Method and system for automatically managing secret application and maintenance

US 9,894,069 B2
Filed: 11/01/2013
Issued: 02/13/2018
Est. Priority Date: 11/01/2013
Status: Active Grant

First Claim

Patent Images

1. A system for automatically managing secrets application and maintenance comprising:

at least one processor; and

at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the at least one processors, perform a process for automatically managing secrets application and maintenance, the process for automatically managing secrets application and maintenance including;

generating data classification data defining one or more classes of data;

for each class of data, generating secret application and maintenance policy data including required secrets application data indicating required secret types to be applied to each class of data and secrets maintenance policy data indicating secret maintenance procedures for required secrets to be applied to each class of data;

obtaining access to data to be protected;

determining the class of the data to be protected;

obtaining the secret application and maintenance policy data for the determined class of the data to be protected;

analyzing the required secrets application data of the secret application and maintenance policy data for the determined class of the data to be protected to identify the required secret types to be applied to the data to be protected, and to also identify a class of secrets associated with the determined class of data, wherein each different class of secrets associated with different levels of protection are each stored in different data stores;

obtaining required secrets data representing one or more secrets of the required secret types to be applied to the data to be protected, the one or more secrets of the required secrets types including at least multifactor authentication data;

automatically scheduling the application of the one or more secrets of the required secret types to the data to be protected in accordance with the required secrets application data of the secret application and maintenance policy data for the determined class of the data to be protected; and

automatically scheduling the reapplication, rotation or change of the one or more secrets of the required secrets data in accordance with the secrets maintenance policy data of the secret application and maintenance policy data for the determined class of the data to be protected, wherein each different secret type is governed by a different secrets maintenance policy data, and a period of rotation, change, or expiration of secrets of a given type depends on a level of security associated with the secret application and maintenance policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secret application and maintenance policy data is generated for different classes of data. The class of data to be protected is determined and the secret application and maintenance policy data for the determined class of the data to be protected is identified and obtained. Required secrets data representing one or more secrets to be applied to the data to be protected is obtained and then automatically scheduled for application to the data to be protected in accordance with the secret application and maintenance policy data for the determined class of the data to be protected. Maintenance of the one or more secrets is also automatically scheduled in accordance with the secret application and maintenance policy data for the determined class of the data to be protected.

93 Citations

View as Search Results

38 Claims

1. A system for automatically managing secrets application and maintenance comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the at least one processors, perform a process for automatically managing secrets application and maintenance, the process for automatically managing secrets application and maintenance including;
  
  generating data classification data defining one or more classes of data;
  
  for each class of data, generating secret application and maintenance policy data including required secrets application data indicating required secret types to be applied to each class of data and secrets maintenance policy data indicating secret maintenance procedures for required secrets to be applied to each class of data;
  
  obtaining access to data to be protected;
  
  determining the class of the data to be protected;
  
  obtaining the secret application and maintenance policy data for the determined class of the data to be protected;
  
  analyzing the required secrets application data of the secret application and maintenance policy data for the determined class of the data to be protected to identify the required secret types to be applied to the data to be protected, and to also identify a class of secrets associated with the determined class of data, wherein each different class of secrets associated with different levels of protection are each stored in different data stores;
  
  obtaining required secrets data representing one or more secrets of the required secret types to be applied to the data to be protected, the one or more secrets of the required secrets types including at least multifactor authentication data;
  
  automatically scheduling the application of the one or more secrets of the required secret types to the data to be protected in accordance with the required secrets application data of the secret application and maintenance policy data for the determined class of the data to be protected; and
  
  automatically scheduling the reapplication, rotation or change of the one or more secrets of the required secrets data in accordance with the secrets maintenance policy data of the secret application and maintenance policy data for the determined class of the data to be protected, wherein each different secret type is governed by a different secrets maintenance policy data, and a period of rotation, change, or expiration of secrets of a given type depends on a level of security associated with the secret application and maintenance policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system for automatically managing secrets application and maintenance of claim 1 wherein the one or more classes of data include at least one class of data selected from the group of classes of data consisting of:
    - highly sensitive data, requiring the maximum level of protection;
      
      moderately sensitive data, requiring a significant level of protection;
      
      sensitive data, requiring some level of protection; and
      
      non-sensitive data, requiring a minimal level of protection.
  - 3. The system for automatically managing secrets application and maintenance of claim 1 wherein at least one of the required secret types of the required secrets application data is selected from the group of secret types consisting of:
    - usernames;
      
      passwords;
      
      passphrases;
      
      encryption keys;
      
      digital certificates;
      
      biometric data;
      
      account numbers;
      
      identification numbers; and
      
      any combination thereof.
  - 4. The system for automatically managing secrets application and maintenance of claim 1 wherein the secrets maintenance policy data includes data indicating a rotation period associated with one or more of the required secret types of the required secrets application data.
  - 5. The system for automatically managing secrets application and maintenance of claim 1 wherein the secrets maintenance policy data includes data indicating a use period associated with one or more of the required secret types of the required secrets application data.
  - 6. The system for automatically managing secrets application and maintenance of claim 1 wherein the secrets maintenance policy data includes data indicating a retirement procedure associated with one or more of the required secret types of the required secrets application data.
  - 7. The system for automatically managing secrets application and maintenance of claim 1 wherein the class of the data to be protected is determined based, at least in part, on at least one data classification factor selected from the group of data classification factors consisting of:
    - a determination as to the sensitivity of the data to be protected as determined by the owner of the data to be protected;
      
      the sensitivity of the data to be protected as determined by one or more regulations and/or regulatory agencies;
      
      the sensitivity of the data to be protected as determined based on the need to protect the identity and personal information of the owners and/or sources of the data to be protected;
      
      a determination of the risk associated with the data to be protected;
      
      a determination of the vulnerability associated with the data to be protected;
      
      the commercial value of the data;
      
      the strategic value of the data;
      
      the entertainment value of the data; and
      
      any combination thereof.
  - 8. The system for automatically managing secrets application and maintenance of claim 7 wherein the secrets store includes required secrets data and the secret application and maintenance policy data for the determined class of data to be protected for two or more classes of data to be protected.
  - 9. The system for automatically managing secrets application and maintenance of claim 1 further comprising correlating the required secrets data and the secret application and maintenance policy data for the determined class of the data to be protected to the data to be protected and storing the required secrets data and the secret application and maintenance policy data for the determined class of the data to be protected in a secrets store location associated with the data to be protected.
  - 10. The system for automatically managing secrets application and maintenance of claim 1 further comprising providing an application scheduler for scheduling the application of the one or more secrets of the required secret types to the data to be protected in accordance with the required secrets application data of the secret application and maintenance policy data for the determined class of the data to be protected.
  - 11. The system for automatically managing secrets application and maintenance of claim 1 further comprising providing a maintenance scheduler for scheduling the maintenance of the one or more secrets of the required secrets data in accordance with the secrets maintenance policy data of the secret application and maintenance policy data for the determined class of the data to be protected.
  - 12. The system for automatically managing secrets application and maintenance of claim 1 wherein the data to be protected is associated with an asset in a first computing environment and the system for automatically managing secrets application and maintenance is associated with a second computing environment.
  - 13. The system for automatically managing secrets application and maintenance of claim 1 wherein the data to be protected is associated with a virtual asset instantiated in a cloud computing environment.
  - 14. The system for automatically managing secrets application and maintenance of claim 13 wherein the system for automatically managing secrets application and maintenance is implemented, at least in part, in a computing environment outside the cloud computing environment.
  - 15. The system for automatically managing secrets application and maintenance of claim 13 wherein the system for automatically managing secrets application and maintenance is implemented, at least in part, by a second virtual asset instantiated in the cloud computing environment.

16. A system for automatically managing encryption key application and maintenance comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for automatically managing encryption key application and maintenance, the process for automatically managing encryption key application and maintenance including;
  
  generating data classification data defining one or more classes of data;
  
  for each class of data, generating encryption key application and maintenance policy data including required encryption key application data indicating the required encryption key to be applied to each class of data and encryption key maintenance policy data indicating encryption key maintenance procedures for the required encryption key to be applied to each class of data;
  
  obtaining access to data to be protected;
  
  determining the class of the data to be protected;
  
  obtaining the encryption key application and maintenance policy data for the determined class of the data to be protected;
  
  analyzing the required encryption key application data of the encryption key application and maintenance policy data for the determined class of the data to be protected to identify the required encryption key type to be applied to the data to be protected, and to also identify a class of encryption key associated with the determined class of data, wherein each different class of encryption key associated with different levels of protection are each stored in different data stores;
  
  obtaining required encryption key data representing an encryption key of the required encryption key type to be applied to the data to be protected;
  
  automatically scheduling the application of the encryption key of the required encryption key type to the data to be protected in accordance with the required encryption key application data of the encryption key application and maintenance policy data for the determined class of the data to be protected; and
  
  automatically scheduling the reapplication, rotation or change of the encryption key of the required encryption key data in accordance with the encryption key maintenance policy data of the encryption key application and maintenance policy data for the determined class of the data to be protected, wherein each different secret type is governed by a different secrets maintenance policy data, and a period of rotation, change, or expiration of secrets of a given type depends on a level of security associated with the secret application and maintenance policy.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The system for automatically managing encryption key application and maintenance of claim 16 wherein the one or more classes of data include at least one class of data selected from the group of classes of data consisting of:
    - highly sensitive data, requiring the maximum level of protection;
      
      moderately sensitive data, requiring a significant level of protection;
      
      sensitive data, requiring some level of protection; and
      
      non-sensitive data, requiring a minimal level of protection.
  - 18. The system for automatically managing encryption key application and maintenance of claim 16 wherein at least one of the required encryption key types of the required encryption key application data is selected from the group of encryption key types consisting of:
    - a public encryption key;
      
      a private encryption key;
      
      a symmetric encryption key;
      
      an asymmetric encryption key;
      
      a public pre-placed encryption key;
      
      a private pre-placed encryption key;
      
      a 40-bit encryption key;
      
      any length encryption keys;
      
      an authentication encryption key;
      
      a benign encryption key;
      
      a content-encryption key (CEK);
      
      a cryptovariable encryption key;
      
      a derived encryption key;
      
      an electronic encryption key;
      
      an ephemeral encryption key;
      
      a key encryption key (KEK);
      
      a key production encryption key (KPK);
      
      a FIREFLY encryption key;
      
      a master encryption key;
      
      a message encryption key (MEK);
      
      a RED encryption key;
      
      a session encryption key;
      
      a traffic encryption key (TEK);
      
      a transmission security encryption key (TSK);
      
      a seed encryption key;
      
      a signature encryption key;
      
      a stream encryption key;
      
      a Type 1 encryption key;
      
      a Type 2 encryption key;
      
      a Vernam encryption key;
      
      a zeroized encryption key; and
      
      any combination thereof.
  - 19. The system for automatically managing encryption key application and maintenance of claim 16 wherein the encryption key maintenance policy data includes data indicating a rotation period associated with encryption key type of the required encryption key application data.
  - 20. The system for automatically managing encryption key application and maintenance of claim 16 wherein the encryption key maintenance policy data includes data indicating a retirement procedure associated with the required encryption key type of the required encryption key application data.
  - 21. The system for automatically managing encryption key application and maintenance of claim 16 wherein the class of the data to be protected is determined based, at least in part, on at least one data classification factor selected from the group of data classification factors consisting of:
    - a determination as to the sensitivity of the data to be protected as determined by the owner of the data to be protected;
      
      the sensitivity of the data to be protected as determined by one or more regulations and/or regulatory agencies;
      
      the sensitivity of the data to be protected as determined based on the need to protect the identity and personal information of the owners and/or sources of the data to be protected;
      
      a determination of the risk associated with the data to be protected;
      
      a determination of the vulnerability associated with the data to be protected;
      
      a determination of the vulnerability associated with the data to be protected;
      
      the commercial value of the data;
      
      the strategic value of the data;
      
      the entertainment value of the data;
      
      any combination thereof; and
      
      any combination thereof.
  - 22. The system for automatically managing encryption key application and maintenance of claim 16 further comprising correlating the required encryption key data and the encryption key application and maintenance policy data for the determined class of the data to be protected to the data to be protected and storing the required encryption key data and the encryption key application and maintenance policy data for the determined class of the data to be protected in an encryption key store location associated with the data to be protected.
  - 23. The system for automatically managing encryption key application and maintenance of claim 22 wherein the encryption key store includes required encryption key data and the encryption key application and maintenance policy data for the determined class of data to be protected for two or more classes of data to be protected.
  - 24. The system for automatically managing encryption key application and maintenance of claim 16 further comprising providing an application scheduler for scheduling the application of the encryption key of the required encryption key type to the data to be protected in accordance with the required encryption key application data of the encryption key application and maintenance policy data for the determined class of the data to be protected.
  - 25. The system for automatically managing encryption key application and maintenance of claim 16 further comprising providing a maintenance scheduler for scheduling the maintenance of the encryption key of the required encryption key data in accordance with the encryption key maintenance policy data of the encryption key application and maintenance policy data for the determined class of the data to be protected.
  - 26. The system for automatically managing encryption key application and maintenance of claim 16 wherein the data to be protected is associated with an asset in a first computing environment and the system for automatically managing encryption key application and maintenance is associated with a second computing environment.
  - 27. The system for automatically managing encryption key application and maintenance of claim 16 wherein the data to be protected is associated with a virtual asset instantiated in a cloud computing environment.
  - 28. The system for automatically managing encryption key application and maintenance of claim 27 wherein the system for automatically managing encryption key application and maintenance is implemented, at least in part, in a computing environment outside the cloud computing environment.
  - 29. The system for automatically managing encryption key application and maintenance of claim 27 wherein the system for automatically managing encryption key application and maintenance is implemented, at least in part, by a second virtual asset instantiated in the cloud computing environment.

30. A computing system implemented method for automatically managing secrets application and maintenance comprising the following, which when executed individually or collectively by any set of one or more processors perform a process including:
- generating data classification data defining one or more classes of data;
  
  for each class of data, generating secret application and maintenance policy data including required secrets application data indicating the required secret types to be applied to each class of data and secrets maintenance policy data indicating secret maintenance procedures for the required secrets to be applied to each class of data;
  
  obtaining access to data to be protected;
  
  determining the class of the data to be protected;
  
  obtaining the secret application and maintenance policy data for the determined class of the data to be protected;
  
  analyzing the required secrets application data of the secret application and maintenance policy data for the determined class of the data to be protected to identify the required secret types to be applied to the data to be protected, the required secret types including at least multifactor authentication data, and to also identify a class of secrets associated with the determined class of data, wherein each different class of secrets associated with different levels of protection are each stored in different data stores;
  
  obtaining required secrets data representing one or more secrets of the required secret types to be applied to the data to be protected;
  
  automatically scheduling the application of the one or more secrets of the required secret types to the data to be protected in accordance with the required secrets application data of the secret application and maintenance policy data for the determined class of the data to be protected; and
  
  automatically scheduling the reapplication, rotation or change of the one or more secrets of the required secrets data in accordance with the secrets maintenance policy data of the secret application and maintenance policy data for the determined class of the data to be protected, wherein each different secret type is governed by a different secrets maintenance policy data, and a period of rotation, change, or expiration of secrets of a given type depends on a level of security associated with the secret application and maintenance policy.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38)
- - 31. The computing system implemented method for automatically managing secrets application and maintenance of claim 30 wherein the one or more classes of data include at least one class of data selected from the group of classes of data consisting of:
    - highly sensitive data, requiring the maximum level of protection;
      
      moderately sensitive data, requiring a significant level of protection;
      
      sensitive data, requiring some level of protection; and
      
      non-sensitive data, requiring a minimal level of protection.
  - 32. The computing system implemented method for automatically managing secrets application and maintenance of claim 30 wherein at least one of the required secret types of the required secrets application data is selected from the group of secret types consisting of:
    - usernames;
      
      passwords;
      
      passphrases;
      
      encryption keys;
      
      digital certificates;
      
      biometric data;
      
      account numbers;
      
      identification numbers; and
      
      any combination thereof.
  - 33. The computing system implemented method for automatically managing secrets application and maintenance of claim 30 wherein the secrets maintenance policy data includes data indicating a rotation period associated with one or more of the required secret types of the required secrets application data.
  - 34. The computing system implemented method for automatically managing secrets application and maintenance of claim 30 wherein the secrets maintenance policy data includes data indicating a use period associated with one or more of the required secret types of the required secrets application data.
  - 35. The computing system implemented method for automatically managing secrets application and maintenance of claim 30 wherein the secrets maintenance policy data includes data indicating a retirement procedure associated with one or more of the required secret types of the required secrets application data.
  - 36. The computing system implemented method for automatically managing secrets application and maintenance of claim 30 wherein the class of the data to be protected is determined based, at least in part, on at least one data classification factor selected from the group of data classification factors consisting of:
    - a determination as to the sensitivity of the data to be protected as determined by the owner of the data to be protected;
      
      the sensitivity of the data to be protected as determined by one or more regulations and/or regulatory agencies;
      
      the sensitivity of the data to be protected as determined based on the need to protect the identity and personal information of the owners and/or sources of the data to be protected;
      
      a determination of the risk associated with the data to be protected;
      
      a determination of the vulnerability associated with the data to be protected;
      
      the commercial value of the data;
      
      the strategic value of the data;
      
      the entertainment value of the data; and
      
      any combination thereof.
  - 37. The computing system implemented method for automatically managing secrets application and maintenance of claim 30 further comprising correlating the required secrets data and the secret application and maintenance policy data for the determined class of the data to be protected to the data to be protected and storing the required secrets data and the secret application and maintenance policy data for the determined class of the data to be protected in a secrets store location associated with the data to be protected.
  - 38. The computing system implemented method for automatically managing secrets application and maintenance of claim 30 wherein the data to be protected is associated with an asset in a first computing environment and a computing system implementing at least part of the method for automatically managing secrets application and maintenance is associated with a second computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Weaver, Brett, Philip, Sabu Kuruvila, Otillio, Troy, Whitehouse, III, Jinglei, Gryb, Oleg, Wolfe, Jeffrey M., Jain, Ankur, Lietz, M. Shannon, Cabrera, Luis Felipe
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
LE, THANH H

Application Number

US14/069,921
Publication Number

US 20180007048A1
Time in Patent Office

1,565 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/6218   to a system of files or obj...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0457   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 9/0838   Key agreement, i.e. key est...

Method and system for automatically managing secret application and maintenance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

93 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for automatically managing secret application and maintenance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links