Method and system for providing a secure secrets proxy

US 9,396,338 B2
Filed: 10/15/2013
Issued: 07/19/2016
Est. Priority Date: 10/15/2013
Status: Active Grant

First Claim

Patent Images

1. A system for providing a secure secrets proxy comprising:

at least one processor; and

at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for providing a secure secrets proxy, the process for providing a secure secrets proxy including;

providing a secure secrets proxy in a first computing environment, the secure secrets proxy being a virtual asset instantiated in the first computing environment, the first computing environment being a cloud environment, the virtual asset being an instance of dynamically allocatable computing resources that are instantiated in the cloud environment, the secure secrets proxy enabling secure decentralization of secrets data from a second computing environment to the cloud environment to decrease access latency for the secrets data from the cloud environment, the secure secrets proxy including secure secrets proxy authentication data, the secure secrets proxy authentication data for identifying the secure secrets proxy as a trusted virtual asset in the first computing environment, the secure secrets proxy authentication data including hardware identification data identifying underlying hardware on which the secure secrets proxy is running;

providing a secrets distribution management system, the secrets distribution management system being in the second computing environment, the secrets distribution management system having access to the secrets data representing one or more secrets, the secrets distribution management system controlling the distribution of the one or more secrets in accordance with one or more secrets distribution policies;

the secure secrets proxy providing the secure secrets proxy authentication data to the secrets distribution management system;

the secrets distribution management system authenticating the secure secrets proxy by comparing the hardware identification data with data obtained via a cloud provider of the cloud environment;

the secrets distribution management system identifying the secure secrets proxy as a trusted virtual asset eligible to cache secrets data in a secure secrets cache outside the second computing environment, the secure secrets cache being a data store that is outside the second computing environment;

the secure secrets proxy generating cache secrets request data representing a request for data representing one or more requested secrets to be cached in the secure secrets cache;

the secure secrets proxy providing the cache secrets request data to the secrets distribution management system; and

in response to the cache secrets request data, the secrets distribution management system providing data representing the one or more requested secrets to the secure secrets cache.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure secrets proxy is instantiated in a first computing environment and includes secure secrets proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache secrets data in a secure secrets cache outside the second computing environment. The secure secrets proxy requests one or more secrets to be cached and is then provided data representing the requested secrets in the secure secrets cache. The secure secrets proxy then receives secrets application request data from a second virtual asset instantiated in the first computing environment requesting one or more secrets be applied to second virtual asset data. The secure secrets proxy then obtains the required secrets from the secure secrets cache and coordinates the application of the secrets to the second virtual asset data.

86 Citations

View as Search Results

21 Claims

1. A system for providing a secure secrets proxy comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for providing a secure secrets proxy, the process for providing a secure secrets proxy including;
  
  providing a secure secrets proxy in a first computing environment, the secure secrets proxy being a virtual asset instantiated in the first computing environment, the first computing environment being a cloud environment, the virtual asset being an instance of dynamically allocatable computing resources that are instantiated in the cloud environment, the secure secrets proxy enabling secure decentralization of secrets data from a second computing environment to the cloud environment to decrease access latency for the secrets data from the cloud environment, the secure secrets proxy including secure secrets proxy authentication data, the secure secrets proxy authentication data for identifying the secure secrets proxy as a trusted virtual asset in the first computing environment, the secure secrets proxy authentication data including hardware identification data identifying underlying hardware on which the secure secrets proxy is running;
  
  providing a secrets distribution management system, the secrets distribution management system being in the second computing environment, the secrets distribution management system having access to the secrets data representing one or more secrets, the secrets distribution management system controlling the distribution of the one or more secrets in accordance with one or more secrets distribution policies;
  
  the secure secrets proxy providing the secure secrets proxy authentication data to the secrets distribution management system;
  
  the secrets distribution management system authenticating the secure secrets proxy by comparing the hardware identification data with data obtained via a cloud provider of the cloud environment;
  
  the secrets distribution management system identifying the secure secrets proxy as a trusted virtual asset eligible to cache secrets data in a secure secrets cache outside the second computing environment, the secure secrets cache being a data store that is outside the second computing environment;
  
  the secure secrets proxy generating cache secrets request data representing a request for data representing one or more requested secrets to be cached in the secure secrets cache;
  
  the secure secrets proxy providing the cache secrets request data to the secrets distribution management system; and
  
  in response to the cache secrets request data, the secrets distribution management system providing data representing the one or more requested secrets to the secure secrets cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system for providing a secure secrets proxy of claim 1 wherein the first computing environment is an untrusted computing environment.
  - 3. The system for providing a secure secrets proxy of claim 1 wherein the secure secrets proxy is a virtual asset generated in the untrusted computing environment.
  - 4. The system for providing a secure secrets proxy of claim 1 wherein the second computing environment is a trusted computing environment.
  - 5. The system for providing a secure secrets proxy of claim 1 wherein the second computing environment is a data center network.
  - 6. The system for providing a secure secrets proxy of claim 1 wherein the secure secrets proxy authentication data includes data representing an authentication mechanism consisting of:
    - loading specified datum from a specified storage service onto the secure secrets proxy and then providing the specified datum to confirm the identity of the secure secrets proxy.
  - 7. The system for providing a secure secrets proxy of claim 1 wherein the secrets data includes data representing one or more secrets selected from the group of secrets consisting of:
    - usernames;
      
      passwords;
      
      passphrases;
      
      encryption keys;
      
      digital certificates;
      
      multifactor authentication data;
      
      account numbers;
      
      identification numbers; and
      
      any combination thereof.
  - 8. The system for providing a secure secrets proxy of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the type of computing environment represented by the first computing environment.
  - 9. The system for providing a secure secrets proxy of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the types of virtual assets in the first computing environment.
  - 10. The system for providing a secure secrets proxy of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the capabilities of the virtual assets in the first computing environment.
  - 11. The system for providing a secure secrets proxy of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the reputation profiles of the virtual assets in the first computing environment.
  - 12. The system for providing a secure secrets proxy of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the resources associated with the virtual assets in the first computing environment.
  - 13. The system for providing a secure secrets proxy of claim 1 wherein the secure secrets proxy provides the secure secrets proxy authentication data to the secrets distribution management system via a secure communications channel.
  - 14. The system for providing a secure secrets proxy of claim 13 wherein the secure communications channel is an authenticated Secure Sockets Layer (SSL) communications channel.
  - 15. The system for providing a secure secrets proxy of claim 13 wherein the secure communications channel is any private communications channel.
  - 16. The system for providing a secure secrets proxy of claim 1 wherein the secure secrets cache is a secrets data store outside the second computing environment.
  - 17. The system for providing a secure secrets proxy of claim 1 wherein the secure secrets cache is a data cache in the secure secrets proxy.
  - 18. The system for providing a secure secrets proxy of claim 1 further comprising:
    - a second virtual asset instantiated in the first computing environment, the second virtual asset generating secrets application request data requesting that one or more secrets be applied to second virtual asset data associated with the second virtual asset;
      
      the secure secrets proxy receiving the secrets application request data;
      
      the secure secrets proxy authenticating the second virtual asset;
      
      the secure secrets proxy obtaining the secrets associated with the secrets application request data from the secure secrets cache; and
      
      the secure secrets proxy coordinating the application of the secrets associated with the secrets application request data to the second virtual asset data.
  - 19. The system for providing a secure secrets proxy of claim 18 wherein the second virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      an instance in a cloud infrastructure;
      
      a cloud infrastructure access system;
      
      a mobile device;
      
      a remote sensor;
      
      a laptop;
      
      a desktop;
      
      a point-of-sale device;
      
      an ATM;
      
      an electronic voting machine; and
      
      a database.

20. A secure secrets proxy, the secure secrets proxy being a virtual asset instantiated in a first computing environment, the secure secrets proxy including:
- secure secrets proxy authentication logic, the secure secrets proxy authentication logic for generating secure secrets proxy authentication data identifying the secure secrets proxy as a trusted virtual asset in the first computing environment, the first computing environment being a cloud environment, the trusted virtual asset being an instance of dynamically allocatable computing resources that are instantiated in the cloud environment, the secure secrets proxy enabling secure decentralization of secrets data from a second computing environment to the cloud environment to decrease access latency for the secrets data from within the cloud environment, the secure secrets proxy authentication data including hardware identification data identifying underlying hardware on which the secure secrets proxy is running;
  
  a secrets distribution management system in the second computing environment, the secrets distribution management system having access to the secrets data representing one or more secrets, the secrets distribution management system controlling the distribution of the one or more secrets in accordance with one or more secrets distribution policies, the secrets distribution management system authenticating the secure secrets proxy as the trusted virtual asset by comparing the hardware identification data with data obtained via a cloud provider of the cloud environment;
  
  a secure secrets cache that is a data store that is outside of the second computing environment;
  
  secure secrets proxy cache secrets request data generation logic for generating cache secrets request data representing a request for data representing one or more requested secrets to be cached in the secure secrets cache;
  
  secure secrets proxy cache secrets request data transmission logic for providing the cache secrets request data to the secrets distribution management system; and
  
  requested secrets receipt and caching logic for receiving and storing data representing the one or more requested secrets to be cached in the secure secrets cache.
- View Dependent Claims (21)
- - 21. The secure secrets proxy of claim 20 further comprising:
    - secure secrets proxy secrets application request data receipt logic for receiving secrets application request data from a second virtual asset instantiated in the first computing environment, the second virtual asset requiring the application of one or more secrets to second virtual asset data provided through the second virtual asset, the secrets application request data representing a request that one or more secrets be applied to the second virtual asset data;
      
      secure secrets proxy cached secrets retrieval logic for retrieving the secrets associated with the secrets application request data from the secure secrets cache;
      
      secure secrets proxy secrets application logic for coordinating the application of the secrets associated with the secrets application request data to the second virtual asset data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Cabrera, Luis Felipe, Lietz, M. Shannon
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/054,450
Publication Number

US 20150106620A1
Time in Patent Office

1,008 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/00   Network architectures or ne...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/20   for managing network securi...

H04L 9/083   involving central third par...

H04L 9/088   Usage controlling of secret...

Method and system for providing a secure secrets proxy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing a secure secrets proxy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links