US20130067239A1 - Framework and method for secure data management in a diversified platform - Google Patents
Framework and method for secure data management in a diversified platform Download PDFInfo
- Publication number
- US20130067239A1 US20130067239A1 US13/327,547 US201113327547A US2013067239A1 US 20130067239 A1 US20130067239 A1 US 20130067239A1 US 201113327547 A US201113327547 A US 201113327547A US 2013067239 A1 US2013067239 A1 US 2013067239A1
- Authority
- US
- United States
- Prior art keywords
- computing device
- enterprise server
- enterprise
- user
- keys
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
- G06F21/335—User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
Definitions
- the present disclosure relates generally to the field of data management.
- the present disclosure relates to secure data management in a diversified platform.
- the method comprises: enabling, by an enterprise server, a user to download an enterprise application from the enterprise server using a computing device.
- User authentication credentials are provided by the enterprise server to a user when the user registers with the enterprise server.
- a unique client ID is assigned for the enterprise application downloaded by the computing device by the enterprise server.
- Keys for data encryption or decryption are generated by the enterprise server, for different services provided by the enterprise server based on a combination of the unique client ID, a user ID and/or a computing device ID.
- the method further comprises: enabling the enterprise server to provide a list of services, a first set of keys for data encryption or decryption and a first set of predefined encryption or decryption algorithms corresponding to the list of services to the computing device.
- the method further comprises: enabling the computing device to launch the enterprise application and retrieve the first set of keys for data encryption or decryption and the first set of predefined encryption or decryption algorithms from the enterprise server.
- the method further comprises: enabling the user to select an appropriate service from the list of the services provided by the enterprise server upon successful authentication of the user by the enterprise server, where the services may be bundled along with the enterprise application at the time of downloading the enterprise application.
- Data that is yet to be stored or already stored in the computing device is encrypted and/or decrypted by using at least one key from among the first set of keys and at least one encryption or decryption algorithm from among the first set of encryption or decryption algorithm corresponding to the service selected by the user.
- the method further comprises: deleting the information pertaining to the keys and the predefined encryption or decryption algorithms whenever the computing device exits the enterprise application.
- a framework for secure data management comprises an enterprise server that is configured to enable a user to download an enterprise application from the enterprise server using a computing device, provide user authentication credentials when a user registers with the enterprise server and assign a unique client ID for the enterprise application that is downloaded by the computing device from the enterprise server.
- the enterprise server generates keys for data encryption or decryption for different services provided by the enterprise server based on the unique client ID, the user ID and/or a computing device ID, provides a list of services, a first set of keys for data encryption or decryption and a first set of predefined encryption or decryption algorithms corresponding to the list of services to the computing device.
- the computing device is configured to launch the enterprise application that is downloaded, and retrieve the first set of keys for encryption or decryption and the first set of predefined encryption or decryption algorithms from the enterprise server.
- the user selects an appropriate service from the list of services provided by the enterprise server upon successful authentication of the user by the enterprise server using the computing device, where the services may be bundled along with the enterprise application at the time of downloading the enterprise application.
- the data that is yet to be stored or already stored in the computing device is encrypted and/or decrypted by using at least one key from among the first set of keys and at least one encryption or decryption algorithm from among the first set of encryption or decryption algorithm corresponding to the service selected by the user.
- the enterprise application further deletes the information pertaining to the keys and the predefined encryption or decryption algorithms whenever the computing device exits the enterprise application.
- FIG. 1 shows a flow chart describing a method for secure data management, in accordance with an embodiment
- FIG. 2 shows a flow chart describing steps involved when a user notifies the utilization of a new device for accessing an enterprise application, in accordance with an embodiment
- FIG. 3 is a framework 300 for secure data management, in accordance with an embodiment.
- FIG. 4 illustrates a generalized example of a computing environment 400 .
- FIG. 1 shows a flow chart describing a method for secure data management, in accordance with an embodiment of the present invention.
- a user downloads an enterprise application from the enterprise server using a first computing device at step 102 .
- the enterprise server provides user authentication credentials to the user when the user registers with the enterprise server.
- the enterprise server assigns a unique client ID to the enterprise application that is downloaded.
- the enterprise server generates keys for data encryption or decryption for different services provided by the enterprise server based on a combination of a unique client ID, a user ID, and a computing device ID, where the computing device ID is optional.
- the enterprise server provides a list of services to the computing device.
- the enterprise server provides a first set of keys for encryption or decryption and information pertaining to a first set of encryption or decryption algorithms corresponding to the list of services to the first computing device.
- the first computing device launches the enterprise application that is downloaded and at step 116 , the first set of keys for encryption or decryption and the first set of encryption or decryption algorithms corresponding to the list of services are retrieved from the enterprise server by the first computing device, where the first set of keys for encryption or decryption and the information pertaining to the first set of encryption or decryption algorithms are shared via secure channel like HTTPS.
- the user selects an appropriate service from the list of services by using the first computing device.
- the data that is yet to be stored or already stored in the first computing device is encrypted or decrypted based on one of the keys from the first set of keys for encryption or decryption and by one of the algorithms from the first set of algorithms for encryption or decryption corresponding to the service selected by the user.
- the information pertaining to the keys and the predefined encryption or decryption algorithms are deleted whenever the first computing device exits the enterprise application.
- the first computing device performs the steps 114 - 122 every time the enterprise application is launched in the first computing device.
- FIG. 2 shows a flow chart describing steps involved when a user notifies the utilization of a new device for accessing an enterprise application, in accordance with an embodiment of the present invention.
- the enterprise server takes a backup of the data that is stored on the first computing device and synchronizes a second computing device with the backup data.
- the enterprise application that is downloaded in the first computing device is blocked by the enterprise server.
- FIG. 3 is a framework 300 for secure data management, in accordance with an embodiment of the present invention.
- framework 300 includes an enterprise server 302 , which enables a user to download an enterprise application [not shown in the figure] from the enterprise server using a first computing device 304 and assign a unique client ID for the enterprise application.
- Enterprise server 302 also provides user authentication credentials to a user when the user registers with enterprise server 302 .
- Enterprise server 302 generates keys for data encryption or decryption for different services provided by enterprise server 302 based on a combination of the unique client ID, the user ID and a computing device ID, where the computing device ID is optional.
- the unique client ID, user ID and the computing device ID could be numbers or alphabets or a combination of alphabets and numbers.
- Enterprise server 302 provides a list of services, a first set of keys for data encryption or decryption and information pertaining to a first set of predefined encryption or decryption algorithms corresponding to the list of services to the first computing device 304 a .
- Services provided by enterprise server can be a cheque book request on a banking application or employee accessing critical work information from the enterprise server.
- First computing device 304 a launches the enterprise application that is downloaded from enterprise server 302 .
- First computing device 304 a also retrieves the first set of keys for data encryption or decryption and the information pertaining to the first set of predefined encryption or decryption algorithms via a secure channel, such as HTTPS.
- the user selects an appropriate service from the list of services provided by the enterprise server using first computing device 304 a upon successful authentication of the user by the enterprise server 302 .
- the computing device could be a mobile device, PDA, desktop, notebook, tablet, netbook, laptop, ultrabook etc.
- the data that is yet to be stored or already stored in first computing device 304 a is encrypted or decrypted by using at least one key from among the first set of keys and at least one algorithm from among the first set of encryption or decryption algorithm corresponding to the service selected by the user.
- the enterprise application that is downloaded in first computing device 304 a is configured to delete information pertaining to the keys and the predefined encryption or decryption algorithms, provided by enterprise server 302 whenever the first computing device 304 a exits the enterprise application.
- enterprise server 302 is further configured to share same or different keys for different services provided by enterprise server 302 .
- enterprise server 302 may utilize the same or different predefined encryption or decryption algorithms for each service provided by enterprise server 302 .
- enterprise server 302 replaces at least one key from the first set of keys with at least one key from among a second set of keys at any instant of time and notifies about the change in the keys to the enterprise application.
- Enterprise server 302 provides the first set of keys and the second set of keys to the enterprise application to enable the enterprise application to decrypt the data stored in the computing device by using the first set of keys, and then encrypt and store the data by using the second of keys.
- Enterprise server 302 may replace at least one of the predefined encryption or decryption algorithm from the first set of predefined encryption or decryption algorithms at any instant of time and notifies about the change in the predefined encryption or decryption algorithms to the enterprise application.
- Enterprise server 302 provides both the first set of predefined encryption or decryption algorithms and the second set of predefined encryption or decryption algorithms to the enterprise application to enable the enterprise application to decrypt the data stored in first computing device 304 a by using the first set of predefined encryption or decryption algorithms and then encrypt and store the data by using the second set of predefined encryption or decryption algorithms.
- Enterprise server 302 is configured to handle various scenarios, wherein the invention is not intended to be limited to scenarios described below.
- enterprise server 302 is configured to allow the user to register with the enterprise server using multiple computing devices ( 304 a - 304 n ). In such a case, enterprise server 302 allows the user to download the enterprise application in multiple computing devices ( 304 a - 304 n ) and assigns unique client ID for each enterprise application that is downloaded in multiple computing devices ( 304 a - 304 n ). Enterprise server 302 is configured to provide first set of keys and first set of encryption or decryption algorithms to the multiple computing devices ( 304 a - 304 n ) or different sets of keys and sets of encryption or decryption algorithms for data encryption or decryption.
- the user may notify enterprise server 302 that a second computing device 304 b would be utilized for accessing the enterprise application in place of first computing device 304 a .
- enterprise server 302 is configured to back up the data that is stored in first computing device 304 a and synchronize the second computing device 304 b with the backup data when the user notifies enterprise server 302 that second computing device 304 b would be utilized in place of the first computing device 304 a henceforth for accessing the enterprise application.
- Enterprise server 302 further blocks the enterprise application that is downloaded in first computing device 304 a and issues a new client ID, a new set of keys for encryption or decryption and a new set of predefined encryption or decryption algorithms for the enterprise application that is downloaded in second computing device 304 b.
- enterprise server 302 allows the user to download a new version of the enterprise application in first computing device 304 a .
- enterprise server 302 is configured to back up the data stored in first computing device 304 a and retains the backup data in first computing device 304 a when first computing device 304 a completes downloading the new version of the enterprise application.
- Enterprise server 302 may also avoid retaining the backup data in the first computing device 304 a on completion of downloading the new version of the enterprise application in first computing device 304 a .
- enterprise server 302 may choose to utilize the first set of keys for encryption or decryption before and after the downloading of the new version of the enterprise application or issue a different set of keys after downloading of the new version of the enterprise application for data encryption or decryption.
- enterprise server 302 may handle scenario such as stolen computing device or incorrect entry of user authentication credentials for several attempts by blocking first computing device 304 a from accessing the enterprise application and deleting the data stored in first computing device 304 a on a first access when (i) the user reports that first computing device 304 a is stolen or (ii) upon incorrect entry of user authentication credentials for several attempts.
- Enterprise server 302 also applies camouflage techniques to the data stored in first computing device 304 a and provides incorrect data when an intruder decrypts the data stored in first computing device 304 a.
- enterprise server 302 allows multiple users to access the enterprise application by utilizing first computing device 304 a .
- enterprise server 302 assigns only one client ID to the enterprise application downloaded in first computing device 304 a , wherein the client ID is associated with multiple user IDs.
- the enterprise application assigns different locations for storing the encrypted data for individual users in first computing device 304 a and the location information is shared with the corresponding users upon successful authentication of the user with enterprise server 302 .
- FIG. 4 illustrates a generalized example of a computing environment 400 .
- the computing environment 400 is not intended to suggest any limitation as to scope of use or functionality of described embodiments.
- the computing environment 400 includes at least one processing unit 410 and memory 420 .
- the processing unit 410 executes computer-executable instructions and may be a real or a virtual processor. In a multi-processing system, multiple processing units execute computer-executable instructions to increase processing power.
- the memory 420 may be volatile memory (e.g., registers, cache, RAM), non-volatile memory (e.g., ROM, EEPROM, flash memory, etc.), or some combination of the two. In some embodiments, the memory 420 stores software 480 implementing described techniques.
- a computing environment may have additional features.
- the computing environment 400 includes storage 440 , one or more input devices 450 , one or more output devices 460 , and one or more communication connections 470 .
- An interconnection mechanism such as a bus, controller, or network interconnects the components of the computing environment 400 .
- operating system software provides an operating environment for other software executing in the computing environment 400 , and coordinates activities of the components of the computing environment 400 .
- the storage 440 may be removable or non-removable, and includes magnetic disks, magnetic tapes or cassettes, CD-ROMs, CD-RWs, DVDs, or any other medium which can be used to store information and which can be accessed within the computing environment 400 .
- the storage 440 stores instructions for the software 480 .
- the input device(s) 450 may be a touch input device such as a keyboard, mouse, pen, trackball, touch screen, or game controller, a voice input device, a scanning device, a digital camera, or another device that provides input to the computing environment 400 .
- the output device(s) 460 may be a display, printer, speaker, or another device that provides output from the computing environment 400 .
- the communication connection(s) 470 enable communication over a communication medium to another computing entity.
- the communication medium conveys information such as computer-executable instructions, audio or video information, or other data in a modulated data signal.
- a modulated data signal is a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
- communication media include wired or wireless techniques implemented with an electrical, optical, RF, infrared, acoustic, or other carrier.
- Computer-readable media are any available media that can be accessed within a computing environment.
- Computer-readable media include memory 420 , storage 440 , communication media, and combinations of any of the above.
- Any of the computer-readable media herein can be non-transitory (e.g., volatile or non-volatile memory, magnetic storage, optical storage, or the like).
- Any of the storing actions described herein can be implemented by storing in one or more computer-readable media (e.g., computer-readable storage media or other tangible media).
- computer-readable media e.g., computer-readable storage media or other tangible media.
- Any of the things described as stored can be stored in one or more computer-readable media (e.g., computer-readable storage media or other tangible media).
- computer-readable media e.g., computer-readable storage media or other tangible media.
- Any of the methods described herein can be implemented by computer-executable instructions in (e.g., encoded on) one or more computer-readable media (e.g., computer-readable storage media or other tangible media). Such instructions can cause a computer to perform the method.
- computer-executable instructions e.g., encoded on
- computer-readable media e.g., computer-readable storage media or other tangible media.
- Such instructions can cause a computer to perform the method.
- the technologies described herein can be implemented in a variety of programming languages.
- Any of the methods described herein can be implemented by computer-executable instructions stored in one or more computer-readable storage devices (e.g., memory, magnetic storage, optical storage, or the like). Such instructions can cause a computer to perform the method.
- computer-executable instructions stored in one or more computer-readable storage devices (e.g., memory, magnetic storage, optical storage, or the like). Such instructions can cause a computer to perform the method.
Abstract
Description
- The present disclosure relates generally to the field of data management. In particular, the present disclosure relates to secure data management in a diversified platform.
- Developments in secure management of data have made a revolutionary change in services such as banking, insurance etc. Typically, data management is securely handled by following different standards for a single platform or for multiple platforms. Different platforms provide different levels of security. A few of these platforms may support secured storage of data while others may not. When an application is targeted for different platforms, different approaches are required for different platforms adding to the complexity. Further, additional complexities such as upgrading of application/handsets, using multiple devices to access, stolen handsets, and multiple user access on the same handset are not addressed.
- Hence, there is a need for a unique security framework that ensures uniform level of secure data management for computing devices running on multiple platforms.
- The present disclosure relates to a method and a framework for secure data management. In various embodiments, the method comprises: enabling, by an enterprise server, a user to download an enterprise application from the enterprise server using a computing device. User authentication credentials are provided by the enterprise server to a user when the user registers with the enterprise server. A unique client ID is assigned for the enterprise application downloaded by the computing device by the enterprise server. Keys for data encryption or decryption are generated by the enterprise server, for different services provided by the enterprise server based on a combination of the unique client ID, a user ID and/or a computing device ID.
- The method further comprises: enabling the enterprise server to provide a list of services, a first set of keys for data encryption or decryption and a first set of predefined encryption or decryption algorithms corresponding to the list of services to the computing device.
- The method further comprises: enabling the computing device to launch the enterprise application and retrieve the first set of keys for data encryption or decryption and the first set of predefined encryption or decryption algorithms from the enterprise server.
- The method further comprises: enabling the user to select an appropriate service from the list of the services provided by the enterprise server upon successful authentication of the user by the enterprise server, where the services may be bundled along with the enterprise application at the time of downloading the enterprise application. Data that is yet to be stored or already stored in the computing device is encrypted and/or decrypted by using at least one key from among the first set of keys and at least one encryption or decryption algorithm from among the first set of encryption or decryption algorithm corresponding to the service selected by the user.
- The method further comprises: deleting the information pertaining to the keys and the predefined encryption or decryption algorithms whenever the computing device exits the enterprise application.
- In various embodiments, a framework for secure data management comprises an enterprise server that is configured to enable a user to download an enterprise application from the enterprise server using a computing device, provide user authentication credentials when a user registers with the enterprise server and assign a unique client ID for the enterprise application that is downloaded by the computing device from the enterprise server.
- The enterprise server generates keys for data encryption or decryption for different services provided by the enterprise server based on the unique client ID, the user ID and/or a computing device ID, provides a list of services, a first set of keys for data encryption or decryption and a first set of predefined encryption or decryption algorithms corresponding to the list of services to the computing device.
- The computing device is configured to launch the enterprise application that is downloaded, and retrieve the first set of keys for encryption or decryption and the first set of predefined encryption or decryption algorithms from the enterprise server.
- The user selects an appropriate service from the list of services provided by the enterprise server upon successful authentication of the user by the enterprise server using the computing device, where the services may be bundled along with the enterprise application at the time of downloading the enterprise application.
- The data that is yet to be stored or already stored in the computing device is encrypted and/or decrypted by using at least one key from among the first set of keys and at least one encryption or decryption algorithm from among the first set of encryption or decryption algorithm corresponding to the service selected by the user.
- The enterprise application further deletes the information pertaining to the keys and the predefined encryption or decryption algorithms whenever the computing device exits the enterprise application.
- These and other features, aspects, and advantages will be better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:
-
FIG. 1 shows a flow chart describing a method for secure data management, in accordance with an embodiment; -
FIG. 2 shows a flow chart describing steps involved when a user notifies the utilization of a new device for accessing an enterprise application, in accordance with an embodiment; -
FIG. 3 is aframework 300 for secure data management, in accordance with an embodiment; and -
FIG. 4 illustrates a generalized example of acomputing environment 400. - The following description is the full and informative description of the best method and system presently contemplated for carrying out the present invention which is known to the inventors at the time of filing the patent application. Of course, many modifications and adaptations will be apparent to those skilled in the relevant arts in view of the following description in view of the accompanying drawings and the appended claims. While the system and method described herein are provided with a certain degree of specificity, the present technique may be implemented with either greater or lesser specificity, depending on the needs of the user. Further, some of the features of the present technique may be used to get an advantage without the corresponding use of other features described in the following paragraphs. As such, the present description should be considered as merely illustrative of the principles of the present technique and not in limitation thereof, since the present technique is defined solely by the claims.
-
FIG. 1 shows a flow chart describing a method for secure data management, in accordance with an embodiment of the present invention. In various embodiments, a user downloads an enterprise application from the enterprise server using a first computing device atstep 102. At step 104, the enterprise server provides user authentication credentials to the user when the user registers with the enterprise server. Atstep 106, the enterprise server assigns a unique client ID to the enterprise application that is downloaded. - At
step 108, the enterprise server generates keys for data encryption or decryption for different services provided by the enterprise server based on a combination of a unique client ID, a user ID, and a computing device ID, where the computing device ID is optional. - At
step 110, the enterprise server provides a list of services to the computing device. Atstep 112, the enterprise server provides a first set of keys for encryption or decryption and information pertaining to a first set of encryption or decryption algorithms corresponding to the list of services to the first computing device. - At
step 114, the first computing device launches the enterprise application that is downloaded and atstep 116, the first set of keys for encryption or decryption and the first set of encryption or decryption algorithms corresponding to the list of services are retrieved from the enterprise server by the first computing device, where the first set of keys for encryption or decryption and the information pertaining to the first set of encryption or decryption algorithms are shared via secure channel like HTTPS. - At
step 118, the user selects an appropriate service from the list of services by using the first computing device. - At step 120, the data that is yet to be stored or already stored in the first computing device is encrypted or decrypted based on one of the keys from the first set of keys for encryption or decryption and by one of the algorithms from the first set of algorithms for encryption or decryption corresponding to the service selected by the user.
- At
step 122, the information pertaining to the keys and the predefined encryption or decryption algorithms are deleted whenever the first computing device exits the enterprise application. - It should be noted that the first computing device performs the steps 114-122 every time the enterprise application is launched in the first computing device.
-
FIG. 2 shows a flow chart describing steps involved when a user notifies the utilization of a new device for accessing an enterprise application, in accordance with an embodiment of the present invention. In various embodiments, when the user notifies the enterprise server about the utilization of a new device for accessing the enterprise application, atstep 202, the enterprise server takes a backup of the data that is stored on the first computing device and synchronizes a second computing device with the backup data. Atstep 204, the enterprise application that is downloaded in the first computing device is blocked by the enterprise server. -
FIG. 3 is aframework 300 for secure data management, in accordance with an embodiment of the present invention. In various embodiments,framework 300 includes anenterprise server 302, which enables a user to download an enterprise application [not shown in the figure] from the enterprise server using a first computing device 304 and assign a unique client ID for the enterprise application.Enterprise server 302 also provides user authentication credentials to a user when the user registers withenterprise server 302.Enterprise server 302 generates keys for data encryption or decryption for different services provided byenterprise server 302 based on a combination of the unique client ID, the user ID and a computing device ID, where the computing device ID is optional. The unique client ID, user ID and the computing device ID could be numbers or alphabets or a combination of alphabets and numbers. -
Enterprise server 302 provides a list of services, a first set of keys for data encryption or decryption and information pertaining to a first set of predefined encryption or decryption algorithms corresponding to the list of services to thefirst computing device 304 a. Services provided by enterprise server can be a cheque book request on a banking application or employee accessing critical work information from the enterprise server. -
First computing device 304 a launches the enterprise application that is downloaded fromenterprise server 302.First computing device 304 a also retrieves the first set of keys for data encryption or decryption and the information pertaining to the first set of predefined encryption or decryption algorithms via a secure channel, such as HTTPS. - The user selects an appropriate service from the list of services provided by the enterprise server using
first computing device 304 a upon successful authentication of the user by theenterprise server 302. The computing device could be a mobile device, PDA, desktop, notebook, tablet, netbook, laptop, ultrabook etc. In accordance with an embodiment of the present invention, the data that is yet to be stored or already stored infirst computing device 304 a is encrypted or decrypted by using at least one key from among the first set of keys and at least one algorithm from among the first set of encryption or decryption algorithm corresponding to the service selected by the user. - The enterprise application that is downloaded in
first computing device 304 a is configured to delete information pertaining to the keys and the predefined encryption or decryption algorithms, provided byenterprise server 302 whenever thefirst computing device 304 a exits the enterprise application. - In accordance with various embodiments,
enterprise server 302 is further configured to share same or different keys for different services provided byenterprise server 302. - Similarly,
enterprise server 302 may utilize the same or different predefined encryption or decryption algorithms for each service provided byenterprise server 302. In an embodiment,enterprise server 302 replaces at least one key from the first set of keys with at least one key from among a second set of keys at any instant of time and notifies about the change in the keys to the enterprise application.Enterprise server 302 provides the first set of keys and the second set of keys to the enterprise application to enable the enterprise application to decrypt the data stored in the computing device by using the first set of keys, and then encrypt and store the data by using the second of keys. -
Enterprise server 302 may replace at least one of the predefined encryption or decryption algorithm from the first set of predefined encryption or decryption algorithms at any instant of time and notifies about the change in the predefined encryption or decryption algorithms to the enterprise application.Enterprise server 302 provides both the first set of predefined encryption or decryption algorithms and the second set of predefined encryption or decryption algorithms to the enterprise application to enable the enterprise application to decrypt the data stored infirst computing device 304 a by using the first set of predefined encryption or decryption algorithms and then encrypt and store the data by using the second set of predefined encryption or decryption algorithms. -
Enterprise server 302 is configured to handle various scenarios, wherein the invention is not intended to be limited to scenarios described below. - In accordance with various embodiments,
enterprise server 302 is configured to allow the user to register with the enterprise server using multiple computing devices (304 a-304 n). In such a case,enterprise server 302 allows the user to download the enterprise application in multiple computing devices (304 a-304 n) and assigns unique client ID for each enterprise application that is downloaded in multiple computing devices (304 a-304 n).Enterprise server 302 is configured to provide first set of keys and first set of encryption or decryption algorithms to the multiple computing devices (304 a-304 n) or different sets of keys and sets of encryption or decryption algorithms for data encryption or decryption. - In accordance with various embodiments, the user may notify
enterprise server 302 that asecond computing device 304 b would be utilized for accessing the enterprise application in place offirst computing device 304 a. In such a scenario,enterprise server 302 is configured to back up the data that is stored infirst computing device 304 a and synchronize thesecond computing device 304 b with the backup data when the user notifiesenterprise server 302 thatsecond computing device 304 b would be utilized in place of thefirst computing device 304 a henceforth for accessing the enterprise application.Enterprise server 302 further blocks the enterprise application that is downloaded infirst computing device 304 a and issues a new client ID, a new set of keys for encryption or decryption and a new set of predefined encryption or decryption algorithms for the enterprise application that is downloaded insecond computing device 304 b. - In accordance with various embodiments,
enterprise server 302 allows the user to download a new version of the enterprise application infirst computing device 304 a. In such a scenario,enterprise server 302 is configured to back up the data stored infirst computing device 304 a and retains the backup data infirst computing device 304 a whenfirst computing device 304 a completes downloading the new version of the enterprise application.Enterprise server 302 may also avoid retaining the backup data in thefirst computing device 304 a on completion of downloading the new version of the enterprise application infirst computing device 304 a. However, it should be noted that in both the cases,enterprise server 302 may choose to utilize the first set of keys for encryption or decryption before and after the downloading of the new version of the enterprise application or issue a different set of keys after downloading of the new version of the enterprise application for data encryption or decryption. - In accordance with various embodiments,
enterprise server 302 may handle scenario such as stolen computing device or incorrect entry of user authentication credentials for several attempts by blockingfirst computing device 304 a from accessing the enterprise application and deleting the data stored infirst computing device 304 a on a first access when (i) the user reports thatfirst computing device 304 a is stolen or (ii) upon incorrect entry of user authentication credentials for several attempts.Enterprise server 302 also applies camouflage techniques to the data stored infirst computing device 304 a and provides incorrect data when an intruder decrypts the data stored infirst computing device 304 a. - In accordance with various embodiments,
enterprise server 302 allows multiple users to access the enterprise application by utilizingfirst computing device 304 a. In such a scenario,enterprise server 302 assigns only one client ID to the enterprise application downloaded infirst computing device 304 a, wherein the client ID is associated with multiple user IDs. The enterprise application assigns different locations for storing the encrypted data for individual users infirst computing device 304 a and the location information is shared with the corresponding users upon successful authentication of the user withenterprise server 302. - One or more of the above-described techniques can be implemented in or involve one or more computer systems.
FIG. 4 illustrates a generalized example of acomputing environment 400. Thecomputing environment 400 is not intended to suggest any limitation as to scope of use or functionality of described embodiments. - With reference to
FIG. 4 , thecomputing environment 400 includes at least oneprocessing unit 410 andmemory 420. InFIG. 4 , this mostbasic configuration 430 is included within a dashed line. Theprocessing unit 410 executes computer-executable instructions and may be a real or a virtual processor. In a multi-processing system, multiple processing units execute computer-executable instructions to increase processing power. Thememory 420 may be volatile memory (e.g., registers, cache, RAM), non-volatile memory (e.g., ROM, EEPROM, flash memory, etc.), or some combination of the two. In some embodiments, thememory 420stores software 480 implementing described techniques. - A computing environment may have additional features. For example, the
computing environment 400 includesstorage 440, one ormore input devices 450, one ormore output devices 460, and one or more communication connections 470. An interconnection mechanism (not shown) such as a bus, controller, or network interconnects the components of thecomputing environment 400. Typically, operating system software (not shown) provides an operating environment for other software executing in thecomputing environment 400, and coordinates activities of the components of thecomputing environment 400. - The
storage 440 may be removable or non-removable, and includes magnetic disks, magnetic tapes or cassettes, CD-ROMs, CD-RWs, DVDs, or any other medium which can be used to store information and which can be accessed within thecomputing environment 400. In some embodiments, thestorage 440 stores instructions for thesoftware 480. - The input device(s) 450 may be a touch input device such as a keyboard, mouse, pen, trackball, touch screen, or game controller, a voice input device, a scanning device, a digital camera, or another device that provides input to the
computing environment 400. The output device(s) 460 may be a display, printer, speaker, or another device that provides output from thecomputing environment 400. - The communication connection(s) 470 enable communication over a communication medium to another computing entity. The communication medium conveys information such as computer-executable instructions, audio or video information, or other data in a modulated data signal. A modulated data signal is a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media include wired or wireless techniques implemented with an electrical, optical, RF, infrared, acoustic, or other carrier.
- Implementations can be described in the general context of computer-readable media. Computer-readable media are any available media that can be accessed within a computing environment. By way of example, and not limitation, within the
computing environment 400, computer-readable media includememory 420,storage 440, communication media, and combinations of any of the above. - Any of the computer-readable media herein can be non-transitory (e.g., volatile or non-volatile memory, magnetic storage, optical storage, or the like).
- Any of the storing actions described herein can be implemented by storing in one or more computer-readable media (e.g., computer-readable storage media or other tangible media).
- Any of the things described as stored can be stored in one or more computer-readable media (e.g., computer-readable storage media or other tangible media).
- Any of the methods described herein can be implemented by computer-executable instructions in (e.g., encoded on) one or more computer-readable media (e.g., computer-readable storage media or other tangible media). Such instructions can cause a computer to perform the method. The technologies described herein can be implemented in a variety of programming languages.
- Any of the methods described herein can be implemented by computer-executable instructions stored in one or more computer-readable storage devices (e.g., memory, magnetic storage, optical storage, or the like). Such instructions can cause a computer to perform the method.
- Having described and illustrated the principles of our invention with reference to described embodiments, it will be recognized that the described embodiments can be modified in arrangement and detail without departing from such principles. It should be understood that the programs, processes, or methods described herein are not related or limited to any particular type of computing environment, unless indicated otherwise. Various types of general purpose or specialized computing environments may be used with or perform operations in accordance with the teachings described herein. Elements of the described embodiments shown in software may be implemented in hardware and vice versa.
- As will be appreciated by those ordinary skilled in the art, the foregoing example, demonstrations, and method steps may be implemented by suitable code on a processor base system, such as general purpose or special purpose computer. It should also be noted that different implementations of the present technique may perform some or all the steps described herein in different orders or substantially concurrently, that is, in parallel. Furthermore, the functions may be implemented in a variety of programming languages. Such code, as will be appreciated by those of ordinary skilled in the art, may be stored or adapted for storage in one or more tangible machine readable media, such as on memory chips, local or remote hard disks, optical disks or other media, which may be accessed by a processor based system to execute the stored code. Note that the tangible media may comprise paper or another suitable medium upon which the instructions are printed. For instance, the instructions may be electronically captured via optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
- The foregoing description is presented to enable a person of ordinary skill in the art to make and use the invention and is provided in the context of the requirement for a obtaining a patent. The present description is the best presently-contemplated method for carrying out the present invention. Various modifications to the preferred embodiment will be readily apparent to those skilled in the art and the generic principles of the present invention may be applied to other embodiments, and some features of the present invention may be used without the corresponding use of other features. Accordingly, the present invention is not intended to be limited to the embodiment shown but is to be accorded the widest scope consistent with the principles and features described herein.
Claims (39)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IN3151CH2011 | 2011-09-14 | ||
IN3151/CHE/2011 | 2011-09-14 |
Publications (2)
Publication Number | Publication Date |
---|---|
US20130067239A1 true US20130067239A1 (en) | 2013-03-14 |
US8412955B1 US8412955B1 (en) | 2013-04-02 |
Family
ID=47830925
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/327,547 Active 2031-12-19 US8412955B1 (en) | 2011-09-14 | 2011-12-15 | Framework and method for secure data management in a diversified platform |
Country Status (1)
Country | Link |
---|---|
US (1) | US8412955B1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130262855A1 (en) * | 2012-03-28 | 2013-10-03 | Hon Hai Precision Industry Co., Ltd. | Document encrypting system and method using same |
US20170156057A1 (en) * | 2015-11-29 | 2017-06-01 | International Business Machines Corporation | Securing enterprise data on mobile devices |
WO2018235061A1 (en) * | 2017-06-23 | 2018-12-27 | Flux7 Labs Inc | Method, system, and platform for implementing an enterprise devops framework (edf) |
US11122014B2 (en) * | 2019-01-25 | 2021-09-14 | V440 Spółka Akcyjna | User device and method of providing notification in messaging application on user device |
US11343094B2 (en) * | 2020-01-13 | 2022-05-24 | i2Chain, Inc. | Methods and systems for encrypting shared information through its lifecycle |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10033704B2 (en) * | 2015-11-29 | 2018-07-24 | International Business Machines Corporation | Securing enterprise data on mobile devices |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8095972B1 (en) * | 2008-10-06 | 2012-01-10 | Southern Company Services, Inc. | Secure authentication for web-based applications |
-
2011
- 2011-12-15 US US13/327,547 patent/US8412955B1/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8095972B1 (en) * | 2008-10-06 | 2012-01-10 | Southern Company Services, Inc. | Secure authentication for web-based applications |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130262855A1 (en) * | 2012-03-28 | 2013-10-03 | Hon Hai Precision Industry Co., Ltd. | Document encrypting system and method using same |
US20170156057A1 (en) * | 2015-11-29 | 2017-06-01 | International Business Machines Corporation | Securing enterprise data on mobile devices |
US20170155505A1 (en) * | 2015-11-29 | 2017-06-01 | International Business Machines Corporation | Securing enterprise data on mobile devices |
US10028135B2 (en) * | 2015-11-29 | 2018-07-17 | International Business Machines Corporation | Securing enterprise data on mobile devices |
US10038551B2 (en) * | 2015-11-29 | 2018-07-31 | International Business Machines Corporation | Securing enterprise data on mobile devices |
WO2018235061A1 (en) * | 2017-06-23 | 2018-12-27 | Flux7 Labs Inc | Method, system, and platform for implementing an enterprise devops framework (edf) |
US11122014B2 (en) * | 2019-01-25 | 2021-09-14 | V440 Spółka Akcyjna | User device and method of providing notification in messaging application on user device |
US11343094B2 (en) * | 2020-01-13 | 2022-05-24 | i2Chain, Inc. | Methods and systems for encrypting shared information through its lifecycle |
Also Published As
Publication number | Publication date |
---|---|
US8412955B1 (en) | 2013-04-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10762229B2 (en) | Secure searchable and shareable remote storage system and method | |
US9430211B2 (en) | System and method for sharing information in a private ecosystem | |
US9037870B1 (en) | Method and system for providing a rotating key encrypted file system | |
US8412955B1 (en) | Framework and method for secure data management in a diversified platform | |
US20140281520A1 (en) | Secure cloud data sharing | |
KR20210061426A (en) | Double-encrypted secret portion allowing assembly of the secret using a subset of the double-encrypted secret portion | |
KR20230157929A (en) | Transfer cryptocurrency from a remote access restricted wallet | |
US8181028B1 (en) | Method for secure system shutdown | |
US10630722B2 (en) | System and method for sharing information in a private ecosystem | |
US10630474B2 (en) | Method and system for encrypted data synchronization for secure data management | |
US11250143B2 (en) | Method and system for implementing an encryption SDK | |
CN110221990B (en) | Data storage method and device, storage medium and computer equipment | |
US11075753B2 (en) | System and method for cryptographic key fragments management | |
CN103973646A (en) | Method, client device and system for storing services by aid of public cloud | |
CN111414628A (en) | Data storage method and device and computing equipment | |
US11343094B2 (en) | Methods and systems for encrypting shared information through its lifecycle | |
EP3557470B1 (en) | System and method for secure data handling | |
CN109995774B (en) | Key authentication method, system, device and storage medium based on partial decryption | |
CN105553661A (en) | Key management method and apparatus | |
CN112052432A (en) | Terminal device authorization method and device | |
CN102404363A (en) | Access method and access device | |
US10043015B2 (en) | Method and apparatus for applying a customer owned encryption | |
CN112306582A (en) | Configuration variable encryption and decryption method and device, computer equipment and readable storage medium | |
JP2011164907A (en) | Information management system | |
JP2020155801A (en) | Information management system and method therefor |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: INFOSYS LIMITED, INDIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GUPTA, PUNEET;DARBARI, AKSHAY;SIVARAMAMURTHY, VENKAT KUMAR;REEL/FRAME:027412/0453 Effective date: 20111215 |
|
FEPP | Fee payment procedure |
Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
FEPP | Fee payment procedure |
Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
CC | Certificate of correction | ||
REMI | Maintenance fee reminder mailed | ||
FPAY | Fee payment |
Year of fee payment: 4 |
|
SULP | Surcharge for late payment | ||
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |