Method and system for secure deployment of information technology (IT) solutions in untrusted environments

US 9,336,363 B2
Filed: 01/21/2014
Issued: 05/10/2016
Est. Priority Date: 01/21/2014
Status: Active Grant

First Claim

Patent Images

1. A system operable to shield data into shielded data, the system comprising:

a hardware processor;

logic instructions stored on computer readable storage media and executable by the hardware processor, the logic instructions being configured to include;

a trusted agent operable in a trusted computing environment, wherein the trusted agent includes a transformation knowledge key generator and a data transformer,wherein the transformation knowledge key generator is operable to generate a transformation knowledge key, the transformation knowledge key being generated using at least two shielding algorithms to shield the data into the shielded data, wherein the transformation knowledge key is configured to include transformation expressions corresponding to each one of the at least two algorithms, wherein the transformation expressions are configured to include transformation operators, the transformation knowledge key being configurable to include a nested instance of another transformation operators corresponding to another transformation knowledge key,wherein the data transformer is operable to transform the data into N segments of the shielded data using corresponding N instances of the transformation knowledge key, N being a positive integer, wherein the trusted agent is configured to store the N instances of the transformation knowledge key and at least one segment of the N segments of the shielded data in the trusted computing environment; and

a communications agent securely coupled to the trusted agent, the communications agent being operable to communicate the N segments of the shielded data for storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are techniques related to shielding data, thereby enabling the shielded data to be distributively placed in untrusted computing environments for cost effective storage. A method and system may include a trusted agent operable in a trusted computing environment. The trusted agent includes a transformation knowledge key generator and a data transformer. The transformation knowledge key generator is operable to generate a transformation knowledge key, the transformation knowledge key being generated with at least two shielding algorithms to shield the data. The data transformer is operable to transform the data into N segments of shielded data using the transformation knowledge key. A communications agent securely coupled to the trusted agent is operable to securely transfer one or more of the N segments of shielded data to one or more storage devices in untrusted computing environments.

21 Citations

38 Claims

1. A system operable to shield data into shielded data, the system comprising:
- a hardware processor;
  
  logic instructions stored on computer readable storage media and executable by the hardware processor, the logic instructions being configured to include;
  
  a trusted agent operable in a trusted computing environment, wherein the trusted agent includes a transformation knowledge key generator and a data transformer,wherein the transformation knowledge key generator is operable to generate a transformation knowledge key, the transformation knowledge key being generated using at least two shielding algorithms to shield the data into the shielded data, wherein the transformation knowledge key is configured to include transformation expressions corresponding to each one of the at least two algorithms, wherein the transformation expressions are configured to include transformation operators, the transformation knowledge key being configurable to include a nested instance of another transformation operators corresponding to another transformation knowledge key,wherein the data transformer is operable to transform the data into N segments of the shielded data using corresponding N instances of the transformation knowledge key, N being a positive integer, wherein the trusted agent is configured to store the N instances of the transformation knowledge key and at least one segment of the N segments of the shielded data in the trusted computing environment; and
  
  a communications agent securely coupled to the trusted agent, the communications agent being operable to communicate the N segments of the shielded data for storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 2. The system as recited in claim 1 further comprising:
    - at least one remote agent coupled to the trusted agent, the at least one remote agent operable in an untrusted computing environment, wherein the trusted agent is configured to store I ones of the N segments of shielded data in the trusted environment, wherein the at least one remote agent is configured to store J ones of the N segments of the shielded data in the untrusted environment, wherein I+J=N, and wherein I, and J are non-negative integers, wherein the transformation operators includes a split data operator operable to split the shielded data into the I ones of the N segments of shielded data for storage in the trusted computing environment and the J ones of the N segments of the shielded data for storage in the untrusted computing environment, wherein the nested instance of the transformation knowledge key includes the split data operator.
  - 3. The system as recited in claim 2, wherein the data transformer receives the J ones of the N segments of shielded data from the at least one remote agent in response to a request, wherein the data transformer reconstructs the data from I ones of the N segments of shielded data stored in the trusted environment and the J ones of the N segments of shielded data received from the at least one remote agent using the N instances of the transformation knowledge key.
  - 4. The system as recited in claim 2, wherein the at least one remote agent is configured as (N−
    - I) remote agents coupled to the trusted agent, wherein the (N−
      
      I) remote agents are operable in (N−
      
      I) instances of the untrusted environment, wherein the J ones of the N segments of the shielded data are distributively stored in the (N−
      
      I) remote agents.
  - 5. The system as recited in claim 4, wherein I=1 and J=N−
    - 1, wherein (N−
      
      1) segments of shielded data are transferred to (N−
      
      1) remote agents.
  - 6. The system as recited in claim 2, wherein the communications agent is operable to send to the at least one remote agent transformation logic data to interpret the transformation knowledge key and the transformation knowledge key.
  - 7. The system as recited in claim 6, wherein the at least one remote agent reconstructs the data from the N segments of shielded data using the transformation logic data and the transformation knowledge key.
  - 8. The system as recited in claim 6, wherein the trusted agent is configured to change the transformation logic data and the transformation knowledge key communicated to the at least one remote agent, the change being made in dependence of a transaction of the at least one remote agent.
  - 9. The system as recited in claim 6, wherein the trusted agent is configured to change the transformation logic data and the transformation knowledge key communicated to the at least one remote agent, the change being made in dependence of a configurable timer value.
  - 10. The system as recited in claim 1, wherein the data transformer is operable to split the data into N segments of partially shielded data and transform the N segments of the partially shielded data into the N segments of shielded data using the N instances of the transformation knowledge key.
  - 11. The system as recited in claim 2, wherein the at least one remote agent is configured as a storage agent, the storage agent being configured to access storage components using published application programming interfaces (API'"'"'s) for the storage components.
  - 12. The system as recited in claim 2, wherein the at least one remote agent is configured as a compute agent, the compute agent being configured to communicate data associated with an application software program, the data being communicated to the trusted agent via a secure communications agent.
  - 13. The system as recited in claim 2, wherein the trusted computing environment is controlled by a trusted entity and the untrusted computing environment is controlled by a third party that is different than the trusted entity.
  - 14. The system as recited in claim 2, wherein the N instances of the transformation knowledge key are shielded and stored in the trusted computing environment.
  - 15. The system as recited in claim 1, wherein each one of the at least two shielding algorithms is configured to generate a data byte string, the transformation knowledge key being generated by concatenation of each one of the data byte string in a configurable order.
  - 16. The system as recited in claim 15, wherein the at least two shielding algorithms are configured by selecting codes representing at least two shielding algorithms selectable from a library of shielding algorithms, the data byte string being generated by concatenating the codes.
  - 17. The system as recited in claim 16, wherein a policy engine agent is configured to make a change in the trusted agent, the policy engine agent being operable to add a new shielding algorithm to the library of shielding algorithms, wherein the policy engine agent resides exclusively in the trusted environment.
  - 18. The system as recited in claim 1, wherein one of the at least two shielding algorithms is different than an encryption key type shielding algorithm.
  - 19. The system as recited in claim 1, wherein the transformation knowledge key is unique to each instance of the storage.
  - 20. The system as recited in claim 19, wherein the transformation knowledge key generator and all instances of the transformation knowledge key exclusively reside in the trusted environment.
  - 21. The system as recited in claim 1, wherein the communications agent is configured to select one or more simultaneous channels of communications from N channels of communications available to communicate any segment of the N segments of shielded data.
  - 28. The system as recited in claim 1, wherein the transformation knowledge key is an ordered sequence of operations that are progressively performed by the data transformer for shielding the data into the shielded data.
  - 29. The system as recited in claim 28, wherein the ordered sequence of operations is dynamically generated by the data transformer in real-time to include the nested instance.
  - 30. The system as recited in claim 16, wherein the configurable order is dynamically generated by the transformation knowledge key generator in real-time.
  - 31. The system as recited in claim 16, wherein the data transformer is configured to process the codes making up the transformation knowledge key in an order that is reverse of the configurable order to reconstruct the data from the N segments of the shielded data.
  - 32. The system as recited in claim 16, wherein the transformation knowledge key generator is configurable to generate permutations of the codes in real-time.
  - 33. The system as recited in claim 3, wherein the reconstruction of the data from the shielded data is virtually impossible in absence of any segment of the shielded data from the N segments of the shielded data.
  - 34. The system as recited in claim 3, wherein the reconstruction of the data from the shielded data is virtually impossible in absence of a corresponding one of the N instances of the transformation knowledge key.
  - 35. The system as recited in claim 16, wherein the nested instance is included in the transformation knowledge key in response to a selection of the at least two shielding algorithms from the library of shielding algorithms.
  - 36. The system as recited in claim 35, wherein the selection includes a data splitting type algorithm.
  - 37. The system as recited in claim 16, wherein the another transformation knowledge key is configured to include the at least two shielding algorithms.
  - 38. The system as recited in claim 16, wherein the another transformation knowledge key is configured to include a different set of the at least two shielding algorithms from the library of shielding algorithms.

22. A method of shielding data, the method comprising:
- generating a transformation knowledge key in a trusted computing environment, the transformation knowledge key being generated with at least two shielding algorithms to shield the data, wherein the transformation knowledge key is configured to include transformation expressions corresponding to each one of the at least two algorithms, wherein the transformation expressions are configured to include transformation operators, the transformation knowledge key being configurable to include a nested instance of another transformation operators corresponding to another transformation knowledge key;
  
  transforming the data into N segments of the shielded data using corresponding N instances of the transformation knowledge key, N being a positive integer, wherein the trusted agent is configured to store the N instances of the transformation knowledge key and at least one segment of the N segments of the shielded data in the trusted computing environment; and
  
  communicating the at least one segment of shielded data for storage, wherein at least one of the generating, transforming and communicating steps is implemented by a computer processor.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The method as recited in claim 22, further comprising:
    - receiving the at least one segment of shielded data from the storage;
      
      reconstructing the data from the at least one segment of shielded data using the transformation knowledge key.
  - 24. The method as recited in claim 22, wherein the transforming further comprises:
    - splitting the at least one segment of shielded data into N sub-segments of shielded data;
      
      storing I ones of the N sub-segments in the trusted environment;
      
      communicating J ones of the N sub-segments of shielded data for storage in an untrusted environment, wherein I+J=N, wherein I, J and N are non-negative integers;
      
      receiving the J ones of the N sub-segments of shielded data from the untrusted locations in response to a request; and
      
      reconstructing the data from the I ones and the J ones of the N sub-segments of shielded data from the trusted locations and the untrusted locations respectively using the transformation knowledge key.
  - 25. The method as recited in claim 22, wherein the transforming further comprises:
    - splitting the data into N sub-segments of data using the transformation knowledge key;
      
      transforming the N sub-segments of data into corresponding N sub-segments of shielded data using the transformation knowledge key;
      
      storing I ones of the N sub-segments of shielded data in the trusted environment;
      
      communicating J ones of the N sub-segments of shielded data for storage in an untrusted environment, wherein I+J=N, wherein I, J and N are non-negative integers;
      
      receiving the J ones of the N sub-segments of shielded data from the storage in the untrusted environment in response to a request; and
      
      reconstructing the data from the from the I ones and the J ones of the N sub-segments of shielded data from the trusted locations and the untrusted locations respectively using the transformation knowledge key.
  - 26. The method as recited in claim 22, further comprising:
    - configuring each one of the at least two shielding algorithms to generate a data byte string;
      
      concatenating each one of the data byte string in a configurable sequence to generate the transformation knowledge key.

27. One or more non-transitory computer-readable storage media storing instructions that, when executed by one or more processors, cause the one or more processors to perform acts comprising:
- generating a transformation knowledge key in the trusted computing environment, the transformation knowledge key being generated with at least two shielding algorithms to shield the data, wherein the transformation knowledge key is configured to include transformation expressions corresponding to each one of the at least two algorithms, wherein the transformation expressions are configured to include transformation operators, the transformation knowledge key being configurable to include a nested instance of another transformation operators corresponding to another transformation knowledge key;
  
  transforming the data into N segments of the shielded data using corresponding N instances of the transformation knowledge key, N being a positive integer, wherein the trusted agent is configured to store the N instances of the transformation knowledge key and at least one segment of the N segments of the shielded data in the trusted computing environment; and
  
  communicating the at least one segment of shielded data for storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cofactor Computing LLC
Original Assignee
Cofactor Computing LLC
Inventors
Sathaye, Sumedh Wasudeo, Deshmukh, Nitin Sadashiv
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US14/160,539
Publication Number

US 20150205939A1
Time in Patent Office

840 Days
Field of Search

713164-167, 713189-194, 380258- 30, 707640-653, 707661-686
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/60   Protecting data

G06F 21/62   Protecting access to data v...

H04L 63/0428   wherein the data content is...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Method and system for secure deployment of information technology (IT) solutions in untrusted environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for secure deployment of information technology (IT) solutions in untrusted environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links