Security management in a group based environment

US 8,745,384 B2
Filed: 08/11/2011
Issued: 06/03/2014
Est. Priority Date: 08/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

sending an authentication registration request from at least one network device configured to encrypt and decrypt data to a management server that maintains different security information, including one or more access control policies and master keys, associated with each of a plurality of access groups for the management server to authenticate the at least one network device and register the at least one network device to a selected one of the access groups;

in response to the authentication registration request, receiving at the at least one network device from the management server security information, including the one or more access control policies and master keys, associated with the selected access group;

intercepting, with the at least one network device, a data file transmitted to cloud storage from a client in an enterprise computing environment;

after the network device has been authenticated by the management server, authenticating, by the at least one network device, the client to ensure the client has permission to write the data to the cloud storage by accessing authentication information stored in the management server; and

converting at the network device, based on the security information including the one or more access control policies and master keys received from the management server, the data file into an encrypted object configured to remain encrypted while at rest in the cloud storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for securely storing data files in, or retrieving data files from, cloud storage. A data file transmitted to cloud storage from a client in an enterprise computing environment is intercepted by at least one network device. Using security information received from a management server, the data file is converted into an encrypted object configured to remain encrypted while at rest in the cloud storage.

35 Citations

View as Search Results

24 Claims

1. A method comprising:
- sending an authentication registration request from at least one network device configured to encrypt and decrypt data to a management server that maintains different security information, including one or more access control policies and master keys, associated with each of a plurality of access groups for the management server to authenticate the at least one network device and register the at least one network device to a selected one of the access groups;
  
  in response to the authentication registration request, receiving at the at least one network device from the management server security information, including the one or more access control policies and master keys, associated with the selected access group;
  
  intercepting, with the at least one network device, a data file transmitted to cloud storage from a client in an enterprise computing environment;
  
  after the network device has been authenticated by the management server, authenticating, by the at least one network device, the client to ensure the client has permission to write the data to the cloud storage by accessing authentication information stored in the management server; and
  
  converting at the network device, based on the security information including the one or more access control policies and master keys received from the management server, the data file into an encrypted object configured to remain encrypted while at rest in the cloud storage.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the at least one network device comprises a plurality of distributed secure routers, and further comprising:
    - sending requests by each of the plurality of secure routers to the management server for authentication and registration to an access group; and
      
      receiving, with each of the plurality of distributed secure routers, security information associated with an access group to which each respective network device is registered.
  - 3. The method of claim 1, wherein the data file is requested from the cloud storage by the client through the at least one network device, and further comprising, at the network device:
    - after the network device has been authenticated by the management server, authenticating, by the at least one network device, the client to ensure the client has permission to read the data file from the cloud storage;
      
      obtaining an encrypted object containing the data file from the cloud storage;
      
      decrypting the encrypted object to extract the data file based on the security information including the one or more access control policies and master keys received from the management server; and
      
      providing the data file to the client.
  - 4. The method of claim 3, wherein:
    - the authenticating, by the at least one network device, comprises authenticating the client prior to obtaining the encrypted object by accessing authentication information stored in an access control server configured by the management server.
  - 5. The method of claim 1, wherein the converting at the network device includes:
    - generating a random file encryption key;
      
      encrypting the data file using the random file encryption key;
      
      encrypting the random file encryption key using the master key from the management server; and
      
      attaching a header including at least the encrypted random file encryption key to the encrypted data file to produce the encrypted object.
  - 6. The method of claim 5, wherein the converting at the network device further includes:
    - generating an integrity check value for the data file that allows the network device to validate the data file during a decryption operation; and
      
      attaching the integrity check value to the header of the encrypted object.

7. A system comprising:
- at least one management server configured to maintain different security information, including one or more access control policies and master keys, associated with each of a plurality of access groups; and
  
  at least one network device configured to encrypt and decrypt data and to send to the management server an authentication registration request to register the network device to a selected one of the access groups;
  
  wherein the at least one management server is further configured to, in response to the authentication registration request from the at least one network device;
  
  authenticate the at least one network device and register the at least one network device as a member of the selected access group; and
  
  send the security information, including the one or more access control policies and master keys, associated with the selected access group to the at least on network device; and
  
  wherein the at least one network device is further configured to;
  
  intercept a data file transmitted from a client in an enterprise computing environment to cloud storage external to the enterprise computing environment;
  
  after the network device has been authenticated by the management server, authenticate the client to ensure the client has permission to write the data to the cloud storage by accessing authentication information stored in the management server; and
  
  using the security information including the one or more access control policies and master keys received from the management server, convert the data file into an encrypted object configured to remain encrypted while at rest in the cloud storage.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The system of claim 7, wherein the at least one network device comprises a plurality of distributed secure routers each configured to receive security information from the management server.
  - 9. The system of claim 8, wherein the management server is configured to authenticate and register each of the distributed secure routers to one of the different access groups.
  - 10. The system of claim 7, wherein a data file is requested from the cloud storage by the client through the at least one network device, and wherein the at least one network device is configured to:
    - after the network device has been authenticated by the management server, authenticate the client to ensure the client has permission to read the data file from the cloud storage; and
      
      obtain an encrypted object containing the data file and to decrypt and send the data file to the client.
  - 11. The system of claim 10, wherein the at least one network device is configured to authenticate the client by accessing authentication information stored in the management server.
  - 12. The system of claim 10, wherein the at least one network device is configured to authenticate the client by accessing authentication information stored in an access control server configured by the management server.
  - 13. The system of claim 7, wherein the at least one network device is in the enterprise computing environment and is configured to intercept the data file before it exits the enterprise computing environment.
  - 14. The system of claim 7, wherein the at least one management server is external to the enterprise computing environment and is hosted by a cloud storage service provider.
  - 15. The system of claim 7, wherein the at least one management server comprises a plurality of distributed management servers.

16. An apparatus comprising:
- a network interface unit configured to enable communications over a network and encrypt and decrypt data;
  
  a processor coupled to the network interface unit, and configured to;
  
  send an authentication registration request from the network interface unit to a management server that maintains different security information, including the one or more access control policies and master keys, associated with each of a plurality of access groups for the management server to authenticate the apparatus and register the apparatus to a selected one of the one or more access groups;
  
  in response to the authentication registration request, receive via the network interface unit from the management server security information, including one or more access control policies and master keys, associated with the selected access group;
  
  intercept, via the network interface unit, a data file transmitted to cloud storage from a client in an enterprise computing environment; and
  
  after the network interface unit has been authenticated by the management server, authenticate, by the at least one network interface unit, the client to ensure the client has permission to write the data file to the cloud storage by accessing authentication information stored in the management server; and
  
  use the security information including the one or more access control policies and master keys received from the management server to convert the data file into an encrypted object configured to remain encrypted while at rest in the cloud storage.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein the processor is further configured to intercept a request by the client for a data file, after the network interface unit has been authenticated by the management server, authenticate, by the at least one network interface unit, the client to ensure the client has permission to read the data file from the cloud storage, obtain an encrypted object from the cloud storage that contains the data file, decrypt the encrypted object to extract the data file based on the security information including the one or more access control policies and master keys received from the management server, and provide the data file to the client.
  - 18. The apparatus of claim 17, wherein the processor is further configured to authenticate the client prior to obtaining the encrypted object by accessing authentication information stored in an access control server configured by the management server.
  - 19. The apparatus of claim 16, wherein the processor is further configured to:
    - generate a random file encryption key;
      
      encrypt the data file using the random file encryption key;
      
      encrypt the random file encryption key using the master key from the management server; and
      
      attach a header including at least the encrypted random file encryption key to the encrypted data file to produce the encrypted object.
  - 20. The apparatus of claim 19, wherein the processor is further configured to:
    - generate an integrity check value for the data file that allows the network device to validate the data file during a decryption operation; and
      
      attach the integrity check value to the header of the encrypted object.

21. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- send an authentication registration request from at least one network device configured to encrypt and decrypt data to a management server that maintains different security information, including one or more access control policies and master keys, associated with each of one or more access groups for the management server to authenticate the at least one network device and register the at least one network device to a selected one of the one or more access groups;
  
  in response to the authentication registration request, receive at the at least one network device from the management server security information, including the one or more access control policies and master keys, associated with the selected access group;
  
  intercept, with at least one network device, a data file transmitted to cloud storage from a client in an enterprise computing environment;
  
  after the network device has been authenticated by the management server, authenticate the client to ensure the client has permission to write the data to the cloud storage by accessing authentication information stored in the management server; and
  
  convert, based on security information including the one or more access control policies and master keys received from the management server, the data file into an encrypted object configured to remain encrypted while at rest in the cloud storage.
- View Dependent Claims (22, 23, 24)
- - 22. The computer readable storage media of claim 21, wherein the at least one network device comprises a plurality of distributed secure routers, and further comprising instructions operable to:
    - sending requests by each of the plurality of secure routers to the management server for authentication and registration to an access group; and
      
      receive, with each of the plurality of distributed secure routers, security information associated with an access group to which each respective network device is registered.
  - 23. The computer readable storage media of claim 21, wherein the data file is requested from the cloud storage by the client through the at least one network device, and further comprising instructions operable to, at the network device:
    - after the network device has been authenticated by the management server, authenticate, by the at least one network device, the client to ensure the client has permission to read the data file from the cloud storage;
      
      obtain an encrypted object containing the data file from the cloud storage;
      
      decrypt the encrypted object to extract the data file based on the security information including the one or more access control policies and master keys received from the management server; and
      
      provide the data file to the client.
  - 24. The computer readable storage media of claim 23, further comprising instructions operable to:
    - authenticate the client prior to obtaining the encrypted object by accessing authentication information stored in an access control server configured by the management server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Persaud, Andrew, Kamarthy, Kavitha, Murthy, Shree, Fanning, Scott, McGrew, David A., Suresh, Thirunavukkarasu
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US13/207,775
Publication Number

US 20130042106A1
Time in Patent Office

1,027 Days
Field of Search

713/165, 713168-170, 711/163, 726 1- 4, 726/17, 726/21, 726/27
US Class Current

713/165
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6272   by registering files or doc...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0428   wherein the data content is...

H04L 63/104   Grouping of entities

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/0897   involving additional device...

Security management in a group based environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Security management in a group based environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others