Seamless provision of secret token to cloud-based assets on demand

US 10,027,658 B1
Filed: 06/12/2017
Issued: 07/17/2018
Est. Priority Date: 06/12/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing security tokens to cloud-based assets on demand over a network, comprising:

receiving a prompt from a cloud-based asset indicating that the cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;

extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset;

authenticating the cloud-based asset based on the extracted information, wherein the extracted information is based on characteristics or configurations of the cloud-based asset and a virtualization platform deploying the cloud-based asset that is known to or managed by the trusted cloud platform resource;

generating a security token for the cloud-based asset;

making a first portion of the security token available to be injected into the cloud-based asset;

responding to the prompt with a second portion of the security token;

injecting the first portion of the security token into the cloud-based asset; and

enabling the cloud-based asset to obtain a credential needed for accessing the access-controlled resource by using the first portion of the security token and further based on the response to the prompt with the second portion of the security token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments include systems and methods for providing security tokens to cloud-based assets on demand. Operations performed in the disclosed embodiments include receiving a prompt from a cloud-based asset indicating that the cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource. Additionally, the operations include extracting information associated with the cloud-based asset by accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, where the trusted cloud platform resource is separate from the cloud-based asset, and authenticating the cloud-based asset based on the extracted information. The operations also include generating a security token for the cloud-based asset, making a first portion of the security token available to be injected into the cloud-based asset, and responding to the prompt with a second portion of the security token.

16 Citations

View as Search Results

22 Claims

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing security tokens to cloud-based assets on demand over a network, comprising:
- receiving a prompt from a cloud-based asset indicating that the cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset;
  
  authenticating the cloud-based asset based on the extracted information, wherein the extracted information is based on characteristics or configurations of the cloud-based asset and a virtualization platform deploying the cloud-based asset that is known to or managed by the trusted cloud platform resource;
  
  generating a security token for the cloud-based asset;
  
  making a first portion of the security token available to be injected into the cloud-based asset;
  
  responding to the prompt with a second portion of the security token;
  
  injecting the first portion of the security token into the cloud-based asset; and
  
  enabling the cloud-based asset to obtain a credential needed for accessing the access-controlled resource by using the first portion of the security token and further based on the response to the prompt with the second portion of the security token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A non-transitory computer readable medium according to claim 1, wherein the extracting involves invoking the trusted cloud platform resource to interoperate with the cloud-based asset to obtain at least part of the extracted information.
  - 3. A non-transitory computer readable medium according to claim 1, wherein the extracting involves interoperating directly with the cloud-based asset.
  - 4. A non-transitory computer readable medium according to claim 1, wherein the security token is unique to the cloud-based asset.
  - 5. A non-transitory computer readable medium according to claim 1, wherein the steps of receiving a prompt, extracting, accessing, authenticating, generating, making, and responding are performed by the trusted cloud platform resource.
  - 6. A non-transitory computer readable medium according to claim 1, wherein the prompt identifies a container associated with the cloud-based asset.
  - 7. A non-transitory computer readable medium according to claim 6, wherein the security token is unique to the container associated with the cloud-based asset.
  - 8. A non-transitory computer readable medium according to claim 1, wherein the prompt indicates a location attribute of the cloud-based asset.
  - 9. A non-transitory computer readable medium according to claim 1, wherein the prompt indicates an environment attribute of the cloud-based asset.
  - 10. A non-transitory computer readable medium according to claim 1, wherein the first portion of the security token includes random data and data associated with the cloud-based asset.
  - 11. A non-transitory computer readable medium according to claim 1, wherein the second portion of the security token includes expiration time data.
  - 12. A non-transitory computer readable medium according to claim 1, wherein the second portion of the security token includes a token signature.
  - 13. A non-transitory computer readable medium according to claim 1, wherein making a first portion of the security token available to be injected into the cloud-based asset includes sending the first portion of the security token to a cloud resource separate from the cloud-based asset.
  - 14. A non-transitory computer readable medium according to claim 13, further comprising requesting the cloud resource to inject the first portion of the security token into the cloud-based asset.
  - 15. A non-transitory computer readable medium according to claim 1, wherein responding to the prompt with a second portion of the security token occurs after receiving an indication that the first portion of the security token has been injected into the cloud-based asset.

16. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing security tokens to cloud-based assets on demand over a network, comprising:
- receiving a prompt from a cloud-based asset indicating that the cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset;
  
  authenticating the cloud-based asset based on the extracted information, wherein the extracted information is based on characteristics or configurations of the cloud-based asset and a virtualization platform deploying the cloud-based asset that is known to or managed by the trusted cloud platform resource;
  
  generating a security token for the cloud-based asset;
  
  making at least a first portion of the security token available to be injected into the cloud-based asset;
  
  injecting the first portion of the security token into the cloud-based asset; and
  
  enabling the cloud-based asset to obtain a credential needed for accessing the access-controlled resource by using the first portion of the security token and further based on a second portion of the security token.

17. A server system for providing security tokens to a cloud-based asset on demand over a network, the system comprising:
- a memory device storing a set of instructions; and
  
  a processor configured to execute the set of instructions to;
  
  receive a prompt from a cloud-based asset indicating that the cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  extract information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset;
  
  authenticate the cloud-based asset based on the extracted information, wherein the extracted information is based on characteristics or configurations of the cloud-based asset and a virtualization platform deploying the cloud-based asset that is known to or managed by the trusted cloud platform resource;
  
  generate a security token for the cloud-based asset;
  
  make a first portion of the security token available to be injected into the cloud-based asset;
  
  respond to the prompt with a second portion of the security token;
  
  inject the first portion of the security token into the cloud-based asset; and
  
  enable the cloud-based asset to obtain a credential needed for accessing the access-controlled resource by using the first portion of the security token and further based on the response to the prompt with the second portion of the security token.

18. A computer-implemented method, executable by a processor of a computing system, for providing a security token to a cloud-based asset on demand over a network, the method comprising:
- receiving a prompt from a cloud-based asset indicating that the cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset;
  
  authenticating the cloud-based asset based on the extracted information, wherein the extracted information is based on characteristics or configurations of the cloud-based asset and a virtualization platform deploying the cloud-based asset that is known to or managed by the trusted cloud platform resource;
  
  generating a security token for the cloud-based asset;
  
  making a first portion of the security token available to be injected into the cloud-based asset;
  
  responding to the prompt with a second portion of the security token;
  
  injecting the first portion of the security token into the cloud-based asset; and
  
  enabling the cloud-based asset to obtain a credential needed for accessing the access-controlled resource by using the first portion of the security token and further based on the response to the prompt with the second portion of the security token.
- View Dependent Claims (19, 20, 21, 22)
- - 19. A computer-implemented method according to claim 18, wherein the extracting involves invoking the trusted cloud platform resource to interoperate with the cloud-based asset to obtain at least part of the extracted information.
  - 20. A computer-implemented method according to claim 18, wherein the security token is unique to a virtualization platform deploying the cloud-based asset.
  - 21. A computer-implemented method according to claim 18, wherein making a first portion of the security token available to be injected into the cloud-based asset includes sending the first portion of the security token to a cloud resource separate from the cloud-based asset.
  - 22. A computer-implemented method according to claim 21, further comprising requesting the cloud resource to inject the first portion of the security token into the cloud-based asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
CyberArk Software Ltd.
Inventors
Schwarz, Rafi, Maccabi, Eli, Cohen, Moti, Lahav, Nessi, Zilberman Kubovsky, Inbal, Sakirko, Evgeny
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US15/620,262
Time in Patent Office

400 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/44   Program or device authentic...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 9/3213   using tickets or tokens, e....

Seamless provision of secret token to cloud-based assets on demand

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Seamless provision of secret token to cloud-based assets on demand

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links