Systems and methods for cloud data security

US9219753B2 · US · B2

Patent metadata
Publication number: US-9219753-B2
Application number: US-201414196969-A
Country: US
Kind code: B2
Filing date: Mar 4, 2014
Priority date: Mar 4, 2013
Publication date: Dec 22, 2015
Grant date: Dec 22, 2015

Abstract

Official abstract text for this publication.

Techniques for providing data security services with respect to cloud-based services are described. Examples include a security service provider (“SSP”) configured to perform or provide one or more security-related services or functions with respect to or on behalf of some other system or service. The other system or service may be, for example, a cloud-based system that provides network-accessible services. The SSP allows a user of the cloud-based service to provide and manage one or more security-related services, such as data storage, encryption, decryption, key management, and the like. By using and controlling the SSP, the user can be confident that his or her data is being securely represented and stored, even though it is being operated upon by a cloud-based service that is not under the user's control.

First claim

Opening claim text (preview).

The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:

1. A non-transitory computer-readable medium including instructions that, when executed by a computing system, provide security services with respect to a remote cloud-based service, by performing a method comprising: in a security service provider module that is controlled by a first entity that is distinct from a second entity that controls the cloud-based service, wherein the security service provider module executes on a device that is distinct from a computing system that hosts the cloud-based service: receiving a first request to perform a security-related function including an encryption operation, the first request caused by the cloud-based service and received from a device of a user of the cloud-based service, the first request based on a policy that is stored by the cloud-based service and that causes the cloud-based service to utilize the security service provider module to perform the security-related function, wherein the policy causes the cloud-based service provider to redirect to the security services provider module a user access to uploaded data stored by the cloud-based service, by transmitting a redirection instruction to the device of the user, such that the user accesses the data from the security services provider module in unencrypted form without the cloud-based service ever accessing the data in unencrypted form, the redirection instruction including an identifier of the uploaded data stored by the cloud-based service and an identifier of an associated key; and performing the security-related function on behalf of the cloud-based service by: receiving from the device of the user the first request to access the uploaded data, the first request including the identifier of the uploaded data and the identifier of the associated key; retrieving the uploaded data from the cloud-based service; decrypting, based on the policy, the retrieved uploaded data using the associated key; and transmitting the decrypted data to the device of the user, without passing through the cloud-based service, and wherein the method further comprises: receiving a request to restrict access by the cloud-based service to the encrypted data stored by the cloud-based service; and denying a subsequent request from the cloud-based service to decrypt the encrypted data, such that the data can no longer be accessed via the cloud-based service even though the cloud-based service still possesses one or more copies of the encrypted data.

2. The computer-readable medium of claim 1, the first request caused by a first redirection instruction transmitted from the cloud-based service to the device of the user, and wherein the method further comprises facilitating an upload of data to the cloud-based service, by: receiving data from the device of the user; encrypting the data according to the policy; transmitting the encrypted data to the cloud-based service, thereby causing the cloud-based service to store the encrypted data; and transmitting a second redirection instruction to the device of the user, the instruction causing the device to access the cloud-based-service to receive confirmation that the data was successfully uploaded to the cloud-based service.

3. A computing system configured to provide security services with respect to a remote cloud-based service, the computing system comprising: a memory; and a security services provider module that is stored on the memory and that is configured, when executed, to: define a policy associated with the cloud-based service, the policy causing the cloud-based service to utilize the security service provider module to perform a security-related function, wherein the policy causes the cloud-based service provider to redirect to the security services provider module a user access to uploaded data stored by the cloud-based service, by transmitting a redirection instruction to a device of the user, such that the user accesses the data from the security services provider module in unencrypted form without the cloud-based service ever accessing the data in unencrypted form, the redirection instruction including an identifier of the uploaded data stored by the cloud-based service and an identifier of an associated key; receive a first request to perform the security-related function including an encryption operation, the first request based on the policy, the first request caused by the cloud-based service and received from the device of the user; and perform the security-related function on behalf of the cloud-based service by: receiving from the device of the user the first request to access the uploaded data, the first request including the identifier of the uploaded data and the identifier of the associated key; retrieving the uploaded data from the cloud-based service; decrypting, based on the policy, the retrieved uploaded data using the associated key; and transmitting the decrypted data to the device of the user, without passing through the cloud-based service, wherein the computing system is controlled by an entity that does not control the remote cloud-based service, further comprising a policy that specifies that unencrypted access by the cloud-based service to a document stored by the cloud-based service is to be restricted upon occurrence of a specified document state that is one of new document, sent document, viewed document, signed document, and completed document, and wherein the security services provider module is further configured to: monitor state changes to the document by consulting the policy to determine whether the specified document state has occurred; before occurrence of the specified document state, decrypt the document on behalf of the cloud-based service; and after occurrence of the specified document state, refuse to decrypt the document on behalf of the cloud-based service, thereby restricting unencrypted access by the cloud-based service to the document.

4. The computing system of claim 3, further comprising the cloud-based service, wherein the cloud-based service is configured to: receive from the device of the user a second request to upload data to the cloud-based service; transmit a first redirection instruction to a device of the user, thereby causing the device of the user to transmit the first request to the security services provider module; wherein the security services provider module is further configured to: receive the data from the device of the user; encrypt the data according to the policy; transmit the encrypted data to the cloud-based service, thereby causing the cloud-based service to store the encrypted data; and transmit a second redirection instruction to the device of the user, the instruction causing the device to access the cloud-based-service to receive confirmation that the data was successfully uploaded to the cloud-based service.

5. The computing system of claim 4, wherein the cloud-based service never accesses the uploaded data in unencrypted form.

6. The computing system of claim 4, wherein the second request to upload data is an HTTP request, and wherein the first and second redirection instructions are HTTP redirect instructions.

7. The computing system of claim 3, wherein the cloud-based service is an electronic signature service, and wherein the security services provider module is configured to: process a request to store an electronic signature document on behalf of the electronic signature service; and process a request to encrypt or decrypt an electronic signature document on behalf of the electronic signature service.

8. The computing system of claim 7 , wherein the security services provider

Classifications

  • involving digital signatures

  • for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08)

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload

  • H04L63/20 (Primary): for managing network security; network security policies in general (filtering policies H04L63/0227)

  • Protecting data integrity, e.g. using checksums, certificates or signatures

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9219753B2 cover?
Techniques for providing data security services with respect to cloud-based services are described. Examples include a security service provider (“SSP”) configured to perform or provide one or more security-related services or functions with respect to or on behalf of some other system or service. The other system or service may be, for example, a cloud-based system that provides network-access…
Who is the assignee on this patent?
Docusign Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 22, 2015 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).