Multi-tenancy architecture

US 9,858,442 B1
Filed: 05/10/2016
Issued: 01/02/2018
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a plurality of security computing devices, including a first security computing device, each security computing device configured for cryptographic processing, the first security computing device coupled to receive incoming data packets, the first security computing device comprising at least one memory configured to store key sets, and the incoming data packets including a first data packet from a first data source of a plurality of data sources, the first security computing device to encrypt the first data packet for storing in a data storage;

at least one switch or router configured to select, when the first data packet is received from the first data source, the first security computing device from the plurality of security computing devices for routing of the first data packet to the first security computing device, the selecting based on a source tag in a header of the first data packet, wherein the source tag identifies the first data source, and wherein the at least one switch or router is further configured to, when reading the encrypted first data packet from the data storage, select the first security computing device from the plurality of security computing devices for decryption processing, the selecting of the first security computing device for decryption processing based on a determination that the encrypted first data packet is associated with the first data source; and

a controller configured to select a first set of keys from a plurality of key sets, each of the key sets corresponding to one of the plurality of data sources, the controller further configured to select the first set of keys based on the source tag, wherein the first set of keys is stored in the at least one memory and used by the first security computing device to encrypt the first data packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a security device, configured for cryptographic processing, coupled to receive incoming data from a plurality of data sources (e.g., data from different customers), wherein the incoming data includes first data from a first data source; a controller (e.g., an external key manager) configured to select a first set of keys from a plurality of key sets, each of the key sets corresponding to one of the plurality of data sources, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device.

161 Citations

17 Claims

1. A system, comprising:
- a plurality of security computing devices, including a first security computing device, each security computing device configured for cryptographic processing, the first security computing device coupled to receive incoming data packets, the first security computing device comprising at least one memory configured to store key sets, and the incoming data packets including a first data packet from a first data source of a plurality of data sources, the first security computing device to encrypt the first data packet for storing in a data storage;
  
  at least one switch or router configured to select, when the first data packet is received from the first data source, the first security computing device from the plurality of security computing devices for routing of the first data packet to the first security computing device, the selecting based on a source tag in a header of the first data packet, wherein the source tag identifies the first data source, and wherein the at least one switch or router is further configured to, when reading the encrypted first data packet from the data storage, select the first security computing device from the plurality of security computing devices for decryption processing, the selecting of the first security computing device for decryption processing based on a determination that the encrypted first data packet is associated with the first data source; and
  
  a controller configured to select a first set of keys from a plurality of key sets, each of the key sets corresponding to one of the plurality of data sources, the controller further configured to select the first set of keys based on the source tag, wherein the first set of keys is stored in the at least one memory and used by the first security computing device to encrypt the first data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the first security computing device includes the controller.
  - 3. The system of claim 1, wherein the controller is an internal key manager of the first security computing device.
  - 4. The system of claim 1, wherein the controller is an external key manager coupled to provide keys to the first security computing device via an application programming interface.
  - 5. The system of claim 1, wherein the first data source corresponds to a first user, and an external key manager receives commands from a computing device of the first user to control access to the first set of keys by the first security computing device.
  - 6. The system of claim 1, wherein the cryptographic processing comprises decryption of data packets read from the data storage.
  - 7. The system of claim 1, wherein the first security computing device further comprises a key cache and a cryptographic core, and the first set of keys is loaded into the cryptographic core from the key cache.
  - 8. The system of claim 7, wherein the first security computing device further comprises a packet input engine, coupled to provide a signal used by the key cache in selecting the first set of keys for use by the cryptographic core in encrypting the first data packet.
  - 9. The system of claim 1, wherein each of the plurality of data sources is located at a different physical location for a respective user using the data storage to store data sent over a network.

10. A system, comprising:
- a plurality of computing devices, each configured for cryptographic processing of incoming data received from at least one of a plurality of data sources, wherein the plurality of computing devices includes a first computing device to encrypt first data received from a first data source for storing in a data storage;
  
  at least one switch or router configured to receive the incoming data from the plurality of data sources, the incoming data including the first data, and the at least one switch or router configured to route the incoming data to one of the plurality of computing devices, wherein the first data is routed to the first computing device based on a tag of the first data associated with the first data source, the first data including the tag when the first data is received from the first data source, and wherein the at least one switch or router is further configured to, when reading the first data from the data storage, select the first computing device for decryption processing, the selecting based on a determination that the first data is associated with the first data source; and
  
  a plurality of key managers, each key manager coupled to a respective one of the plurality of computing devices, and each key manager configured to provide a set of keys to the respective computing device for encryption of incoming data, wherein the set of keys for encrypting the first data is stored in at least one memory, and is selected based on the tag.
- View Dependent Claims (11)
- - 11. The system of claim 10, wherein the plurality of key managers includes a first key manager, the first computing device comprises a key cache configured to store a first set of keys received from the first key manager, and the first set of keys is for use to encrypt a data packet of the first data.

12. A system, comprising:
- a plurality of cryptographic cores comprising an input core configured to perform, by at least one processor, encryption for a first data packet when writing to a data storage, and an output core configured to perform, by at least one processor, decryption for the first data packet when reading from the data storage;
  
  at least one memory including at least one key cache configured to store a plurality of key sets, wherein a first set of keys is selected from the plurality of key sets to encrypt the first data packet by the input core;
  
  at least one switch or router configured to select, when the first data packet is received from a first data source of a plurality of data sources, the input core for processing of the first data packet, the selecting based on a source tag in a header of the received first data packet that identifies the first data source, and wherein the at least one switch or router is further configured to, when reading the first data packet from the data storage, select the output core for decryption processing, the selecting based on a determination that the first data packet is associated with the first data source;
  
  a packet input engine configured to detect the source tag in the header of the received first data packet, and to address the first set of keys based on the source tag; and
  
  a packet output engine configured to provide the encrypted first data packet from the input core to the data storage, to detect the source tag when reading from the data storage, and to address keys based on the source tag for decrypting the first data packet by the output core.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, further comprising a processor configured to verify that the packet input engine is authorized to address the first set of keys.
  - 14. The system of claim 12, further comprising a key loader controller configured to load keys from an external key manager via an application programming interface, the key loader controller further configured to load the first set of keys for storage in the at least one key cache prior to receipt of the first data packet by the switch or router.
  - 15. The system of claim 14, wherein the at least one key cache is configured so that a key cache failure causes the at least one key cache to be zeroized.
  - 16. The system of claim 14, wherein the output core is coupled to provide the decrypted first data packet to the packet input engine.
  - 17. The system of claim 12, wherein the at least one key cache comprises an input cache configured to store the first set of keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secturion Systems, Inc.
Original Assignee
Secturion Systems, Inc.
Inventors
Takahashi, Richard J.
Primary Examiner(s)
Jamshidi, Ghodrat

Application Number

US15/150,624
Time in Patent Office

602 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/72   in cryptographic circuits

H04L 9/083   involving central third par...

Multi-tenancy architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

161 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Multi-tenancy architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

161 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others