Method and system for providing a secure secrets proxy and distributing secrets

US 9,684,791 B2
Filed: 04/20/2016
Issued: 06/20/2017
Est. Priority Date: 10/14/2013
Status: Active Grant

First Claim

Patent Images

1. A system for providing a secure secrets proxy and distributing secrets comprising:

at least one processor; and

at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for providing a secure secrets proxy and distributing secrets, the process for providing a secure secrets proxy and distributing secrets including;

providing a secure secrets proxy in a first computing environment, the secure secrets proxy being a virtual asset instantiated in the first computing environment, the secure secrets proxy including secure secrets proxy authentication data;

providing a secrets distribution management system in a second computing environment, the secrets distribution management system having access to secrets data representing one or more secrets and configured to control the distribution of the one or more secrets in accordance with one or more secrets distribution policies;

providing, by the secure secrets proxy, the secure secrets proxy authentication data to the secrets distribution management system;

providing secrets distribution policy data representing one or more secrets distribution factors used to control the distribution of one or more secrets;

receiving, at the secrets distribution management system, secrets request data from a requesting virtual asset for secrets data necessary to access a resource of a resource type;

obtaining, by the secrets distribution management system, requesting virtual asset profile data associated with the requesting virtual asset;

authenticating, by the secrets distribution management system, the secure secrets proxy as a trusted virtual asset eligible to cache secrets data in a secure secrets cache;

authenticating, by the secrets distribution management system, the requesting virtual asset;

analyzing the requesting virtual asset profile data using one or more of the one or more secrets distribution factors to generate authorized secrets data for the requesting virtual asset;

providing, by the secrets distribution system to the secure secrets proxy in response to the secrets request data, authorized secrets data representing one or more requested secrets;

providing, from the secure secrets proxy to the requesting virtual asset, authorized secrets data for the requesting virtual asset.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure secrets proxy is instantiated in a first computing environment and includes secure secrets proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache secrets data in a secure secrets cache outside the second computing environment. A virtual asset requests one or more secrets, triggering a process to authenticate the requesting virtual asset, gathering authorized secrets data representing secrets the virtual asset is allowed to have. The secure secrets proxy is provided data representing the requested secrets and stores that secrets data in the secure secrets cache of the proxy.

94 Citations

View as Search Results

28 Claims

1. A system for providing a secure secrets proxy and distributing secrets comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for providing a secure secrets proxy and distributing secrets, the process for providing a secure secrets proxy and distributing secrets including;
  
  providing a secure secrets proxy in a first computing environment, the secure secrets proxy being a virtual asset instantiated in the first computing environment, the secure secrets proxy including secure secrets proxy authentication data;
  
  providing a secrets distribution management system in a second computing environment, the secrets distribution management system having access to secrets data representing one or more secrets and configured to control the distribution of the one or more secrets in accordance with one or more secrets distribution policies;
  
  providing, by the secure secrets proxy, the secure secrets proxy authentication data to the secrets distribution management system;
  
  providing secrets distribution policy data representing one or more secrets distribution factors used to control the distribution of one or more secrets;
  
  receiving, at the secrets distribution management system, secrets request data from a requesting virtual asset for secrets data necessary to access a resource of a resource type;
  
  obtaining, by the secrets distribution management system, requesting virtual asset profile data associated with the requesting virtual asset;
  
  authenticating, by the secrets distribution management system, the secure secrets proxy as a trusted virtual asset eligible to cache secrets data in a secure secrets cache;
  
  authenticating, by the secrets distribution management system, the requesting virtual asset;
  
  analyzing the requesting virtual asset profile data using one or more of the one or more secrets distribution factors to generate authorized secrets data for the requesting virtual asset;
  
  providing, by the secrets distribution system to the secure secrets proxy in response to the secrets request data, authorized secrets data representing one or more requested secrets;
  
  providing, from the secure secrets proxy to the requesting virtual asset, authorized secrets data for the requesting virtual asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system for distributing secrets of claim 1 wherein at least one of the one or more secrets distribution factors is selected from the group of secrets distribution factors consisting of:
    - a determination as to whether owner identification data associated with the owner of the requesting virtual asset is included in a registry of trusted owners'"'"' owner identification data;
      
      a determination as to whether the requesting virtual asset is in compliance with one or more security policies;
      
      a determination as to how long the requesting virtual asset has currently been operating;
      
      a determination of the number of resources associated with the requesting virtual asset;
      
      a determination of modules or capabilities associated with the requesting virtual asset;
      
      a determination of the type of requesting virtual asset and the legitimate access requirements of that type of requesting virtual asset; and
      
      any combination thereof.
  - 3. The system for distributing secrets of claim 1 wherein the requesting virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      an instance in a cloud infrastructure;
      
      a cloud infrastructure access system;
      
      mobile devices;
      
      remote sensors;
      
      laptops;
      
      desktops;
      
      point-of-sale devices;
      
      ATMs;
      
      electronic voting machines; and
      
      a database.
  - 4. The system for distributing secrets of claim 1 wherein at least one of the one or more resource types is selected from the group of resource types consisting of:
    - databases and data;
      
      external services;
      
      internal services;
      
      cloud-based services;
      
      data center-based services;
      
      the Internet;
      
      a cloud;
      
      applications;
      
      encrypted data;
      
      authenticated SSL communication channels;
      
      wireless accessible services; and
      
      any communication channels.
  - 5. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the secure secrets proxy authentication data includes data representing at least one authentication mechanism selected from the group of authentication mechanisms consisting of:
    - loading specified datum from a specified storage service onto the secure secrets proxy and then providing the specified datum to confirm the identity of the secure secrets proxy;
      
      obtaining hardware identification data indicating the identification of underlying hardware on which the secure secrets proxy is running and confirming the hardware identification data by comparing it with data obtained via a cloud provider control plane; and
      
      any combination thereof.
  - 6. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the secrets data includes data representing one or more secrets selected from the group of secrets consisting of:
    - usernames;
      
      passwords;
      
      passphrases;
      
      encryption keys;
      
      digital certificates;
      
      multifactor authentication data;
      
      account numbers;
      
      identification numbers; and
      
      any combination thereof.
  - 7. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the type of computing environment represented by the first computing environment.
  - 8. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the types of virtual assets in the first computing environment.
  - 9. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the capabilities of the virtual assets in the first computing environment.
  - 10. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the reputation profiles of the virtual assets in the first computing environment.
  - 11. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the one or more requested secrets to be cached in the secure secrets cache are selected by the secure secrets proxy based on the resources associated with the virtual assets in the first computing environment.
  - 12. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the secure secrets proxy provides the secure secrets proxy authentication data to the secrets distribution management system via a secure communications channel.
  - 13. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the secure secrets cache is a secrets data store outside the second computing environment.
  - 14. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the secure secrets cache is a data cache in the secure secrets proxy.
  - 15. The system for providing a secure secrets proxy and distributing secrets of claim 1 further comprising:
    - a second virtual asset instantiated in the first computing environment, the second virtual asset generating secrets application request data requesting that one or more secrets be applied to second virtual asset data associated with the second virtual asset;
      
      the secure secrets proxy receiving the secrets application request data;
      
      the secure secrets proxy authenticating the second virtual asset;
      
      the secure secrets proxy obtaining the secrets associated with the secrets application request data from the secure secrets cache; and
      
      the secure secrets proxy coordinating the application of the secrets associated with the secrets application request data to the second virtual asset data.
  - 16. The system for providing a secure secrets proxy and distributing secrets of claim 1 wherein the second virtual asset is a virtual asset selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      an instance in a cloud infrastructure;
      
      a cloud infrastructure access system;
      
      a mobile device;
      
      a remote sensor;
      
      a laptop;
      
      a desktop;
      
      a point-of-sale device;
      
      an ATM;
      
      an electronic voting machine; and
      
      a database.

17. A system for providing an encryption proxy and distributing encryption keys comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for providing an encryption proxy, the process for providing an encryption proxy including;
  
  providing an encryption proxy in a first computing environment, the encryption proxy being a virtual asset instantiated in the first computing environment, the encryption proxy including encryption proxy authentication data;
  
  providing a secrets distribution management system, the secrets distribution management system being in a second computing environment, the secrets distribution management system having access to encryption key data representing one or more encryption keys and configured to control the distribution of the one or more encryption keys in accordance with one or more encryption key distribution policies;
  
  providing, by the encryption proxy, the encryption proxy authentication data to the secrets distribution management system;
  
  providing secrets distribution policy data representing one or more secrets distribution factors used to control the distribution of one or more encryption keys;
  
  receiving, at the secrets distribution management system, encryption key request data from a requesting virtual asset for encryption key data necessary to access a resource of a resource type;
  
  obtaining, by the secrets distribution management system, requesting virtual asset profile data associated with the requesting virtual asset;
  
  authenticating, by the secrets distribution management system, the encryption proxy and identifying the encryption proxy as a trusted virtual asset eligible to cache encryption key data in an remote encryption key cache outside the second computing environment;
  
  analyzing the requesting virtual asset profile data using one or more of the one or more secrets distribution factors to generate authorized encryption key data for the requesting virtual asset;
  
  providing, by the secrets distribution system to the secure secrets proxy in response to the secrets request data, authorized encryption key data representing one or more requested encryption keys;
  
  providing, from the secure secrets proxy to the requesting virtual asset, the authorized encryption key data for the requesting virtual asset.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 18. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the first computing environment is an untrusted computing environment.
  - 19. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the encryption proxy is a virtual asset generated in the untrusted computing environment.
  - 20. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the second computing environment is a trusted computing environment.
  - 21. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein at least one of the one or more resource types is selected from the group of resource types consisting of:
    - databases and data;
      
      external services;
      
      internal services;
      
      cloud-based services;
      
      data center-based services;
      
      the Internet;
      
      a cloud;
      
      applications;
      
      encrypted data;
      
      authenticated SSL communication channels;
      
      wireless accessible services; and
      
      any communication channels.
  - 22. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the encryption proxy authentication data includes data representing at least one authentication mechanism selected from the group of authentication mechanisms consisting of:
    - loading specified datum from a specified storage service onto the secure secrets proxy and then providing the specified datum to confirm the identity of the secure secrets proxy;
      
      obtaining hardware identification data indicating the identification of underlying hardware on which the secure secrets proxy is running and confirming the hardware identification data by comparing it with data obtained via a cloud provider control plane; and
      
      any combination thereof.
  - 23. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the type of computing environment represented by the first computing environment.
  - 24. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the types of virtual assets in the first computing environment.
  - 25. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the capabilities of the virtual assets in the first computing environment.
  - 26. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the reputation profiles of the virtual assets in the first computing environment.
  - 27. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the resources associated with the virtual assets in the first computing environment.
  - 28. The system for providing an encryption proxy and distributing encryption keys of claim 17 wherein the encryption proxy provides the encryption proxy authentication data to the secrets distribution management system via a secure communications channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Shanmugam, Elangovan, Cabrera, Luis Felipe, Lietz, M. Shannon, Armitage, James, Gryb, Oleg, Philip, Sabu Kuruvila, Weaver, Brett, Bishop, Thomas, Otillio, Troy, Whitehouse, Jinglei, Wolfe, Jeffrey M., Jain, Ankur
Primary Examiner(s)
Gergiso, Techane

Application Number

US15/134,096
Publication Number

US 20160234015A1
Time in Patent Office

426 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/00   Network architectures or ne...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/20   for managing network securi...

H04L 9/083   involving central third par...

H04L 9/088   Usage controlling of secret...

Method and system for providing a secure secrets proxy and distributing secrets

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

94 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing a secure secrets proxy and distributing secrets

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links