PARTIAL AND RISK-BASED DATA FLOW CONTROL IN CLOUD ENVIRONMENTS

US 20140068696A1
Filed: 08/30/2012
Published: 03/06/2014
Est. Priority Date: 08/30/2012
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for risk-based data flow control in a cloud environment, the method being executed using one or more processors and comprising:

intercepting first data transmitted from a first application to a second application before receipt of the first data at the second application, the first application and the second application being hosted within the cloud environment;

processing the first data to provide a first risk factor, the first risk factor reflecting a degree of risk if the first data is received by the second application;

generating first sanitized data based on the first data, the first risk factor and a first access control policy associated with the first data; and

transmitting the first sanitized data to the second application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for risk-based data flow control in a cloud environment. Implementations include actions of intercepting first data transmitted from a first application to a second application before receipt of the first data at the second application, the first application and the second application being hosted within the cloud environment, processing the first data to provide a first risk factor, the first risk factor reflecting a degree of risk if the first data is received by the second application, generating first sanitized data based on the first data, the first risk factor and a first access control policy associated with the first data and transmitting the first sanitized data to the second application.

Citations

16 Claims

1. A computer-implemented method for risk-based data flow control in a cloud environment, the method being executed using one or more processors and comprising:
- intercepting first data transmitted from a first application to a second application before receipt of the first data at the second application, the first application and the second application being hosted within the cloud environment;
  
  processing the first data to provide a first risk factor, the first risk factor reflecting a degree of risk if the first data is received by the second application;
  
  generating first sanitized data based on the first data, the first risk factor and a first access control policy associated with the first data; and
  
  transmitting the first sanitized data to the second application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the first sanitized data comprises less data than the first data.
  - 3. The method of claim 1, wherein the first sanitized data comprises different data values than the first data.
  - 4. The method of claim 1, wherein the first access control policy provides that access to the first data is to be denied.
  - 5. The method of claim 4, wherein generating first sanitized data based on the first data, the first risk factor and a first access control policy associated with the first data comprises:
    - determining that access of the second application to the first data is denied based on the first access control policy;
      
      selecting a risk threshold based on determining that access of the second application to the first data is denied; and
      
      determining that the first risk factor exceeds the risk threshold and, in response, generating the first sanitized data.
  - 6. The method of claim 1, wherein the first risk factor is determined based on one or more non-intended usages of at least a portion of the first data and one or more probabilities, each probability being associated with a respective non-intended usage.
  - 7. The method of claim 1, further comprising deploying the first application to the cloud environment by:
    - expressing intended use of one or more declassification techniques,providing registration requirements for the cloud environment,registering a data flow control service at the cloud environment,registering an application data schema of the first application and one or more general domain risks at the cloud environment, anddeploying the first application.
  - 8. The method of claim 1, further comprising:
    - intercepting second data transmitted from the first application to the second application before receipt of the second data at the second application;
      
      processing the second data to provide a second risk factor, the second risk factor reflecting a degree of risk if the second data is received by the second application; and
      
      blocking transmission of the second data to the second application.
  - 9. The method of claim 8, wherein blocking transmission of the second data to the second application occurs in response to determining that the second risk factor exceeds a risk threshold.
  - 10. The method of claim 9, further comprising determining that a second access control policy associated with the second data provides that access to the second data is to be granted and, in response, providing a value of the risk threshold.
  - 11. The method of claim 1, further comprising:
    - intercepting second data transmitted from the first application to the second application before receipt of the second data at the second application;
      
      processing the second data to provide a second risk factor, the second risk factor reflecting a degree of risk if the second data is received by the second application; and
      
      transmitting the second data to the second application.
  - 12. The method of claim 11, wherein transmitting the second data to the second application occurs in response to determining that the second risk factor is less than a risk threshold.
  - 13. The method of claim 12, further comprising determining that a second access control policy associated with the second data provides that access to the second data is to be granted and, in response, providing a value of the risk threshold.
  - 14. The method of claim 1, wherein the risk comprises a risk of an unwanted event occurring as a consequence of providing the first data to the second application.

15. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for risk-based data flow control in a cloud environment, the operations comprising:
- intercepting first data transmitted from a first application to a second application before receipt of the first data at the second application, the first application and the second application being hosted within the cloud environment;
  
  processing the first data to provide a first risk factor, the first risk factor reflecting a degree of risk if the first data is received by the second application;
  
  generating first sanitized data based on the first data, the first risk factor and a first access control policy associated with the first data; and
  
  transmitting the first sanitized data to the second application.

16. A system, comprising:
- a computing device; and
  
  a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations for risk-based data flow control in a cloud environment, the operations comprising;
  
  intercepting first data transmitted from a first application to a second application before receipt of the first data at the second application, the first application and the second application being hosted within the cloud environment;
  
  processing the first data to provide a first risk factor, the first risk factor reflecting a degree of risk if the first data is received by the second application;
  
  generating first sanitized data based on the first data, the first risk factor and a first access control policy associated with the first data; and
  
  transmitting the first sanitized data to the second application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Schaad, Andreas

Application Number

US13/598,916
Publication Number

US 20140068696A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 9/54 Interprogram communication

H04L 63/10 for controlling access to d...

PARTIAL AND RISK-BASED DATA FLOW CONTROL IN CLOUD ENVIRONMENTS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

PARTIAL AND RISK-BASED DATA FLOW CONTROL IN CLOUD ENVIRONMENTS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links