System and method for providing key-encrypted storage in a cloud computing environment

US 10,230,704 B2
Filed: 04/10/2017
Issued: 03/12/2019
Est. Priority Date: 03/13/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

routing a request to a cloud resource from a plurality of cloud resources within a cloud, wherein the request is directed to a single Internet Protocol (IP) address for the cloud, wherein routing further includes performing network address translation on a port portion of the IP address by translating the IP address to a subnet IP address comprising a range of IP addresses that are assigned to a plurality of instances of servers within the cloud resource within the cloud and distinguishing the cloud resource from the plurality of cloud resources;

selecting a particular instance of the plurality of instance of servers to service the request based on processing loads associated with the instances and based on the performing network address translation on the port portion of the IP address that identifies the subnet IP address range for the instances;

initiating the particular instance to service the request;

providing a secure encrypted storage within the cloud that is shared between the cloud resources; and

managing each cloud resource'"'"'s access to a decryption key for decrypting the secure encrypted storage during access by the cloud resources to the secure encrypted storage.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for providing cloud computing services are described. In one embodiment, the system comprises a cloud computing environment comprising resources for supporting cloud workloads, each cloud workload having associated therewith an internal cloud address; and a routing system disposed between external workloads of an external computing environment and the cloud workloads, the routing system for directing traffic from an external address to the internal cloud addresses of the cloud workloads. A designated one of the cloud workloads obtains one key of a first pair of cryptographic keys, the first pair of cryptographic keys for decrypting encrypted storage hosted within the cloud computing environment.

70 Citations

20 Claims

1. A method, comprising:
- routing a request to a cloud resource from a plurality of cloud resources within a cloud, wherein the request is directed to a single Internet Protocol (IP) address for the cloud, wherein routing further includes performing network address translation on a port portion of the IP address by translating the IP address to a subnet IP address comprising a range of IP addresses that are assigned to a plurality of instances of servers within the cloud resource within the cloud and distinguishing the cloud resource from the plurality of cloud resources;
  
  selecting a particular instance of the plurality of instance of servers to service the request based on processing loads associated with the instances and based on the performing network address translation on the port portion of the IP address that identifies the subnet IP address range for the instances;
  
  initiating the particular instance to service the request;
  
  providing a secure encrypted storage within the cloud that is shared between the cloud resources; and
  
  managing each cloud resource'"'"'s access to a decryption key for decrypting the secure encrypted storage during access by the cloud resources to the secure encrypted storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein providing further includes providing each cloud resource the decryption key as a unique key pair for decrypting the secure encrypted storage.
  - 3. The method of claim 2, wherein providing further includes providing one key of each unique key pair through a secure connection using a different key pair with each cloud resource.
  - 4. The method of claim 1, wherein routing further includes matching a port range defined in the IP address to the cloud resources.
  - 5. The method of claim 4, wherein routing further includes selecting the cloud resource based on a processing load of the cloud resources, wherein the cloud resources are multiple executing instances of a same cloud resource.
  - 6. The method of claim 5, wherein routing further includes identifying a private IP address for each of the cloud resources based on being within the port range.
  - 7. The method of claim 1, wherein managing further includes providing the decryption key as a key pair.
  - 8. The method of claim 7, wherein providing further includes obtaining a first key of the key pair from an external source to the cloud.
  - 9. The method of claim 8, wherein providing further includes using a designated cloud resource for interfacing with the external source to obtain the first key on behalf of the cloud resources.
  - 10. The method of claim 9, wherein using further includes providing a second key of the key pair during a secure connection using a different key pair with each of the cloud resource.
  - 11. The method of claim of claim 1 further comprising, ensuring that data storage traffic within the cloud is encrypted into and decrypted from the secure encrypted storage.
  - 12. The method of claim 1 further comprising enforcing communication traffic into and out of the cloud over secure communication channels.
  - 13. The method of claim 12, wherein each of the secure communication channels process cryptographic keys for communication with the cloud.

14. A non-transitory computer-readable storage device with computer-executable instructions stored thereon that, when executed by one or more computer processors, cause the one or more computer processors to perform operations comprising:
- maintaining a plurality of executing instances of a cloud resource within a plurality of cloud resources within a secure cloud;
  
  receiving a request for an executing instance that utilizes a single Internet Protocol (IP) address shared by each of the executing instances, wherein maintaining further includes managing the single IP address for access to all of the instances;
  
  performing network address translation on a port portion of the single IP address by translating the single IP address to a subnet IP address comprising a range of IP addresses that are assigned to the plurality of executing instances of the cloud resource within the secure cloud and distinguishing the cloud resource from the plurality of cloud resources;
  
  selecting a particular instance to service the request based on processing loads associated with the instances and based on the performing network address translation on the port portion of the single IP address that identifies the subnet IP address range for the instances;
  
  initiating the particular instance to service the request; and
  
  managing data access for each of the instances from an encrypted storage within the cloud during processing of the instances with each instance having access to the encrypted storage through a unique encryption and decryption key pair.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The non-transitory computer-readable storage device of claim 14, wherein managing further includes proving a first key of the unique encryption and decryption key pair to each of the instances during a secure connection to that instance and utilizing a different key pair for the secure connection.
  - 16. The non-transitory computer-readable storage device of claim 15, wherein managing further includes providing a second key of the unique encryption and decryption key pair to each of the instances through a designated cloud resource.
  - 17. The non-transitory computer-readable storage device of claim 16, wherein providing further includes configuring the designated cloud resource to obtain the second key from an external resource that is external to the cloud.
  - 18. The non-transitory computer-readable storage device of claim 14 further comprising, processing secure communication connections for any communication to and from the cloud.

19. A system, comprising:
- a cloud comprising a plurality of cloud resources, the plurality of cloud resources comprising a plurality of executing instances of a cloud resource;
  
  an encrypted data storage; and
  
  a cloud router configured to;
  
  i) manage the plurality of executing instances of the cloud resource through a single port of a single Internet Protocol (IP) address that is provided for accessing any of the executing instances, ii) perform network address translation on the single port of the single IP address by translating the single IP address to a subnet IP address comprising a range of IP addresses that are assigned to the plurality of executing instances of the cloud resource within the cloud and distinguishing the cloud resource from the plurality of cloud resources, iii) select particular executing instances of the plurality of executing instances to service external requests for the cloud resource based on processing loads for the instances and based on the performing network address translation on the single port of the single IP address that identifies the subnet IP address range for the executing instances within a subnet, iv) select the particular instances from the single IP address based on the private IP addresses being within a port range included as part of the single IP address, v) provide a unique key pair for accessing the encrypted data storage to each of the instances, and vi) provide a first key of the unique key pair to each of the instances during a secure communication session that utilizes a different key pair.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the cloud router is further configured to:
    - vi) provide a second key of the unique key pair through a designated cloud resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Inventors
Carter, Stephen R, McClain, Carolyn B., Allen, Jared Patrick, Olds, Dale Robert, Burch, Lloyd Leon
Primary Examiner(s)
Bechtel, Kedvin
Assistant Examiner(s)
Tran, Vu V

Application Number

US15/483,810
Publication Number

US 20170214669A1
Time in Patent Office

701 Days
Field of Search

713150
US Class Current
CPC Class Codes

G06F 9/505   considering the load

H04L 45/586   of virtual routers

H04L 61/2514   between local and global IP...

H04L 63/0281   Proxies

H04L 63/061   for key exchange, e.g. in p...

H04L 67/10   in which an application is ...

System and method for providing key-encrypted storage in a cloud computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing key-encrypted storage in a cloud computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links