Security management in a group based environment
Abstract
Techniques are provided for securely storing data files in, or retrieving data files from, cloud storage. A data file transmitted to cloud storage from a client in an enterprise computing environment is intercepted by at least one network device. Using security information received from a management server, the data file is converted into an encrypted object configured to remain encrypted while at rest in the cloud storage.
35 Citations
24 Claims
1. A method comprising:
- sending an authentication registration request from at least one network device configured to encrypt and decrypt data to a management server that maintains different security information, including one or more access control policies and master keys, associated with each of a plurality of access groups for the management server to authenticate the at least one network device and register the at least one network device to a selected one of the access groups;
- in response to the authentication registration request, receiving at the at least one network device from the management server security information, including the one or more access control policies and master keys, associated with the selected access group;
- intercepting, with the at least one network device, a data file transmitted to cloud storage from a client in an enterprise computing environment;
- after the network device has been authenticated by the management server, authenticating, by the at least one network device, the client to ensure the client has permission to write the data to the cloud storage by accessing authentication information stored in the management server; and
- converting at the network device, based on the security information including the one or more access control policies and master keys received from the management server, the data file into an encrypted object configured to remain encrypted while at rest in the cloud storage.
Dependent claims: 2, 3, 4, 5, 6

7. A system comprising:
- at least one management server configured to maintain different security information, including one or more access control policies and master keys, associated with each of a plurality of access groups; and
- at least one network device configured to encrypt and decrypt data and to send to the management server an authentication registration request to register the network device to a selected one of the access groups;
- wherein the at least one management server is further configured to, in response to the authentication registration request from the at least one network device: authenticate the at least one network device and register the at least one network device as a member of the selected access group; and send the security information, including the one or more access control policies and master keys, associated with the selected access group to the at least one network device; and
- wherein the at least one network device is further configured to: intercept a data file transmitted from a client in an enterprise computing environment to cloud storage external to the enterprise computing environment; after the network device has been authenticated by the management server, authenticate the client to ensure the client has permission to write the data to the cloud storage by accessing authentication information stored in the management server; and using the security information including the one or more access control policies and master keys received from the management server, convert the data file into an encrypted object configured to remain encrypted while at rest in the cloud storage.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15

16. An apparatus comprising:
- a network interface unit configured to enable communications over a network and encrypt and decrypt data;
- a processor coupled to the network interface unit, and configured to: send an authentication registration request from the network interface unit to a management server that maintains different security information, including the one or more access control policies and master keys, associated with each of a plurality of access groups for the management server to authenticate the apparatus and register the apparatus to a selected one of the one or more access groups; in response to the authentication registration request, receive via the network interface unit from the management server security information, including one or more access control policies and master keys, associated with the selected access group; intercept, via the network interface unit, a data file transmitted to cloud storage from a client in an enterprise computing environment; and after the network interface unit has been authenticated by the management server, authenticate, by the at least one network interface unit, the client to ensure the client has permission to write the data file to the cloud storage by accessing authentication information stored in the management server; and use the security information including the one or more access control policies and master keys received from the management server to convert the data file into an encrypted object configured to remain encrypted while at rest in the cloud storage.
Dependent claims: 17, 18, 19, 20

21. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- send an authentication registration request from at least one network device configured to encrypt and decrypt data to a management server that maintains different security information, including one or more access control policies and master keys, associated with each of one or more access groups for the management server to authenticate the at least one network device and register the at least one network device to a selected one of the one or more access groups;
- in response to the authentication registration request, receive at the at least one network device from the management server security information, including the one or more access control policies and master keys, associated with the selected access group;
- intercept, with at least one network device, a data file transmitted to cloud storage from a client in an enterprise computing environment;
- after the network device has been authenticated by the management server, authenticate the client to ensure the client has permission to write the data to the cloud storage by accessing authentication information stored in the management server; and
- convert, based on security information including the one or more access control policies and master keys received from the management server, the data file into an encrypted object configured to remain encrypted while at rest in the cloud storage.
Dependent claims: 22, 23, 24
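As an added illustration of the register-then-intercept flow the independent claims describe (this is not code from the patent or its assignee), the following Python model has a hypothetical management server holding one access control policy and one master key per access group, and a gateway (the "network device") that registers to a group, checks the client's write permission against that group's policy, and turns the intercepted file into an object that stays encrypted at rest; the HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for an AEAD cipher so the block runs on the standard library alone, and every name and sample value is constructed.

```python
import hashlib, hmac, os

# Constructed management-server state: one policy and one master key per access group.
# Keys are random per run here; a real server would keep them in an HSM or KMS.
MANAGEMENT_SERVER = {
    "groups": {
        "finance": {"master_key": os.urandom(32), "policy": {"write": {"alice"}}},
        "eng": {"master_key": os.urandom(32), "policy": {"write": {"bob"}}},
    },
    "device_credentials": {"gw-1": "finance"},  # group each device may register to
}

def register_device(server, device_id, group):
    """Authentication registration request: the server authenticates the device,
    registers it to the group and returns that group's policy and master key."""
    if server["device_credentials"].get(device_id) != group:
        raise PermissionError(f"{device_id} is not authorised for group {group}")
    g = server["groups"][group]
    return {"group": group, "policy": g["policy"], "master_key": g["master_key"]}

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (a PRF), standing in for AES-CTR."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def _file_keys(master_key, name):
    """Derive per-object encryption and MAC keys from the group master key."""
    return (hmac.new(master_key, b"enc|" + name.encode(), hashlib.sha256).digest(),
            hmac.new(master_key, b"mac|" + name.encode(), hashlib.sha256).digest())

def intercept_and_encrypt(security_info, client, name, plaintext):
    """Gateway path: check the client against the group's access control policy, then
    convert the file to an encrypt-then-MAC object; no key material leaves the gateway."""
    if client not in security_info["policy"]["write"]:
        raise PermissionError(f"{client} may not write to cloud storage")
    enc_key, mac_key = _file_keys(security_info["master_key"], name)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"group": security_info["group"], "name": name, "nonce": nonce, "ct": ct, "tag": tag}

def decrypt_object(security_info, obj):
    """Retrieval path: verify the tag with the group's keys before decrypting, so an
    object written under another group's master key, or tampered with, is rejected."""
    enc_key, mac_key = _file_keys(security_info["master_key"], obj["name"])
    expected = hmac.new(mac_key, obj["nonce"] + obj["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, obj["tag"]):
        raise ValueError("tag mismatch: wrong access group or tampered object")
    return bytes(c ^ k for c, k in zip(obj["ct"], _keystream(enc_key, obj["nonce"], len(obj["ct"]))))
```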
Specification