(12) United States Patent
Redberg

(10) Patent No.: US 9,280,678 B2
(45) Date of Patent: Mar. 8, 2016

(54) SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

(71) Applicant: Fortinet, Inc., Sunnyvale, CA (US)

(72) Inventor: David A. Redberg, Sunnyvale, CA (US)

(73) Assignee: Fortinet, Inc., Sunnyvale, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 133 days.

(21) Appl. No.: 14/094,484

(22) Filed: Dec. 2, 2013

(65) Prior Publication Data
US 2015/0154418 A1, Jun. 4, 2015

(51) Int. Cl.
H04L 29/06 (2006.01)
G06F 21/00 (2013.01)
G06F 21/62 (2013.01)
G06F 21/60 (2013.01)
G06F 17/30 (2006.01)

(52) U.S. Cl.
CPC ...... G06F 21/6218 (2013.01); G06F 17/30106 (2013.01); G06F 17/30194 (2013.01); G06F 21/60 (2013.01); G06F 21/602 (2013.01); G06F 21/6227 (2013.01); H04L 63/06 (2013.01); H04L 63/260 (2013.01)

(58) Field of Classification Search
CPC ...... G06F 21/6218
See application file for complete search history.

Primary Examiner: Lisa Lewis
(74) Attorney, Agent, or Firm: Hamilton, DeSanctis & Cha LLP

(57) ABSTRACT

Methods and systems for vendor independent and secure cloud storage distribution and aggregation are provided. According to one embodiment, an application programming interface (API) is provided by a cloud storage gateway device logically interposed between third-party cloud storage platforms and users of an enterprise. The API facilitates storing of files, issuing of search requests against the files and retrieval of content of the files. A file storage policy is assigned to each user, which defines access rights, storage diversity requirements and a type of encryption to be applied to files. Responsive to receiving a request to store a file, (i) searchable encrypted data is created relating to content and/or metadata of the file based on the assigned file storage policy; and (ii) the searchable encrypted data is distributed among the third-party cloud storage platforms based on the storage diversity requirements defined by the assigned file storage policy.

27 Claims, 12 Drawing Sheets

Page 1 of 30
Netskope Exhibit 1001

[Drawing sheet 1 of 12, Fig. 1. Labels: Cloud Store (four instances), Internet, Policy Database, Local Area Network, Data Agent (four instances).]

[Drawing sheet 3 of 12, flow diagram 300. Steps: Start Searchable File Encryption; Receive File to be Encrypted; Partition the File into Multiple Chunks; Encrypt each File Chunk Based on Public and Private Keys such that Namespace is Created for each File Chunk; Process further Obfuscation of Encrypted File Chunks, if any.]

[Drawing sheet 4 of 12, Fig. 3B. Steps: Start Searching in Encrypted Files; Receive Search Query; Evaluate Query to Extract Search Keywords; Convert Search Keywords into Searchable Indexes; Execute Query Based on Searchable Indexes; Receive File Indexes as Results; End.]

[Drawing sheet 6 of 12, Fig. 5. Steps: Start File Upload Onto Cloud Based Containers; Assign Policy to the User; Divide the File into Chunks; Encrypt File Chunks based on the Policy such that each Chunk is Searchable; Store File Chunks across one or more Containers Based on the Policy; End.]

[Drawing sheet 7 of 12, Fig. 6. Steps: Start Search in Encrypted Files; Receive Search Query for Searching Files Stored across one or more Cloud Based Containers; Retrieve Policy Details of User; Convert Search Query Elements into Searchable Indexes; Execute Query on Data Stored on Containers Based on Searchable Indexes; Retrieve Files Matching Query.]

[Drawing sheet 8 of 12, Fig. 7. Steps: Start File Download from Cloud Based Containers; Receive Request for File to be Downloaded; Retrieve Policy Details of User; Does User Policy Allow Downloading?; Extract Matching File Chunks from Multiple Containers of Cloud Based Platform; Save File Chunks on Local Drive.]

[Drawing sheet 12 of 12, Fig. 11. Labels: External Storage Device, Main Memory, Read-Only Memory, Mass Storage Device, Communication Port(s), Processor.]

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

COPYRIGHT NOTICE

Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright © 2013, Fortinet, Inc.

BACKGROUND

1. Field

Embodiments of the present invention generally relate to cloud based data storage. In particular, embodiments of the present invention relate to systems and methods for use of vendor independent secure cloud storage distribution and aggregation.

2. Description of the Related Art

Computing devices have traditionally executed applications and data services locally on respective devices, in which, as the data is accessed, processed, stored, cached, etc., it may travel within the devices over local buses, interfaces and other data pathways. As a result, users of such devices did not have to worry about interference or exposure of user data unless the device itself was lost or stolen. However, with the growing amount of data that is generated and with the evolution of online/Internet based services and cloud storage platforms, applications, content, and services are increasingly being moved to network providers who perform some or all of a given service on behalf of a user’s devices. In such cases, a user may become concerned with who can access, or potentially worse, interfere with, the user’s data while it is uploaded to a service, while it is stored by the service, or while it is retrieved from the service.

It has been recognized that while existing cloud storage providers offer a virtually infinite storage capacity, data owners seek geographical and provider diversity in data placement so that they are not tied to a particular service provider and have the flexibility to switch to another provider without losing data or making significant efforts in data transition. Moreover, with the increasing criticality of data being stored, expectations of users to have more reliable mechanisms in place to ensure availability and durability of the content are also on the rise. On similar lines, instead of storing data within a single cloud, it may also be desired by users to store data across multiple cloud platforms to ensure more security, redundancy, and reduction in potential threat of data compromise.

Furthermore, storage of data in an unencrypted format is always at the risk of a network attack that may lead to the data being compromised. Storage of encrypted data, on the other hand, using existing technologies, makes the files, folders, filenames, and content thereof unsearchable and hence unfriendly for user access. Existing encryption techniques also expose the encrypted content to frequency analysis attacks. Moreover, since the cloud providers control the encryption keys, the data in the cloud can be exposed to attack within the cloud, insider jobs and subpoena, all without the knowledge or consent of the data owner.

Existing techniques for managing distribution and aggregation of content stored by a cloud provider also necessitate service provider and/or vendor specific application programming interfaces (APIs) to be incorporated for storage, access, and processing of the content, making present systems rigid and non-flexible to implementation of policies that allow storage of data across different service providers, allow different cloud storage access rights across users and computing devices, allow searching of downloaded encrypted data across cloud service vendors, among other desired activities.

SUMMARY

Methods and systems are described for vendor independent and secure cloud storage distribution and aggregation. According to one embodiment, a generalized application programming interface (API) is provided by a cloud storage gateway device that is logically interposed between one or more third-party cloud storage platforms and users of an enterprise. The API facilitates storing of files, issuing of search requests against the files and retrieval of content of the files. A file storage policy is assigned by the cloud storage gateway device to each user. The assigned file storage policy defines access rights, storage diversity requirements and a type of encryption to be applied to files for the corresponding user. Responsive to receiving, via the generalized API, a request to store a file, (i) creating, by the cloud storage gateway device, searchable encrypted data corresponding to content of the file and/or metadata associated with the file based on the assigned file storage policy; and (ii) distributing, by the cloud storage gateway device, the searchable encrypted data among one or more third-party cloud storage platforms based on the storage diversity requirements defined by the assigned file storage policy.

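A minimal sketch of the store, search and download flow the summary describes, added here as an illustration and not taken from the patent. The `Policy` fields, the `Gateway` class, the HMAC-based keyword tokens and the HMAC keystream cipher (a standard-library stand-in for an AEAD such as AES-GCM) are all assumptions, and the in-memory dicts stand in for third-party cloud containers.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Hypothetical per-user file storage policy; field names are assumptions."""
    can_download: bool                  # access right checked on download
    min_providers: int                  # storage diversity requirement
    lines_per_chunk: int = 1
    enc_key: bytes = field(default_factory=lambda: os.urandom(32))
    index_key: bytes = field(default_factory=lambda: os.urandom(32))

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (stand-in for a real cipher).
    blocks = (_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    """Encrypt-then-MAC with separate derived keys; returns nonce || ct || tag."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return body + _prf(_prf(key, b"mac"), body)

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), body)):
        raise ValueError("chunk failed integrity check")
    return _xor_stream(_prf(key, b"enc"), body[:16], body[16:])

def tokens(index_key, text):
    """Keyed hash per lower-cased word. Tokens are deterministic, so a container
    learns which chunks share a word, though not the word itself."""
    return {_prf(index_key, b"w:" + w.encode()).hex()
            for w in re.findall(r"\w+", text.lower())}

class Gateway:
    def __init__(self, providers):
        self.providers = providers      # name -> dict standing in for a container
        self.manifest = {}              # file name -> [(provider, object id)]

    def store(self, policy, name, data):
        lines = data.decode().splitlines(keepends=True)
        step = policy.lines_per_chunk
        chunks = ["".join(lines[i:i + step]) for i in range(0, len(lines), step)]
        names = sorted(self.providers)
        if min(len(names), len(chunks)) < policy.min_providers:
            raise ValueError("storage diversity requirement cannot be met")
        placed = []
        for i, chunk in enumerate(chunks):
            provider = names[i % len(names)]            # round-robin placement
            oid = _prf(policy.index_key, f"o:{name}:{i}".encode()).hex()
            self.providers[provider][oid] = {
                "blob": seal(policy.enc_key, chunk.encode()),
                "tokens": tokens(policy.index_key, chunk),
            }
            placed.append((provider, oid))
        self.manifest[name] = placed
        return placed

    def search(self, policy, query):
        # Query words become tokens; containers are matched on tokens only.
        wanted = tokens(policy.index_key, query)
        hits = []
        for name, placed in self.manifest.items():
            found = set()
            for provider, oid in placed:
                found |= self.providers[provider][oid]["tokens"] & wanted
            if wanted and found == wanted:
                hits.append(name)
        return hits

    def download(self, policy, name):
        if not policy.can_download:
            raise PermissionError("policy does not allow downloading")
        return b"".join(unseal(policy.enc_key, self.providers[p][oid]["blob"])
                        for p, oid in self.manifest[name])

# Constructed sample input, not data from the patent.
SAMPLE = b"quarterly revenue forecast\nmerger term sheet\ncafeteria menu\n"

def demo():
    gw = Gateway({"cloud-a": {}, "cloud-b": {}, "cloud-c": {}})
    alice = Policy(can_download=True, min_providers=2)
    placed = gw.store(alice, "plan.txt", SAMPLE)
    return (sorted({p for p, _ in placed}),
            gw.search(alice, "merger revenue"),
            gw.search(alice, "payroll"),
            gw.download(alice, "plan.txt") == SAMPLE)

if __name__ == "__main__":
    print(demo())
```
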
Other features of embodiments of the present disclosure will be apparent from accompanying drawings and from detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

In the Figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

FIG. 1 illustrates an exemplary network architecture in accordance with an embodiment of the present invention.

FIG. 2 illustrates exemplary functional modules of the proposed policy-based framework for secure cloud storage distribution and aggregation in accordance with an embodiment of the present invention.

FIG. 3A illustrates an exemplary flow diagram for generating searchable encrypted files in accordance with an embodiment of the present invention.

FIG. 3B illustrates an exemplary flow diagram for processing search queries for searching encrypted files in accordance with an embodiment of the present invention.

FIGS. 4A-C illustrate an example showing generation of searchable indices from search queries in order to execute search queries on encrypted files in accordance with an embodiment of the present invention.

FIG. 5 illustrates a flow diagram for uploading one or more files onto multiple containers provided by one or more cloud storage providers in accordance with an embodiment of the present invention.

FIG. 6 illustrates a flow diagram for executing search queries on encrypted files stored as one or more containers provided by cloud storage providers in accordance with an embodiment of the present invention.

FIG. 7 illustrates a flow diagram for downloading files from cloud-based storage containers in accordance with an embodiment of the present invention.

FIG. 8 illustrates a sequence diagram for uploading files to cloud-based storage containers in accordance with an embodiment of the present invention.

FIG. 9 illustrates a sequence diagram for searching searchable encrypted files that are stored in cloud-based storage containers in accordance with an embodiment of the present invention.

FIG. 10 illustrates a sequence diagram for downloading files from cloud-based storage containers onto local drives/discs in accordance with an embodiment of the present invention.

FIG. 11 is an example of a computer system with which embodiments of the present invention may be utilized.

DETAILED DESCRIPTION

Systems and methods for a policy-based framework for secure cloud storage distribution and aggregation are described. Methods and systems are also provided for implementing a policy based framework for encrypting, storing, accessing, querying and managing data across one or more cloud platforms. According to one embodiment, a searchable encryption gateway framework provides assignment of a policy from a group of policies stored in a policy database to one or more users such that the policy not only defines the manner in which the users can access and process content stored on the cloud, but can also configure the mode in which the data is encrypted, stored, searched, and accessed to ensure secure and vendor independent cloud management. Embodiments of the system of the present invention can include a policy assignment module, an encryption module, a storage module, and a management module, each of which can be implemented across one or more network devices such as gateway devices, proxy devices, network controllers, among other like devices.

According to one embodiment, the policy assignment module is configured to assign a policy to one or more users, where the policy is selected from a group of policies that are stored in a database. The selected policy can be used for defining the manner in which a file or metadata related thereto is to be uploaded, stored, searched, downloaded, and/or processed in the context of one or more cloud platforms. The selected policy can further be used to configure access rights of the one or more users such that the access rights dictate the manner in which the users can process the uploaded encrypted files. In an instance, a policy can allow a user to download a searchable encrypted file stored in the cloud to a local device such as a mobile phone and search the downloaded encrypted file on the local device for further processing. The policy can further implement key management policies across cloud providers and local devices such that no vendor lock-in is required and a user is given flexibility to transfer content across cloud providers and perform other desired functions that otherwise require vendor specific Application Programming Interface (API). According to one embodiment, a selected policy can be applied to a group of users across one or more organizations such that the policy not only controls the manner in which the content is uploaded, stored, and accessed in the cloud but also manages the rights of a user and the manner in which the user can retrieve and process the files.

According to one embodiment, an encryption module is configured to encrypt one or more files to be uploaded/stored across one or more cloud platforms based on a policy defined by the policy assignment module. In an implementation, a selected policy can be used to define encryption keys, decryption keys, and encryption type, among other attributes for carrying out the encryption of data. According to another embodiment, the encryption module can encrypt each file and/or content thereof using cryptographic key information such that the encrypted content is searchable across cloud platforms, making the encryption architecture independent of the vendor/service provider of the cloud platforms. According to one embodiment, based on the policy defined by the policy assignment module, encrypted files can also be downloaded by one or a group of authenticated users onto a local device such that the downloaded encrypted files are available to offline applications, and hence can be searched, controlled, and managed using the keys generated by the encryption module based on the policy.

According to an embodiment, a storage module is configured to store the searchable encrypted file within the one or more cloud platforms based on policy selected by the policy assignment module. In an implementation, the selected policy can be used to define the manner in which and/or the location at which the file is to be stored (e.g., whether the file is to be stored within a single container or spread across multiple containers and/or whether a copy of the file is to be stored on a local device for offline usage). As the storage module can be implemented independent of the cloud service providers without using application programming interfaces (APIs) exposed by the vendors, the encrypted files can be moved to any cloud platform, thereby avoiding vendor lock-in.

According to another embodiment, a management module is configured to control and manage encryption, storage, access, and processing of cloud storage based on the policy defined by the policy assignment module. In an embodiment, based on user attributes such as the role of the user, a project assigned to the user, the user’s need to access the data at issue, among other such attributes, and further based on organization level changes and requirements, a policy identified by the policy assignment module can be dynamically changed or modified at run-time in order to comply with the organization requirements and configure the cloud storage for compliance.

According to another embodiment, the system may further include a mediation module that is operatively coupled with other modules and is configured to mediate vendor specific protocol/APIs thereby facilitating geographical and provider diversity in data placement, making the system agnostic with respect to specific cloud vendor APIs and increasing availability and durability of the stored data. In another embodiment, system of the present disclosure can further include a generalized API module that is operatively coupled with the mediation module and configured to provide a generalized API that can be called by any content/data intensive user application to access content from containers of cloud storage. Generalized API module can allow a single standard thread to multiple users to connect any of their applications with the proposed system and to perform any of storage, upload, retrieval, download, modify, search, and other allied functions at multiple cloud stores of different cloud service providers.

In the following description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the present disclosure. It will be apparent, however, to one skilled in the art that embodiments of the present disclosure may be practiced without some of these specific details. In other instances, well-known structures and devices are shown in block diagram form.

Embodiments of the present disclosure include various steps, which will be described below. The steps may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform the steps.

Alternatively, the steps may be performed by a combination of hardware, software, firmware and/or by human operators.

Embodiments of the present invention may be provided as a computer program product, which may include a machine-readable storage medium tangibly embodying thereon instructions, which may be used to program a computer (or other electronic devices) to perform a process. The machine-readable medium may include, but is not limited to, fixed (hard) drives, magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, semiconductor memories, such as ROMs, PROMs, random access memories (RAMs), programmable read-only memories (PROMs), erasable PROMs (EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic instructions (e.g., computer programming code, such as software or firmware). Moreover, embodiments of the present disclosure may also be downloaded as one or more computer program products, wherein the program may be transferred from a remote computer to a requesting computer by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection).

In various embodiments, the article(s) of manufacture (e.g., the computer program products) containing the computer programming code may be used by executing the code directly from the machine-readable storage medium or by copying the code from the machine-readable storage medium into another machine-readable storage medium (e.g., a hard disk, RAM, etc.) or by transmitting the code on a network for remote execution. Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present disclosure with appropriate standard computer hardware to execute the code contained therein. An apparatus for practicing various embodiments of the present disclosure may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the present disclosure could b