SYSTEM AND METHOD FOR A FACET SECURITY FRAMEWORK

US 20150101034A1
Filed: 10/03/2013
Published: 04/09/2015
Est. Priority Date: 10/03/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting an action request from an entity for an action to be performed with respect to a resource in a cloud environment, wherein the action request comprises a resource facet that controls access to the resource;

determining whether the resource facet is valid for the action by evaluating a policy associated with the resource; and

allowing the action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method is provided and includes intercepting an action request from an entity for an action to be performed with respect to a resource in a cloud environment, where the action request comprises a resource facet that controls access to the resource. The method also includes determining whether the resource facet is valid for the action by evaluating a policy associated with the resource; and allowing the action.

5 Citations

View as Search Results

20 Claims

1. A method, comprising:
- intercepting an action request from an entity for an action to be performed with respect to a resource in a cloud environment, wherein the action request comprises a resource facet that controls access to the resource;
  
  determining whether the resource facet is valid for the action by evaluating a policy associated with the resource; and
  
  allowing the action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - intercepting a facet request from the entity for an initial facet, wherein the facet request has an authentication token;
      
      determining whether the authentication token is valid; and
      
      issuing the initial facet to the entity.
  - 3. The method of claim 1, further comprising:
    - intercepting a resource facet request from the entity for the resource facet associated with the resource, wherein the resource facet request is associated with an initial facet;
      
      determining whether the initial facet is valid by evaluating policies associated with the initial facet; and
      
      issuing the resource facet to the entity.
  - 4. The method of claim 1, wherein the policy has a plurality of addresses and attributes.
  - 5. The method of claim 4, wherein determining whether the resource facet is valid for the resource by evaluating a policy associated with the resource comprises:
    - comparing an address and attributes of the initial facet to the plurality of addresses and attributes of the policy.
  - 6. The method of claim 2, wherein determining whether the authentication token is valid comprises:
    - retrieving identity information about the entity from an identity provider used by the entity.
  - 7. The method of claim 3, wherein determining whether the initial facet is valid by evaluating the policies associated with the initial facet comprises:
    - determining whether the initial facet is permitted to access the resource.
  - 8. The method of claim 1, further comprising:
    - determining that a particular facet is not present; and
      
      redirecting the entity to an identity provider in order to exchange one or credentials.

9. An apparatus comprising at least one processor and at least one memory, the at least one memory including computer program instructions that, when executed by the at least one processor, cause the apparatus to:
- intercept an action request from an entity for an action to be performed with respect to a resource in a cloud environment, wherein the action request comprises a resource facet that controls access to the resource;
  
  determine whether the resource facet is valid for the action by evaluating a policy associated with the resource; and
  
  allow the action.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein the memory further includes computer program instructions that, when executed by the at least one processor, cause the apparatus to:
    - intercept a facet request from the entity for an initial facet, wherein the facet request has an authentication token;
      
      determine whether the authentication token is valid; and
      
      issue the initial facet to the entity.
  - 11. The apparatus of claim 9, wherein the memory further includes computer program instructions that, when executed by the at least one processor, cause the apparatus to:
    - intercept a resource facet request from the entity for the resource facet associated with the resource, wherein the resource facet request is associated with an initial facet;
      
      determine whether the initial facet is valid by evaluating policies associated with the initial facet; and
      
      issue the resource facet to the entity.
  - 12. The apparatus of claim 9, wherein the policy has a plurality of addresses and attributes.
  - 13. The apparatus of claim 12, wherein determining whether the resource facet is valid for the resource by evaluating a policy associated with the resource includes computer program instructions that, when executed by the at least one processor, cause the apparatus to:
    - compare an address and attributes of the initial facet to the plurality of addresses and attributes of the policy.
  - 14. The apparatus of claim 10, wherein determining whether the authentication token is valid includes computer program instructions that, when executed by the at least one processor, cause the apparatus to:
    - retrieve identity information about the entity from an identity provider used by the entity.
  - 15. The apparatus of claim 11, wherein determining whether the initial facet is valid by evaluating the policies associated with the initial facet includes computer program instructions that, when executed by the at least one processor, cause the apparatus to:
    - determine whether the initial facet is permitted to access the resource.

16. A non-transitory computer readable media comprising instructions that, when executed by a processor, cause an apparatus to:
- intercept an action request from an entity for an action to be performed with respect to a resource in a cloud environment, wherein the action request comprises a resource facet that controls access to the resource;
  
  determine whether the resource facet is valid for the action by evaluating a policy associated with the resource; and
  
  allow the action.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The media of claim 16, wherein the instructions further cause the apparatus to:
    - intercept a facet request from the entity for an initial facet, wherein the facet request has an authentication token;
      
      determine whether the authentication token is valid; and
      
      issue the initial facet to the entity.
  - 18. The media of claim 16, wherein the instructions further cause the apparatus to:
    - intercept a resource facet request from the entity for the resource facet associated with the resource, wherein the resource facet request is associated with an initial facet;
      
      determine whether the initial facet is valid by evaluating policies associated with the initial facet; and
      
      issue the resource facet to the entity.
  - 19. The media of claim 16, wherein the policy has a plurality of addresses and attributes.
  - 20. The media of claim 19, wherein determining whether the resource facet is valid for the resource by evaluating a policy associated with the resource comprises the instructions further cause the apparatus to:
    - compare an address and attributes of the initial facet to the plurality of addresses and attributes of the policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sarkar, Dipankar, Danilov, Oleg, Batra, Alok, Morrell, John M.

Granted Patent

US 9,225,682 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 63/00   Network architectures or ne...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

SYSTEM AND METHOD FOR A FACET SECURITY FRAMEWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

5 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR A FACET SECURITY FRAMEWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links