Enhanced remote key management for an enterprise in a cloud-based environment

US 10,574,442 B2
Filed: 06/02/2017
Issued: 02/25/2020
Est. Priority Date: 08/29/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining a collaborative cloud-based environment that hosts a shared workspace for two or more users to collaborate on a data item, wherein access to the data item is controlled via a client-configurable rule that determines whether to reject the access by determining whether to encrypt or decrypt an encrypted key of the data item based at least in part on a reason code determined from a request to access the data item if access inconsistencies are detected;

receiving a content request for the data item from a user of the two or more users associated with the shared workspace, wherein the content request is associated with the reason code for accessing the data item by the user;

determining that the data item corresponding to the content request is associated with remote key management functionality;

initiating a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key selected to encrypt the data item is encrypted a first time at the collaborative cloud-based environment to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time at the HSM to produce the key that is encrypted at least twice, and wherein the key request is sent to the HSM based at least in part on the reason code associated to the content request; and

monitoring access to the data item via the key request stored on the HSM by providing audit log information associated with the content request to a log monitoring system, wherein the audit log information includes the reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for facilitating remote key management services in a collaborative cloud-based environment. In one embodiment, the remote key management architecture and techniques described herein provide for local key encryption and automatic generation of a reason code associated with content access. The reason code is logged by a hardware security module which is monitored by a remote client device (e.g., an enterprise client) to control a second (remote) layer of key encryption. The remote client device provides client-side control and configurability of the second layer of key encryption.

569 Citations

30 Claims

1. A method comprising:
- maintaining a collaborative cloud-based environment that hosts a shared workspace for two or more users to collaborate on a data item, wherein access to the data item is controlled via a client-configurable rule that determines whether to reject the access by determining whether to encrypt or decrypt an encrypted key of the data item based at least in part on a reason code determined from a request to access the data item if access inconsistencies are detected;
  
  receiving a content request for the data item from a user of the two or more users associated with the shared workspace, wherein the content request is associated with the reason code for accessing the data item by the user;
  
  determining that the data item corresponding to the content request is associated with remote key management functionality;
  
  initiating a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key selected to encrypt the data item is encrypted a first time at the collaborative cloud-based environment to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time at the HSM to produce the key that is encrypted at least twice, and wherein the key request is sent to the HSM based at least in part on the reason code associated to the content request; and
  
  monitoring access to the data item via the key request stored on the HSM by providing audit log information associated with the content request to a log monitoring system, wherein the audit log information includes the reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the HSM stores the audit log information.
  - 3. The method of claim 2, wherein the HSM signs the audit log information with a secure key.
  - 4. The method of claim 1, wherein the audit log information is included in the key request.
  - 5. The method of claim 1, wherein the HSM is hosted by the collaborative cloud-based environment.
  - 6. The method of claim 1, wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment.
  - 7. The method of claim 1, wherein the HSM is hosted by a managed services provider.
  - 8. The method of claim 1, wherein the HSM provides access to the collaborative cloud-based environment.
  - 9. The method of claim 1, wherein the unencrypted key is encrypted with a local key encryption key by a key service engine and the encrypted key is encrypted with a remote encryption key by the HSM.
  - 10. The method of claim 1, wherein another content request comprises an access request for the data item, wherein the access request comprises:
    - determining, at the collaborative cloud-based environment, that the data item corresponding to the content request is associated with the remote key management functionality,retrieving, at the collaborative cloud-based environment, at least the key that is encrypted at least twice,initiating a secure key request with the HSM to decrypt the key that is encrypted at least twice,receiving, at the collaborative cloud-based environment, the encrypted key that was encrypted the first time from the HSM,decrypting the encrypted key using a local key encryption key used to encrypt the unencrypted key the first time, anddecrypting the data item using the unencrypted key.
  - 11. The method of claim 1, wherein the two or more users collaborating on the data item from the shared workspace each have their own access rights to data items accessed within the shared workspace.

12. A system comprising:
- one or more processors; and
  
  a memory unit having instructions stored thereon which, when executed by the one or more processors, causes the system to;
  
  maintain a collaborative cloud-based environment that hosts a shared workspace for two or more users to collaborate on a data item, wherein access to the data item is controlled via a client-configurable rule that determines whether to reject the access by determining whether to encrypt or decrypt an encrypted key of the data item based at least in part on a reason code determined from a request to access the data item if access inconsistencies are detected,receive a content request for the data item from a user of the two or more users associated with the shared workspace, wherein the content request is associated with the reason code for accessing the data item by the user,determine that the data item corresponding to the content request is associated with remote key management functionality,initiate a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key selected to encrypt the data item is encrypted a first time at the collaborative cloud-based environment to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time at the HSM to produce the key that is encrypted at least twice, and wherein the key request is sent to the HSM based at least in part on the reason code associated to the content request, andmonitor access to the data item via the key request stored on the HSM by providing audit log information associated with the content request to a log monitoring system, wherein the audit log information includes the reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The system of claim 12, wherein the HSM stores the audit log information.
  - 14. The system of claim 13, wherein the HSM signs the audit log information with a secure key.
  - 15. The system of claim 12, wherein the HSM is hosted by the collaborative cloud-based environment.
  - 16. The system of claim 12, wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment.
  - 17. The system of claim 12, wherein the HSM is hosted by a managed services provider.
  - 18. The system of claim 12, wherein the HSM provides access to the collaborative cloud-based environment.
  - 19. The system of claim 12, wherein the unencrypted key is encrypted with a local key encryption key by a key service engine and the encrypted key is encrypted with a remote encryption key by the HSM.
  - 20. The system of claim 12, wherein another content request comprises an access request for the data item, wherein the access request comprises:
    - determining, at the collaborative cloud-based environment, that the data item corresponding to the content request is associated with the remote key management functionality,retrieving, at the collaborative cloud-based environment, at least the key that is encrypted at least twice,initiating a secure key request with the HSM to decrypt the key that is encrypted at least twice,receiving, at the collaborative cloud-based environment, the encrypted key that was encrypted the first time from the HSM,decrypting the encrypted key using a local key encryption key used to encrypt the unencrypted key the first time, anddecrypting the data item using the unencrypted key.
  - 21. The system of claim 12, wherein the two or more users collaborating on the data item from the shared workspace each have their own access rights to data items accessed within the shared workspace.

22. A computer program product embodied in a non-transitory computer readable medium, the computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a process, the process comprising:
- maintaining a collaborative cloud-based environment that hosts a shared workspace for two or more users to collaborate on a data item, wherein access to the data item is controlled via a client-configurable rule that determines whether to reject the access by determining whether to encrypt or decrypt an encrypted key of the data item based at least in part on a reason code determined from a request to access the data item if access inconsistencies are detected;
  
  receiving a content request for the data item from a user of the two or more users associated with the shared workspace, wherein the content request is associated with the reason code for accessing the data item by the user;
  
  determining that the data item corresponding to the content request is associated with remote key management functionality;
  
  initiating a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key selected to encrypt the data item is encrypted a first time at the collaborative cloud-based environment to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time at the HSM to produce the key that is encrypted at least twice, and wherein the key request is sent to the HSM based at least in part on the reason code associated to the content request; and
  
  monitoring access to the data item via the key request stored on the HSM by providing audit log information associated with the content request to a log monitoring system, wherein the audit log information includes the reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The computer program product of claim 22, wherein the HSM stores the audit log information.
  - 24. The computer program product of claim 23, wherein the HSM signs the audit log information with a secure key.
  - 25. The computer program product of claim 22, wherein the HSM is hosted by the collaborative cloud-based environment.
  - 26. The computer program product of claim 22, wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment.
  - 27. The computer program product of claim 22, wherein the HSM provides access to the collaborative cloud-based environment.
  - 28. The computer program product of claim 22, wherein the content request comprises an upload request and wherein the key request includes a request to encrypt an encrypted encryption key.
  - 29. The computer program product of claim 22, wherein another content request comprises an access request for the data item, wherein the access request comprises:
    - determining, at the collaborative cloud-based environment, that the data item corresponding to the content request is associated with the remote key management functionality,retrieving, at the collaborative cloud-based environment, at least the key that is encrypted at least twice,initiating a secure key request with the HSM to decrypt the key that is encrypted at least twice,receiving, at the collaborative cloud-based environment, the encrypted key that was encrypted the first time from the HSM,decrypting the encrypted key using a local key encryption key used to encrypt the unencrypted key the first time, anddecrypting the data item using the unencrypted key.
  - 30. The computer program product of claim 22, wherein the two or more users collaborating on the data item from the shared workspace each have their own access rights to data items accessed within the shared workspace.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Box Incorporated
Original Assignee
Box Incorporated
Inventors
Amiri, Kia, Queisser, Jeff, Byron, Chris, Wacker, Rand
Primary Examiner(s)
Simitoski, Michael
Assistant Examiner(s)
Elarabi, Tarek

Application Number

US15/612,940
Publication Number

US 20170338949A1
Time in Patent Office

998 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

H04L 2209/12   Details relating to cryptog...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0861   Generation of secret inform...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/0897   involving additional device...

H04L 9/3226   using a predetermined code,...

Enhanced remote key management for an enterprise in a cloud-based environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

569 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Enhanced remote key management for an enterprise in a cloud-based environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

569 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others