Instant data security in untrusted environments

US 9,716,728 B1
Filed: 09/10/2013
Issued: 07/25/2017
Est. Priority Date: 05/07/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A method of managing keys and policies, comprising:

communicating enterprise policies from a key and policy manager in a computing device in an enterprise environment to an agent while the agent is in a computing or communication device in a cloud environment;

generating keys at the key and policy manager;

distributing one or more of the keys from the key and policy manager in the enterprise environment to computing or communication devices in the enterprise environment, in accordance with the enterprise policies; and

enforcing the enterprise policies in the cloud environment via an application of the enterprise policies by the agent in the cloud environment, wherein at least one method operation is executed through a processor,migrating data in the cloud environment from usage of keys generated in the cloud environment to usage of the keys generated at the key and policy manager, via decryption with the keys generated in the cloud environment and re-encryption with the keys generated at the key and policy manager.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing keys and policies is provided. The method includes communicating policies from a key and policy manager in an enterprise environment to an agent in a cloud environment. The method includes generating keys at the key and policy manager and distributing one or more of the keys to computing or communication devices in the enterprise environment, in accordance with the policies. The method includes enforcing the policies in the cloud environment via an application of the policies by the agent, wherein at least one method operation is executed through a processor.

63 Citations

View as Search Results

19 Claims

1. A method of managing keys and policies, comprising:
- communicating enterprise policies from a key and policy manager in a computing device in an enterprise environment to an agent while the agent is in a computing or communication device in a cloud environment;
  
  generating keys at the key and policy manager;
  
  distributing one or more of the keys from the key and policy manager in the enterprise environment to computing or communication devices in the enterprise environment, in accordance with the enterprise policies; and
  
  enforcing the enterprise policies in the cloud environment via an application of the enterprise policies by the agent in the cloud environment, wherein at least one method operation is executed through a processor,migrating data in the cloud environment from usage of keys generated in the cloud environment to usage of the keys generated at the key and policy manager, via decryption with the keys generated in the cloud environment and re-encryption with the keys generated at the key and policy manager.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein enforcing the policies includes:
    - providing software services from the cloud environment to the computing or communication devices in the enterprise environment in accordance with the enterprise policies as received by the agent.
  - 3. The method of claim 1, further comprising:
    - sending a further one or more of the keys from the key and policy manager to the agent, wherein enforcing the enterprise policies in the cloud environment includes the agent distributing the further one or more of the keys to one or more servers in the cloud environment in accordance with the enterprise policies.
  - 4. The method of claim 1, further comprising:
    - generating an access token at the key and policy manager, wherein the agent authenticates communications from the key and policy manager via application of the access token.
  - 5. The method of claim 1, further comprising:
    - initiating an audit at the agent;
      
      collecting at least one log from at least one key and policy manager, at the agent; and
      
      sending a result of the audit, based on the at least one log, to a system log server or to the at least one key and policy manager.
  - 6. The method of claim 1, wherein updating or adding to the enterprise policies in the key and policy manager results in an automatic communication of an updated or added enterprise policy from the key and policy manager to the agent.

7. A non-transient, tangible, computer-readable medium having thereupon instructions which, when executed by a processor cause the processor to perform a method comprising:
- generating, at a key and policy manager implemented in a computing device in an enterprise environment, enterprise policies relating to computing devices in the enterprise environment and relating to cloud services;
  
  generating keys at the key and policy manager in the enterprise environment;
  
  distributing the keys from the key and policy manager in the enterprise environment to the computing devices in the enterprise environment in accordance with the enterprise policies; and
  
  communicating the enterprise policies from the key and policy manager in the enterprise environment to one or more agents operating in one or more computing or communication devices outside of the enterprise environment, wherein the one or more agents enforce the enterprise policies relative to the environment outside of the enterprise environment as provided to the computing devices in the enterprise environment,migrating data in the cloud environment from usage of keys generated in the cloud environment to usage of the keys generated at the key and policy manager, via decryption with the keys generated in the cloud environment and re-encryption with the keys generated at the key and policy manager.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The media of claim 7, wherein the method further comprises:
    - sending further keys from the enterprise environment to the one or more agents for distribution by the one or more agents operating outside of the enterprise environment in accordance with the enterprise policies.
  - 9. The media of claim 7, wherein the method further comprises:
    - sending a log from the enterprise environment to the one or more agents, in response to an audit request from the one or more agents, the log relating usage of the cloud services as provided to the computing or communication devices in the enterprise environment.
  - 10. The media of claim 7, wherein the method further comprises:
    - generating a first access token for a first agent; and
      
      generating a second access token for a second agent.
  - 11. The media of claim 7, wherein:
    - a key and policy manager in the enterprise environment maintains control of the keys and the enterprise policies, the key and policy manager including the processor performing the method; and
      
      a secure environment is extended from the enterprise environment to cloud service providers, via the enterprise policies and the keys.

12. A data security system comprising:
- a key and policy manager that is operable in a computing device in an enterprise environment and includes at least one processor, the key and policy manager configured to;
  
  receive enterprise policies relating to communication devices in the enterprise environment and relating to cloud services;
  
  generate keys, and distribute the keys to the communication devices in the enterprise environment in accordance with the enterprise policies; and
  
  communicate the enterprise policies to one or more agents operating in a cloud environment external to the enterprise environment, the cloud environment associated with the cloud services; and
  
  an agent that is operable in a computing or communication device in a software as a service (SaaS) provider in the cloud, the agent configured to;
  
  receive the enterprise policies from the key and policy manager that is operable in the enterprise environment; and
  
  enforce the enterprise policies relative to services provided by the SaaS provider and relative to the computing or communication devices in the enterprise environment receiving the services provided by the SaaS provider,whether the system migrates data in the cloud environment from usage of keys generated in the cloud environment to usage of the keys generated at the key and policy manager, via decryption with the keys generated in the cloud environment and re-encryption with the keys generated at the key and policy manager.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The data security system of claim 12, wherein the key and policy manager includes:
    - a network protocol address storage configured to store a network protocol address;
      
      a token generator configured to generate access token identifiers and secret access tokens;
      
      a key generator configured to generate the keys for encryption and decryption;
      
      a policy storage configured to store the enterprise policies;
      
      a log storage configured to store one or more logs; and
      
      a manager engine configured to;
      
      send one or more of the keys to one or more of the communication devices in the enterprise environment in accordance with the enterprise policies;
      
      send a further one or more of the keys to the one or more agents for distribution by the one or more agents to devices associated with the cloud services in accordance with the enterprise policies; and
      
      write the one or more logs to the log storage as a history of the cloud services provided to the communication devices in the enterprise environment.
  - 14. The data security system of claim 12, wherein the agent includes:
    - a storage configured to store network protocol addresses of one or more key and policy managers, access tokens of the one or more key and policy managers, and enterprise policies of the one or more key and policy managers; and
      
      an enforcement engine, configured to;
      
      arrange for the SaaS provider to provide the services to the computing or communication devices in the enterprise environment in accordance with the enterprise policies; and
      
      distribute one or more keys, provided by the key and policy manager, to devices of the SaaS provider in accordance with the enterprise policies.
  - 15. The data security system of claim 12, wherein the agent is further configured to:
    - authorize and authenticate communications from the key and policy manager to the agent, via application of an access token generated by the key and policy manager.
  - 16. The data security system of claim 12, further comprising:
    - the key and policy manager configured to;
      
      write a log; and
      
      send the log to the agent; and
      
      the agent configured to;
      
      request a log from one or more key and policy managers; and
      
      produce an audit based on the log from the one or more key and policy managers.
  - 17. The data security system of claim 12, wherein:
    - all communication between the key and policy manager and the agent is agent-initiated; and
      
      at least one communication between the key and policy manager and the agent includes the agent polling the key and policy manager.
  - 18. The data security system of claim 12, further comprising:
    - the key and policy manager configured to;
      
      generate a first access token; and
      
      generate a second access token, wherein a further agent authenticates communication from the key and policy manager through usage of the second access token; and
      
      the agent configured to;
      
      authenticate communication from the key and policy manager through usage of the first access token; and
      
      authenticate communication from a further key and policy manager through usage of a third access token generated by the further key and policy manager.
  - 19. The data security system of claim 12, wherein the key and policy manager is configured to communicate one or more enterprise policies to the one or more agents and generate one or more keys, in response to the key and policy manager performing one from a set consisting of:
    - receiving the one or more enterprise policies, receiving an update to the one or more enterprise policies, and generating the one or more enterprise policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales E-Security Incorporated
Original Assignee
Vormetric, Inc. (Thales SA)
Inventors
Tumulak, Derek
Primary Examiner(s)
Poltorak, Peter

Application Number

US14/023,113
Time in Patent Office

1,414 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/20   for managing network securi...

H04L 9/083   involving central third par...

H04L 9/0861   Generation of secret inform...

H04L 9/088   Usage controlling of secret...

H04L 9/3234   involving additional secure...

Instant data security in untrusted environments

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Instant data security in untrusted environments

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links