Cloud computing is a type of computing in which dynamically scalable and typically virtualized resources are provided as services via the Internet. As a result, users need not, and typically do not, possess knowledge of, expertise in, or control over the technology and/or infrastructure implemented in the cloud. Cloud computing generally incorporates infrastructure as a service (“IaaS”), platform as a service (“PaaS”), and/or software as a service (“SaaS”). In a typical embodiment, cloud computing services provide common applications online, which applications are accessed using a web browser and the software and data for which are stored on servers comprising the cloud.
Cloud computing customers typically do not own or possess the physical infrastructure that hosts their software platform; rather, the infrastructure is leased in some manner from a third-party provider. Cloud computing customers can avoid capital expenditures by paying a provider for only what they use on a utility, or resources consumed, basis or a subscription, or time-based, basis, for example. Sharing computing power and/or storage capacity among multiple lessees has many advantages, including improved utilization rates and an increase in overall computer usage.
With the advent of cloud computing and cloud storage, enterprise resources are not transparently accessible across enterprise and/or cloud boundaries via standard mechanisms, protocols and portals.
One embodiment is a system for providing transparent cloud access. The system comprises an enterprise computing environment maintained by an enterprise and a cloud computing environment maintained by a cloud provider; and a secure bridge mechanism for interconnecting the enterprise computing environment and the cloud computing environment. The secure bridge mechanism comprises a first secure bridge portion associated with the enterprise and a second secure bridge portion associated with the cloud computing environment. The first and second secure bridge portions interoperate to provide transparent and secure access by resources of one of the computing environments to those of the other computing environment.
To better illustrate the advantages and features of the embodiments, a particular description of several embodiments will be provided with reference to the attached drawings. These drawings, and other embodiments described herein, only illustrate selected aspects of the embodiments and are not intended to limit the scope thereof. Further, despite reference to specific features illustrated in the example embodiments, it will nevertheless be understood that these features are not essential to all embodiments and no limitation of the scope thereof is thereby intended. Any alterations and further modifications in the described embodiments, and any further applications of the principles of the embodiments as described herein are contemplated as would normally occur to one skilled in the art. Furthermore, some items are shown in a simplified form, and inherently include components that are well known in the art. Further still, some items are illustrated as being in direct connection for the sake of simplicity and clarity. Despite the apparent direct connection, it is understood that such illustration does not preclude the existence of intermediate components and/or protocols not otherwise illustrated.
The embodiments described herein provide a mechanism for providing transparent cloud access. To this end, one or more embodiments described herein provide a method and mechanism that allow transparent access to enterprise resources whether they are hosted in the enterprise or in one or more clouds.
Enterprises using the cloud are represented by virtualization processes and storage shown as workloads 112. These processes are typically started by an enterprise via a cloud portal or API utilized by administrative personnel or processes running at the enterprise or in the cloud. A typical cloud provider may be using standard ITIL practices and may utilize a configuration management database (“CMDB”) 114, which affects the entire cloud infrastructure and which describes the practice and policies used for instantiating virtualized workloads and storage.
In particular, the secure bridge mechanism 200 provides transparent port mapping and other transparent protocol mappings so that, for example, an LDAP bind to an LDAP directory from the process 208A will succeed whether the LDAP directory resides in the enterprise 206 or the cloud 214. As a result, embodiments described herein enable assets needed by the enterprise 206 to be migrated from the enterprise to the cloud 214 without requiring modification of the operation and/or configuration thereof.
In one embodiment, storage medium 210 may also be represented locally and within the cloud 214 as storage medium 220 as simultaneous instances, by caching, or with a synchronization model with an authoritative source designation providing scalability, failover and fault tolerance. The secure bridges 204, 212 can also function as a protocol proxy such that a native LDAP bind from applications 202A-202C can transparently access storage media 210, 220, and likewise a native LDAP bind at any of the workloads 216A-216C can transparently access storage media 210 or 220. Note that other protocols can be transferred in the same manner and that storage can be incrementally expanded or contracted on either side.
It will be recognized that the secure bridge mechanism 200 can be implemented in any one of a number of different manners, including, but not limited to, Virtual Private Network (“VPN”)-type technology, proxy tunneling, and SSH tunneling.
In step 302, an automated process or enterprise administrator initiates a “securebridge.exe” process at the enterprise bridge portion 202. The securebridge.exe process accesses a designated external IP address (e.g., 151.155.94.122:22) corresponding to the securebridgeserver.exe process initiated in step 300. In step 304, the listener posted at port 22 by the securebridgeserver.exe process in step 300 receives the request from the securebridge.exe process and negotiates setup of a secure and encrypted connection between enterprise bridge portion 202 and the cloud bridge portion 204. It will be recognized that, because the connection negotiated in step 304 was initiated from within the enterprise 206 (i.e., from behind the enterprise firewall (not shown)), there is no need to punch a hole in the firewall. In step 306, the securebridge.exe process posts a listener on the LDAP port such that any LDAP calls from within the enterprise 206 will be picked up by the listener.
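Steps 300 to 306 above, reduced to their port-mapping core as an added example that is not the patent's own code: the enterprise-side bridge posts a loopback listener on the LDAP port and relays each local client over an outbound connection to the cloud-side endpoint, so the enterprise firewall needs no inbound rule. It assumes a plain TCP hop where the page uses an SSH-encrypted connection to port 22, stands in a constructed echo server for the cloud-hosted LDAP directory, and the function names are this example's own.

```python
import socket
import threading
from contextlib import suppress

def _pump(src, dst):
    # Relay bytes one way until src closes, then half-close dst so its peer sees EOF.
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _accept_loop(listener, handler):
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return  # listener closed
        threading.Thread(target=handler, args=(conn,), daemon=True).start()

def start_enterprise_bridge(cloud_endpoint, ldap_port=0):
    """Step 306: listen on the LDAP port (0 = ephemeral for the demo) and relay each local
    client over an OUTBOUND connection to the cloud bridge (step 302), so the enterprise
    firewall needs no inbound rule. Returns the port actually bound."""
    def relay(client):
        try:
            upstream = socket.create_connection(cloud_endpoint, timeout=5)
        except OSError:
            client.close()  # cloud side unreachable: fail closed, drop the client
            return
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)
    # Loopback only: a bridge listener must never be reachable from the rest of the LAN.
    listener = socket.create_server(("127.0.0.1", ldap_port))
    threading.Thread(target=_accept_loop, args=(listener, relay), daemon=True).start()
    return listener.getsockname()[1]

def start_directory_stub():
    """Constructed stand-in for the cloud-hosted LDAP directory: echoes what it receives."""
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=_accept_loop, args=(listener, lambda c: _pump(c, c)), daemon=True).start()
    return listener.getsockname()[1]

def bind_through_bridge(bridge_port, request):
    """Client view: it only talks to the local LDAP port; the cloud hop is transparent."""
    with socket.create_connection(("127.0.0.1", bridge_port), timeout=5) as c:
        c.sendall(request)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))
```

Binding the listener to 389 instead of an ephemeral port is what makes the mapping transparent to unmodified LDAP clients; in the page's design the SSH connection supplies the encryption and the cloud-side authentication of the bridge that this plain TCP hop omits.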
Once the secure bridge mechanism is set up as described in connection with
It will be recognized that various ones of the elements and/or modules described herein may be implemented using one or more general purpose computers or portions thereof executing software applications designed to perform the functions described or using one or more special purpose computers or portions thereof configured to perform the functions described. The software applications may comprise computer-executable instructions stored on computer-readable media. Additionally, repositories described herein may be implemented using databases or other appropriate storage media.
While the preceding description shows and describes one or more embodiments, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the present disclosure. For example, various steps of the described methods may be executed in a different order or executed sequentially, combined, further divided, replaced with alternate steps, or removed entirely. In addition, various functions illustrated in the methods or described elsewhere in the disclosure may be combined to provide additional and/or alternate functions. Therefore, the claims should be interpreted in a broad manner, consistent with the present disclosure.
This application claims the benefit under Title 35, United States Code §119(e) of U.S. Provisional Patent Application No. 61/160,038 filed on Mar. 13, 2009, the disclosure of which is incorporated herein by reference in its entirety. This application is related to the following commonly-assigned, co-pending applications, each of which is also incorporated herein by reference in its entirety: 1. U.S. patent application Ser. No. 12/612,807 filed on Nov. 5, 2009, now U.S. Pat. No. 8,065,395 issued on Nov. 22, 2011; 2. U.S. patent application Ser. No. 12/612,818 filed on Nov. 5, 2009; 3. U.S. patent application Ser. No. 12/612,834 filed on Nov. 5, 2009; 4. U.S. patent application Ser. No. 12/612,882 filed on Nov. 5, 2009; 5. U.S. patent application Ser. No. 12/612,895 filed on Nov. 5, 2009; 6. U.S. patent application Ser. No. 12/612,903 filed on Nov. 5, 2009; 7. U.S. patent application Ser. No. 12/612,925 filed on Nov. 5, 2009; 8. U.S. patent application Ser. No. 12/613,077 filed on Nov. 5, 2009; 9. U.S. patent application Ser. No. 12/613,098 filed on Nov. 5, 2009; 10. U.S. patent application Ser. No. 12/613,112 filed on Nov. 5, 2009; and 11. U.S. patent application Ser. No. 12/197,833 filed on Aug. 25, 2008, now U.S. Pat. No. 8,036,396 issued on Oct. 11, 2011.
Number | Date | Country
---|---|---
20100235903 A1 | Sep 2010 | US

Number | Date | Country
---|---|---
61160038 | Mar 2009 | US