Authentication and authorization methods for cloud computing security platform

US 20130007845A1
Filed: 06/30/2011
Published: 01/03/2013
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method for authentication and authorization in an environment wherein computing resources are hosted in a shared pool of configurable computing resources, comprising:

receiving a request from a first entity for access to the shared pool of configurable computing resources managed by a second entity;

upon execution of an agreement among the first entity, the second entity and a third entity that is distinct from the first entity and the second entity, assigning the first entity a resource group;

registering a plug-in security module associated with the first entity in a plug-in service operated by the second entity in association with the shared pool of configurable computing resources; and

restricting access to the resource group except via the plug-in security module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication and authorization plug-in model for a cloud computing environment enables cloud customers to retain control over their enterprise information when their applications are deployed in the cloud. The cloud service provider provides a pluggable interface for customer security modules. When a customer deploys an application, the cloud environment administrator allocates a resource group (e.g., processors, storage, and memory) for the customer'"'"'s application and data. The customer registers its own authentication and authorization security module with the cloud security service, and that security module is then used to control what persons or entities can access information associated with the deployed application. The cloud environment administrator, however, typically is not registered (as a permitted user) within the customer'"'"'s security module; thus, the cloud environment administrator is not able to access (or release to others, or to the cloud'"'"'s general resource pool) the resources assigned to the cloud customer (even though the administrator itself assigned those resources) or the associated business information. To further balance the rights of the various parties, a third party notary service protects the privacy and the access right of the customer when its application and information are deployed in the cloud.

Citations

26 Claims

1. A method for authentication and authorization in an environment wherein computing resources are hosted in a shared pool of configurable computing resources, comprising:
- receiving a request from a first entity for access to the shared pool of configurable computing resources managed by a second entity;
  
  upon execution of an agreement among the first entity, the second entity and a third entity that is distinct from the first entity and the second entity, assigning the first entity a resource group;
  
  registering a plug-in security module associated with the first entity in a plug-in service operated by the second entity in association with the shared pool of configurable computing resources; and
  
  restricting access to the resource group except via the plug-in security module.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 further including receiving and storing in the resource group information associated with permitted users of the first entity.
  - 3. The method as described in claim 2 further including returning the resource group to the shared pool upon occurrence of an event.
  - 4. The method as described in claim 3 wherein the step of returning the resource group comprises:
    - upon occurrence of the event, issuing a request to the third party, the request seeking permission to disassociate the first entity from the resource group; and
      
      receiving a response from the third party, the response indicating that the second entity has permission to disassociate the first entity from the resource group.
  - 5. The method as described in claim 4 further including deleting the information associated with permitted users of the first entity prior to returning the resource group to the shared pool.
  - 6. The method as described in claim 3 wherein the step of returning the resource group comprises:
    - receiving an indication that a permission associated with the resource group has been removed by the first entity; and
      
      deleting the information associated with a permitted user of the first entity prior to returning the resource group to the shared pool.
  - 7. The method as described in claim 1 wherein the agreement is secured cryptographically so that it cannot be repudiated by either the first entity or the second entity.

8. Apparatus for authentication and authorization in an environment wherein computing resources are hosted in a shared pool of configurable computing resources, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method comprising;
  
  receiving a request from a first entity for access to the shared pool of configurable computing resources managed by a second entity;
  
  upon execution of an agreement among the first entity, the second entity and a third entity that is distinct from the first entity and the second entity, assigning the first entity a resource group;
  
  registering a plug-in security module associated with the first entity in a plug-in service operated by the second entity in association with the shared pool of configurable computing resources; and
  
  restricting access to the resource group except via the plug-in security module.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the method further includes receiving and storing in the resource group information associated with permitted users of the first entity.
  - 10. The apparatus as described in claim 8 wherein the method further includes returning the resource group to the shared pool upon occurrence of an event.
  - 11. The apparatus as described in claim 10 wherein the step of returning the resource group comprises:
    - upon occurrence of the event, issuing a request to the third party, the request seeking permission to disassociate the first entity from the resource group; and
      
      receiving a response from the third party, the response indicating that the second entity has permission to disassociate the first entity from the resource group.
  - 12. The apparatus as described in claim 11 wherein the method further includes deleting the information associated with permitted users of the first entity prior to returning the resource group to the shared pool.
  - 13. The apparatus as described in claim 10 wherein the step of returning the resource group comprises:
    - receiving an indication that a permission associated with the resource group has been removed by the first entity; and
      
      deleting the information associated with a permitted user of the first entity prior to returning the resource group to the shared pool.
  - 14. The apparatus as described in claim 8 wherein the agreement is secured cryptographically so that it cannot be repudiated by either the first entity or the second entity.

15. A computer program product in a computer readable medium for use in a data processing system for authentication and authorization in an environment wherein computing resources are hosted in a shared pool of configurable computing resources, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising:
- receiving a request from a first entity for access to the shared pool of configurable computing resources managed by a second entity;
  
  upon execution of an agreement among the first entity, the second entity and a third entity that is distinct from the first entity and the second entity, assigning the first entity a resource group;
  
  registering a plug-in security module associated with the first entity in a plug-in service operated by the second entity in association with the shared pool of configurable computing resources; and
  
  restricting access to the resource group except via the plug-in security module.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15 wherein the method further includes receiving and storing in the resource group information associated with permitted users of the first entity.
  - 17. The computer program product as described in claim 16 wherein the method further includes returning the resource group to the shared pool upon occurrence of an event.
  - 18. The computer program product as described in claim 17 wherein the step of returning the resource group comprises:
    - upon occurrence of the event, issuing a request to the third party, the request seeking permission to disassociate the first entity from the resource group; and
      
      receiving a response from the third party, the response indicating that the second entity has permission to disassociate the first entity from the resource group.
  - 19. The computer program product as described in claim 18 wherein the method further includes deleting the information associated with permitted users of the first entity prior to returning the resource group to the shared pool.
  - 20. The computer program product as described in claim 17 wherein the step of returning the resource group comprises:
    - receiving an indication that a permission associated with the resource group has been removed by the first entity; and
      
      deleting the information associated with a permitted user of the first entity prior to returning the resource group to the shared pool.
  - 21. The computer program product as described in claim 15 wherein the agreement is secured cryptographically so that it cannot be repudiated by either the first entity or the second entity.

22. Apparatus operated in a shared pool of configurable computing resources, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor (i) to provide an application programming interface (API) that receives, as plug-ins, first and second security modules, the first security module being associated with a first client of the shared pool of configurable computing resources, the second security module being associated with a second client of the shared pool of configurable computing resources, and (ii) to allocate to each of the first and second clients, first and second resource groups, wherein access to the first resource group is restricted except as permitted by the first security module, wherein access to the second resource group is restricted except as permitted by the second security module.

23. The apparatus as described in claim 23 wherein the computer program instructions are executed by the processor (iii) to return a resource group to the shared pool upon a given occurrence.
- View Dependent Claims (24, 25)
- - 24. The apparatus as described in claim 23 wherein the given occurrence is receipt of an indication from a third party notary that vouches for the return of the resource group.
  - 25. The apparatus as described in claim 24 wherein the computer program instructions are executed by the processor (iv) to delete any client-specific information from the resource group prior to returning the resource group to the shared pool.

26. Apparatus associated with a shared pool of configurable computing resources, the shared pool operated by a service provider and including a resource group that has been allocated for use to a tenant according to an agreement among the service provider, the tenant and a third party that manages the apparatus, wherein as a result of the agreement a plug-in security module is associated with the tenant and used to restrict access to the resource group except via the plug-in security module, the apparatus comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to enforce the agreement by (i) receiving a request from the service provider to disassociate the tenant from the resource group upon a given event, and (ii) issuing a response to the service provider indicating that the service provider has permission to disassociate the tenant from the resource group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chang, David Yu, Benantar, Messaoud, Chang, John Yow-Chun, Venkataramappa, Vishwanath

Granted Patent

US 8,769,622 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 21/78   to assure secure storage of...

G06F 2221/2115   Third party

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/104   Grouping of entities

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/34   involving the movement of s...

Authentication and authorization methods for cloud computing security platform

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication and authorization methods for cloud computing security platform

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links