Efficient cloud resource protection
First Claim
1. A computer-implemented cloud resource protection method performed in a cloud-computing environment, the method comprising:
authenticating a user on a first computer that is part of a distributed system;
based on the authentication, assigning to the user, on the first computer, a data structure indicating a set of permissions;
receiving a directive from the user to initiate, via the first computer, an execution of a process associated with a first class, wherein the first class is one of a plurality of classes and is associated with one or more permissions of the set of permissions;
based on the data structure, initiating, on a second computer, the execution of the process;
with no further authentication, controlling access by granting the process access to a data set, access to which is restricted to one or more classes of the plurality of classes, wherein the one or more classes of the plurality of classes includes the first class associated with the process;
providing a data item from the data set to the user;
while the process runs, dynamically assigning the process to the process class based on one of:
a loadable module that is loaded by an application;
a service accessed by the application;
or data used by the application; and
assigning a process to the first class, such that via a class-based access control policy, the process assigned to the first class accessing the data of the class is controlled, on demand, further comprising:
with no further authentication, migrating the process from the second computer to a third computer; and
with no further authentication, providing a further data item from the data set to the user, and an abstraction component, embodied in the cloud computing environment, that facilitates the migration such that if any virtual memory regions belonging to the process being migrated cannot be placed in their prior address ranges, then any pointers to those regions are updated throughout the virtual memory at migration time.
Abstract
A cloud resource protection method, system, and computer program product include authenticating a user on a first computer that is part of a distributed system, based on the authentication, assigning to the user, on the first computer, a token indicating a set of permissions, receiving a directive from the user to initiate, via the first computer, the execution of a process associated with a class, based on the token, initiating, on a second computer, the execution of the process, with no further authentication, granting the process access to a data set, access to which is restricted to one or more of the plurality of classes, and providing a data item from the data set to the user.
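As an added illustration of the flow the abstract and claim 1 describe (example code written for this page, not code from the patent or its assignee), the Python below models the three computers as functions in one process: the first computer authenticates the user and issues a token listing the classes the user may run processes under, the second launches the process from the token alone, a class-based policy gates each read of a data set, the running process is reclassified by the module, service or data it touches, and migration to a third node carries the token so the further read needs no new authentication. The HMAC-signed token format, the shared cluster key, the user directory, the data sets and the classification rules are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Hypothetical key shared by the nodes of the distributed system, so a token minted
# on the first computer can be checked on the second and third without sending the
# user back through authentication. The patent fixes no token format; HMAC is an
# assumption of this example.
CLUSTER_KEY = b"example-cluster-key-not-for-production"

# Constructed directory, data sets and policy for the example.
USERS = {"alice": "s3cret"}
DATASETS = {"payroll": ["alice:4200", "bob:3900"], "telemetry": ["cpu=41%", "mem=63%"]}
# "access to which is restricted to one or more classes": data set -> allowed classes
DATASET_POLICY = {"payroll": {"finance", "audit"}, "telemetry": {"ops"}}
# Rules for re-classifying a running process by what it loads, calls or touches.
MODULE_CLASS = {"libpayroll.so": "finance"}
SERVICE_CLASS = {"ledger-api": "audit", "metrics-api": "ops"}
DATA_CLASS = {"telemetry": "ops"}


def mint_token(user: str, password: str, permissions: set) -> Optional[str]:
    """First computer: authenticate once, then issue a signed token naming the
    classes the user may run processes under (the claim's 'set of permissions')."""
    if USERS.get(user) != password:
        return None
    body = json.dumps({"sub": user, "classes": sorted(permissions)}, sort_keys=True)
    mac = hmac.new(CLUSTER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_token(token: str) -> Optional[dict]:
    """Any node: accept the token only if its MAC verifies; no user interaction."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(CLUSTER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


@dataclass
class Process:
    token: str
    cls: str
    node: str

    # Dynamic assignment while the process runs (claim element "based on one of").
    def on_module_load(self, module: str) -> None:
        self.cls = MODULE_CLASS.get(module, self.cls)

    def on_service_access(self, service: str) -> None:
        self.cls = SERVICE_CLASS.get(service, self.cls)

    def on_data_use(self, dataset: str) -> None:
        self.cls = DATA_CLASS.get(dataset, self.cls)

    def read(self, dataset: str) -> list:
        """Class-based access control: the token proves the user was granted this
        class, the policy says whether the class may read the data set. Neither
        step re-authenticates the user."""
        claims = verify_token(self.token)
        if claims is None or self.cls not in claims["classes"]:
            raise PermissionError(f"class {self.cls!r} was not granted to this user")
        if self.cls not in DATASET_POLICY.get(dataset, set()):
            raise PermissionError(f"class {self.cls!r} may not read {dataset!r}")
        return list(DATASETS[dataset])


def launch(token: str, cls: str, node: str) -> Process:
    """Second computer: start the process if the token carries the requested class."""
    claims = verify_token(token)
    if claims is None or cls not in claims["classes"]:
        raise PermissionError(f"token does not permit class {cls!r}")
    return Process(token=token, cls=cls, node=node)


def migrate(proc: Process, node: str) -> Process:
    """Third computer: the token travels with the process state, so the next
    access check runs without further authentication."""
    return Process(token=proc.token, cls=proc.cls, node=node)


def demo() -> dict:
    token = mint_token("alice", "s3cret", {"finance", "ops"})
    proc = launch(token, "finance", "node-2")
    first = proc.read("payroll")            # finance is allowed for payroll
    proc.on_service_access("ledger-api")    # reclassified to audit while running
    try:                                    # audit may read payroll per policy, but
        proc.read("payroll")                # alice's token never granted audit
        denied = False
    except PermissionError:
        denied = True
    proc.on_data_use("telemetry")           # reclassified to ops
    moved = migrate(proc, "node-3")
    further = moved.read("telemetry")       # granted on node-3, no new login
    return {"first": first, "denied_after_reclass": denied,
            "further": further, "node": moved.node}
```

Note the order of checks in `read`: the policy alone would let the `audit` class read `payroll`, but the token never granted `audit` to this user, so a reclassification triggered by the application cannot escalate beyond the permission set fixed at authentication time. Every node that verifies the token needs the key (or the public key, if the token were signed asymmetrically); that key distribution is the trust boundary the "no further authentication" steps rest on.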
13 Claims
1. A computer-implemented cloud resource protection method performed in a cloud-computing environment, the method comprising:
authenticating a user on a first computer that is part of a distributed system;
based on the authentication, assigning to the user, on the first computer, a data structure indicating a set of permissions;
receiving a directive from the user to initiate, via the first computer, an execution of a process associated with a first class, wherein the first class is one of a plurality of classes and is associated with one or more permissions of the set of permissions;
based on the data structure, initiating, on a second computer, the execution of the process;
with no further authentication, controlling access by granting the process access to a data set, access to which is restricted to one or more classes of the plurality of classes, wherein the one or more classes of the plurality of classes includes the first class associated with the process;
providing a data item from the data set to the user;
while the process runs, dynamically assigning the process to the process class based on one of:
a loadable module that is loaded by an application;
a service accessed by the application;
or data used by the application; and
assigning a process to the first class, such that via a class-based access control policy, the process assigned to the first class accessing the data of the class is controlled, on demand, further comprising:
with no further authentication, migrating the process from the second computer to a third computer; and
with no further authentication, providing a further data item from the data set to the user, and an abstraction component, embodied in the cloud computing environment, that facilitates the migration such that if any virtual memory regions belonging to the process being migrated cannot be placed in their prior address ranges, then any pointers to those regions are updated throughout the virtual memory at migration time.
Dependent claims: 2, 3, 4, 11, 12, 13.
5. A computer program product for cloud resource protection embodied in a cloud computing environment, the computer program product comprising a computer-readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform:
authenticating a user on a first computer that is part of a distributed system;
based on the authentication, assigning to the user, on the first computer, a data structure indicating a set of permissions;
receiving a directive from the user to initiate, via the first computer, an execution of a process associated with a first class, wherein the first class is one of a plurality of classes and is associated with one or more permissions of the set of permissions;
based on the data structure, initiating, on a second computer, the execution of the process;
with no further authentication, controlling access by granting the process access to a data set, access to which is restricted to one or more classes of the plurality of classes, wherein the one or more classes of the plurality of classes includes the first class associated with the process;
providing a data item from the data set to the user;
while the process runs, dynamically assigning the process to the process class based on one of:
a loadable module that is loaded by an application;
a service accessed by the application;
or data used by the application; and
assigning a process to the first class, such that via a class-based access control policy, the process assigned to the first class accessing the data of the class is controlled, on demand, further comprising:
with no further authentication, migrating the process from the second computer to a third computer; and
with no further authentication, providing a further data item from the data set to the user, and an abstraction component, embodied in the cloud computing environment, that facilitates the migrating such that if any virtual memory regions belonging to the process being migrated cannot be placed in their prior address ranges, then any pointers to those regions are updated throughout the virtual memory at migration time.
Dependent claims: 6, 7, 8.
9. A cloud resource protection system embodied in a cloud computing environment, said system comprising:
a processor; and
a memory, the memory storing instructions to cause the processor to perform:
authenticating a user on a first computer that is part of a distributed system;
based on the authentication, assigning to the user, on the first computer, a data structure indicating a set of permissions;
receiving a directive from the user to initiate, via the first computer, an execution of a process associated with a first class, wherein the first class is one of a plurality of classes and is associated with one or more permissions of the set of permissions;
based on the data structure, initiating, on a second computer, the execution of the process;
with no further authentication, controlling access by granting the process access to a data set, access to which is restricted to one or more classes of the plurality of classes, wherein the one or more classes of the plurality of classes includes the first class associated with the process;
providing a data item from the data set to the user;
while the process runs, dynamically assigning the process to the process class based on one of:
a loadable module that is loaded by an application;
a service accessed by the application;
or data used by the application; and
assigning a process to the first class, such that via a class-based access control policy, the process assigned to the first class accessing the data of the class is controlled, on demand, further comprising:
with no further authentication, migrating the process from the second computer to a third computer; and
with no further authentication, providing a further data item from the data set to the user, and an abstraction component, embodied in the cloud computing environment, that facilitates the migrating such that if any virtual memory regions belonging to the process being migrated cannot be placed in their prior address ranges, then any pointers to those regions are updated throughout the virtual memory at migration time.
Dependent claims: 10.
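The last element of claims 1, 5 and 9, the abstraction component that updates pointers when a migrated region cannot be restored at its prior address range, is shown below as an added Python simulation written for this page (not the patent's or any product's code). Regions are byte arrays with 64-bit little-endian pointer words at offsets the migration component tracks; the constructed process image, the target computer's already-mapped range, the page size and the fallback address are all assumptions of the example.

```python
import struct
from dataclasses import dataclass, field

PTR = struct.Struct("<Q")   # 8-byte little-endian pointer words (an assumption)
PAGE = 0x1000


@dataclass
class Region:
    """One virtual memory region of the migrating process. ptr_slots lists the
    offsets of pointer-sized words the abstraction component knows about."""
    name: str
    base: int
    mem: bytearray
    ptr_slots: list = field(default_factory=list)

    @property
    def end(self) -> int:
        return self.base + len(self.mem)

    def read_ptr(self, off: int) -> int:
        return PTR.unpack_from(self.mem, off)[0]

    def write_ptr(self, off: int, val: int) -> None:
        PTR.pack_into(self.mem, off, val)


def build_snapshot() -> list:
    """Constructed image: a heap object pointing (twice) into a buffer, and a
    stack slot pointing at the heap object."""
    heap = Region("heap", 0x10000, bytearray(32))
    buf = Region("buffer", 0x20000, bytearray(b"payload\0" + bytes(24)))
    stack = Region("stack", 0x7ff0000, bytearray(16))
    heap.write_ptr(0, buf.base)          # heap[0]  -> start of buffer
    heap.write_ptr(8, buf.base + 8)      # heap[8]  -> interior of buffer
    heap.ptr_slots = [0, 8]
    stack.write_ptr(0, heap.base)        # stack[0] -> heap object
    stack.ptr_slots = [0]
    return [heap, buf, stack]


def overlaps(a0: int, a1: int, b0: int, b1: int) -> bool:
    return a0 < b1 and b0 < a1


def place(regions: list, reserved: list, free_base: int = 0x40000000) -> tuple:
    """Choose target addresses. A region whose prior range is free on the target
    keeps it; otherwise it moves to the next free page-aligned address and a
    relocation (old_base, old_end, new_base) is recorded."""
    taken = list(reserved)
    placement, reloc, cursor = {}, [], free_base
    for r in regions:
        if any(overlaps(r.base, r.end, s, e) for s, e in taken):
            new_base = cursor
            cursor += -(-len(r.mem) // PAGE) * PAGE
            reloc.append((r.base, r.end, new_base))
        else:
            new_base = r.base
        taken.append((new_base, new_base + len(r.mem)))
        placement[r.name] = new_base
    return placement, reloc


def fix_pointers(regions: list, reloc: list) -> int:
    """Rewrite every pointer word in every region that points into a moved range,
    interior pointers included. Returns the number of words rewritten."""
    fixed = 0
    for r in regions:
        for off in r.ptr_slots:
            p = r.read_ptr(off)
            for old_base, old_end, new_base in reloc:
                if old_base <= p < old_end:
                    r.write_ptr(off, p - old_base + new_base)
                    fixed += 1
                    break
    return fixed


def migrate(regions: list, reserved: list) -> int:
    """Fix-up runs before any base changes, since it matches the old ranges;
    then each region takes its target address."""
    placement, reloc = place(regions, reserved)
    fixed = fix_pointers(regions, reloc)
    for r in regions:
        r.base = placement[r.name]
    return fixed


def deref(regions: list, addr: int, n: int) -> bytes:
    """Follow a pointer into whichever region now contains it."""
    for r in regions:
        if r.base <= addr < r.end:
            return bytes(r.mem[addr - r.base: addr - r.base + n])
    raise ValueError(f"dangling pointer {addr:#x}")


def demo() -> dict:
    regions = build_snapshot()
    heap, buf, stack = regions
    # On the target computer 0x20000-0x21000 is already mapped, so "buffer"
    # cannot return to its prior range; "heap" and "stack" can.
    fixed = migrate(regions, reserved=[(0x20000, 0x21000)])
    return {"rewritten": fixed, "buffer_base": buf.base,
            "heap_ptr": heap.read_ptr(0), "interior_ptr": heap.read_ptr(8),
            "stack_ptr": stack.read_ptr(0),
            "payload": deref(regions, heap.read_ptr(0), 7)}
```

Two checks a practitioner would want: the fix-up must be matched against the old ranges before any base changes, and interior pointers (here `heap[8]`, into the middle of the buffer) must keep their offset within the moved region. With an explicit pointer map, as here, the rewrite is exact; a conservative scan that rewrites every word that looks like an address would also corrupt integers that happen to fall in a moved range, and pointers held outside the dumped memory (registers, kernel objects) need separate treatment either way.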
Specification