Techniques to store secret information for global data centers

US 9,135,460 B2
Filed: 12/22/2011
Issued: 09/15/2015
Est. Priority Date: 12/22/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

generating a secret for a data center at a front end service comprising at least one server device;

receiving a request at the front end service to access a back end storage from a client device in the data center;

accessing the back end storage from the front end service using the secret generated for the data center without providing the secret to the client in the data center; and

returning a result of accessing the back end storage to the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques to store secret information for global data centers securely may provide a front end service for a back end data store. The front end service may be responsible for deployment, upgrade, and disaster recovery aspects, and so forth, of data center maintenance. Data centers may access data and data-related services from the back end data store through the front end service. Secrets that are needed to access secure data may be stored on behalf of the data centers without providing the secrets to the data centers.

79 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- generating a secret for a data center at a front end service comprising at least one server device;
  
  receiving a request at the front end service to access a back end storage from a client device in the data center;
  
  accessing the back end storage from the front end service using the secret generated for the data center without providing the secret to the client in the data center; and
  
  returning a result of accessing the back end storage to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein accessing the back end storage comprises executing a process on the back end storage.
  - 3. The method of claim 1, wherein the received request does not include the secret.
  - 4. The method of claim 1, wherein the secret comprises at least one of:
    - a user name;
      
      a password;
      
      a digital certificate; and
      
      a private encryption key.
  - 5. The method of claim 1, comprising storing the secret on the back end storage, wherein the secret is not accessible to the data center.
  - 6. The method of claim 1, further comprising:
    - authenticating the request from the client at an identity system for the data center; and
      
      validating the request.
  - 7. The method of claim 1, further comprising:
    - monitoring the access from the front end service to the back end storage; and
      
      generating an incident when the access is at least one of unauthorized or not validated.
  - 8. The method of claim 7, comprising:
    - provisioning a new data center and generating a new secret for the new data center when an incident is generated.

9. An article comprising computer readable memory, the computer readable memory comprising instructions that when executed by a processor cause a system to:
- generate a secret for a data center at a front end service;
  
  store the secret on a back end storage not directly accessible to the data center;
  
  receive a request at the front end service to access the back end storage from a client in the data center;
  
  perform a validation process on the request;
  
  access the back end storage from the front end service using the secret generated for the data center, when the request is validated and without providing the secret to the requesting client;
  
  prevent access to data on the back end storage protected by the secret and generate a new secret for the data center, when the request is not validated; and
  
  return a result of the validation process to the client.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The article of claim 9, the medium further comprising instructions that when executed cause the system to:
    - generate the secret for at least one of;
      
      a data center, a farm, an account, a set of access privileges, a role, and a business group, wherein the secret comprises at least one of;
      
      a user name;
      
      a password;
      
      a digital certificate; and
      
      a private encryption key.
  - 11. The article of claim 9, the medium further comprising instructions that when executed cause the system to:
    - receive access credentials for the data center in the request; and
      
      authenticate the data center using the access credentials by accessing an identity service of the data center.
  - 12. The article of claim 11, wherein the secret is associated with an access privilege, the medium further comprising instructions that when executed cause the system to:
    - validate the request, when the data center is authenticated and when the request is for data or a service that is accessible to the data center according to the access privilege associated with the secret for the data center.
  - 13. The article of claim 9, the medium further comprising instructions that when executed cause the system to:
    - prevent access to the secret and to data on the back end storage protected by the secret when the request is not validated; and
      
      generate an incident in response to the request not being validated.
  - 14. The article of claim 9, the medium further comprising instructions that when executed cause the system to:
    - monitor the access from the front end service to the back end storage; and
      
      generate an incident when the access is at least one of unauthorized or not validated.
  - 15. The article of claim 9, the medium further comprising instructions that when executed cause the system to:
    - access the secret that was generated for the data center; and
      
      provide the secret to the back end storage with the request for access.

16. An apparatus, comprising:
- a processor;
  
  a front end service stored in memory and executing on the processor to;
  
  receive, from a client device in a data center, a request to access at least one of data and a service on a back end storage, wherein the request does not contain a secret to access the back end storage;
  
  prompt the back end storage to determine information identifying a secret generated for the data center; and
  
  access the back end storage using the secret generated for the data center, when the request is validated, and without providing the secret to the client device; and
  
  return a result of accessing the back end storage to the client.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, the front end service further to:
    - generate the secret for a data center; and
      
      store the secret on the back end storage not directly accessible to the data center.
  - 18. The apparatus of claim 16, the front end service further to:
    - authenticate the data center by accessing an identity service for the data center.
  - 19. The apparatus of claim 16, wherein the secret is associated with an access privilege, the front end service further to:
    - validate the request by determining whether the request is for data or a service that is accessible to the data center according to the access privilege associated with the secret for the data center.
  - 20. The apparatus of claim 16, the front end service further to:
    - monitor the access from the front end service to the back end storage; and
      
      generate an incident when the access is at least one of unauthorized or not validated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Birch, Jonathan, Date, Amit, Jump, Daniel, Malhotra, Vikas, Albrecht, Bradley, Demircioglu, Ali Deniz
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US13/334,360
Publication Number

US 20130167200A1
Time in Patent Office

1,363 Days
Field of Search

726 1- 4, 726/7, 726/27, 726/29, 715/735, 718/1, 713/152, 713/155, 709/229, 709/220
US Class Current

1/1
CPC Class Codes

G06F 21/6209 to a single file or object,...

H04L 63/08 for authentication of entit...

Techniques to store secret information for global data centers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques to store secret information for global data centers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links