Systems and methods for validated secure data access

US 9,053,329 B2
Filed: 05/23/2013
Issued: 06/09/2015
Est. Priority Date: 05/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method for securing access to shared data stored in a storage system, the method comprising:

by a storage management system;

establishing a trust relationship with a series of trusted third-party endorsers;

receiving from an entity a request to access to the shared data;

reading access requirements associated with the requested shared data from the storage system;

sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements;

receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and

determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge,wherein the multiple access criteria include associated weights, and further comprising;

determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and

transmitting the stored data only when the determined score is higher than or equal to a specified threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and techniques for securing access to stored data are provided. Example embodiments provide a Storage Management System (“SMS”) that is configured to facilitate protected information sharing. The SMS may restrict access to shared information based on one or more criteria that validate an entity'"'"'s right to access the information. For example, the SMS may restrict access to entities that are located in a particular geographic region, that are using a particular type of hardware or software, that hold particular credentials, or the like. In some cases, the SMS may require that an entity'"'"'s claim to meet on or more required criteria be validated by a trusted third party.

15 Citations

View as Search Results

22 Claims

1. A method for securing access to shared data stored in a storage system, the method comprising:
- by a storage management system;
  
  establishing a trust relationship with a series of trusted third-party endorsers;
  
  receiving from an entity a request to access to the shared data;
  
  reading access requirements associated with the requested shared data from the storage system;
  
  sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements;
  
  receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and
  
  determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge,wherein the multiple access criteria include associated weights, and further comprising;
  
  determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and
  
  transmitting the stored data only when the determined score is higher than or equal to a specified threshold.
- View Dependent Claims (2, 3, 5, 6, 12, 16, 17, 18)
- - 2. The method of claim 1, wherein the stored data is stored on a cloud-based storage system.
  - 3. The method of claim 1, wherein the stored data is stored on a non-cloud-based storage system, wherein access to the storage system is limited to users associated with a single organizational entity.
  - 5. The method of claim 1, further comprising:
    - receiving the endorsement from the trusted third party, the endorsement verifying that the data item satisfies the corresponding criterion.
  - 6. The method of claim 1, further comprising:
    - receiving an indication from the trusted third party that the data item does not satisfy the corresponding criterion.
  - 12. The method of claim 1, wherein the receiving from the first entity multiple access criteria includes:
    - receiving an access criterion that requires an entity to authenticate themselves using a password, symmetric key, X.509 certificate, and/or a one-time password provided by a hardware or software token generator.
  - 16. The method of claim 1, wherein the transmitting the stored data to the second entity only when the data item corresponding to at least one of the multiple access criteria is validated includes transmitting the stored data only when the trusted third party verifies that the second entity is accessing the stored data from a computer associated with an organization that is certified as complying with one or more of a security standard, a privacy regulation, or a quality standard.
  - 17. The method of claim 1, wherein the trusted third party is at least one of a voice/data service provider configured to verify a location of a mobile device used by the second entity.
  - 18. The method of claim 1, further comprising:
    - establishing a trusted relationship with the trusted third party by sharing a secret with the trusted third party;
      
      receiving from the second entity an indication that one of the data items has been endorsed by the trusted third party, the indication including a digital signature generated by the trusted third party using the shared secret; and
      
      validating the digital signature generated by the trusted third party.

4. A method for securing access to shared data stored in a storage system, the method comprising:
- by a storage management system;
  
  establishing a trust relationship with a series of trusted third-party endorsers;
  
  receiving from an entity a request to access to the shared data;
  
  reading access requirements associated with the requested shared data from the storage system;
  
  sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements;
  
  receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and
  
  determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge,wherein the stored data includes information protected by a government directive or regulation,wherein the multiple access criteria include associated weights, and further comprising;
  
  determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and
  
  transmitting the stored data only when the determined score is higher than or equal to a specified threshold.

7. A non-transitory computer-readable medium including contents that are configured, when executed, to cause a computing system to perform a method for securing access to stored data, the method comprising:
- by a storage management system;
  
  establishing a trust relationship with a series of trusted third-party endorsers;
  
  receiving from an entity a request to access to the shared data;
  
  reading access requirements associated with the requested shared data from the storage system;
  
  sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements;
  
  receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and
  
  determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge,wherein the multiple access criteria include associated weights, and wherein the method further comprises;
  
  determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and
  
  transmitting the stored data only when the determined score is higher than or equal to a specified threshold.

8. A method for securing access to shared data stored in a storage system, the method comprising:
- by a storage management system;
  
  establishing a trust relationship with a series of trusted third-party endorsers;
  
  receiving from an entity a request to access to the shared data;
  
  reading access requirements associated with the requested shared data from the storage system;
  
  sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements;
  
  receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and
  
  determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge,wherein the receiving from the first entity multiple access criteria includes;
  
  receiving an access criterion that requires an entity to be or reside at a specified location,wherein the multiple access criteria include associated weights, and further comprising;
  
  determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and
  
  transmitting the stored data only when the determined score is higher than or equal to a specified threshold.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, wherein the location includes at least one of:
    - a city, a state, a country, a GPS location, and/or a region specified by a GPS location and a radius.
  - 10. The method of claim 8, wherein the transmitting the stored data to the second entity only when the data item corresponding to at least one of the multiple access criteria is validated includes transmitting the stored data only when the trusted third party verifies that the second entity is at the specified location.
  - 11. The method of claim 8, wherein the transmitting the stored data to the second entity only when the data item corresponding to at least one of the multiple access criteria is validated includes transmitting the stored data only when the trusted third party verifies that the second entity is accessing the stored data from a mobile device that is at rest or is moving slower than a predefined safe rate.

13. A method for securing access to shared data stored in a storage system, the method comprising:
- by a storage management system;
  
  establishing a trust relationship with a series of trusted third-party endorsers;
  
  receiving from an entity a request to access to the shared data;
  
  reading access requirements associated with the requested shared data from the storage system;
  
  sending to the entity a challenge with the access requirements and a list of established trusted third-party endorsers, thereby causing the entity to request an endorsement from at least one of the established trusted third party endorsers based on the challenge, wherein the request comprises entity specific data based on the access requirements;
  
  receiving from the entity the entity specific data and a digitally signed endorsed claim provided to the entity by the at least one of the established trusted third party endorsers; and
  
  determining access to the shared data by validating the digitally signed endorsed claim provided by the entity in response to the challenge,wherein the receiving from the first entity multiple access criteria includes;
  
  receiving an access criterion that requires an entity to be accessing the stored data from a computer having specified system properties,wherein the multiple access criteria include associated weights, and further comprising;
  
  determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and
  
  transmitting the stored data only when the determined score is higher than or equal to a specified threshold.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the system properties include at least one of:
    - a network identifier, presence of a specified security software module/configuration, presence of a specified non-pirated software module, presence of a specified security patch, connection to a specified private network, and/or presence of a specified version of a software module or operating system.
  - 15. The method of claim 13, wherein the transmitting the stored data to the second entity only when the data item corresponding to at least one of the multiple access criteria is validated includes transmitting the stored data only when the trusted third party verifies that the second entity is accessing the stored data from a computer having the specified system properties.

19. A system for securing access to stored data, the system comprising:
- a processor;
  
  a memory; and
  
  a module that is stored in the memory and that is configured, when executed by the processor, to perform a method comprising;
  
  receiving from a first entity an indication of stored data to be shared;
  
  receiving from the first entity multiple access criteria for validating an access to the stored data;
  
  receiving from a second entity a request to access the stored data;
  
  receiving from the second entity data items corresponding to each of the multiple access criteria; and
  
  transmitting the stored data to the second entity only when the data item corresponding to at least one of the multiple access criteria is validated based on an endorsement received from a trusted third party,wherein the trusted third party is a social networking service configured to verify identity information, location, and/or residence claims made by the second entity,wherein the receiving from the first entity multiple access criteria includes;
  
  receiving an access criterion that requires an entity to be accessing the stored data from a computer having specified system properties,wherein the multiple access criteria include associated weights, and wherein the method further comprises;
  
  determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and
  
  transmitting the stored data only when the determined score is higher than or equal to a specified threshold.
- View Dependent Claims (21, 22)
- - 21. The system of claim 19, wherein the stored data is stored on a cloud-based storage system.
  - 22. The system of claim 19, wherein the method further comprises:
    - receiving the endorsement from the trusted third party, the endorsement verifying that the data item satisfies the corresponding criterion.

20. A non-transitory computer-readable medium including contents that are configured, when executed, to cause a computing system to perform a method for securing access to stored data, the method comprising:
- receiving from a first entity an indication of stored data to be shared;
  
  receiving from the first entity multiple access criteria for validating an access to the stored data;
  
  receiving from a second entity a request to access the stored data;
  
  receiving from the second entity data items corresponding to each of the multiple access criteria; and
  
  transmitting the stored data to the second entity only when the data item corresponding to at least one of the multiple access criteria is validated based on an endorsement received from a trusted third party, wherein the trusted third party is a government agency configured to verify identity information and/or residence claims made by the second entity,wherein the receiving from the first entity multiple access criteria includes;
  
  receiving an access criterion that requires an entity to be accessing the stored data from a computer having specified system properties,wherein the multiple access criteria include associated weights, and wherein the method further comprises;
  
  determining a score based on an aggregation of the weights applied to indications of whether each of the multiple access criteria have been met by the entity, wherein a first one of the multiple access criteria requires the entity to make an attestation regarding compliance with a local storage requirement, the first multiple access criteria not requiring an endorsement from the trusted third party, wherein a second one of the multiple access criteria requires an endorsement from the trusted third party; and
  
  transmitting the stored data only when the determined score is higher than or equal to a specified threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
LockBox LLC
Original Assignee
LockBox LLC
Inventors
Lam, Kevin
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US13/901,401
Publication Number

US 20130318630A1
Time in Patent Office

747 Days
Field of Search

726/18, 726/28
US Class Current

1/1
CPC Class Codes

G06F 16/1824   implemented using Network-a...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2115   Third party

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/72   Signcrypting, i.e. digital ...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 67/1097   for distributed storage of ...

H04L 9/3249   using RSA or related signat...

Systems and methods for validated secure data access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for validated secure data access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links