Seamless provision of authentication credential data to cloud-based assets on demand

US 10,333,925 B2
Filed: 06/20/2018
Issued: 06/25/2019
Est. Priority Date: 06/12/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing authentication credential data to cloud-based assets on demand, the operations comprising:

receiving a prompt indicating that a cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;

extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset and being configured to analyze information associated with a creation of the cloud-based asset;

authenticating the cloud-based asset based on the extracted information;

making first authentication credential data available to the cloud-based asset in response to a first request;

authenticating the cloud-based asset based on the first authentication credential data;

making second authentication credential data available to the cloud-based asset, in response to a second request; and

concatenating the first authentication credential data and the second authentication credential data;

wherein the cloud-based asset'"'"'s right to access the access-controlled resource is contingent on the cloud-based asset providing the first and second authentication credential data, on the first and second authentication credential data being concatenated, and on a verification of the concatenated first and second authentication credential data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments include systems and methods for providing security tokens to cloud-based assets on demand. Operations performed in the disclosed embodiments include receiving a prompt from a cloud-based asset indicating that the cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource. Additionally, the operations include extracting information associated with the cloud-based asset by accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, where the trusted cloud platform resource is separate from the cloud-based asset, and authenticating the cloud-based asset based on the extracted information. The operations also include generating a security token for the cloud-based asset, making a first portion of the security token available to be injected into the cloud-based asset, and responding to the prompt with a second portion of the security token.

Citations

21 Claims

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing authentication credential data to cloud-based assets on demand, the operations comprising:
- receiving a prompt indicating that a cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset and being configured to analyze information associated with a creation of the cloud-based asset;
  
  authenticating the cloud-based asset based on the extracted information;
  
  making first authentication credential data available to the cloud-based asset in response to a first request;
  
  authenticating the cloud-based asset based on the first authentication credential data;
  
  making second authentication credential data available to the cloud-based asset, in response to a second request; and
  
  concatenating the first authentication credential data and the second authentication credential data;
  
  wherein the cloud-based asset'"'"'s right to access the access-controlled resource is contingent on the cloud-based asset providing the first and second authentication credential data, on the first and second authentication credential data being concatenated, and on a verification of the concatenated first and second authentication credential data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory computer readable medium of claim 1, wherein the making first authentication credential data available includes generating the first authentication credential data.
  - 3. The non-transitory computer readable medium of claim 1, wherein the first authentication credential data and the second authentication credential data are each portions of a security token.
  - 4. The non-transitory computer readable medium of claim 1, wherein the first authentication credential data and the second authentication credential data are each separate authentication credentials.
  - 5. The non-transitory computer readable medium of claim 1, wherein the operations further comprise making the first authentication credential data available to be injected into the cloud-based asset.
  - 6. The non-transitory computer readable medium of claim 1, wherein the operations further comprise making the second authentication credential data available to the cloud-based asset in response to the prompt and further in response to the authenticating of the cloud-based asset based on the first authentication credential data.
  - 7. The non-transitory computer readable medium of claim 1, wherein the first authentication credential data includes a random data portion.
  - 8. The non-transitory computer readable medium of claim 1, wherein the first authentication credential data includes a portion including information regarding the cloud-based asset.
  - 9. The non-transitory computer readable medium of claim 1, wherein the first authentication credential data includes a portion including information regarding a cloud environment in which the cloud-based asset was spun up.

10. A computer-implemented method, executable by a processor of a computing system, for providing authentication credential data to a cloud-based asset on demand, the method comprising:
- receiving a prompt indicating that a cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset and being configured to analyze information associated with a creation of the cloud-based asset;
  
  wherein the extracted information includes information regarding a virtualization platform used to spin up the cloud-based asset and a parameter or configuration setting of the virtualization platform;
  
  authenticating the cloud-based asset based on the extracted information;
  
  making first authentication credential data available to the cloud-based asset in response to a first request;
  
  authenticating the cloud-based asset based on the first authentication credential data; and
  
  making second authentication credential data available to the cloud-based asset, in response to a second request;
  
  wherein the cloud-based asset'"'"'s right to access the access-controlled resource is contingent on the cloud-based asset providing the first and second authentication credential data, and on a verification of both the first and second authentication credential data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer-implemented method of claim 10, wherein the extracted information associated with the cloud-based asset includes a virtual computing identifier associated with the cloud-based asset.
  - 12. The computer-implemented method of claim 10, wherein the extracted information associated with the cloud-based asset includes a virtual computing namespace associated with the cloud-based asset.
  - 13. The computer-implemented method of claim 10, wherein the extracted information includes a permissible type of cloud-based assets.
  - 14. The computer-implemented method of claim 10, wherein the extracted information includes a permissible role of cloud-based assets.
  - 15. The computer-implemented method of claim 10, wherein the authenticating the cloud-based asset based on the extracted information is performed based on an authentication policy and the extracted information.
  - 16. The computer-implemented method of claim 15, wherein the authentication policy includes rules that take into account a history of activity involving a virtualization platform used to spin up the cloud-based asset.
  - 17. The computer-implemented method of claim 15, wherein the authentication policy includes rules that take into account a history of activity involving the cloud-based asset.

18. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for obtaining access to authentication credential data on demand, the operations comprising:
- requesting, by a cloud-based asset, to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  in response to the request to communicate and conditional on the cloud-based asset being authenticated based on extracted information associated with the cloud-based asset, obtaining access to first authentication credential data for the cloud-based asset;
  
  wherein the extracted information is maintained by a trusted cloud platform resource that is configured to analyze information associated with a creation of the cloud-based asset;
  
  in response to a subsequent request, obtaining access to second authentication credential data for the cloud-based asset;
  
  requesting authorization, using the first authentication credential data and the second authentication credential data, to access the access-controlled resource; and
  
  receiving authorization, in response to the request for authorization, to access the access-controlled resource;
  
  wherein the cloud-based asset'"'"'s right to access the access-controlled resource is contingent on the cloud-based asset providing the first and second authentication credential data, on the first and second authentication credential data being concatenated, and on a verification of the concatenated first and second authentication credential data.
- View Dependent Claims (19, 20, 21)
- - 19. The non-transitory computer readable medium of claim 18, wherein the first authentication credential data and the second authentication credential data are separately verified.
  - 20. The non-transitory computer readable medium of claim 18, wherein the first authentication credential data and the second authentication credential data are each portions of a security token.
  - 21. The non-transitory computer readable medium of claim 18, wherein the operations further comprise receiving the first authentication credential data before the requesting to communicate with the access-controlled resource, and receiving the second authentication credential data after the requesting to communicate with the access-controlled resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
CyberArk Software Ltd.
Inventors
Schwarz, Rafi, Maccabi, Eli, Cohen, Moti, Lahav, Nessi, Zilberman Kubovsky, Inbal, Sakirko, Evgeny
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US16/013,242
Publication Number

US 20180359239A1
Time in Patent Office

370 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/44   Program or device authentic...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 9/3213   using tickets or tokens, e....

Seamless provision of authentication credential data to cloud-based assets on demand

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Seamless provision of authentication credential data to cloud-based assets on demand

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links