Transparent encryption/decryption gateway for cloud storage services

US 9,306,917 B2
Filed: 01/09/2014
Issued: 04/05/2016
Est. Priority Date: 01/09/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A non-transitory computer-readable storage medium, comprising computer-readable program code embodied therewith which, when executed by a processor, causes the processor to:

intercept a data file from at least a portion of stream data during transmission of the stream data in the distributed computing system;

evaluate the data file for determining a communication protocol used for the stream data transmission;

evaluate the data file based on the communication protocol for determining a destination and a source of the data file;

responsive to determining the destination is the storage and the source is the client;

select a set of analysis algorithms from a plurality of predetermined analysis algorithms;

analyze the data file using each of the analysis algorithms of the set of analysis algorithms for determining whether the data file comprises sensitive data;

in response to a determination that the data file comprises sensitive data, replace payload content of the data file with encrypted payload data; and

transmit the data file to the storage,wherein replacing payload content of the data file with encrypted payload data comprises;

creating a data container;

encrypting the payload content of the data file using at least one encryption key;

storing the at least one encryption key;

storing the encrypted payload content in the data container;

augmenting or reducing a size of the payload content of the data container such that the size of the payload content of the data container equals a size of the payload content of the data file; and

replacing the payload content of the data file with the payload content of the data container.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism is provided for secure data storage in a distributed computing system by a client of the distributed computing system. A gateway device intercepts a data file from at least a portion of stream data during transmission. If the destination of the data file is the storage, the gateway device selects a set of analysis algorithms to determine whether the data file comprises sensitive data.

Citations

18 Claims

1. A non-transitory computer-readable storage medium, comprising computer-readable program code embodied therewith which, when executed by a processor, causes the processor to:
- intercept a data file from at least a portion of stream data during transmission of the stream data in the distributed computing system;
  
  evaluate the data file for determining a communication protocol used for the stream data transmission;
  
  evaluate the data file based on the communication protocol for determining a destination and a source of the data file;
  
  responsive to determining the destination is the storage and the source is the client;
  
  select a set of analysis algorithms from a plurality of predetermined analysis algorithms;
  
  analyze the data file using each of the analysis algorithms of the set of analysis algorithms for determining whether the data file comprises sensitive data;
  
  in response to a determination that the data file comprises sensitive data, replace payload content of the data file with encrypted payload data; and
  
  transmit the data file to the storage,wherein replacing payload content of the data file with encrypted payload data comprises;
  
  creating a data container;
  
  encrypting the payload content of the data file using at least one encryption key;
  
  storing the at least one encryption key;
  
  storing the encrypted payload content in the data container;
  
  augmenting or reducing a size of the payload content of the data container such that the size of the payload content of the data container equals a size of the payload content of the data file; and
  
  replacing the payload content of the data file with the payload content of the data container.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The non-transitory computer-readable storage medium according to claim 1, wherein the computer-readable program code further causes the processor to:
    - responsive to determining, the destination is the client and the source is the storage;
      
      determining whether the data file is encrypted in accordance with an encryption key of a plurality of stored encryption keys;
      
      responsive to determining the data file is encrypted with a stored encryption key, decrypting the data file using the stored encryption key; and
      
      transmitting the data file to the client in response to determining that the client satisfies a predefined authorization condition.
  - 3. The non-transitory computer-readable storage medium according to claim 1, wherein analyzing the data file using each of the analysis algorithms for determining whether the data file comprises sensitive data comprises;
    - determining a respective set of results;
      
      associating each result of the set of results with a number indicating whether the data file comprises sensitive or not sensitive data;
      
      calculating a weighted sum of the numbers indicating whether the data file comprises sensitive data using the predefined weights;
      
      comparing the weighted sum with a predetermined sensitivity threshold value.
  - 4. The non-transitory computer-readable storage medium according to claim 1, wherein the distributed computing system is a cloud computing system.
  - 5. The non-transitory computer-readable storage medium according to claim 1, wherein evaluating the data file for determining the communication protocol comprises:
    - determining that the data file is encrypted; and
      
      determining an encryption key used to encrypt the data file,wherein the method further comprises;
      
      responsive to determining the destination is the client and die source is the storage;
      
      decrypting the data file using the determined encryption key; and
      
      transmitting the data file to the client responsive to decrypting the data file.
  - 6. The non-transitory computer-readable storage medium according to claim 5, wherein in case the encryption key used to encrypt the data file is unknown the determining the encryption key comprises recovering during a predefined time period said encryption key using a Rainbow table.
  - 7. The non-transitory computer-readable storage medium according to claim 1, wherein the intercepting comprises:
    - sequentially intercepting date packets of the date file;
      
      determining if the data file is complete;
      
      in response to a determination that the data file is not complete, sending an acknowledgment message to the client for triggering further data transmission from the client.
  - 8. The non-transitory computer-readable storage medium according to claim 1, wherein the gateway device comprises a data structure of one or more entries comprising client category identifiers and corresponding encryption data, wherein replacing payload content of the data file with encrypted payload data comprises:
    - determining a client category identifier of the client;
      
      reading the data structure using the client category identifier; and
      
      determining the at least one encryption key based on the encryption data corresponding to the determined client category identifier.
  - 9. The non-transitory computer-readable storage medium according to claim 8, wherein the encryption data is indicative of an encryption strength in one or more levels of encryption.
  - 10. The non-transitory computer-readable storage medium according to claim 8, wherein determining the at least one encryption key comprises:
    - generating the at least one encryption key;
      
      orselecting the at least one encryption key from plurality of stored encryption key.
  - 11. The non-transitory computer-readable storage medium according claim 1, wherein the plurality of analysis algorithms comprises an analysis algorithm for identifying sensitive data in the payload content of the data file by comparing the payload content of the data, file with sensitive date pattern definitions stored in file distributed computing system.
  - 12. The non-transitory computer-readable storage medium according to claim 1, wherein the plurality of analysis algorithms further comprises a Reverse Spam Analysis algorithm.
  - 13. The non-transitory computer-readable storage medium according to claim 12, wherein analysis of the data file using the Reverse Spam Analysis algorithm comprises:
    - providing reference data for sensitive and non-sensitive data respectively;
      
      processing the reference data by a statistical learning technique for generating weights to denote sensitive and non-sensitive data;
      
      using the generated weights for determining whether the payload content of the data file comprises sensitive data.
  - 14. The non-transitory computer-readable storage medium according to claim 2, wherein the distributed computing system comprises an access control list associated with the data file, the access control list comprising client identifiers of clients having access to the data file, wherein transmitting the data file to the client comprises:
    - identifying a client identifier of the client, wherein the predefined authorization condition is satisfied if the access control list comprises the client Identifier.

15. A gateway device for secure data storage in a storage in a distributed computing system the gateway device comprising a memory for storing machine executable instructions and a processor for controlling the gateway device, wherein execution of the machine executable instructions causes the processor to:
- intercept a data file from at least a portion of stream data during transmission of the stream data in the distributed computing system;
  
  evaluate the data file for determining a communication protocol used for the stream data transmission;
  
  evaluate the data file based on the communication protocol for determining a destination and a source of the data file;
  
  responsive to determining the destination is the storage and the source is the client;
  
  select a set of analysis algorithms from a plurality of predetermined analysis algorithms;
  
  analyze the data file using each of the analysis algorithms of the set of analysis algorithms for determining whether the data file comprises sensitive data;
  
  in response to a determination that the data file comprises sensitive data, replace payload content of the data file with encrypted payload data; and
  
  transmit the data file to the storage,wherein replacing payload content of the data file with encrypted payload data comprises;
  
  creating a data container;
  
  encrypting the payload content of the data file using at least one encryption key;
  
  storing the at least one encryption key;
  
  storing the encrypted payload content in the data container;
  
  augmenting or reducing a size of the payload content of the data container such that the size of the payload content of the data container equals a size of the payload content of the data file; and
  
  replacing the payload content of the data file with the payload content of the data container.
- View Dependent Claims (16, 17, 18)
- - 16. The gateway device according to claim 15, wherein the gateway device comprises a data structure of one or more entries comprising client category identifiers and corresponding encryption data, wherein replacing payload content of the data file with encrypted payload data comprises:
    - determining a client category identifier of the client;
      
      reading the data structure using the client category identifier, anddetermining the at least one encryption key based on the encryption data corresponding to the determined client category identifier.
  - 17. The gateway device according to claim 15, execution of the machine executable instructions further causes the processor to:
    - responsive to determining the destination is the client and the source is the storage;
      
      determining whether the data file is encrypted in accordance with an encryption key of a plurality of stored encryption keys;
      
      responsive to determining the data file is encrypted with a stored encryption key, decrypting the data file using the stored encryption key; and
      
      transmitting the data file to the client in response to determining that the client satisfies a predefined authorization condition.
  - 18. The gateway device according to claim 15, wherein analyzing the data file using each of the analysis algorithms for determining whether the data file comprises sensitive data comprises:
    - determining a respective set of results;
      
      associating each result of the set of results with a number indicating whether the data file comprises sensitive or not sensitive data;
      
      calculating a weighted sum of the numbers indicating whether the data file comprises sensitive data using the predefined weights;
      
      comparing the weighted sum with a predetermined sensitivity threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Brugger, Dominik W., Seul, Matthias
Primary Examiner(s)
Ho, Dao

Application Number

US14/150,894
Publication Number

US 20140195798A1
Time in Patent Office

817 Days
Field of Search

713/153
US Class Current

1/1
CPC Class Codes

G06F 21/60   Protecting data

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

Transparent encryption/decryption gateway for cloud storage services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent encryption/decryption gateway for cloud storage services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links