| CPC G06F 21/602 (2013.01) [G06F 12/1408 (2013.01); G06N 20/00 (2019.01); H04L 9/0844 (2013.01); H04L 9/321 (2013.01); H04L 9/3247 (2013.01); G06F 2212/1052 (2013.01)] | 20 Claims |
|
1. A computer implemented system for operating a trusted execution environment maintaining a segregated data processing subsystem:
a computer readable memory having a protected memory region that is encrypted such that it is inaccessible to both an operating system and kernel system, the protected memory region including at least a data storage region and a data processing subsystem storage region maintaining the segregated data processing subsystem;
a computer readable cache memory; and
a secure enclave data processor operating a data custodian data process for automated policy enforcement of one or more data protection policies, the data custodian data process configured to:
receive a query data object representing a proposed query to be operated on one or more protected database elements having access controlled by the segregated data processing subsystem on the protected memory region;
apply the one or more data protection policies operable on the query data object to determine whether the query data object adheres to the one or more data protection policies;
upon a determination that the query data object adheres to the one or more data protection policies, provide a control message to an attestation process to validate that the data custodian data process is operating on the secure enclave data processor and to receive an attestation token data object from the attestation process;
transmit the attestation token data object to release one or more data protection keys; and
access the one or more protected database elements using the data protection keys and cause execution of the proposed query to receive a query response data object.
|