Just-in-time access based on screening criteria to maintain control of restricted data in cloud computing environments

US 10,484,430 B2
Filed: 05/08/2017
Issued: 11/19/2019
Est. Priority Date: 11/05/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized system comprising:

one or more hardware processors; and

one or more computer storage media storing computer-useable instructions that, when used by the one or more hardware processors, cause the one or more hardware processors to;

receive, at a service within a cloud computing environment, a request for just-in-time (JIT) access to a resource within a production environment of the cloud computing environment, the request being received from a portal on a DevOps device operated by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment, the request specifying request parameters including a level or type of access requested and information regarding an incident;

access, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the production environment of the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource;

determine, from the JIT policy for the resource, screening criteria restricting JIT access to the resource, the screening criteria specifying one or more security clearance procedures;

receive screening information for the DevOps personnel;

determine, by the service within the cloud computing environment, whether to approve the request for JIT access based at least in part on automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on;

(1) a type of the incident;

(2) whether the incident is active; and

(3) a comparison of the screening information for the DevOps personnel to the screening criteria from the JIT policy to verify that the one or more security clearance procedures have been performed for the DevOps personnel;

if it is determined to automatically approve the request for JIT access, provision a JIT access session for the DevOps device including setting a time limit for the JIT access session; and

if it is determined not to automatically approve the request for JIT access, send the request for JIT access to a portal on an operator device for review by an operating personnel who has access to restricted data in the cloud computing environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to DevOps personnel who meeting the screening criteria. Screening information for the DevOps personnel is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.

34 Citations

View as Search Results

18 Claims

1. A computerized system comprising:
- one or more hardware processors; and
  
  one or more computer storage media storing computer-useable instructions that, when used by the one or more hardware processors, cause the one or more hardware processors to;
  
  receive, at a service within a cloud computing environment, a request for just-in-time (JIT) access to a resource within a production environment of the cloud computing environment, the request being received from a portal on a DevOps device operated by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment, the request specifying request parameters including a level or type of access requested and information regarding an incident;
  
  access, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the production environment of the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource;
  
  determine, from the JIT policy for the resource, screening criteria restricting JIT access to the resource, the screening criteria specifying one or more security clearance procedures;
  
  receive screening information for the DevOps personnel;
  
  determine, by the service within the cloud computing environment, whether to approve the request for JIT access based at least in part on automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on;
  
  (1) a type of the incident;
  
  (2) whether the incident is active; and
  
  (3) a comparison of the screening information for the DevOps personnel to the screening criteria from the JIT policy to verify that the one or more security clearance procedures have been performed for the DevOps personnel;
  
  if it is determined to automatically approve the request for JIT access, provision a JIT access session for the DevOps device including setting a time limit for the JIT access session; and
  
  if it is determined not to automatically approve the request for JIT access, send the request for JIT access to a portal on an operator device for review by an operating personnel who has access to restricted data in the cloud computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the JIT policy includes additional criteria, and wherein the determination to approve the request for JIT access is also based on the additional criteria being satisfied.
  - 3. The system of claim 1, wherein receiving screening information for the DevOps personnel comprises retrieving the screening information for the DevOps personnel from a database of screening information for a plurality of DevOps personnel.
  - 4. The system of claim 3, wherein the request for JIT access includes a user identifier for the DevOps personnel, and wherein the screening information for the DevOps personnel is accessed from the database using the user identifier.
  - 5. The system of claim 1, wherein the one or more security clearance procedures comprises one or more background checks or one or more criminal checks.
  - 6. The system of claim 5, wherein comparing the screening information for the DevOps personnel to the screening criteria comprises comparing the screening information to the one or more security clearance procedures to verify the one or more background checks or one or more criminal checks have been performed for the DevOps personnel.
  - 7. The system of claim 1, wherein the JIT access session is revoked when the time limit for the JIT access session expires.
  - 8. The system of claim 1, wherein the JIT access session is revoked in response to a command from the DevOps personnel or an operator personnel during the JIT access session.

9. One or more computer storage media storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to perform operations comprising:
- receiving incident information regarding an incident in a cloud computing environment;
  
  providing the incident information to a portal on a DevOps device for review by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment;
  
  receiving, at a service within the cloud computing environment from the portal on the DevOps device, a request for a just-in-time (JIT) access session to access a resource in a production environment of the cloud computing environment, the request specifying request parameters including a level or type of access requested and information regarding an incident;
  
  accessing a JIT policy for the resource from a database of JIT policies stored in the cloud computing environment for a plurality of resources in the production environment of the cloud computing environment, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource;
  
  determining that the JIT policy for the resource includes screening criteria restricting JIT access to the resource, the screening criteria specifying one or more security clearance procedures;
  
  accessing screening information for the DevOps personnel;
  
  determining, by the service within the cloud computing environment, whether to automatically approve the request for the JIT access session based at least in part automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on;
  
  (1) a type of the incident;
  
  (2) whether the incident is active; and
  
  (3) a comparison of the screening information for the DevOps personnel to the screening criteria of the JIT policy for the resource to verify that the one or more security clearance procedures have been performed for the DevOps personnel;
  
  if it is determined to automatically approve the request for the JIT access session, provisioning the JIT access session for the DevOps device including setting a time limit for the JIT access; and
  
  if it is determined not to automatically approve the request for the JIT access session, sending the request for the JIT access session to a portal on an operator device for review by an operating personnel who has access to restricted data in the cloud computing environment.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The one or more computer storage media of claim 9, wherein the JIT policy includes one or more additional criteria, and wherein determining whether to automatically approve the request for the JIT access session comprises determining whether information regarding the request for the JIT access session also satisfies the one or more additional criteria.
  - 11. The one or more computer storage media of claim 9, wherein receiving screening information for the DevOps personnel comprises retrieving the screening information for the DevOps personnel from a database of screening information for a plurality of DevOps personnel using a user identifier for the DevOps personnel included in the request for JIT access.
  - 12. The one or more computer storage media of claim 9, wherein the screening criteria specifies one or more screening requirements, and wherein comparing the screening information for the DevOps personnel to the screening criteria comprises comparing the screening information to the one or more screening requirements to determine if the one or more screening requirements are satisfied based on the screening information.
  - 13. The one or more computer storage media of claim 9, wherein the JIT access session is revoked when the time limit for the JIT access expires.
  - 14. The one or more computer storage media of claim 9, wherein provisioning the JIT access session comprises providing the DevOps device the level or type of access to the resource for the time limit.

15. A computerized method comprising:
- receiving, at a service within a cloud computing environment, a request for a just-in-time (JIT) access session to a resource within the cloud computing environment, the request being received from a DevOps device operated by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment, the request specifying request parameters including a level or type of access requested and information regarding an incident;
  
  accessing, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource;
  
  identifying screening criteria from the JIT policy for the resource, the screening criteria specifying one or more security clearance procedures;
  
  receiving screening information for the DevOps personnel;
  
  determining, by the service within the cloud computing environment, whether to approve the request for JIT access based at least in part on automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on;
  
  (1) a type of the incident;
  
  (2) whether the incident is active; and
  
  (3) a determination that the screening information for the DevOps personnel satisfies the screening criteria by verifying that the one or more security clearance procedures have been performed for the DevOps personnel; and
  
  if it is determined to automatically approve the request for JIT access, provisioning the JIT access session for the DevOps device based on determining the screening information for the DevOps personnel satisfies the screening criteria; and
  
  if it is determined not to automatically approve the request for JIT access, sending the request for JIT access to a portal on an operator device for review by an operating personnel who has access to restricted data in the cloud computing environment.
- View Dependent Claims (16, 17, 18)
- - 16. The computerized method of claim 15, wherein the screening criteria sets forth one or more screening requirements for each of a plurality of levels or types of access to the resource.
  - 17. The computerized method of claim 16, wherein determining the screening information for the DevOps personnel satisfies the screening criteria comprises:
    - identifying at least one screening requirement from the screening criteria based on the level or type of access to the resource requested; and
      
      determining the screening information satisfies the at least one screening requirement.
  - 18. The computerized method of claim 15, wherein the JIT access session is provisioned by providing the DevOps device the level or type of access to the resource for a set time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Prasad, Ramnath, Nair, Pradeep Ayyappan, Ramachandran, Veena, Kalarickal, Sandeep, Knudson, Thomas, Bandla, Pavan Gopal, Shankar, Chetan, Sanyal, Ranajoy, Wu, Qingsu, Zhou, Chi, Kirschner, Doug, Meyer, Ryan, Keane, Thomas
Primary Examiner(s)
Bechtel, Kevin
Assistant Examiner(s)
Farooqui, Quazi

Application Number

US15/589,486
Publication Number

US 20170244760A1
Time in Patent Office

925 Days
Field of Search

726 1, 726 2, 726 4, 726 5, 726 19, 713182
US Class Current
CPC Class Codes

G06F 8/60   Software deployment

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

H04L 67/1021   based on client or server l...

Just-in-time access based on screening criteria to maintain control of restricted data in cloud computing environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Just-in-time access based on screening criteria to maintain control of restricted data in cloud computing environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others