Method and system for automatically managing secrets in multiple data security jurisdiction zones

US 9,467,477 B2
Filed: 11/06/2013
Issued: 10/11/2016
Est. Priority Date: 11/06/2013
Status: Active Grant

First Claim

Patent Images

1. A system for automatically managing secrets in a plurality of data security jurisdiction zones comprising:

at least one memory coupled to one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for automatically managing secrets in the plurality of data security jurisdiction zones, the process for automatically managing secrets in the plurality of data security jurisdiction zones including;

obtaining data security policy data for the plurality of data security jurisdiction zones, the data security policy data for the plurality of data security jurisdiction zones including data indicating allowed secrets data for each respective data security jurisdiction zone of the plurality of data security jurisdiction zones and prohibited secrets data for each respective data security jurisdiction zone of the plurality of data security jurisdiction zones, the allowed secrets data for each respective data security jurisdiction zone representing one or more secrets allowed to be used to protect data in the respective data security jurisdiction zone, the prohibited secrets data for each respective data security jurisdiction zone of the plurality of data security jurisdiction zones representing one or more secrets that are not allowed to be used to protect data in the respective data security jurisdiction zone;

obtaining secrets request data representing a request that secrets data be transferred to a resource;

automatically determining a data security jurisdiction zone of the resource;

automatically obtaining a portion of the data security policy data corresponding to the data security jurisdiction zone of the resource;

automatically analyzing the portion of the data security policy data corresponding to the data security jurisdiction zone of the resource to determine the allowed secrets data with respect to the data security jurisdiction zone of the resource;

identifying one or more secret data classes by classifying the allowed secrets data according to a level of security provided by the allowed secrets data;

obtaining the allowed secrets data within the one or more secret data classes with respect to the data security jurisdiction zone of the resource; and

automatically providing the obtained allowed secrets data with respect to the data security jurisdiction zone of the resource to the resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data security jurisdiction zones are identified and data security policy data for the data security jurisdiction zones is obtained. The data security policy data for the data security jurisdiction zones is then automatically analyzed to determine allowed secrets data with respect to each of the identified data security jurisdiction zones. The allowed secrets data with respect to each of the data security jurisdiction zones is then automatically obtained and provided to resources in the respective data security jurisdiction zones, either from a central secrets data store or from an allowed secrets data store associated with each data security jurisdiction zone.

Citations

26 Claims

1. A system for automatically managing secrets in a plurality of data security jurisdiction zones comprising:
- at least one memory coupled to one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for automatically managing secrets in the plurality of data security jurisdiction zones, the process for automatically managing secrets in the plurality of data security jurisdiction zones including;
  
  obtaining data security policy data for the plurality of data security jurisdiction zones, the data security policy data for the plurality of data security jurisdiction zones including data indicating allowed secrets data for each respective data security jurisdiction zone of the plurality of data security jurisdiction zones and prohibited secrets data for each respective data security jurisdiction zone of the plurality of data security jurisdiction zones, the allowed secrets data for each respective data security jurisdiction zone representing one or more secrets allowed to be used to protect data in the respective data security jurisdiction zone, the prohibited secrets data for each respective data security jurisdiction zone of the plurality of data security jurisdiction zones representing one or more secrets that are not allowed to be used to protect data in the respective data security jurisdiction zone;
  
  obtaining secrets request data representing a request that secrets data be transferred to a resource;
  
  automatically determining a data security jurisdiction zone of the resource;
  
  automatically obtaining a portion of the data security policy data corresponding to the data security jurisdiction zone of the resource;
  
  automatically analyzing the portion of the data security policy data corresponding to the data security jurisdiction zone of the resource to determine the allowed secrets data with respect to the data security jurisdiction zone of the resource;
  
  identifying one or more secret data classes by classifying the allowed secrets data according to a level of security provided by the allowed secrets data;
  
  obtaining the allowed secrets data within the one or more secret data classes with respect to the data security jurisdiction zone of the resource; and
  
  automatically providing the obtained allowed secrets data with respect to the data security jurisdiction zone of the resource to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 1 wherein at least one of the plurality of data security jurisdiction zones is selected from the group of data security jurisdiction zones consisting of:
    - a geographic region data security jurisdiction zone;
      
      a political region data security jurisdiction zone;
      
      a security based data security jurisdiction zone;
      
      a computing environment data security jurisdiction zone;
      
      a computing sub-environment data security jurisdiction zone within a computing environment data security jurisdiction zone; and
      
      any combination thereof.
  - 3. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 1 wherein the data security policy data for the identified data security jurisdiction zones includes data indicating allowed encryption levels within the identified data security jurisdiction zones.
  - 4. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 1 wherein the secrets request data represents a request for encryption key data to be transferred to the resource.
  - 5. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 1 wherein the allowed secrets data with respect to the data security jurisdiction zone of the resource is allowed encryption key data including at least one encryption key in compliance with the portion of the data security policy data corresponding to the data security jurisdiction zone of the resource.
  - 6. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 5 wherein at least one encryption key represented by the allowed encryption key data is selected from the group of encryption keys consisting of:
    - a public encryption key;
      
      a private encryption key;
      
      a symmetric encryption key;
      
      an asymmetric encryption key;
      
      a public pre-placed encryption key;
      
      a private pre-placed encryption key;
      
      a 40-bit encryption key;
      
      any length encryption keys;
      
      an authentication encryption key;
      
      a benign encryption key;
      
      a content-encryption key (CEK);
      
      a cryptovariable encryption key;
      
      a derived encryption key;
      
      an electronic encryption key;
      
      an ephemeral encryption key;
      
      a key encryption key (KEK);
      
      a key production encryption key (KPK);
      
      a FIREFLY encryption key;
      
      a master encryption key;
      
      a message encryption key (MEK);
      
      a RED encryption key;
      
      a session encryption key;
      
      a traffic encryption key (TEK);
      
      a transmission security encryption key (TSK);
      
      a seed encryption key;
      
      a signature encryption key;
      
      a stream encryption key;
      
      a Type 1 encryption key;
      
      a Type 2 encryption key;
      
      a Vernam encryption key;
      
      a zeroized encryption key; and
      
      any combination thereof.
  - 7. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 1 wherein the allowed secrets data with respect to the data security jurisdiction zone of the resource is automatically transferred to a secrets data store in the data security jurisdiction zone of the resource accessible by the resource.
  - 8. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 1 wherein the resource is selected from the group of resources consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a laptop computing system;
      
      part of a desktop computing system;
      
      part of a point-of-sale computing system;
      
      part of an ATM; and
      
      part of an electronic voting machine computing system.
  - 9. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 1 wherein the data security policy data for the data security jurisdiction zones is obtained from a data security policy manager.
  - 10. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 1 wherein the data security policy data for the data security jurisdiction zones is updated automatically.

11. A system for automatically managing secrets in a plurality of data security jurisdiction zones comprising:
- one or more processors; and
  
  at least one memory coupled to the one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for automatically managing secrets in a plurality of data security jurisdiction zones, the process for automatically managing the secrets in the plurality of data security jurisdiction zones including;
  
  obtaining data security policy data for the plurality of data security jurisdiction zones, the data security policy data for the plurality of data security jurisdiction zones including data indicating allowed secrets data for each respective data security jurisdiction zone of the plurality of data security jurisdiction zones and prohibited secrets data for each respective data security jurisdiction zone of the plurality of data security jurisdiction zones, the allowed secrets data for each respective data security jurisdiction zone representing one or more secrets allowed to be used to protect data in the respective data security jurisdiction zone, the prohibited secrets data for each respective data security jurisdiction zone of the plurality of data security jurisdiction zones representing one or more secrets that are not allowed to be used to protect data in the respective data security jurisdiction zone;
  
  for each data security jurisdiction zone of the plurality of data security jurisdiction zones, automatically analyzing a portion of the data security policy data corresponding to the data security jurisdiction zone to determine the allowed secrets data with respect to the data security jurisdiction zone;
  
  identifying one or more secret data classes by classifying the allowed secrets data according to a level of security provided by the allowed secrets data;
  
  for each data security jurisdiction zone of the plurality of data security jurisdiction zones, automatically obtaining the allowed secrets data within the one or more secret data classes with respect to the data security jurisdiction zone; and
  
  for each data security jurisdiction zone of the plurality of data security jurisdiction zones, automatically pre-deploying the allowed secrets data within the one or more secret data classes for the data security jurisdiction zone to an allowed secrets data store associated with the data security jurisdiction zone.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 11 wherein at least one of the plurality of data security jurisdiction zones is selected from the group of data security jurisdiction zones consisting of:
    - a geographic region data security jurisdiction zone;
      
      a political region data security jurisdiction zone;
      
      a security based data security jurisdiction zone;
      
      a computing environment data security jurisdiction zone;
      
      a computing sub-environment data security jurisdiction zone within a computing environment data security jurisdiction zone; and
      
      any combination thereof.
  - 13. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 11 wherein the data security policy data for the data security jurisdiction zones includes data indicating allowed encryption levels within the data security jurisdiction zones.
  - 14. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 11 wherein the allowed secrets data is allowed encryption key data including at least one encryption key in compliance with the data security policy data for the data security jurisdiction zones.
  - 15. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 14 wherein at least one encryption key represented by the allowed encryption key data is selected from the group of encryption keys consisting of:
    - a public encryption key;
      
      a private encryption key;
      
      a symmetric encryption key;
      
      an asymmetric encryption key;
      
      a public pre-placed encryption key;
      
      a private pre-placed encryption key;
      
      a 40-bit encryption key;
      
      any length encryption keys;
      
      an authentication encryption key;
      
      a benign encryption key;
      
      a content-encryption key (CEK);
      
      a cryptovariable encryption key;
      
      a derived encryption key;
      
      an electronic encryption key;
      
      an ephemeral encryption key;
      
      a key encryption key (KEK);
      
      a key production encryption key (KPK);
      
      a FIREFLY encryption key;
      
      a master encryption key;
      
      a message encryption key (MEK);
      
      a RED encryption key;
      
      a session encryption key;
      
      a traffic encryption key (TEK);
      
      a transmission security encryption key (TSK);
      
      a seed encryption key;
      
      a signature encryption key;
      
      a stream encryption key;
      
      a Type 1 encryption key;
      
      a Type 2 encryption key;
      
      a Vernam encryption key;
      
      a zeroized encryption key; and
      
      any combination thereof.
  - 16. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 11 wherein for each data security jurisdiction zone of the plurality of data security jurisdiction zones the allowed secrets data for the data security jurisdiction zone is automatically pre-deployed to an allowed secrets data store in the data security jurisdiction zone.
  - 17. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 11 wherein the data security policy data for the plurality of data security jurisdiction zones is obtained from a data security policy manager.
  - 18. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 11 wherein the data security policy data for the plurality of data security jurisdiction zones is updated automatically.

19. A system for automatically managing secrets in a plurality of data security jurisdiction zones comprising:
- one or more processors; and
  
  at least one memory coupled to the one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for automatically managing the secrets in the plurality of data security jurisdiction zones, the process for automatically managing the secrets in the plurality of data security jurisdiction zones including;
  
  obtaining data security policy data for a first data security jurisdiction zone of the plurality of data security jurisdiction zones, the data security policy data for the first data security jurisdiction zone including data indicating allowed secrets data for the first data security jurisdiction zone and prohibited secrets data for the first data security jurisdiction zone, the allowed secrets data for the first data security jurisdiction zone representing one or more secrets allowed to protect data in the first data security jurisdiction zone, the prohibited secrets data for the first data security jurisdiction zone representing one or more secrets that are not allowed to protect data in the first data security jurisdiction zone;
  
  automatically analyzing the data security policy data for the first data security jurisdiction zone to determine the allowed secrets data with respect to the first data security jurisdiction zone;
  
  identifying one or more secret data classes by classifying the allowed secrets data according to a level of security provided by the allowed secrets data;
  
  automatically obtaining the allowed secrets data within the one or more secret data classes with respect to the first data security jurisdiction zone;
  
  automatically pre-deploying the allowed secrets data within the one or more secret data classes for the first data security jurisdiction zone to an allowed secrets data store associated with the first data security jurisdiction zone;
  
  obtaining secrets request data representing a request that secrets data be transferred to a first resource;
  
  automatically determining the first resource is within the first data security jurisdiction zone;
  
  automatically providing the first resource access to the pre-deployed allowed secrets data in the allowed secrets data store associated with the first data security jurisdiction zone.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 19 wherein the first data security jurisdiction zone is selected from the group of data security jurisdiction zones consisting of:
    - a geographic region data security jurisdiction zone;
      
      a political region data security jurisdiction zone;
      
      a security based data security jurisdiction zone;
      
      a computing environment data security jurisdiction zone;
      
      a computing sub-environment data security jurisdiction zone within a computing environment data security jurisdiction zone; and
      
      any combination thereof.
  - 21. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 19 wherein the data security policy data for the first data security jurisdiction zone includes data indicating allowed encryption levels within the first data security jurisdiction zone.
  - 22. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 19 wherein the allowed secrets data is allowed encryption key data including at least one encryption key in compliance with the data security policy data for the first data security jurisdiction zone.
  - 23. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 22 wherein at least one encryption key represented by the allowed encryption key data is selected from the group of encryption keys consisting of:
    - a public encryption key;
      
      a private encryption key;
      
      a symmetric encryption key;
      
      an asymmetric encryption key;
      
      a public pre-placed encryption key;
      
      a private pre-placed encryption key;
      
      a 40-bit encryption key;
      
      any length encryption keys;
      
      an authentication encryption key;
      
      a benign encryption key;
      
      a content-encryption key (CEK);
      
      a cryptovariable encryption key;
      
      a derived encryption key;
      
      an electronic encryption key;
      
      an ephemeral encryption key;
      
      a key encryption key (KEK);
      
      a key production encryption key (KPK);
      
      a FIREFLY encryption key;
      
      a master encryption key;
      
      a message encryption key (MEK);
      
      a RED encryption key;
      
      a session encryption key;
      
      a traffic encryption key (TEK);
      
      a transmission security encryption key (TSK);
      
      a seed encryption key;
      
      a signature encryption key;
      
      a stream encryption key;
      
      a Type 1 encryption key;
      
      a Type 2 encryption key;
      
      a Vernam encryption key;
      
      a zeroized encryption key; and
      
      any combination thereof.
  - 24. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 19 wherein the allowed secrets data for the first data security jurisdiction zone is automatically pre-deployed to an allowed secrets data store in the first data security jurisdiction zone.
  - 25. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 19 wherein the data security policy data for the first data security jurisdiction zone is obtained from a data security policy manager.
  - 26. The system for automatically managing secrets in the plurality of data security jurisdiction zones of claim 19 wherein the data security policy data for the first data security jurisdiction zone is updated automatically.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Cabrera, Luis Felipe, Lietz, M. Shannon
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
NGUYEN, TRONG H

Application Number

US14/073,110
Publication Number

US 20150128207A1
Time in Patent Office

1,070 Days
Field of Search

726/1, 726/4, 726/17, 726 26- 30
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

Method and system for automatically managing secrets in multiple data security jurisdiction zones

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for automatically managing secrets in multiple data security jurisdiction zones

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links