SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

US 20150154418A1
Filed: 12/02/2013
Published: 06/04/2015
Est. Priority Date: 12/02/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing, by a cloud storage gateway device logically interposed between one or more third-party cloud storage platforms and a plurality of users of an enterprise, a generalized application programming interface (API) through which the plurality of users can store files to the one or more third-party cloud storage platforms, issue search requests against the files and retrieve content of the files;

assigning, by the cloud storage gateway device, a file storage policy of a plurality of file storage policies to each user of the plurality of users, the plurality of file storage policies defining access rights, storage diversity requirements and a type of encryption to be applied to the files; and

responsive to receiving, via the generalized API, a request to store a file;

creating, by the cloud storage gateway device, searchable encrypted data corresponding to one or more of (i) content of the file and (ii) metadata associated with the file, wherein the storage request is associated with a first user of the plurality of users and the searchable encrypted data is based on the type of encryption defined by the file storage policy assigned to the first user; and

distributing, by the cloud storage gateway device, the searchable encrypted data among the one or more third-party cloud storage platforms based on the storage diversity requirements defined by the assigned file storage policy by uploading a subset of the searchable encrypted data to each of the one or more third-party cloud storage platforms.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for vendor independent and secure cloud storage distribution and aggregation are provided. According to one embodiment, an application programming interface (API) is provided by a cloud storage gateway device logically interposed between third-party cloud storage platforms and users of an enterprise. The API facilitates storing of files, issuing of search requests against the files and retrieval of content of the files. A file storage policy is assigned to each user, which defines access rights, storage diversity requirements and a type of encryption to be applied to files. Responsive to receiving a request to store a file, (i) searchable encrypted data is created relating to content and/or metadata of the file based on the assigned file storage policy; and (ii) the searchable encrypted data is distributed among the third-party cloud storage platforms based on the storage diversity requirements defined by the assigned file storage policy.

260 Citations

32 Claims

1. A method comprising:
- providing, by a cloud storage gateway device logically interposed between one or more third-party cloud storage platforms and a plurality of users of an enterprise, a generalized application programming interface (API) through which the plurality of users can store files to the one or more third-party cloud storage platforms, issue search requests against the files and retrieve content of the files;
  
  assigning, by the cloud storage gateway device, a file storage policy of a plurality of file storage policies to each user of the plurality of users, the plurality of file storage policies defining access rights, storage diversity requirements and a type of encryption to be applied to the files; and
  
  responsive to receiving, via the generalized API, a request to store a file;
  
  creating, by the cloud storage gateway device, searchable encrypted data corresponding to one or more of (i) content of the file and (ii) metadata associated with the file, wherein the storage request is associated with a first user of the plurality of users and the searchable encrypted data is based on the type of encryption defined by the file storage policy assigned to the first user; and
  
  distributing, by the cloud storage gateway device, the searchable encrypted data among the one or more third-party cloud storage platforms based on the storage diversity requirements defined by the assigned file storage policy by uploading a subset of the searchable encrypted data to each of the one or more third-party cloud storage platforms.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising:
    - responsive to receiving, via the generalized API, a request to search content of the file or metadata associated with the file;
      
      determining, by the cloud storage gateway device, whether the search request is authorized based on the access rights defined by the file storage policy assigned to a user of the plurality of users with which the search request is associated; and
      
      when the search request is authorized, causing, by the cloud storage gateway device, the one or more third-party cloud storage platforms to apply the search request to the searchable encrypted data and returning results of the search request to a source of the search request.
  - 3. The method of claim 1, further comprising:
    - responsive to receiving, via the generalized API, a request to access the file;
      
      determining, by the cloud storage gateway device, whether the access request is authorized based on the access rights defined by the file storage policy assigned to a user of the plurality of users with which the access request is associated; and
      
      when the access request is authorized, gathering the content of the file, by the cloud storage gateway device, by downloading a subset of the distributed searchable encrypted data from each of the one or more third-party cloud storage platforms and decrypting the searchable encrypted data; and
      
      returning the file to a source of the access request.

4. A method comprising:
- assigning to one or more users, by a gateway device, a policy for managing access to and processing a file to be stored on one or more cloud platforms, wherein the policy defines access rights of the one or more users;
  
  encrypting, by the gateway device, using cryptographic key information defined by the policy, content of the file to produce a searchable encrypted file;
  
  storing, by the gateway device, the searchable encrypted file on the one or more cloud platforms based on the policy; and
  
  managing access to the searchable encrypted file by the one or more users based on the policy.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 5. The method of claim 4, wherein the step of managing comprises allowing the one or more users to download the searchable encrypted file to a local device.
  - 6. The method of claim 5, wherein the local device comprises a mobile computing device.
  - 7. The method of claim 5, wherein the downloaded encrypted file is searchable by the one or more users using the cryptographic key information.
  - 8. The method of claim 4, wherein the step of encrypting further comprises:
    - dividing the file into a plurality of chunks;
      
      creating namespaces for one or more of the plurality of chunks; and
      
      configuring the namespaces of the one or more chunks such that content of the file is encrypted in a manner that makes it searchable.
  - 9. The method of claim 8, wherein a set of chunks from the plurality of chunks is searchable.
  - 10. The method of claim 8, wherein the step of configuring the namespaces comprises storing content of the file as filenames.
  - 11. The method of claim 4, wherein the step of encrypting further comprises the step of randomly creating empty files.
  - 12. The method of claim 4, wherein the step of encrypting the file is carried out independent of the service provider of the one or more cloud platforms.
  - 13. The method of claim 4, wherein the policy is implemented for a group of users.
  - 14. The method of claim 4, wherein the policy defines the manner in which the file is stored, accessed, and processed.
  - 15. The method of claim 4, wherein the file is stored across two or more cloud platforms.
  - 16. The method of claim 4, wherein said storing the searchable encrypted file on the one or more cloud platforms is carried out independent of the service provider of the one or more cloud platforms.
  - 17. The method of claim 4, wherein the policy is selected from a plurality of policies stored in a database, wherein the database is operatively coupled with the gateway device.
  - 18. The method of claim 4, wherein the policy defines one or more of a set of encryption keys, a set of decryption keys, search indices, a type of encryption and one or more authorized locations to which the file may be stored.
  - 19. The method of claim 4, wherein said encrypting further comprises encrypting one or more of filename and search indices.

20. A secure cloud storage system comprising:
- one or more processors;
  
  a communication interface mechanism;
  
  one or more internal data storage devices operatively coupled to the one or more processors and storing;
  
  a policy assignment module configured to implement a policy selected from a group of policies for a user, wherein the policy defines and manages access to and processing of a file to be uploaded on a cloud, wherein the policy defines access rights of the user;
  
  an encryption module configured to, using cryptographic key information defined by the policy, produce a searchable encrypted file by encrypting content of the file to be stored across one or more cloud platforms;
  
  a storage module configured to store the searchable encrypted file on the one or more cloud platforms based on the policy; and
  
  a management module configured to manage and control access to the searchable encrypted file by the user based on the policy.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 21. The system of claim 20, wherein the management module is further configured to allow the user to download the searchable encrypted file to a local device.
  - 22. The system of claim 21, wherein the downloaded encrypted file is searchable by the user using the cryptographic key information defined by the policy.
  - 23. The system of claim 20, wherein the encryption module is further configured to:
    - divide the file into a plurality of chunks;
      
      create namespaces for one or more of the plurality of chunks; and
      
      configure the namespaces of the one or more chunks such that content of the file is encrypted in a manner that makes it searchable.
  - 24. The system of claim 23, wherein a set of chunks from the plurality of chunks is searchable.
  - 25. The system of claim 23, wherein the encryption module is further configured to randomly create empty files.
  - 26. The system of claim 20, wherein one or more of the policy assignment module, the encryption module, the storage module, and the management module are implemented on different devices, wherein the devices are selected from one or more of access management devices, proxy devices, gateway devices, and network controllers.
  - 27. The system of claim 20, further comprising a mediation module configured to make implementation of one or more of the policy assignment module, the encryption module, the storage module, and the policy management module independent of the service provider of the one or more cloud platforms.
  - 28. The system of claim 20, wherein the policy is implemented for a group of users.
  - 29. The system of claim 20, wherein the policy defines the manner in which the file is stored and processed.
  - 30. The system of claim 20, wherein the file is stored across two or more cloud storage platforms.
  - 31. The system of claim 20, wherein the group of policies are stored in a database operatively coupled with the system.
  - 32. The system of claim 20, wherein the policy defines and manages one or more of encryption keys, decryption keys, search indices, type of encryption, and location of the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Redberg, David A.

Granted Patent

US 9,280,678 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/148   File search processing

G06F 16/164   File meta data generation

G06F 16/182   Distributed file systems

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/6272   by registering files or doc...

H04L 63/02   for separating internal fro...

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 9/0631   Substitution permutation ne...

H05K 999/99   dummy group

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

260 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

260 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others