US-20260127324-A1 - ENCRYPTED ANALYTICAL VAULT FOR TRUSTED ACCESS
Abstract
An encrypted analytical vault may implement an entanglement process in data encryption when storing the data, and may include a native search plugin for searching the encrypted data. The encrypted analytical vault thus allows the data stored in the vault to be searchable, aggregable, and sortable while the data are still encrypted in the vault.
Inventors
- Arti Arora Raman
- Nikita Raman
- Karthikeyan Mariappan
- Fadil Mesic
- Seshadhri Pakshi Rajan
Assignees
- Portal26, Inc.
Dates
- Publication Date: 20260507
- Application Date: 20251231
Claims (20)
- 1. A method for data storage in an encrypted analytical vault, the method comprising: receiving data for storage in a persistent data store associated with the encrypted analytical vault; applying a data entanglement process on the data prior to encryption; and encrypting the entangled data; and storing the encrypted data in the persistent data store associated with encrypted analytical vault, wherein the encrypted data is searchable using a native search engine.
- 2. The method of claim 1, wherein the entangled data is encrypted with an encryption key using symmetric key encryption.
- 3. The method of claim 2, wherein the encryption key is generated based on a seed provided by a data provider associated with the data.
- 4. The method of claim 2, wherein the encryption key is derived from an encryption key provided by a data provider associated with the data.
- 5. The method of claim 2, wherein the encryption key is controllable by a data provider associated with the data.
- 6. The method of claim 1, wherein the entangled data is encrypted with a set of encryption keys, wherein the set of encryption keys have varying levels of granularity.
- 7. The method of claim 6, wherein the set of encryption keys are further encrypted using a master key.
- 8. The method of claim 1, further comprising: decrypting the encrypted data and re-encrypt the decrypted data with salt.
- 9. The method of claim 8, further comprising: transferring the re-encrypted data to a different encrypted analytical vault associated with a third party.
- 10. The method of claim 9, further comprising: sharing a valet key with the third party, wherein the valet key enables the third party to search the encrypted data without exposing the encrypted data in cleartext.
- 11. The method of claim 1, further comprising: generating searchable indices for the data, wherein the searchable indices comprises a set of searchable entangled strings in an encrypted form.
- 12. The method of claim 1, further comprising: releasing the encrypted data in cleartext under a walled garden arrangement.
- 13. The method of claim 1, further comprising: releasing the encrypted data to different users according to different release schemas.
- 14. The method of claim 1, further comprising: releasing the encrypted data in different formats.
- 15. The method of claim 14, further comprising: receiving a search request for the released data, the search request comprising a search term; and translating the search term into a proper format according to a format that the encrypted data is released.
- 16. An encrypted analytical vault, comprising: a data preprocessing component configured to: receive data for storage in a persistent data store associated with the encrypted analytical vault, and apply a data entanglement process on the data prior to encryption; a cryptographic component configured to: encrypt the entangled data, and store the encrypted data in the persistent data store associated with the encrypted analytical vault, wherein the encrypted data is searchable using a native search engine.
- 17. The encrypted analytical vault of claim 16, further comprising: an Elasticsearch plugin for searching the encrypted data stored in the persistent data store.
- 18. The encrypted analytical vault of claim 16, wherein the Elasticsearch plugin is a piece of program that runs within a native Elasticsearch application.
- 19. The encrypted analytical vault of claim 16, wherein the data is received from a business-to-business software-as-a-service provider.
- 20. The encrypted analytical vault of claim 16, wherein the persistent data store is a cloud-based storage.
Description
CROSS-REFERENCE TO RELATED APPLICATION
This application is a continuation of U.S. patent application Ser. No. 17/684,798, filed on Mar. 2, 2022, and titled “Encrypted Analytical Vault For Trusted Access,” which is a continuation-in-part of U.S. patent application Ser. No. 17/512,546, filed on Oct. 27, 2021, and titled “The Use Of Data Entanglement For Improving The Security Of Search Indexes While Using Native Enterprise Search Engines And For Protecting Computer Systems Against Malware Including Ransomware,” which claims the benefit of U.S. Provisional Patent Application No. 63/106,253, filed on Oct. 27, 2020, and titled “Use Of Data Entanglement For Improving The Security Of Search Indexes While Using Native Enterprise Search Engines And For Protecting Computer Systems Against Malware Including Ransomware.” The entire contents of all applications are incorporated herein by reference in their entireties.
TECHNICAL FIELD
This disclosure relates to a vault for data storage and, more particularly, to an encrypted analytical vault that allows searches on encrypted indices and provides search results for encrypted data stored in the vault.
BACKGROUND
Data vaults have been used by enterprises as a warehouse platform for data storage. Fueled by software as a service (SaaS) trends, more and more data is now outsourced to remote (cloud) storage providers for backend storage in enterprise computing. For instance, cloud storage services allow enterprises to efficiently outsource their data anytime and anywhere for backend storage. Such cloud storage services may provide convenience to customers and enterprises, but also lead to privacy concerns. While storage providers may not read enterprises' data, attackers may gain access by exploiting vulnerabilities in the providers' storage system. Data may also be leaked by curious administrators.
Data owners want to be certain that their data is safe against hacking by outsiders, internal threats, and untrusted service providers alike. To safeguard the data, an encrypted vault may be used by enterprises to encrypt all the data before submitting them for backend cloud storage. This method, however, makes it impossible to efficiently search and/or analyze encrypted stored data since this type of activity requires data to be queried in flexible ways and research results to be analyzable. Therefore, most analytical vaults used by the enterprises currently retain data in cleartext (i.e., in a non-encrypted form), which poses a substantial risk for the enterprises as discussed above.
SUMMARY
To address the aforementioned shortcomings, an encrypted analytical vault is disclosed that secures the data stored in the vault. Although the stored data is encrypted, it can still be searched and analyzed as if it were in cleartext format.
According to some embodiments, the present disclosure provides an encrypted analytical vault that secures the data by entangling it prior to index construction and encryption. The encrypted analytical vault secures data while allowing it to be searched and analyzed without the penalty posed by decryption and re-encryption using traditional approaches.
The encrypted analytical vault may allow the secure data format(s) to become established as the de-facto secured formats in the vault. In this modality, all sensitive data are secured as soon as they are ingested by the vault before persisting it, thereby making it easy to share the data without worrying about breaches. In addition, other systems that must access the data may be granted the right set of privileges to consume, search, and analyze the secured data which may not be in the form of cleartext for improved security.
The foregoing is a summary and thus contains, by necessity, simplifications, generalizations and omissions of detail; consequently, the summary is illustrative only and is not limiting in any way. Other aspects, inventive features, and advantages of the systems and/or processes described herein will become apparent in the non-limiting detailed description set forth herein.
BRIEF DESCRIPTION OF THE DRAWINGS
The disclosed embodiments have advantages and features which will be more readily apparent from the detailed description, the appended claims, and the accompanying figures (or drawings). A brief introduction of the figures is provided below.
FIG. 1 illustrates a data releasing scenario, according to some embodiments of the disclosure.
FIG. 2 illustrates a vault-to-vault data transfer scenario, according to some embodiments of the disclosure.
FIG. 3 illustrates an application scenario for bring-your-own-key (BYOK)-based encrypted analytical vault for SaaS applications, according to some embodiments of the disclosure.
FIGS. 4A-4B collaboratively illustrate exemplary data storage in existing business-to-business (B2B) software-as-a-service (SaaS) applications, according to some embodiments of the disclosure.
FIG. 5A illustrates a data write process for a SaaS-based storage system having a