Method and apparatus for migrating encrypted data

US 9,729,541 B2
Filed: 03/31/2015
Issued: 08/08/2017
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for provisioning and sharing data among users of a data service, comprising:

receiving, by a processor, a provisioning request to provision a new business unit of an enterprise for access to a data service, wherein the new business unit comprises one or more of the users that belong to the enterprise, and the users that belong to the enterprise are previously assigned to one or more already existing business units, wherein the data service stores encrypted data owned by the enterprise, at least a portion of the encrypted data is accessible to the one or more of the users via the one or more already existing business units in one or more already existing data containers of the data service, and at least another portion of the encrypted data is to be associated with the new business unit in a new data container of the data service and to be accessible by the one or more of the users, wherein the new business unit and the new data container do not exist prior to the provisioning request, and the one or more of the users do not have access rights to the new data container prior to the provisioning request;

associating, by the processor, a security certificate with the new business unit based on the provisioning request;

determining, by the processor, the one or more of the users comprising the new business unit based on the provisioning request; and

in response to the provisioning request, automatically generating, by the processor, a policy for controlling access to the at least another portion of the encrypted data in the new data container by the one or more of the users of the new business unit based on the security certificate; and

associating, by the processor, one or more keys for accessing the at least another portion of the encrypted data with the new data container of the data service, the new business unit, a key manager associated with the data service, or a combination thereof based on the policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for managing the provisioning and sharing of data among common users of a data service. A provisioning platform associates a security certificate with a business unit based on the submission of a provisioning request. The provisioning platform also associating one or more keys for accessing the data from the data service with a data container of the data service, the business unit, a key manager associated with the business unit, or a combination thereof based on the generation of a policy for establishing the identity of the business unit, for controlling access to data associated with the business unit as maintained by a data service, or a combination thereof based on the security certificate.

Citations

20 Claims

1. A method for provisioning and sharing data among users of a data service, comprising:
- receiving, by a processor, a provisioning request to provision a new business unit of an enterprise for access to a data service, wherein the new business unit comprises one or more of the users that belong to the enterprise, and the users that belong to the enterprise are previously assigned to one or more already existing business units, wherein the data service stores encrypted data owned by the enterprise, at least a portion of the encrypted data is accessible to the one or more of the users via the one or more already existing business units in one or more already existing data containers of the data service, and at least another portion of the encrypted data is to be associated with the new business unit in a new data container of the data service and to be accessible by the one or more of the users, wherein the new business unit and the new data container do not exist prior to the provisioning request, and the one or more of the users do not have access rights to the new data container prior to the provisioning request;
  
  associating, by the processor, a security certificate with the new business unit based on the provisioning request;
  
  determining, by the processor, the one or more of the users comprising the new business unit based on the provisioning request; and
  
  in response to the provisioning request, automatically generating, by the processor, a policy for controlling access to the at least another portion of the encrypted data in the new data container by the one or more of the users of the new business unit based on the security certificate; and
  
  associating, by the processor, one or more keys for accessing the at least another portion of the encrypted data with the new data container of the data service, the new business unit, a key manager associated with the data service, or a combination thereof based on the policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method of claim 1, further comprising:
    - determining fulfillment of the provisioning request based on the association of the one or more keys.
  - 3. A method of claim 1, further comprising:
    - in response to the provisioning request, generating the security certificate in association with the new business unit; and
      
      storing the security certificate to a common data container of the data service,wherein the common data container is a repository maintained by the data service for the enterprise that owns the new business unit and has access rights to the encrypted data prior to the provisioning request.
  - 4. A method of claim 3, further comprising:
    - in response to the provisioning request, generating the new data container at the data service based on the storing of the security certificate in the common data container of the service,wherein the new data container is generated as a business unit data container of the data service, andwherein the new data container exclusively stores data associated with the new business unit.
  - 5. A method of claim 1, further comprising:
    - storing identity information regarding the new business unit to the key manager based on the policy,wherein the key manager stores at least one of the one or more keys for authenticating the new business unit for access to the data service, the encrypted data, or a combination thereof.
  - 6. A method of claim 5, further comprising:
    - storing identity information regarding the one or more of the users of the new business unit to the key manager based on the policy,wherein the key manager stores a subset of the one or more keys and authenticates the one or more of the users for access to the data service, the encrypted data, or a combination thereof.
  - 7. A method of claim 6, wherein the one or more keys include a key pair comprising a public key and a private key generated per user for the one or more of the users of the new business unit for authentication, the method further comprising:
    - generating a table mapping the private key to a respective user and to the new data container,wherein the table is stored at the key manager.
  - 8. A method of claim 1, wherein the one or more keys include a key pair comprising a public key and a private key generated for authenticating the new business unit, the method further comprising:
    - generating a table mapping the private key to the new business unit and to the new data container,wherein the table is stored at the key manager.
  - 9. A method of claim 8, further comprising:
    - transmitting the private key to the key manager for authentication;
      
      receiving a master key from the key manager based on the authentication of the private key of the key pair against the table,wherein the master key is used to decrypt the encrypted data stored in the new data container.
  - 10. A method of claim 9, further comprising:
    - receiving a sharing request to share the new data container, the encrypted data, or a combination thereof with one or more other business units; and
      
      updating the table to map a private key of the one or more other business units to the new data container, the encrypted data, or a combination thereof, to fulfill the sharing request.
  - 11. A method of claim 10, further comprising:
    - generating a permission record for allowing the one or more other business units to access the new data container, the encrypted data, or a combination thereof,wherein the permission record, the table, or a combination thereof is maintained by the key manager.
  - 12. A method of claim 11, wherein fulfillment of the sharing request is based on the generation of the permission record, the updating of the table, or a combination thereof.

13. An apparatus for provisioning and sharing data among users of a data service, comprising:
- at least one processor; and
  
  at least one memory including computer program code for one or more programs,the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following,receive a provisioning request to provision a new business unit of an enterprise for access to a data service, wherein the new business unit comprises one or more of the users that belong to the enterprise, and the users that belong to the enterprise are previously assigned to one or more already existing business units, wherein the data service stores encrypted data owned by the enterprise, at least a portion of the encrypted data is accessible to the one or more of the users via the one or more already existing business units in one or more already existing data containers of the data service, and at least another portion of the encrypted data is to be associated with the new business unit in a new data container of the data service and to be accessible by the one or more of the users, wherein the new business unit and the new data container do not exist prior to the provisioning request, and the one or more of the users do not have access rights to the new data container prior to the provisioning request;
  
  associate a security certificate with the new business unit based on the provisioning request;
  
  determine the one or more of the users comprising the new business unit based on the provisioning request; and
  
  in response to the provisioning request, automatically generate a policy for controlling access to the at least another portion of the encrypted data in the new data container by the one or more of the users of the new business unit based on the security certificate; and
  
  associate one or more keys for accessing the at least another portion of the encrypted data with the new data container of the data service, the new business unit, a key manager associated with the data service, or a combination thereof based on the policy.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. An apparatus of claim 13, wherein the apparatus is further caused to:
    - determine fulfillment of the provisioning request based on the association of the one or more keys.
  - 15. An apparatus of claim 13, wherein the apparatus is further caused to:
    - in response to the provisioning request, generate the security certificate in association with the new business unit; and
      
      store the security certificate to a common data container of the data service,wherein the common data container is a repository maintained by the data service for the enterprise that owns the new business unit and has access rights to the encrypted data prior to the provisioning request.
  - 16. An apparatus of claim 15, wherein the apparatus is further caused to:
    - in response to the provisioning request, generate the new data container at the data service based on the storing of the security certificate in the common data container of the service,wherein the new data container is generated as a business unit data container of the data service, andwherein the new data container exclusively stores data associated with the new business unit.
  - 17. An apparatus of claim 16, wherein the apparatus is further caused to:
    - store identity information regarding the new business unit to the key manager based on the policy,wherein the key manager stores at least one of the one or more keys for authenticating the new business unit for access to the data service, the encrypted data, or a combination thereof.
  - 18. An apparatus of claim 13, wherein the one or more keys include a key pair comprising a public key and a private key generated for authenticating the new business unit, and wherein the apparatus is further caused to:
    - generate a table mapping the private key to the new business unit and to the new data container,wherein the table is stored at the key manager.
  - 19. An apparatus of claim 18, wherein the apparatus is further caused to:
    - transmit the private key to the key manager for authentication;
      
      receive a master key from the key manager based on the authentication of the private key of the key pair against the table,wherein the master key is used to decrypt the encrypted data stored in the new data container.

20. A non-transitory computer-readable storage medium for provisioning and sharing data among users of a data service, carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to perform:
- receiving a provisioning request to provision a new business unit of an enterprise for access to a data service, wherein the new business unit comprises one or more of the users that belong to the enterprise, and the users that belong to the enterprise are previously assigned to one or more already existing business units, wherein the data service stores encrypted data owned by the enterprise, at least a portion of the encrypted data is accessible to the one or more of the users via the one or more already existing business units in one or more already existing data containers of the data service, and at least another portion of the encrypted data is to be associated with the new business unit in a new data container of the data service and to be accessible by the one or more of the users, wherein the new business unit and the new data container do not exist prior to the provisioning request, and the one or more of the users do not have access rights to the new data container prior to the provisioning request;
  
  associating a security certificate with the new business unit based on the provisioning request;
  
  determining the one or more of the users comprising the new business unit based on the provisioning request; and
  
  in response to the provisioning request, automatically generating a policy for controlling access to the at least another portion of the encrypted data in the new data container by the one or more of the users of the new business unit based on the security certificate; and
  
  associating one or more keys for accessing the at least another portion of the encrypted data with the new data container of the data service, the new business unit, a key manager associated with the data service, or a combination thereof based on the policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HERE Global B.V. (HERE Holding Corporation)
Original Assignee
HERE Global B.V. (HERE Holding Corporation)
Inventors
Qian, Gaoqiang
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US14/674,407
Publication Number

US 20160294563A1
Time in Patent Office

861 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/083   involving central third par...

H04L 9/3263   involving certificates, e.g...

Method and apparatus for migrating encrypted data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for migrating encrypted data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links