Method and apparatus for multi-tenancy secrets management in multiple data security jurisdiction zones
First Claim
1. A method for managing secrets of tenants of a multi-tenant computing environment, comprising:
identifying one or more data security jurisdiction zones containing one or more multi-tenant assets to which secrets policies of the tenants are to be applied;
maintaining, by a service provider computing system, service provider secrets policy data representing one or more data security policies associated with one or more cloud computing environments for the identified one or more data security jurisdiction zones and security requirements associated with the secrets of the tenants within the multi-tenant computing environment;
receiving, by the service provider computing system from a first tenant computing system, first tenant secrets policy data representing a first tenant secrets policy of a first tenant of the multi-tenant computing environment and including data indicating secrets of the first tenant secrets policy;
receiving a request from the first tenant computing system to apply the first tenant secrets policy data to a first multi-tenant asset of the multi-tenant computing environment;
in response to receiving the request, comparing the first tenant secrets policy data with the service provider secrets policy data to determine whether the secrets of the first tenant secrets policy are in compliance with the security requirements of the service provider secrets policy data;
further in response to receiving the request, comparing the service provider secrets policy data with the first tenant secrets policy to determine whether the first tenant secrets policy is at least as restrictive as the service provider secrets policy data and further determining whether secrets sharing is allowed between the first tenant and the first multi-tenant asset;
responsive to determining the secrets of the first tenant secrets policy are in compliance with the security requirements of the service provider secrets policy data and responsive to determining the first tenant secrets policy is at least as restrictive as the service provider secrets policy data, and responsive to determining secrets sharing is allowed between the first tenant and the first multi-tenant asset, authorizing, with the service provider computing system, the request from the first tenant computing system to apply the first tenant secrets policy data to the first multi-tenant asset;
responsive to determining the secrets of the first tenant secrets policy are not in compliance with the security requirements of the service provider secrets policy data, or responsive to determining the first tenant secrets policy is not at least as restrictive as the service provider secrets policy data, or responsive to determining secrets sharing is not allowed between the first tenant and the first multi-tenant asset, rejecting the request to apply the first tenant secrets policy data to the first multi-tenant asset; and
applying the first tenant secrets policy data to the first multi-tenant asset responsive to determining the request from the first tenant computing system is authorized.
Abstract
A service provider computing environment includes a service provider computing device, which receives tenant secrets policies from tenants. The tenants are tenants of multi-tenant assets of a service provider. One or more data security zones in which the multi-tenant assets are located are identified. A service provider secrets policy includes data security jurisdiction zone secrets policy data for the one or more data security jurisdiction zones. The data security jurisdiction zone secrets policy data is analyzed to determine allowed secrets data with respect to each of the identified data security jurisdiction zones. The service provider computing environment determines if the tenant secrets policies satisfy the requirements of the service provider secrets policy. If the tenant secrets policies satisfy the requirements of the service provider secrets policy, the service provider computing environment allows the tenant secrets policies to be applied to tenant data or information in the multi-tenant assets.
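The three determinations recited in claim 1 (compliance of the secrets with the zone's requirements, the tenant policy being at least as restrictive as the provider's, and secrets sharing being allowed for the tenant and asset) can be sketched as a fail-closed authorization check. This is an added example, not code from the patent: the policy schemas, the field names, the reading of "compliance" as allowed secret types with minimum key lengths, the reading of "restrictive" as rotation interval, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProviderZonePolicy:        # hypothetical schema, one per jurisdiction zone
    min_key_bits: dict           # allowed secret type -> minimum key length
    max_rotation_days: int       # longest rotation interval the provider accepts
    sharing_allowed: frozenset   # (tenant, asset) pairs allowed to share secrets

@dataclass(frozen=True)
class TenantPolicy:              # hypothetical schema
    tenant: str
    secrets: tuple               # (secret_type, key_bits) pairs
    rotation_days: int

def evaluate_request(policy, asset, zone, provider_zones):
    """Return (authorized, reasons); any failed or unevaluable check rejects."""
    provider = provider_zones.get(zone)
    if provider is None:         # unknown zone: nothing to compare against
        return False, [f"no provider policy for zone {zone}"]
    reasons = []
    # Check 1: each secret complies with the zone's security requirements.
    for secret_type, key_bits in policy.secrets:
        minimum = provider.min_key_bits.get(secret_type)
        if minimum is None:
            reasons.append(f"{secret_type} secrets are not allowed in {zone}")
        elif key_bits < minimum:
            reasons.append(f"{secret_type} key of {key_bits} bits is below {minimum}")
    # Check 2: the tenant policy is at least as restrictive as the provider's.
    if policy.rotation_days > provider.max_rotation_days:
        reasons.append("rotation interval is looser than the provider maximum")
    # Check 3: secrets sharing is allowed between this tenant and this asset.
    if (policy.tenant, asset) not in provider.sharing_allowed:
        reasons.append(f"sharing not allowed between {policy.tenant} and {asset}")
    return not reasons, reasons

# Constructed sample data: two zones with different requirements.
ZONES = {
    "zone-a": ProviderZonePolicy({"aes": 256, "rsa": 3072}, 90,
                                 frozenset({("tenant-1", "asset-1")})),
    "zone-b": ProviderZonePolicy({"aes": 256}, 30,
                                 frozenset({("tenant-1", "asset-2")})),
}
GOOD = TenantPolicy("tenant-1", (("aes", 256),), 30)
WEAK = TenantPolicy("tenant-1", (("aes", 128), ("rsa", 2048)), 60)

if __name__ == "__main__":
    for pol, asset, zone in [(GOOD, "asset-1", "zone-a"),
                             (WEAK, "asset-2", "zone-b"),
                             (GOOD, "asset-1", "zone-c")]:
        print(asset, zone, evaluate_request(pol, asset, zone, ZONES))
```

The same tenant policy can be authorized for an asset in one zone and rejected in another, which is why the zone of the target asset is resolved before any comparison.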
273 Citations
35 Claims
1. A method for managing secrets of tenants of a multi-tenant computing environment (claim 1, given in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A method for managing secrets of customers of a service provider for a multi-tenant computing environment, comprising:
identifying one or more data security jurisdiction zones containing one or more multi-tenant assets to which secrets policies of the customers are to be applied;
maintaining, by a service provider computing system, a service provider security policy that includes one or more data secrets policies associated with one or more cloud computing environments for the identified one or more data security jurisdiction zones and security requirements for the customers of a first multi-tenant asset, wherein the first multi-tenant asset is hosted for the customers by the service provider, further wherein the first multi-tenant asset includes at least one of:
an application shared by the customers;
a server computing system shared by the customers;
a virtual machine; and
non-volatile memory device logically divided between at least two of the customers;
receiving a request from a first one of the customers to apply a first customer security policy to a first part of the first multi-tenant asset allocated to the first one of the customers, wherein the first customer security policy includes rules for managing first customer secrets with the first multi-tenant asset in the multi-tenant computing environment and secrets of the first customer security policy;
comparing the first customer security policy associated with the request to the service provider security policy to determine whether the secrets of the first customer security policy are in compliance with the security requirements of the service provider security policy and further determining whether secrets sharing is allowed between the first one of the customers and the first part of the first multi-tenant asset; and
responsive to determining the first customer security policy is at least as restrictive as the service provider security policy and responsive to determining secrets sharing is allowed between the first one of the customers and the first part of the first multi-tenant asset, authorizing the request to enable the first one of the customers to apply the first customer security policy to the first part of the first multi-tenant asset allocated to the first one of the customers.
Dependent claims: 17, 18, 19, 20
21. A system for managing secrets of tenants of a multi-tenant computing environment, the system comprising:
one or more processors; and
at least one memory coupled to the one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform operations for managing the secrets of the tenants of the multi-tenant computing environment, the operations including:
identifying one or more data security jurisdiction zones containing one or more multi-tenant assets to which secrets policies of the tenants are to be applied;
maintaining, by a service provider computing system, service provider secrets policy data representing one or more data security policies associated with one or more cloud computing environments for the identified one or more data security jurisdiction zones and security requirements associated with the secrets of the tenants within the multi-tenant computing environment;
receiving, by the service provider computing system from a first tenant computing system, first tenant secrets policy data representing a first tenant secrets policy of a first tenant of the multi-tenant computing environment and including data indicating secrets of the first tenant secrets policy;
receiving a request from the first tenant computing system to apply the first tenant secrets policy data to a first multi-tenant asset of a second tenant of the multi-tenant computing environment;
in response to receiving the request, comparing the first tenant secrets policy data with the service provider secrets policy data to determine whether the secrets of the first tenant secrets policy are in compliance with the security requirements of the service provider secrets policy data;
further in response to receiving the request, comparing the service provider secrets policy data with the first tenant secrets policy to determine whether the first tenant secrets policy is at least as restrictive as the service provider secrets policy data and further determining whether secrets sharing is allowed between the first tenant and the first multi-tenant asset;
responsive to determining the secrets of the first tenant secrets policy are in compliance with the security requirements of the service provider secrets policy data and responsive to determining the first tenant secrets policy is at least as restrictive as the service provider secrets policy data, and responsive to determining secrets sharing is allowed between the first tenant and the first multi-tenant asset, authorizing, with the service provider computing system, the request from the first tenant computing system to apply the first tenant secrets policy data to the first multi-tenant asset;
responsive to determining the secrets of the first tenant secrets policy are not in compliance with the security requirements of the service provider secrets policy data, or responsive to determining the first tenant secrets policy is not at least as restrictive as the service provider secrets policy data, or responsive to determining secrets sharing is not allowed between the first tenant and the first multi-tenant asset, rejecting the request to apply the first tenant secrets policy data to the first multi-tenant asset; and
applying the first tenant secrets policy data to the first multi-tenant asset responsive to determining the request from the first tenant computing system is authorized.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30
31. A system for managing secrets of customers of a service provider for a multi-tenant computing environment, comprising:
one or more processors; and
at least one memory coupled to the one or more processors, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform operations for managing the secrets of the customers of the service provider for the multi-tenant computing environment, the operations including:
identifying one or more data security jurisdiction zones containing one or more multi-tenant assets to which secrets policies of the customers are to be applied;
maintaining, by a service provider computing system, a service provider security policy that includes one or more data security policies associated with one or more cloud computing environments for the identified one or more data security jurisdiction zones and security requirements for the customers of a first multi-tenant asset, wherein the first multi-tenant asset is hosted for the customers by the service provider, wherein the first multi-tenant asset includes at least one of:
an application shared by the customers;
a server computing system shared by the customers;
a virtual machine; and
non-volatile memory device logically divided between at least two of the customers;
receiving a request from a first one of the customers to apply a first customer security policy to a first part of the first multi-tenant asset allocated to the first one of the customers, wherein the first customer security policy includes rules for managing first customer secrets with the first multi-tenant asset in the multi-tenant computing environment and secrets of the first customer security policy;
comparing the first customer security policy associated with the request to the service provider security policy to determine whether the secrets of the first customer security policy are in compliance with the security requirements of the service provider security policy and further determining whether secrets sharing is allowed between the first one of the customers and the first part of the first multi-tenant asset; and
responsive to determining the first customer security policy is at least as restrictive as the service provider security policy, authorizing the request to enable the first one of the customers to apply the first customer security policy to the first part of the first multi-tenant asset allocated to the first one of the customers.
Dependent claims: 32, 33, 34, 35
Specification