IDENTITY AND POLICY ENFORCED INTER-CLOUD AND INTRA-CLOUD CHANNEL

US 20110119729A1
Filed: 03/18/2010
Published: 05/19/2011
Est. Priority Date: 11/19/2009
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:

configuring a first process within a first cloud computing environment to manage select messages occurring within a communication channel within the first cloud computing environment;

instantiating the first cloud computing environment with the first process executing therein; and

enforcing, by the first process, selective policy restrictions based on the select messages that enter and exit the communication channel.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for identity and policy enforced cloud communications are presented. Cloud channel managers monitor messages occurring within a cloud or between independent clouds. Policy actions are enforced when processing the messages. The policy actions can include identity-based restrictions and the policy actions are specific to the messages and/or clouds within which the messages are being processed.

50 Citations

View as Search Results

20 Claims

1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:
- configuring a first process within a first cloud computing environment to manage select messages occurring within a communication channel within the first cloud computing environment;
  
  instantiating the first cloud computing environment with the first process executing therein; and
  
  enforcing, by the first process, selective policy restrictions based on the select messages that enter and exit the communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - configuring a second process within a second cloud computing environment to manage other select messages occurring within a second communication channel within the second cloud computing environment;
      
      instantiating the second cloud computing environment with the second process executing therein; and
      
      the second process enforces other selective policy restrictions based on the other select messages that enter and exit the second communication channel.
  - 3. The method of claim 2 further comprising, sending by the first process a particular message that exits the communication channel and is directed to the second communication channel, the particular message intercepted and handled by the second process.
  - 4. The method of claim 3, wherein sending further includes sending the particular message to the second cloud computing environment where the first and second cloud computing environments are independent and separate cloud computing environments.
  - 5. The method of claim 3, wherein sending further includes sending the particular message to the second cloud computing environment where the first and second cloud computing environments are different sub environments of a global cloud environment that includes both the first and second cloud computing environments.
  - 6. The method of claim 1 further comprising, sending by the first process a particular message that exits the communication channel and is directed to a second communication channel, the particular message intercepted and handled by a second process that monitors the second communication channel within the first cloud computing environment.
  - 7. The method of claim 1, wherein enforcing further includes consulting an identity service and/or policy service in response to enforcing one or more of the policy restrictions, the identity service authenticating one or more of the following:
    - identities of senders of the selective messages, identifies of receivers of the selective messages, identities for the selective messages, identities for other cloud environments that the selective messages originate from or are being directed to, and an identity for the first process, and the policy service applying a correct policy specification to the selective messages for enforcement of the selective policy restrictions.
  - 8. The method of claim 1, wherein enforcing further includes one of:
    - consulting an identity service to acquire the one or more policy restrictions, the identity service acting as a Policy Decision Point (PDP) service for acquiring policy specifications and the one or more policy restrictions and the first process acts as a Policy Enforcement Point (PEP) for enforcing the one or more policy restrictions; and
      
      consulting a PDP to acquire policy specifications for the one or more policy restrictions and the first process acting as the PEP for enforcing the one or more policy restrictions.
  - 9. The method of claim 1, wherein enforcing further includes logging the selective messages, the policy restrictions, and identities associated with senders and receivers of the selective messages in response to enforcing some of the policy restrictions.

10. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:
- detecting within a first cloud computing environment an event that identifies a message to manage on behalf of the first cloud computing environment;
  
  acquiring a policy in response to an identity assigned to the message; and
  
  processing actions defined in the policy.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein detecting further includes monitoring a configured event type that the event is assigned to within the first cloud computing environment, the monitoring of the configured event type defining a communication channel for the first cloud computing environment.
  - 12. The method of claim 10, wherein detecting further includes determining that the event originated from second independent and disparate cloud computing environment.
  - 13. The method of claim 10, wherein detecting further includes determining that event originated from with the first cloud computing environment and associated with a different communication channel within the first cloud computing environment.
  - 14. The method of claim 10, wherein acquiring further includes one or more of:
    - authenticating the message;
      
      authenticating the policy;
      
      consulting an identity service to acquire the policy; and
      
      logging the message and the policy along with other metadata collected from the message.
  - 15. The method of claim 10, wherein processing further includes one or more of:
    - guaranteeing a sender of the message of message delivery to a receiver;
      
      backing up and/or mirroring the message to a second cloud computing environment that is independent and disparate from the first cloud computing environment; and
      
      performing message sequencing for the message within the first cloud computing environment when the message is one of many messages associated with a transaction processing through the first cloud computing environment.
  - 16. The method of claim 10, wherein processing further includes detecting in response to a particular action that the message originated from a message service within the first cloud computing environment and is to be sent to a second disparate and independent cloud computing environment, the message service is incompatible with and unaware of the second disparate and independent cloud computing environment and believes the message is being processed by another message service that the message service believes to be within the first cloud computing environment.

17. A multi-processor implemented system, comprising:
- a first processor configured to execute a cloud configurator; and
  
  a plurality of second processors, each second processor configured to execute one or more cloud channel managers;
  
  the cloud configurator configured to instantiate cloud computing environments, each cloud computing environment processing on one or more the second processors, and each cloud computing environment having one or more of the cloud channel managers, each cloud channel manager configured to handle inbound and outbound messages occurring over a particular communication channel and within that cloud channel manager'"'"'s cloud computing environment and enforcing policy and identity restrictions for each of the inbound and outbound messages processed.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the cloud configurator is configured to instantiate each cloud computing environment in response to global configuration restrictions global to all the cloud computing environments and in response to local configuration restrictions specific to each particular cloud computing environment.
  - 19. The system of claim 17, wherein the cloud configurator is configured to instantiate each cloud computing environment with its own independent identity service that performs authentication services within that cloud computing environment, and/or the cloud configuration is also configured to instantiate each cloud computing environment with its own independent Policy Decision Point (PDP) for determination of the policy restrictions.
  - 20. The system of claim 19, wherein each cloud channel manager is configured to monitor, log, and audit the inbound and outbound messages occurring within that cloud channel manager'"'"'s communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Bergeson, Bruce L., Holm, Vernon Roger, McClain, Carolyn B., Carter, Stephen R.

Granted Patent

US 8,806,566 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 9/5061   Partitioning or combining o...

H04L 41/0893   Assignment of logical group...

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 67/30   Profiles

H04L 67/60   Scheduling or organising th...

IDENTITY AND POLICY ENFORCED INTER-CLOUD AND INTRA-CLOUD CHANNEL

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

IDENTITY AND POLICY ENFORCED INTER-CLOUD AND INTRA-CLOUD CHANNEL

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others