Systems and methods for cloud data security

US 9,736,127 B2
Filed: 01/12/2016
Issued: 08/15/2017
Est. Priority Date: 03/04/2013
Status: Active Grant

First Claim

Patent Images

1. A computing device for protecting stored data accessed by a cloud-based service platform, the computing device comprising:

a network connection;

a working memory device;

a persistent data storage medium; and

one or more processors coupled to the working memory device, the network connection and the persistent data storage medium, the persistent data storage medium containing instructions that, when executed on the computing device, cause the computing device to perform operations including;

receiving, over the network connection using the one or more processors, a document as part of a service request from a first user of the cloud-based service platform;

maintaining, within the working memory device, the document, without writing the document to the persistent data storage medium;

performing, while the document continues to maintained within the working memory device, a first action involving the document in satisfaction of a portion of the service request, wherein the first action includes document processing in support of obtaining at least one digital or electronic signature on the document;

transmitting, over the network connection using the one or more processors and in response to completion of the first action, the document to a security service provider for encryption;

deleting the document from the cloud-based service platform in response to receiving a confirmation of receipt of the document from the security service provider;

storing an encrypted version of the document in response to receiving the encrypted version of the document over the network connection from the security service provider;

determining, after deleting the document, that a second action required to complete performance of the service request requires access to the document in unencrypted form on the computing device;

sending, in response to determining the second action requires access to the document, the encrypted version of the document back to the security service provider for decryption;

receiving, into the working memory device, the document in unencrypted form from the security service provider in response to sending the encrypted version of the document;

performing, using the one or more processors, a second action involving the document in satisfaction of at least part of the service request, while maintaining the document in working memory, the second action including the pending action, wherein the second action includes document processing to generate a representation of the document for presentation to a second user to obtain at least one digital or electronic signature on the document; and

upon completion of the second action involving the document, deleting the document from the working memory device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing data security services with respect to cloud-based services are described. Examples include a security service provider (“SSP”) configured to perform or provide one or more security-related services or functions with respect to or on behalf of some other system or service. The other system or service may be, for example, a cloud-based system that provides network-accessible services. The SSP allows a user of the cloud-based service to provide and manage one or more security-related services, such as data storage, encryption, decryption, key management, and the like. By using and controlling the SSP, the user can be confident that his or her data is being securely represented and stored, even though it is being operated upon by a cloud-based service that is not under the user'"'"'s control.

Citations

22 Claims

1. A computing device for protecting stored data accessed by a cloud-based service platform, the computing device comprising:
- a network connection;
  
  a working memory device;
  
  a persistent data storage medium; and
  
  one or more processors coupled to the working memory device, the network connection and the persistent data storage medium, the persistent data storage medium containing instructions that, when executed on the computing device, cause the computing device to perform operations including;
  
  receiving, over the network connection using the one or more processors, a document as part of a service request from a first user of the cloud-based service platform;
  
  maintaining, within the working memory device, the document, without writing the document to the persistent data storage medium;
  
  performing, while the document continues to maintained within the working memory device, a first action involving the document in satisfaction of a portion of the service request, wherein the first action includes document processing in support of obtaining at least one digital or electronic signature on the document;
  
  transmitting, over the network connection using the one or more processors and in response to completion of the first action, the document to a security service provider for encryption;
  
  deleting the document from the cloud-based service platform in response to receiving a confirmation of receipt of the document from the security service provider;
  
  storing an encrypted version of the document in response to receiving the encrypted version of the document over the network connection from the security service provider;
  
  determining, after deleting the document, that a second action required to complete performance of the service request requires access to the document in unencrypted form on the computing device;
  
  sending, in response to determining the second action requires access to the document, the encrypted version of the document back to the security service provider for decryption;
  
  receiving, into the working memory device, the document in unencrypted form from the security service provider in response to sending the encrypted version of the document;
  
  performing, using the one or more processors, a second action involving the document in satisfaction of at least part of the service request, while maintaining the document in working memory, the second action including the pending action, wherein the second action includes document processing to generate a representation of the document for presentation to a second user to obtain at least one digital or electronic signature on the document; and
  
  upon completion of the second action involving the document, deleting the document from the working memory device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computing device of claim 1, wherein the deleting the document in response to receiving a confirmation of receipt includes considering the receiving the encrypted version of the document as the confirmation of receipt of the document from the security service provider.
  - 3. The computing device of claim 1, wherein the storing includes storing the encrypted version of the document in persistent data storage on the computing system.
  - 4. The computing device of claim 1, wherein the sending the encrypted version of the document back to the security service provider includes analyzing metadata associated with the document to identify the security service provider from a plurality of security service providers as the security service provider holding the decryption key.
  - 5. The computing device of claim 1, further comprising analyzing a policy associated with the first user to select the security service provider from a plurality of data encryption provider options.
  - 6. The computing device of claim 5, wherein the analyzing the policy includes determining a status associated with the document.
  - 7. The computing device of claim 5, wherein the analyzing the policy includes determining a type associated with the service request or the document.
  - 8. The computing device of claim 1, further comprising, prior to the deleting the document upon completion of the second action, determining whether the second action updated the document;
    - andin response to determining the document was updated, sending the updated document to the security service provider for encryption of the updated document.
  - 9. The computing device of claim 8, further comprising in response to determining the document was updated, updating metadata associated with the document to reflect changes.

10. A method for protecting stored data accessed by a cloud-based service platform, the method comprising:
- on a computing system within the cloud-based document management service platform performing operations including;
  
  receiving, over a network connection using one or more processors, a document as part of a service request from a first user of the cloud-based service platform;
  
  maintaining, within working memory on the computing system, the document, without writing the document to persistent data storage on the computing system;
  
  performing, while the document continues to maintained within the working memory, a first action involving the document in satisfaction of a portion of the service request, wherein the first action includes document processing in support of obtaining at least one digital or electronic signature on the document;
  
  transmitting, over the network connection using the one or more processors and in response to completion of the first action, the document to a security service provider for encryption;
  
  deleting the document from the cloud-based service platform in response to receiving a confirmation of receipt of the document from the security service provider;
  
  storing an encrypted version of the document in response to receiving the encrypted version of the document over the network connection from the security service provider;
  
  determining, after deleting the document, that a second action involved in performance of the service request requires access to the document in unencrypted form on the computing system;
  
  sending the encrypted version of the document back to the security service provider for decryption;
  
  receiving, in response to sending the encrypted version of the document, the document in unencrypted form from the security service provider;
  
  performing, using the one or more processors, the second action involving the document in satisfaction of at least part of the service request, while maintaining the unencrypted form of the document in working memory, wherein the second action includes document processing to generate a representation of the document for presentation to a second user to obtain at least one digital or electronic signature on the document; and
  
  upon completion of the second action involving the document, deleting the document from the cloud-based service platform.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 22)
- - 11. The method of claim 10, wherein the deleting the document in response to receiving a confirmation of receipt includes using the receiving the encrypted version of the document as the confirmation of receipt of the document from the security service provider.
  - 12. The method of claim 10, wherein the storing includes storing the encrypted version of the document in persistent data storage on the computing system.
  - 13. The method of claim 10, wherein the sending the encrypted version of the document back to the security service provider includes analyzing metadata associated with the document to identify the security service provider as holding the decryption key.
  - 14. The method of claim 10, further comprising analyzing a policy associated with the first user to select the security service provider from a plurality of data encryption provider options.
  - 15. The method of claim 14, wherein the analyzing the policy includes determining a status associated with the document.
  - 16. The method of claim 14, wherein the analyzing the policy includes determining a type associated with the service request or the document.
  - 17. The method of claim 10, further comprising, prior to the deleting the document upon completion of the second action, determining whether the second action updated the document;
    - andin response to determining the document was updated, sending the updated document to the security service provider for encryption of the updated document.
  - 18. The method of claim 17, further comprising in response to determining the document was updated, updating metadata associated with the document to reflect changes.
  - 22. The non-transitory computer-readable storage medium of claim 10, wherein the instructions further include instructions that cause the computer service to perform operations including analyzing a policy associated with the first user to select the security service provider from a plurality of data encryption provider options.

19. A non-transitory computer-readable storage medium containing instructions that, when executed on a computer system within a cloud-based service platform, cause the computer system to perform operations including:
- receiving, over a network connection, a document as part of a service request from a first user of the cloud-based service platform;
  
  maintaining, within working memory on the computing system, the document, without writing the document to persistent data storage on the computing system;
  
  performing, while the document continues to maintained within the working memory device, a first action involving the document in satisfaction of a portion of the service request, wherein the first action includes document processing in support of obtaining at least one digital or electronic signature on the document;
  
  transmitting, over the network connection and in response to completion of the first action, the document to a security service provider for encryption;
  
  deleting the document from the cloud-based service platform in response to receiving a confirmation of receipt of the document from the security service provider;
  
  storing an encrypted version of the document in response to receiving the encrypted version of the document over the network connection from the security service provider;
  
  determining, after deleting the document, that a second action involved in performance of the service request requires access to the document in unencrypted form on the computing system;
  
  sending the encrypted version of the document back to the security service provider for decryption;
  
  receiving, in response to sending the encrypted version of the document, the document in unencrypted form from the security service provider;
  
  performing the second action involving the document in satisfaction of at least part of the service request, while maintaining the unencrypted form of the document in working memory, wherein the second action includes document processing to generate a representation of the document for presentation to a second user to obtain at least one digital or electronic signature on the document; and
  
  upon completion of the second action involving the document, deleting the document from the cloud-based service platform for at least a second time.
- View Dependent Claims (20, 21)
- - 20. The non-transitory computer-readable storage medium of claim 19, wherein the deleting the document in response to receiving a confirmation of receipt includes using receiving the encrypted version of the document as the confirmation of receipt of the document from the security service provider.
  - 21. The non-transitory computer-readable storage medium of claim 19, wherein the sending the encrypted version of the document back to the security service provider includes analyzing metadata associated with the document to identify the security service provider as holding the decryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DocuSign Incorporated
Original Assignee
DocuSign Incorporated
Inventors
Fleischman, Eric, Peterson, Donald G., Wald, Duane E.
Primary Examiner(s)
King, John B

Application Number

US14/993,331
Publication Number

US 20160127337A1
Time in Patent Office

581 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/64   Protecting data integrity, ...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 63/20   for managing network securi...

H04L 9/3247   involving digital signatures

Systems and methods for cloud data security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for cloud data security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links