Data security in a cloud computing environment

US 8,769,613 B2
Filed: 11/17/2010
Issued: 07/01/2014
Est. Priority Date: 09/14/2010
Status: Active Grant

First Claim

Patent Images

1. A method of securing sensitive data in a cloud computing system, the method comprising:

monitoring events at a node in the system;

on detection of an event of a specified type, interrupting a message associated with the event;

selecting a security template from a set of security templates based on data in the message and at least one parameter associated with the message, the at least one parameter being one of;

a User ID, a Session ID, a Server Location, a channel type, a Device ID, a Transaction Type, or a time, the security template including a location of at least one data element within the data in the message and an obfuscation method to be applied to the at least one data element;

applying the obfuscation method to the at least one data element within the data in the message according to the selected security template to create modified data;

inserting the modified data into the interrupted message in place of the data in the message; and

releasing the message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for providing data security, in particular for cloud computing environments, are described. In an embodiment, a software component monitors events at a node in a computing system and on detection of an event of a particular type, interrupts a message associated with the event. Before the message is allowed to continue towards its intended destination, a security template is selected based on the message (e.g. the data in the message and identifiers within the message) and this template is used to determine what data protection methods are applied to each data element in the message. A modified data packet is created by applying the security template and then this modified data packet is inserted into the message in place of the data packet in the interrupted message.

25 Citations

View as Search Results

19 Claims

1. A method of securing sensitive data in a cloud computing system, the method comprising:
- monitoring events at a node in the system;
  
  on detection of an event of a specified type, interrupting a message associated with the event;
  
  selecting a security template from a set of security templates based on data in the message and at least one parameter associated with the message, the at least one parameter being one of;
  
  a User ID, a Session ID, a Server Location, a channel type, a Device ID, a Transaction Type, or a time, the security template including a location of at least one data element within the data in the message and an obfuscation method to be applied to the at least one data element;
  
  applying the obfuscation method to the at least one data element within the data in the message according to the selected security template to create modified data;
  
  inserting the modified data into the interrupted message in place of the data in the message; and
  
  releasing the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method according to claim 1, wherein the obfuscation method comprises one of a method to create obfuscated data from input data and a method to recover original data from obfuscated input data.
  - 3. A method according to claim 1, wherein applying an obfuscation method to at least one data element within the data in the message according to the selected security template to create modified data comprises:
    - applying a plurality of obfuscation methods to create the modified data, each obfuscation method being applied to a different data element within the data in the message according to the selected security template.
  - 4. A method according to claim 1, wherein the modified data comprises a data element which is unchanged from the data in the interrupted message.
  - 5. A method according to claim 1, further comprising initiating the method in response to a trigger message.
  - 6. A method according to claim 1, wherein the node in the system comprises an execution node of a gateway server at a perimeter of the cloud computing system.
  - 7. A method according to claim 6, wherein the specified event type comprises service invocation.
  - 8. A method according to claim 1, wherein the node in the system comprises a load balancing server within the cloud computing system.
  - 9. A method according to claim 8, wherein the specified event type comprises service transactions diverted to an untrusted server.
  - 10. A method according to claim 9, wherein an untrusted server is defined based on geographical location of the server.
  - 11. A method according to claim 1, wherein the node in the system comprises a device acting as a client of the cloud computing system.
  - 12. A method according to claim 11, wherein the specified event type comprises HTTPs or Mobile Gateway delegated calls.
  - 13. A method according to claim 1, wherein the node in the system comprises a boundary between architectural layers in the system.
  - 14. A method according to claim 13, wherein the boundary comprises a boundary between a data storage layer and a business logic layer and wherein the specified event type comprises stored procedure execution on data stored in the data storage layer.
  - 15. A method according to claim 13, wherein the boundary comprises a boundary between a business logic layer and a user interface layer and wherein the specified event type comprises web service execution calls and wherein the at least one parameter associated with the message comprises a user identifier.
  - 16. A method according to claim 1, wherein the event of a specified type comprises file transfer activity.

17. One or more tangible non-transitory device-readable media with device-executable instructions that, when executed by a cloud computing system, direct the cloud computing system to perform steps comprising:
- monitoring events at a node in the cloud computing system;
  
  on detection of an event of a specified type, interrupting a message associated with the event;
  
  selecting a security template from a set of security templates based on data in the message and at least one parameter associated with the message, the at least one parameter being one of;
  
  a User ID, a Session ID, a Server Location, a channel type, a Device ID a Transaction Type, or a time, the security template including a location of at least one data element within the data in the message and an obfuscation method to be applied to the at least one data element;
  
  applying the obfuscation method to the at least one data element within the data in the message according to the selected security template to create modified data;
  
  inserting the modified data into the interrupted message in place of the data in the message; and
  
  releasing the message.

18. A cloud computer system comprising:
- a processor; and
  
  a memory arranged to store computer executable instructions which when executed cause the processor to;
  
  monitor events at a node in the cloud computer system to detect events of a specified type;
  
  interrupt a message associated with a detected event of a specified type;
  
  select a security template from a set of security templates based on data in the message and at least one parameter associated with the message, the at least one parameter being one of;
  
  a User ID, a Session ID, a Server Location, a channel type, a Device ID, a Transaction Type, or a time, the security template including a location of at least one data element within the data in the message and an obfuscation method to be applied to the at least one data element;
  
  apply the obfuscation method to the at least one data element within the data in the message according to the selected security template to create modified data;
  
  insert the modified data into the interrupted message in place of the data in the message; and
  
  release the message.

19. A cloud computer system comprising:
- a processor; and
  
  a memory arranged to store computer executable instructions which when executed cause the processor to;
  
  monitor events at a node in the system to detect events of a specified type;
  
  interrupt a message associated with a detected event of a specified type;
  
  select a security template from a set of security templates based on data in the message and at least one parameter associated with the message, the at least one parameter being one of;
  
  a User ID, a Session ID, a Server Location, a channel type, a Device ID, a Transaction Type, or a time, the security template including˜
  
  a location of at least one data element within the data in the message and an obfuscation method to be applied to the at least one data element;
  
  apply the obfuscation method to the at least one data element within the data in the message according to the selected security template to create modified data;
  
  insert the modified data into the interrupted message in place of the data in the message; and
  
  release the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mastek (UK) Ltd.
Original Assignee
Mastek (UK) Ltd.
Inventors
Latchem, Stephen, Dash, Bilash
Primary Examiner(s)
Parthasarathy, Pramila

Application Number

US12/948,646
Publication Number

US 20120066769A1
Time in Patent Office

1,322 Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/6245   Protecting personal data, e...

G06F 21/6263   during internet communicati...

H04L 63/0421   Anonymous communication, i....

H04L 63/1408   by monitoring network traff...

Data security in a cloud computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data security in a cloud computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links