
Efficient cloud resource protection

  • US 10,742,629 B2
  • Filed: 02/28/2017
  • Issued: 08/11/2020
  • Est. Priority Date: 02/28/2017
  • Status: Active Grant
First Claim

1. A computer-implemented cloud resource protection method performed in a cloud-computing environment, the method comprising:

  • authenticating a user on a first computer that is part of a distributed system;

    based on the authentication, assigning to the user, on the first computer, a data structure indicating a set of permissions;

    receiving a directive from the user to initiate, via the first computer, an execution of a process associated with a first class, wherein the first class is one of a plurality of classes and is associated with one or more permissions of the set of permissions;

    based on the data structure, initiating, on a second computer, the execution of the process;

    with no further authentication, controlling access by granting the process access to a data set, access to which is restricted to one or more classes of the plurality of classes, wherein the one or more classes of the plurality of classes includes the first class associated with the process;

    providing a data item from the data set to the user;

    while the process runs, dynamically assigning the process to the process class based on one of:

    a loadable module that is loaded by an application;

    a service accessed by the application;

    or data used by the application; and

    assigning a process to the first class, such that via a class-based access control policy, the process assigned to the first class accessing the data of the class is controlled, on demand, further comprising:

    with no further authentication, migrating the process from the second computer to a third computer; and

    with no further authentication, providing a further data item from the data set to the user, and an abstraction component, embodied in the cloud computing environment, that facilitates the migration such that if any virtual memory regions belonging to the process being migrated cannot be placed in their prior address ranges, then any pointers to those regions are updated throughout the virtual memory at migration time.
