Securing information within a cloud computing environment

US 8,826,001 B2
Filed: 04/27/2010
Issued: 09/02/2014
Est. Priority Date: 04/27/2010
Status: Active Grant

First Claim

Patent Images

1. A method for securing information within a Cloud computing environment, comprising:

making, using at least one first computing device, a first determination whether a uniform resource locator of a first communication originating from a first endpoint matches a destination comprising a Cloud storage system;

if the first determination is no match, evaluating, using the at least one first computing device, whether additional information is requested;

if the first determination is a match, redirecting, using the at least one first computing device, to a central encryption service, the communication having the destination of the Cloud storage system, the first communication containing first information to be secured from the first endpoint at the central encryption service;

receiving, using the at least one first computing device, the first communication at the central encryption service;

encrypting, using the at least one first computing device, the first information at the central encryption service;

communicating, using the at least one first computing device, the encrypted first information to the Cloud storage system from the central encryption service;

storing, using the at least one first computing device, the encrypted first information in the Cloud storage system;

making, using at least second computing device, a second determination whether a uniform resource locator of a second communication matches the destination comprising the Cloud storage system;

if the second determination is no match, evaluating, using the at least second computing device, whether additional information is requested;

if the second determination is a match, redirecting, using the at least one second computing device, to the central encryption service, the second communication having the destination of the Cloud storage system, the second communication containing first information to be secured from a second endpoint at the central encryption service;

receiving, using the at least one second computing device, the second communication at the central encryption service;

encrypting, using the at least one second computing device, the second information at the central encryption service;

communicating, using the at least one second computing device, the encrypted second information to the Cloud storage system from the central encryption service; and

storing, using the at least one second computing device, the encrypted second information in the Cloud storage system;

wherein the central encryption service operates on a system at a remote location from the first endpoint and the second endpoint; and

wherein the central encryption service, the first endpoint, and the second endpoint belong to the same enterprise.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a solution for securing information within a Cloud computing environment. Specifically, an encryption service/gateway is provided to handle encryption/decryption of information for all users in the Cloud computing environment. Typically, the encryption service is implemented between Cloud portals and a storage Cloud. Through the use of a browser/portal plug-in (or the like), the configuration and processing of the security process is managed for the Cloud computing environment user by pointing all traffic for which security is desired to this encryption service so that it can perform encryption (or decryption in the case of document retrieval) as needed (e.g., on the fly) between the user and the Cloud.

28 Citations

View as Search Results

32 Claims

1. A method for securing information within a Cloud computing environment, comprising:
- making, using at least one first computing device, a first determination whether a uniform resource locator of a first communication originating from a first endpoint matches a destination comprising a Cloud storage system;
  
  if the first determination is no match, evaluating, using the at least one first computing device, whether additional information is requested;
  
  if the first determination is a match, redirecting, using the at least one first computing device, to a central encryption service, the communication having the destination of the Cloud storage system, the first communication containing first information to be secured from the first endpoint at the central encryption service;
  
  receiving, using the at least one first computing device, the first communication at the central encryption service;
  
  encrypting, using the at least one first computing device, the first information at the central encryption service;
  
  communicating, using the at least one first computing device, the encrypted first information to the Cloud storage system from the central encryption service;
  
  storing, using the at least one first computing device, the encrypted first information in the Cloud storage system;
  
  making, using at least second computing device, a second determination whether a uniform resource locator of a second communication matches the destination comprising the Cloud storage system;
  
  if the second determination is no match, evaluating, using the at least second computing device, whether additional information is requested;
  
  if the second determination is a match, redirecting, using the at least one second computing device, to the central encryption service, the second communication having the destination of the Cloud storage system, the second communication containing first information to be secured from a second endpoint at the central encryption service;
  
  receiving, using the at least one second computing device, the second communication at the central encryption service;
  
  encrypting, using the at least one second computing device, the second information at the central encryption service;
  
  communicating, using the at least one second computing device, the encrypted second information to the Cloud storage system from the central encryption service; and
  
  storing, using the at least one second computing device, the encrypted second information in the Cloud storage system;
  
  wherein the central encryption service operates on a system at a remote location from the first endpoint and the second endpoint; and
  
  wherein the central encryption service, the first endpoint, and the second endpoint belong to the same enterprise.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, the information comprising an electronic document.
  - 3. The method of claim 1, the first endpoint being a browser.
  - 4. The method of claim 1, the first endpoint, the second endpoint, the central encryption service, and the Cloud storage system comprising at least four distinct systems, the central encryption service being implemented by a trusted third party entity.
  - 5. The method of claim 1, further comprising:
    - receiving, using the at least one first computing device, a request for the information from the first endpoint on the central encryption service;
      
      receiving, using the at least one first computing device, the first information from the Cloud storage system on the central encryption service;
      
      decrypting, using the at least one first computing device, the first information on the central encryption service; and
      
      communicating, using the at least one first computing device, the decrypted first information to the first endpoint in fulfillment of the request.
  - 6. The method of claim 5, further comprising receiving, using the at least one first computing device, a first set of encryption keys, the encrypting comprising encrypting the first information at the central encryption service using the first set of encryption keys, and the decrypting comprising decrypting the first information at the central encryption service using the first set of encryption keys.

7. A system for securing information within a Cloud computing environment, comprising:
- a memory medium comprising instructions;
  
  a bus coupled to the memory medium; and
  
  a processor coupled to the bus that when executing the instructions causes the system to;
  
  make a determination whether an internet protocol address of a first communication originating from a first endpoint matches a destination comprising a Cloud storage system;
  
  if the first determination is no match, evaluate whether additional information is requested;
  
  if the first determination is a match, redirect, to a central encryption service, the first communication having the destination of the Cloud storage system, the first communication containing information to be secured from the first endpoint at the central encryption service;
  
  receive the first communication at the central encryption service;
  
  encrypt the first information at the central encryption service;
  
  communicate the encrypted first information to the Cloud storage system from the central encryption service;
  
  store the encrypted first information in the Cloud storage system;
  
  make, a second determination whether a uniform resource locator of a second communication matches the destination comprising the Cloud storage system;
  
  if the second determination is no match, evaluate whether additional information is requested;
  
  if the second determination is a match, redirect to the central encryption service, the second communication having the destination of the Cloud storage system, the second communication containing first information to be secured from a second endpoint at the central encryption service;
  
  receive the second communication at the central encryption service;
  
  encrypt the second information at the central encryption service;
  
  communicate the encrypted second information to the Cloud storage system from the central encryption service; and
  
  store the encrypted second information in the Cloud storage system;
  
  wherein the central encryption service operates on a system at a remote location from the first endpoint and the second endpoint; and
  
  wherein the central encryption service, the first endpoint, and the second endpoint belong to the same enterprise.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, the information comprising an electronic document.
  - 9. The system of claim 7, the first endpoint being a browser.
  - 10. The system of claim 7, the first endpoint, the second endpoint, and the central encryption service, and the Cloud storage system comprising at least four distinct systems.
  - 11. The system of claim 7, the system further being caused to:
    - receive a request for the first information from the first endpoint on the central encryption service;
      
      receive the first information from the Cloud storage system on the central encryption service;
      
      decrypt the first information on the central encryption service; and
      
      communicate the decrypted first information to the first endpoint in fulfillment of the request.
  - 12. The system of claim 11, the system further being caused to receive a first set of encryption keys, the system further being caused to encrypt the first information at the central encryption service using the first set of encryption keys, and decrypt the first information at the central encryption service using the first set of encryption keys.

13. A non-transitory computer readable storage medium containing a program product for securing information within a Cloud computing environment, the non-transitory computer readable storage medium comprising program code for causing a computer to:
- make a first determination whether a uniform resource locator of a first communication originating from a first endpoint matches a destination comprising a Cloud storage system;
  
  if the first determination is no match, evaluate whether additional information is requested;
  
  if the first determination is a match, redirect, to a central encryption service, the first communication having the destination of the Cloud storage system, the first communication containing first information to be secured from the first endpoint at the central encryption service;
  
  receive the first communication at the central encryption service;
  
  encrypt the first information at the central encryption service;
  
  communicate the encrypted first information to the Cloud storage system from the central encryption service;
  
  store the encrypted first information in the Cloud storage system;
  
  make, a second determination whether a uniform resource locator of a second communication matches the destination comprising the Cloud storage system;
  
  if the second determination is no match, evaluate whether additional information is requested;
  
  if the second determination is a match, redirect to the central encryption service, the second communication having the destination of the Cloud storage system, the second communication containing second information to be secured from a second endpoint at the central encryption service;
  
  receive the second communication at the central encryption service;
  
  encrypt the second information at the central encryption service;
  
  communicate the encrypted second information to the Cloud storage system from the central encryption service;
  
  store the encrypted second information in the Cloud storage system; and
  
  wherein the central encryption service operates on a system at a remote location from the first endpoint and the second endpoint; and
  
  wherein the central encryption service, the first endpoint, and the second endpoint belong to the same enterprise.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer readable storage medium containing the program product of claim 13, the information comprising an electronic document.
  - 15. The non-transitory computer readable storage medium containing the program product of claim 13, the first endpoint being a browser.
  - 16. The non-transitory computer readable storage medium containing the program product of claim 13, the first endpoint, the second endpoint, the central encryption service, and the Cloud storage system comprising at least four distinct systems.
  - 17. The non-transitory computer readable storage medium containing the program product of claim 13, the computer readable medium further comprising program code for causing the computer to:
    - receive a request for the first information from the first endpoint on the central encryption service;
      
      receive the first information from the Cloud storage system on the central encryption service;
      
      decrypt the first information on the central encryption service; and
      
      communicate the decrypted first information to the first endpoint in fulfillment of the request.
  - 18. The non-transitory computer readable storage medium containing the program product of claim 17, the system further being caused to receive a first set of encryption keys, the system further being caused to encrypt the first information at the central encryption service using the first set of encryption keys, and decrypt the first information at the central encryption service using the first set of encryption keys.

19. A method for deploying an application for securing information within a Cloud computing environment, comprising:
- providing a computer infrastructure being operable to;
  
  make a first determination whether an internet protocol address of a first communication originating from a first endpoint matches a destination comprising a Cloud storage system;
  
  if the first determination is no match, evaluate whether additional information is requested;
  
  if the first determination is a match, redirect, to a central encryption service, the first communication having the destination of the Cloud storage system, the first communication containing first information to be secured from the first endpoint at the central encryption service;
  
  receive the first communication at the central encryption service;
  
  encrypt the first information at the central encryption service;
  
  communicate the encrypted first information to the Cloud storage system from the central encryption service;
  
  store the encrypted first information in the Cloud storage system;
  
  make, a second determination whether a uniform resource locator of a second communication matches the destination comprising the Cloud storage system;
  
  if the second determination is no match, evaluate whether additional information is requested;
  
  if the second determination is a match, redirect to the central encryption service, the second communication having the destination of the Cloud storage system, the second communication containing second information to be secured, from the second endpoint, at the central encryption service;
  
  receive the second communication at the central encryption service;
  
  encrypt the second information at the central encryption service;
  
  communicate the encrypted second information to the Cloud storage system from the central encryption service;
  
  store the encrypted second information in the Cloud storage system;
  
  wherein the computer infrastructure comprises at least one computer; and
  
  wherein the central encryption service operates on a system at a remote location from the first endpoint and the second endpoint; and
  
  wherein the central encryption service, the first endpoint, and the second endpoint belong to the same enterprise.

20. A method for securing information within a Cloud computing environment, comprising:
- making, using at least one first computing device, a first determination whether a uniform resource locator of a first communication originating from a first endpoint matches a destination comprising the Cloud storage system;
  
  if the first determination is no match, evaluating, using the at least one first computing device, whether additional information is requested;
  
  if the first determination is a match, redirecting, using the at least one first computing device, to a central encryption service, the first communication having the destination of the Cloud storage system, the first communication containing information to be secured from the first endpoint at the central encryption service;
  
  receiving, using the at least one first computing device, the first communication at the central encryption service;
  
  encrypting, using the at least one first computing device, the first information at the central encryption service using a first set of previously received encryption keys;
  
  communicating, using the at least one first computing device, the encrypted first information to the first endpoint from the central encryption service;
  
  communicating, using the at least one first computing device, the encrypted first information from the first endpoint to the Cloud storage system for storage;
  
  storing, using the at least one first computing device, the encrypted first information in the Cloud storage system;
  
  making, using at least one second computing device, a second determination whether a uniform resource locator of a second communication, originating from a second endpoint, matches the destination comprising the Cloud storage system;
  
  if the second determination is no match, evaluating, using the at least one second computing device, whether additional information is requested;
  
  if the second determination is a match, redirecting, using the at least one second computing device, to the central encryption service, the second communication having the destination of the Cloud storage system, the second communication containing second information to be secured, from the second endpoint, at the central encryption service;
  
  receiving, using the at least one second computing device, the second communication at the central encryption service;
  
  encrypting, using the at least one second computing device, the second information at the central encryption service using a second set of previously received encryption keys;
  
  communicating, using the at least one second computing device, the encrypted second information to the second endpoint from the central encryption service;
  
  communicating, using the at least one second computing device, the encrypted second information from the second endpoint to the Cloud storage system for storage; and
  
  storing, using the at least one second computing device, the encrypted second information in the Cloud storage system;
  
  wherein the central encryption service operates on a system at a remote location from the first endpoint and the second endpoint; and
  
  wherein the central encryption service, the first endpoint, and the second endpoint belong to the same enterprise.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, the information comprising an electronic document, and the first endpoint being a browser.
  - 22. The method of claim 20, the first endpoint, the second endpoint, the central encryption service, and the Cloud storage system comprising at least four distinct systems.
  - 23. The method of claim 20, further comprising:
    - receiving, using the at least one first computing device, the encrypted first information from the Cloud storage system at the first endpoint;
      
      communicating, using the at least one first computing device, the encrypted information to the central encryption service;
      
      decrypting, using the at least one first computing device, the information on the central encryption service using the first set of previously received encryption keys; and
      
      communicating, using the at least one first computing device, the decrypted first information to the first endpoint from the central encryption service.

24. A system for securing information within a Cloud computing environment, comprising:
- a memory medium comprising instructions;
  
  a bus coupled to the memory medium; and
  
  a processor coupled to the bus that when executing the instructions caused the system to;
  
  make a determination whether an internet protocol address of a communication originating from a first endpoint matches a destination comprising a Cloud storage system;
  
  if the determination is no match, evaluate whether additional information is requested;
  
  if the determination is a match, redirect, to a central encryption service, the first communication having the destination of the Cloud storage system, the first communication containing first information to be secured from the first endpoint at the central encryption service;
  
  receive the first communication at the central encryption service;
  
  encrypt the first information at the central encryption service;
  
  communicate the encrypted first information to the first endpoint from the central encryption service;
  
  communicate the encrypted first information from the first endpoint to the Cloud storage system for storage;
  
  store the encrypted first information in the Cloud storage system;
  
  make a second determination whether a uniform resource locator of a second communication, originating from a second endpoint, matches the destination comprising the Cloud storage system;
  
  if the second determination is no match, evaluate whether additional information is requested;
  
  if the second determination is a match, redirect to the central encryption service, the second communication having the destination of the Cloud storage system, the second communication containing second information to be secured, from the second endpoint, at the central encryption service;
  
  receive the second communication at the central encryption service;
  
  encrypt the second information at the central encryption service using a second set of previously received encryption keys;
  
  communicate the encrypted second information to the second endpoint from the central encryption service;
  
  communicate the encrypted second information from the second endpoint to the Cloud storage system for storage; and
  
  store the encrypted second information in the Cloud storage system;
  
  wherein the central encryption service operates on a system at a remote location from the first endpoint and the second endpoint;
  
  wherein the central encryption service, the first endpoint, and the second endpoint belong to the same enterprise.
- View Dependent Claims (25, 26, 27)
- - 25. The system of claim 24, the information comprising an electronic document, and the first endpoint being a browser.
  - 26. The system of claim 24, the first endpoint, the second endpoint, the central encryption service, and the Cloud storage system comprising at least four distinct systems.
  - 27. The system of claim 24, the system further being caused to:
    - receive the encrypted first information from the Cloud storage system at the first endpoint;
      
      communicate the encrypted first information to the central encryption service;
      
      decrypt the first information on the central encryption service; and
      
      communicate the decrypted first information to the first endpoint from the central encryption service.

28. A non-transitory computer readable storage medium containing a program product for securing information within a Cloud computing environment, the computer readable storage medium comprising program code for causing a computer to:
- make a determination whether a uniform resource locator of a communication originating from a first endpoint matches a destination comprising a Cloud storage system;
  
  if the determination is no match, evaluate whether additional information is requested;
  
  if the determination is a match, redirect, to a central encryption service, the first communication having the destination of the Cloud storage system, the first communication containing first information to be secured from the first endpoint at the central encryption service;
  
  receive the first communication at the central encryption service;
  
  encrypt the first information at the central encryption service;
  
  communicate the encrypted first information to the first endpoint from the central encryption service;
  
  communicate the encrypted first information from the first endpoint to the Cloud storage system for storage;
  
  storing the encrypted first information in the Cloud storage system;
  
  make a second determination whether a uniform resource locator of a second communication, originating from a second endpoint, matches the destination comprising the Cloud storage system;
  
  if the second determination is no match, evaluate whether additional information is requested;
  
  if the second determination is a match, redirect to the central encryption service, the second communication having the destination of the Cloud storage system, the second communication containing information to be secured, from the second endpoint, at the central encryption service;
  
  receive the second communication at the central encryption service;
  
  encrypt the second information at the central encryption service using a second set of previously received encryption keys;
  
  communicate the encrypted second information to the second endpoint from the central encryption service;
  
  communicate the encrypted second information from the second endpoint to the Cloud storage system for storage;
  
  store the encrypted second information in the Cloud storage system;
  
  wherein the central encryption service operates on a system at a remote location from the first endpoint and the second endpoint; and
  
  wherein the central encryption service, the first endpoint, and the second endpoint belong to the same enterprise.
- View Dependent Claims (29, 30, 31)
- - 29. The non-transitory computer readable storage medium containing a program product of claim 28, the first information comprising an electronic document, and the first endpoint being a browser.
  - 30. The non-transitory computer readable storage medium containing a program product of claim 28, the first endpoint, the second endpoint, the central encryption service, and the Cloud storage system comprising at least four distinct systems.
  - 31. The non-transitory computer readable storage medium containing a program product of claim 28, the computer readable storage medium further comprising program code for causing the computer to:
    - receive the encrypted first information from the Cloud storage computer readable medium containing a program product at the endpoint;
      
      communicate the encrypted first information to the central encryption service;
      
      decrypt the first information on the central encryption service; and
      
      communicate the decrypted first information to the first endpoint from the central encryption service.

32. A method for deploying an application for securing information within a Cloud computing environment, comprising:
- providing a computer infrastructure being operable to;
  
  make a first determination whether an internet protocol address of a first communication originating from a first endpoint matches a destination comprising a Cloud storage system;
  
  if the first determination is no match, evaluate whether additional information is requested;
  
  if the first determination is a match, redirect, to a central encryption service, the first communication having the destination of the Cloud storage system, the first communication containing first information to be secured from the first endpoint at the central encryption service;
  
  receive the first communication at the central encryption service;
  
  encrypt the first information at the central encryption service;
  
  communicate the encrypted first information to the first endpoint from the central encryption service;
  
  communicate the encrypted first information from the first endpoint to the Cloud storage system for storage;
  
  store the encrypted first information in the Cloud storage system;
  
  make a second determination whether a uniform resource locator of a second communication, originating from a second endpoint, matches the destination comprising the Cloud storage system;
  
  if the second determination is no match, evaluate whether additional information is requested;
  
  if the second determination is a match, redirect to the central encryption service, the second communication having the destination of the Cloud storage system, the second communication containing information to be secured from the second endpoint at the central encryption service;
  
  receive the second communication at the central encryption service;
  
  encrypt the second information at the central encryption service;
  
  communicate the encrypted second information to the second endpoint from the central encryption service;
  
  communicate the encrypted second information, from the second endpoint, to the Cloud storage system for storage; and
  
  store the encrypted second information in the Cloud storage system;
  
  wherein the computer infrastructure comprises at least one computer;
  
  wherein the central encryption service operates on a system at a remote location from the first endpoint and the second endpoint;
  
  wherein the central encryption service, the first endpoint, and the second endpoint belong to the same enterprise.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Betz, Linda N., Ho, Wesley J., Merrill, David P., Lingafelt, Charkes S.
Primary Examiner(s)
Schwartz, Darren B
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US12/768,106
Publication Number

US 20110264907A1
Time in Patent Office

1,589 Days
Field of Search

713/153, 713/160, 713/162, 705/51
US Class Current

713/153
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 67/10   in which an application is ...

Securing information within a cloud computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Securing information within a cloud computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links