A. Technical Field
The present invention pertains generally to computer applications and data storage, and relates more particularly to systems and methods for facilitating secure data storage and data sharing.
B. Background of the Invention
Over the last several years, digital technologies have become increasingly prevalent in people's work and personal lives. Smaller, less expensive, and more powerful computing devices, along with the expansion in both the reach and speed of data networks, have helped fuel this digital growth. Currently, almost every organization employs computers, and most families have at least one. If one counts items such as multimedia players, cameras, smartphones, and the like, both companies and personal users operate many digital devices.
The expansion in digital devices has created a complementary expansion in the demand for digital data. For users, be they business, governmental, non-profit, or personal, secure data storage and secure access are important, if not critical, matters. One attempt to address these issues is cloud file synchronization.
Cloud file synchronization allows users to copy files to a remote storage network via an Internet connection. These services typically allow users to move files across all their devices via device synchronization clients that continually keep the devices up to date with a file snapshot in the public cloud.
Both consumer users and business system administrators have concerns about public cloud security and privacy. In the case of consumer users, these concerns may be mitigated by offering support for personal encryption keys. A personal encryption key is a key known only to the user and his/her file synchronization clients; the cloud service never holds it. This renders the user's data in the cloud highly private, subject to the strength of the encryption and to the key remaining secret. In the case of businesses, these concerns are similarly mitigated by means of a managed encryption key, which is owned by and private to the file synchronization administrator and common across the company or organization. The employees' synchronization clients have access to this managed key while the employees themselves do not, so that the business can have confidence that its cloud data is private.
End users of file synchronization systems may also expect the system to support collaborative sharing. Collaboration is a very useful and popular feature for both consumer and business users. Typically, a shared cloud folder is duplicated to the share members' devices by the file synchronizer, allowing collaborative sharing of the cloud folder, with each user able to add and modify files on their own devices. If a user modifies a file while offline, the files are synchronized when the user reconnects.
This form of sharing is incompatible with the public cloud privacy requirements just mentioned. Consider the consumer case depicted in FIG. 1 and FIG. 2. FIG. 1 illustrates that a personal-encryption-key user (consumer user 1) can share from their file synchronization folder, whether collaboratively or read-only, by giving their personal encryption key to the share invitee (consumer user 2). Such an approach is unwieldy, however, because the user (e.g., consumer user 1) loses control over their key: the one personal key protects the user's entire synchronization folder, so disclosing it grants the invitee access to everything encrypted under it, not only the shared folder, and if the invitee (e.g., consumer user 2) does not take adequate care to secure the key, it becomes exposed. Conversely, as illustrated in FIG. 2, a personal-encryption-key user (consumer user 3) cannot share from their file synchronization folder without giving their personal encryption key to the share invitees. If the personal-encryption-key user (consumer user 3) does not share the key, the invitee (consumer user 2) cannot decrypt the data, and the shared folder or files remain unreadable.
Consider also the business case in which a managed key is employed. For businesses, collaborative sharing with external partners is an important capability of a cloud file synchronization system, but it has not been feasible because it cannot be securely managed under a single managed key. In the business case depicted in FIG. 3, employees can share with fellow employees (e.g., Org. A User 1 can share with Org. A User 2) because the system administrator has configured each of their client systems to have access to the managed key used to encrypt and decrypt the data. However, as illustrated in FIG. 4, company users (e.g., Org. A User 1) cannot share with anybody external to the company (e.g., Org. B User 2) because individuals outside the organization do not have access to the managed encryption key, and handing that key to an outsider would expose every file the organization has encrypted under it.
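As an added illustration of the single-key limitation described in both the consumer case (FIG. 1 and FIG. 2) and the business case (FIG. 3 and FIG. 4), the following Go program is not part of this disclosure or of any product it describes. It models a synchronization folder whose files are all encrypted under one folder key (a personal key or a managed key) with AES-256-GCM, and shows that whoever holds that key can decrypt every file, including files outside the shared folder, while anyone holding a different key can decrypt none. The passphrases, file names, and contents are constructed for the example, and the SHA-256 key derivation is an assumption that stands in for a proper password-based KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Vault models one synchronization folder as stored in the cloud: every file is
// encrypted under the same folder key (a consumer's personal key or an
// organization's managed key). Values are nonce || AES-GCM ciphertext.
type Vault map[string][]byte

// deriveKey turns a passphrase into a 32-byte AES-256 key. Assumption for this
// example only: a real client would use a memory-hard KDF such as Argon2id.
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, prepending a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal. A wrong key fails GCM authentication instead of
// yielding garbage, so "cannot decrypt" surfaces as an explicit error.
func unseal(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

// NewVault encrypts every file under the single folder key.
func NewVault(key []byte, files map[string]string) (Vault, error) {
	v := make(Vault, len(files))
	for path, content := range files {
		ct, err := seal(key, []byte(content))
		if err != nil {
			return nil, err
		}
		v[path] = ct
	}
	return v, nil
}

// Readable lists the paths the holder of key can decrypt. With one folder key
// the answer is all of them or none: there is no way to hand an invitee
// "shared/" without also handing over "private/".
func (v Vault) Readable(key []byte) []string {
	var paths []string
	for path, ct := range v {
		if _, err := unseal(key, ct); err == nil {
			paths = append(paths, path)
		}
	}
	sort.Strings(paths)
	return paths
}

func main() {
	vault, err := NewVault(deriveKey("owner passphrase"), map[string]string{ // constructed sample folder
		"shared/notes.txt":  "meeting agenda",
		"private/taxes.txt": "do not share",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("owner's key handed over:", vault.Readable(deriveKey("owner passphrase")))   // both files
	fmt.Println("invitee's own key:      ", vault.Readable(deriveKey("invitee passphrase"))) // nothing
}
```

Running the program with `go run` prints the two lists: the owner's key unlocks both the shared file and the private one, while the invitee's own key unlocks neither. The same all-or-nothing result applies to a managed key shared with an external organization, and it also means that withdrawing access from an invitee who was given the key requires choosing a new key and re-encrypting every file in the folder.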
Accordingly, what is needed are improved systems and methods for providing secure data storage and secure data sharing or collaboration.