Abstract: A method of data transfer from a tenant to a service provider comprises encrypting the data with a public key of a key pair generated by a secure device within the service provider system. The data thus cannot be accessed by the service provider during transmission. The data is generated with a corresponding access control list, which specifies that a valid certificate must be presented in order to grant a particular use of the data once stored. The tenant can thus retain control of the use of the data even though it has been transferred out of the tenant system. A method of controlling use of data securely stored in the service provider system comprises issuing a use certificate having an expiry time to the party requesting use of the data. The use certificate must be validated before use of the stored data is granted. This enables the tenant to grant use of the stored data for a limited time period.

Abstract: A method of data transfer from a tenant to a service provider comprises encrypting the data with a public key of a key pair generated by a secure device within the service provider system. The data thus cannot be accessed by the service provider during transmission. The data is generated with a corresponding access control list, which specifies that a valid certificate must be presented in order to grant a particular use of the data once stored. The tenant can thus retain control of the use of the data even though it has been transferred out of the tenant system. A method of controlling use of data securely stored in the service provider system comprises issuing a use certificate having an expiry time to the party requesting use of the data. The use certificate must be validated before use of the stored data is granted. This enables the tenant to grant use of the stored data for a limited time period.

Abstract: Systems and methods for managing cryptographic tokens within a hardware security module are disclosed. A parent cryptographic token contains a plurality of parent cryptographic objects, and a child cryptographic token contains a plurality of child cryptographic objects. The child cryptographic token is associated with the parent cryptographic token. A session established with the child token provides access to at least some of the plurality of child cryptographic objects and at least some the plurality of parent cryptographic objects.

Abstract: A method of data transfer from a tenant to a service provider comprises encrypting the data with a public key of a key pair generated by a secure device within the service provider system. The data thus cannot be accessed by the service provider during transmission. The data is generated with a corresponding access control list, which specifies that a valid certificate must be presented in order to grant a particular use of the data once stored. The tenant can thus retain control of the use of the data even though it has been transferred out of the tenant system. A method of controlling use of data securely stored in the service provider system comprises issuing a use certificate having an expiry time to the party requesting use of the data. The use certificate must be validated before use of the stored data is granted. This enables the tenant to grant use of the stored data for a limited time period.

Abstract: A method of data transfer from a tenant to a service provider comprises encrypting the data with a public key of a key pair generated by a secure device within the service provider system. The data thus cannot be accessed by the service provider during transmission. The data is generated with a corresponding access control list, which specifies that a valid certificate must be presented in order to grant a particular use of the data once stored. The tenant can thus retain control of the use of the data even though it has been transferred out of the tenant system. A method of controlling use of data securely stored in the service provider system comprises issuing a use certificate having an expiry time to the party requesting use of the data. The use certificate must be validated before use of the stored data is granted. This enables the tenant to grant use of the stored data for a limited time period.

Abstract: A method for cryptographic material management is provided. The method includes receiving into a computing device, through an API of the computing device, a designation of which of a plurality of key-producing cloud services sources each of a plurality of keys and which of a plurality of key-consuming cloud service providers uses each of the plurality of keys for encrypting or decrypting data. The method includes directing, from the computing device through a first plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-producing cloud services, production of one or more of the plurality of keys. The method includes directing, from the computing device through a second plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-consuming cloud service providers usage of one or more of the plurality of keys.

Abstract: A method of data transfer from a tenant to a service provider comprises encrypting the data with a public key of a key pair generated by a secure device within the service provider system. The data thus cannot be accessed by the service provider during transmission. The data is generated with a corresponding access control list, which specifies that a valid certificate must be presented N in order to grant a particular use of the data once stored. The tenant can thus retain control of the use of the data even though it has been transferred out of the tenant system. A method of controlling use of data securely stored in the service provider system comprises issuing a use certificate having an expiry time to the party requesting use of the data. The use certificate must be validated before use of the stored data is granted. This enables the tenant to grant use of the stored data for a limited time period.

Abstract: A method for cryptographic material management is provided. The method includes receiving into a computing device, through an API of the computing device, a designation of which of a plurality of key-producing cloud services sources each of a plurality of keys and which of a plurality of key-consuming cloud service providers uses each of the plurality of keys for encrypting or decrypting data. The method includes directing, from the computing device through a first plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-producing cloud services, production of one or more of the plurality of keys. The method includes directing, from the computing device through a second plurality of end modules each interfaced to a specific API of a specific one of the plurality of key-consuming cloud service providers usage of one or more of the plurality of keys.