Firewalls are critical components for securing internet-connected computing resources, such as application software (“applications”). However, the potential security performance of a firewall cannot be achieved if it is not properly configured with rules identifying permitted and/or denied connections with external nodes or services. In cloud environments, when a user is attempting to configure a firewall to protect virtual network or on-premises (“on-prem”) resources, identifying the necessary information for configuration can be challenging and time-consuming. Additionally, this information may be deployment specific and even change over time, make it harder for users to determine alone the right set of access rules.
The disclosed examples are described in detail below with reference to the accompanying drawing figures listed below. The following summary is provided to illustrate some examples disclosed herein. It is not meant, however, to limit all examples to any particular configuration or sequence of operations.
Some aspects disclosed herein are directed to a solution for firewall auto-learning in zero trust environments, such as cloud environments. Examples include, based at least on a first trigger event, determining a first set of restricted dependencies for a cloud service firewall to learn for a first application; during a first learning phase, learning a first set of candidate rules corresponding to at least a portion of the first set of restricted dependencies; receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the first set of candidate rules, to generate a first set of verified rules; and operating the firewall with the first set of verified rules for the first application. Some examples include receiving a set of constraints, such as a selection from a set of preset constraints and/or a custom constraint. Some examples include retraining based at least on a second trigger event and/or learning rules for a second application.
The disclosed examples are described in detail below with reference to the accompanying drawing figures listed below:
Corresponding reference characters indicate corresponding parts throughout the drawings.
The various examples will be described in detail with reference to the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts. References made throughout this disclosure relating to specific examples and implementations are provided solely for illustrative purposes but, unless indicated to the contrary, are not meant to limit all examples.
Platform as a Service (PaaS) or Application Platform as a Service (aPaaS) or platform-based service is a category of cloud computing services that provides a platform allowing users to develop, run, and manage applications without the complexity of building and maintaining for themselves the entirety of the infrastructure typically associated with developing and launching an application.
Firewalls are critical components for securing internet-connected computing resources, such as application software (“applications”). In some implementations, firewalls deny traffic by default, unless a rule permits the traffic. In a zero-trust environment, all traffic is denied by default. With this approach, the user is presented with the challenge of determining what traffic should be allowed. When the allow rules are too permissive, the need to specifically deny some traffic becomes relevant (e.g., denying a subset of traffic that is allowed by some rules). The potential security performance of a firewall cannot be achieved if it is not properly configured with rules identifying permitted and/or denied connections with external nodes or services. Unfortunately, when a user is attempting to configure a firewall to protect virtual network or on-prem resources, identifying the necessary information for configuration can be challenging and time-consuming. This is because dependencies are often deployment-specific, and can change for a given application due to an update. Additionally, home grown applications that are moved to the cloud, have their own access needs, but users are rarely aware of them. One potential solution is the use of a learning phase during early stages of an application deployment. This introduces a problematic scenario: Undesirable network traffic (e.g., data exfiltration) could occur during the learning phase and therefore could be included within the firewall configuration, thereby reducing the effectiveness of the firewall.
Therefore, a disclosed solution for firewall auto-learning is presented for zero trust environments, such as cloud environments. The user reviews the learned rules and can either remove them (equal to deny by default), modify them, or accept them. When the list of rules (“rule collection”) is ready, the user assigns a priority and action to the collection and deploys it. In some examples, this includes: based at least on a first trigger event, determining a first set of restricted dependencies for a cloud service firewall to learn for a first application; during a first learning phase, learning a first set of candidate rules corresponding to at least a portion of the first set of restricted dependencies; receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the first set of candidate rules, to generate a first set of verified rules; and operating the firewall with the first set of verified rules for the first application. Some examples include receiving a set of constraints, such as a selection from a set of preset constraints and/or a custom constraint. Some examples include retraining based at least on a second trigger event and/or learning rules for a second application.
Aspects of the disclosure operate in an unconventional way to improve firewall auto-learning in zero trust environments by guiding and restricting learning. That is, application dependencies are learned within constraints, such as preset constraints and/or custom user-defined constraints. By restricting learning, unlearned network traffic will continue to be blocked by the firewall. Various learning modes include learn and allow and learn and deny. In some examples, known storage solutions and other services are made available with preset constraints managed (and updated) by a service provider, to ease the burden on users.
Aspects of the disclosure teach automatically learning dependencies for traffic that is flowing through a firewall and allowing users to create access rules based on that learning. The learning is restricted by a set of constraints, so that the firewall can only learn the needed access for specific destinations. For example, users may configure the firewall to learn access to only certain storage and services and avoid unwanted learning. The learning process is configurable to last hours to days, and at the end the user is presented with a suggested set of rules that are required for a given application. The user reviews and edits the rules before activating them. Using this approach, moving applications to a hosted cloud service (a.k.a. “lift and shift”) is sped up, while still enabling users to secure egress traffic and avoid data exfiltration.
The user has deployed a first application 124 on VM 130, a second application 126 on VM 132, and a third application 128 on VM 138. At some point, the user will update first application 124 with application update 118 (via VPN connection points 120 and 122). Application update 118 is illustrated as residing within on-premises network 110, although it could be located elsewhere, such as on a cloud resource 728. Unfortunately, the user may possess less information about the dependencies of application 124 (and the others) when application 124 is running in a cloud environment (e.g., one of VNets 104, 106, and 108), than if the user was hosting application 124 solely within its own on-premises network 110. As a result, the user may require assistance with properly configuring firewall 102.
Although the service provider, who provides VNet 104, does know information about VNets 104, 106, and 108 and an associated services set 170 (because these are managed and/or provided by the service provider), firewall 120 is a service for which the configuration is owned by the user (customer). Thus, the learning is designed to make it easier for the user to set and manage the configuration of firewall 102. As illustrated, associated services set 170 includes application services 172 and 174 and also the service provider's cloud storage service 176. However, the service provider is unlikely to know all of the dependencies for third party applications, such as application 124, if it was designed and/or produced by the user or another software developer. This is because application dependencies might be deployment-specific, such as some PAAS services and some home-grown applications. As a result, the service provider who operates VNet 104 that runs firewall 102 is able to assist with configuring firewall 102 for dependencies of application 124 related to application services 172 and 174 and also cloud storage service 176. However, in general the service provider's knowledge does not extend to external cloud storage service 178 or communication with cloud resource 728 or other nodes across internet 164.
Thus, firewall 102 requires custom configuration of rules in order for application 124 to operate properly. The various phases of the configuration process, managed by an orchestrator 156, are described in more detail with respect to a timeline 500 and a flow chart 600 in
For example, firewall 102 permits egress for traffic 160 from application 124 and blocks egress traffic 162 from application 124. For private applications (e.g. spoke to spoke communication among VNets 106 and 108) firewall 102 permits or denies traffic incoming to or outgoing from application 126 or 128. Although allowed traffic 160 and denied traffic 162 are illustrated as going to and from internet 164, firewall 102 also manages traffic going to and from associated services set 170 and among VNets 104, 106 and 108. Associated services set 170 can be in various locations, including, in some examples, across internet 164. Associated services set 170 includes storage, operating system (OS) updates, diagnostics, and other services (see, for example
Prior to the start of the learning phase, in some examples, the user uses a graphical user interface (GUI) 116 to set up restricted dependencies that can include smart tags 148, which are a portion of preset constraints 150, and also custom constraints 152. In some examples, a command line interface or script is used. Smart tags 148 includes a set of fully qualified domain names (FQDNs), which can include wild cards, for services known to be secure. Examples include some OS update services and some storage services, for example within associated services set 170. Smart tags 148, and other preset constraints 150, allow the user to rapidly build a set of restricted dependencies for firewall 102 to learn for application 124, and also other applications 126 and 128, along with relearning when application 124 is updated with application update 118. Users can limit outbound http/s traffic to a specified list of FQDNs, including wild cards. Other protocols can also be used. This permits rapidly creating rules for network filtering to allow or deny traffic based on source and destination interne protocol (IP) address, port, and protocol. In some examples, at least two types of dependencies are learned: (1) target FQDN and target URLs, which is Layer 7 learning; and (2) target IPs, which is Layer 4 learning (in the TCP/IP 7 layer model). In some examples, the user can select tags, but not edit them.
Rules are enforced and logged across multiple subscriptions and VNets. For example, with an FQDN tag for an OS update, network traffic from a verified OS update network address can flow through firewall 102. A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. In some examples, the service provider manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change. In some examples, a preset rule collection includes access to a storage platform image repository (PIR), managed disks status storage access, diagnostics and logging, overriding, and others. Users can override the presets by creating a deny all application rule collection that is processed last.
During the learning phase, logs 154 are generated from learning candidate rules 142. Logs 154 are presented to the user, for example via GUI 116, so that the user can intelligently verify, block, or tailor one or more of candidate rules 142, based on evaluating logs 154. That is, the user reviews the learned rules and can either remove them (equal to deny by default), modify them, or accept them. In operation, orchestrator 156 receives a set of constraints for a first set of restricted dependencies (e.g., custom constraints 152 and preset constraints 150, which includes smart tags 148), such as from the user via GUI 116. In some examples, receiving a set of constraints for the first set of restricted dependencies comprises receiving at least one input selected from the list consisting of: a selection from preset constraints 150 and custom constraints 152. In some examples, the first set of restricted dependencies comprises at least one dependency selected from the list consisting of: an application dependency and a network dependency. Application rules are Layer 7 constructs and network rules are Layer 4 constructs learning in the TCP/IP 7 layer model. An application dependency is a necessary communication (for proper operation) with an application service, such as application services 172 and 174, whereas a network dependency is a necessary communication across a network, such as internet 164. In some examples, orchestrator 156 receives instructions (via GUI 116) for candidate rules 142 to learn and deny or to learn and allow.
Based at least on a first trigger event, ML component 140 determines a first set of restricted dependencies for firewall 102 to learn for application 124. In some examples, the first trigger event comprises an event selected from the list consisting of: a user input (via GUI 116) and an update to application 124, as sensed by orchestrator 156. During a first learning phase, ML component 140 learns set of candidate rules 142 corresponding to at least a portion of the first set of restricted dependencies. Also, during the first learning phase, in some examples, orchestrator 156 generates logs from learning candidate rules 142. In some examples, orchestrator 156 also determines whether, from among the first set of restricted dependencies, a dependency was not exercised. This situation prevents ML component 140 from learning the associated rule. Thus, in some examples, based at least on determining that a dependency was not exercised, orchestrator 156 generates an alert for the user (such as through GUI 116) identifying that a dependency was not exercised.
At the completion of the first learning phase, or in some examples, during the first learning phase, orchestrator 156 presents logs 154 to the user for evaluation. Orchestrator 156 receives, from the user an indication of verifying, blocking, or tailoring one or more candidate rules within candidate rules 142, to generate verified rules 144. VNet 104 then operates firewall 102 with verified rules 144 for application 124. Additionally, firewall 102 can be trained (e.g., configured via learning by ML component 140) for one or more of applications 126 and 128 in a second learning phase. In some examples, training and rule sets are specific to a particular application (e.g., are unique to a single application and each application has its own verified rules 144). In some examples, training can be conducted in parallel, and/or rule sets can apply to more than just a single application. In some examples, the trigger event for learning includes the user completing entry of restricted dependency information into GUI 116.
In some examples, the trigger event for learning includes orchestrator 156 identifying a situation in which updating or retraining dependencies for a particular application is warranted, such as when smart tags are updated. For situations in which application 124 is updated with application update 118, some security paradigms indicate that user-initiated retraining is preferable over automatic retraining. In some examples, when traffic that does not match learned rule set triggers an alert for unexpected traffic within a short time period, retraining may be warranted. In an exemplary scenario, the initial learning phase is set to 24 hours, and the user can indicate that retraining will be permitted (possibly automatically) if alert for unexpected traffic occurs within a week of the completion of the initial learning phase. The retraining may then cover dependencies that were not properly discovered (learned) initially. In some scenarios, if retraining is allowed for a longer time period, a data exfiltration attempt might be mistaken as a need for retraining. In another exemplary scenario, retraining is tied to the use of smart tags. The provider of VNet 104 knows that a smart tag requires updating and the user has agreed for that automatic training is permissible under the user's defined restrictions, based upon the provider's recommendation. For example, a PaaS service in a VNet may need an additional dependency to storage account. In such scenarios, the retraining can be limited to learning only new storage access (and not other access).
A user clicking on selectable link 232 moves GUI 116 to display a new page (screen) listing the specific rules referenced by table entry 230, for example configuration interface 400
A duration field 234 permits the user to specify the duration of the learning phase. A begin GUI button 236 can act as a trigger event to initiate a learning phase, and a cancel GUI button 236 permits the user to exit GUI 116 without initiating a learning phase.
A rules display area 240 has five columns 222, 224, 226, and 223, in a table style display. A first table entry 250 indicates two application rules in a selectable link 252. A user clicking on selectable link 252 moves GUI 116 to display a new page listing the specific rules referenced by table entry 250. A second table entry 254 indicates one application rule in a selectable link 256. A user clicking on selectable link 256 moves GUI 116 to display a new page listing the specific rule referenced by table entry 254. In some examples, the different priorities assigned to different rules have no practical effect, since the rules are enforced independently of priority. A user clicking on “Add Application Rule” GUI button 216 takes GUI 116 to configuration interface 300, illustrated in
FQDN area 310 permits rapid entry of smart tag information, leveraging management of FQDN tag specifics by a service provider who has access to the necessary data, such as the service provider providing VNet 104 and/or associated services set 170. FQDN area 310 includes data entry fields for two rule constraint sets 312 and 322. These include name fields 314 and 324, source address fields 316 and 326, and FQDN tag fields 318 and 322. As indicated, FQDN tag field 318 uses a preset constraint identifying an application service (e.g., application service 172) for OS_Update. This is a smart tag, and the details are managed for the user by the service provider, easing the burden on the user.
Learning includes target FQDNs and target IP addresses. When learning can determine that a set of dependencies is actually a service tag or FQDN tag, this is indicated in FQDNs area 330. Dependency information includes desired protocol and domain names, such as URLs with wildcards. In some examples, there is no need to define target FQDNs as this information is learned. FQDN tags (smart tags) are a way to deliver constraints with a tag. The content of a tag can indeed be used as a constraints list, which is narrowed based on actual access. For example, a tag may include “*.blob.core.provider.net” which means allow access to a wide range of storage locations. After learning, this is replaced with a specific FQDN for a storage account such as “myaccount.blob.core.provider.net.”
Target FQDNs area 330 includes name fields 334 and 334, source address fields 336 and 336, protocol/port fields 338 and 348, and target FQDNs fields 340 and 350. FQDN area 310 indicates an example of learning setup using smart tags 148. FQDN area 310 and target FQDNs area 330 indicate examples of learning setup using preset constraints 150.
IP address area 410 includes data entry fields for two rule constraint sets 412 and 414. These include name fields 420 and 430, protocol fields 422 and 432, source address fields 424 and 434, destination address fields 426 and 436, and destination ports 428 and 438. Service tags area 470 includes data that, in some examples, is managed by the provider of VNet 104. This include name fields 440 and 450, protocol fields 442 and 452, source address fields 444 and 454, service tags fields 446 and 456, and destination ports 448 and 458.
A trigger event occurs in phase 504, to initiate a learning phase 506. In some examples, a trigger event is based on user input. In some examples, a trigger event is based on an update to an application, or another indication that the application is not performing properly because some needed dependencies are being blocked. Based at least on the trigger event, learning phase 506 is initiated, and includes determining a set of restricted dependencies for a cloud service firewall to learn for an application. During learning phase 506, a set of candidate rules is learned that corresponds to at least a portion of the set of restricted dependencies. In some examples, during the first learning phase, logs are generated from learning the set of candidate rules. Some examples include determining whether, from among the set of restricted dependencies, one or more dependencies were not exercised. Based at least on determining that a dependency was not exercised, either during learning phase 506 or during a following verification phase 508, an alert is generated identifying that a dependency was not exercised. In some examples the learning phase is 24 hours. In some examples, the learning phase is a different duration, such as 48 hours, a week, or some other duration. During learning phase 506, the user should try to flex the application to exercise all capabilities and dependencies. If the user did not use certain functionality, then training might not have the proper scope.
During the verification phase 508, prior to receiving an indication of verifying, blocking, or tailoring one or more candidate rules, the logs are presented to a user (or some other artificial intelligence (AI) component) for evaluation. The candidate rules are assessed for verifying, blocking, or tailoring one or more candidate rules within the set of candidate rules, to generate a set of verified rules. After verification of the rules, during operating phase 510, the firewall is operated with the set of verified rules for the application, and in some examples, also with threat intel, which blocks some traffic, such as traffic associated with malicious logic and activity (e.g., unauthorized data exfiltration). Timeline 500 is cyclical, so that phases 502 through 510 are repeated for maintenance and updates to the application, and also for additional applications (apps).
Operation 608 includes, based at least on a trigger event, determining a set of restricted dependencies for a cloud service firewall to learn for a first application. Operation 610 begins a learning phase, which may be 24 hours, 48 hours, or some other duration specified by the user or an algorithm. Operation 612 includes, during a learning phase, learning a set of candidate rules corresponding to at least a portion of the set of restricted dependencies. Operation 614 includes, during the learning phase, generating logs from learning the set of candidate rules. Operation 616 includes determining whether, from among the set of restricted dependencies, a dependency was not exercised. This can occur if the application was not sufficiently flexed or stressed during the learning phase.
If, in decision operation 618, it is determined that a dependency was not exercised, then operation 620 includes based at least on determining that a dependency was not exercised, generating an alert identifying that a dependency was not exercised. Operation 622 is the completion of the learning phase, such as the learning phase reaching its specified duration or some other criteria. In some examples, operation 620 occurs after the learning phase is completed (e.g., after operation 622). In operation 624, the user is prompted to review the rules, for example to change them from learn to allow or deny. This involves operation 626, which includes, prior to receiving an indication of verifying, blocking, or tailoring one or more candidate rules, presenting the logs for evaluation.
The user edits the rules by verifying, blocking, or tailoring various candidate rules to produce verified rules in operation 628. Thus, operation 630 includes receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the set of candidate rules, to generate a set of verified rules. Operation 632 includes operating the firewall with the set of verified rules for the first application. In some examples, operation 630 also includes using threat intel to block (deny) certain traffic.
Operation 634 includes tracking application access events (via the logs) to determine whether the application is using the full scope of permitted traffic. Operation 636 includes, based at least on determining that the application is not using the full scope of permitted traffic, trimming the scope of permitted traffic. In some examples, this is implemented by trimming permitted traffic to that traffic which is within the logs and is not associated with potential problems. Flow chart 600 repeats as necessary for a second trigger event for the application, and/or for additional applications.
Some aspects and examples disclosed herein are directed to a system for firewall auto-learning comprising: a processor; and a computer-readable medium storing instructions that are operative when executed by the processor to: based at least on a first trigger event, determine a first set of restricted dependencies for a cloud service firewall to learn for a first application; during a first learning phase, learn a first set of candidate rules corresponding to at least a portion of the first set of restricted dependencies; receive an indication of verifying, blocking, or tailoring one or more candidate rules within the first set of candidate rules, to generate a first set of verified rules; and operate the firewall with the first set of verified rules for the first application.
Additional aspects and examples disclosed herein are directed to a method of firewall auto-learning comprising: based at least on a first trigger event, determining a first set of restricted dependencies for a cloud service firewall to learn for a first application; during a first learning phase, learning a first set of candidate rules corresponding to at least a portion of the first set of restricted dependencies; receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the first set of candidate rules, to generate a first set of verified rules; and operating the firewall with the first set of verified rules for the first application.
Additional aspects and examples disclosed herein are directed to one or more computer storage devices having computer-executable instructions stored thereon for firewall auto-learning, which, on execution by a computer, cause the computer to perform operations comprising: receiving a set of constraints for a first set of restricted dependencies, wherein receiving a set of constraints for the first set of restricted dependencies comprises receiving at least one input selected from the list consisting of: a selection from a set of preset constraints and a custom constraint; based at least on a first trigger event, determining the first set of restricted dependencies for a cloud service firewall to learn for a first application, wherein the first trigger event comprises an event selected from the list consisting of: a user input and an update to the first application, and wherein the first set of restricted dependencies comprises at least one dependency selected from the list consisting of: an application dependency and a network dependency; during a first learning phase, learning a first set of candidate rules corresponding to at least a portion of the first set of restricted dependencies: during the first learning phase, generating logs from learning the first set of candidate rules; and determining whether, from among the first set of restricted dependencies, a dependency was not exercised; based at least on determining that a dependency was not exercised, generating an alert identifying that a dependency was not exercised; presenting the logs for evaluation; receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the first set of candidate rules, to generate a first set of verified rules; operating the firewall with the first set of verified rules for the first application; based at least on a second trigger event, determining a second set of restricted dependencies for the firewall to learn for the first application, wherein the second trigger event comprises an event selected from the list consisting of: a user input and an update to the first application; during a second learning phase, learning a second set of candidate rules corresponding to at least a portion of the second set of restricted dependencies; receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the second set of candidate rules, to generate a second set of verified rules, the second set of verified rules different from the first set of verified rules; operating the firewall with the second set of verified rules for the first application; based at least on a third trigger event, determining a third set of restricted dependencies for the firewall to learn for a second application; during a third learning phase, learning a third set of candidate rules corresponding to at least a portion of the third set of restricted dependencies; receiving an indication of verifying, blocking, or tailoring one or more candidate rules within the third set of candidate rules, to generate a third set of verified rules; and operating the firewall with the third set of verified rules for the second application.
Alternatively, or in addition to the other examples described herein, examples include any combination of the following:
While the aspects of the disclosure have been described in terms of various examples with their associated operations, a person skilled in the art would appreciate that a combination of operations from any number of different examples is also within scope of the aspects of the disclosure.
Computing device 700 includes a bus 710 that directly or indirectly couples the following devices: computer-storage memory 712, one or more processors 714, one or more presentation components 716, I/O ports 718, I/O components 720, a power supply 722, and a network component 724. While computing device 700 is depicted as a seemingly single device, multiple computing devices 700 may work together and share the depicted device resources. For example, memory 712 may be distributed across multiple devices, and processor(s) 714 may be housed with different devices.
Bus 710 represents what may be one or more busses (such as an address bus, data bus, or a combination thereof). Although the various blocks of
In some examples, memory 712 includes computer-storage media in the form of volatile and/or nonvolatile memory, removable or non-removable memory, data disks in virtual environments, or a combination thereof. Memory 712 may include any quantity of memory associated with or accessible by the computing device 700. Memory 712 may be internal to the computing device 700 (as shown in
Processor(s) 714 may include any quantity of processing units that read data from various entities, such as memory 712 or I/O components 720. Specifically, processor(s) 714 are programmed to execute computer-executable instructions for implementing aspects of the disclosure. The instructions may be performed by the processor, by multiple processors within the computing device 700, or by a processor external to the client computing device 700. In some examples, the processor(s) 714 are programmed to execute instructions such as those illustrated in the flow charts discussed below and depicted in the accompanying drawings. Moreover, in some examples, the processor(s) 714 represent an implementation of analog techniques to perform the operations described herein. For example, the operations may be performed by an analog client computing device 700 and/or a digital client computing device 700. Presentation component(s) 716 present data indications to a user or other device. Exemplary presentation components include a display device, speaker, printing component, vibrating component, etc. One skilled in the art will understand and appreciate that computer data may be presented in a number of ways, such as visually in a graphical user interface (GUI), audibly through speakers, wirelessly between computing devices 700, across a wired connection, or in other ways. I/O ports 718 allow computing device 700 to be logically coupled to other devices including I/O components 720, some of which may be built in. Example I/O components 720 include, for example but without limitation, a microphone, joystick, game pad, satellite dish, scanner, printer, wireless device, etc.
Computing device 700 may operate in a networked environment via network component 724 using logical connections to one or more remote computers. In some examples, network component 724 includes a network interface card and/or computer-executable instructions (e.g., a driver) for operating the network interface card. Communication between the computing device 700 and other devices may occur using any protocol or mechanism over any wired or wireless connection. In some examples, network component 724 is operable to communicate data over public, private, or hybrid (public and private) using a transfer protocol, between devices wirelessly using short range communication technologies (e.g., near-field communication (NFC), BLUETOOTH® communications, or the like), or a combination thereof. Network component 724 communicates over wireless communication link 726 and/or a wired communication link 726a to a cloud resource 728 across network 730 (which in some examples includes at least a portion of internet 164 of
Although described in connection with an example computing device 700, examples of the disclosure are capable of implementation with numerous other general-purpose or special-purpose computing system environments, configurations, or devices. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with aspects of the disclosure include, but are not limited to, smart phones, mobile tablets, mobile computing devices, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, gaming consoles, microprocessor-based systems, set top boxes, programmable consumer electronics, mobile telephones, mobile computing and/or communication devices in wearable or accessory form factors (e.g., watches, glasses, headsets, or earphones), network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, virtual reality (VR) devices, augmented reality (AR) devices, mixed reality (MR) devices, holographic device, and the like. Such systems or devices may accept input from the user in any way, including from input devices such as a keyboard or pointing device. via gesture input, proximity input (such as by hovering), and/or via voice input.
Examples of the disclosure may be described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices in software, firmware, hardware, or a combination thereof. The computer-executable instructions may be organized into one or more computer-executable components or modules. Generally, program modules include, but are not limited to, routines, programs, objects, components, and data structures that perform particular tasks or implement particular abstract data types. Aspects of the disclosure may be implemented with any number and organization of such components or modules. For example, aspects of the disclosure are not limited to the specific computer-executable instructions or the specific components or modules illustrated in the figures and described herein. Other examples of the disclosure may include different computer-executable instructions or components having more or less functionality than illustrated and described herein. In examples involving a general-purpose computer, aspects of the disclosure transform the general-purpose computer into a special-purpose computing device when configured to execute the instructions described herein.
By way of example and not limitation, computer readable media comprise computer storage media and communication media. Computer storage media include volatile and nonvolatile, removable and non-removable memory implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, or the like. Computer storage media are tangible and mutually exclusive to communication media. Computer storage media are implemented in hardware and exclude carrier waves and propagated signals. Computer storage media for purposes of this disclosure are not signals per se. Exemplary computer storage media include hard disks, flash drives, solid-state memory, phase change random-access memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information for access by a computing device. In contrast, communication media typically embody computer readable instructions, data structures, program modules, or the like in a modulated data signal such as a carrier wave or other transport mechanism and include any information delivery media.
The order of execution or performance of the operations in examples of the disclosure illustrated and described herein is not essential and may be performed in different sequential manners in various examples. For example, it is contemplated that executing or performing a particular operation before, contemporaneously with, or after another operation is within the scope of aspects of the disclosure. When introducing elements of aspects of the disclosure or the examples thereof, the articles “a,” “an,” “the,” and “said” are intended to mean that there are one or more of the elements. The terms “comprising,” “including,” and “having” are intended to be inclusive and mean that there may be additional elements other than the listed elements. The term “exemplary” is intended to mean “an example of” The phrase “one or more of the following: A, B, and C” means “at least one of A and/or at least one of B and/or at least one of C.”
Having described aspects of the disclosure in detail, it will be apparent that modifications and variations are possible without departing from the scope of aspects of the disclosure as defined in the appended claims. As various changes could be made in the above constructions, products, and methods without departing from the scope of aspects of the disclosure, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense.