Enhanced remote key management for an enterprise in a cloud-based environment

US 9,756,022 B2
Filed: 08/29/2014
Issued: 09/05/2017
Est. Priority Date: 08/29/2014
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating remote key management services in a collaborative cloud-based environment, the method comprising:

processing a data item indicated by a content request to determine that the data item is associated with remote key management functionality;

identifying audit log information associated with the content request, wherein the audit log information comprises a reason code enumerating a reason associated with the content request, wherein the reason comprises at least one of;

accessing a data item request, fulfilling a maintenance request, performing a text extraction request, or fulfilling backend services;

initiating a secure key request by a HSM interface engine to a hardware security module (HSM), wherein the secure key request comprises the audit log information; and

determining whether to accept or reject the content request by processing the reason code from the secure key request based at least in part on one or more pre-configured rules by the HSM, wherein the HSM is located on a second client device that is remote from the HSM interface engine located on a first client device, the secure key request sent across a network from the first client device to the second client device for determining whether to accept or reject the content request based at least in part on the reason code.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for facilitating remote key management services in a collaborative cloud-based environment. In one embodiment, the remote key management architecture and techniques described herein provide for local key encryption and automatic generation of a reason code associated with content access. The reason code is logged by a hardware security module which is monitored by a remote client device (e.g., an enterprise client) to control a second (remote) layer of key encryption. The remote client device provides client-side control and configurability of the second layer of key encryption.

514 Citations

24 Claims

1. A method for facilitating remote key management services in a collaborative cloud-based environment, the method comprising:
- processing a data item indicated by a content request to determine that the data item is associated with remote key management functionality;
  
  identifying audit log information associated with the content request, wherein the audit log information comprises a reason code enumerating a reason associated with the content request, wherein the reason comprises at least one of;
  
  accessing a data item request, fulfilling a maintenance request, performing a text extraction request, or fulfilling backend services;
  
  initiating a secure key request by a HSM interface engine to a hardware security module (HSM), wherein the secure key request comprises the audit log information; and
  
  determining whether to accept or reject the content request by processing the reason code from the secure key request based at least in part on one or more pre-configured rules by the HSM, wherein the HSM is located on a second client device that is remote from the HSM interface engine located on a first client device, the secure key request sent across a network from the first client device to the second client device for determining whether to accept or reject the content request based at least in part on the reason code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the secure key request directs the HSM to store the audit log information.
  - 3. The method of claim 2, wherein the secure key request further directs the HSM to sign the audit log information with a secure key.
  - 4. The method of claim 1, wherein the audit log information is included in a free form block of the secure key request to the HSM.
  - 5. The method of claim 1, wherein the HSM is hosted by the collaborative cloud-based environment but the audit log information is inaccessible via the collaborative cloud-based environment.
  - 6. The method of claim 1, wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment.
  - 7. The method of claim 1, wherein the HSM is hosted by a managed services provider.
  - 8. The method of claim 1, wherein the HSM provides access to the collaborative cloud-based environment and the collaborative cloud-based environment is distinct from a client enterprise that owns the HSM.
  - 9. The method of claim 1, wherein the content request comprises an upload request and wherein the secure key request includes a request to encrypt an encrypted encryption key.
  - 10. The method of claim 1, wherein the content request comprises an access request and wherein the secure key request includes a request to decrypt a twice encrypted encryption key.

11. A system for facilitating remote key management services in a collaborative cloud-based environment, the system comprising:
- one or more processors;
  
  a memory unit having instructions stored thereon which, when executed by the one or more processors, causes the system to;
  
  process a data item indicated by a content request to determine that the data item is associated with remote key management functionality;
  
  identify audit log information associated with the content request, wherein the audit log information comprises a reason code enumerating a reason associated with the content request, wherein the reason comprises at least one of;
  
  accessing a data item request, fulfilling a maintenance request, performing a text extraction request, or fulfilling backend services;
  
  initiate a secure key request by a HSM interface engine to a hardware security module (HSM), wherein the secure key request comprises the audit log information; and
  
  determine whether to accept or reject the content request by processing the reason code from the secure key request based at least in part on one or more pre-configured rules by the HSM, wherein the HSM is located on a second client device that is remote from the HSM interface engine located on a first client device, the secure key request sent across a network from the first client device to the second client device for determining whether to accept or reject the content request based at least in part on the reason code.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the secure key request directs the HSM to store the audit log information.
  - 13. The system of claim 12, wherein the secure key request further directs the HSM to sign the audit log information with a secure key.
  - 14. The system of claim 11, wherein the instructions, when executed by the one or more processors, further causes the system to:
    - format the audit log information for a free form block of the secure key request to the HSM, wherein the audit log information is included in the free form block of the secure key request to the HSM.
  - 15. The system of claim 11, wherein the HSM is hosted by the collaborative cloud-based environment but the audit log information is inaccessible via the collaborative cloud-based environment.
  - 16. The system of claim 11, wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment.
  - 17. The system of claim 11, wherein the HSM is hosted by a managed services provider.
  - 18. The system of claim 11, wherein the HSM provides access to the collaborative cloud-based environment and the collaborative cloud-based environment is distinct from a client enterprise that owns the HSM.
  - 19. The system of claim 11, wherein the content request comprises an upload request and wherein the secure key request includes a request to encrypt an encrypted encryption key.
  - 20. The system of claim 11, wherein the content request comprises an access request and wherein the secure key request includes a request to decrypt a twice encrypted encryption key.

21. A system for facilitating remote key management services in a collaborative cloud-based environment, the system comprising:
- a processor;
  
  a key service proxy device configured to initiate a secure key request responsive to a determination that a data item indicated by a content request is associated with remote key management functionality, wherein the secure key request comprises a reason code enumerating a reason associated with the content request, wherein the reason comprises at least one of;
  
  accessing a data item request, fulfilling a maintenance request, performing a text extraction request, or fulfilling backend services;
  
  a reason engine configured to determine a reason code associated with the content request, wherein determining the reason code comprises directing the processor to identify a reason associated with the content request and responsively generate the reason code associated with the content request;
  
  a hardware security interface engine configured to format the secure key request according to a particular hardware security module (HSM); and
  
  the HSM configured to determine whether to accept or reject the content request by processing the reason code from the secure key request based at least in part on one or more pre-configured rules by the HSM, wherein the HSM is located on a second client device that is remote from the key service proxy device located on a first client device, the secure key request sent across a network from the first client device to the second client device for determining whether to accept or reject the content request based at least in part on the reason code.
- View Dependent Claims (22, 23, 24)
- - 22. The system of claim 21, wherein the reason code is included in a free form block of the secure key request.
  - 23. The system of claim 21, wherein the secure key request directs the HSM to log the reason code.
  - 24. The system of claim 23, wherein an enterprise client is provided an interface for monitoring the log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Box Incorporated
Original Assignee
Box Incorporated
Inventors
Amiri, Kia, Queisser, Jeff, Byron, Chris, Wacker, Rand, Babcock, Kevin
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
LAVELLE, GARY E

Application Number

US14/472,540
Publication Number

US 20160065363A1
Time in Patent Office

1,103 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/60   Protecting data

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/60   Digital content management,...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 9/0822   using key encryption key

H04L 9/0897   involving additional device...

Enhanced remote key management for an enterprise in a cloud-based environment

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

514 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Enhanced remote key management for an enterprise in a cloud-based environment

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

514 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others