公开(公告)号：US20240119168A1

公开(公告)日：2024-04-11

申请号：US17938711

申请日：2022-10-07

Applicant: Microsoft Technology Licensing, LLC

Inventor： Ramarathnam VENKATESAN ,  Nishanth CHANDRAN ,  Panagiotis ANTONOPOULOS ,  Srinath T.V. SETTY ,  Basil CHERIAN ,  Daniel John CARROLL, JR. ,  Jason Sydney BARNWELL

IPC: G06F21/62 ,  H04L9/08 ,  H04L9/32

CPC classification number: G06F21/6227 ,  H04L9/085 ,  H04L9/3263

Abstract: Embodiments described herein enable at least one of a plurality of entities to access data protected by a security policy in response to validating respective digital access requests from the entities. The respective digital access requests are received, each comprising a proof. For each request, an encrypted secret share is obtained from a respective ledger database. Each request is validated based at least on the respective encrypted secret share and the proof, without decrypting the respective encrypted secret share. In response to validating all of the requests, a verification that an access criteria of a security policy is met is made. If so, at least one of the entities is provided with access to data protected by the security policy. In an aspect, embodiments enable a blind subpoena to be performed. In another aspect, embodiments enable the at least one entity to access the data for an isolated purpose.

公开(公告)号：US20230161895A1

公开(公告)日：2023-05-25

申请号：US18152343

申请日：2023-01-10

Applicant: Microsoft Technology Licensing, LLC

Inventor： Daniel John CARROLL, JR. ,  Kameshwar JAYARAMAN ,  Stuart KWAN ,  Kartik Tirunelveli KANAKASABESAN ,  Shefali GULATI ,  Charles Glenn JEFFRIES ,  Ganesh PANDEY ,  Roberto Carlos TABOADA ,  Parul MANEK ,  Steven Mark SILVERBERG

IPC: G06F21/62 ,  G06F9/451 ,  G06F9/50 ,  G06F21/31 ,  G06F21/60

CPC classification number: G06F21/6218 ,  G06F9/451 ,  G06F9/5072 ,  G06F21/31 ,  G06F21/602 ,  G06F2221/2141

Abstract: Access to data and resources in a multi-tenant computing system is managed by tagging the data and resources with attributes, as well as by tagging users with attributes. Tenant-specific access policies are configured. When an access request is received from a workload, a policy decision engine processes the attributes that are tagged to the requesting workload (e.g., user, application, etc.) as well as those tagged to the requested data or resource, given a relevant tenant-specific policy. An access decision is provided in response to the access request, and the access decision can be enforced by a tenant-specific enforcement system.

公开(公告)号：US20210117561A1

公开(公告)日：2021-04-22

申请号：US16660275

申请日：2019-10-22

Applicant: Microsoft Technology Licensing, LLC

Inventor： Daniel John CARROLL, JR. ,  Kameshwar Jayaraman ,  Stuart Kwan ,  Kartik Tirunelveli Kanakasabesan ,  Shefali Gulati ,  Charles Glenn Jeffries ,  Ganesh Pandey ,  Roberto Carlos Taboada ,  Parul Manek ,  Steven Mark Silverberg

IPC: G06F21/62 ,  G06F21/31 ,  G06F21/60 ,  G06F9/50 ,  G06F9/451

Abstract: Access to data and resources in a multi-tenant computing system is managed by tagging the data and resources with attributes, as well as by tagging users with attributes. Tenant-specific access policies are configured. When an access request is received from a workload, a policy decision engine processes the attributes that are tagged to the requesting workload (e.g., user, application, etc.) as well as those tagged to the requested data or resource, given a relevant tenant-specific policy. An access decision is provided in response to the access request, and the access decision can be enforced by a tenant-specific enforcement system.

公开(公告)号：US20240121081A1

公开(公告)日：2024-04-11

申请号：US18045335

申请日：2022-10-10

Applicant: Microsoft Technology Licensing, LLC

Inventor： Ramarathnam VENKATESAN ,  Nishanth CHANDRAN ,  Ganesh ANANTHANARAYANAN ,  Panagiotis ANTONOPOULOS ,  Srinath T.V. SETTY ,  Daniel John CARROLL, JR. ,  Kiran MUTHABATULLA ,  Yuanchao SHU ,  Sanjeev MEHROTRA

IPC: H04L9/08

CPC classification number: H04L9/0825 ,  H04L9/085 ,  H04L9/0866

Abstract: An access control system is disclosed for controlling access to a resource. A request is received by a location attribute policy (LAP) server to access an encrypted resource. The LAP server accesses a resource policy that identifies requirements for granting access to the encrypted resource, such as a list of attributes of the requestor that are required and a dynamic attribute requirement of the requestor. The LAP server receives a cryptographic proof from the computing device that the requestor possesses the attributes and validates the proof based at least on information obtained from a trusted ledger. Once the proof is validated, the LAP server provides a shared secret associated with the dynamic attribute requirement to a decryption algorithm. The decryption algorithm uses the dynamic attribute shared secret in combination with one or more attribute shared secrets from the requestor to generate a decryption key for the encrypted resource.