Systems and methods for validated secure data access
First Claim
1. A method for securing access to shared data stored in a storage system, the method comprising:
- by a storage management system;
establishing a trust relationship with a series of trusted third-party endorsers;
receiving from an entity a request to access to the shared data;
reading access requirements associated with the requested shared data from the storage system;
sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements;
receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and
determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge, wherein the multiple access criteria include associated weights, and further comprising;
determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and
transmitting the stored data only when the determined score is higher than or equal to a specified threshold.
Abstract
Methods, systems, and techniques for securing access to stored data are provided. Example embodiments provide a Storage Management System (“SMS”) that is configured to facilitate protected information sharing. The SMS may restrict access to shared information based on one or more criteria that validate an entity's right to access the information. For example, the SMS may restrict access to entities that are located in a particular geographic region, that are using a particular type of hardware or software, that hold particular credentials, or the like. In some cases, the SMS may require that an entity's claim to meet one or more required criteria be validated by a trusted third party.
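The challenge, endorsement and weighted-score decision described in the first claim and the abstract can be sketched as follows. This is an added example, not code from the patent: an HMAC with a per-endorser key stands in for the endorser's digital signature, binding the claim to a challenge nonce is an assumption, and the endorser names, keys, weights and threshold are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample policy: endorser names, keys, weights and threshold are assumptions.
TRUSTED_ENDORSERS = {"gov-registry": b"demo-key-gov", "idp-social": b"demo-key-idp"}
CRITERIA = [
    {"name": "local_storage_compliance", "weight": 30, "endorsed": False},
    {"name": "resides_in_region", "weight": 70, "endorsed": True},
]
THRESHOLD = 80  # with these weights, self-attestation alone can never reach it

def make_challenge():
    """SMS side: access requirements, trusted endorser list and a fresh nonce."""
    return {"nonce": secrets.token_hex(16),
            "criteria": [c["name"] for c in CRITERIA],
            "endorsers": sorted(TRUSTED_ENDORSERS)}

def _sign(key, endorser, criterion, value, nonce):
    # HMAC-SHA256 stands in for a real digital signature (assumption).
    msg = json.dumps([endorser, criterion, value, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def endorse(endorser, key, criterion, value, nonce):
    """Endorser side: sign the entity-specific data, bound to the challenge."""
    return {"endorser": endorser, "criterion": criterion, "value": value,
            "nonce": nonce, "sig": _sign(key, endorser, criterion, value, nonce)}

def claim_valid(claim, challenge, criterion):
    """SMS side: trusted endorser, right criterion, current nonce, good signature."""
    key = TRUSTED_ENDORSERS.get(claim.get("endorser"))
    if key is None or claim.get("criterion") != criterion:
        return False
    if claim.get("nonce") != challenge["nonce"] or claim.get("value") is not True:
        return False
    expected = _sign(key, claim["endorser"], criterion, True, claim["nonce"])
    return hmac.compare_digest(expected.encode(), str(claim.get("sig")).encode())

def decide(challenge, attestations, claims):
    """Sum the weights of the criteria that are met; release only at or above THRESHOLD."""
    score = 0
    for c in CRITERIA:
        if c["endorsed"]:
            met = any(claim_valid(cl, challenge, c["name"]) for cl in claims)
        else:
            met = attestations.get(c["name"]) is True
        score += c["weight"] if met else 0
    return score, score >= THRESHOLD
```

The choice of weights relative to the threshold decides whether an unendorsed self-attestation can ever be sufficient on its own; here it cannot, and a forged, replayed or untrusted endorsement contributes nothing to the score.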
22 Claims
1. A method for securing access to shared data stored in a storage system, the method comprising:
by a storage management system; establishing a trust relationship with a series of trusted third-party endorsers; receiving from an entity a request to access to the shared data; reading access requirements associated with the requested shared data from the storage system; sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements; receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge, wherein the multiple access criteria include associated weights, and further comprising; determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and transmitting the stored data only when the determined score is higher than or equal to a specified threshold. - View Dependent Claims (2, 3, 5, 6, 12, 16, 17, 18)
4. A method for securing access to shared data stored in a storage system, the method comprising:
by a storage management system; establishing a trust relationship with a series of trusted third-party endorsers; receiving from an entity a request to access to the shared data; reading access requirements associated with the requested shared data from the storage system; sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements; receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge, wherein the stored data includes information protected by a government directive or regulation, wherein the multiple access criteria include associated weights, and further comprising; determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and transmitting the stored data only when the determined score is higher than or equal to a specified threshold.
7. A non-transitory computer-readable medium including contents that are configured, when executed, to cause a computing system to perform a method for securing access to stored data, the method comprising:
by a storage management system; establishing a trust relationship with a series of trusted third-party endorsers; receiving from an entity a request to access to the shared data; reading access requirements associated with the requested shared data from the storage system; sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements; receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge, wherein the multiple access criteria include associated weights, and wherein the method further comprises; determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and transmitting the stored data only when the determined score is higher than or equal to a specified threshold.
8. A method for securing access to shared data stored in a storage system, the method comprising:
by a storage management system; establishing a trust relationship with a series of trusted third-party endorsers; receiving from an entity a request to access to the shared data; reading access requirements associated with the requested shared data from the storage system; sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements; receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge, wherein the receiving from the first entity multiple access criteria includes;
receiving an access criterion that requires an entity to be or reside at a specified location, wherein the multiple access criteria include associated weights, and further comprising; determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and transmitting the stored data only when the determined score is higher than or equal to a specified threshold. - View Dependent Claims (9, 10, 11)
13. A method for securing access to shared data stored in a storage system, the method comprising:
by a storage management system; establishing a trust relationship with a series of trusted third-party endorsers; receiving from an entity a request to access to the shared data; reading access requirements associated with the requested shared data from the storage system; sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements; receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge, wherein the receiving from the first entity multiple access criteria includes;
receiving an access criterion that requires an entity to be accessing the stored data from a computer having specified system properties, wherein the multiple access criteria include associated weights, and further comprising; determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and transmitting the stored data only when the determined score is higher than or equal to a specified threshold. - View Dependent Claims (14, 15)
19. A system for securing access to stored data, the system comprising:
a processor; a memory; and a module that is stored in the memory and that is configured, when executed by the processor, to perform a method comprising; receiving from a first entity an indication of stored data to be shared; receiving from the first entity multiple access criteria for validating an access to the stored data; receiving from a second entity a request to access the stored data; receiving from the second entity data items corresponding to each of the multiple access criteria; and transmitting the stored data to the second entity only when the data item corresponding to at least one of the multiple access criteria is validated based on an endorsement received from a trusted third party, wherein the trusted third party is a social networking service configured to verify identity information, location, and/or residence claims made by the second entity, wherein the receiving from the first entity multiple access criteria includes;
receiving an access criterion that requires an entity to be accessing the stored data from a computer having specified system properties, wherein the multiple access criteria include associated weights, and wherein the method further comprises; determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and transmitting the stored data only when the determined score is higher than or equal to a specified threshold. - View Dependent Claims (21, 22)
20. A non-transitory computer-readable medium including contents that are configured, when executed, to cause a computing system to perform a method for securing access to stored data, the method comprising:
receiving from a first entity an indication of stored data to be shared; receiving from the first entity multiple access criteria for validating an access to the stored data; receiving from a second entity a request to access the stored data; receiving from the second entity data items corresponding to each of the multiple access criteria; and transmitting the stored data to the second entity only when the data item corresponding to at least one of the multiple access criteria is validated based on an endorsement received from a trusted third party, wherein the trusted third party is a government agency configured to verify identity information and/or residence claims made by the second entity, wherein the receiving from the first entity multiple access criteria includes;
receiving an access criterion that requires an entity to be accessing the stored data from a computer having specified system properties, wherein the multiple access criteria include associated weights, and wherein the method further comprises; determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and transmitting the stored data only when the determined score is higher than or equal to a specified threshold.
Specification