Protection of data stored in the cloud

US 9,954,828 B1
Filed: 03/15/2016
Issued: 04/24/2018
Est. Priority Date: 03/24/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a client device that is configured to receive a credential from a customer who uses a cloud application hosted by a cloud computer system, to forward the credential to a remotely located intermediary computer system, to run a cloud application client, and to forward plaintext data from the cloud application client to the intermediary computer system;

the intermediary computer system that is configured to receive the credential, to receive the plaintext data, to locally generate a plaintext encryption key for the customer, to use the plaintext encryption key to encrypt the plaintext data into encrypted data, to use the credential to encrypt the plaintext encryption key to generate an encrypted encryption key, to forward the encrypted encryption key to a remotely located key server computer system, and to forward the encrypted data to the cloud computer system; and

the key server computer system that is configured to receive the encrypted encryption key and to store the encrypted encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for protecting data stored in the cloud includes a computing device that generates a plaintext encryption key and encrypts the plaintext encryption key using a credential of a customer that uses a cloud application. The computing device encrypts plaintext data using the encryption key and forwards the encrypted data to a cloud computer system that hosts the cloud application. The plaintext data can be received from a cloud application client that runs in the computing device or from another computing device that hosts the cloud application client. The encrypted encryption key can be stored in and retrieved from a key server.

Citations

20 Claims

1. A system comprising:
- a client device that is configured to receive a credential from a customer who uses a cloud application hosted by a cloud computer system, to forward the credential to a remotely located intermediary computer system, to run a cloud application client, and to forward plaintext data from the cloud application client to the intermediary computer system;
  
  the intermediary computer system that is configured to receive the credential, to receive the plaintext data, to locally generate a plaintext encryption key for the customer, to use the plaintext encryption key to encrypt the plaintext data into encrypted data, to use the credential to encrypt the plaintext encryption key to generate an encrypted encryption key, to forward the encrypted encryption key to a remotely located key server computer system, and to forward the encrypted data to the cloud computer system; and
  
  the key server computer system that is configured to receive the encrypted encryption key and to store the encrypted encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the intermediary computer system comprises a router.
  - 3. The system of claim 2, wherein the router serves as a gateway or a firewall.
  - 4. The system of claim 1, wherein the intermediary computer system is on-premise within a same private computer network as the client device.
  - 5. The system of claim 1, wherein the intermediary computer system comprises a proxy server.
  - 6. The system of claim 1, wherein the intermediary computer system is off-premise outside a private computer network of the client device.
  - 7. The system of claim 1, further comprising:
    - the cloud computer system that is configured to host the cloud application that works in conjunction with the cloud application client, to receive the encrypted data over the Internet, and to store the encrypted data.
  - 8. The system of claim 1, wherein the intermediary computer system is configured to receive the encrypted encryption key forwarded back by the key server computer system, to decrypt the encrypted encryption key using the credential to recover the plaintext encryption key, to receive the encrypted data forwarded back by the cloud computer system, and to decrypt the encrypted data using the plaintext encryption key to recover the plaintext data.
  - 9. The system of claim 1, wherein the client device is a mobile computing device that runs a mobile operating system and the cloud application client is a mobile application that is running on the client device.
  - 10. The system of claim 1, wherein the credential comprises biometric data of the customer.

11. A computer-implemented method of protecting data stored in the cloud, the method comprising:
- receiving, from a client device over a computer network, plaintext data of a cloud application client of a cloud application hosted by a cloud computer system;
  
  locally generating a plaintext encryption key for the customer;
  
  encrypting plaintext data of the cloud application client using the plaintext encryption key to generate encrypted data;
  
  forwarding the encrypted data to the cloud computer system;
  
  encrypting the plaintext encryption key using a credential of the customer to generate an encrypted encryption key; and
  
  forwarding the encrypted encryption key to a key server computer system.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein the credential comprises biometric data of the customer.
  - 13. The method of claim 11, wherein the credential comprises federated identity authentication of the customer.
  - 14. The method of claim 11, further comprising:
    - retrieving the encrypted data from the cloud computer system over the computer network;
      
      retrieving the encrypted encryption key from the key server computer system;
      
      decrypting the encrypted encryption key using the credential of the customer to recover the plaintext encryption key; and
      
      decrypting the encrypted data using the plaintext encryption key to recover the plaintext data.

15. A system comprising:
- an intermediary computer system that receives a credential of a customer who uses a cloud application hosted by a cloud computer system, receives plaintext data of a cloud application running on a client device that is employed by the customer to access the cloud application, uses a plaintext encryption key to encrypt the plaintext data into encrypted data, uses the credential of the customer to encrypt the plaintext encryption key to generate an encrypted encryption key, provides the encrypted encryption key to a remotely located key server computer system, and forwards the encrypted data to the cloud computer system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the credential of the customer comprises biometric data of the customer.
  - 17. The system of claim 15, wherein the credential of the customer comprises federated identity authentication of the customer.
  - 18. The system of claim 15, further comprising:
    - the key server computer system that receives the encrypted encryption key and stores the encrypted encryption key.
  - 19. The system of claim 15, further comprising:
    - the cloud computer system that hosts the cloud application that works in conjunction with the cloud application client that runs on the client device, receives the encrypted data over the Internet, and stores the encrypted data.
  - 20. The system of claim 15, wherein the intermediary computer system is on-premise within a same private computer network as the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Chandrasekhar, Bharath Kumar, Ji, Shuang
Primary Examiner(s)
Lim, Krisna

Application Number

US15/070,878
Time in Patent Office

770 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

Protection of data stored in the cloud

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protection of data stored in the cloud

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links