Methods and apparatus for mediating access to derivatives of sensitive data

US 8,978,159 B1
Filed: 12/31/2012
Issued: 03/10/2015
Est. Priority Date: 12/31/2012
Status: Active Grant

First Claim

Patent Images

1. A method for processing a data request from a client for sensitive data, the data request comprising a client identifier and an indication of the intended use of the sensitive data by the client, the method comprising the steps of:

receiving the data request from the client;

providing the client identifier and the indicated use to an access manager, wherein the access manager assesses a risk of providing access to the sensitive data for said indicated use;

if the access manager grants access for the indicated use, receiving one or more keys with corresponding computing restrictions;

computing a result using a hardware protected computation block; and

providing said result to said client, wherein said provided result comprises a derivative of said sensitive data, wherein at least one of said steps is performed by at least one hardware device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control systems are provided that mediate access to derivatives of sensitive data. A method is provided for processing a data request from a client, the data request comprising a client identifier and an indication of the intended use of the data, by receiving the data request from the client; providing the client identifier and indicated use to an access manager, wherein the access manager assesses a risk of providing access to the data for the indicated use; if the access manager grants access for the indicated use, receiving one or more keys with corresponding computing restrictions from the access manager; computing a result; and providing the result to the client, wherein the provided result comprises the derivative of sensitive data. The access manager grants the access for the indicated use, for example, based on a risk score.

15 Citations

View as Search Results

25 Claims

1. A method for processing a data request from a client for sensitive data, the data request comprising a client identifier and an indication of the intended use of the sensitive data by the client, the method comprising the steps of:
- receiving the data request from the client;
  
  providing the client identifier and the indicated use to an access manager, wherein the access manager assesses a risk of providing access to the sensitive data for said indicated use;
  
  if the access manager grants access for the indicated use, receiving one or more keys with corresponding computing restrictions;
  
  computing a result using a hardware protected computation block; and
  
  providing said result to said client, wherein said provided result comprises a derivative of said sensitive data, wherein at least one of said steps is performed by at least one hardware device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising the step of retrieving a layer of one or more encrypted database entries identified by said data request, wherein said layer is associated with said indicated use.
  - 3. The method of claim 1, wherein said access manager grants said access for the indicated use based on a risk score.
  - 4. The method of claim 3, wherein said risk score is based on information revealed by said layer.
  - 5. The method of claim 3, wherein said risk score is based on a classification of the one or more encrypted database entries.
  - 6. The method of claim 3, wherein said risk score is based on an amount of information revealed by the result.
  - 7. The method of claim 3, wherein said risk score is based on a tenant identifier of the client.
  - 8. The method of claim 3, wherein said risk score is based on a presence of the secure computing container.
  - 9. The method of claim 3, wherein said risk score comprises an overall risk, wherein said overall risk is a product of a User Risk for a user associated with said data request and a Transaction Risk for a transaction associated with said data request.
  - 10. The method of claim 9, wherein said User Risk compares a behavior and device fingerprint for said data request to historical patterns.
  - 11. The method of claim 9, wherein said Transaction Risk is calculated based on a sensitivity of the one or more encrypted database entries and by an amount of information revealed by said data request.
  - 12. The method of claim 1, wherein the result is provided to said client encrypted using an encryption key of said client.
  - 13. The method of claim 1, wherein said access manager performs one or more additional risk-based authentication operations.
  - 14. A non-transitory machine-readable recordable storage medium for processing a data request from a client, wherein one or more software programs when executed by one or more processing devices implement the steps of the method of claim 1.

15. A system for processing a data request from a client for sensitive data, the data request comprising a client identifier and an indication of the intended use of the sensitive data by the client, the system comprising:
- a memory; and
  
  at least one hardware device, coupled to the memory, operative to implement the following steps;
  
  receive the data request from the client;
  
  provide the client identifier and the indicated use to an access manager, wherein the access manager assesses a risk of providing access to the sensitive data for said indicated use;
  
  if the access manager grants access for the indicated use, receive one or more keys with corresponding computing restrictions;
  
  compute a result using a hardware protected computation block; and
  
  provide said result to said client, wherein said provided result comprises a derivative of said sensitive data.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The system of claim 15, wherein said at least one hardware device is further configured to retrieve a layer of one or more encrypted database entries identified by said data request, wherein said layer is associated with said indicated use.
  - 17. The system of claim 15, wherein said access manager grants said access for the indicated use based on a risk score.
  - 18. The system of claim 17, wherein said risk score is based on information revealed by said layer.
  - 19. The system of claim 17, wherein said risk score is based on a classification of the one or more encrypted database entries.
  - 20. The system of claim 17, wherein said risk score is based on an amount of information revealed by the result.
  - 21. The system of claim 17, wherein said risk score is based on a tenant identifier of the client.
  - 22. The system of claim 17, wherein said risk score is based on a presence of the secure computing container.
  - 23. The system of claim 17, wherein said risk score comprises an overall risk, wherein said overall risk is a product of a User Risk for a user associated with said data request and a Transaction Risk for a transaction associated with said data request.
  - 24. The system of claim 15, wherein the result is provided to said client encrypted using an encryption key of said client.
  - 25. The system of claim 15, wherein said access manager performs one or more additional risk-based authentication operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
van Dijk, Marten, Hopley, Robert D., Oprea, Alina M., Ray, Kenneth, Curry, Samuel J., Linn, John G.
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US13/731,514
Time in Patent Office

799 Days
Field of Search

726 28- 30
US Class Current

726/29
CPC Class Codes

G06F 21/6227 where protection concerns t...

G06F 2221/2107 File encryption

Methods and apparatus for mediating access to derivatives of sensitive data

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Methods and apparatus for mediating access to derivatives of sensitive data

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others