Method and apparatus for migrating encrypted data
First Claim
1. A method for provisioning and sharing data among users of a data service, comprising:
receiving, by a processor, a provisioning request to provision a new business unit of an enterprise for access to a data service, wherein the new business unit comprises one or more of the users that belong to the enterprise, and the users that belong to the enterprise are previously assigned to one or more already existing business units, wherein the data service stores encrypted data owned by the enterprise, at least a portion of the encrypted data is accessible to the one or more of the users via the one or more already existing business units in one or more already existing data containers of the data service, and at least another portion of the encrypted data is to be associated with the new business unit in a new data container of the data service and to be accessible by the one or more of the users, wherein the new business unit and the new data container do not exist prior to the provisioning request, and the one or more of the users do not have access rights to the new data container prior to the provisioning request;
associating, by the processor, a security certificate with the new business unit based on the provisioning request;
determining, by the processor, the one or more of the users comprising the new business unit based on the provisioning request; and
in response to the provisioning request, automatically generating, by the processor, a policy for controlling access to the at least another portion of the encrypted data in the new data container by the one or more of the users of the new business unit based on the security certificate; and
associating, by the processor, one or more keys for accessing the at least another portion of the encrypted data with the new data container of the data service, the new business unit, a key manager associated with the data service, or a combination thereof based on the policy.
Abstract
An approach is provided for managing the provisioning and sharing of data among common users of a data service. A provisioning platform associates a security certificate with a business unit based on the submission of a provisioning request. Based on the security certificate, the provisioning platform generates a policy for establishing the identity of the business unit, for controlling access to data associated with the business unit as maintained by the data service, or a combination thereof. Based on that policy, the provisioning platform then associates one or more keys for accessing the data from the data service with a data container of the data service, the business unit, a key manager associated with the business unit, or a combination thereof.
20 Claims
Claim 1 is set out above under First Claim; claims 2 through 12 depend on claim 1.
13. An apparatus for provisioning and sharing data among users of a data service, comprising:
at least one processor; and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following, receive a provisioning request to provision a new business unit of an enterprise for access to a data service, wherein the new business unit comprises one or more of the users that belong to the enterprise, and the users that belong to the enterprise are previously assigned to one or more already existing business units, wherein the data service stores encrypted data owned by the enterprise, at least a portion of the encrypted data is accessible to the one or more of the users via the one or more already existing business units in one or more already existing data containers of the data service, and at least another portion of the encrypted data is to be associated with the new business unit in a new data container of the data service and to be accessible by the one or more of the users, wherein the new business unit and the new data container do not exist prior to the provisioning request, and the one or more of the users do not have access rights to the new data container prior to the provisioning request; associate a security certificate with the new business unit based on the provisioning request; determine the one or more of the users comprising the new business unit based on the provisioning request; and in response to the provisioning request, automatically generate a policy for controlling access to the at least another portion of the encrypted data in the new data container by the one or more of the users of the new business unit based on the security certificate; and
associate one or more keys for accessing the at least another portion of the encrypted data with the new data container of the data service, the new business unit, a key manager associated with the data service, or a combination thereof based on the policy.
Claims 14 through 19 depend on claim 13.
20. A non-transitory computer-readable storage medium for provisioning and sharing data among users of a data service, carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to perform:
receiving a provisioning request to provision a new business unit of an enterprise for access to a data service, wherein the new business unit comprises one or more of the users that belong to the enterprise, and the users that belong to the enterprise are previously assigned to one or more already existing business units, wherein the data service stores encrypted data owned by the enterprise, at least a portion of the encrypted data is accessible to the one or more of the users via the one or more already existing business units in one or more already existing data containers of the data service, and at least another portion of the encrypted data is to be associated with the new business unit in a new data container of the data service and to be accessible by the one or more of the users, wherein the new business unit and the new data container do not exist prior to the provisioning request, and the one or more of the users do not have access rights to the new data container prior to the provisioning request; associating a security certificate with the new business unit based on the provisioning request; determining the one or more of the users comprising the new business unit based on the provisioning request; and in response to the provisioning request, automatically generating a policy for controlling access to the at least another portion of the encrypted data in the new data container by the one or more of the users of the new business unit based on the security certificate; and
associating one or more keys for accessing the at least another portion of the encrypted data with the new data container of the data service, the new business unit, a key manager associated with the data service, or a combination thereof based on the policy.
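The independent claims describe one procedure: a provisioning request names a business unit and container that do not yet exist, a security certificate is bound to the new business unit, a policy is generated from the request and the certificate, and the container key is registered with a key manager under that policy. The following Python model is an added illustration of that flow and is not code from the patent or its assignee; every class, function, field name and sample value (the "finance" and "audit" units, the users "alice" and "bob", the certificate modelled as a subject plus a random public-key placeholder) is an assumption made for the example. It goes slightly beyond the claim text by also showing two checks a defender would want: a request for an already existing unit or container is refused, and a certificate with the right subject but the wrong key does not unlock the container.

```python
"""Model of certificate-bound provisioning of a new business unit (BU).
Added illustration, not the patent's code; all names and values are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Stand-in for an X.509 certificate: subject plus a public-key placeholder."""
    subject: str
    public_key: bytes

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.public_key).hexdigest()


@dataclass(frozen=True)
class Policy:
    """Access rule generated from a provisioning request."""
    business_unit: str
    container: str
    cert_fingerprint: str
    members: frozenset


class KeyManager:
    """One data key per container, released only when a policy bound to the
    presenting certificate lists the requesting user."""

    def __init__(self) -> None:
        self._keys = {}       # container -> data key
        self._policies = {}   # container -> [Policy, ...]

    def create_key(self, container: str) -> None:
        # Fresh 256-bit data key; a real deployment would keep it in a KMS/HSM.
        self._keys[container] = secrets.token_bytes(32)

    def attach_policy(self, policy: Policy) -> None:
        self._policies.setdefault(policy.container, []).append(policy)

    def release_key(self, user: str, container: str, cert: Certificate) -> bytes:
        for policy in self._policies.get(container, []):
            cert_ok = hmac.compare_digest(policy.cert_fingerprint, cert.fingerprint)
            if cert_ok and user in policy.members:
                return self._keys[container]
        raise PermissionError(f"{user!r} may not access {container!r}")


class DataService:
    def __init__(self) -> None:
        self.key_manager = KeyManager()
        self.business_units = {}   # BU name -> (Certificate, members)
        self.containers = {}       # container -> owning BU
        self.user_units = {}       # user -> set of BU names

    def register_business_unit(self, name, members, container) -> Certificate:
        """Bind a certificate, generate the policy and register the container key."""
        cert = Certificate(subject=name, public_key=secrets.token_bytes(32))
        members = frozenset(members)
        self.business_units[name] = (cert, members)
        self.containers[container] = name
        for user in members:
            self.user_units.setdefault(user, set()).add(name)
        self.key_manager.create_key(container)
        self.key_manager.attach_policy(Policy(name, container, cert.fingerprint, members))
        return cert

    def provision(self, request: dict) -> Certificate:
        """Handle a provisioning request for a new BU made of existing enterprise users."""
        name, container = request["business_unit"], request["container"]
        if name in self.business_units or container in self.containers:
            raise ValueError("new BU and new container must not already exist")
        unknown = set(request["members"]) - set(self.user_units)
        if unknown:
            raise ValueError(f"not enterprise users: {sorted(unknown)}")
        return self.register_business_unit(name, request["members"], container)

    def can_access(self, user: str, container: str) -> bool:
        owner = self.containers.get(container)
        if owner is None:
            return False
        cert, _ = self.business_units[owner]
        try:
            self.key_manager.release_key(user, container, cert)
            return True
        except PermissionError:
            return False


def demo() -> dict:
    """Constructed scenario: alice and bob already sit in 'finance'; a request
    then provisions 'audit' for alice only."""
    svc = DataService()
    svc.register_business_unit("finance", ["alice", "bob"], "finance-data")
    before = svc.can_access("alice", "audit-data")
    svc.provision({"business_unit": "audit", "members": ["alice"],
                   "container": "audit-data"})
    forged = Certificate("audit", secrets.token_bytes(32))  # right subject, wrong key
    try:
        svc.key_manager.release_key("alice", "audit-data", forged)
        forged_accepted = True
    except PermissionError:
        forged_accepted = False
    return {"alice_audit_before": before,
            "alice_audit_after": svc.can_access("alice", "audit-data"),
            "alice_finance_after": svc.can_access("alice", "finance-data"),
            "bob_audit_after": svc.can_access("bob", "audit-data"),
            "forged_cert_accepted": forged_accepted}


if __name__ == "__main__":
    print(demo())
```

The policy is keyed on the certificate fingerprint rather than on the business unit's name, so the key manager never releases a container key to a caller who merely knows the unit's identity; the request's member list is frozen into the policy at provisioning time, which is what makes "no access rights prior to the provisioning request" checkable in code.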