Method and apparatus for multi-tenancy secrets management
US-2015319192-A1 · Nov 5, 2015 · US
Method and system for providing an encryption proxy
US9569630B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9569630-B2 |
| Application number | US-201615167593-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 27, 2016 |
| Priority date | Oct 15, 2013 |
| Publication date | Feb 14, 2017 |
| Grant date | Feb 14, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
An encryption proxy is instantiated in a first computing environment and includes encryption proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache encryption key data in a secure encryption key cache outside the second computing environment. The encryption proxy requests one or more encryption keys to be cached and is then provided encryption key data representing the requested encryption keys in the encryption key cache. The encryption proxy then receives application request data from a second virtual asset instantiated in the first computing environment requesting one or more encryption keys be applied to second virtual asset data. The encryption proxy then obtains the required encryption keys from the secure secrets cache and coordinates the application of the encryption keys to the second virtual asset data.
First claim
Opening claim text (preview).
What is claimed is: 1. A system for providing an encryption proxy comprising: at least one processor; and at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for providing an encryption proxy, the process for providing an encryption proxy including: securely decentralizing encryption key data and decreasing access latency for encryption key data by providing an encryption proxy in a cloud computing environment, the encryption proxy being a virtual asset instantiated in the cloud computing environment, the encryption proxy including encryption proxy authentication data, the encryption proxy authentication data for identifying the encryption proxy as a trusted virtual asset in the cloud computing environment, the encryption proxy authentication data including hardware identification data identifying underlying hardware on which the encryption proxy is running; providing a secrets distribution management system, the secrets distribution management system being in a second computing environment, the secrets distribution management system having access to the encryption key data representing one or more encryption keys, the secrets distribution management system controlling the distribution of the one or more encryption keys in accordance with one or more encryption key distribution policies; providing, by the encryption proxy, the encryption proxy authentication data to the secrets distribution management system; authenticating, by the secrets distribution management system, the encryption proxy by comparing the hardware identification data with data obtained via a cloud provider of the cloud computing environment; identifying, by the secrets distribution management system, the encryption proxy as a trusted virtual asset eligible to cache encryption key data in a remote encryption key cache outside the second computing environment; generating, by the encryption proxy, cache encryption key request data representing a request for data representing one or more requested encryption keys to be cached in the remote encryption key cache; providing, by the encryption proxy, the cache encryption key request data to the secrets distribution management system; and providing, by the secrets distribution management system in response to the cache encryption key request data, data representing one or more of the requested encryption keys to the remote encryption key cache. 2. The system for providing an encryption proxy of claim 1 wherein the cloud computing environment is an untrusted computing environment. 3. The system for providing an encryption proxy of claim 2 wherein the encryption proxy is a virtual asset generated in the untrusted computing environment. 4. The system for providing an encryption proxy of claim 1 wherein the second computing environment is a trusted computing environment. 5. The system for providing an encryption proxy of claim 4 wherein the second computing environment is a data center network. 6. The system for providing an encryption proxy of claim 1 wherein the secrets distribution management system is a Hardware Security Module (HSM). 7. The system for providing an encryption proxy of claim 1 wherein the encryption proxy authentication data includes data representing an authentication mechanism consisting of: loading specified datum from a specified storage service onto the encryption proxy and then providing the specified datum to confirm the identity of the encryption proxy. 8. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the type of computing environment represented by the cloud computing environment. 9. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the types of virtual assets in the cloud computing environment. 10. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the capabilities of the virtual assets in the cloud computing environment. 11. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the reputation profiles of the virtual assets in the first computing environment. 12. The system for providing an encryption proxy of claim 1 wherein the one or more requested encryption keys to be cached in the remote encryption key cache are selected by the encryption proxy based on the resources associated with the virtual assets in the first computing environment. 13. The system for providing an encryption proxy of claim 1 wherein the encryption proxy provides the encryption proxy authentication data to the secrets distribution management system via a secure communications channel. 14. The system for providing an encryption proxy of claim 13 wherein the secure communications channel is an authenticated Secure Sockets Layer (SSL) communications channel. 15. The system for providing an encryption proxy of claim 13 wherein the secure communications channel is any private communications channel. 16. The system for providing an encryption proxy of claim 1 wherein the remote encryption key cache is an encryption key data store outside the second computing environment. 17. The system for providing an encryption proxy of claim 1 wherein the remote encryption key cache is part of the encryption proxy. 18. The system for providing an encryption proxy of claim 1 further comprising: a second virtual asset instantiated in the cloud computing environment, the second virtual asset generating encryption/decryption request data requesting that second virtual asset data associated with a second virtual asset be encrypted or decrypted; the encryption proxy receiving the encryption/decryption request data; the encryption proxy authenticating the second virtual asset; the encryption proxy obtaining the encryption keys associated with the encryption/decryption request data from the remote encryption key cache; and the encryption proxy coordinating the encryption of decryption of the second virtual asset data. 19. The system for providing an encryption proxy of claim 18 wherein the second virtual asset data is an object and the encryption proxy coordinates object level encryption or decryption of the second virtual asset object. 20. The system for providing an encryption proxy of claim 19 wherein once the encryption proxy coordinates object level encryption of the second virtual asset object, the encryption proxy coordinates the storing the object encrypted second virtual asset object in an object store. 21. The system for providing an encryption proxy of claim 18 wherein the encryption proxy coordinates the encryption or decryption of the second virtual asset data performed by an encryption engine implemented in the cloud computing environment. 22. The system for providing an encryption proxy of claim 18 wherein the encryption proxy coordinates the encryption or decryption of the second virtual asset data performed by an en
Assignees
Inventors
Classifications
Network architectures or network communication protocols for network security (cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00; network architectures or network communication protocols for wireless network security H04W12/00; security arrangements for protecting computers or computer systems against unauthorised activity G06F21/00) · CPC title
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title
Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068) · CPC title
by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity · CPC title
- G06F21/602Primary
Providing cryptographic facilities or services · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9569630B2 cover?
- An encryption proxy is instantiated in a first computing environment and includes encryption proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache encryption key data in a secure encryption key cache outside the second computing environment. The encryption proxy requests one …
- Who is the assignee on this patent?
- Intuit Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F21/602. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Feb 14 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).