Security systems and/or methods for cloud computing environments

US 20120116782A1
Filed: 11/10/2010
Published: 05/10/2012
Est. Priority Date: 11/10/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method in a cloud computing environment including at least first and second partners that share a distributed file system, wherein:

one or more Trading Partner Agreements (TPAs) are negotiated between two or more of the at least first and second partners, each said TPA specifying;

any resources allocated by the partners in the TPA,a transport protocol to be used by the partners in the TPA, anda security mechanism to be used by the partners in the TPA; and

wherein a security policy is formed from the TPAs.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Certain example embodiments described herein relate to security systems and/or methods for cloud computing environments. More particularly, certain example embodiments described herein relate to the negotiation and subsequent use of Trading Partner Agreements (TPAs) between partners in a Virtual Organization, the TPAs enabling resources to be shared between the partners in a secure manner. In certain example embodiments, TPAs are negotiated, an algorithm is executed to determine where an executable is to be run, the resource is transferred to the location where it is to be run, and it is executed—with the TPAs collectively defining a security policy that constrains how and where it can be executed, the resources it can use, etc. The executable may be transferred to a location in a multipart (e.g., SMIME) message, along with header information and rights associated with the executable.

49 Citations

View as Search Results

26 Claims

1. A computer-implemented method in a cloud computing environment including at least first and second partners that share a distributed file system, wherein:
- one or more Trading Partner Agreements (TPAs) are negotiated between two or more of the at least first and second partners, each said TPA specifying;
  
  any resources allocated by the partners in the TPA,a transport protocol to be used by the partners in the TPA, anda security mechanism to be used by the partners in the TPA; and
  
  wherein a security policy is formed from the TPAs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 22)
- - 2. The method of claim 1, wherein the security policy is accessible by each said partner.
  - 3. The method of claim 1, wherein each said TPA is negotiated and packaged according to an XML schema.
  - 4. The method of claim 1, wherein the TPAs are negotiated and the security policy is formed at design time.
  - 5. The method of claim 1, wherein the security mechanism specifies that a digital signature and/or encryption is/are to be used.
  - 6. The method of claim 1, wherein the security mechanism specifies permissions for any of the allocated resources.
  - 7. The method of claim 6, wherein the resource is a file or file system and the permissions for the file or file system include at least one of read, write, and execute action permissions.
  - 8. The method of claim 6, wherein the resource is a socket and the permissions for the socket include accept connect action permissions.
  - 9. The method of claim 1, further comprising:
    - running an algorithm to determine a target partner or target partner instance to which an executable from a source partner or source partner instance is to be distributed;
      
      transferring the executable to the target partner or target partner instance in accordance with a TPA negotiated between the target partner or target partner instance and the source partner or source partner instance; and
      
      invoking the executable on the target partner or target partner instance within constraints specified by the security policy.
  - 10. The method of claim 1, further comprising defining a multipart message, the multipart message including:
    - a header including sender and receiver information, anda payload container containing the executable to be transferred and rights associated with the executable to be transferred.
  - 11. The method of claim 10, further comprising packaging into a first message the header and payload container.
  - 12. The method of claim 11, wherein the first message is signed in accordance with the TPA negotiated between the target partner or target partner instance and the source partner or source partner instance, the signature and the first message being packaged together into the multipart message.
  - 13. The method of claim 12, further comprising encrypting at least a portion of the payload container in accordance with the TPA negotiated between the target partner or target partner instance and the source partner or source partner instance.
  - 14. The method of claim 13, wherein the multipart message is an SMIME message.
  - 22. The system of claim 13, wherein the multipart message is an SMIME message.

15. A cloud computing system, comprising:
- a plurality of partner servers and/or partner server instances;
  
  a distributed file system shared by the plurality of partner servers and/or partner server instances; and
  
  a software module comprising an algorithm that, when executed, determines a target partner server or target partner server instance to which an executable from a source partner server or source partner server instance is to be distributed, wherein;
  
  one or more Trading Partner Agreements (TPAs) are negotiated between two or more of the plurality of partner servers and/or partner server instances, each said TPA specifying;
  
  any resources allocated by the partner servers and/or partner server instances that are a party to the TPA,a transport protocol to be used by the partner servers and/or partner server instances that are a party to the TPA, anda security mechanism to be used by the partner servers and/or partner server instances that are a party to the TPA;
  
  wherein a security policy is formed from the TPAs;
  
  wherein the source partner server or source partner server instance includes a first processor configured to cause the executable to be transferred to the target partner server or target partner server instance in accordance with a TPA negotiated between the target partner server or target partner server instance and the source partner server or source partner server instance; and
  
  wherein the target partner instance or target partner instance includes a second processor configured to invoke the executable, once received, on the target partner instance or target partner instance, within constraints specified by the security policy.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein each said TPA is negotiated and packaged according to an XML schema.
  - 17. The system of claim 15, wherein the security mechanism specifies that a digital signature and/or encryption is/are to be used.
  - 18. The system of claim 15, wherein the security mechanism specifies permissions for any of the allocated resources.
  - 19. The system of claim 15, wherein the first processor is further configured to define a multipart message, the multipart message including:
    - a header including sender and receiver information, anda payload container containing the executable to be transferred and rights associated with the executable to be transferred.
  - 20. The system of claim 19, wherein the first processor is further configured to:
    - package into a first message the header and payload container, andsign the first message in accordance with the TPA negotiated between the target partner server or target partner server instance and the source partner server or source partner server instance, the signature and the first message being packaged together into the multipart message.
  - 21. The system of claim 19, further comprising encrypting at least a portion of the payload container in accordance with the TPA negotiated between the target partner server or target partner server instance and the source partner server or source partner server instance.

23. A computer-implemented method for sharing resources among and/or between partners in a virtual organization, the partners adhering to Trading Partner Agreements (TPAs) negotiated between at least two of said partners in the virtual organization, the method comprising:
- running an algorithm to determine a target partner server or target partner server instance to which an executable from a source partner server or source partner server instance is to be distributed;
  
  transferring the executable to the target partner server or target partner server instance in accordance with a TPA negotiated between the target partner server or target partner server instance and the source partner server or source partner server instance; and
  
  invoking the executable on the target partner server or target partner server instance within constraints specified by a security policy, the security policy including each said TPA,wherein the TPA specifies;
  
  any resources allocated by the partners in the TPA,a transport protocol to be used by the partners in the TPA, anda security mechanism to be used by the partners in the TPA.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23, wherein the constraints specified by the security policy help ensure that the executable was not altered during transmit among and/or between partner servers and/or partner server instances.
  - 25. The method of claim 23, wherein the constraints specified by the security policy help ensure that the executable was sent by the partner that claims to have sent it.
  - 26. The method of claim 23, wherein the constraints specified by the security policy help ensure that the executable can only use resources of or on the target partner server or target partner server instance as specified in the TPA negotiated between the target partner server or target partner server instance and the source partner server or source partner server instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Software AG
Original Assignee
Software AG
Inventors
Punnoose, Vinay, Devanandam, Kayiti, Joshi, Satish Kumar, Nampally, Aditya Babu

Granted Patent

US 8,656,453 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/1.1
CPC Class Codes

H04L 63/20 for managing network securi...

Security systems and/or methods for cloud computing environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Security systems and/or methods for cloud computing environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links