MULTI-TENANCY GOVERNANCE IN A CLOUD COMPUTING ENVIRONMENT

US 20140173694A1
Filed: 12/17/2012
Published: 06/19/2014
Est. Priority Date: 12/17/2012
Status: Active Grant

First Claim

Patent Images

1. A cloud computing system comprising:

a plurality of cloud resident applications, wherein the plurality of cloud resident applications reside on one or more computer readable media and are executable by one or more computer processors, wherein each of a plurality of tenants, one or more tenants comprising multiple corresponding users, is permitted to access one or more of the plurality of cloud resident applications, and wherein one or more of the plurality of tenants and its corresponding users are associated with one or more business organizations;

an input governance layer associated with each application; and

an output governance layer associated with each application;

wherein the input governance layer and the output governance layer comprise an encapsulation of a cloud resident application, and the input governance layer and output governance layer associated with a computer processor are operable to;

receive a request from a tenant-user to access a first application on the cloud computing system;

check a governance database to determine if the tenant-user is authorized to access the first application;

when the tenant-user is authorized to access the first application, process the request using the first application, and when the request and the first application generate an output to transmit to a second application in the cloud computing system, check the governance database to determine if the tenant-user is authorized to transmit the output to the second application;

when the tenant-user is not authorized to access the first application, prevent the request from accessing the first application, and transmit an indication of the tenant-user and the request to a cloud system security administrator; and

when the tenant-user is not authorized to transmit the output to the second application, transmit an indication of the tenant-user and the output to the cloud system security administrator.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud computing system includes a plurality of tenants that are permitted to access cloud hosted applications. The system includes an input governance layer associated with each application, and an output governance layer associated with each application. The input governance layer and the output governance layer include an encapsulation of a cloud hosted application. The governance layers receive a request from a tenant-user to access a first application on the cloud computing system, check a governance database to determine if the tenant-user is authorized to access the first application, and allows or denies access accordingly.

103 Citations

View as Search Results

20 Claims

1. A cloud computing system comprising:
- a plurality of cloud resident applications, wherein the plurality of cloud resident applications reside on one or more computer readable media and are executable by one or more computer processors, wherein each of a plurality of tenants, one or more tenants comprising multiple corresponding users, is permitted to access one or more of the plurality of cloud resident applications, and wherein one or more of the plurality of tenants and its corresponding users are associated with one or more business organizations;
  
  an input governance layer associated with each application; and
  
  an output governance layer associated with each application;
  
  wherein the input governance layer and the output governance layer comprise an encapsulation of a cloud resident application, and the input governance layer and output governance layer associated with a computer processor are operable to;
  
  receive a request from a tenant-user to access a first application on the cloud computing system;
  
  check a governance database to determine if the tenant-user is authorized to access the first application;
  
  when the tenant-user is authorized to access the first application, process the request using the first application, and when the request and the first application generate an output to transmit to a second application in the cloud computing system, check the governance database to determine if the tenant-user is authorized to transmit the output to the second application;
  
  when the tenant-user is not authorized to access the first application, prevent the request from accessing the first application, and transmit an indication of the tenant-user and the request to a cloud system security administrator; and
  
  when the tenant-user is not authorized to transmit the output to the second application, transmit an indication of the tenant-user and the output to the cloud system security administrator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The cloud computing system of claim 1, wherein the input governance layer and the output governance layer comprise an embedded layer within the first application that functions to encapsulate the application.
  - 3. The cloud computing system of claim 2, wherein the first application is developed by a first party and the input and governance layers are developed and maintained by a second party.
  - 4. The cloud computing system of claim 1, wherein the first application and the second application comprise components of a cloud system offering.
  - 5. The cloud computing system of claim 1, wherein the one or more computer processors are operable to receive input from the cloud system security administrator regarding the processing of the request.
  - 6. The cloud computing system of claim 5, wherein the one or more computer processors are operable to process the input received from the cloud system security administrator such that the request is permitted to be processed by the first application or the output is permitted to be transmitted to the second application.
  - 7. The cloud computing system of claim 1, wherein the cloud system security administrator analyzes the request or the output to determine if a security breach has occurred in the cloud computing system.
  - 8. The cloud computing system of claim 1, wherein the cloud system security administrator is independent of a cloud system operator.
  - 9. The cloud computing system of claim 8, wherein the cloud computing system security administrator is authorized to add to the governance database tenants, corresponding users of tenants, and associations of tenants and users to the plurality of applications, and the cloud system operator is not authorized to add to the governance database tenants, corresponding users of tenants, or associations of tenants and users to the plurality of applications.within a tenancy scope or associations of tenancy(subtenants) with the plurality of applications to the governance database.
  - 10. The cloud computing system of claim 1, wherein the cloud system security administrator is authorized to limit security access based only on tenancy.
  - 11. The cloud computing system of claim 1, wherein an application security administrator is authorized to limit security based on application property boundaries.
  - 12. The cloud computing system of claim 11,wherein the cloud system security administrator has access to tenancy restrictions;
    - andwherein the application security administrator is blocked from tenancy governance boundaries thereby blocking the application security administrator from access to the tenancy restrictions.
  - 13. The cloud computing system of claim 1,wherein the cloud resident applications comprise application-specific security layers;
    - andwherein the input governance layer and the output governance layer are configured in parallel to the application-specific security layers.

14. A process comprising:
- receiving a request from a tenant-user on a cloud computing system to access a first application on the cloud computing system;
  
  checking a governance database to determine if the tenant-user is authorized to access the first application;
  
  when the tenant-user is authorized to access the first application, processing the request using the first application, and when the request and the first application generate an output to transmit to a second application in the cloud computing system, checking the governance database to determine if the tenant-user is authorized to transmit the output to the second application;
  
  when the tenant-user is not authorized to access the first application, preventing the request from accessing the first application, and transmitting an indication of the tenant-user and the request to a cloud system security administrator; and
  
  when the tenant-user is not authorized to transmit the output to the second application, transmitting an indication of the tenant-user and the output to the cloud system security administrator.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The process of claim 14,wherein the cloud computing system comprises:
    - a plurality of cloud resident applications, wherein the plurality of cloud resident applications reside on one or more computer readable media and are executable by one or more computer processors, wherein each of a plurality of tenants, one or more tenants comprising multiple corresponding users, is permitted to access one or more of the plurality of cloud resident applications, and wherein one or more of the plurality of tenants and its corresponding users are associated with one or more business organizations;
      
      an input governance layer associated with each application; and
      
      an output governance layer associated with each application;
      
      wherein the input governance layer and the output governance layer comprise an encapsulation of a cloud resident application.
  - 16. The process of claim 14, comprising:
    - receiving input from the cloud system security administrator regarding the processing of the request; and
      
      processing the input received from the cloud system security administrator such that the request is permitted to be processed by the first application or the output is permitted to be transmitted to the second application.
  - 17. The process of claim 14, wherein the cloud system security administrator analyzes the request or the output to determine if a security breach has occurred in the cloud computing system.
  - 18. The process of claim 14,wherein the cloud system security administrator is independent of a cloud system operator;
    - wherein the cloud computing system security administrator is authorized to add to the governance database tenants, corresponding users of tenants, and associations of tenants and users to the plurality of applications; and
      
      wherein the cloud system operator is not authorized to add to the governance database tenants, corresponding users of tenants, or associations of tenants and users to the plurality of applications.
  - 19. The process of claim 14,wherein the cloud system security administrator is authorized to limit security access based only on tenancy;
    - wherein an application security administrator is authorized to limit security based on application property boundaries;
      
      wherein the cloud system security administrator has access to tenancy restrictions;
      
      wherein the application security administrator is blocked from tenancy governance boundaries thereby blocking the application security administrator from access to the tenancy restrictions;
      
      wherein the cloud resident applications comprise application-specific security layers; and
      
      wherein the input governance layer and the output governance layer are configured in parallel to the application-specific security layers.

20. A computer readable storage device comprising instructions that when executed by a processor execute a process comprising:
- receiving a request from a tenant-user on a cloud computing system to access a first application on the cloud computing system;
  
  checking a governance database to determine if the tenant-user is authorized to access the first application;
  
  when the tenant-user is authorized to access the first application, processing the request using the first application, and when the request and the first application generate an output to transmit to a second application in the cloud computing system, checking the governance database to determine if the tenant-user is authorized to transmit the output to the second application;
  
  when the tenant-user is not authorized to access the first application, preventing the request from accessing the first application, and transmitting an indication of the tenant-user and the request to a cloud system security administrator; and
  
  when the tenant-user is not authorized to transmit the output to the second application, transmitting an indication of the tenant-user and the output to the cloud system security administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Kranz, Kenneth James

Granted Patent

US 9,323,939 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/606   by securing the transmissio...

G06F 21/6281   at program execution time, ...

G06F 21/629   to features or functions of...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

MULTI-TENANCY GOVERNANCE IN A CLOUD COMPUTING ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-TENANCY GOVERNANCE IN A CLOUD COMPUTING ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links