Control Pool Based Enterprise Policy Enabler for Controlled Cloud Access

US 20140053280A1
Filed: 12/31/2012
Published: 02/20/2014
Est. Priority Date: 08/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a Cloud, comprising:

receiving traffic from an Enterprise user at a gateway, wherein the traffic carries a first key specific to the Enterprise user for use internal to the gateway;

replacing the first key with a second key, wherein the second key is a Cloud-negotiated key generic to a plurality of Enterprise users which permits access to the Cloud; and

sending traffic to the Cloud.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling access to a Cloud, comprising receiving traffic from an Enterprise user at a gateway, wherein the traffic carries a first key specific to the Enterprise user for use internal to the gateway, replacing the first key with a second key, wherein the second key is a Cloud-negotiated key generic to a plurality of Enterprise users which permits access to the Cloud, and sending traffic to the Cloud

Citations

20 Claims

1. A method for controlling access to a Cloud, comprising:
- receiving traffic from an Enterprise user at a gateway, wherein the traffic carries a first key specific to the Enterprise user for use internal to the gateway;
  
  replacing the first key with a second key, wherein the second key is a Cloud-negotiated key generic to a plurality of Enterprise users which permits access to the Cloud; and
  
  sending traffic to the Cloud.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the gateway comprises a secure key store for storing keys specific to a plurality of Enterprise users and keys for interfacing with a plurality of the Clouds, and wherein the second key is one of the Cloud-negotiated keys maintained by the gateway for interfacing with a plurality of the Clouds, further comprising storing the first key in the secure key store.
  - 3. The method of claim 2, further comprising:
    - monitoring performance data from the plurality of Clouds, wherein the received performance data includes at least one of the following;
      
      load factor, response time, latency, time of day, cost, available bandwidth, public accessibility, network loss, gating speeds, and resource security; and
      
      selecting the Cloud from the plurality of Clouds based on the received performance data.
  - 4. The method of claim 1, wherein the traffic from the Enterprise user is intended for a first destination, wherein the Cloud comprises a second destination different from the first destination, and wherein changing the first destination to the second destination is opaque to the Enterprise user.
  - 5. The method of claim 1, further comprising applying a policy to the traffic prior to sending, wherein the policy is selected from a group consisting of:
    - encryption, compression, optimization, traffic steering, traffic distribution, de-identification, and re-identification.
  - 6. The method of claim 1, further comprising:
    - receiving traffic from the Cloud at a gateway, wherein the traffic carries the Cloud-negotiated key, and wherein the intended recipient of the traffic is the user;
      
      replacing the Cloud-negotiated key with the artificial key; and
      
      sending traffic to the user.
  - 7. The method of claim 1, further comprising:
    - evaluating the traffic content based on at least one metric selected from a group consisting of;
      
      size, confidentiality, protocol compliance, and threat potential; and
      
      applying a policy on the traffic based on the results of the evaluation prior to sending.
  - 8. The method of claim 1, further comprising:
    - evaluating the traffic based on information specific to the user, wherein the information specific to the user is selected from a group consisting of;
      
      user geographic location, user identity, user-group identity, user access type, user device type, and user-requested resource; and
      
      applying the policy on the traffic prior to sending.

9. A method for exchanging data between an Enterprise and a Cloud, comprising:
- receiving traffic from an Enterprise user at an Enterprise Policy Enabler;
  
  evaluating the traffic based on information specific to the user, information specific to the resource being accessed, or both;
  
  applying a policy on the traffic at the Enterprise Policy Enabler based on the results of the evaluation; and
  
  sending traffic to a destination Cloud.
- View Dependent Claims (10, 11, 12, 13, 20)
- - 10. The method of claim 9, wherein the information specific to the user is selected from a group consisting of:
    - user geographic location, user identity, user-group identity, user access type, user device type, and user-requested resource.
  - 11. The method of claim 9, wherein the information specific to the resource being accessed is selected from a group consisting of:
    - load factor, response time, latency, time of day, cost, available bandwidth, public accessibility, network loss, gating speeds, and resource security.
  - 12. The method of claim 9, wherein the policy is selected from a group consisting of:
    - encryption, compression, optimization, traffic steering, traffic distribution, de-identification, and re-identification.
  - 13. The method of claim 9, further comprising:
    - receiving traffic from the Cloud at the Enterprise Policy Enabler;
      
      applying a second policy on the traffic; and
      
      sending data to the Enterprise user.
  - 20. The apparatus of claim 9, wherein the first policy is selected from a group consisting of:
    - encryption, compression, optimization, traffic steering, traffic distribution, de-identification, and re-identification.

14. An apparatus comprising:
- a processor configured to;
  
  establish an integration layer, wherein the integration layer comprises;
  
  an Enterprise-facing control pool configured to;
  
  receive data ingress from an Enterprise user;
  
  apply a first policy to the data; and
  
  send data to at least one Cloud; and
  
  a Cloud-facing control pool configured to;
  
  receive data ingress from the at least one Cloud;
  
  apply a second policy to the data; and
  
  send data to the user; and
  
  wherein changes to the policy of one control pool do not affect the policy of the other control pool.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The apparatus of claim 14, wherein first policy comprises:
    - assigning a secure identification key to the user;
      
      recording the secure identification key and the user identity in a secure identity store;
      
      removing the user identity from the data;
      
      replacing the user identity in the data with the secure identification key information; and
      
      configuring the data for sending to the at least one Cloud.
  - 16. The apparatus of claim 14, wherein the integration layer is further configured to:
    - receive performance data from a plurality of Clouds, wherein the received performance data includes at least one of the following;
      
      load factor, response time, latency, time of day, cost, available bandwidth, public accessibility, network loss, gating speeds, and resource security; and
      
      select a data recipient Cloud from the plurality of Clouds based on the received performance data.
  - 17. The apparatus of claim 16, wherein the data ingress from the Enterprise user is intended for a first destination, wherein the data recipient Cloud comprises a second destination different from the first destination, wherein the data ingress from the at least one Cloud originates at the second destination, and wherein the Enterprise-facing control pool and the Cloud-facing control pool are further configured to render the distinction between the first destination and the second destination opaque to the Enterprise user.
  - 18. The apparatus of claim 14, wherein the Enterprise-facing control pool is further configured to evaluate the data based on information specific to the user, wherein the information specific to the user is selected from a group consisting of:
    - user geographic location, user identity, user-group identity, user access type, user device type, and user-requested resource.
  - 19. The apparatus of claim 14, wherein the first policy comprises:
    - evaluating the data content based on at least one metric selected from a group consisting of;
      
      size, confidentiality, protocol compliance, and threat potential; and
      
      applying a third policy on the data based on the results of the evaluation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Durazzo, Kenneth, Murthy, Shree

Granted Patent

US 9,167,050 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/28
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

H04L 67/306   User profiles

H04L 67/60   Scheduling or organising th...

Control Pool Based Enterprise Policy Enabler for Controlled Cloud Access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Control Pool Based Enterprise Policy Enabler for Controlled Cloud Access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links