Access to data stored in a cloud

US 10,320,777 B2
Filed: 05/09/2012
Issued: 06/11/2019
Est. Priority Date: 06/08/2011
Status: Active Grant

First Claim

Patent Images

1. A method for accessing data stored in a cloud, the method comprising:

inquiring a rights application about whether access to the data by an accessing entity is allowed, the data stored by a provider of the cloud where a server application and an application server hosting the server application are subject to control of the cloud provider, the accessing entity comprising at least one of a client application, a server application, or a user wishing to access the data using the client application, the server application or the client application and the server application;

informing, by the rights application, a rights server of the inquired access, the rights server not subject to control of the cloud provider and comprising a rights policy which defines at least the following access rights;

(i) access rights of users, user groups or the users and the user groups, and (ii) access rights of both the client and server applications;

providing, by the rights server, an item of access information that is configured to be used to determine whether the access is allowed according to the access rights of the accessing entity according to the rights policy; and

accessing the data only when access is allowed according to the access information, the data not being able to be viewed without the item of access information;

where the informing and providing are configured to be performed when the accessing entity corresponds to the server application and when the accessing entity corresponds to the client application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

It is proposed that known digital rights management (EDRM: Enterprise Digital Rights Management) be extended such that control over the access to data stored in a cloud remains with the user or originator of the data. This requires the access information to be coordinated between a rights application in the cloud and a rights server in the region of the user (that is to say outside the cloud). A rights policy can be used for fine-grained regulation of the access for users (user groups), computers (client, server) and validity periods. In this context, the access comprises a wide variety of actions which can be performed with the data. In particular, it is advantageous that a server application is provided with (temporally limited) access to a portion of the data in order to index said data, for example, without the server being able to access the complete contents of the data in the process. By way of example, the approach for works for document management and for databases that have been relocated in the cloud. The invention can be used for any type of distributed data processing in which the data are intended to be protected against unauthorized access operations.

20 Citations

31 Claims

1. A method for accessing data stored in a cloud, the method comprising:
- inquiring a rights application about whether access to the data by an accessing entity is allowed, the data stored by a provider of the cloud where a server application and an application server hosting the server application are subject to control of the cloud provider, the accessing entity comprising at least one of a client application, a server application, or a user wishing to access the data using the client application, the server application or the client application and the server application;
  
  informing, by the rights application, a rights server of the inquired access, the rights server not subject to control of the cloud provider and comprising a rights policy which defines at least the following access rights;
  
  (i) access rights of users, user groups or the users and the user groups, and (ii) access rights of both the client and server applications;
  
  providing, by the rights server, an item of access information that is configured to be used to determine whether the access is allowed according to the access rights of the accessing entity according to the rights policy; and
  
  accessing the data only when access is allowed according to the access information, the data not being able to be viewed without the item of access information;
  
  where the informing and providing are configured to be performed when the accessing entity corresponds to the server application and when the accessing entity corresponds to the client application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The method as claimed in claim 1, further comprising authenticating the client application with the server application prior to the inquiring.
  - 3. The method as claimed in claim 1, wherein the rights application accesses the data and forwards the data to the server application.
  - 4. The method as claimed in claim 1, wherein the client application transfers an authentication token to the server application, wherein the token is transmitted from the rights application to the rights server in order to gain access to the data.
  - 5. The method as claimed in claim 1, wherein the client application transfers a reference that is transmitted from the rights application of the application server to the rights server, the rights server requesting, carrying out, or requesting and carrying out authentication on the basis of the reference.
  - 6. The method as claimed in claim 5, wherein the reference is a reference to a rights application of a client.
  - 7. The method as claimed in claim 1, wherein inquiring comprises inquiring for at least one of the following items of information:
    - an item of user information;
      
      an item of computer information; and
      
      an item of information for identifying the data to be accessed.
  - 8. The method as claimed in claim 1, wherein the access information comprises:
    - the rights policy; and
      
      a key for decrypting the data.
  - 9. The method as claimed in claim 1, wherein the rights server checks, based on the inquiry from the rights application, whether access to the data is allowed by carrying out a comparison with the rights policy previously created for the data.
  - 10. The method as claimed in claim 1, wherein the rights policy comprises at least one of the following items of information:
    - an item of user or computer information;
      
      an action that is configured to be carried out by the user or a computer;
      
      an action that cannot be carried out by the user or the computer and a validity period.
  - 11. The method as claimed in claim 1, wherein communication between the rights server and the rights application is secured.
  - 12. The method as claimed in claim 1, wherein the rights server logs at least one inquiry.
  - 13. The method as claimed in claim 1, wherein the data are in the form of at least one of the following:
    - at least one document;
      
      at least one application;
      
      at least one database;
      
      at least one data record in a database; and
      
      at least one database entry.
  - 14. The method as claimed in claim 1, wherein access is allowed according to the access rights when the access information is provided by the rights server.
  - 15. The method as claimed in claim 1, wherein the access information comprises the access rights of the accessing entity.
  - 16. The method as claimed in claim 1, wherein the access information comprises a reference to an application to be used to check the access rights.
  - 17. The method as claimed in claim 1, wherein access is enabled according to the access information when access is allowed by a referenced application upon request.
  - 18. The method as claimed in claim 1, wherein the access rights are limited to part of the data.
  - 19. The method as claimed in claim 18, wherein the part of the data is in the form of a keyword part of a document or an attribute, tuple, object or combinations thereof in a database.
  - 20. The method as claimed in claim 1, wherein the access rights have a time limit.
  - 21. The method as claimed in claim 1, wherein the data are stored in encrypted form and the access information is required to decrypt said data.
  - 22. The method as claimed in claim 1, wherein data stored in encrypted form are decrypted by the rights application.
  - 23. The method as claimed in claim 1, wherein the rights application is part of the client application or the server application.
  - 24. The method as claimed in claim 1, wherein the rights application is assigned to the client application and another rights application is assigned to the server application.
  - 25. The method as claimed in claim 24, wherein the server application and the assigned rights application are arranged in an environment controlled by the cloud provider.
  - 26. The method as claimed in claim 1, wherein the rights server is controlled by the accessing entity that accesses the data in the cloud.
  - 27. The method as claimed in claim 1, wherein the access rights of the client application and of the server application differ from one another, the access rights of the client application being a different combination of a right to view, a right to change, and a right to print the data than the access rights of the server application, the data comprising a document or database.
  - 28. The method as claimed in claim 1, wherein, in the rights policy (i) a distinction is made between the rights of a user on a local computer on which the client application runs and the rights on a server on which the server application runs, (ii) the client application is allocated different rights than the server application, or (iii) both (i) and (ii);
    - and wherein accessing the data differs for the client application and for the server application because of the different respective access rights.
  - 29. The method as claimed in claim 1, wherein at least one of a right for editing, a right for converting a document, a right for search indexing, or a right for checking for viruses is allocated to the server application, and a right for printing is not allocated to the server application.

30. A system for accessing data stored in a cloud, the system comprising:
- a provider of the cloud comprising a computer network storing the data;
  
  an entity that accesses the data, the entity comprising at least one of a client application, a server application, or a user wishing to access the data using the client application, the server application or the client application and the server application;
  
  at least one rights application; and
  
  a rights server provided on a computer, the rights server not subject to the control of the cloud provider and comprising a rights policy that is configured to define at least the following access rights;
  
  access rights of users, user groups or the users and the user groups, and access rights of the client and server applications to operate on the data stored in the computer network of the provider of the cloud;
  
  wherein the rights application is configured to be inquired about whether access to the data by a accessing entity is allowed both when the accessing entity corresponds to the client application and when the accessing entity corresponds to the server application;
  
  wherein the rights application is configured to inform the rights server of the inquired access both when the accessing entity corresponds to the client application and when the accessing entity corresponds to the server application;
  
  wherein the rights server is configured to be provided an item of access information that is configured to be used to determine whether the access is allowed according to the access rights of the accessing entity both when the accessing entity corresponds to the client application and when the accessing entity corresponds to the server application; and
  
  wherein the cloud is configured to provide access to the data of the computer network only when access is allowed according to the access information.

31. A rights server for accessing data stored in a cloud, the rights server comprising:
- a memory configured to store a rights policy configured to define at least the following access rights;
  
  access rights of users, access rights of a client application, and access rights of a server application;
  
  a processor configured to be provided an item of access information that is configured to be used to determine whether access to the data is allowed according to the access rights of an accessing entity, the processor configured to inquire a rights application about whether the access to the data is allowed such that the cloud is configured to provide access to the data only when access is allowed according to the access information, the item provided and the rights application inquired both when the accessing entity corresponds to the client application and when the accessing entity corresponds to the server application;
  
  wherein the server application and an application server hosting the server application are subject to control of a provider of the cloud;
  
  wherein the rights server is not subject to the control of the provider of the cloud.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
Siemens AG
Inventors
Maidl, Monika, Seltzsam, Stefan
Primary Examiner(s)
Chang, Kenneth W

Application Number

US14/124,728
Publication Number

US 20140208409A1
Time in Patent Office

2,589 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/252   between a Database Manageme...

G06F 21/10   Protecting distributed prog...

G06F 21/6218   to a system of files or obj...

H04L 63/0853   using an additional device,...

Access to data stored in a cloud

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Access to data stored in a cloud

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links