Provisioning transient-controlled secure environments for viewing sensitive data

US 9,251,368 B2
Filed: 01/08/2014
Issued: 02/02/2016
Est. Priority Date: 01/08/2014
Status: Active Grant

First Claim

Patent Images

1. A method of managing sensitive data at a facility, comprising:

following receipt of a request for a secure support session, receiving information, wherein at least a portion of the information is encrypted;

associating the information with a data record uniquely associated with the secure support session;

instantiating a transient secure computing environment associated with the data record, the transient secure computing environment being access-restricted;

receiving the information in the transient secure computing environment;

decrypting the information, wherein, upon decryption, the information is available for viewing and manipulation only within the transient secure computing environment; and

upon close of the data record indicating that an operation associated with the information is complete, terminating the transient secure computing environment associated with the data record and deleting the information;

wherein the instantiating step is carried out in software executing in a hardware element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new approach to customer support that protects working artifacts through their entire lifecycle by provisioning, on-demand, a transient-controlled debugging environment that preferably is associated with a particular support issue (or subset of issues) when particular artifacts (e.g., files) are securely received at the service or software provider. This approach allows for complete (or substantially complete) isolation and control of the artifacts in a contained environment for so long as necessary by the provider. Preferably, the provider owns or otherwise manages the provisioned environment, which can be augmented as needed to meet the debugging requirements of the particular issue. Preferably, the provisioned environment is restricted in access to only those engineers or others with a verifiable need to know, or that have the necessary training and skill sets for the support operation required.

Citations

22 Claims

1. A method of managing sensitive data at a facility, comprising:
- following receipt of a request for a secure support session, receiving information, wherein at least a portion of the information is encrypted;
  
  associating the information with a data record uniquely associated with the secure support session;
  
  instantiating a transient secure computing environment associated with the data record, the transient secure computing environment being access-restricted;
  
  receiving the information in the transient secure computing environment;
  
  decrypting the information, wherein, upon decryption, the information is available for viewing and manipulation only within the transient secure computing environment; and
  
  upon close of the data record indicating that an operation associated with the information is complete, terminating the transient secure computing environment associated with the data record and deleting the information;
  
  wherein the instantiating step is carried out in software executing in a hardware element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 further including sorting data associated with the information to identify a subset of the information, wherein the information received in the transient secure computing environment is only the identified subset.
  - 3. The method as described in claim 1 wherein the transient secure computing environment is instantiated in a virtual machine uniquely associated with the data record.
  - 4. The method as described in claim 3 wherein the information is encrypted with a key, the virtual machine using the key to decrypt the information within the transient secure computing environment.
  - 5. The method as described in claim 3 wherein terminating the transient secure computing environment terminates the virtual machine.
  - 6. The method as described in claim 1 further including enabling access to the transient secure computing environment via a machine associated with an individual, the individual having been authenticated and having an established need to access the information within the transient secure computing environment.
  - 7. The method as described in claim 1 wherein the data record is a Problem Management Report (PMR).
  - 8. The method as described in claim 1 wherein the facility is associated with a first party, and the information is received from a second party, the first party having a need to access the information for a limited time period and for a limited purpose as determined by the second party.

9. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method of managing sensitive data, the method comprising;
  
  following receipt of a request for a secure support session, receiving information, at least a portion of the information being encrypted;
  
  associating the information with a data record uniquely associated with the secure support session;
  
  instantiating a transient secure computing environment associated with the data record, the transient secure computing environment being access-restricted;
  
  receiving the information in the transient secure computing environment;
  
  decrypting the information, wherein, upon decryption, the information is available for viewing and manipulation only within the transient secure computing environment; and
  
  upon close of the data record indicating that an operation associated with the information is complete, terminating the transient secure computing environment associated with the data record and deleting the information.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus as described in claim 9 wherein the method further includes sorting data associated with the information to identify a subset of the information, wherein the information received in the transient secure computing environment is only the identified subset.
  - 11. The apparatus as described in claim 9 wherein the transient secure computing environment is instantiated in a virtual machine uniquely associated with the data record.
  - 12. The apparatus as described in claim 11 wherein the information is encrypted with a key, the virtual machine using the key to decrypt the information within the transient secure computing environment.
  - 13. The apparatus as described in claim 11 wherein terminating the transient secure computing environment terminates the virtual machine.
  - 14. The apparatus as described in claim 9 wherein the method further includes enabling access to the transient secure computing environment via a machine associated with an individual, the individual having been authenticated and having an established need to access the information within the transient secure computing environment.
  - 15. The apparatus as described in claim 9 wherein the data record is a Problem Management Report (PMR).

16. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method of managing sensitive data, the method comprising:
- following receipt of a request for a secure support session, receiving information, at least a portion of the information being encrypted;
  
  associating the information with a data record uniquely associated with the secure support session;
  
  instantiating a transient secure computing environment associated with the data record, the transient secure computing environment being access-restricted;
  
  receiving the information in the transient secure computing environment;
  
  decrypting the information, wherein, upon decryption, the information is available for viewing and manipulation only within the transient secure computing environment; and
  
  upon close of the data record indicating that an operation associated with the information is complete, terminating the transient secure computing environment associated with the data record and deleting the information.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer program product as described in claim 16 wherein the method further includes sorting data associated with the information to identify a subset of the information, wherein the information received in the transient secure computing environment is only the identified subset.
  - 18. The computer program product as described in claim 16 wherein the transient secure computing environment is instantiated in a virtual machine uniquely associated with the data record.
  - 19. The computer program product as described in claim 18 wherein the information is encrypted with a key, the virtual machine using the key to decrypt the information within the transient secure computing environment.
  - 20. The computer program product as described in claim 18 wherein terminating the transient secure computing environment terminates the virtual machine.
  - 21. The computer program product as described in claim 16 wherein the method further includes enabling access to the transient secure computing environment via a machine associated with an individual, the individual having been authenticated and having an established need to access the information within the transient secure computing environment.
  - 22. The computer program product as described in claim 16 wherein the data record is a Problem Management Report (PMR).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Booth, Alan Edward, Bowers, Richard Gerald, Fox, James Edward, House, Daniel Edward
Primary Examiner(s)
Song, Hosuk

Application Number

US14/150,021
Publication Number

US 20150193637A1
Time in Patent Office

755 Days
Field of Search

713164-167, 713/189, 713/193, 726 16- 18, 726 26- 30
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6245   Protecting personal data, e...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/0209   Architectural arrangements,...

H04L 63/0428   wherein the data content is...

Provisioning transient-controlled secure environments for viewing sensitive data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning transient-controlled secure environments for viewing sensitive data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links