CLOUD-BASED HARDWARE SECURITY MODULES

US 20130219164A1
Filed: 03/14/2013
Published: 08/22/2013
Est. Priority Date: 12/29/2011
Status: Abandoned Application

First Claim

Patent Images

1. A system for cloud-based hardware security modules, comprising:

a physical security device with a processor configured to;

create a secure connection to a user device across a multi-user network; and

decrypt data accessed by the user device over the multi-user network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud-based hardware security device (HSM) providing core security functions of a physically controlled HSM, such as a USB HSM, while allowing user access within the cloud and from a user device, including user devices without input ports capable of direct connection to the HSM. The HSMs can be connected to multi-HSM appliances on the organization or user side of the cloud network, or on the cloud provider side of the cloud network. HSMs can facilitate multiple users, and multi-HSM appliances can facilitate multiple organizations.

406 Citations

35 Claims

1. A system for cloud-based hardware security modules, comprising:
- a physical security device with a processor configured to;
  
  create a secure connection to a user device across a multi-user network; and
  
  decrypt data accessed by the user device over the multi-user network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the secure connection is independent of any transport protocol.
  - 3. The system of claim 1, wherein the physical security device includes a connector of a first type configured to connect to a reciprocal input port of the first type, and wherein the user device does not include an input port of the first type.
  - 4. The system of claim 3, wherein the user device comprises a redirection module for transparent redirection of the secure connection from the input port of the first type to the physical security device, over the multi-user network.
  - 5. The system of claim 4, wherein the first type is a Universal Serial Bus (USB).
  - 6. The system of claim 1, wherein the physical security device is associated with multiple users.
  - 7. The system of claim 1, comprising an appliance configured to receive a plurality of the physical security devices.
  - 8. The system of claim 7, wherein each of the plurality of physical security devices is associated with multiple users, each processor being configured to create multiple secure connections, including at least one secure connection per user.
  - 9. The system of claim 8, wherein each physical security device is associated with only one organization and the multiple users associated with a particular physical security device are all within the only one organization.
  - 10. The system of claim 9, wherein a plurality of the physical security devices are associated with a single organization.
  - 11. The system of claim 1, wherein the physical security device operates in a cloud environment, remote from the user device over the multi-user network.
  - 12. The system of claim 11, wherein the processor is configured to de-provision user access to the user device by revoking the physical security device.

13. A method for providing hardware security modules over a multi-user network, comprising:
- providing shared resources over a multi-user network to multiple users;
  
  connecting multiple hardware security modules to the shared resources, wherein each hardware security module is associated with at least one user;
  
  establishing a secure connection over the multi-user network between the at least one user and an associated hardware security module; and
  
  providing encrypted data to the at least one user, wherein the encrypted data can only be decrypted with one or more keys stored on the associated hardware security module.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 14. The method of claim 13, wherein the shared resources are shared among multiple organizations requiring strict data access separation such that each organization can only access data associated with that particular organization.
  - 15. The method of claim 14, wherein each hardware security module is associated with only one organization and at least one user within the only one organization.
  - 16. The method of claim 15, wherein a plurality of the multiple hardware security modules are associated with the only one organization.
  - 17. The method of claim 13, wherein at least one of the multiple hardware security modules is associated with multiple users.
  - 18. The method of claim 13, comprising providing management tools to a user associated with a particular one of the multiple hardware security modules to directly configure the particular hardware security module.
  - 19. The method of claim 13, wherein connecting multiple hardware security modules includes connecting a security appliance to the shared resources, wherein the security appliance is configured to receive and connect to the multiple hardware security modules.
  - 20. The method of claim 13, comprising the at least one user running an application on a user digital device.
  - 21. The method of claim 20, comprising providing the one or more keys to the application via the secure connection over the multi-user network, and decrypting the encrypted data using the one or more keys.
  - 22. The method of claim 20, wherein the user digital device lacks a hardware interface for communicative coupling with the hardware security module, absent the multi-user network.
  - 23. The method of claim 22, comprising operating the associated hardware security module in a cloud environment, remote from the at least one user over the multi-user network.
  - 24. The method of claim 23, comprising redirecting the communicative coupling from the hardware interface to the associated hardware security module operating in the cloud environment.
  - 25. The method of claim 24, wherein redirecting the communicative coupling is performed transparently, such that the application does not require modification as compared to an implementation on a user digital device having the hardware interface.
  - 26. The method of claim 23, comprising revoking access by the at least one user to the associated hardware security device operating in the cloud environment.
  - 27. The method of claim 23, comprising revoking access by the at least one user to the user digital device by operation of the associated hardware security device in the cloud environment.

28. A method for managing data in a non-volatile memory system, comprising:
- providing shared resources over a multi-user network to multiple users;
  
  connecting multiple hardware security modules to the shared resources, wherein each hardware security module is associated with at least one user;
  
  establishing a secure connection over the multi-user network between the at least one user and an associated hardware security module; and
  
  providing encrypted data to the at least one user, wherein the data can be decrypted with one or more keys stored on the associated hardware security module.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The method of claim 28, comprising revoking user access to the one or more keys by operation of the hardware security module in a cloud environment, remote from the at least one user over the multi-user network
  - 30. The method of claim 29, comprising preventing operative access of the at least one user to the digital device by the revocation of user access to the hardware security module.
  - 31. The method of claim 28, comprising sharing the one or more keys over the secure connection with an application running on a digital device associated with the at least one user, and decrypting the encrypted data, using the one or more keys.
  - 32. The method of claim 31, wherein the digital device lacks a hardware interface for communicative coupling with the hardware security module, absent the secure connection over the multi-user network.
  - 33. The method of claim 32, comprising transparently redirecting the communicative coupling from the hardware interface to the associated hardware security module operating in the cloud environment.
  - 34. The method of claim 33, wherein the application runs without modification as compared to an implementation on a user digital device having the hardware interface.

35. A non-volatile computer readable storage medium including instructions interpretable by a computing device:
- to provide shared resources over a multi-user network to multiple users;
  
  to connect multiple hardware security modules to the shared resources, wherein each hardware security module is associated with at least one user;
  
  to establish a secure connection over the multi-user network between the at least one user and an associated hardware security module; and
  
  to provide encrypted data to the at least one user, wherein the encrypted data can only be decrypted with one or more keys stored on the associated hardware security module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imation Corporation (Glassbridge Enterprises, Inc.)
Original Assignee
Imation Corporation (Glassbridge Enterprises, Inc.)
Inventors
Hamid, Laurence

Application Number

US13/826,353
Publication Number

US 20130219164A1
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0485   Networking architectures fo...

H04L 63/0853   using an additional device,...

H04L 9/006   involving public key infras...

H04L 9/08   Key distribution or managem...

H04L 9/3234   involving additional secure...

H04L 9/3273   for mutual authentication n...

CLOUD-BASED HARDWARE SECURITY MODULES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

406 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

CLOUD-BASED HARDWARE SECURITY MODULES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

406 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links