System, Method, and Software for Providing Access Control Enforcement Capabilities in Cloud Computing Systems

US 20110072487A1
Filed: 09/23/2009
Published: 03/24/2011
Est. Priority Date: 09/23/2009
Status: Abandoned Application

First Claim

Patent Images

1. A system comprising one or more processors coupled to a memory, the one or more processors when executing logic encoded in the memory providing:

a topology manager, configured to;

maintain a security topology of a plurality of hosts, the security topology associating one or more virtual host policies with a plurality of virtual hosts in a cloud computing deployment; and

request a query for one or more hosts that are candidates to be enforced (candidate hosts); and

a portability manager, configured to;

receive a request to deploy an access control agent on the one or more candidate hosts;

determine an optimal agent to be deployed from a list of available agents; and

deploy the optimal agent on the one or more candidate hosts.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a system comprises one or more processors coupled to a memory. The one or more processors when executing logic encoded in the memory provide a topology manager. The topology manager is configured to maintain a security topology of a plurality of hosts. The security topology associates one or more virtual hosts policies with a plurality of virtual hosts in a cloud computing deployment. The topology manager is also configured to request a query for one or more hosts that are candidates to be enforced. A portability manager is configured to receive a request to deploy an access control agent on the one or more candidate hosts, determine an optimal agent to be deployed from a list of available agents, and deploy the optimal agent on the one or more candidate hosts.

145 Citations

21 Claims

1. A system comprising one or more processors coupled to a memory, the one or more processors when executing logic encoded in the memory providing:
- a topology manager, configured to;
  
  maintain a security topology of a plurality of hosts, the security topology associating one or more virtual host policies with a plurality of virtual hosts in a cloud computing deployment; and
  
  request a query for one or more hosts that are candidates to be enforced (candidate hosts); and
  
  a portability manager, configured to;
  
  receive a request to deploy an access control agent on the one or more candidate hosts;
  
  determine an optimal agent to be deployed from a list of available agents; and
  
  deploy the optimal agent on the one or more candidate hosts.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the candidate host is provided by a specific vendor, the portability manager further configured to:
    - define a unique vendor package, the unique vendor package comprising instructions and configurations in compliance with the specific vendor; and
      
      package the unique vendor package with the optimal agent such that the optimal agent is configured to deploy on the specific vendor'"'"'s candidate host.
  - 3. The system of claim 1, further comprising:
    - a cloud access control manager, configured to;
      
      intercept cloud management calls from an administrator;
      
      determine whether cloud management calls are authorized; and
      
      prepare the cloud management calls for interaction with a specific vendor.
  - 4. The system of claim 1, further comprising:
    - an attributes extractor, configured to;
      
      extract non-functional characteristics of the cloud computing deployment.
  - 5. The system of claim 4, wherein the non-functional characteristics comprise a virtual host name, a virtual host identifier, and a list of virtual host configuration data.
  - 6. The system of claim 1, the topology manager further configured to maintain a security topology by:
    - requesting discovery of a list of virtual hosts deployed on the cloud computing deployment; and
      
      associating the list of virtual hosts with the one or more virtual host policies.
  - 7. The system of claim 6, the topology manager further configured to maintain a security topology by:
    - requesting discovery of an updated list of virtual hosts deployed on the cloud computing deployment;
      
      resolving discrepancies between the list of virtual hosts and the updated list of virtual hosts; and
      
      updating the security topology.

8. A method comprising:
- at a topology manager comprising logic encoded in one or more media for execution;
  
  maintaining a security topology of a plurality of hosts, the security topology associating one or more virtual host policies with a plurality of virtual hosts in a cloud computing deployment; and
  
  requesting a query for one or more hosts that are candidates to be enforced (candidate hosts); and
  
  at a portability manager comprising logic encoded in one or more media for execution;
  
  receiving a request to deploy an access control agent on the one or more candidate hosts;
  
  determining an optimal agent to be deployed from a list of available agents; and
  
  deploying the optimal agent on the one or more candidate hosts.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the candidate host is provided by a specific vendor, the method at the portability manager further comprising:
    - defining a unique vendor package, the unique vendor package comprising instructions and configurations in compliance with the specific vendor; and
      
      packaging the unique vendor package with the optimal agent such that the optimal agent is configured to deploy on the specific vendor'"'"'s candidate host.
  - 10. The method of claim 8, further comprising:
    - at a cloud access control manager comprising logic encoded in one or more media for execution;
      
      intercepting cloud management calls from an administrator;
      
      determining whether-cloud management calls are authorized; and
      
      preparing the cloud management calls for interaction with a specific vendor.
  - 11. The method of claim 8, further comprising:
    - at an attributes extractor comprising logic encoded in one or more media for execution;
      
      extract non-functional characteristics of the cloud computing deployment.
  - 12. The method of claim 11, wherein the non-functional characteristics comprise a virtual host name, a virtual host identifier, and a list of virtual host configuration data.
  - 13. The method of claim 8, the method at the topology manager further comprising:
    - requesting discovery of a list of virtual hosts deployed on the cloud computing deployment; and
      
      associating the list of virtual hosts with the one or more virtual host policies.
  - 14. The method of claim 13, the method at the topology manager further comprising:
    - requesting discovery of an updated list of virtual hosts deployed on the cloud computing deployment;
      
      resolving discrepancies between the list of virtual hosts and the updated list of virtual hosts; and
      
      updating the security topology.

15. Logic encoded in one or more computer-readable storage media for execution and when executed operable to provide:
- a topology manager, configured to;
  
  maintain a security topology of a plurality of hosts, the security topology associating one or more virtual host policies with a plurality of virtual hosts in a cloud computing deployment; and
  
  request a query for one or more hosts that are candidates to be enforced (candidate hosts); and
  
  a portability manager, configured to;
  
  receive a request to deploy an access control agent on the one or more candidate hosts;
  
  determine an optimal agent to be deployed from a list of available agents; and
  
  deploy the optimal agent on the one or more candidate hosts.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The logic of claim 15, wherein the candidate host is provided by a specific vendor, the portability manager further configured to:
    - define a unique vendor package, the unique vendor package comprising instructions and configurations in compliance with the specific vendor; and
      
      package the unique vendor package with the optimal agent such that the optimal agent is configured to deploy on the specific vendor'"'"'s candidate host.
  - 17. The logic of claim 15, further providing:
    - a cloud access control manager, configured to;
      
      intercept cloud management calls from an administrator;
      
      determine whether cloud management calls are authorized; and
      
      prepare the cloud management calls for interaction with a specific vendor.
  - 18. The logic of claim 15, further providing:
    - an attributes extractor, configured to;
      
      extract non-functional characteristics of the cloud computing deployment.
  - 19. The logic of claim 18, wherein the non-functional characteristics comprise a virtual host name, a virtual host identifier, and a list of virtual host configuration data.
  - 20. The logic of claim 15, the topology manager further configured to maintain a security topology by:
    - requesting discovery of a list of virtual hosts deployed on the cloud computing deployment; and
      
      associating the list of virtual hosts with the one or more virtual host policies.
  - 21. The logic of claim 20, the topology manager further configured to maintain a security topology by:
    - requesting discovery of an updated list of virtual hosts deployed on the cloud computing deployment;
      
      resolving discrepancies between the list of virtual hosts and the updated list of virtual hosts; and
      
      updating the security topology.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Vax, Nimrod, Jerbi, Amir, Kletskin, Michael, Hadar, Ethan

Application Number

US12/565,474
Publication Number

US 20110072487A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2209/505   Clust

G06F 9/5072   Grid computing

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System, Method, and Software for Providing Access Control Enforcement Capabilities in Cloud Computing Systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System, Method, and Software for Providing Access Control Enforcement Capabilities in Cloud Computing Systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links