
Security layer and methods for protecting tenant data in a cloud-mediated computing network

  • US 9,710,664 B2
  • Filed: 09/07/2012
  • Issued: 07/18/2017
  • Est. Priority Date: 09/07/2012
  • Status: Active Grant
First Claim

1. A system for protecting data managed in a cloud-computing network from malicious data operations comprising:

  • an Internet-connected server hosted by a service provider providing the cloud-computing network;

    an Internet-connected computer appliance operated by a tenant of the cloud-computing network;

    a third party generating security tokens that both the tenant and the service provider trusts to generate security tokens; and

    software executing on the server from a non-transitory physical medium, the software;

    providing a control interface enabling a tenant access to and control over data owned by the tenant and cloud-computing services;

    generating a policy definition according to a service level agreement (SLA) for the tenant, wherein security tokens are generated to enable initiation and performance of individual operations or sets of operations defined in the policy definition;

    ordering or accessing from a token store one or more security tokens, the tokens generated at least from the SLA for the tenant, having stored data including defining the scope of services offered, detailing all permitted operations that may be performed relative to the tenant's data and identifying who may perform the operations that validate one or more sets of computing operations defined in the policy definition to be performed on the data owned by the tenant;

    generating a hash for each token generated, the hash detailing, in a secure fashion, the computing operation type or types embedded in the one or more tokens;

    brokering two-party signature of the one or more tokens, wherein the tenant and service provider sign the one or more tokens; and

    dynamically activating the one or more signed tokens for a specific time window, the time window selected based upon time required to perform the operations permitted by the token, the operations prevented with expiration of the time window;

    wherein the tenant receives an alert at the control interface wherein an unauthorized request for one or more data specific operations on the tenant data is received outside of the policy definition in accordance to the SLA, and the tenant interacts with the control interface to deny the request or approve the request to perform one or more specific operations on the tenant data by at least generating one or more new security tokens enabling performance of the request, thereby modifying the policy definition in accordance to the SLA to reflect the data operations related to the request stored in the SLA.
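
The token lifecycle recited in claim 1 (operation hash, two-party signature, time-window activation, and a refusal that would trigger the tenant alert) can be sketched as follows. This is an added example, not code from the patent or its assignee. All function names, field names and keys are hypothetical, and HMAC-SHA256 with one key per party stands in for whatever signature scheme an implementation would actually use.

```python
import hashlib
import hmac
import json

# Constructed demo keys; HMAC is an assumed stand-in for each party's signature.
TENANT_KEY = b"constructed-tenant-key"
PROVIDER_KEY = b"constructed-provider-key"
SIGNERS = ((TENANT_KEY, "tenant_sig"), (PROVIDER_KEY, "provider_sig"))
SIGNED_FIELDS = ("tenant", "operations", "ops_hash", "not_before", "not_after")

def ops_hash(operations):
    """Hash of the operation types embedded in the token (order-independent)."""
    return hashlib.sha256(json.dumps(sorted(operations)).encode()).hexdigest()

def _body(token):
    """Canonical bytes that both parties sign."""
    return json.dumps({k: token[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()

def issue_token(tenant, operations, not_before, duration):
    """Build a token for the permitted operations, valid for `duration` seconds."""
    token = {"tenant": tenant, "operations": sorted(operations),
             "ops_hash": ops_hash(operations),
             "not_before": not_before, "not_after": not_before + duration}
    body = _body(token)
    for key, field in SIGNERS:  # both tenant and provider sign the same body
        token[field] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return token

def authorize(token, operation, now):
    """Return (allowed, reason); any reason other than 'ok' is an alert candidate."""
    body = _body(token)
    for key, field in SIGNERS:
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token.get(field, "")):
            return False, "bad " + field
    if ops_hash(token["operations"]) != token["ops_hash"]:
        return False, "operation hash mismatch"
    if not token["not_before"] <= now <= token["not_after"]:
        return False, "outside time window"
    if operation not in token["operations"]:
        return False, "operation not in policy"
    return True, "ok"
```

Because both signatures cover the operation list and the window bounds, widening either after issuance invalidates the token rather than extending its scope.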
