Virtual service provider zones

US 10,055,594 B2
Filed: 03/14/2016
Issued: 08/21/2018
Est. Priority Date: 06/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a first hardware-implemented data storage service, implemented with computing resources in a first set of facilities that is operated by a computing resource service provider; and

a second data storage service, implemented with computing resources in a second set of facilities that is geographically distinct from the first set of facilities and operated by the computing resource service provider, where first data storage service is configured according to first set of regulations associated with a first legal jurisdiction and second data storage service is configured according to a second set of regulations that is different from the first set of regulations and associated with a second legal jurisdiction, the first data storage service receiving web service requests and the first data storage service operating as a proxy to the second data storage service by at least;

receiving, at a first web service interface of the first data storage service, a request from a requestor to store data, the request originating from a network not operated by the computing resource service provider and identifying authentication credentials usable for fulfillment of the request by the first data storage service based at least in part on the first set of facilities being located in the first legal jurisdiction and the authentication credentials being unusable for fulfillment of requests to the second data storage service based at least in part on the second set of facilities being located in the second legal jurisdiction that is different from the first legal jurisdiction;

encrypting the data using a cryptographic key to generate encrypted data, the cryptographic key being accessible to the first data storage service while inaccessible to the second data storage service by preventing access to the key by an entity located in a particular facility of the second set of facilities; and

transmitting the encrypted data to the entity for persistent storage on behalf of the requestor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service proxy services as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.

311 Citations

20 Claims

1. A system, comprising:
- a first hardware-implemented data storage service, implemented with computing resources in a first set of facilities that is operated by a computing resource service provider; and
  
  a second data storage service, implemented with computing resources in a second set of facilities that is geographically distinct from the first set of facilities and operated by the computing resource service provider, where first data storage service is configured according to first set of regulations associated with a first legal jurisdiction and second data storage service is configured according to a second set of regulations that is different from the first set of regulations and associated with a second legal jurisdiction, the first data storage service receiving web service requests and the first data storage service operating as a proxy to the second data storage service by at least;
  
  receiving, at a first web service interface of the first data storage service, a request from a requestor to store data, the request originating from a network not operated by the computing resource service provider and identifying authentication credentials usable for fulfillment of the request by the first data storage service based at least in part on the first set of facilities being located in the first legal jurisdiction and the authentication credentials being unusable for fulfillment of requests to the second data storage service based at least in part on the second set of facilities being located in the second legal jurisdiction that is different from the first legal jurisdiction;
  
  encrypting the data using a cryptographic key to generate encrypted data, the cryptographic key being accessible to the first data storage service while inaccessible to the second data storage service by preventing access to the key by an entity located in a particular facility of the second set of facilities; and
  
  transmitting the encrypted data to the entity for persistent storage on behalf of the requestor.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the entity further comprises a second data storage service, implemented with computing resources in the second set facilities and operated by the computing resource service provider, the second data storage service receiving web service requests transmitted to a second web service interface of the second data storage service.
  - 3. The system of claim 2, wherein the first data storage service operating as the proxy further comprises at least:
    - receiving, at the first web service interface, a second request from the requestor to retrieve the data;
      
      obtaining encrypted data from the second data storage service corresponding to the data;
      
      decrypting the encrypted data using the cryptographic key to generate the data; and
      
      providing the data in response to the request.
  - 4. The system of claim 2, wherein the first web service interface and the second web service interface are publicly addressable interfaces within a public communications network.
  - 5. The system of claim 1, wherein encrypting the data using the cryptographic key further comprises encrypting the data without a corresponding request from the requestor to encrypt the data.

6. A computer-implemented method, comprising:
- implementing a first data storage service using computing resources in a first facility and operated by a computing resource service provider, where the first data storage service operates as a proxy to an entity in a different legal jurisdiction from the first facility by at least;
  
  receiving, via a network not operated by the computing resource service provider, a request to store data, the request identifying authentication credentials usable for fulfillment of the request by the first data storage service based at least in part on a legal jurisdiction associated with the first facility and the authentication credentials unusable for fulfillment of requests to a second data storage service implemented with computing resources in a second facility that is geographically distinct from the first facility and operated by the computing resource service provider, where the first data storage service is configured according to first set of regulations associated with a first legal jurisdiction and the second data storage service is configured according to a second set of regulations that is different from the first set of regulations and associated with a second legal jurisdiction;
  
  encrypting the data using a cryptographic key to obtain encrypted data, the cryptographic key being accessible to the first data storage service while inaccessible to the second data storage service by preventing access to the key by the entity for which the first data storage service is the proxy, the entity located in the second legal jurisdiction; and
  
  transmitting the encrypted data to the entity for persistent storage on behalf of a requestor.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The computer-implemented method of claim 6, wherein the computer-implemented method further comprises implementing a second data storage service using computing resources in a second facility that is in the different jurisdiction from the first facility and operated by the computing resource service provider;
    - andwherein the entity further comprises the second data storage service.
  - 8. The computer-implemented method of claim 7, wherein the first data storage service operating as a proxy further comprises at least:
    - receiving a second request indicating data to be provided to the requestor associated with the second request;
      
      obtaining, from the second data storage service, encrypted data associated with the data to be provided to the requestor;
      
      decrypting the encrypted data using the cryptographic key; and
      
      providing a result of decrypting the encrypted data to the requester.
  - 9. The computer-implemented method of claim 7, wherein the first data storage service is operated by a different organizational entity than the second data storage service.
  - 10. The computer-implemented method of claim 6, wherein the request to store data further comprises an application programming interface request received at a web services front end of the first data storage service.
  - 11. The computer-implemented method of claim 10, wherein operating as the proxy further comprises determining to restrict access to the data based at least in part on an analysis of the application programming interface request.
  - 12. The computer-implemented method of claim 11, wherein encrypting the data using the cryptographic key further comprises encrypting the data based at least in part on the determination to restrict access to the data.
  - 13. The computer-implemented method of claim 6, wherein encrypting the data using the cryptographic further comprises transmitting, to a cryptography service, a request that causes the cryptography service to perform one or more cryptographic operations to encrypt the data.
  - 14. The computer-implemented method of claim 6, wherein the request is one of a plurality of requests, where at least a portion of the plurality of requests are transmitted by different users and where each user corresponds to an account of the first data storage service.

15. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to:
- execute a first data storage service with computing resources of a first facility that is in a first legal jurisdiction and operated by a computing resource service provider;
  
  operate the first data storage service as a proxy;
  
  receive, via a network not operated by the computing resource service provider, a request to store data, the request identifying authentication credentials usable for fulfillment of the request by the first data storage service and unusable for fulfillment of requests to a second data storage service implemented with computing resources in a second facility that is geographically distinct from the first facility and operated by the computing resource service provider, where the first data storage service is configured according to first set of regulations associated with a first legal jurisdiction and the second data storage service is configured according to a second set of regulations that is different from the first set of regulations and associated with a second legal jurisdiction; and
  
  fulfill the request by at least;
  
  causing the first data storage service to obtain encrypted data, the encrypted data generated based at least in part on using a cryptographic key to encrypt the data, the cryptographic key being accessible to the first data storage service while being inaccessible to the second data storage service by preventing access to the key by an entity for which the first data storage service is the proxy, the entity located in the second legal jurisdiction; and
  
  causing the first data storage service to transmit the encrypted data to the entity.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The set of one or more non-transitory computer-readable storage media of claim 15, wherein the instructions that cause the computer system to fulfill the request further include instructions that cause the computer system to analyze the request to determine that access to the data is restricted.
  - 17. The set of one or more non-transitory computer-readable storage media of claim 15, wherein the instructions that cause the computer system to obtain encrypted data further include instructions that cause the computer system to:
    - transmit an encryption request to a cryptography service for the cryptographic key; and
      
      encrypt the data using the cryptographic key.
  - 18. The set of one or more non-transitory computer-readable storage media of claim 15, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - receive a second request for data; and
      
      fulfill the second request by at least;
      
      causing the first data storage service to obtain the encrypted data from the entity;
      
      causing the first data storage service to decrypt the encrypted data; and
      
      provide a result of decrypting the encrypted data in response to the second request.
  - 19. The set of one or more non-transitory computer-readable storage media of claim 18, wherein the instructions that cause the computer system to cause the first data storage service to decrypt the encrypted data further include instructions that cause the computer system to:
    - request a decryption key from a cryptography service, where the decryption key is associated with the encrypted data; and
      
      decrypt the encrypted data using the decryption key.
  - 20. The set of one or more non-transitory computer-readable storage media of claim 15, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to execute a second data storage service with computing resources of a second facility in the second jurisdiction, the second jurisdiction different from the first jurisdiction;
    - andwherein the entity further comprises the second data storage service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brandwine, Eric Jason, Wren, Matthew James
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
SONG, HEE K

Application Number

US15/069,851
Publication Number

US 20160196438A1
Time in Patent Office

890 Days
Field of Search

726 4, 707692
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6254   by anonymising data, e.g. d...

Virtual service provider zones

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

311 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual service provider zones

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

311 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links