Hybrid cloud security groups

US 10,462,136 B2
Filed: 10/13/2015
Issued: 10/29/2019
Est. Priority Date: 10/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request from a first cloud network of a hybrid cloud environment at a gateway of a second cloud network of the hybrid cloud environment to transmit data from the second cloud network;

automatically analyzing a security tag associated with the data, at the gateway of the second cloud network, to yield an access determination, the automatically analyzing including an analysis of whether the security tag includes any access permissions to the data, the access permissions indicating that the data is allowed to enter the first cloud network; and

based at least in part on the access determination and if the security tag includes the access permissions indicating the data is allowed to enter the first cloud network, allowing the data to exit the second cloud network via the gateway, the hybrid cloud environment configured to prevent unauthorized access to the hybrid cloud environment while providing scalability to accommodate increases and decreases in demand for one or more computing resources, the one or more computing resources including a processing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, data can be allowed to access to the second cloud network.

Citations

20 Claims

1. A method comprising:
- receiving a request from a first cloud network of a hybrid cloud environment at a gateway of a second cloud network of the hybrid cloud environment to transmit data from the second cloud network;
  
  automatically analyzing a security tag associated with the data, at the gateway of the second cloud network, to yield an access determination, the automatically analyzing including an analysis of whether the security tag includes any access permissions to the data, the access permissions indicating that the data is allowed to enter the first cloud network; and
  
  based at least in part on the access determination and if the security tag includes the access permissions indicating the data is allowed to enter the first cloud network, allowing the data to exit the second cloud network via the gateway, the hybrid cloud environment configured to prevent unauthorized access to the hybrid cloud environment while providing scalability to accommodate increases and decreases in demand for one or more computing resources, the one or more computing resources including a processing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - screening the request via a firewall of the second cloud network; and
      
      based at least in part on the access determination, denying access to data that is not permitted to exit the second cloud network.
  - 3. The method of claim 1, further comprising:
    - transmitting the data from the second cloud network via a hybrid link, the hybrid link utilized for secure communications between the first cloud network and the second cloud network, wherein the hybrid link does not allow connection to the Internet.
  - 4. The method of claim 1, wherein the security tag is automatically applied to applications initialized in the hybrid cloud environment.
  - 5. The method of claim 1, further comprising:
    - receiving a request for a virtual machine in the hybrid cloud environment;
      
      determining that the request originates from an Internet Protocol (IP) address of a private cloud network of the hybrid cloud environment; and
      
      providing the virtual machine in the hybrid cloud environment.
  - 6. The method of claim 1, further comprising:
    - receiving a request for access to a private cloud network of the hybrid cloud environment from a public cloud network of the hybrid cloud environment;
      
      automatically determining that the request for access to the private cloud network is from an entity with permission to operate in the private cloud network; and
      
      based at least in part on the permission, allowing access to the private cloud network.
  - 7. The method of claim 1, further comprising:
    - receiving a request for access to a public cloud network of the hybrid cloud environment from a private cloud network of the hybrid cloud environment;
      
      automatically determining that the request for access to the public cloud network is from an entity with permission to operate in the public cloud network; and
      
      based at least in part on the permission, allowing access to the public cloud network.

8. A network device comprising:
- one or more servers facilitating a first cloud network of a hybrid cloud environment;
  
  one or more servers facilitating a second cloud network of the hybrid cloud environment;
  
  one or more processors; and
  
  a memory configured to store non-transitory computer-readable instructions, which when executed by the one or more processors, cause the one or more processors to;
  
  receive a request from the first cloud network of the hybrid cloud environment to transmit data from the second cloud network of the hybrid cloud environment;
  
  automatically analyze a security tag associated with the data to determine whether the security tag includes any access permissions to the data and yield an access determination, the access permissions indicating that the data is allowed to enter the first cloud network; and
  
  based at least in part on the access determination and if the security tag includes the access permissions indicating the data is allowed to enter the first cloud network, allow the data to exit the second cloud network, the hybrid cloud environment configured to prevent unauthorized access to the hybrid cloud environment while providing scalability to accommodate increases and decreases in demand for one or more computing resources.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The network device of claim 8, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - based at least in part on the access determination, deny access to data that is not permitted to exit the second cloud network.
  - 10. The network device of claim 8, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - transmit the data from the second cloud network via a hybrid link, the hybrid link utilized for secure communications between the first cloud network and the second cloud network, wherein the hybrid link does not allow connection to the Internet.
  - 11. The network device of claim 8, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - receive a request for a virtual machine in the hybrid cloud environment;
      
      determine that the request originates from an Internet Protocol (IP) address of a private cloud network of the hybrid cloud environment; and
      
      provide the virtual machine in the hybrid cloud environment.
  - 12. The network device of claim 8, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - receive a request for access to a private cloud network of the hybrid cloud environment from a public cloud network of the hybrid cloud environment;
      
      automatically determine that the request for access to the private cloud network is from an entity with permission to operate in the private cloud network; and
      
      based at least in part on the permission, allow access to the private cloud network.
  - 13. The network device of claim 8, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - receive a request for access to a public cloud network of the hybrid cloud environment from a private cloud network of the hybrid cloud environment;
      
      automatically determine that the request for access to the public cloud network is from an entity with permission to operate in the public cloud network; and
      
      based at least in part on the permission, allow access to the public cloud network.

14. A non-transitory computer-readable medium having instructions encoded thereon, which when executed by one or more processors, cause the one or more processors to:
- receive a request from a first cloud network of a hybrid cloud environment to transmit data from a second cloud network of the hybrid cloud environment;
  
  automatically analyze a security tag associated with the data to determine whether the security tag includes any access permissions to the data and yield an access determination, the access permissions indicating that the data is allowed to enter the first cloud network; and
  
  based at least in part on the access determination and if the security tag includes the access permissions indicating the data is allowed to enter the first cloud network, allow the data to exit the second cloud network, the hybrid cloud environment configured to prevent unauthorized access to the hybrid cloud environment while providing scalability to accommodate increases and decreases in demand for one or more computing resources.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable medium of claim 14, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - based at least in part on the access determination, deny access to data that is not permitted to exit the second cloud network.
  - 16. The non-transitory computer-readable medium of claim 14, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - transmit the data from the second cloud network via a hybrid link, the hybrid link utilized for secure communications between the first cloud network and the second cloud network, wherein the hybrid link does not allow connection to the Internet.
  - 17. The non-transitory computer-readable medium of claim 14, wherein the security tag is automatically applied to applications initialized in the hybrid cloud environment.
  - 18. The non-transitory computer-readable medium of claim 14, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - receive a request for a virtual machine in the hybrid cloud environment;
      
      determine that the request originates from an Internet Protocol (IP) address of a private cloud network of the hybrid cloud environment; and
      
      provide the virtual machine in the hybrid cloud environment.
  - 19. The non-transitory computer-readable medium of claim 14, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - receive a request for access to a private cloud network of the hybrid cloud environment from a public cloud network of the hybrid cloud environment;
      
      automatically determine that the request for access to the private cloud network is from an entity with permission to operate in the private cloud network; and
      
      based at least in part on the permission, allow access to the private cloud network.
  - 20. The non-transitory computer-readable medium of claim 14, wherein the execution of the computer-readable instructions further cause the one or more processors to:
    - receive a request for access to a public cloud network of the hybrid cloud environment from a private cloud network of the hybrid cloud environment;
      
      automatically determine that the request for access to the public cloud network is from an entity with permission to operate in the public cloud network; and
      
      based at least in part on the permission, allow access to the public cloud network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Arregoces, Mauricio, Bagepalli, Nagaraj, Chandrasekaran, Subramanian
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US14/881,649
Publication Number

US 20170104755A1
Time in Patent Office

1,477 Days
Field of Search

726 1- 4, 726 30, 726 15, 726 23, 726 26, 3405721, 4554561, 702 62
US Class Current
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 67/10   in which an application is ...

Hybrid cloud security groups

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hybrid cloud security groups

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links