Patent Application
20250233862
The present disclosure relates generally to cybersecurity threat detection and specifically to determining effective permissions of principals to determine cybersecurity threats.
Organizations are increasingly turning to hybrid and multi-cloud platform solutions. Such solutions utilize multiple public cloud computing environments, or combinations of private and public cloud computing environments. Cloud computing environments, such as Amazon® Web Services (AWS), Microsoft® Azure, Google® Cloud platform, and the like, may offer similar functionalities, but often have different implementations, even for similar technology stacks. For example, a container engine deployed in AWS is deployed differently than in Azure. However, each of these platforms may provide different benefits to an organization, which makes it worthwhile to maintain such structures.
A drawback of having a multi-cloud solution is that managing different cloud entities across multiple platforms has increased complexity, especially where the platforms do not offer a bridging solution. Managing access within a cloud computing environment, and between cloud computing environments is crucial for cybersecurity purposes, as mismanaged access can result in mistakes (e.g., a junior grade user shutting down a server) or active cybersecurity threats, such as data theft.
Cloud computing environments include cloud entities such as principals and resources. A principal is a cloud entity that may initiate actions in the cloud computing environment and act on resources. A principal may be a user account, for example. A resource is a cloud entity which provides access to computing resources such as storage, memory, processors, and the like, or services, such as web applications. In order to understand which of these cloud entities may access others, an administrator must check, for each cloud entity, whether it can access, or be accessed by, every other cloud entity.
For typical cloud computing environments, this can lead to a large and complicated calculation requiring large compute and memory resources to accomplish, and in most cases, it is not a feasible solution.
It would therefore be advantageous to provide a solution that would overcome the challenges noted above.
A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
Certain embodiments disclosed herein include a method for detecting effective permissions of a principal in a cloud computing environment. The method comprises: detecting a group of principal nodes, each principal node representing a principal in a cloud computing environment, in a security graph, the security graph storing therein a representation of the cloud computing environment; selecting a first principal node from the group of principal nodes; determining a permission between the first principal node and a resource node, wherein the resource node represents a resource deployed in the cloud computing environment; and associating the group of principal nodes with the determined permission.
Certain embodiments disclosed herein also include a non-transitory computer-readable medium having stored thereon causing a processing circuitry to execute a process, the process comprising: detecting a group of principal nodes, each principal node representing a principal in a cloud computing environment, in a security graph, the security graph storing therein a representation of the cloud computing environment; selecting a first principal node from the group of principal nodes; determining a permission between the first principal node and a resource node, wherein the resource node represents a resource deployed in the cloud computing environment; and associating the group of principal nodes with the determined permission.
Certain embodiments disclosed herein also include a system for detecting effective permissions of a principal in a cloud computing environment. The system comprises: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: detect a group of principal nodes, each principal node representing a principal in a cloud computing environment, in a security graph, the security graph storing therein a representation of the cloud computing environment; select a first principal node from the group of principal nodes;
A system of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.
In one general aspect, a method may include detecting in a security database a plurality of principal nodes, each principal node representing a principal of a cloud computing environment, where the security database further includes a representation of the cloud computing environment. The method may also include selecting a first principal node from the plurality of principal nodes, where the first principal node is representative of all of the principal nodes of the plurality of principal nodes. The method may furthermore include detecting a permission between the first principal node and a resource node, where the resource node represents a resource deployed in the cloud computing environment. The method may in addition include associating the group of principal nodes with the detected permission in the security database to indicate a grant of the detected permission to each principal represented by a principal node of the plurality of principal nodes. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
Implementations may include one or more of the following features. The method may include: generating the plurality of principal nodes by applying maximal biclique detection on the security database. The method may include: receiving at least one of, related to the principal represented by the first principal node: a permission set, an access rule, and an access policy. The method may include: detecting the permission between the first principal node and the resource node based on the received at least one of: the permission set, the access rule, and the access policy. The method may include: generating an edge in the security database indicating the permission, between each principal node of the group of principal nodes and the resource node. The method may include: generating in the security database a principal group node representing the group of principal nodes; and generating in the security database an edge between the resource node and the principal group node, where the edge represents the detected permission. The method may include: generating an edge in the security database between each principal node of the plurality of principal nodes and the principal group node. The method where the first principal node represents at least one of: an user account, a service account, and a role. The method where the resource node represents at least one of: a virtual machine, a container, a serverless function, and an application. The method where the group of principal nodes includes at least a first principal node representing a first principal of a first cloud computing environment and a second principal node representing a principal of a second cloud computing environment. Implementations of the described techniques may include hardware, a method or process, or a computer tangible medium.
In one general aspect, a non-transitory computer-readable medium may include one or more instructions that, when executed by one or more processors of a device, cause the device to: detect in a security database a plurality of principal nodes, each principal node representing a principal of a cloud computing environment, where the security database further includes a representation of the cloud computing environment; select a first principal node from the plurality of principal nodes, where the first principal node is representative of all of the principal nodes of the plurality of principal nodes; detect a permission between the first principal node and a resource node, where the resource node represents a resource deployed in the cloud computing environment; and associate the group of principal nodes with the detected permission in the security database to indicate a grant of the detected permission to each principal represented by a principal node of the plurality of principal nodes. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
In one general aspect, a system may include a processing circuitry. The system may also include a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to. The system detect in a security database a plurality of principal nodes, each principal node representing a principal of a cloud computing environment, where the security database further includes a representation of the cloud computing environment. The system may in addition select a first principal node from the plurality of principal nodes, where the first principal node is representative of all of the principal nodes of the plurality of principal nodes. The system may moreover detect a permission between the first principal node and a resource node, where the resource node represents a resource deployed in the cloud computing environment. The system may also associate the group of principal nodes with the detected permission in the security database to indicate a grant of the detected permission to each principal represented by a principal node of the plurality of principal nodes. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
Implementations may include one or more of the following features. The system where the memory contains further instructions which when executed by the processing circuitry further configure the system to: generate the plurality of principal nodes by applying maximal biclique detection on the security database. The system where the memory contains further instructions which when executed by the processing circuitry further configure the system to: receive at least one of, related to the principal represented by the first principal node: a permission set, an access rule, and an access policy. The system where the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect the permission between the first principal node and the resource node based on the received at least one of: the permission set, the access rule, and the access policy. The system where the memory contains further instructions which when executed by the processing circuitry further configure the system to: generate an edge in the security database indicating the permission, between each principal node of the group of principal nodes and the resource node. The system where the memory contains further instructions which when executed by the processing circuitry further configure the system to: generate in the security database a principal group node representing the group of principal nodes; and generate in the security database an edge between the resource node and the principal group node, where the edge represents the detected permission. The system where the memory contains further instructions which when executed by the processing circuitry further configure the system to: generate an edge in the security database between each principal node of the plurality of principal nodes and the principal group node. The system where the first principal node represents at least one of: a user account, a service account, and a role. The system where the resource node represents at least one of: a virtual machine, a container, a serverless function, and an application. The system where the group of principal nodes includes at least a first principal node representing a first principal of a first cloud computing environment and a second principal node representing a principal of a second cloud computing environment. Implementations of the described techniques may include hardware, a method or process, or a computer tangible medium.
The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
The various disclosed embodiments include a method and system for detecting permission misconfigurations by detecting effective permissions. Effective permissions are permissions which, for example, a principal has in practice. Effective permissions may or may not overlap with what permissions an administrator intends a principal to have. For example, a principal may have more permissions (i.e., higher permissions), than an administrator intended to have. The system performs identity mapping for detecting the effective permissions, whereby principals and resources of a cloud computing environment, or of different cloud computing environments, are mapped into a security graph using a unified model. The unified model includes a principal data structure for defining a principal, and a resource data structure which defines a resource. Thus, principals from different cloud environments, for example, are defined using a principal data structure, which allows standardizing how a principal is defined. Principals and resources are cloud entities. A principal is a cloud entity which has permission to act on a resource, for example by initiating actions in or on the cloud computing environment. A principal may be, for example, a user account, a service account, a role, and the like. A resource is a cloud entity which provides access to hardware, such as processing, storage, memory, and the like, or provides access to a service, a virtualization, and the like. A resource may be, for example, a virtual machine, a container, a serverless function, a web application firewall, an application programming interface (API) gateway, a load balancer, a bucket, and the like.
Mapping principals to the security graph further includes detecting permissions accessed from the cloud environment. For example, an API of a cloud computing environment may be queried to determine security policies, permissions, rules, and the like which apply to principals, resources, and a combination thereof. Principals and resources are represented (i.e., mapped) in the security graph by nodes, each node generated based on the corresponding data structure. A permission may be represented in the security graph by an edge, such that an edge connecting a principal node (i.e., a node representing a principal) to a resource node (i.e., a node representing a resource) indicates a certain permission, whereby the principal has a permission with respect to the resource.
Traversing the security graph allows detection of cybersecurity threats, for example, by detecting permission escalation potential between two or more principal nodes, detecting effective permissions of a principal, and the like. However, determining permissions for each principal on each resource is a processing intensive procedure. Therefore, in order to decrease complexity of the security graph, various optimizations, such as utilizing maximal biclique, are implemented when generating connections (i.e., representing permissions) in the graph between principals and resources. This allows to decrease memory usage and processing resources, resulting in a system with increased security utilizing less resources than the prior art.
It is noted in this regard that determining effective permissions is something a human can do. However, it is recognized that cloud computing environments contain many relationships between principals and resources, often exceeding thousands in number. Even where a human could conceivably determine what the effective permissions are for each principal acting on each resource, no human can compute this fast enough to be actionable in the context of a cybersecurity threat. Furthermore, these relationships constantly change as administrators are changing the environments, resources, such as containers, are spun up and spun down, all of which result in effective permissions being constantly subject to change.
Additionally, certain advantages disclosed herein, such as utilizing maximal bicliques, improve the operation of a computer system determining effective permissions, and as such cannot be performed by a human.
However, utilizing different cloud environments may lead to complicated security policies, which in turn can present vulnerabilities for an organization. In order to at least minimize these, it would be beneficial to have a single normalized (i.e., unified) model for all cloud computing environments, in order to more easily understand where potential threats and risks are.
Generally, every cloud environment includes principals, which act on resources. A principal may be a user account, service account, role, and the like, while a resource may be a virtual machine, container, serverless function, and the like. Each cloud computing environment may include different definitions and data structures for what constitutes a principal or a resource. For example, in some cloud environments code may execute as a user account rather than a service account, while in others code can only execute as a service account.
A first cloud computing environment 110 includes a plurality of user accounts 114, a plurality of resources 116, and a plurality of roles 118. A role 118 is a set of one or more permissions which may be associated with one or more user accounts 114. A user account 114 may be associated with a plurality of roles. The cloud computing environment 110 further includes a policy server 112, which includes one or more policies, each policy including one or more permissions which allow a user account 114, a role 118 or both, access to a resource 116. A policy may be implemented, for example, as a JSON file including therein text which indicates what certain permissions are. A policy may include wildcards, allowing, for example, every user account having an email address at a first domain access to a first resource, and user accounts having an email address at a second domain access to the first resource and to a second resource.
A second cloud computing environment 120 includes a plurality of user accounts 124, a plurality of resources 126, and an API server 122. The API server 122 may provide upon request data including user accounts, applications, resources, and relationships (i.e., permissions) between them.
Each of the cloud computing environments 110 and 120 are communicatively connected to a unifying identity mapper 130. In an embodiment, the unifying identity mapper 130 may be implemented in a security environment 131. The security environment 131 may be implemented as a cloud computing environment, such as Azure. The security environment 131 further includes a graph database 132, on which a security graph may be stored. A security graph is configured to represent a plurality of cloud computing environments. For example, the unifying identity mapper 130 may store identities as nodes in the security graph, where a node represents an identity. An identity may be, for example, a unique user account, unique service account, and the like.
In an embodiment, the first cloud computing environment 110 and the second cloud computing environment 120 may be the same type of cloud environment, or different types of cloud environments. For example, a first cloud computing environment may be deployed in AWS, while the second cloud computing environment is deployed in Azure. As another example, the first and second cloud computing environments 110 and 120 may be both deployed in AWS, as separate environments under the same cloud computing architecture. For example, each cloud computing environment may be deployed as a virtual private cloud (VPC) in AWS.
In some embodiments, the unifying identity mapper 130 (also referred to as mapper 130) may be implemented in the first cloud computing environment 110, the second cloud computing environment 120, or a different networked or cloud computing environment. The mapper 130 is configured to receive from each cloud computing environment data pertaining to principals, user accounts, service accounts, resources, roles, policies, permissions, and the like.
Receiving such data may be different based on the cloud environment architecture. For example, Google® Cloud Platform provides such information by accessing an API. In an embodiment the mapper 130 is configured to call the API with a request to receive the data. As another example, AWS utilizes policies which may be requested as JSON files. In an embodiment the mapper 130 is configured to read data from the JSON file. The mapper 130 is further configured to map the received data into a security graph. Mapping the received data may include generating nodes in the security graph representing principals, and resources, and connecting the nodes (i.e., generating edges) based on permissions which are read from the received data. This is discussed in more detail in
Each identity 210 may be connected to a plurality of attributes, such as a first attribute 212, a second attribute 214, and third attribute 216. While three attributes are used in this example, it is readily understood that any number of attributes may define an identity node, and that each identity node may be defined by one or more attributes. An attribute may be metadata. For example, a role identifier (e.g., “admin”) may be an attribute of an identity node (e.g., indicating an identity is an administrator).
At S310, identity data is received from a cloud computing environment. Identity data may include information relating to principals, resources, and connections between principals and resources. For example, information may be identifiers, such as username, account name, role identifier, service account identifier, network address, IP address, and the like. Connections between principals and resources may be defined by policies, permissions, and the like. For example, a policy may indicate that a user account associated with a certain predefined role may access a first plurality of resources in a cloud computing environment.
At S320, a plurality of principals from the cloud computing environment are each mapped to a corresponding principal node of a security graph. In an embodiment mapping includes generating the principal node and associating it with the principal. Associating a principal with a principal node may include, for example, storing a unique identifier of the principal on the principal node. A principal node may be, for example, an identity node. For example, a user account is a principal, and the user account is mapped to a principal node representing the user account. The security graph may further store metadata associated with the user account, such as a username.
At S330 a plurality of resources from the cloud computing environment are each mapped to a corresponding resource node of the security graph. In an embodiment, mapping is performed by generating a resource node and associating it with the resource. Associating may be performed by storing a unique identifier of the resource on the resource node. A resource node may be, for example, a node representing a virtual machine, a container, a serverless function, a software application, an operating system, a WAF, a gateway, a load balancer, and the like.
In an embodiment, a generated resource node, and a generated principal node, may each store information, for example as data attributes, which points to a corresponding identity, resource, and the like, to which they are mapped, enabling a trace between the representation (e.g., principal node) and the represented object (specific username). In some embodiments, an object (i.e., cloud entity) in a cloud computing environment may be a principal, and also a resource to other principals. For example, a load balancer may be a resource for a user account, but a principal for a web server which utilizes the load balancer. The security graph may further store metadata for a resource node, such as IP address, name in a namespace, etc.
At S340 a connection is determined between a first cloud entity and a second cloud entity in the cloud computing environment. The first cloud entity and the second cloud entity each may be a principal, or a resource. In an embodiment, determining a connection includes reading a policy, a permission, and the like, and determining a relationship between a first cloud entity and a second cloud entity, wherein the cloud entities form a condition of the policy, permission, and the like. In an embodiment, a cloud entity may be a role, and associated with a role node, implemented as a type of principal node. A role node is associated with a specific role (i.e., set of one or more permissions relating to a resource). Determining a connection may include reading data from a policy in order to determine if a permission exists to allow communication between the principal node and another principal node or a resource node. In an embodiment, a determined connection is stored as an edge in the security graph. For example, a connection indicating that a principal can access a resource may be stored as a principal node connected by an edge to a resource node, wherein the edge indicates a “can access” type connection.
At S350 a check is performed if additional data is received. If yes, execution continues at S310. Otherwise, execution may terminate. In some embodiments, a check may be performed to determine if additional principals need to be mapped. If yes, execution continues at S320. In yet other embodiments, a check may be performed to determine if additional resources need to be mapped. If yes, execution may continue at S330.
In order to determine effective permissions, permissions need to be determined for each principal on each resource, e.g., determining if each principal can access each resource. Performing such a calculation is processing intensive, as well as requiring large amounts of memory due to the volume of both principals and resources in a cloud computing environment. This complication is compounded when also taking into account that certain service accounts may assume other service accounts (for example across different cloud platforms), certain user accounts may assume other user accounts, and certain resources may also be principals. The disclosed embodiments reduce the burden of processing and memory usage, for example, by reducing the amount of checks performed for each principal-resource combination, while still maintaining complete information on effective permissions.
At S410, a group of a plurality of principals is detected in a security graph. The security graph, as detailed above, represents a cloud computing environment of which principals and resources are represented as nodes in the security graph. Detecting a group of principals may be performed, for example, by utilizing vertex maximal bicliques. A biclique is maximal when it is the largest size, based on number of nodes (vertex maximum biclique) or number of edges (edge maximum biclique). A biclique is a bipartite graph where every node of the first set (principals) is connected to every node of the second set (resources). Each principal in the group has the same permissions to act on each of the resources. By only determining in the next steps permissions for one principal as a representative of the group, redundant determinations are not performed, thereby decreasing processing and memory requirements.
At S420, permissions are determined for a first principal of the group with respect to a resource. In an embodiment, permissions may be associated with a resource, a plurality of resources, and the like. A permission may be an access policy, an access rule, and the like. Permissions may include a permission set, which is a group of permissions which together define access to a particular resource, group of resources, action, actions, and the like. For example, a first permission set (i.e., role) may be associated with a first resource, a second permission set may be associated with a second resource, and so on.
At S430 the first group of principals is associated with the determined permissions. In an embodiment, associating a group of principals with the determined permissions includes generating a node representing the effective permissions in the security graph. An edge is generated between each of the principal nodes representing the first group of principals, to the node representing the effective permissions. By associating all the principals based on determining permissions for a single principal, many redundant calculations are not performed, thereby reducing compute and memory resources required for computing and storing the redundant information. In other embodiments, a principal group node may be generated, to represent the first group of principals. The principal group node may be associated with the permission, for example by connecting the principal group node to the resource node with an edge representing the permission. Each of the principal nodes may be in turn connected to the principal group node.
In order to determine effective permissions, permissions need to be determined for each resource on each other resource, e.g., determining if each resource can access each other resource. Performing such a calculation is processing intensive, as well as requiring large amounts of memory due to the volume of both principals and resources in a cloud computing environment. This complication is compounded when also taking into account that certain service accounts may assume other service accounts (for example across different cloud platforms), certain user accounts may assume other user accounts, and certain resources may also be principals. The disclosed embodiments reduce the burden of processing and memory usage, for example by reducing the amount of checks performed for each principal-resource combination, while still maintaining complete information on effective permissions.
At 510 a first group of a plurality of resources is detected in a security graph. The security graph, as detailed above, represents a cloud computing environment of which principals and resources are represented as nodes in the security graph. Detecting a group of resources may be performed, for example, by utilizing vertex maximal bicliques. A biclique is maximal when it is the largest size, based on number of nodes (vertex maximum biclique) or number of edges (edge maximum biclique). A biclique is a bipartite graph where every node of the first set (resources) is connected to every node of the second set (other resources). Each resource in the group has the same permissions to act on each of the other resources. By only determining in the next steps permissions for one resource as a representative of the group, redundant determinations are not performed, thereby decreasing processing and memory requirements.
At S520 permissions are determined for a first resource of the first group. The permissions may be associated with one or more resources or principals. For example, a first permission set (i.e., role) may be associated with a first resource, a second permission set may be associated with a second resource, etc. A permission may be, for example, permission to read data from a storage, and permission to write data to the storage.
For example, a first group may have permission to read from the storage, while a second group may have permissions to read and write to the storage. As another example, a serverless function may have permission to write to a storage of a distributed storage system, which includes multiple storage devices. As the multiple storage devices share a common policy, the serverless function has permission to write to any of the multiple storage devices. By grouping the storage devices (i.e., utilizing maximal bicliques), less memory is required to indicate that the serverless function has permission to write to any of the multiple storage devices.
At 530 the first group of resources is associated with the determined permissions. In an embodiment, associating a group of resources with the determined permissions includes generating a node representing the effective permissions in the security graph. An edge is generated between each of the resource nodes representing the first group of resources, to the node representing the effective permissions. By associating all the resources based on determining permissions for a single resource, many redundant calculations are not performed, thereby reducing compute and memory resources required for storing the redundant information.
At S610 a second principal node is detected for a first principal node in a security graph. The second principal (represented by the second principal node) is able to assume the first principal (represented by the first principal node), i.e., the second principal may act as the first principal, in some, or all aspects. Permissions of a principal may change when acting through (i.e., assuming) another principal. For example, an application may have permission to perform a wide variety of operations in a cloud computing environment. However, a user account operating the application may only access limited permissions of all the permissions available to the application.
In an embodiment, detecting the second principal node may be performed by querying the security graph to detect principal nodes which are connected to the first principal node.
At S620, a permission escalation event is detected based on determined permissions of the first principal node and the second principal node. In an embodiment, detecting a permission escalation event may occur when an access occurs which involves a principal which is not authorized for the access. For example, the second principal is not authorized to access a resource which the first principal is authorized to access. When the second principal is allowed to assume the first principal, the second principal has an effective permission to access the first resource, which should not be permitted.
As another example, the second principal may assume a role of the first principal node, and as the first principal node grant additional permissions to the second principal which were not previously available. The additional permissions are stored on the security graph and can be detected, for example, by querying the security graph to detect permissions granted by a first principal to a second principal, where the second principal can assume a role of the first principal.
This detection is possible by tracing the connection between the access and the principal utilizing the security graph described above.
At S630, a permission associated with the second principal is revoked. Revoking a permission is performed in an attempt to prevent the escalation event. In another embodiment, a notification may be generated to an administrator account to notify that a potential permission escalation may occur.
The processing element 710 is coupled via a bus 705 to a memory 720. The memory 720 may include a memory portion 722 that contains instructions that when executed by the processing element 710 performs the method described in more detail herein. The memory 720 may be further used as a working scratch pad for the processing element 710, a temporary storage, and others, as the case may be. The memory 720 may be a volatile memory such as, but not limited to random access memory (RAM), or non-volatile memory (NVM), such as, but not limited to, Flash memory.
The processing element 710 may be coupled to a network interface controller (NIC) 730, which provides connectivity to one or more cloud computing environments, via a network.
The processing element 710 may be further coupled with a storage 740. Storage 740 may be used for the purpose of holding a copy of the method executed in accordance with the disclosed technique. The storage 740 may include a storage portion 745 containing a security graph model (i.e., a data structure for a principal, and a data structure for a resource) into which principals and resources of a cloud environment are mapped to corresponding nodes, and connections between the nodes are determined based on data received from the cloud environment indicating permissions of each principal to act on one or more resources.
The processing element 710 and/or the memory 720 may also include machine-readable media for storing software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing system to perform the various functions described in further detail herein.
It should be understood that the embodiments described herein are not limited to the specific architecture illustrated in
The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer-readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer-readable medium is any computer-readable medium except for a transitory propagating signal.
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiment and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosed embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
It should be understood that any reference to an element herein using a designation such as “first,” “second,” and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise, a set of elements comprises one or more elements.
As used herein, the phrase “at least one of” followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including “at least one of A, B, and C,” the system can include A alone; B alone; C alone; 2A; 2B; 2C; 3A; A and B in combination; B and C in combination; A and C in combination; A, B, and C in combination; 2A and C in combination; A, 3B, and 2C in combination; and the like.
This application is a continuation of U.S. Non-Provisional application Ser. No. 17/812,909, filed Jul. 15, 2022, which claims the benefit of U.S. Provisional Application No. 63/222,714 filed on Jul. 16, 2021, the contents of which are hereby incorporated by reference.
| Number | Date | Country | |
|---|---|---|---|
| 63222714 | Jul 2021 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 17812909 | Jul 2022 | US |
| Child | 19068817 | US |
