Automated management of confidential data in cloud environments

US 9,996,698 B2
Filed: 11/23/2015
Issued: 06/12/2018
Est. Priority Date: 12/09/2014
Status: Active Grant

First Claim

Patent Images

1. A method for storing data in a shared networked environment, the shared networked environment comprising a security layer between a shared networked storage and a shared networked storage access interface, the method comprising:

physically separating the shared networked storage from a key vault system;

receiving a storage request together with data to be stored in the shared networked storage and receiving the storage request together with a confidentiality rating, the confidentiality rating indicating a level of confidentiality the data is associated with, wherein the storage request together with the data and the confidentiality rating is received via the shared networked storage access interface by the security layer;

encrypting, on request of the security layer and into a data container, the data to be stored by the key vault system, and encrypting, into the data container, the confidentiality rating;

categorizing the shared networked storage into Cloud zones, wherein each Cloud zone is assigned a trust level;

storing the data container in one of the Cloud zones of the shared networked storage, wherein the trust level of the one of the Cloud zones corresponds to the confidentiality rating;

validating that the security layer is trusted for communication and validating that a transmission channel between the security layer and the key vault system is secured by a certificate-based encryption;

creating a transfer ticket, the transfer ticket comprising;

authorization information about the requester of the storage request, metadata about the data to be stored, a first signature made by the security layer, an expiry time for the storage request, and a second signature made by the key vault system; and

sending the transfer ticket to the security layer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A shared networked storage may be separated from a key vault system. A storage request with data to be stored and the storage request with a confidentiality rating may be received. The confidentiality rating may indicate a level of confidentiality the data is associated with. The storage request with the data and the confidentiality rating may be received via a shared networked storage access interface by a security layer. The data to be stored by the key vault system and the confidentiality rating may be encrypted on request of the security layer and into a data container. The shared networked storage may be categorized into Cloud zones. Each Cloud zone may be assigned a trust level. The data container may be stored in one of the Cloud zones of the shared networked storage. The trust level of the one of the Cloud zones may correspond to the confidentiality rating.

Citations

17 Claims

1. A method for storing data in a shared networked environment, the shared networked environment comprising a security layer between a shared networked storage and a shared networked storage access interface, the method comprising:
- physically separating the shared networked storage from a key vault system;
  
  receiving a storage request together with data to be stored in the shared networked storage and receiving the storage request together with a confidentiality rating, the confidentiality rating indicating a level of confidentiality the data is associated with, wherein the storage request together with the data and the confidentiality rating is received via the shared networked storage access interface by the security layer;
  
  encrypting, on request of the security layer and into a data container, the data to be stored by the key vault system, and encrypting, into the data container, the confidentiality rating;
  
  categorizing the shared networked storage into Cloud zones, wherein each Cloud zone is assigned a trust level;
  
  storing the data container in one of the Cloud zones of the shared networked storage, wherein the trust level of the one of the Cloud zones corresponds to the confidentiality rating;
  
  validating that the security layer is trusted for communication and validating that a transmission channel between the security layer and the key vault system is secured by a certificate-based encryption;
  
  creating a transfer ticket, the transfer ticket comprising;
  
  authorization information about the requester of the storage request, metadata about the data to be stored, a first signature made by the security layer, an expiry time for the storage request, and a second signature made by the key vault system; and
  
  sending the transfer ticket to the security layer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the receiving the storage request comprises authorizing the security layer from a client that is accessing the data to ensure that a trusted communication is built between the client and the security layer via the network storage access interface.
  - 3. The method of claim 1, wherein the receiving the storage request comprises authorizing a sender of the request, the request including a request to encrypt the data.
  - 4. The method of claim 1, wherein messages sent between the security layer and the key vault system are encrypted, and wherein the messages include the data.
  - 5. The method of claim 1, wherein messages conveyable from and/or receivable by the security layer are encrypted, and wherein the messages include the data.
  - 6. The method of claim 1, further comprising upon receiving the transfer ticket by the security layer from the key vault system, validating the first signature and the second signature before the request for the encryption of the data to be stored, wherein the request for the encryption of the data includes the transfer ticket and the data to be stored.
  - 7. The method of claim 1, further comprising:
    - receiving a validation of the transfer ticket by the key vault system;
      
      validating, in response to the validation of the transfer ticket, the second signature and expiry time for the storage request;
      
      validating whether the first signature, embedded in the transfer ticket, matches the encryption of a file content of the data to be stored, andvalidating whether a file identification of the data to be stored matches an actual file to be transferred.

8. A computer program product for storing data in a shared networked environment, the shared networked environment comprising a security layer between a shared networked storage and a shared networked storage access interface, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computing device to cause the computing device to perform a method, the method comprising:
- physically separating the shared networked storage from a key vault system;
  
  receiving a storage request together with data to be stored in the shared networked storage and receiving the storage request together with a confidentiality rating, the confidentiality rating indicating a level of confidentiality the data is associated with, wherein the storage request together with the data and the confidentiality rating is received via the shared networked storage access interface by the security layer;
  
  encrypting, on request of the security layer and into a data container, the data to be stored by the key vault system, and encrypting, into the data container, the confidentiality rating;
  
  categorizing the shared networked storage into Cloud zones, wherein each Cloud zone is assigned a trust level;
  
  storing the data container in one of the Cloud zones of the shared networked storage, wherein the trust level of the one of the Cloud zones corresponds to the confidentiality rating;
  
  validating that the security layer is trusted for communication and validating that a transmission channel between the security layer and the key vault system is secured by a certificate-based encryption;
  
  creating a transfer ticket, the transfer ticket comprising;
  
  authorization information about the requester of the storage request, meta data about the data to be stored, a first signature made by the security layer, an expiry time for the storage request, and a second signature made by the key vault system; and
  
  sending the transfer ticket to the security layer.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer program product of claim 8, wherein the method further comprises extracting the data from the one of the cloud zones by determining that the requester is a trusted target using the confidentiality rating of the data.
  - 10. The computer program product of claim 8, wherein the method further comprises transferring, subsequent to the storing of the data container, the data from a first Cloud zone to a second Cloud zone of the networked storage by:
    - validating that the confidentiality rating of the second Cloud zone matches the trust level correspondingly, andtransferring the data from the first Cloud zone to the second Cloud zone.
  - 11. The computer program product of claim 8, wherein a determining of the confidentiality rating is based on a content of the data.
  - 12. The computer program product of claim 8, wherein the method further comprises:
    - upon receiving the transfer ticket by the security layer from the key vault system, validating the first signature and the second signature before the request for the encryption of the data to be stored, wherein the request for the encryption of the data comprises the transfer ticket and the data to be stored.

13. A storage sub-system for storing data in a shared networked environment, the shared networked environment comprising a security layer between a shared networked storage and a shared networked storage access interface, the storage sub-system comprising:
- a shared networked storage including the security layer, the security layer physically separated from key vault system, wherein the shared networked storage comprises Cloud zones, wherein each of the Cloud zones has an assigned trust level;
  
  a receiving unit adapted to receive a storage request together with data to be stored in the shared networked storage and together with a confidentiality rating, wherein the storage request together with that data and the confidentiality rating is received via the shared networked storage access interface by the security layer;
  
  wherein the key vault system is adapted to encrypt the data to be stored and the confidentiality rating on request of the security layer into a data container;
  
  a storage component adapted to store the data container in one of the Cloud zones of the shared networked storage, wherein the trust level of the one of the Cloud zones corresponds to the confidentiality rating;
  
  wherein the key vault system is further adapted to, validate that the storage request is compliant with configurable policies by;
  
  validating that the security layer is trusted for communication and validating that a transmission channel between the security layer and the key vault system is secured by a certificate-based encryption;
  
  creating a transfer ticket, the transfer ticket including at least one of;
  
  authorization information about the requester of the storage request, meta data about the data to be stored, a first signature made by the security layer, an expiry time for the storage request, and a second signature made by the key vault system; and
  
  sending the transfer ticket to the security layer.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The storage sub-system of claim 13, wherein the storage sub-system is a part of a Cloud storage system for storing the data in the shared networked environment.
  - 15. The storage sub-system of claim 13, wherein the key vault system is further adapted to:
    - receive a validation of the transfer ticket;
      
      validate, in response to the validation of the transfer ticket, the second signature and expiry time for the storage request;
      
      validate whether the first signature, embedded in the transfer ticket, matches the encryption of a file content of the data to be stored; and
      
      validate whether a file identification of the data to be stored matches an actual file to be transferred.
  - 16. The storage sub-system of claim 13, wherein the data container is inside of an encrypted transaction container, the encrypted transaction container is readable only by the security layer, and wherein the encrypted transaction container includes a transaction identifier to identify the encrypted transaction container.
  - 17. The storage sub-system of claim 13, wherein the cloud zones are areas in which storage systems are physically located, the cloud zones including a first cloud zone and a second cloud zone, and wherein the first cloud zone corresponds to a first country and the second cloud zone corresponds to a second country.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Breuer, Marcus, Goldberg, Itzhack, Muehge, Thorsten, Rueger, Erik, Seul, Matthias
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US14/948,969
Publication Number

US 20160162693A1
Time in Patent Office

932 Days
Field of Search

713164, 713153, 713165, 713166, 713189, 726 7, 726 12, 726 26
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 3/0622   in relation to access

G06F 3/0637   Permissions

G06F 3/067   Distributed or networked st...

Automated management of confidential data in cloud environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Automated management of confidential data in cloud environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links