The present invention generally relates to computerized data security and encryption key management systems and methods. More particularly, the present invention relates to such systems and methods operating over private or public open networks.
The “cloud” is a new model for distributed computing. The National Institute of Standards and Technology (NIST) defines “cloud computing” in the document titled “The NIST Definition of Cloud Computing” (NIST Special Publication 800-145, September 2011) as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.
Increasingly, electronic information that was previously stored or transmitted on private local or network connected computing systems is moving to “cloud” storage and transmission systems. In addition to this movement of existing information to the cloud, users are creating vast amounts of new information placed directly into cloud storage. These cloud storage systems include information storage provided by service or storage providers that replicate a local folder to the cloud, such as Dropbox, Box, SugarSync, Google Drive, nCrypted Cloud, and Microsoft OneDrive. Other sources and providers of cloud storage exist.
Users of these services are granted access to this storage after obtaining a subscription or membership offered by a storage provider, or by other means. Upon obtaining a membership a user becomes a member, and storage is then accessible to members through the internet. However, storage reached through the internet is provided on an open network that is not protected by the traditional perimeter defenses, such as corporate firewalls, SSL-protected private connections, and local access authentication mechanisms, that may be used to protect local or network connected storage systems.
Cloud storage may also be provided by private storage services and systems, which may be built from both local and cloud storage components. Subscriptions may not be required to access these storage services; instead a user may be granted access through access management such as a Windows login and Active Directory authentication. Authentication may include “multi-factor” methods requiring at least two items of identity verification, where one item may be a user ID and password and the second may be a security PIN or a one-time token such as may be provided by Google Authenticator. Other “multi-factor” methods may be used. Private storage systems may include both open network and private network storage services.
These open network storage systems provide only limited protection of the confidentiality or integrity of the information users place onto them; some storage systems provide no protection at all. Further, this information is often shared among multiple users who have all been granted membership access to the same stored information, giving rise to further security concerns.
Common methods in use today to protect access to information stored on open networks include basic authentication, which relies on a user ID and password, and protocols such as OAuth as presented by the OAuth community (www.oauth.net) or OpenID as presented by the OpenID Foundation (www.openid.net). These methods may authenticate user and application identities (OAuth, strictly, delegates authorization rather than authenticating a user), but they do not authenticate the user's data files themselves and they do not provide encryption of those files.
Other methods for information protection available today may provide some limited protection for information stored on open networks. Examples of methods currently deployed are digital timestamps, digital signatures, and file and folder access permissions. For example, a digital timestamp provides evidence that a file had a particular content at a point in time. This method requires an available timestamping authority (TSA) or server to issue the timestamp, has a high degree of complexity, and requires sufficient timestamp infrastructure to implement.
Digital signatures may provide a record of who applied a signature to a file, but a signature over a file's content does not by itself establish a time sequence or chronology among successive versions of that file, and therefore may not maintain integrity over a time interval: an older, validly signed version can be substituted for the current one and will still verify. Additional ways of protecting information, such as setting file and folder access permissions, may prevent access to a file on an open network, but today these methods may often be circumvented, and they do not provide any way of assuring data integrity or preventing replay attacks.
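The replay weakness described above, shown as an added example that is not part of the patent text: a keyed tag over a file's content still verifies when an attacker restores an older tagged version, because nothing binds the content to its position in the sequence of versions. Binding a monotonically increasing sequence number into the signed data, and having the verifier remember the last accepted number, rejects both stale versions and altered content. HMAC-SHA256 stands in for a digital signature here (the same property holds for public-key signatures); the key and the file contents are constructed sample data.

```python
"""Added example: why a plain content signature does not give chronology,
and how a sequenced signature detects replay. Not the patent's own method."""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: shared by the parties that sign and verify


def sign(content: bytes) -> bytes:
    """Plain tag over the content only (stand-in for a digital signature)."""
    return hmac.new(KEY, content, hashlib.sha256).digest()


def verify_plain(content: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(content), tag)


def sign_seq(seq: int, content: bytes) -> bytes:
    """Tag that also covers the version's sequence number."""
    return hmac.new(KEY, seq.to_bytes(8, "big") + content, hashlib.sha256).digest()


class SequencedVerifier:
    """Accepts only versions whose sequence number is newer than the last accepted one."""

    def __init__(self) -> None:
        self.last_seq = 0

    def accept(self, seq: int, content: bytes, tag: bytes) -> bool:
        if seq <= self.last_seq:
            return False  # stale or replayed version
        if not hmac.compare_digest(sign_seq(seq, content), tag):
            return False  # content or sequence number altered
        self.last_seq = seq
        return True


def replay_demo():
    """Returns (plain_replay_accepted, ok_v1, ok_v2, replay_rejected_is_False, tamper_is_False)."""
    v1 = b"balance=100"  # constructed file contents, version 1
    v2 = b"balance=50"   # constructed file contents, version 2
    t1 = sign(v1)

    # Attacker who kept version 1 and its tag puts it back after version 2 was stored:
    # the content-only signature still verifies, so the replay goes unnoticed.
    plain_replay_accepted = verify_plain(v1, t1)

    ver = SequencedVerifier()
    ok_v1 = ver.accept(1, v1, sign_seq(1, v1))
    ok_v2 = ver.accept(2, v2, sign_seq(2, v2))
    replayed = ver.accept(1, v1, sign_seq(1, v1))          # rejected: seq 1 <= 2
    tampered = ver.accept(3, b"balance=999", sign_seq(3, v2))  # rejected: tag mismatch
    return plain_replay_accepted, ok_v1, ok_v2, replayed, tampered


if __name__ == "__main__":
    print(replay_demo())
```

The sequence number must be stored alongside the file and the verifier's last accepted value must itself be kept somewhere the attacker cannot roll back; otherwise the same substitution attack applies to the counter.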
Using these available methods, users must place their information onto these cloud storage systems at their own risk, with no certainty that their information will not be intercepted or altered by unauthorized users. If this information is improperly accessed or altered, the authorized users of the information may never detect that this has happened.
In some instances, encryption may be available to these users from the storage provider, through their own methods, or through other methods available to them for protecting information. This encryption may be applied to the files and other information placed into storage. However, encryption, which makes information unreadable without an electronic key, does not by itself ensure that data has not been inappropriately accessed or altered. Electronic keys protecting encrypted information may be intercepted or, in some cases, even guessed, allowing unauthorized users to access information they are not otherwise allowed to access.
Once this unauthorized access is obtained, the information may be used inappropriately, altered, and even re-encrypted by the unauthorized user without the knowledge of the authorized users, who may then come to rely on the altered information as if it were correct.
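An added example, not drawn from the patent, of the point made in the two paragraphs above that encryption alone does not guarantee integrity. It goes beyond the case of a stolen or guessed key: with an unauthenticated stream cipher, an attacker who knows the plaintext layout can change a chosen field in the ciphertext without the key at all, and decryption silently returns the altered value. Adding a message authentication code over the ciphertext (encrypt-then-MAC) makes the alteration detectable. The keystream is generated from HMAC-SHA256 in counter mode as a stand-in for a real stream or CTR-mode cipher, so the block runs with the standard library only; keys, nonce and message are constructed sample data.

```python
"""Added example: ciphertext malleability of unauthenticated encryption,
and its detection with an authentication tag. Not the patent's own method."""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real stream cipher)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


def flip_field(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step: without the key, XOR the difference between the known
    plaintext field and the desired value into the ciphertext at that offset."""
    buf = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes):
    ct = encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt_checked(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Returns the plaintext, or None if the ciphertext was altered."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, nonce, ct)


def malleability_demo():
    """Returns (what an unauthenticated decryptor sees, what a checked decryptor returns)."""
    enc_key, mac_key = b"enc-key-demo", b"mac-key-demo"  # constructed keys
    nonce = b"\x00" * 12  # constructed; a real system uses a fresh nonce per message
    plaintext = b"amount=0100;to=alice"  # constructed record with a known layout
    offset = plaintext.index(b"0100")

    # Encryption only: the altered field decrypts cleanly and nothing flags it.
    ct = encrypt(enc_key, nonce, plaintext)
    tampered = flip_field(ct, offset, b"0100", b"9900")
    unauthenticated_view = decrypt(enc_key, nonce, tampered)

    # Encrypt-then-MAC: the same alteration fails the tag check.
    ct2, tag = encrypt_then_mac(enc_key, mac_key, nonce, plaintext)
    tampered2 = flip_field(ct2, offset, b"0100", b"9900")
    checked_view = decrypt_checked(enc_key, mac_key, nonce, tampered2, tag)
    return unauthenticated_view, checked_view


if __name__ == "__main__":
    print(malleability_demo())
```

Note that the tag only detects alteration by someone who lacks the MAC key; an attacker who has obtained the keys, the case the patent text is concerned with, can re-encrypt and re-tag altered content, which is why integrity over time needs a record the key holder alone cannot rewrite.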
Further, the use of encryption does not prevent an unscrupulous user who is allowed access to information stored in the cloud from disregarding any rules established for accessing this stored information. The unscrupulous user may properly access this information, but then improperly use or alter this information to harm or deceive the other authorized members using and relying on the information.
Another method of placing information into the cloud is using information transfer systems. Information transfer systems provide for delivery of information or files between users, organizations, computers, or other types of information endpoints that may reside in the cloud or in personal or private networks. One example of an information transfer system is electronic mail, where the information comprises a message and one or more message attachments. Examples of electronic mail systems that can be used to transfer information using the cloud are Google Gmail, Microsoft Exchange, and others. Another example of an information transfer system that may be used to transfer information using the cloud is file transfer software. Examples of file transfer programs include FTP, SFTP, IBM Connect:Direct, and others.