GEOFENCING OF DATA IN A CLOUD-BASED ENVIRONMENT

US 20180124066A1
Filed: 12/28/2017
Published: 05/03/2018
Est. Priority Date: 11/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method for managing access to data, the method comprising:

configuring a geographic region for a data item, wherein the geographic region identifies a geographic location for which access is denied for the data item, and the data item is encrypted in association with location information that corresponds to the geographic region;

receiving a request to access the data item;

identifying a location associated with the request to access the data item;

determining whether to decrypt the data item based at least in part on the location associated with the request to access the data item, wherein the data item is decryptable if the location does not correspond to the geographic location for which access is denied for the data item; and

denying access to the data item if the location corresponds to the geographic location for which access is denied for the data item.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an approach to incorporate geographical access control features for a cloud-based storage platform. This allows, for example, enterprise administrators to define geographical areas (geofences) with arbitrary precision within which content access can be denied for items of data.

Citations

20 Claims

1. A method for managing access to data, the method comprising:
- configuring a geographic region for a data item, wherein the geographic region identifies a geographic location for which access is denied for the data item, and the data item is encrypted in association with location information that corresponds to the geographic region;
  
  receiving a request to access the data item;
  
  identifying a location associated with the request to access the data item;
  
  determining whether to decrypt the data item based at least in part on the location associated with the request to access the data item, wherein the data item is decryptable if the location does not correspond to the geographic location for which access is denied for the data item; and
  
  denying access to the data item if the location corresponds to the geographic location for which access is denied for the data item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the location associated with the request is identified using a GPS mechanism at a mobile device that sends the request.
  - 3. The method of claim 2, wherein the information pertaining to the location comprises a one-way hashed value of location data for the mobile device.
  - 4. The method of claim 1, wherein the geographic region is configured using a grid square that defines an area represented a coordinate having a fixed precision, where boundaries of the area are defined by incrementing or decrementing a digit of the coordinate.
  - 5. The method of claim 1, wherein the data item is encrypted with a key (DEK), and the DEK is encrypted using the location information to generate an encrypted key (EDEK).
  - 6. The method of claim 5, wherein the location information comprises a hash of a value corresponding to the geographic region.
  - 7. The method of claim 5, wherein the DEK can be decrypted only if the location information does not correspond to the location associated with the request to access the data item, where the data item is not decryptable unless the DEK can be decrypted, where the EDEK is encrypted to generate a double-encrypted key (KEDEK) that is stored in a cloud-based storage system with the data item.
  - 8. The method of claim 7, where a set of KEDEKs is stored that corresponds to a set of location units corresponding to the geographic region, where upon receipt of the request, a set of KEDEKs are processed to determine if any KEDEK corresponds to the location associated with the request, and where access is denied to the data item if the location associated with the request does correspond to at least one KEDEK.

9. A computer program product, embodied in a non-transitory computer readable medium, the non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a process, the process comprising:
- configuring a geographic region for a data item, wherein the geographic region identifies a geographic location for which access is denied for the data item, and the data item is encrypted in association with location information that corresponds to the geographic region;
  
  receiving a request to access the data item;
  
  identifying a location associated with the request to access the data item;
  
  determining whether to decrypt the data item based at least in part on the location associated with the request to access the data item, wherein the data item is decryptable if the location does not correspond to the geographic location for which access is denied for the data item; and
  
  denying access to the data item if the location corresponds to the geographic location for which access is denied for the data item.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9, wherein the location associated with the request is identified using a GPS mechanism at a mobile device that sends the request.
  - 11. The computer program product of claim 10, wherein the information pertaining to the location comprises a one-way hashed value of location data for the mobile device.
  - 12. The computer program product of claim 9, wherein the geographic region is configured using a grid square that defines an area represented a coordinate having a fixed precision, where boundaries of the area are defined by incrementing or decrementing a digit of the coordinate.
  - 13. The computer program product of claim 9, wherein the data item is encrypted with a key (DEK), and the DEK is encrypted using the location information to generate an encrypted key (EDEK).
  - 14. The computer program product of claim 13, wherein the location information comprises a hash of a value corresponding to the geographic region.
  - 15. The computer program product of claim 13, wherein the DEK can be decrypted only if the location information does not correspond to location associated with the request to access the data item, where the data item is not decryptable unless the DEK can be decrypted.
  - 16. The computer program product of claim 15, where the EDEK is encrypted to generate a double-encrypted key (KEDEK) that is stored in a cloud-based storage system with the data item.

19. A system for managing access to data, the system comprising:
- a processor;
  
  a memory comprising a computer program product, embodied in a non-transitory computer readable medium, the non-transitory computer readable medium having stored thereon a sequence of instructions which, when executed by the processor causes the processor to execute a process, the process comprising;
  
  configuring a geographic region for a data item, wherein the geographic region identifies a geographic location for which access is denied for the data item, and the data item is encrypted in association with location information that corresponds to the geographic region;
  
  receiving a request to access the data item;
  
  identifying a location associated with the request to access the data item;
  
  determining whether to decrypt the data item based at least in part on the location associated with the request to access the data item, wherein the data item is decryptable if the location does not correspond to the geographic location for which access is denied for the data item; and
  
  denying access to the data item if the location corresponds to the geographic location for which access is denied for the data item.
- View Dependent Claims (17, 18, 20)
- - 17. The computer program product of claim 20, where a set of KEDEKs is stored that corresponds to a set of location units corresponding to the geographic region.
  - 18. The computer program product of claim 20, where upon receipt of the request, a set of KEDEKs are processed to determine if any KEDEK corresponds to the location associated with the request, and where access is denied to the data item if the location associated with the request does correspond to at least one KEDEK.
  - 20. The system of claim 19, wherein the location associated with the request is identified using a GPS mechanism at a mobile device that sends the request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Box Incorporated
Original Assignee
Box Incorporated
Inventors
Minkovich, Kirill, ADDURI, Pranava

Granted Patent

US 10,454,944 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/107   wherein the security polici...

H04L 9/0872   using geo-location informat...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3297   involving time stamps, e.g....

H04W 12/086   using security domains

H04W 4/021   Services related to particu...

GEOFENCING OF DATA IN A CLOUD-BASED ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

GEOFENCING OF DATA IN A CLOUD-BASED ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links