Virtual service provider zones
First Claim
1. A system, comprising:
a first data storage service comprising a plurality of data storage devices and a first web service interface configured to receive web service requests transmitted to the first web service interface, the first data storage service being configured to process the web service requests transmitted to the first web service interface using the plurality of data storage devices; and
a second data storage service, where the first data storage service is implemented with computing resources in a first set of one or more facilities operated by a computing resource service provider and the second data storage service is implemented with computing resources in a second set of one or more facilities that is geographically distinct from the first set of one or more facilities and operated by the computing resource service provider and the first data storage service is configured in accordance with a first set of regulations associated with a first legal jurisdiction and the second data storage service is configured in accordance with a second set of regulations that is different from the first set of regulations and associated with a second legal jurisdiction, the second data storage service comprising a second web service interface, the second data storage service configured to operate as a proxy to the first data storage service by at least:
receiving, at the second web service interface, a request from a requestor to store data, the request originating from a network not operated by the service provider;
encrypting the data using a cryptographic key inaccessible to the first data storage service;
transmitting the encrypted data to the first data storage service for persistent storage on behalf of the requestor; and
maintaining access to the cryptographic key while preventing access to the cryptographic key by the first data storage service.
Abstract
A service proxy serves as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.
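The store and retrieve flow the abstract describes, as an added Go example that is not taken from the patent. The in-memory `Backend`, the choice of AES-256-GCM, the nonce-prefixed blob layout and binding the object name as associated data are all assumptions of this sketch.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Backend stands in for the remote storage service: it only ever holds opaque bytes.
type Backend map[string][]byte
// Proxy owns the key (inside aead); nothing it hands to Backend contains it.
type Proxy struct {
	aead    cipher.AEAD
	backend Backend
}

func NewProxy(key []byte, b Backend) (*Proxy, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Proxy{aead, b}, err
}

// Put stores nonce||ciphertext||tag; the object name is bound as associated data (assumption).
func (p *Proxy) Put(name string, plaintext []byte) error {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p.backend[name] = p.aead.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Get decrypts what the backend returns; a modified or relocated blob fails authentication.
func (p *Proxy) Get(name string) ([]byte, error) {
	blob, n := p.backend[name], p.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("object %q missing or truncated", name)
	}
	return p.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	p, _ := NewProxy(make([]byte, 32), Backend{}) // constructed all-zero demo key
	p.Put("report.txt", []byte("constructed sample data"))
	out, err := p.Get("report.txt")
	fmt.Printf("%s %v\n", out, err)
}
```

Because the object name is authenticated, a storage service that swaps two stored blobs is detected at retrieval even though it never sees the key.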
27 Claims
6. A system, comprising:
one or more processors; and
memory comprising computer executable instructions that, when executed by the one or more processors, cause the system to:
operate, by a service provider, an application programming interface to which requests are submittable over a network, the request originating from a network not operated by the service provider; and
for each first request of at least a plurality of requests submitted to the application programming interface, process the first request by at least:
using a key to perform one or more cryptographic operations on data involved in processing the first request; and
transmitting, across a network, a second request to a service utilizing separate computing resources than the application programming interface that causes the service to perform one or more operations on the data in encrypted form wherein the separate computing resources are located in a first location governed by different regulations than a second location where the application programming interface is located, the service lacking access to the key and being configured to be independently configured to process the first request.
15. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions,
receiving, from a requestor at a network address of the one or more computer systems, an application programming interface request to perform one or more operations, where the network address originates from a network that is not operated by a service provider wherein the network is located in a first location governed by different regulations than a second location where the application programming interface is located; and
processing the application programming interface request by at least:
transmitting, over the network, a request to a service operated by the service provider that is configured to be independently configured to perform the one or more operations, the request being configured to cause the service to perform one or more service operations on encrypted data, the encrypted data being encrypted under a key that is inaccessible to the service; and
using the key to perform one or more cryptographic operations in connection with the encrypted data.
21. One or more non-transitory computer-readable storage media having collectively stored therein computer executable instructions that, when executed by one or more processors of a computer system, cause the computer system to:
provide an application programming interface accessible at a network address;
receive, at the application programming interface, an application programming interface request, from a requestor, to perform one or more operations on a set of data, the application programming interface request originating from a network that is not associated with the network address and governed by different regulations; and
fulfill the received application programming interface request, at least in part by:
causing at least a subset of the set of data to be encrypted under a key kept inaccessible to a remote service; and
utilizing the remote service operated by a service provider distinct from the requestor to perform at least a subset of the one or more operations on the set of data such that, for the subset of the set of data, the remote service has access to the subset of the set of data only in encrypted form.
Specification