DE102012007217A1 - Information technology method for safe handling and safe processing of sensitive data for social security number, involves performing translation of sensitive data on placeholder data and vice versa to use services of private cloud - Google Patents

Abstract

The method involves remaining sensitive data and image data in the safe zone. The clear mapping is performed between the sensitive data and placeholder data by using image data. The insecure zone is used instead of the sensitive data corresponding placeholder data. The translation of sensitive data is performed on placeholder data and vice versa to use services of private cloud (2). The public cloud (1) and/or the client (3) of the private cloud are requested by querying another placeholder data. An independent claim is included for computer program product for safe handling and safe processing of sensitive data.

Description

The invention relates to an IT method for increasing the security in dealing with sensitive data in the use and application of data processing services in connection with the operating model cloud computing.

The term sensitive data is understood to mean, in particular, personal data such as addresses, social security numbers, information on bank details, credit card data, medical data, etc., whereby the definition and the required or desired security classification of the data type is fundamentally open and dependent on the respective field of application. In the further course, the term sensitive data is therefore understood merely as a delineation to such data, which have a lower security rating depending on the area of use and thus can be regarded as less problematic in the context of cloud computing (hereinafter referred to as non-sensitive data).

The term cloud computing describes the approach or operating model, abstracted IT infrastructures (eg computing capacity, data storage, network capacities or even finished software) dynamically, d. H. adapted to the respective needs, to provide over a network. From the user's point of view, the abstracted IT infrastructure provided seems to be remote and opaque, as if cloaked in a "cloud". The offer and use of these services takes place exclusively via defined technical interfaces and protocols. The range of services offered in the context of cloud computing covers the entire spectrum of information technology and includes infrastructure (eg computing power, storage space), platforms (eg application server, programming environments) and software (eg. Merchandise management, photo management, etc.).

From a user's point of view, cloud computing offers some advantages over the traditional operating model, where the user has to take care of the deployment and operation of the required IT infrastructure. For example, the operator of a cloud can give access to the same physical IT infrastructure to multiple user groups and only provide each group with a virtual part of the IT infrastructure. This typically reduces the costs for a user group, with sometimes higher quality compared to the acquisition and the own operation (economy of scale). In addition, a user is often more flexible with cloud computing in terms of the required performance of its associated virtual IT infrastructure. As demand grows, today's cloud computing platforms can dynamically increase or decrease performance by allocating additional resources, with no significant disruption to their operations or even the need to acquire new IT infrastructure from the end user. Typically, cloud computing services are therefore also offered depending on the degree of utilization and remunerated in terms of a rental model through regular payments by the user to the operator.

These advantages are offset by a structural disadvantage in the area of data security. In the case of the typical cloud computing model, the IT infrastructure provided lies with the cloud provider and thus outside the self-controlled hemisphere of the user. In addition, it is shared between several providers and can also be reached by third parties via the Internet. As a result, such a cloud infrastructure is subject to an increased security risk, such that the data transmitted by the user to the cloud can more easily fall into the wrong hands or be manipulated. Ultimately, choosing a cloud provider for a user is always a consideration of risk issues and confidence in the communicated services and measures, which is a whole problematic and one of the main reasons why cloud computing is currently used only in exceptional cases for sensitive data and its processing ,

Another aspect is the fact that many cloud computing services are based on infrastructure that is located in other countries in order to minimize the operating costs of the cloud provider or to use other advantages, such as tax and / or legal. In addition, most cloud computing platforms available today do not allow audit-proof traceability of the actual allocation of data storage to the physical components of the cloud infrastructure. This is a fundamental problem for many areas of application if legal requirements require audit security or stipulate that sensitive data may not be kept outside the country of the user. For all these cases, cloud computing is not an option in terms of storing and processing sensitive data.

The state of the art for increasing the security level of cloud computing is as follows. There are various methods for improving the security level of the cloud infrastructure and / or the transmission of the data over the network between the cloud and the user. These include many well-known methods such as data or channel encryption, mechanisms such as firewalls or so-called hardening processes, in which the potential attack surface of the Cloud infrastructure is reduced or scanning methods that try to systematically identify security-relevant vulnerabilities of the infrastructure or the software components used and close if possible.

• 1. So ist aus AU 002010249631 A1 ein Verfahren bekannt, bei dem ein Data Parser die Sensitiven Daten in mehrere Portionen aufteilt und diese dann getrennt zur Cloud überträgt und getrennt, d. h. an verschiedenen Orten innerhalb der Cloud speichert, um so einen höheren Schutz zu erzielen.
• 2. In CN 000102075542 A wird ein Verfahren beschrieben, bei dem ein sogenannter Secure Client die Daten verschlüsselt, die verschlüsselten Daten dann an die Cloud überträgt und extrahierte Meta-Informationen zu den Daten an einen sogenannten Cloud Data Security Service überträgt.
• 3. Ein weiteres Verfahren ist nach US 8,108,912 B2 bekannt. Hier werden Sensitive Daten verschlüsselt oder maskiert in die Cloud übertragen, wo sie dann für die temporäre Verarbeitung entschlüsselt und demaskiert werden, ohne jedoch dauerhaft in der Cloud gespeichert zu werden.

In addition to the aforementioned known methods, other inventions in the field of cloud security have been filed in the near future and thus also belong to the state of the art:

• 1. That's how it is AU 002010249631 A1 A method is known in which a data parser divides the sensitive data into several portions and then transmits them separately to the cloud and separates them, ie stores them at different locations within the cloud, in order to achieve greater protection.
• 2. In CN 000102075542 A describes a method in which a so-called secure client encrypts the data, then transmits the encrypted data to the cloud and transmits extracted meta-information to the data to a so-called cloud data security service.
• 3. Another method is after US 8,108,912 B2 known. Sensitive data is encrypted or masked into the cloud, where it is then decrypted and unmasked for temporary processing, without being permanently stored in the cloud.

All of these procedures are justified and can help raise the level of security. However, they do not solve the explained basic problems, since the sensitive data are finally transferred to the cloud and can at least theoretically fall into the wrong hands or be manipulated. Furthermore, legal requirements in some areas prevent sensitive data from being transferred to such a cloud per se, which means that the aforementioned methods can not be used.

It is therefore the task to find a method that works differently than the previous methods and the benefits of cloud computing also for these applications that are dependent on the processing and storage Sensitive data.

Of particular advantage of the invention presented here is that the sensitive data is basically not transmitted to the cloud, but it is still possible to use the cloud for processing services. By separating the data storage and data processing as well as the interaction of the components, the task is solved elegantly.

Another advantage is that the location of the sensitive data can be chosen independently of the cloud from which the processing power (i.e., the application logic) comes. Thus, any legal requirements with regard to the location of the sensitive data can be fulfilled, even if the cloud itself does not meet these requirements.

Before the invention is explained in more detail, the relevant manifestations of cloud computing should first be defined more precisely, since this is relevant for the description of the method. It uses the more or less well-established terminology. Today one distinguishes between the following cloud variants (see also 1 ):

Public cloud

In 1 shows 1 the variant Public Cloud. A public cloud corresponds to the previous general remarks on cloud computing. It is therefore an IT infrastructure that is dynamically adapted to the needs and made available to a number of users or user groups via a network, typically the Internet, by the public cloud operator. We also speak of public cloud services and mean all services (such as data processing, data storage, data provision) that a public cloud makes available to its users, depending on their characteristics. The term Public expresses the fact that the cloud services are typically made available to a broader public or to the employees of various companies via the Internet for a fee or free of charge. In the case of public cloud services, therefore, the aforementioned task arises for the secure handling of sensitive data. An application example for a public cloud is a centrally provided blog system such as the well-known WordPress. It is offered by a public cloud operator via the Internet and used by a large number of private individuals and companies (ie different user groups). In order to be able to use it as a user, a commercially available terminal device (such as a PC, smartphone, etc.) equipped with a web browser and an Internet access is sufficient. After a registration process, users receive their access data, can register with the Public Cloud service and use it to maintain their blog and make it available to the public.

Private cloud

In 1 shows 2 a so-called private cloud. Technically, this can be built like a public cloud, which are usually reduced versions such as simple server, or Appliances such as NAS (Network Attached Storage). However, the main difference to the public cloud in a private cloud is that it is typically provided and operated by the company or user group that uses the services of the private cloud itself. The IT infrastructure of the private cloud is thus typically in the hemisphere of their users, it is therefore not intended for the public, which explains the term private. A private cloud is also given if the user is not identical to the operator or provider, but the private cloud is primarily available to him (example: outsourcing of operator services to a third party).

Basically, a private cloud based on the processing of sensitive data is largely comparable to the case that the user acquires and operates the IT infrastructure itself. In any case, it can be assumed that a private cloud, which in terms of security is comparable to a public cloud, can by itself be classified as more secure than a public cloud. This is due to the fact that the number of users is lower, users and operators coincide, the functionality and the level of awareness is usually lower than that of a public cloud. In addition, there is less motivation for criminal attacks, since behind a private cloud significantly fewer user groups and data can be expected than with a public cloud.

For the further explanations and explanations of the invention, we therefore assume that the secure handling of sensitive data in a private cloud is guaranteed or can be ensured and the task does not arise in relation to a private cloud.

It should be noted, however, that the above-mentioned benefits and economic benefits of a public cloud do not or only marginally exist for the private cloud.

One application example for a private cloud is the provision of remote access to data and functions of the enterprise resource planning system for one's own employees. Employees are no longer dependent on being within the company to use the merchandise management system, but can work remotely and access them. As a network, you can use your own, specially protected, company network or the Internet. Usually, when using the Internet then usually a VPN (Virtual Private Network) and possibly other security mechanisms such as SecurID, SmartCards, etc. are used.

Hybrid cloud

For all combinations of public cloud and private cloud mechanisms one speaks of a so-called hybrid cloud. Insofar as sensitive data is transferred to the public cloud area of such a hybrid cloud (of whatever kind) or as far as the private cloud area is not subject to the control and responsibility of the user group responsible for the sensitive data, it is also possible the hybrid cloud is considered to be affected by the task. An application example of a hybrid cloud, for example, the combination of a local server of a company with Internet dial-up line and dynamic IP address (the private cloud share) and a DynDNS service of a provider (Public Cloud Share), this dynamic IP address to a fixed URL, so that clients can connect to this server via this fixed name without further knowledge of the current IP address.

The invention presented here is a method in which public cloud services, private cloud services and the client of a user or the clients of a user group interact in such a way that sensitive data can also be processed with public cloud services without the security of the sensitive data endanger or, as controller of such data, have no control over the location or processing of such data. The method is thus dependent on the exact embodiment as a hybrid cloud or as a combination of a public cloud and a private cloud to designate, in addition to the client in both cases has a special role in the process.

client

• – ein Thin Client in Form eines WebBrowsers (z. B. Firefox, Safari, Chrome, Opera, Internet Explorer und ähnliche Produkte) ausgeführt und betrieben auf
• – einem stationären Desktop-Rechner
• – einem mobilen Notebook, Laptop etc.
• – einem mobilen Endgerät wie einem Handy, Smartphone etc.
• – ein Rich Client in Form einer nativen, d. h. für das Betriebssystem (z. B. IOS, Android, Linux, Solaris, Windows etc.) des Clients entwickelten Software-Programms
• – ein virtualisiertes System (z. B. virtualisiert mit Produkten wie VMware, Parallels etc.)
• – ein Anwendungsprogramm ohne Benutzerschnittstelle, das jedoch als Client gegenüber einem Server agiert

Under the in 1 shown client 3 , In the following, we understand an IT component which, in the sense of the known client-server model, is temporarily or permanently connected to one or more servers via a network and interacts with them, ie exchanges data and provides data processing services (such as generating, modifying, deleting, Correlating data, checking, creating new data from existing data, etc.) on a server. The exact embodiment of the client for the invention is irrelevant. For the sake of clarity, some embodiments of a client are listed and explained by way of example:

• - run and run a thin client in the form of a web browser (eg Firefox, Safari, Chrome, Opera, Internet Explorer and similar products)
• - a stationary desktop computer
• - a mobile notebook, laptop etc.
• A mobile device such as a mobile phone, smartphone etc.
• A rich client in the form of a native software program developed for the client's operating system (eg IOS, Android, Linux, Solaris, Windows etc.)
• - a virtualized system (eg virtualized with products like VMware, Parallels etc.)
• An application program without a user interface, but acting as a client to a server

The relevant entities for the invention are thus a client 3 in 1 , a private cloud service 2 in 1 , a public cloud service 1 in 1 and sensitive data 5 in 1 , The client, as well as the private and the public cloud service can also consist of several instances, components or services - this is irrelevant to the method of the invention.

The client is over a network 6 in 1 connected to the private cloud service (technically running as LAN, WLAN, or WAN, for example). The client is also over a network 7 in 1 connected to the public cloud service (eg, technically running as WAN, Internet, for example). Depending on the embodiment of the method, there is additionally a network 8th in 1 between the private cloud service and the public cloud service.

Depending on the embodiment, the client may be part of the private cloud (ie, it is on the local network, along with the other IT infrastructure components of the private cloud), or it is part of the extended private cloud 4 in 1 and then connected to the private cloud via the Internet or a stand-alone network - the network connection 6 in 1 then would be usually a suitable secure Internet connection. In all cases, we consider the client as belonging to the hemisphere of the private cloud operator, ie under his control and thus as safe in the sense of the procedure.

The data 5 in 1 For the purposes of the method, at least the sensitive data and the image data and, depending on the embodiment, also wildcard data and other non-sensitive data.

As predicted, the invention is based on the idea that we are dealing with a secure and an insecure zone and that the storage or processing of sensitive data may take place exclusively in the secure zone, whereas in the non-secure zone only non-sensitive data and so-called dummy data instead of sensitive data may be stored or processed. The transmission of sensitive data outside the safe zone must also not take place.

We refer to the client and the private cloud or the extended private cloud as well as the network as a secure zone 6 in 1 , Unsafe zone is the public cloud, including the network 7 in 1 between client and public cloud as well as the network 8th in 1 between public cloud and private cloud.

As placeholder data we refer to data that exists as a representative of the Sensitive Data and in turn contains no Sensitive Data and in principle also does not permit the reconstruction of Sensitive Data or conclusions on the Sensitive Data. The placeholder data can thus also be transferred to the insecure zone without any influence on the security of the sensitive data and stored or processed there.

The generation and assignment of the placeholder data to the sensitive data takes place exclusively in the safe zone. The assignment data we call imaging data, they allow the private cloud to sensitive data uniquely determine the associated placeholder data or vice versa from the placeholder data to determine the sensitive data unambiguously.

The generation, storage, manipulation and management of the image data is reserved exclusively for the private cloud or a separate private cloud service. Various embodiments are possible for the exact form of the data modeling for sensitive data, dummy data and image data.

For clarification, we now explain a possible embodiment of the data modeling and data separation in terms of the method and based on the functioning of a conventional relational database. 2a shows with 9 three data records with the structure (first name, last name, account number), where each data record here is a row of the table:
Record 1 = (Max, Meyer, 1234567)
Record 2 = (Paul, Pattern, 2224356)
Record 3 = (Hugo, Schmid, 9871234)

In this example, we assume that the First name field is Non-sensitive data, while the Last name and Account number are Sensitive data in the sense of the procedure. The sensitive data is in 2a With 10 characterized.

This simple example is now mapped to a relational data model in the sense of the method. 2 B shows this illustration and is explained below.

In 2 B will with 11 , the area containing only uncritical data while using 12 the area containing the critical data (sensitive data and image data) is shown.

13 shows the part of the given three data sets, which are non-sensitive, where besides the first name an additional column with an identifier (NSD-ID) is needed for the relational modeling.

14 shows the part of the given three records that are Sensitive, where in addition to the last name and the account number an additional column with an identifier (SD-ID) is needed for the relational modeling.

15 shows the placeholder data generated for the given three sensitive records, plus an additional column with the identifier (PD-ID) needed for relational modeling. In the placeholder data are correspondences (placeholders) for the parts last name and account number, each with a seemingly arbitrary content. The method of the invention does not make any explicit specifications regarding the contents of the placeholder data. However, depending on the embodiment and use case, a content structure may be useful and necessary. Thus, the generation of the placeholder data or the generation of representations (user masks) is generally easier if the data types and the number of digits or characters in the placeholder are identical to the corresponding type of sensitive data. Consider, for example, the generation of HTML pages that have geometric dependencies on the font and scope of the data. Further content specifications are possible and in the sense of the method, as long as the placeholder data themselves do not allow conclusions to be drawn or reconstruction of the corresponding sensitive data.

16 shows a relation table containing the non-sensitive records 13 with the wildcard records 15 relates.

17 shows the image data containing the sensitive records in 14 with the wildcard records 15 relates. Therefore, these image data belong to the sensitive data, since they are the key with which it is possible to get from the wildcard data records to the corresponding sensitive data records.

18 . 19 . 20 and 21 show arrows that illustrate how the well-known, relational model works. So a field points in 16 NSD Ref, for example, to the associated NSD ID in 13 , All others are analogous here.

• – die Abbildungsdaten müssen die eindeutige Abbildung zwischen Sensitiven Daten und den Platzhalterdaten ermöglichen
• – die Platzhalterdaten dürfen weder Sensitive Daten enthalten noch Rekonstruktionen von Sensitiven Daten ermöglichen
• – Es ist je nach Anwendungsfalls zu definieren welche Teile der Daten als Sensitive Daten betrachtet werden. Für diese Daten greift dann der Mechanismus mit Platzhalterdaten und Abbildungsdaten

It should be noted explicitly that this is just one embodiment and that the method does not impose any restrictions on the nature of the data or the modeling of the data as long as the following criteria are met:

• - The image data must enable the unique mapping between sensitive data and the placeholder data
• - The placeholder data must not contain sensitive data or reconstructions of sensitive data
• Depending on the application, it is necessary to define which parts of the data are considered as sensitive data. The mechanism with dummy data and image data then accesses this data

The typically required functions for dealing with these data will now be described below with reference to exemplary embodiments. It explains which tasks are defined here and in 1 Entities shown in the process and how they interact according to the invention. The usual mechanisms such as authentication, authorization, securing the network communication, etc. are assumed to be known and come here also depending on the embodiment in addition to the application. They are therefore to be considered merely as a supplement to the method and are omitted in the following for reasons of clarity and clarity:

a Sensitive data is in the client 3 entered or created elsewhere:

• - The client 3 has an input mask from the public cloud 1 accessed
• - The user enters sensitive data into this mask
• - The client 3 transmits via network 6 the sensitive data to the private cloud service 2 and requests wildcard data (Request)
• - The private cloud service 2 generates corresponding placeholder data and creates the image data
• - The private cloud service 2 Stores the sensitive data, the dummy data and the image data permanently
• - The private cloud service 2 delivers the desired placeholder data to the client 3 off (response)
• - The client 3 replaces the sensitive data with the placeholder data
• - The client 3 transmits the dummy data and any non-sensitive data collected by the user to the public cloud via the network 7
• - The public cloud 1 processes this data, saves it if necessary and delivers the next page or mask via network 7 for the client 3 out

b) placeholder data on the client 3 Resolve and show the sensitive data:

• - the public cloud 1 has via network 7 a page with placeholder data to the client 3 delivered
• - the client 3 transmits the placeholder data via network 6 to the private cloud service 2 and requests the corresponding Sensitive Data (Request)
• - The private cloud service 2 uses the image data and determines the associated sensitive data
• - The private cloud service 2 transmits via network 6 the sensitive data to the client 3
• - The client 3 replaces the placeholder data with the sensitive data and displays the page for the user

c) The client 3 should process a search query for sensitive data:

• - the public cloud 1 has a page via network 7 to the client 3 delivered, in which the user can enter search terms for sensitive data
• - The user enters the search terms in the mask
• - The client 3 Passes the search terms via network 6 to the private cloud service 2 Specifying whether the hits are required as placeholder data or as sensitive data (Request)
• - The private cloud service 2 performs a query on the stored sensitive data and determines the hit set
• - If the request was defined in such a way that the hit list is desired as placeholder data, then the private cloud service determines 2 the corresponding dummy data via the image data
• - The private cloud service 2 transmitted via network 6 the result data to the client 3 (Response)
• - The client 3 represents the result list of the sensitive data for the user
• - In the case of the hit list to the public cloud 1 is to be transmitted, the client uses 3 the hit list of the placeholder data
• - Lies in the client 3 only the result list of the sensitive data before, so the client demands 3 First, the corresponding placeholder data from the private cloud service 2 at
• - The client 3 finally transfers the hit list of the placeholder data via network 7 to the public cloud 1

d) At the client 3 already created sensitive data are changed and should be saved:

• - The public cloud 1 has a page with placeholder data via network 7 to the client 3 delivered
• - The client 3 calls for the private cloud service 2 via network 6 the corresponding Sensitive Data and represents this upon receipt
• - The user changes the sensitive data
• - The client 3 transmits via network 6 the changed sensitive data to the private cloud service 2 and requests the change (Request)
• - The private cloud service 2 updates the memory image of the sensitive data and acknowledges the successful execution via network 6 (Response)
• - If the use case additionally requires a transmission to the public cloud 1 So there are two embodiments:
• - by the client 3 controlled by the client 3 calls for the placeholder data of the modified sensitive data in the private cloud service 2 via network 6 and transmits these after receipt via network 7 to the public cloud 1 ,
• - through the private cloud 2 controlled the private cloud 2 sends the placeholder data of modified Sensitive data via network 8th to the public cloud 1 .

e) The public cloud 1 requires additional data from the private cloud during the processing process 2 :

• - This is only possible if it is the direct connection version of the public cloud 1 to the private cloud 2 is.
• - The public cloud 1 calls via network 8th the desired additional data by transmitting parameters directly to the private cloud 2 to (request)
• - The private cloud 2 determines this data based on those in the private cloud 2 stored data
• - The private cloud 2 transmits the desired additional wildcard data and / or non-sensitive data to the public cloud 1

The invention is not limited to the aforementioned embodiments. Rather, it is possible to realize by combining and modifying the means and features mentioned further variants, without departing from the scope of the invention.

In the following, some explanations will be given on further forms of expression in the sense of the method in order to characterize the spectrum of execution options. Such is the combination of the procedure with current ones Authentication and encryption mechanisms makes sense and additionally increases the security level, if an attacker manages to penetrate into the secure zone, ie private cloud or extended private cloud.

The combination of the method with data integrity assurance mechanisms is also sensible in order to prevent, for example, sensitive data from being changed, but due to a system failure or application error, dummy data or image data were not appropriately retraced. Reference is made here to the known transaction mechanisms such as 2-phase commit, semaphore methods or idempotent operations in connection with compensation mechanisms.

Finally, the case is pointed out, in which the public cloud is temporarily not available but a user still wants to continue working. This is possible via various known mechanisms such as, for example, HTML5 or else caching and synchronization and within the meaning of the invention.

A method has been described which fully fulfills the stated task. It is an invention that extends the scope and scope of cloud computing to areas where sensitive data needs to be processed or where it is not wanted or legally allowed to submit sensitive data to public cloud services save. In these areas, cloud computing has so far only been used in exceptional cases.

In addition to the public cloud and the client, the method described additionally requires a private cloud and well-defined interaction behavior of these entities in order to prevent sensitive data from the secure zone of the private cloud or the extended private cloud from entering the public cloud. This creates an additional expense. However, it can be assumed that this additional effort, depending on the scope and compared to the benefits of cloud computing is considered low. Implementation simplifications, which the current standard HTML5 brings with it, also apply here. In addition, the private cloud provides beyond the described purpose further additional functionalities and benefits for the user.

Overall, it can therefore be stated that the process, which thus extends the scope of cloud computing, can be expected to bring high economic benefits.

Figure directory

1 Entities and relations

2a Example of data Sensitive and non-sensitive

2 B Example of modeling according to procedure

LIST OF REFERENCE NUMBERS

1

Public cloud

2

Private cloud

3

Hybrid cloud

4

Extended private cloud

5

Data storage in the private cloud

6

Network between client and private cloud

7

Network between client and public cloud

8th

Network between public cloud and private cloud

9

Three exemplary records

10

Data of columns Last Name and Account Number

11

Area with non-sensitive data

12

Area with Sensitive Data and Image Data

13

Non-sensitive data with columns NSD-ID and first name

14

Sensitive data with columns SD-ID, last name and account number

15

Wildcard data with columns PD-ID, last name, account number

16

Relationship data between 13 and 15 with columns NSD-Ref and PD-Ref

17

Picture data between 14 and 15 Columns SD-Ref and PD-Ref

18

Clarification how NSD-Ref refers to NSD-ID

19

Clarification as PD ref in 16 on PD-ID in 15 points

20

Clarification as PD ref in 17 on PD-ID in 15 points

21

Clarification as SD-Ref in 17 on SD-ID in 14 points

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• AU 002010249631 A1 [0008]
• CN 000102075542 A [0008]
• US 8108912 B2 [0008]

Claims (10)

Information technology process for the secure handling and processing of sensitive data, consisting of a public cloud, a private cloud, a client and a secure zone defined by the private cloud, the client and the network between private cloud and client, and an insecure zone, which is defined by the public cloud and the network between the public cloud and the client, as well as the network between the public cloud and the private cloud. The method is characterized in that: - Sensitive data and so-called image data remain in the safe zone and do not enter the insecure zone, and - dummy data is processed and / or stored in the insecure zone instead of sensitive data, and - partial or complete reverse transfer the placeholder data in the sensitive data within the insecure zone is not possible and - the mapping data allow a unique mapping between the sensitive data and the placeholder data and - in the insecure zone instead of the sensitive data the corresponding placeholder data are used and - the client the translation of Performs sensitive data on placeholder data and vice versa and / or uses services of the private cloud and - the Public Cloud and / or the private cloud client can query by requesting additional placeholder data. A method according to claim 1, characterized in that the design - The public cloud and / or the private cloud is done by providing one or more services for data processing and / or data storage and - These services are used by one client or multiple clients and - The client communicates via unsecured and / or secured network connections with the public cloud and - The client communicates via unsecured and / or secured network connections with the private cloud and The private cloud is the primary storage location for the sensitive data and the image data. Method according to one of claims 1 to 2, characterized in that a direct exchange - between public cloud and private cloud takes place and The public cloud communicates with the private cloud via an unsecured and / or secure network connection and - The Public Cloud of the private cloud requests further dummy data and / or non-sensitive data in the sense of a query (pull) or in the sense of a notification automatically gets (push) and - receives from the private cloud the desired wildcard data and / or non-sensitive data in response and - That these queries and responses can be synchronous or asynchronous. Method according to one of claims 1 to 3, characterized in that different modes are supported, in which A client interacts exclusively with the private cloud due to a temporary unavailability of the public cloud and If the public cloud is reachable again, data synchronization takes place between the client and the public cloud and / or between the private cloud and the public cloud - The synchronization is designed either as fully automatic, semi-automatic or as a manual process. Method according to one of claims 1 to 4, characterized in that a client - consists of a stationary device or a mobile device and - runs native or virtualized software and - executes on the application level a web browser, a native application with or without a user interface, or a mixed form of web browser and native application. Method according to one of claims 1 to 5, characterized in that the public cloud and / or the private cloud - consist of typical abstracted IT infrastructure components, or of specific appliances (appliances) such as Network Attached Storage (NAS) or other devices with data storage and / or data processing capabilities - be operated with native or virtualized software. Method according to one of claims 1 to 6, characterized in that the sensitive data - captured and entered by the user on the client or - already present in the client or - already exist in the private cloud or - arise as part of the Safe Zone procedure or - otherwise get into the private cloud or the client during the process. Method according to one of claims 1 to 7, characterized in that further protective measures are used and - Common protocols such as HTTP, FTP, RMI, RPC, TCP, TCP / IP, UDP or others are used for unsecured network connections and - for secure network connections common methods such as encryption and / or protocol variants of the Secure Sacket Layer (SSL) such as HTTPS, SFTP, FTPS or others are used and / or - to secure the mutual identity of the communication partners usual authentication methods such as HTTP Basic Authentication, HTTP Client-Server-Authentication, One-Time-Password (OTP), X.509 Authentication, PKI, Kerberos, RSA, SAML, mTAN or others are used and / or - to further increase security in communication and identify additional hardware such as SmartCards, USB sticks, SecurID tokens, mobile phones, or for biometric methods also used cameras, fingerprint scanners, iris scanners or others and / or - an authentication on each access again or for an entire session takes place, wherein the obtained authentication key (security token) is kept as a cookie on the client or is transmitted with each access as a parameter and / or - the validity of a successful authentication is limited in time or unlimited and / or - usual for the restriction of access permissions Authorization methods such as Access Control List (ACL), role-based mechanisms or others are used and / or - used to further increase transactional backup procedures such as 2-phase commit, compensation mechanisms or others. Computer program product or computer program products which can be loaded into the internal memory of a digital computer (s) and software code sections, with which the method according to claim 1 is carried out when the product or the products on one or more computers are running. Computer program product or computer program products, with which the method according to claim 1 is performed and which are stored on a computer-suitable medium and distributed and / or distributed by a download service and / or distributed.

Images