Data computation in a multi-domain cloud environment

US 9,973,475 B2
Filed: 10/16/2015
Issued: 05/15/2018
Est. Priority Date: 10/22/2014
Status: Active Grant

First Claim

Patent Images

1. A gateway device coupled between a client device and a server, the gateway device and the client device within a trusted domain comprising a pre-determined network of systems subject to one or more security policies corresponding to the trusted domain, the server external to the trusted domain, the gateway device comprising:

an input configured to receive encoded data and a set of operation identifiers each uniquely identifying a computational operation from a set of operations from the server, the server configured to provide the encoded data and the set of operation identifiers to the client device in response to a request for cloud services by the client device, the gateway device configured to intercept the encoded data and the set of operation identifiers before the client device receives the encoded data and the set operation identifiers, the requested cloud services associated with a cloud computational operation, the encoded data and the set of operations selected by the server based on the requested cloud services and based on a set of operations that the gateway device is able to perform such that the set of operations, when performed in a particular order, produce an operation result equivalent to an operation result produced by the cloud computational operation;

a decoding engine configured to decode the encoded data;

a hardware processor configured to perform each computational operation uniquely identified by an operation identifier in the set of operation identifiers on the decoded data to produce operation result data;

an encoding engine configured to encode the operation result data; and

an output configured to;

provide the operation result data to the client device; and

provide the encoded operation result data to the server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway device for implementing data security is described herein. The gateway device is coupled between a client device and a server device, and is configured to receive encoded data and a set of operations from the server device in response to a request for cloud services from the client device. The gateway device is configured to decode the encoded data, and to provide the decoded data and the set of operations to the client device. The client device is configured to perform the set of operations on the decoded data, and to incorporate the operation results into an application or interface corresponding to the requested cloud service. The gateway device is configured to encode the operation result data, and to provide the encoded operation result data to the server device for storage.

Citations

18 Claims

1. A gateway device coupled between a client device and a server, the gateway device and the client device within a trusted domain comprising a pre-determined network of systems subject to one or more security policies corresponding to the trusted domain, the server external to the trusted domain, the gateway device comprising:
- an input configured to receive encoded data and a set of operation identifiers each uniquely identifying a computational operation from a set of operations from the server, the server configured to provide the encoded data and the set of operation identifiers to the client device in response to a request for cloud services by the client device, the gateway device configured to intercept the encoded data and the set of operation identifiers before the client device receives the encoded data and the set operation identifiers, the requested cloud services associated with a cloud computational operation, the encoded data and the set of operations selected by the server based on the requested cloud services and based on a set of operations that the gateway device is able to perform such that the set of operations, when performed in a particular order, produce an operation result equivalent to an operation result produced by the cloud computational operation;
  
  a decoding engine configured to decode the encoded data;
  
  a hardware processor configured to perform each computational operation uniquely identified by an operation identifier in the set of operation identifiers on the decoded data to produce operation result data;
  
  an encoding engine configured to encode the operation result data; and
  
  an output configured to;
  
  provide the operation result data to the client device; and
  
  provide the encoded operation result data to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The gateway device of claim 1, wherein the client device is configured to execute an application or interface provided by the server, and to incorporate the operation result data into the executed application or interface.
  - 3. The gateway device of claim 1, wherein decoding the encoded data comprises one or both of decrypting the encoded data and detokenizing the encoded data.
  - 4. The gateway device of claim 1, wherein the server is configured to, in response to receiving the request for cloud services, query the gateway device to identify the set of operations that the gateway device is able to perform, to select one or more of the set of identified operations, and to provide operation identifiers identifying the selected one or more operations to the gateway device.
  - 5. The gateway device of claim 1, wherein providing the set of operation identifiers comprises providing executable code to the gateway device, and wherein the gateway device is configured to execute the code.
  - 6. The gateway device of claim 1, wherein the server is configured to, in advance of receiving the request for cloud services, query the gateway device to identify the set of operations that the gateway device is able to perform and store the identified set of operations.
  - 7. The gateway device of claim 6, wherein the server is configured to, in response to receiving the request for cloud services, query the stored identified set of operations that the gateway device is able to perform, select one or more of the stored set of operations, and provide operation identifiers identifying the selected one or more operations to the gateway device.

8. A method comprising:
- requesting, by a client device within a trusted domain from a server external to the trusted domain, a service provided by the server associated with encoded data stored at the server and associated with a service computational operation, the trusted domain comprising a pre-determined network of one or more systems subject to one or more security policies corresponding to the trusted domain, the server unable to decode the encoded data;
  
  receiving, at a gateway device within the trusted domain and communicatively coupled between the client device and the server, the encoded data and a set of operation identifiers each uniquely identifying a computational operation from a set of operations associated with the requested service, the encoded data and the set of operation identifiers selected by the server based on the requested service and based on a set of operations that the gateway device is able to perform such that the set of operations, when performed in a particular order, produce an operation result equivalent to an operation result produced by the service computational operation;
  
  decoding, by the gateway device, the encoded data to produce decoded data;
  
  providing, by the gateway device to the client device, the decoded data and the received set of operation identifiers;
  
  performing, by the client device, each computational operation uniquely identified by an operation identifier in the set of operation identifiers on the decoded data to produce operation result data;
  
  encoding, by the gateway device, the operation result data; and
  
  providing, by the gateway device, the encoded result data to the server.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the server is configured to provide the encoded data and the set of operation identifiers to the client device, and wherein the gateway device is configured to intercept the encoded data and the set of operation identifiers before the client device receives the encoded data and the set of operation identifiers.
  - 10. The method of claim 8, wherein the client device is configured to execute an application or interface provided by the server, and to incorporate the operation result data into the executed application or interface.
  - 11. The method of claim 8, wherein decoding the encoded data comprises one or both of decrypting the encoded data and detokenizing the encoded data.
  - 12. The method of claim 8, wherein the server is configured to, in response to receiving the request for cloud services, query the client device to identify the set of operations that the client device is able to perform, to select one or more of the set of identified operations, and to provide identifiers identifying the selected one or more operations to the client device.
  - 13. The method of claim 8, wherein providing the set of operation identifiers comprises provided executable code to the client device, and wherein the client device is configured to execute the code.

14. A method comprising:
- receiving, at a first system from the second system, encoded data and a set of operation identifiers each uniquely identifying a computational operation from a set of operations associated with a requested service, the first system within a trusted domain and the second system external to the trusted domain, the requested service provided by the second system and associated with the encoded data and a service computational operation, the trusted domain comprising a pre-determined network of one or more systems subject to one or more security policies corresponding to the trusted domain, the second system unable to decode the encoded data, the encoded data and the set of operation identifiers selected by the second system based on the requested service and based on a set of operations that the first system is able to perform such that the set of operations, when performed in a particular order, produce an operation result equivalent to an operation result produced by the service computational operation, the requested service requested by a requesting system within the trusted domain, the second system configured to provide the encoded data and the set of operation identifiers to the requesting system in response to receiving a request for the requested service, the first system configured to intercept the encoded data and the set of operation identifiers before the requesting system receives the encoded data and the set of operation identifiers;
  
  decoding, by the first system, the encoded data to produce decoded data;
  
  performing, by the first system, each computational operation uniquely identified by an operation identifier in the set of operation identifiers on the decoded data to produce operation result data;
  
  encoding, by the first system, the operation result data; and
  
  providing, by the first system, the encoded result data to the second system.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, wherein the first system is configured to execute an application or interface provided by the second system, and to incorporate the operation result data into the executed application or interface.
  - 16. The method of claim 14, wherein decoding the encoded data comprises one or both of decrypting the encoded data and detokenizing the encoded data.
  - 17. The method of claim 14, wherein the second system is configured to, in response to receiving the request for the requested service, query the first system to identify the set of operations that the first system is able to perform, to select one or more of the set of identified operations, and to provide operations identifiers identifying the selected one or more operations to the first system.
  - 18. The method of claim 14, wherein providing the set of operation identifiers comprises provided executable code to the first system, and wherein the first system is configured to execute the code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity US Holding LLC
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Jain, Rajnish, Levy, Vichai, Mattsson, Ulf, Rozenberg, Yigal
Primary Examiner(s)
Chiang, Jason C

Application Number

US14/885,662
Publication Number

US 20160119289A1
Time in Patent Office

942 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0435   wherein the sending and rec...

H04L 63/0471   applying encryption by an i...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 67/34   involving the movement of s...

H04L 67/51   Discovery or management the...

H04L 69/08   Protocols for interworking;...

Data computation in a multi-domain cloud environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Data computation in a multi-domain cloud environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links