Seamless Provision of Authentication Credential Data to Cloud-Based Assets on Demand

US 20180367528A1
Filed: 07/30/2018
Published: 12/20/2018
Est. Priority Date: 06/12/2017
Status: Abandoned Application

First Claim

Patent Images

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing authentication credential data to cloud-based assets on demand, the operations comprising:

receiving a prompt indicating that a cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;

extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset;

authenticating the cloud-based asset based on the extracted information;

generating first authentication credential data for the cloud-based asset;

generating second authentication credential data for the cloud-based asset;

making the first authentication credential data available to the cloud-based asset via a first communication channel; and

making the second authentication credential data available to the cloud-based asset via a second communication channel;

wherein a combination of the first and the second authentication credential data is sufficient to authenticate the cloud-based asset to the access-controlled resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments include systems and methods for providing authentication credential data to cloud-based assets on demand. Operations include receiving a prompt indicating that a cloud-based asset is seeking to communicate with an access-controlled resource, extracting information associated with the cloud-based asset, authenticating the cloud-based asset based on the extracted information, generating first authentication credential data for the cloud-based asset, generating second authentication credential data for the cloud-based asset, making the first authentication credential data available to the cloud-based asset via a first communication channel, and making the second authentication credential data available to the cloud-based asset via a second communication channel. A combination of the first and the second authentication credential data may be sufficient to authenticate the cloud-based asset to the access-controlled resource.

104 Citations

View as Search Results

30 Claims

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing authentication credential data to cloud-based assets on demand, the operations comprising:
- receiving a prompt indicating that a cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset;
  
  authenticating the cloud-based asset based on the extracted information;
  
  generating first authentication credential data for the cloud-based asset;
  
  generating second authentication credential data for the cloud-based asset;
  
  making the first authentication credential data available to the cloud-based asset via a first communication channel; and
  
  making the second authentication credential data available to the cloud-based asset via a second communication channel;
  
  wherein a combination of the first and the second authentication credential data is sufficient to authenticate the cloud-based asset to the access-controlled resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The non-transitory computer readable medium of claim 1, wherein the first and the second authentication credential data include at least one of a certificate, blockchain token, password, cryptographic key, or access token.
  - 3. The non-transitory computer readable medium of claim 1, wherein an authentication policy dynamically determines how many types of authentication credential data to generate for the cloud-based asset.
  - 4. The non-transitory computer readable medium of claim 3, wherein the authentication policy performs the dynamic determination individually for each of a plurality of cloud-based assets in a network environment.
  - 5. The non-transitory computer readable medium of claim 4, wherein the dynamic determination is based on a level of trust or distrust for each of the plurality of cloud-based assets in a network environment.
  - 6. The non-transitory computer readable medium of claim 1, wherein a configuration file associated with the cloud-based asset determines how many types of authentication credential data to generate for the cloud-based asset.
  - 7. The non-transitory computer readable medium of claim 1, wherein the first and the second authentication credential data are created by separating a single authentication credential into a plurality of portions.
  - 8. The non-transitory computer readable medium of claim 7, wherein the separating the single authentication credential is based on an authentication policy or configuration file.
  - 9. The non-transitory computer readable medium of claim 7, wherein the separating the single authentication credential includes separating the single authentication credential into a particular number of portions.
  - 10. The non-transitory computer readable medium of claim 7, wherein the operations further comprise making available each of the plurality of portions of the single authentication credential in response to individual requests for each of the plurality of portions of the single authentication credential.
  - 11. The non-transitory computer readable medium of claim 7, wherein each of the plurality of portions of the single authentication credential are made available to an authorization system that performs the determining whether the cloud-based asset is authorized to access the access-controlled resource.
  - 12. The non-transitory computer readable medium of claim 1, wherein the operations further comprise injecting the first authentication credential data into the cloud-based asset.
  - 13. The non-transitory computer readable medium of claim 1, wherein the operations further comprise providing the second authentication credential data to the cloud-based asset without injecting the second authentication credential data into the cloud-based asset.
  - 14. The non-transitory computer readable medium of claim 1, wherein the first and the second authentication credential data are each separate authentication credentials.
  - 15. The non-transitory computer readable medium of claim 1, wherein the second authentication credential data is made available to the cloud-based asset conditional on a successful verification of an IP address associated with the cloud-based asset.

16. A computer-implemented method, executable by a processor of a computing system, for providing authentication credential data to a cloud-based asset on demand, the method comprising:
- receiving a prompt indicating that a cloud-based asset is seeking to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  extracting information associated with the cloud-based asset by, at least in part, accessing a trusted cloud platform resource storing data associated with verified cloud-based assets, the trusted cloud platform resource being separate from the cloud-based asset;
  
  authenticating the cloud-based asset based on the extracted information;
  
  generating first authentication credential data for the cloud-based asset;
  
  generating second authentication credential data for the cloud-based asset;
  
  making the first authentication credential data available to the cloud-based asset via a first communication channel; and
  
  making the second authentication credential data available to the cloud-based asset via a second communication channel;
  
  wherein a combination of the first and the second authentication credential data is sufficient to authenticate the cloud-based asset to the access-controlled resource.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The computer-implemented method of claim 16, wherein the first authentication credential data is made available to the cloud-based asset via an application programming interface of the trusted cloud platform resource.
  - 18. The computer-implemented method of claim 16, wherein the first authentication credential data is made available to the cloud-based asset via a remote connection between the cloud-based asset and the trusted cloud platform resource.
  - 19. The computer-implemented method of claim 16, wherein the first authentication credential data is made available to the cloud-based asset via a volume that is shared between the cloud-based asset and the trusted cloud platform resource.
  - 20. The computer-implemented method of claim 16, wherein the first authentication credential data is made available to the cloud-based asset via an application programming interface of a dedicated agent running on the cloud-based asset.
  - 21. The computer-implemented method of claim 16, wherein the first authentication credential data is made available to the cloud-based asset via a database to which both the cloud-based asset and the trusted cloud platform resource have access.
  - 22. The computer-implemented method of claim 16, wherein the first authentication credential data is made available to the cloud-based asset in response to a request from the cloud-based asset for the first authentication credential data.
  - 23. The computer-implemented method of claim 16, wherein the cloud-based asset includes multiple cloud-based identities, and the method further comprises generating identity-specific authentication credential data for the multiple cloud-based identities.

24. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for obtaining access to authentication credential data on demand, the operations comprising:
- requesting, by a cloud-based asset, to communicate with an access-controlled resource, wherein the cloud-based asset lacks authorization to communicate with the access-controlled resource;
  
  in response to the request to communicate and conditional on the cloud-based asset being authenticated based on extracted information associated with the cloud-based asset, obtaining access to first authentication credential data for the cloud-based asset via a first communication channel;
  
  issuing a prompt, based on the first authentication credential data, requesting access to second authentication credential data for the cloud-based asset via a second communication channel;
  
  requesting authorization, using the first and the second authentication credential data, to access the access-controlled resource; and
  
  receiving authorization, in response to the request for authorization, to access the access-controlled resource.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The non-transitory computer readable medium of claim 24, wherein the operations further comprise receiving the first authentication credential data via a dedicated agent from the trusted cloud platform resource.
  - 26. The non-transitory computer readable medium of claim 24, wherein the operations further comprise receiving the first authentication credential data via a remote connection between the cloud-based asset and the trusted cloud platform resource.
  - 27. The non-transitory computer readable medium of claim 24, wherein the operations further comprise receiving the first authentication credential data from a database to which both the cloud-based asset and the trusted cloud platform resource have access.
  - 28. The non-transitory computer readable medium of claim 24, wherein the operations further comprise receiving a single authentication credential, of which the first and the second authentication credential data are parts.
  - 29. The non-transitory computer readable medium of claim 28, wherein receiving the single authentication credential includes receiving a plurality of portions of the single authentication credential through separate communications channels.
  - 30. The non-transitory computer readable medium of claim 28, wherein receiving the single authentication credential includes receiving a plurality of portions of the single authentication credential at separate times.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
CyberArk Software Ltd.
Inventors
Schwarz, Rafi, Maccabi, Eli, Cohen, Moti, Lahav, Nessi, Zilberman Kubovsky, Inbal, Sakirko, Evgeny

Application Number

US16/048,917
Publication Number

US 20180367528A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3236   using cryptographic hash fu...

H04L 9/50   using hash chains, e.g. blo...

Seamless Provision of Authentication Credential Data to Cloud-Based Assets on Demand

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

104 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Seamless Provision of Authentication Credential Data to Cloud-Based Assets on Demand

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links