a portion of the second key is determined by at least one application that is run on at least one virtual machine of the cloud infrastructure in conjunction with performance of the processing job; and
  
  wherein the second key is at least partially hidden within said at least one application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 13)
- - 2. The method of claim 1 wherein said steps are performed by at least one processing device having a processor coupled to a memory.
  - 3. The method of claim 1 further comprising the step of storing the encrypted results of the processing job in a virtual memory of the cloud infrastructure.
  - 4. The method of claim 1 further comprising the step of transmitting the encrypted results of the processing job to the tenant.
  - 5. The method of claim 1 wherein the first key comprises a tenant-specific key generated by a cloud service provider and provided by the cloud service provider to the tenant.
  - 6. The method of claim 1 wherein the second key comprises a private key of the tenant.
  - 7. The method of claim 1 wherein the second key is at least partially hidden within said at least one application by virus-like association of at least a portion of said second key with a binary file of said application.
  - 8. The method of claim 1 wherein the processing job comprises running a plurality of applications on respective virtual machines of the cloud infrastructure.
  - 13. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed cause the cloud infrastructure to perform the steps of the method of claim 1.

9. A method performed in cloud infrastructure of an information processing system, the method comprising the steps of:
- receiving a processing job from a tenant;
  
  obtaining a first key specific to the tenant;
  
  determining a second key utilizing information supplied by the tenant; and
  
  encrypting one or more results of the processing job utilizing a combination of the first key and the second key;
  
  wherein at least a portion of the second key is determined by at least one application that is run on at least one virtual machine of the cloud infrastructure in conjunction with performance of the processing job;
  
  wherein the processing job comprises running a plurality of applications on respective virtual machines of the cloud infrastructure; and
  
  wherein portions of the second key are hidden in respective ones of the applications.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9 wherein a given one of the applications determines the second key by obtaining selected fragments of the second key from respective ones of the other applications and combining its own fragment of the second key with the selected fragments obtained from the respective ones of the other applications so as to thereby reconstruct the second key.
  - 11. The method of claim 10 wherein the selected fragments comprise m fragments randomly selected from respective ones of the applications, where m is less than or equal to n, and where n denotes the total number of applications of the processing job running on respective virtual machines of the cloud infrastructure.

12. A method performed in cloud infrastructure of an information processing system, the method comprising the steps of:
- receiving a processing job from a tenant;
  
  obtaining a first key specific to the tenant;
  
  determining a second key utilizing information supplied by the tenant; and
  
  encrypting one or more results of the processing job utilizing a combination of the first key and the second key;
  
  wherein at least a portion of the second key is determined by at least one application that is run on at least one virtual machine of the cloud infrastructure in conjunction with performance of the processing job; and
  
  wherein the application determines the second key utilizing an application plug-in that is provided by the tenant to the cloud infrastructure in encrypted form using the first key.
- View Dependent Claims (20, 21)
- - 20. The method of claim 12 wherein the first key comprises a tenant-specific key generated by a cloud service provider and provided by the cloud service provider to the tenant.
  - 21. The method of claim 12 wherein the second key comprises a private key of the tenant.

14. An apparatus comprising:
- cloud infrastructure comprising one or more processing devices implementing a plurality of virtual machines, a given such processing device comprising a processor coupled to a memory;
  
  the cloud infrastructure being configured to receive a processing job from a tenant, to obtain a first key specific to the tenant, to determine a second key utilizing information supplied by the tenant, and to encrypt one or more results of the processing job utilizing a combination of the first key and the second key;
  
  wherein at least a portion of the second key is determined by at least one application that is run on at least one of the virtual machines of the cloud infrastructure in conjunction with performance of the processing job; and
  
  wherein the second key is at least partially hidden within said at least one application.
- View Dependent Claims (15, 19)
- - 15. The apparatus of claim 14 wherein the second key is at least partially hidden within said at least one application by virus-like association of at least a portion of said second key with a binary file of said application.
  - 19. An information processing system comprising at least one processing platform which incorporates the apparatus of claim 14.

16. An apparatus comprising:
- cloud infrastructure comprising one or more processing devices implementing a plurality of virtual machines, a given such processing device comprising a processor coupled to a memory;
  
  the cloud infrastructure being configured to receive a processing job from a tenant, to obtain a first key specific to the tenant, to determine a second key utilizing information supplied by the tenant, and to encrypt one or more results of the processing job utilizing a combination of the first key and the second key;
  
  wherein at least a portion of the second key is determined by at least one application that is run on at least one of the virtual machines of the cloud infrastructure in conjunction with performance of the processing job; and
  
  wherein the processing job comprises running a plurality of applications on respective virtual machines of the cloud infrastructure, and wherein portions of the second key are hidden in respective ones of the applications.
- View Dependent Claims (17)
- - 17. The apparatus of claim 16 wherein a given one of the applications determines the second key by obtaining selected fragments of the second key from respective ones of the other applications and combining its own fragment of the second key with the selected fragments obtained from the respective ones of the other applications so as to thereby reconstruct the second key.

18. An apparatus comprising:
- cloud infrastructure comprising one or more processing devices implementing a plurality of virtual machines, a given such processing device comprising a processor coupled to a memory;
  
  the cloud infrastructure being configured to receive a processing job from a tenant, to obtain a first key specific to the tenant, to determine a second key utilizing information supplied by the tenant, and to encrypt one or more results of the processing job utilizing a combination of the first key and the second key;
  
  wherein at least a portion of the second key is determined by at least one application that is run on at least one of the virtual machines of the cloud infrastructure in conjunction with performance of the processing job; and
  
  wherein the application determines the second key utilizing an application plug-in that is provided by the tenant to the cloud infrastructure in encrypted form using the first key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Faibish, Sorin, Tzelnic, Percy
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
SHAIFER HARRIMAN, DANT B

Application Number

US13/525,919
Time in Patent Office

687 Days
Field of Search

713/190
US Class Current

713/190
CPC Class Codes

G06F 21/1066   Hiding content

G06F 21/602   Providing cryptographic fac...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0428   wherein the data content is...

H04L 67/10   in which an application is ...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

Secure processing in multi-tenant cloud infrastructure

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure processing in multi-tenant cloud infrastructure

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links