Incident management to maintain control of restricted data in cloud computing environments

US 10,560,463 B2
Filed: 11/05/2015
Issued: 02/11/2020
Est. Priority Date: 11/05/2015
Status: Active Grant

First Claim

Patent Images

1. One or more computer storage media storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to perform operations comprising:

receiving incident information regarding an incident in a cloud computing environment;

providing the incident information to a portal on a DevOps device for review by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment;

receiving, at a service within the cloud computing environment, a request for a just-in-time (JIT) access session to access a resource in a production environment of the cloud computing environment from the portal on the DevOps device, wherein the request specifies request parameters including a level or type of access requested and information regarding the incident including a type of the incident and whether the incident is active;

accessing, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the production environment of the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource;

determining, by the service within the cloud computing environment, whether to approve the request for the JIT access session based at least in part on automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on the type of the incident and whether the incident is active;

if it is determined to approve the request for the JIT access session, provisioning JIT access for the DevOps personnel including setting a time limit for the JIT access; and

if it is determined to not approve the request for the JIT access session, providing a notice to the portal on the DevOps device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques allow DevOps personnel to perform incident management for cloud computing environments in a manner that maintains control over restricted data and the data plane. The DevOps personnel do not have access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. The incident management techniques include executing automatic operations to resolve an incident and allowing DevOps personnel to execute remote operations without providing the DevOps personnel access. A further incident management technique provides DevOps personnel with just-in-time (JIT) access that is limited to a certain level or type of access and limited in time. Still another technique for incident management is using an escort model, in which an escort session between operating personnel and DevOps personnel is established and connected to the cloud computing environment to allow the DevOps personnel access to the production environment while escorted by the operating personnel.

30 Citations

20 Claims

1. One or more computer storage media storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to perform operations comprising:
- receiving incident information regarding an incident in a cloud computing environment;
  
  providing the incident information to a portal on a DevOps device for review by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment;
  
  receiving, at a service within the cloud computing environment, a request for a just-in-time (JIT) access session to access a resource in a production environment of the cloud computing environment from the portal on the DevOps device, wherein the request specifies request parameters including a level or type of access requested and information regarding the incident including a type of the incident and whether the incident is active;
  
  accessing, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the production environment of the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource;
  
  determining, by the service within the cloud computing environment, whether to approve the request for the JIT access session based at least in part on automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on the type of the incident and whether the incident is active;
  
  if it is determined to approve the request for the JIT access session, provisioning JIT access for the DevOps personnel including setting a time limit for the JIT access; and
  
  if it is determined to not approve the request for the JIT access session, providing a notice to the portal on the DevOps device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The one or more computer storage media of claim 1, wherein the request for the JIT access session specifies at least one selected from the following:
    - information regarding the DevOps personnel and an identification of the incident.
  - 3. The one or more computer storage media of claim 2, wherein the information regarding the DevOps personnel identifies a role of the DevOps personnel.
  - 4. The one or more computer storage media of claim 1, wherein the JIT access session is revoked when the time limit for the JIT access expires.
  - 5. The one or more computer storage media of claim 1, wherein the JIT access session is revoked in response to a command from the DevOps personnel during the JIT access session.
  - 6. The one or more computer storage media of claim 1, the operations further comprising:
    - if it is determined to approve the request for the JIT access session, providing a notice regarding approval of the request to operating personnel having persistent access to restricted data.
  - 7. The one or more computer storage media of claim 1, the operations further comprising:
    - if it is determined to not approve the request for the JIT access session, sending the request for the JIT access session to operating personnel having persistent access to restricted data.

8. A computer-implement method comprising:
- receiving incident information regarding an incident in a cloud computing environment;
  
  providing the incident information to a portal on a DevOps device for review by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment;
  
  receiving, at a service within the cloud computing environment, a request for a just-in-time (JIT) access session to access a resource in a production environment of the cloud computing environment from the portal on the DevOps device, wherein the request specifies request parameters including a level or type of access requested and information regarding the incident including a type of the incident and whether the incident is active;
  
  accessing, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the production environment of the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource;
  
  determining, by the service within the cloud computing environment, whether to approve the request for the JIT access session based at least in part on automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on the type of the incident and whether the incident is active;
  
  if it is determined to approve the request for the JIT access session, provisioning JIT access for the DevOps personnel including setting a time limit for the JIT access; and
  
  if it is determined to not approve the request for the JIT access session, providing a notice to the portal on the DevOps device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the request for the JIT access session specifies at least one selected from the following:
    - information regarding the DevOps personnel and an identification of the incident.
  - 10. The method of claim 9, wherein the information regarding the DevOps personnel identifies a role of the DevOps personnel.
  - 11. The method of claim 8, wherein the JIT access session is revoked when the time limit for the JIT access expires.
  - 12. The method of claim 8, wherein the JIT access session is revoked in response to a command from the DevOps personnel during the JIT access session.
  - 13. The method of claim 8, the method further comprising:
    - if it is determined to approve the request for the JIT access session, providing a notice regarding approval of the request to operating personnel having persistent access to restricted data.
  - 14. The method of claim 8, the method further comprising:
    - if it is determined to not approve the request for the JIT access session, sending the request for the JIT access session to operating personnel having persistent access to restricted data.

15. A system comprising:
- one or more hardware processors; and
  
  one or more computer storage media storing computer-usable instructions that, when used by the one or more processors, cause the one or more processors to;
  
  receive incident information regarding an incident in a cloud computing environment;
  
  provide the incident information to a portal on a DevOps device for review by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment;
  
  receive, at a service within the cloud computing environment, a request for a just-in-time (JIT) access session to access a resource in a production environment of the cloud computing environment from the portal on the DevOps device, wherein the request specifies request parameters including a level or type of access requested and information regarding the incident including a type of the incident and whether the incident is active;
  
  access, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the production environment of the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource;
  
  determine, by the service within the cloud computing environment, whether to approve the request for the JIT access session based at least in part on automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on the type of the incident and whether the incident is active;
  
  if it is determined to approve the request for the JIT access session, provision JIT access for the DevOps personnel including setting a time limit for the JIT access; and
  
  if it is determined to not approve the request for the JIT access session, provide a notice to the portal on the DevOps device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the request for the JIT access session specifies at least one selected from the following:
    - information regarding the DevOps personnel and an identification of the incident.
  - 17. The system of claim 16, wherein the information regarding the DevOps personnel identifies a role of the DevOps personnel.
  - 18. The system of claim 15, wherein the JIT access session is revoked when the time limit for the JIT access expires.
  - 19. The system of claim 15, wherein the JIT access session is revoked in response to a command from the DevOps personnel during the JIT access session.
  - 20. The system of claim of claim 15, the instructions further causing the one or more processors to:
    - if it is determined to approve the request for the JIT access session, provide a notice regarding approval of the request to operating personnel having persistent access to restricted data; and
      
      if it is determined to not approve the request for the JIT access session, send the request for the JIT access session to operating personnel having persistent access to restricted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Chattopadhyay, Somak, Knudson, Thomas, Shankar, Chetan, Ali, Maisem, Cui, Lilei, Kalarickal, Sandeep, Nair, Pradeep Ayyappan, Keane, Tom, Pasumarthy, Siddhartha, Miller, Shont, Jin, Lu, Zhou, Qin, Black, Maria, Lu, Elaine, Gallot, Damien, Geisbush, Christopher, Sauntry, David, Miller, Peter
Primary Examiner(s)
Bechtel, Kevin
Assistant Examiner(s)
Farooqui, Quazi

Application Number

US14/933,803
Publication Number

US 20170134392A1
Time in Patent Office

1,559 Days
Field of Search

726 1- 6, 370228, 370401, 709239
US Class Current
CPC Class Codes

G06F 8/60   Software deployment

G06F 8/70   Software maintenance or man...

G06F 9/453   Help systems

H04L 63/105   Multiple levels of security

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

Incident management to maintain control of restricted data in cloud computing environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Incident management to maintain control of restricted data in cloud computing environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links