US2016065364A1PendingUtilityA1

Enhanced remote key management for an enterprise in a cloud-based environment

Assignee: BOX INCPriority: Oct 17, 2012Filed: Mar 26, 2015Published: Mar 3, 2016
Est. expiryOct 17, 2032(~6.3 yrs left)· nominal 20-yr term from priority
H04L 63/06G06F 21/60H04L 2209/60H04L 9/0897H04L 63/0428H04L 9/0822H04L 2209/24H04L 9/0819
41
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems and methods are disclosed for facilitating remote key management services in a collaborative cloud-based environment. In one embodiment, the remote key management architecture and techniques described herein provide for local key encryption and automatic generation of a reason code associated with content access. The reason code is logged by a hardware security module which is monitored by a remote client device (e.g., an enterprise client) to control a second (remote) layer of key encryption. The remote client device provides client-side control and configurability of the second layer of key encryption.

Claims

exact text as granted — not AI-modified
1 . A method for facilitating remote key management services in a collaborative cloud-based environment, the method comprising:
 receiving a content request for a data item;   determining that the data item corresponding to the content request is associated with remote key management functionality; initiating a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key is encrypted a first time to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time to produce the key that is encrypted at least twice, and wherein a secure key response is received from the HSM with regards to the key that determines whether the data item is to be provided in response to the content request; and   causing audit log information associated with the content request to be provided to a log monitoring system, wherein the audit log information includes a reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment.   
     
     
         2 . The method of  claim 1 , wherein the HSM stores the audit log information. 
     
     
         3 . The method of  claim 2 , wherein the HSM signs the audit log information with a secure key. 
     
     
         4 . The method of  claim 1 , wherein the audit log information is included in the key request. 
     
     
         5 . The method of  claim 1 , wherein the HSM is hosted by the collaborative cloud-based environment. 
     
     
         6 . The method of  claim 1 , wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment. 
     
     
         7 . The method of  claim 1 , wherein the HSM is hosted by a managed services provider. 
     
     
         8 . The method of  claim 1 , wherein the HSM provides access to the collaborative cloud-based environment. 
     
     
         9 . The method of  claim 1 , wherein the unencrypted key is encrypted with a local key encryption key by a key service engine and the encrypted key is encrypted with a remote encryption key by the HSM. 
     
     
         10 . The method of  claim 1 , wherein the content request comprises an access request and wherein the key request includes a request to decrypt a twice encrypted encryption key. 
     
     
         11 . The method of  claim 1 , further comprising using the reason code to determine whether to grant or deny the content request. 
     
     
         12 . A system for facilitating remote key management services in a collaborative cloud-based environment, the system comprising:
 one or more processors;   a memory unit having instructions stored thereon which, when executed by the one or more processors, causes the system to: receive a content request for a data item; determine that the data item corresponding to the content request is associated with remote key management functionality; initiate a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key is encrypted a first time to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time to produce the key that is encrypted at least twice, and wherein a secure key response is received from the HSM with regards to the key that determines whether the data item is to be provided in response to the content request; and cause audit log information associated with the content request to be provided to a log monitoring system, wherein the audit log information includes a reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment.   
     
     
         13 . The system of  claim 12 , wherein the HSM stores the audit log information. 
     
     
         14 . The system of  claim 13 , wherein the HSM signs the audit log information with a secure key. 
     
     
         15 . The system of  claim 12 , wherein the HSM is hosted by the collaborative cloud-based environment. 
     
     
         16 . The system of  claim 12 , wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment. 
     
     
         17 . The system of  claim 12 , wherein the HSM is hosted by a managed services provider. 
     
     
         18 . The method of  claim 12 , wherein the HSM provides access to the collaborative cloud-based environment. 
     
     
         19 . The system of  claim 12 , wherein the unencrypted key is encrypted with a local key encryption key by a key service engine and the encrypted key is encrypted with a remote encryption key by the HSM. 
     
     
         20 . The system of  claim 12 , wherein the content request comprises an access request and wherein the key request includes a request to decrypt a twice encrypted encryption key. 
     
     
         21 . The system of  claim 12 , wherein the reason code is used to determine whether to grant or deny the content request. 
     
     
         22 . A computer program product embodied in a non-transitory computer readable medium, the computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a process to facilitate remote key management services in a collaborative cloud-based environment, the method comprising:
 receiving a content request for a data item;   determining that the data item corresponding to the content request is associated with remote key management functionality;   initiating a key request to a hardware security module (HSM), the key request corresponding to a key that is at least encrypted twice, wherein an unencrypted key is encrypted a first time to produce an encrypted key and the encrypted key while still encrypted is encrypted a second time to produce the key that is encrypted at least twice, and wherein a secure key response is received from the HSM with regards to the key that determines whether the data item is to be provided in response to the content request; and   causing audit log information associated with the content request to be provided to a log monitoring system, wherein the audit log information includes a reason code enumerating a user behavior performed on the data item in the collaborative cloud-based environment.   
     
     
         23 . The computer program product of  claim 22 , wherein the HSM stores the audit log information. 
     
     
         24 . The computer program product of  claim 23 , wherein the HSM signs the audit log information with a secure key. 
     
     
         25 . The computer program product of  claim 22 , wherein the HSM is hosted by the collaborative cloud-based environment. 
     
     
         26 . The computer program product of  claim 22 , wherein the HSM is hosted by a second collaborative cloud-based environment distinct from the collaborative cloud-based environment. 
     
     
         27 . The computer program product of  claim 22 , wherein the HSM provides access to the collaborative cloud-based environment. 
     
     
         28 . The computer program product of  claim 22 , wherein the unencrypted key is encrypted with a local key encryption key by a key service engine and the encrypted key is encrypted with a remote encryption key by the HSM. 
     
     
         29 . The computer program product of  claim 22 , wherein the content request comprises an access request and wherein the key request includes a request to decrypt a twice encrypted encryption key. 
     
     
         30 . The computer program product of  claim 22 , wherein the reason code is used to determine whether to grant or deny the content request.

Join the waitlist — get patent alerts

Track US2016065364A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.