US10893029B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-10893029-B1 |
| Application number | US-201514848152-A |
| Country | US |
| Kind code | B1 |
| Filing date | Sep 8, 2015 |
| Priority date | Sep 8, 2015 |
| Publication date | Jan 12, 2021 |
| Grant date | Jan 12, 2021 |
Official abstract text for this publication.
A technology is described for a virtual secure region. An example method may include receiving a request for data stored in a secure computing service environment executing on computing resources used to provide a public computing service environment, where the secure computing service environment may be separated from the public computing environment using encryption. In response to the request, a secure region account that corresponds to a public region account may be identified using a translation table that maps the secure region account to the public region account. A storage location for the data may be identified within the secure computing service environment specified by the secure region account, and the data may be obtained from the storage location within the secure computing service environment. The data may then be transferred to the public computing service environment.
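The retrieval flow in the abstract (translation-table lookup, fetch from the secure region, decrypt, hand back to the public region) can be modelled as follows. This is an added example, not code from the patent or its assignee: the class, method and account names are hypothetical, and AES-256-GCM with owner and location bound in as authenticated data is an assumed stand-in for the "encryption technique specified by the secure region account".

```ruby
require "openssl"
require "securerandom"

# Constructed model; all names are hypothetical, AES-256-GCM is an assumed technique.
class RegionTranslationDevice
  Denied = Class.new(StandardError)
  Row = Struct.new(:secure_account, :location, :key)
  attr_reader :store # secure region storage: location => [nonce, tag, ciphertext]

  def initialize
    @table = {} # translation table: public region account => Row
    @store = {}
  end

  # Map a public account to a new secure account with a random identifier and key.
  def register(public_account, location)
    @table[public_account] = Row.new(SecureRandom.hex(8), location, SecureRandom.random_bytes(32))
  end

  # Encrypt data arriving from the public region and store it in the secure region.
  def put(public_account, data)
    row = @table.fetch(public_account) { raise Denied }
    c = cipher(:encrypt, row)
    nonce = c.random_iv
    c.auth_data = aad(row)
    ciphertext = c.update(data) + c.final
    @store[row.location] = [nonce, c.auth_tag, ciphertext]
  end

  # Resolve the account, then fetch, authenticate and decrypt for the public region.
  def get(public_account)
    row = @table.fetch(public_account) { raise Denied }
    nonce, tag, ciphertext = @store.fetch(row.location) { raise Denied }
    c = cipher(:decrypt, row)
    c.iv, c.auth_tag, c.auth_data = nonce, tag, aad(row)
    c.update(ciphertext) + c.final
  rescue OpenSSL::Cipher::CipherError
    raise Denied # tampered or relocated ciphertext fails closed
  end

  private
  def cipher(mode, row)
    OpenSSL::Cipher.new("aes-256-gcm").tap { |c| c.public_send(mode); c.key = row.key }
  end

  def aad(row) # authenticated data binds ciphertext to its owner and location
    "#{row.secure_account}|#{row.location}"
  end
end
```

An unmapped account, a missing object and a failed authentication all raise the same `Denied` error, so a caller in the public region cannot tell which secure region accounts or locations exist.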
Opening claim text (preview).
What is claimed is:

1. A non-transitory machine readable storage medium including instructions embodied thereon, the instructions when executed by a processor:

create a virtual secure maintenance network in a physically secure area of a data center, which allows cleared labor to access a region translation device located in the physically secure area of the data center, wherein physical access to the physically secure area of the data center is limited to the cleared labor, and the data center includes a physical public area with computing resources used to execute both a public region and a secure region, and a virtual secure maintenance network channel allows the cleared labor to connect to the virtual secure maintenance network and access the region translation device to manage the secure region of the data center;

create and configure the secure region of the data center using the virtual secure maintenance network channel, wherein encryption is used to logically separate the secure region from the public region of the data center, wherein ownership of data is determined using the region translation device that has access to a translation table which maps a public region account to a secure region account that owns the data in the secure region, and the translation table specifies a storage location for the data in the secure region of the data center, and the translation table is located with the region translation device in the physically secure area in the data center;

receive a customer request associated with the public region account at the data center requesting the data stored in the secure region of the data center;

identify the secure region account mapped to the public region account using the region translation device to access the translation table;

identify the data stored in the secure region of the data center using the region translation device to access the translation table, wherein the data is encrypted using an encryption technique specified by the secure region account when stored to the secure region;

obtain, using the region translation device, the data from the secure region;

decrypt, using the region translation device, the data using a decryption technique specified by the secure region account; and

transfer the data, using the region translation device, to the public region of the data center for customer-use in the public region in association with the public region account.

2. A non-transitory machine readable storage medium as in claim 1, wherein the instructions that when executed by the processor further receive a cleared labor request to access the region translation device and modify a configuration of the region translation device via the virtual secure maintenance network channel with a hardware communication line to the region translation device.

3. A non-transitory machine readable storage medium as in claim 1, wherein the instructions that when executed by the processor further: identify a storage location in the secure region specified in account information for the secure region account; and access the data in the storage location.

4. A computer implemented method, comprising:

creating a virtual secure maintenance network in a physically secure area of a data center which allows cleared labor to access a region translation device located in the physically secure area of the data center, wherein physical access to the physically secure area of the data center is limited to the cleared labor, and the data center includes a physical public area with computing resources used to execute both a public region and a secure region, and a virtual secure maintenance network channel allows the cleared labor to connect to the virtual secure maintenance network and access the region translation device to manage the secure region of the data center, and a translation table is located with the region translation device in the physically secure area in the data center;

creating and configuring the secure region of the data center using the virtual secure maintenance network channel, wherein encryption is used to logically separate the secure region from the public region of the data center, wherein ownership of data is determined using the region translation device with access to the translation table which maps a public region account to a secure region account that owns the data in the secure region, and the translation table specifies a storage location for the data in the secure region of the data center;

receiving a customer request associated with the public region account at the data center requesting the data stored in the secure region of the data center;

identifying the secure region account using the region translation device to access the translation table which maps the public region account to the secure region account;

identifying a storage location for the data within the secure region of the data center owned by the secure region account using the region translation device to access the translation table which specifies the storage location for the data in the secure region of the data center, wherein the data is encrypted using an encryption technique specified by the secure region account when stored to the secure region;

obtaining, using the region translation device, the data from the storage location within the secure region of the data center;

decrypting the data using the region translation device and a decryption technique specified by the secure region account; and

transferring the data, using the region translation device, to the public region in the data center for customer-use in the public region in association with the public region account.

5. A method as in claim 4, further comprising: receiving the data to be stored in the secure region of the data center at a public endpoint; encrypting the data; and transmitting the data that is encrypted to the storage location via a secure endpoint within the secure region of the data center.

6. A method as in claim 4, wherein obtaining the data from the storage location within the secure region of the data center further comprises: retrieving the data from the secure region of the data center via a secure endpoint; and transferring the data to the public region of the data center via a public endpoint.

7. A method as in claim 4, wherein transferring the data to the public region of the data center further comprises providing the data to a service that executes within the public region of the data center.

8. A method as in claim 4, further comprising generating a random account identifier for the secure region account that is visible within the public region of the data center resulting in obfuscating a relationship between the public region account and the secure region account.

9. A method as in claim 4, further comprising associating the public region account with multiple secure region accounts, thereby obfuscating a relationship between the public region account and any individual secure region account included in the multiple secure region accounts.

10. A method as in claim 4, further comprising associating multiple public region accounts with the secure region account, thereby obfuscating a relationship between the secure region account and any individual public region account included in the multiple public region accounts.

11. A method as in claim 4, wherein the region translation device uses a public endpoint to communicate with the public region of the data center, and the region translation device uses a secure endpoint to retrieve the data from the secure region of the data center.

12. A method as in claim 11, wherein the region transl
Virtualized environment, e.g. logically partitioned system · CPC title
Security improvement · CPC title
for a range · CPC title
by using cryptography (for digital transmission H04L9/00) · CPC title
using tables or multilevel address translation means (G06F12/023 takes precedence; address translation in virtual memory systems G06F12/10) · CPC title