Patent Grant
9614855
Cloud computing is a type of computing in which dynamically scalable and typically virtualized resources are provided as services via the Internet. As a result, users need not, and typically do not, possess knowledge of, expertise in, or control over the technology and/or infrastructure implemented in the cloud. Cloud computing generally incorporates infrastructure as a service (“IaaS”), platform as a service (“PaaS”), and/or software as a service (“SaaS”). In a typical embodiment, cloud computing services provide common applications online, which applications are accessed using a web browser and the software and data for which are stored on servers comprising the cloud.
Cloud computing customers typically do not own or possess the physical infrastructure that hosts their software platform; rather, the infrastructure is leased in some manner from a third-party provider. Cloud computing customers can avoid capital expenditures by paying a provider only for what they use on a utility, or resources consumed, basis or a subscription, or time-based, basis, for example. Sharing computing power and/or storage capacity among multiple lessees has many advantages, including improved utilization rates and an increase in overall computer usage.
Cloud computing and cloud storage are rapidly becoming the preferred way for enterprises to extend their data center processing and storage capacity efficiently and inexpensively. One problem faced by modern enterprises is users accessing cloud assets in relationship to the data center. In particular, a difficulty exists in providing entitlement processing via enterprise-specified policy over cloud assets, especially web applications.
One embodiment of a system for providing a secure web application entitlement service comprises a plurality of entitlement point records each comprising a unique identifier associated therewith such that each of the enforcement point records can be associated with an enforcement point within an application; an identity service (“IS”) configured to provide a first token for enabling a user to access the application; an access gateway configured to provide a second token, the second token including a list of at least a portion of the unique identifiers; an entitlement server (“ES”) configured to receive an entitlement request from the application, the entitlement request including the second token, the ES further configured to associate the entitlement request with a user-authenticated session in the IS; and a policy decision point (“PDP”) configured to receive the list of at least a portion of the unique identifiers and to render a decision on the entitlement request based at least in part on policy information associated with ones of the enforcement point records identified by the unique identifiers of the list and attribute information from the IS; wherein subsequent to the rendering of a decision by the PDP, the decision is communicated to the application.
To better illustrate the advantages and features of the embodiments, a particular description of several embodiments will be provided with reference to the attached drawings. These drawings, and other embodiments described herein, only illustrate selected aspects of the embodiments and are not intended to limit the scope thereof. Further, despite reference to specific features illustrated in the example embodiments, it will nevertheless be understood that these features are not essential to all embodiments and no limitation of the scope thereof is thereby intended. Any alterations and further modifications in the described embodiments, and any further applications of the principles of the embodiments as described herein are contemplated as would normally occur to one skilled in the art. Furthermore, some items are shown in a simplified form, and inherently include components that are well known in the art. Further still, some items are illustrated as being in direct connection for the sake of simplicity and clarity. Despite the apparent direct connection, it is understood that such illustration does not preclude the existence of intermediate components not otherwise illustrated.
The embodiments described herein provide a mechanism whereby cloud assets can be controlled by an entitlement policy. The embodiments described herein further provide a mechanism to allow an entitlement policy to be defined and communicated with cloud assets such that cloud assets can function as a policy enforcement point (“PEP”).
Enterprises using the cloud are represented by virtualization processes and storage shown as workloads 112. These processes are typically started by an enterprise via a cloud portal or API utilized by administrative personnel or processes running at the enterprise. A typical cloud provider may be using standard ITIL processes and may utilize a configuration management database (“CMDB”) 114, which affects the entire cloud infrastructure and which describes the practice and policies used for instantiating virtualized workloads and storage.
Referring again to
The token 220 is made available to the AG 216 either via a communications channel 222 or to the web application 210 via a communications channel 224. A token returned via the communications channel 214 or 222 is well known in the art. For example, an identity token can take the form of SAML 1.x, SAML 2.x, WS-Federation, and others. It will be recognized that one purpose of an identity token is to represent a user's identity without requiring the user to be present or provide a userID and/or password. While an identity token for a user may be created from an authentication using the user's userID/password, this need not be the case.
In one embodiment, when enabling user access to the web application 210, the AG 216 provides a second token 225 via a communications channel 226. The second token 225 contains a list of the URIs that are tagged to provide the web application 210 with a way of associating a URI with an entitlement enforcement point record, such as one of the records 204a-204c. In other words, the token 225 provides a list of “protected resources” that are managed by a PEP. In the illustrated embodiment, such protected resources are identified by URI, but any sort of identifier, global or otherwise, may be substituted therefore. The token 225 also includes a protected indicator of the identity session created in the IS 218 when the user authenticated, as described above. In particular, in order to prevent protected resources from being inappropriately presented to the PEP with bogus policies, the second token 225 can include a protected indicator of the identity of the person or service requesting the protection. This usually is in the form of a digital signature, although it will be recognized that alternative and/or additional mechanisms may be employed. In one embodiment, the URI list in the token 225 could be provided by the IS 218 to the web application 210 via the communications channel 224.
In one embodiment, the URI list is not provided to the web application 210 via the AG 216 or the IS 218, in which case the web application must access the URI list via a communications channel 230. It will be recognized that access to obtain the URI list or other token information is preferably performed via a protected communications channel, such as SSL.
Once the web application 210 has access to the URI lists that are tagged such that the web application knows which URI is used to protect specific entitlement points, the web application can make a call to an entitlement server 232 via a communications channel 234. The application 210 provides the token 225 to the ES 232, thereby enabling the ES to associate a web application request with a user authenticated session in the IS 218. In addition to the token 225, the web application 210 transmits to the ES 232 the URI list, which is subsequently sent to a policy decision point (“PDP”) 236 for resolution, as represented by a path 237. The PDP 236 accesses any necessary policy information from the respective policy 206a-206c via a communications channel 238 and accesses any necessary attribute information via a communications channel 239. The results, or decision, of the PDP 236 are communicated back to the ES 232 together with any attribute information that policy dictated should be sent back and the ES provides the web application 210 with the entitlement request disposition and other information as necessary to fulfill the policy. At this point, the web application 210 interrogates the results of the PDP 236 and, if allowed, entitlement is provided; otherwise, the entitlement is withheld.
It should be noted that the PDP 236, the ES 232, and the web application 210 all provide compliance events to a compliance enforcer 240, which correlates the compliance events and compares them with a best practices policy so that if an issue arises with the manner in which the PDP 236, the ES 232, and the web application 210 are interoperating, mitigating actions can be taken. For example, consider a situation in which a policy statement is not enforced properly, such as a case in which access to financial information is not allowed from connections are outside of the firewall within a blackout period and in which an access is attempted and succeeds. A mitigating action that might be taken in such a situation would be to abort the connection or vector the connection to a honeypot, for example.
The embodiments described herein enable a web application to enforce an entitlement policy that does not reside at the web application and is under the control of the enterprise administrations. Moreover, the granting or withholding of entitlement can be audited for compliance.
U.S. patent application Ser. No. 12/612,834, entitled: “System and Method for Reduced Cloud IP Address Utilization,” filed on Nov. 5, 2009, and now issued as U.S. Pat. No. 8,364,842, which is incorporated by its entirety herein, describes a distributor function, which may be implemented herein as a distributor 214. In one embodiment, the distributor 241 provides keys via a communications channel 242 and a communications channel 244 so that the web application 210 and the ES 232 share a key that provides for secure communications outside of the realm of SSL. In this embodiment, the distributor 241 is also a source of compliance events, wherein the compliance enforcer 240 can correlate the events with the other events as previously discussed so that mitigation actions can be taken. It will be recognized that the particular manner in which mitigation actions are enforced is not of particular concern with respect to the embodiments described herein.
In an alternative embodiment, illustrated in
Additionally, in the embodiment illustrated in
In the general case, the AG 216, application 210, PDP/ES 232/236, and compliance enforcer 240 can be permuted over the set of ISes 218, 246, 248, and 250. As previously noted, in the embodiment illustrated in
It will be recognized that various ones of the elements and/or modules described herein may be implemented using one or more general purpose computers or portions thereof executing software applications designed to perform the functions described or using one or more special purpose computers or portions thereof configured to perform the functions described. The software applications may comprise computer-executable instructions stored on computer-readable media. Additionally, repositories described herein may be implemented using databases or other appropriate storage media.
While the preceding description shows and describes one or more embodiments, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the present disclosure. For example, various steps of the described methods may be executed in a different order or executed sequentially, combined, further divided, replaced with alternate steps, or removed entirely. In addition, various functions illustrated in the methods or described elsewhere in the disclosure may be combined to provide additional and/or alternate functions. Therefore, the claims should be interpreted in a broad manner, consistent with the present disclosure.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5428738 | Carter et al. | Jun 1995 | A |
| 5787175 | Carter | Jul 1998 | A |
| 5870564 | Jensen et al. | Feb 1999 | A |
| 5878419 | Carter | Mar 1999 | A |
| 6067572 | Jensen et al. | May 2000 | A |
| 6108619 | Carter et al. | Aug 2000 | A |
| 6119230 | Carter | Sep 2000 | A |
| 6185612 | Jensen et al. | Feb 2001 | B1 |
| 6219652 | Carter et al. | Apr 2001 | B1 |
| 6275819 | Carter | Aug 2001 | B1 |
| 6279111 | Jensenworth | Aug 2001 | B1 |
| 6405199 | Carter et al. | Jun 2002 | B1 |
| 6459809 | Jensen et al. | Oct 2002 | B1 |
| 6601171 | Carter et al. | Jul 2003 | B1 |
| 6647408 | Ricart et al. | Nov 2003 | B1 |
| 6650777 | Jensen et al. | Nov 2003 | B1 |
| 6697497 | Jensen et al. | Feb 2004 | B1 |
| 6738907 | Carter | May 2004 | B1 |
| 6742035 | Zayas et al. | May 2004 | B1 |
| 6742114 | Carter et al. | May 2004 | B1 |
| 6760843 | Carter | Jul 2004 | B1 |
| 6772214 | McClain et al. | Aug 2004 | B1 |
| 6826557 | Carter et al. | Nov 2004 | B1 |
| 6862606 | Major et al. | Mar 2005 | B1 |
| 6993508 | Major et al. | Jan 2006 | B1 |
| 7043555 | McClain et al. | May 2006 | B1 |
| 7152031 | Jensen et al. | Dec 2006 | B1 |
| 7177922 | Carter et al. | Feb 2007 | B1 |
| 7185047 | Bate et al. | Feb 2007 | B1 |
| 7197451 | Carter et al. | Mar 2007 | B1 |
| 7286977 | Carter et al. | Oct 2007 | B1 |
| 7299493 | Burch et al. | Nov 2007 | B1 |
| 7313816 | Sinha et al. | Dec 2007 | B2 |
| 7316027 | Burch et al. | Jan 2008 | B2 |
| 7334257 | Ebrahimi et al. | Feb 2008 | B1 |
| 7356819 | Ricart et al. | Apr 2008 | B1 |
| 7363577 | Kinser et al. | Apr 2008 | B2 |
| 7376134 | Carter et al. | May 2008 | B2 |
| 7386514 | Major et al. | Jun 2008 | B2 |
| 7389225 | Jensen et al. | Jun 2008 | B1 |
| 7426516 | Ackerman et al. | Sep 2008 | B1 |
| 7467415 | Carter | Dec 2008 | B2 |
| 7475008 | Jensen et al. | Jan 2009 | B2 |
| 7505972 | Wootten et al. | Mar 2009 | B1 |
| 7506055 | McClain et al. | Mar 2009 | B2 |
| 7552468 | Burch et al. | Jun 2009 | B2 |
| 8051491 | Cavage | Nov 2011 | B1 |
| 20070289018 | Steeves et al. | Dec 2007 | A1 |
| 20080018927 | Martin | Jan 2008 | A1 |
| 20090199277 | Norman | Aug 2009 | A1 |
| 20090228967 | Gbadegesin et al. | Sep 2009 | A1 |
| 20090235349 | Lai | Sep 2009 | A1 |
| 20090249439 | Olden | Oct 2009 | A1 |
| 20090249440 | Platt | Oct 2009 | A1 |
| 20090328216 | Rafalovich et al. | Dec 2009 | A1 |
| Number | Date | Country | |
|---|---|---|---|
| 20110107411 A1 | May 2011 | US |
