Patent Application

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

TITLE OF THE INVENTION

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

Inventor:

DAVID A. REDBERG, residing at:
1059 Merrimac Dr.
Sunnyvale, CA 94087

Assignee:

FORTINET, INC.
A Delaware Corporation

Entity:

Regular Undiscounted

Page 1 of 171

Netskope Exhibit 1003

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

COPYRIGHT NOTICE

[0001] Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright © 2013, Fortinet, Inc.

BACKGROUND

Field

[0002] Embodiments of the present invention generally relate to cloud based data storage. In particular, embodiments of the present invention relate to systems and methods for use of vendor independent secure cloud storage distribution and aggregation.

Description of the Related Art

[0003] Computing devices have traditionally executed applications and data services locally on respective devices, in which, as the data is accessed, processed, stored, cached, etc., it may travel within the devices over local buses, interfaces and other data pathways. As a result, users of such devices did not have to worry about interference or exposure of user data unless the device itself was lost or stolen. However, with the growing amount of data that is generated and with the evolution of online/Internet based services and cloud storage platforms, applications, content, and services are increasingly being moved to network providers who perform some or all of a given service on behalf of a user's devices. In such cases, a user may become concerned with who can access, or potentially worse, interfere with, the user's data while it is uploaded to a service, while it is stored by the service, or while it is retrieved from the service.

[0004] It has been recognized that while existing cloud storage providers offer a virtually infinite storage capacity, data owners seek geographical and provider diversity in data placement so that they are not tied to a particular service provider and have the flexibility to switch to another provider without losing data or making significant efforts in data transition. Moreover, with the increasing criticality of data being stored, expectations of users to have more reliable mechanisms in place to ensure availability and durability of the content are also on the rise. On similar lines, instead of storing data within a single cloud, it may also be desired by users to store data across multiple cloud platforms to ensure more security, redundancy, and reduction in potential threat of data compromise.

[0005] Furthermore, storage of data in an unencrypted format is always at the risk of a network attack that may lead to the data being compromised. Storage of encrypted data, on the other hand, using existing technologies, makes the files, folders, filenames, and content thereof unsearchable and hence unfriendly for user access. Existing encryption techniques also expose the encrypted content to frequency analysis attacks. Moreover, since the cloud providers control the encryption keys, the data in the cloud can be exposed to attack within the cloud, insider jobs and subpoena - all without the knowledge or consent of the data owner.

[0006] Existing techniques for managing distribution and aggregation of content stored by a cloud provider also necessitate service provider and/or vendor specific application programming interfaces (APIs) to be incorporated for storage, access, and processing of the content, making present systems rigid and non-flexible to implementation of policies that allow storage of data across different service providers, allow different cloud storage access rights across users and computing devices, allow searching of downloaded encrypted data across cloud service vendors, among other desired activities.

SUMMARY

[0007] Methods and systems are described for vendor independent and secure cloud storage distribution and aggregation. According to one embodiment, a generalized application programming interface (API) is provided by a cloud storage gateway device that is logically interposed between one or more third-party cloud storage platforms and users of an enterprise. The API facilitates storing of files, issuing of search requests against the files and retrieval of content of the files. A file storage policy is assigned by the cloud storage gateway device to each user. The assigned file storage policy defines access rights, storage diversity requirements and a type of encryption to be applied to files for the corresponding user. Responsive to receiving, via the generalized API, a request to store a file, the cloud storage gateway device (i) creates searchable encrypted data corresponding to content of the file and/or metadata associated with the file based on the assigned file storage policy; and (ii) distributes the searchable encrypted data among one or more third-party cloud storage platforms based on the storage diversity requirements defined by the assigned file storage policy.

[0008] Other features of embodiments of the present disclosure will be apparent from accompanying drawings and from detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

[0009] In the Figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

[0010] FIG. 1 illustrates an exemplary network architecture in accordance with an embodiment of the present invention.

[0011] FIG. 2 illustrates exemplary functional modules of the proposed policy-based framework for secure cloud storage distribution and aggregation in accordance with an embodiment of the present invention.

[0012] FIG. 3A illustrates an exemplary flow diagram for generating searchable encrypted files in accordance with an embodiment of the present invention.

[0013] FIG. 3B illustrates an exemplary flow diagram for processing search queries for searching encrypted files in accordance with an embodiment of the present invention.

[0014] FIGs. 4A-C illustrate an example showing generation of searchable indices from search queries in order to execute search queries on encrypted files in accordance with an embodiment of the present invention.

[0015] FIG. 5 illustrates a flow diagram for uploading one or more files onto multiple containers provided by one or more cloud storage providers in accordance with an embodiment of the present invention.

[0016] FIG. 6 illustrates a flow diagram for executing search queries on encrypted files stored as one or more containers provided by cloud storage providers in accordance with an embodiment of the present invention.

[0017] FIG. 7 illustrates a flow diagram for downloading files from cloud-based storage containers in accordance with an embodiment of the present invention.

[0018] FIG. 8 illustrates a sequence diagram for uploading files to cloud-based storage containers in accordance with an embodiment of the present invention.

[0019] FIG. 9 illustrates a sequence diagram for searching searchable encrypted files that are stored in cloud-based storage containers in accordance with an embodiment of the present invention.

[0020] FIG. 10 illustrates a sequence diagram for downloading files from cloud-based storage containers onto local drives/discs in accordance with an embodiment of the present invention.

[0021] FIG. 11 is an example of a computer system with which embodiments of the present invention may be utilized.

DETAILED DESCRIPTION

[0022] Systems and methods for a policy-based framework for secure cloud storage distribution and aggregation are described. Methods and systems are also provided for implementing a policy based framework for encrypting, storing, accessing, querying and managing data across one or more cloud platforms. According to one embodiment, a searchable encryption gateway framework provides assignment of a policy from a group of policies stored in a policy database to one or more users such that the policy not only defines the manner in which the users can access and process content stored on the cloud, but can also configure the mode in which the data is encrypted, stored, searched, and accessed to ensure secure and vendor independent cloud management. Embodiments of the system of the present invention can include a policy assignment module, an encryption module, a storage module, and a management module, each of which can be implemented across one or more network devices such as gateway devices, proxy devices, network controllers, among other like devices.

[0023] According to one embodiment, the policy assignment module is configured to assign a policy to one or more users, where the policy is selected from a group of policies that are stored in a database. The selected policy can be used for defining the manner in which a file or metadata related thereto is to be uploaded, stored, searched, downloaded, and/or processed in the context of one or more cloud platforms. The selected policy can further be used to configure access rights of the one or more users such that the access rights dictate the manner in which the users can process the uploaded encrypted files. In an instance, a policy can allow a user to download a searchable encrypted file stored in the cloud to a local device such as a mobile phone and search the downloaded encrypted file on the local device for further processing. The policy can further implement key management policies across cloud providers and local devices such that no vendor lock-in is required and a user is given flexibility to transfer content across cloud providers and perform other desired functions that otherwise require a vendor specific Application Programming Interface (API). According to one embodiment, a selected policy can be applied to a group of users across one or more organizations such that the policy not only controls the manner in which the content is uploaded, stored, and accessed in the cloud but also manages the rights of a user and the manner in which the user can retrieve and process the files.

[0024] According to one embodiment, an encryption module is configured to encrypt one or more files to be uploaded/stored across one or more cloud platforms based on a policy defined by the policy assignment module. In an implementation, a selected policy can be used to define encryption keys, decryption keys, and encryption type, among other attributes for carrying out the encryption of data. According to another embodiment, the encryption module can encrypt each file and/or content thereof using cryptographic key information such that the encrypted content is searchable across cloud platforms, making the encryption architecture independent of the vendor/service provider of the cloud platforms. According to one embodiment, based on the policy defined by the policy assignment module, encrypted files can also be downloaded by one or a group of authenticated users onto a local device such that the downloaded encrypted files are available to offline applications, and hence can be searched, controlled, and managed using the keys generated by the encryption module based on the policy.

[0025] According to an embodiment, a storage module is configured to store the searchable encrypted file within the one or more cloud platforms based on the policy selected by the policy assignment module. In an implementation, the selected policy can be used to define the manner in which and/or the location at which the file is to be stored (e.g., whether the file is to be stored within a single container or spread across multiple containers and/or whether a copy of the file is to be stored on a local device for offline usage). As the storage module can be implemented independent of the cloud service providers without using application programming interfaces (APIs) exposed by the vendors, the encrypted files can be moved to any cloud platform, thereby avoiding vendor lock-in.

[0026] According to another embodiment, a management module is configured to control and manage encryption, storage, access, and processing of cloud storage based on the policy defined by the policy assignment module. In an embodiment, based on user attributes such as the role of the user, a project assigned to the user, the user's need to access the data at issue, among other such attributes, and further based on organization level changes and requirements, a policy identified by the policy assignment module can be dynamically changed or modified at run-time in order to comply with the organization requirements and configure the cloud storage for compliance.

[0027] According to another embodiment, the system may further include a mediation module that is operatively coupled with other modules and is configured to mediate vendor specific protocol/APIs, thereby facilitating geographical and provider diversity in data placement, making the system agnostic with respect to specific cloud vendor APIs and increasing availability and durability of the stored data. In another embodiment, the system of the present disclosure can further include a generalized API module that is operatively coupled with the mediation module and configured to provide a generalized API that can be called by any content/data intensive user application to access content from containers of cloud storage. The generalized API module can allow a single standard thread to multiple users to connect any of their applications with the proposed system and to perform any of storage, upload, retrieval, download, modify, search, and other allied functions at multiple cloud stores of different cloud service providers.

[0028] In the following description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the present disclosure. It will be apparent, however, to one skilled in the art that embodiments of the present disclosure may be practiced without some of these specific details. In other instances, well-known structures and devices are shown in block diagram form.

[0029] Embodiments of the present disclosure include various steps, which will be described below. The steps may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform the steps.

[0030] Alternatively, the steps may be performed by a combination of hardware, software, firmware and/or by human operators.

[0031] Embodiments of the present invention may be provided as a computer program product, which may include a machine-readable storage medium tangibly embodying thereon instructions, which may be used to program a computer (or other electronic devices) to perform a process. The machine-readable medium may include, but is not limited to, fixed (hard) drives, magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, semiconductor memories, such as ROMs, PROMs, random access memories (RAMs), programmable read-only memories (PROMs), erasable PROMs (EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic instructions (e.g., computer programming code, such as software or firmware). Moreover, embodiments of the present disclosure may also be downloaded as one or more computer program products, wherein the program may be transferred from a remote computer to a requesting computer by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection).

[0032] In various embodiments, the article(s) of manufacture (e.g., the computer program products) containing the computer programming code may be used by executing the code directly from the machine-readable storage medium or by copying the code from the machine-readable storage medium into another machine-readable storage medium (e.g., a hard disk, RAM, etc.) or by transmitting the code on a network for remote execution. Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present disclosure with appropriate standard computer hardware to execute the code contained therein. An apparatus for practicing various embodiments of the present disclosure may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the present disclosure could be accomplished by modules, routines, subroutines, or subparts of a computer program product.

[0033] Notably, while embodiments of the present invention may be described using modular programming terminology, the code implementing various embodiments of the present invention is not so limited. For example, the code may reflect other programming paradigms and/or styles, including, but not limited to object-oriented programming (OOP), agent oriented programming, aspect-oriented programming, attribute-oriented programming (@OP), automatic programming, dataflow programming, declarative programming, functional programming, event-driven programming, feature oriented programming, imperative programming, semantic-oriented programming, functional programming, genetic programming, logic programming, pattern matching programming and the like.

Terminology

[0034] Brief definitions of terms, abbreviations, and phrases used throughout this application are given below.

[0035] The phrases "cloud storage service" and "cloud storage platform" generally refer to computer storage space and/or related management provided by a cloud storage service provider.

[0036] The phrases "cloud storage service provider" and "cloud service provider" generally refer to a company that provides computer storage space and/or related management to other companies. Examples of cloud service providers include, but are not limited to, Dropbox, Google Drive and Amazon Web Services.

[0037] The terms "connected" or "coupled" and related terms are used in an operational sense and are not necessarily limited to a direct physical connection or coupling. Thus, for example, two devices may be coupled directly, or via one or more intermediary media or devices. As another example, devices may be coupled in such a way that information can be passed therebetween, while not sharing any physical connection with one another. Based on the disclosure provided herein, one of ordinary skill in the art will appreciate a variety of ways in which connection or coupling exists in accordance with the aforementioned definition.

[0038] The phrases "in one embodiment," "according to one embodiment," and the like generally mean the particular feature, structure, or characteristic following the phrase is included in at least one embodiment of the present invention, and may be included in more than one embodiment of the present invention. Importantly, such phrases do not necessarily refer to the same embodiment.

[0039] If the specification states a component or feature "may", "can", "could", or "might" be included or have a characteristic, that particular component or feature is not required to be included or have the characteristic.

[0040] The term "responsive" includes completely or partially responsive.

[0041] The phrase "storage container" generally refers to a file system and/or a user interface concept/metaphor that is used to store, organize or catalogue electronic data and/or electronic files. Some storage containers, such as directories and folders, may include references to other storage containers, such as other directories, folders and/or files. Examples of storage containers include, but are not limited to, directories, directory structures, web directories, folders, smart folders, files and namespaces of same.

[0042] Folder: in computing, a directory is a file system cataloging structure in which references to other computer files, and possibly other directories, are kept.

[0043] FIG. 1 illustrates an exemplary network architecture 100 in accordance with an embodiment of the present invention. System architecture 100 illustrates a plurality of clients 102a, 102b ... 102n, collectively referred to as clients 102 hereinafter, operatively and communicatively coupled to each other through a local area network (LAN) 104. Clients 102, as part of their function, may utilize data, which includes files, directories, metadata (e.g., access control list (ACL) creation/edit dates associated with the data, etc.), and other data objects. Clients 102 may also upload files, search for files or content therein, or even download files as and when desired, wherein during a copy, backup, archive or other storage operation, clients 102 may send a copy of some data objects to a secondary storage computing device by utilizing one or more data agents. A data agent may be a software module or part of a software module that is generally responsible for storage operations, such as copying, uploading, archiving, migrating, downloading, and recovering data from a data store or other memory location. Each client 102 may have at least one data agent, and system architecture 100 can support multiple clients 102.

[0044] According to one embodiment, clients 102 through LAN 104 can be operatively coupled with one or more cloud stores 114a, 114b ... 114n, collectively referred to as cloud stores 114 hereinafter, through a cloud gateway 108 using Internet 112. Cloud gateway device 108 typically acts as an interface between the clients 102 and stores 114, wherein different file/data read/write requests received from clients 102 can be handled by the gateway device 108 to identify the appropriate set of stores 114 that need to be accessed for processing the requests. Cloud gateway device 108 can be selected from one or a combination of access management devices, proxy devices, gateway devices, and network controllers, which basically have the intelligence to act as an interface between the clients and cloud service providers. In an embodiment, gateway 108 can be configured with a network attached storage (NAS), wherein NAS provides a way to satisfy incoming data writes from clients 102 quickly, and to buffer or spool data before it is transferred to cloud stores 114. Cloud gateway 108 may further be configured to de-duplicate locally stored data before being written up to cloud stores 114. Clients 102 and applications used thereby can also specify parameters (e.g., under a storage policy) that dictate to the cloud gateway 108 the manner in which their content is to be handled, e.g., how long it is to be retained, whether it be encrypted/compressed, should it be deduplicated, should it be indexed and searchable, should it be replicated and if so, how many copies and to where, etc. Cloud gateway device 108 may facilitate and/or configure the cloud stores 114 by allowing for metadata to be specified on a per file/object basis or on a data container or bucket basis. Further, the system 100 permits data to be replicated on demand to selected geographies based on access usage patterns, etc. Cloud gateway 108 can also be configured with the intelligence of automatically determining the most optimal cloud store 114 for a given client 102 and then route all files/content from the client 102 to the identified store 114.

[0045] Clients 102 may store one or more files, directories, metadata, or parts thereof across one or more cloud stores 114. Clients may also store such content across two or more stores 114 such that the content is divided into multiple chunks and each chunk is stored on a different cloud store 114. According to one embodiment, system 100 of the present invention proposes a vendor independent cloud management architecture such that file chunks are stored across cloud stores 114 that are managed by different cloud service providers. This allows geographical and provider diversity in data placement and avoids any vendor lock-in, leading to increased flexibility and availability.

[0046] According to one embodiment, as can be seen in FIG. 1, LAN 104 can be operatively coupled with cloud gateway 108 by means of a proxy 106 that can support multiple protocols such as Hypertext Transfer Protocol Secure (HTTPS), Simple Mail Transfer Protocol (SMTP), Simple Object Access Protocol (SOAP) and File Transfer Protocol (FTP). Proxy 106 can be configured to establish and terminate sessions between clients 102 and cloud stores 114. In an embodiment, proxy 106 can also be configured within cloud gateway 108. In addition to the proxy 106, cloud gateway device 108 can also be operatively coupled with a policy database 110, wherein the policy database 110 can include multiple administrator-configurable policies such that each client 102 is assigned a policy, which is configured to define the rights of the client 102. Such rights not only control the manner in which the respective client 102 encrypts, stores, accesses, and manages files and metadata related thereto, but also the mode in which multiple cloud providers in general interact with the client 102 across one or more cloud platforms. According to one embodiment, a policy can be implemented for a client 102 or a group of clients 102, also interchangeably referred to as users 102 hereinafter, based on their role and responsibility in the organization including other factors relating to the projects they work in, experience they carry, among other attributes. The selected policy can then be used for defining the manner in which the client 102 interacts with multiple cloud storage providers and the access rights he/she possesses to create, upload, store, search, download, and/or process in the context of one or more cloud platforms. In an instance, a policy stored in the policy database 110 can allow a client 102 to download a searchable encrypted file from a cloud store such as store 114a onto a local device, such as the client's mobile phone, and then search the downloaded encrypted file on the local device for further processing. According to one embodiment, policies can be used to enforce endpoint protection by, for example, allowing/blocking decryption of downloaded data based on characteristics of the device. For example, an administrator may define a policy for a user that only allows download of decrypted data to company-approved devices or devices that provide a secure container in which to place the downloaded data.

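The store, search and retrieve flow summarized in [0007], together with the chunked placement across distinct stores of [0045] and the per-user rights of [0046], as an added Python example that is not code from this application or from Fortinet: the gateway assigns each user a policy (rights, storage diversity requirement, encryption type), turns an uploaded file into a keyword-token index plus ciphertext, and places each ciphertext chunk on a different cloud store. Provider names, user names, policies, the HMAC-SHA256 keyword tokens and the SHA-256 counter-mode stand-in for the content cipher are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import re

# Constructed example, not code from the application or from Fortinet. The
# gateway holds the keys and the policy database; each cloud store receives
# only ciphertext chunks and opaque keyword tokens. Names below are made up.

class Policy:
    def __init__(self, rights, min_providers, encryption="searchable"):
        self.rights = frozenset(rights)     # e.g. {"upload", "search", "download"}
        self.min_providers = min_providers  # diversity: chunks go to this many distinct stores
        self.encryption = encryption        # type of encryption applied to the user's files

def keyword_token(key, word):
    """Searchable index entry: HMAC-SHA256 of the lower-cased keyword under the user's key.
    Deterministic tokens let a stored index be searched, but equal keywords give equal
    tokens, so whoever holds the index learns keyword frequencies (the frequency-analysis
    exposure the application mentions); bounding that leakage is beyond this example."""
    return hmac.new(key, word.lower().encode(), hashlib.sha256).hexdigest()

def build_index(key, text):
    words = set(re.findall(r"[A-Za-z0-9]+", text))
    return "\n".join(sorted(keyword_token(key, w) for w in words)).encode()

def xor_stream(key, nonce, data):
    """Stand-in content cipher so the example runs on the standard library alone:
    SHA-256 counter keystream XORed with the data (the same call decrypts).
    A deployment would use an authenticated cipher such as AES-GCM instead."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def split_chunks(data, n):
    size = -(-len(data) // n) or 1   # ceiling division; at least one byte per chunk
    return [data[i * size:(i + 1) * size] for i in range(n)]

class Gateway:
    def __init__(self, providers, user_policies):
        self.providers = list(providers)          # distinct cloud stores the gateway mediates
        self.policies = dict(user_policies)       # user -> Policy (the policy database)
        self.keys = {}                            # user -> key, held by the gateway, never by a store
        self.objects = {}                         # file_id -> (owner, nonce, stores used)
        self.remote = {p: {} for p in providers}  # exactly what each cloud store receives

    def _key(self, user):
        # Constructed per-user key derived on first use; a real gateway would use a KMS/HSM.
        return self.keys.setdefault(user, hashlib.sha256(b"demo-key:" + user.encode()).digest())

    def _authorize(self, user, right):
        policy = self.policies.get(user)
        if policy is None or right not in policy.rights:
            raise PermissionError(f"{user} lacks the '{right}' right")
        return policy

    def upload(self, user, file_id, content):
        policy = self._authorize(user, "upload")
        if policy.encryption != "searchable":
            raise ValueError(f"unsupported encryption type {policy.encryption!r}")
        if policy.min_providers > len(self.providers):
            raise ValueError("storage diversity requirement exceeds available providers")
        key, nonce = self._key(user), os.urandom(12)
        chunks = split_chunks(xor_stream(key, nonce, content), policy.min_providers)
        targets = self.providers[:len(chunks)]
        for i, (provider, chunk) in enumerate(zip(targets, chunks)):
            self.remote[provider][(file_id, i)] = chunk  # one chunk per distinct store
        # the searchable encrypted index is distributed as well, not kept at the gateway
        text = content.decode("utf-8", "ignore")
        self.remote[targets[0]][(file_id, "index")] = build_index(key, text)
        self.objects[file_id] = (user, nonce, targets)
        return sorted(targets)

    def search(self, user, query):
        """Files whose stored index holds a token for every query word."""
        self._authorize(user, "search")
        key = self._key(user)
        wanted = {keyword_token(key, w) for w in query.split()}
        hits = []
        for fid, (owner, _, targets) in self.objects.items():
            index = set(self.remote[targets[0]][(fid, "index")].decode().split())
            if owner == user and wanted <= index:
                hits.append(fid)
        return sorted(hits)

    def download(self, user, file_id):
        self._authorize(user, "download")
        owner, nonce, targets = self.objects[file_id]
        if owner != user:
            raise PermissionError("file was encrypted under another user's key")
        blob = b"".join(self.remote[p][(file_id, i)] for i, p in enumerate(targets))
        return xor_stream(self._key(user), nonce, blob)

    def provider_holdings(self, provider):
        """Everything one cloud store can see: ciphertext chunks and opaque tokens."""
        return b"".join(self.remote[provider].values())
```

Inspecting `provider_holdings` for each store is the check a reviewer would make: no single store holds the whole ciphertext, and none holds plaintext or keys.
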
[0047] FIG. 2 illustrates exemplary functional modules of a policy-based framework 200 for secure cloud storage distribution and aggregation in accordance with an embodiment of the present invention. Framework 200 of FIG. 2 also illustrates an environment showing interactions between enterprise users and cloud service providers for storage, retrieval, and searching of data and content stored by the providers in their respective cloud stores. According to one embodiment, enterprise 202 can include multiple users 202a, 202b, and 202c, collectively referred to as users 202 hereinafter, who, in an embodiment, may be structurally similar to the clients 102 of FIG. 1. Each user 202 of an enterprise may have a different role and responsibility and hence needs to be given different access rights and privileges to access data and content for evaluation and processing. In an instance, a project manager would need to have access to project related costs, billings, and manpower allocation details, which a project engineer may not need. Enterprise users 202 can be operatively coupled to one or more cloud service providers 206a, 206b, 206c, collectively referred to as cloud service providers 206 hereinafter. According to one embodiment, users 202a-c may be remote users (e.g., connecting to the enterprise network over the Internet or over a private network using some type of remote access connection) or local users.

[0048] Cloud service providers 206 may offer free, personal and/or business accounts providing hundreds of gigabytes or more of online storage. Cloud service providers 206 typically provide many distributed storage resources acting as one, provide high fault tolerance via redundancy and/or distribution of data and provide high durability through the creation of versioned copies. Examples of cloud service providers include, but are not limited to, Dropbox, Google Drive and Amazon Web Services.

[0049] According to one embodiment, enterprise users 202 can be operatively coupled with the cloud service providers 206 through a gateway 204, which is configured to interface transactions and execute instructions for read/write/search of content between the users 202 and the containers provided by the cloud service providers 206. According to one embodiment, gateway 204 can incorporate multiple functional modules to facilitate transactions between the users 202 and the cloud service providers 206, including but not limited to, a policy assignment module 208, an encryption module 210, a storage module 212, a management module 214, a mediation module 216, and a generalized API module 218. Gateway 204 can further be operatively coupled with a policy database 218, wherein the policy database 218 comprises one or more policies that define the rights and privileges of the users 202 with respect to their interactions with multiple cloud service providers 206 and may further enforce endpoint protection, as described above.

[0050] According to one embodiment, policy assignment module 208 is configured to facilitate assignment of a policy selected from the policy database 218 to one or a group of users 202, where the policy to be assigned can be selected, by an administrator, for example, based on the role, responsibility, enterprise practices, among other attributes and can be configured to define the manner in which data, metadata, or any other content, can be accessed and processed by the user or the group of users 202. In one embodiment, a policy not only defines the manner in which files can be uploaded, stored, downloaded, searched, and/or processed in the context of one or more cloud platforms, but also includes any other configurable aspect of the mode in which the user 202 accesses data stored or to be stored in the namespaces, directories, folders, files or other storage containers of one or more
