MIDDLE WARE SECURITY LAYER FOR CLOUD COMPUTING SERVICES

US 20170264619A1
Filed: 12/02/2016
Published: 09/14/2017
Est. Priority Date: 03/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a middle ware object security layer between an organization'"'"'s user systems and independent object stores, the method including:

combining active proxy analysis of object deposit to, retrieval from and sharing via the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting metadata of the objects, including;

using a proxy interposed between the user systems and the independent object stores, actively controlling manipulation of proxy-subject objects on the independent object stores by applying rules that utilize the active proxy analysis and sensitivity metadata to actively control the deposit to, the retrieval from and the sharing via the independent object stores by the user systems; and

inspecting proxy-bypassing objects on the independent object stores, and classifying and persisting sensitivity metadata of the proxy-bypassing objects deposited to and retrieved by users able to bypass the proxy and machines not subject to the proxy; and

making the metadata available to the proxy to enforce policies based on the metadata.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The technology disclosed relates to enforcing multi-part policies on data-deficient transactions of independent data stores. In particular, it relates to combining active analysis of access requests for the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata in a supplemental data store, actively processing data-deficient transactions that apply to the objects by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions, and actively enforcing the multi-part policies using the retrieved object metadata.

Citations

20 Claims

1. A method of establishing a middle ware object security layer between an organization'"'"'s user systems and independent object stores, the method including:
- combining active proxy analysis of object deposit to, retrieval from and sharing via the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting metadata of the objects, including;
  
  using a proxy interposed between the user systems and the independent object stores, actively controlling manipulation of proxy-subject objects on the independent object stores by applying rules that utilize the active proxy analysis and sensitivity metadata to actively control the deposit to, the retrieval from and the sharing via the independent object stores by the user systems; and
  
  inspecting proxy-bypassing objects on the independent object stores, and classifying and persisting sensitivity metadata of the proxy-bypassing objects deposited to and retrieved by users able to bypass the proxy and machines not subject to the proxy; and
  
  making the metadata available to the proxy to enforce policies based on the metadata.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 16)
- - 2. The method of claim 1, wherein the policy enforcement includes actively rejecting object sharing requests of first objects in the independent object stores, further including:
    - applying rules that utilize logs or current metadata store and the metadata to identify improper sharing of the first objects; and
      
      using an application programming interface (API) to cancel the identified improper sharing of the first objects.
  - 3. The method of claim 1, wherein the policy enforcement includes retroactively cancelling object sharing of second objects from the independent object stores by inspecting logs or current metadata store from the independent object stores, further including:
    - applying rules that utilize logs or current metadata store and the metadata to identify improper sharing of the second objects; and
      
      using an application programming interface (API) to cancel the identified improper sharing of the second objects.
  - 4. The method of claim 1, wherein the policy enforcement includes actively controlling retrieval of third objects from the independent object stores, further including:
    - applying rules that access object threat metadata that identifies the third objects as malicious; and
      
      blocking retrieval of the identified malicious third objects.
  - 5. The method of claim 1, wherein the policy enforcement includes actively controlling retrieval of fourth objects from the independent object stores, further including:
    - applying rules that access user system at-risk metadata that identifies user systems as compromised; and
      
      blocking retrieval of the fourth objects by the identified at-risk user systems.
  - 6. The method of claim 1, wherein the policy enforcement includes actively controlling deposit of fifth objects to the independent object stores, further including:
    - applying rules that access user system at-risk metadata that identifies user systems as compromised; and
      
      blocking deposit of the fifth objects by the identified at-risk user systems.
  - 7. The method of claim 1, wherein the policy enforcement includes preserving integrity of sixth objects in the independent object stores, further including:
    - persisting a true file type of sixth objects based on the active proxy analysis and/or inspection;
      
      determining changes in the true file type during the inspection of objects in the independent object stores; and
      
      triggering a security action in response to the determination.
  - 16. A system including one or more processors coupled to memory, the memory loaded with computer instructions, the instructions, when executed on the processors, implement actions of claim 1.

8. A method of establishing a middle ware object security layer between an organization'"'"'s user systems and independent object stores, the method including:
- combining active analysis of access requests for independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata; and
  
  actively controlling manipulation of the objects by applying rules that utilize the persisted metadata.
- View Dependent Claims (17, 19)
- - 17. A non-transitory computer readable storage medium impressed with computer program instructions, the instructions, when executed on a processor, implement the method of claim 8.
  - 19. A system including one or more processors coupled to memory, the memory loaded with computer instructions, the instructions, when executed on the processors, implement actions of claim 8.

9. A method of providing visibility of enterprise information stored on a cloud computing service (CCS), the method including:
- using a cross-application monitor to detect a cloud computing service (CCS) application programming interface (API) in use;
  
  determining object metadata of objects in the CCS by parsing a data stream based on the CCS API including exposure information of the objects; and
  
  generating for display, visual representation data for the objects in the CCS that graphical summarize;
  
  number of privately owned objects;
  
  number of publicly accessible objects;
  
  number of intra-organizationally shared objects;
  
  number of extra-organizationally shared objects;
  
  true file types of the objects; and
  
  number of policy violations.
- View Dependent Claims (18, 20)
- - 18. A non-transitory computer readable storage medium impressed with computer program instructions, the instructions, when executed on a processor, implement the method of claim 9.
  - 20. A system including one or more processors coupled to memory, the memory loaded with computer instructions, the instructions, when executed on the processors, implement actions of claim 9.

10. A non-transitory computer readable storage medium impressed with computer program instructions to establish a middle ware object security layer between an organization'"'"'s user systems and independent object stores, the instructions, when executed on a processor, implement a method comprising:
- combining active proxy analysis of object deposit to, retrieval from and sharing via the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting metadata of the objects, including;
  
  using a proxy interposed between the user systems and the independent object stores, actively controlling manipulation of proxy-subject objects on the independent object stores by applying rules that utilize the active proxy analysis and sensitivity metadata to actively control the deposit to, the retrieval from and the sharing via the independent object stores by the user systems; and
  
  inspecting proxy-bypassing objects on the independent object stores, and classifying and persisting sensitivity metadata of the proxy-bypassing objects deposited to and retrieved by users able to bypass the proxy and machines not subject to the proxy; and
  
  making the metadata available to the proxy to enforce policies based on the metadata.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory computer readable storage medium of claim 10, wherein the policy enforcement includes actively rejecting object sharing requests of first objects in the independent object stores, implementing the method further comprising:
    - applying rules that utilize logs or current metadata store and the metadata to identify improper sharing of the first objects; and
      
      using an application programming interface (API) to cancel the identified improper sharing of the first objects.
  - 12. The non-transitory computer readable storage medium of claim 10, wherein the policy enforcement includes retroactively cancelling object sharing of second objects from the independent object stores by inspecting logs or current metadata store from the independent object stores, implementing the method further comprising:
    - applying rules that utilize logs or current metadata store and the metadata to identify improper sharing of the second objects; and
      
      using an application programming interface (API) to cancel the identified improper sharing of the second objects.
  - 13. The non-transitory computer readable storage medium of claim 10, wherein the policy enforcement includes actively controlling retrieval of third objects from the independent object stores, implementing the method further comprising:
    - applying rules that access object threat metadata that identifies the third objects as malicious; and
      
      blocking retrieval of the identified malicious third objects.
  - 14. The non-transitory computer readable storage medium of claim 10, wherein the policy enforcement includes actively controlling retrieval of fourth objects from the independent object stores, implementing the method further comprising:
    - applying rules that access user system at-risk metadata that identifies user systems as compromised; and
      
      blocking retrieval of the fourth objects by the identified at-risk user systems.
  - 15. The non-transitory computer readable storage medium of claim 10, wherein the policy enforcement includes actively controlling deposit of fifth objects to the independent object stores, implementing the method further comprising:
    - applying rules that access user system at-risk metadata that identifies user systems as compromised; and
      
      blocking deposit of the fifth objects by the identified at-risk user systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netskope Incorporated
Original Assignee
Netskope Incorporated
Inventors
NARAYANASWAMY, Krishna, CHENG, Lebin, KULKARNI, Abhay, ITHAL, Ravi, ANAND, Chetan, CHOPRA, Rajneesh

Granted Patent

US 11,019,101 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 16/951   Indexing; Web crawling tech...

G06F 21/6209   to a single file or object,...

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

MIDDLE WARE SECURITY LAYER FOR CLOUD COMPUTING SERVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MIDDLE WARE SECURITY LAYER FOR CLOUD COMPUTING SERVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links