Method and system for protection of sensitive data in infrastructure management services
Disclosure Number: IPCOM000242582D
Publication Date: 2015-Jul-28

This article describes an approach to protect sensitive information in the context of a cloud-based infrastructure management service, where a management solution (for example a storage resource management solution) is provided via a Software-as-a-Service approach from an off-premises location, but is managing devices/infrastructure on the customer's premises.

Method and system for protection of sensitive data in infrastructure management services


This invention is related to the field of providing systems management functionality for the devices of an information technology infrastructure located in one location/network while the system providing said systems management functionality is located in a different location/network, while the connection between the two locations/networks is through a public, not trusted network. This scenario applies for example to systems-management-as-a-service offerings, where the service is provided from a central place in the responsibility (and private network) of the service provider, while the components to be monitored and managed are in the responsibility and network of the consumer of such a service.

Problem Description

Even though a typical systems management application requires mostly (if not only) meta-data about the managed entities to be transmitted from the consumer private network to the provider private network using the not trusted public network, there is some information in the transmitted data which is particularly sensitive, so that it

a) must not be revealed to someone observing the not trusted public network

b) is secured against someone successfully attacking the provider's infrastructure

c) even has to be kept secret from the provider of the service itself

Examples of such sensitive information are user IDs and passwords, but also IP addresses, WWPNs, etc. The present invention teaches a method and system to address these security concerns.

Relevant Prior Art

Existing solutions to this particular problem usually involve applying encryption to protect the data while in transit between the two networks using the non-trusted network, for example with a VPN. The shortcoming of this approach, however, is that the data is not protected while at rest, but only when "in flight". While the provider could also encrypt the data while storing it in the repository database (and therefore address a) and b) from the list above), the encryption keys would still be at the provider's premises, hence under the provider's control, and this would not address topic c) from the problem statement.

Summary of Invention

The present invention teaches a method and system to protect said sensitive data by either encrypting the relevant portions at the customer premises, leaving the keys securely under the control of the consumer owning the data, or - in another, preferred embodiment - by inserting a replacement identifier instead of the sensitive data into the data stream being exchanged over the non-trusted network, which would even prevent the provider from breaking the encryption, but still leaves the information in a form the provider can use for providing the service. The sensitive information replaced by the replacement identifier is stored locally on-premises at the consumer location and the key is subsequently substituted with the sensitive data in a
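
The replacement-identifier embodiment from the summary, sketched as an added example that is not part of the original disclosure: a vault running at the consumer site swaps sensitive fields for random identifiers before records leave, and substitutes the originals back into data coming from the provider. The field names, the `TOK-` identifier format, the in-memory store and the choice to reuse identifiers for non-password fields (so the provider can still correlate records) are assumptions of this example.

```python
import secrets

# Assumed field policy: the disclosure lists user IDs, passwords, IP addresses
# and WWPNs as sensitive; the split into two groups is this example's choice.
CORRELATABLE = {"user_id", "ip_address", "wwpn"}  # same value -> same identifier
OPAQUE = {"password"}                             # fresh identifier every time

# Constructed sample record, as an on-premises agent might report it.
SAMPLE_RECORD = {
    "device_type": "storage-controller",
    "capacity_gb": 2048,
    "ip_address": "192.0.2.10",
    "wwpn": "50:05:07:68:01:40:aa:01",
    "user_id": "svc-monitor",
    "password": "example-only-secret",
}


class OnPremTokenVault:
    """Runs inside the consumer's network; the mapping never leaves it."""

    def __init__(self):
        self._by_value = {}  # (field, value) -> replacement identifier
        self._by_token = {}  # replacement identifier -> original value

    def _replace(self, field, value):
        key = (field, value)
        if field in CORRELATABLE and key in self._by_value:
            return self._by_value[key]  # provider can still correlate records
        token = "TOK-" + secrets.token_hex(8)  # random, not derived from value
        self._by_token[token] = value
        if field in CORRELATABLE:
            self._by_value[key] = token
        return token

    def outbound(self, record):
        """Replace sensitive values before the record crosses the public network."""
        return {k: self._replace(k, v) if k in CORRELATABLE | OPAQUE else v
                for k, v in record.items()}

    def inbound(self, record):
        """Substitute originals back into data returned by the provider."""
        return {k: self._by_token.get(v, v) if isinstance(v, str) else v
                for k, v in record.items()}
```

Because the identifiers are random rather than encrypted values, there is no key that would let the provider recover the originals; the local mapping is the only way back, so it needs durable, access-controlled storage in a real deployment.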

