Method and system for secure cross-domain login

    Publication (Announcement) No.: US10333936B2

    Publication (Announcement) Date: 2019-06-25

    Application No.: US15413519

    Application Date: 2017-01-24

    Applicant: Box, Inc.

    Abstract: Techniques are described for separating subdomains as part of a secure login process. For example, the subdomains can correspond to enterprise user accounts, personal user accounts, or both. The login process involves responding to a login request with an assertion, such as a redirect-based assertion, that includes an encrypted data structure carrying the account and user information necessary to identify the corresponding subdomain. The encrypted data structure includes browser-, IP-address-, and user-specific information to thwart, among other things, a cross-site request forgery (CSRF) security vulnerability.

    Access control system for enterprise cloud storage

    Publication (Announcement) No.: US10432644B2

    Publication (Announcement) Date: 2019-10-01

    Application No.: US15277451

    Application Date: 2016-09-27

    Applicant: Box, Inc.

    Abstract: Systems and corresponding computer-implemented methods for context-based rule evaluation in an electronic data storage system are described. A request to perform an operation with respect to a resource is received from a client device, with the request including various attributes associated with the client device. At least one set of rules applicable to the operation is identified. The rules can be formed from a combination of primitives arranged to dynamically evaluate attributes associated with the resource and attributes associated with the client device. Based on the evaluation of the rule set(s), an action is identified to be performed with respect to the resource.

    ACCESSING A CLOUD-BASED SERVICE PLATFORM USING ENTERPRISE APPLICATION AUTHENTICATION

    Type: Invention application (in force)

    Publication (Announcement) No.: US20160065555A1

    Publication (Announcement) Date: 2016-03-03

    Application No.: US14838212

    Application Date: 2015-08-27

    Applicant: Box, Inc.

    CPC classification number: H04L63/0807

    Abstract: Systems for managing user-level security in a cloud-based service platform. A server in a cloud-based environment is configured to interface with storage devices that store objects that are accessible over a network by two or more users. An enterprise entity is identified using an enterprise identifier associated with the enterprise, and an application service is associated with an application identifier. An application service request comprising a user identifier and the application identifier is received, and authentication is determined based on the combination of the user identifier and a pre-authenticated application identifier. Once the application service request is authenticated, then specific aspects of the service request are authorized. The integrity of the application identifier is confirmed by locating a secure association of the given application identifier to a pre-shared enterprise identifier. Logging, auditing and other functions can be performed at the user level using the user identifier for user-level tracking.

