Remote key management in a cloud-based environment
First Claim
Patent Images
1. A key service engine for facilitating remote key management services in a collaborative cloud-based environment, the key service engine comprising:
- a processor;
a key service proxy device configured to initiate a remote key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality, the data item being encrypted or decrypted by an encryption key, and the remote key request corresponding to (a) an encryption of the encryption key performed by a remote key service engine to generate an encrypted encryption key or (b) a decryption of the encrypted encryption key performed by a remote key service engine to decrypt the encrypted encryption; and
a reason engine configured to determine a reason code associated with the content request, wherein determining the reason code comprises directing the processor to;
(a) identify the reason associated with the content request and (b) subsequently generate a corresponding reason code associated with the remote key request;
the remote key request being processed by the remote key service engine that is located on a second client device that is remote from the key service proxy device located on a first client device, the remote key request sent across a network from the first client to the second client device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code.
3 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods are disclosed for facilitating remote key management services in a collaborative cloud-based environment. In one embodiment, the remote key management architecture and techniques described herein provide for local key encryption and automatic generation of a reason code associated with content access. The reason code is used by a remote client device (e.g., an enterprise client) to control a second (remote) layer of key encryption. The remote client device provides client-side control and configurability of the second layer of key encryption.
516 Citations
34 Claims
-
1. A key service engine for facilitating remote key management services in a collaborative cloud-based environment, the key service engine comprising:
-
a processor; a key service proxy device configured to initiate a remote key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality, the data item being encrypted or decrypted by an encryption key, and the remote key request corresponding to (a) an encryption of the encryption key performed by a remote key service engine to generate an encrypted encryption key or (b) a decryption of the encrypted encryption key performed by a remote key service engine to decrypt the encrypted encryption; and a reason engine configured to determine a reason code associated with the content request, wherein determining the reason code comprises directing the processor to;
(a) identify the reason associated with the content request and (b) subsequently generate a corresponding reason code associated with the remote key request;the remote key request being processed by the remote key service engine that is located on a second client device that is remote from the key service proxy device located on a first client device, the remote key request sent across a network from the first client to the second client device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A collaboration system for facilitating remote key management services in a collaborative cloud-based environment, the system comprising:
-
a processor; a memory unit having instructions stored thereon which when executed by the processor, causes the collaboration system to; encrypt a content item indicated by a content request using an encryption key; encrypt the encryption key using a local key encryption key (KEK); determine if the content item is associated with remote key management functionality, a data item being encrypted by an encryption key, and a remote key request corresponding to encryption of the encryption key performed by a remote key service engine to generate an encrypted encryption key; and if the content item is associated with remote key management functionality, determine a reason code associated with the content request, wherein the reason code is determined by directing the processor to (a) identify the reason associated with the content request and (b) subsequently generate a corresponding reason code associated with the content request; and the remote key request being processed by the remote key service engine that is located on a second computing device that is remote from a key service proxy device located on a first computing device, the remote key request sent across a network from the first computing to the second computing device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code; and initiate a remote key encryption request including the encrypted encryption key and the reason code. - View Dependent Claims (10, 11, 12, 13)
-
-
14. A collaboration system for facilitating remote key management services in a collaborative cloud-based environment, the system comprising:
-
a processor; a memory unit having instructions stored thereon which when executed by the processor, causes the collaboration system to; determine if a content item associated with a received content request is associated with remote key management functionality, a data item being decrypted by an encryption key, and a remote key request corresponding to encryption of the encryption key performed by a remote key service to a decrypt the encrypted encryption key; and
if the content item is associated with the remote key management functionality,determine a reason code associated with the content request, wherein determining the reason code is determined by directing the processor to;
(a) identify the reason code associated with the content request and (b) subsequently generate a corresponding reason code associated with the remote key request,the remote key request being processed by a remote key service engine that is located on a second computing device that is remote from a key service proxy device located on a first computing device, the remote key request sent across a network from the first computing to the second computing device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code; access a encrypted encryption key from a data store; and initiate a remote key decryption request including the encrypted encryption key and the reason code. - View Dependent Claims (15, 16, 17, 18)
-
-
19. A computer program product embodied in a non-transitory computer readable storage medium, the computer readable medium having stored thereon a sequence of instructions which when executed by a processor causes the processor to execute a process to facilitate remote key management services in a collaborative cloud-based environment, the method comprising:
-
initiating a remote key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality, the data item being encrypted or decrypted by an encryption key, and the remote key request corresponding to (a) an encryption of the encryption key performed by a remote key service engine to generate an encrypted encryption key or (b) a decryption of the encrypted encryption key performed by a remote key service engine to decrypt the encrypted encryption key; and determining a reason code associated with the content request, wherein determining the reason code comprises directing the processor to;
(a) identify the reason associated with the content request and (b) subsequently generate a corresponding reason code associated with the remote key request;the remote key request being processed by the remote key service engine that is located on a second client device that is remote from a key service proxy device located on a first client device, the remote key request sent across a network from the first client to the second client device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code. - View Dependent Claims (20)
-
-
21. A computer program product embodied in a non-transitory computer readable storage medium, the computer readable medium having stored thereon a sequence of instructions which when executed by a processor causes the processor to execute a process to facilitate remote key management services in a collaborative cloud-based environment, the method comprising:
-
encrypting a content item indicated by a content request using an encryption key; encrypting the encryption key using a local key encryption key (KEK); determining if the content item is associated with remote key management functionality, a data item being encrypted by an encryption key, and a remote key request corresponding to encryption of the encryption key to generate an encrypted encryption key, wherein the encryption of the encryption key to generate the encrypted encryption key is performed by a remote key service engine; and if the content item is associated with remote key management functionality, determining a reason code associated with the content request, wherein the reason code is determined by directing the processor to (a) identify the reason associated with the content request and (b) subsequently generate a corresponding reason code associated with the content request; and being processed by the remote key service engine that is located on a second client device that is remote from a key service proxy device located on a first client device, the remote key request sent across a network from the first client to the second client device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code; and initiating a remote key encryption request including the encrypted encryption key and the reason code.
-
-
22. A computer program product embodied in a non-transitory computer-readable storage medium, the computer readable medium having stored thereon a sequence of instructions which when executed by a processor causes the processor to execute a process to facilitate remote key management services in a collaborative cloud-based environment, the method comprising:
-
determining if a content item associated with a received content request is associated with remote key management functionality, a data item being decrypted by an encryption key, and a remote key request corresponding to encryption of the encryption key performed by a remote key service to decrypt the encrypted encryption key; and
if the content item is associated with the remote key management functionality,determining a reason code associated with the content request, wherein determining the reason code is determined by directing the processor to;
(a) identify the reason code associated with the content request and (b) subsequently generate a corresponding reason code associated with the remote key request,the remote key request being processed by a remote key service engine that is located on a second computing device that is remote from a key service proxy device located on a first computing device, the remote key request sent across a network from the first computing to the second computing device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code;
accessing an encrypted encryption key from a data store; andinitiating a remote key decryption request including the encrypted encryption key and the reason code.
-
-
23. A method for facilitating remote key management services in a collaborative cloud-based environment, the method comprising:
-
initiating a remote key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality, the data item being encrypted or decrypted by an encryption key, and the remote key request corresponding to (a) an encryption of the encryption key performed by a remote key service engine to generate an encrypted encryption key or (b) a decryption of the encrypted encryption key performed by a remote key service engine to decrypt the encrypted encryption key; and determining a reason code associated with the content request, wherein determining the reason code comprises directing a processor to;
(a) identify the reason associated with the content request and (b) subsequently generate a corresponding reason code associated with the remote key request;the remote key request being processed by the remote key service engine that is located on a second client device that is remote from a first client device that initiates the remote key request, the remote key request sent across a network from the first client to the second client device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code. - View Dependent Claims (24, 25)
-
-
26. A method for facilitating remote key management services in a collaborative cloud-based environment, the method comprising:
-
encrypting a content item indicated by a content request using an encryption key; encrypting the encryption key using a local key encryption key (KEK); determining if the content item is associated with remote key management functionality, a data item being encrypted by an encryption key, and a remote key request corresponding to encryption of the encryption key to generate an encrypted encryption key, wherein the encryption of the encryption key to generate the encrypted encryption key is performed by a remote key service engine; and if the content item is associated with remote key management functionality, determining a reason code associated with the content request, wherein the reason code is determined by directing a processor to (a) identify the reason associated with the content request and (b) subsequently generate a corresponding reason code associated with the content request; and being processed by the remote key service engine that is located on a second client device that is remote from a key service proxy device located on a first client device, the remote key request sent across a network from the first client to the second client device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code; and initiating a remote key encryption request including the encrypted encryption key and the reason code. - View Dependent Claims (27, 28)
-
-
29. A method for facilitating remote key management services in a collaborative cloud-based environment, the method comprising:
-
determining if a content item associated with a received content request is associated with remote key management functionality, a data item being decrypted by an encryption key, and a remote key request corresponding to a decryption of an encrypted encryption key to performed by a remote key service engine decrypt the encrypted encryption key; and
if the content item is associated with the remote key management functionality,determining a reason code associated with the content request, wherein determining the reason code is determined by directing a processor to;
(a) identify the reason code associated with the content request and (b) subsequently generate a corresponding reason code associated with the remote key request,the remote key request being processed by the remote key service engine that is located on a second computing device that is remote from a key service proxy device located on a first computing device, the remote key request sent across a network from the first computing to the second computing device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code, accessing an encrypted encryption key from a data store; and initiating a remote key decryption request including the encrypted encryption key and the reason code. - View Dependent Claims (30, 31)
-
-
32. A computer program product embodied in a non-transitory computer readable medium, the computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a process to facilitate remote key management services in a collaborative cloud-based environment, the method comprising:
-
encrypting a content item indicated by a content request using an encryption key; encrypting the encryption key using a local key encryption key (KEK); determining if the content item is associated with remote key management functionality, a data item being encrypted by an encryption key, and a remote key request corresponding to encryption of the encryption key to generate an encrypted encryption key, wherein the encryption of the encryption key to generate the encrypted encryption key is performed by a remote key service engine; and if the content item is associated with remote key management functionality, determining a reason code associated with the content request, wherein the reason code is determined by directing the processor to (a) identify the reason associated with the content request and (b) subsequently generate a corresponding reason code associated with the content request; and the remote key request being processed by the remote key service engine that is located on a second computing device that is remote from a key service proxy device located on a first computing device, the remote key request sent across a network from the first computing to the second computing device, wherein the remote key request is processed by the remote key service engine based at least in part on the reason code; and initiating a remote key encryption request including the encrypted encryption key and the reason code.
-
-
33. The computer program product of 21, further comprising instructions for receiving an encrypted encryption key responsive to initiating the remote key encryption request.
-
34. The computer program product of 22,further comprising instructions for receiving the content request and identifying the content item associated with the content request.
Specification