SECURED ACCESS CONTROL TO CLOUD-BASED APPLICATIONS

US 20160344736A1
Filed: 03/28/2016
Published: 11/24/2016
Est. Priority Date: 05/19/2015
Status: Active Grant

First Claim

Patent Images

1. A method for securing an access to a cloud-based application, comprising:

receiving an authentication token, wherein the authentication token includes an identity of a user of a client device requesting an access to the cloud-based application;

receiving, from an agent executed in the client device, a client certificate;

retrieving, from a compliance server, a device posture of the client device, wherein the device posture is retrieved respective of the received client certificate;

identifying an access policy for the client device to access the cloud-based application, wherein the access policy is identified based at least on the retrieved device posture; and

determining whether to grant an access to the cloud-based application based in part on the compliance of the client device with the identified access policy.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and proxy device for securing an access to a cloud-based application are presented. The method includes receiving an authentication token, wherein the authentication token includes an identity of a user of a client device requesting an access to the cloud-based application; receiving, from an agent executed in the client device, a client certificate; retrieving, from a compliance server, a device posture of the client device, wherein the device posture is retrieved respective of the received client certificate; identifying an access policy for the client device to access the cloud-based application, wherein the access policy is identified based at least on the retrieved device posture; and determining whether to grant an access to the cloud-based application based in part on the compliance of the client device with the identified access policy.

60 Citations

View as Search Results

26 Claims

1. A method for securing an access to a cloud-based application, comprising:
- receiving an authentication token, wherein the authentication token includes an identity of a user of a client device requesting an access to the cloud-based application;
  
  receiving, from an agent executed in the client device, a client certificate;
  
  retrieving, from a compliance server, a device posture of the client device, wherein the device posture is retrieved respective of the received client certificate;
  
  identifying an access policy for the client device to access the cloud-based application, wherein the access policy is identified based at least on the retrieved device posture; and
  
  determining whether to grant an access to the cloud-based application based in part on the compliance of the client device with the identified access policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - checking if the agent is installed in the client device; and
      
      causing at least one of;
      
      installation of the agent in the client device and execution of the agent in the client device, when the client device does not include the agent.
  - 3. The method of claim 1, wherein the device posture characterizes at least security capabilities that the client device is configured with.
  - 4. The method of claim 3, wherein the device posture includes at least a set of compliance parameters and a unique certificate associated with the client device.
  - 5. The method of claim 4, wherein each compliance parameter includes a compliance status of at least one of:
    - at least one security capability of the client device.
  - 6. The method of claim 4, wherein the device posture is compiled using information provided by at least one of:
    - a central authentication system, an end-point Data Loss Prevention (DLP) service, a network access control (NAC) service, and a mobile device management (MDM) service.
  - 7. The method of claim 1, wherein the access policy includes a plurality of attributes, a plurality of conditions, and a policy action.
  - 8. The method of claim 7, wherein determining whether to grant an access to the cloud-based application further comprises:
    - determining which of the plurality conditions and of the plurality of attributes set in the access policy are met; and
      
      allowing an access to the cloud-based application based on the determined met conditions and attributes.
  - 9. The method of claim 8, wherein the policy action includes any one of:
    - allow full access, block access, and allow limited access.
  - 10. The method of claim 8, wherein the determination of which of the plurality conditions and attributes are met is performed using information retrieved from at least one of:
    - a central authentication system, a compliance server, an external reputation service, and a lightweight directory access protocol (LDAP) service.
  - 11. The method of claim 1, wherein the client device is any one of:
    - a managed device, and an un-managed device, wherein the managed device and the un-managed device are of the same user.
  - 12. The method of claim 1, wherein the authentication token is received from a central authentication system, wherein the central authentication system is any of:
    - a federated identity management (FIdM) system, and a single-sign-on (SSO) server.
  - 13. A computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to claim 1.

14. A proxy device for securing an access to a cloud-based application, comprising:
- a processing system; and
  
  a memory, the memory containing instructions that, when executed by the processing system, configure the proxy device to;
  
  receive an authentication token, wherein the authentication token includes an identity of a user of a client device requesting an access to the cloud-based application;
  
  receive, from an agent executed in the client device, a client certificate;
  
  retrieve, from a compliance server, a device posture of the client device, wherein the device posture is retrieved respective of the received client certificate;
  
  identify an access policy for the client device to access the cloud-based application, wherein the access policy is identified based at least on the retrieved posture; and
  
  determine whether to grant an access to the cloud-based application based in part on the compliance of the client device with the identified access policy.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The proxy device of claim 14, wherein the proxy device is further configured to:
    - check if the agent is installed in the client device; and
      
      cause at least one of installation of the agent in the client device and execution of the agent in the client device, when the client device does not include the agent.
  - 16. The proxy device of claim 14, wherein the device posture characterizes at least security capabilities that the client device is configured with.
  - 17. The proxy device of claim 16, wherein the device posture includes at least a set of compliance parameters and a unique certificate associated with the client device.
  - 18. The proxy device of claim 17, wherein each compliance parameter includes a compliance status of at least one of:
    - at least one security capability of the client device.
  - 19. The proxy device of claim 17, wherein the device posture is compiled using information provided by at least one of:
    - a central authentication system, an end-point Data Loss Prevention (DLP) service, a network access control (NAC) service, and a mobile device management (MDM) service.
  - 20. The proxy device of claim 14, wherein the access policy includes a plurality of attributes, a plurality of conditions, and a policy action.
  - 21. The proxy device of claim 20, wherein the proxy device is further configured to:
    - determine which of the plurality conditions and of the plurality of attributes set in the access policy are met; and
      
      allow an access to the cloud-based application based on the determined met conditions and attributes.
  - 22. The proxy device of claim 20, wherein the policy action includes any one of:
    - allow full access, block access, and allow limited access.
  - 23. The proxy device of claim 14, wherein the determination of which of the plurality conditions and attributes are met is performed using information retrieved from at least one of:
    - a central authentication system, a compliance server, an external reputation service, and a lightweight directory access protocol (LDAP) service.
  - 24. The proxy device of claim 14, wherein the client device is any one of:
    - a managed device and un-managed device, wherein the managed device and the un-managed device are of the same user.
  - 25. The proxy device of claim 14, wherein the authentication token is received from a central authentication system, wherein the central authentication system is any of:
    - a federated identity management (FIdM) system, and a single-sign-on (SSO) server.

26. A cloud computing platform, comprising:
- at least one server configured to host at least one cloud-based application;
  
  a compliance server;
  
  a proxy device communicatively connected to the at least one server, wherein the proxy device includes a processing system and a memory;
  
  the memory containing instructions that, when executed by the processing system, configure the proxy device to;
  
  receive an authentication token, wherein the authentication token includes an identity of a user of a client device requesting an access to the cloud-based application;
  
  receive, from an agent executed in the client device, a client certificate;
  
  retrieve, from the compliance server, a device posture of the client device, wherein the device posture is retrieved respective of the received client certificate;
  
  identify an access policy for the client device to access the cloud-based application, wherein the access policy is identified based at least on the retrieved posture; and
  
  determine whether to grant an access to the cloud-based application based in part on the compliance of the client device with the identified access policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
KHAIT, Vitaly, STOLOVICH, Ariel, LUTTWAK, Ami, MOYSI, Liran, VISHNEPOLSKY, Greg

Granted Patent

US 11,115,417 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06F 21/335   for accessing specific reso...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1433   Vulnerability analysis

H04W 12/08   Access security

SECURED ACCESS CONTROL TO CLOUD-BASED APPLICATIONS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SECURED ACCESS CONTROL TO CLOUD-BASED APPLICATIONS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links