MANAGING COMPUTER SECURITY SERVICES FOR CLOUD COMPUTING PLATFORMS

US 20200137125A1
Filed: 10/26/2018
Published: 04/30/2020
Est. Priority Date: 10/26/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of managing security services for one or more cloud computing platforms, comprising:

receiving, by a main controller, a security policy from a client device,the client device being associated with a set of computing applications hosted by one or more independent, private virtual clusters on one or more cloud computing platforms,the main controller residing outside the one or more virtual clusters,each of the one or more virtual clusters to be served by a security gateway system residing within the one or more cloud computing platforms,the security policy indicating how threat intelligence data is to be applied to the set of computing applications with respect to a plurality of application scopes;

receiving application data from the client device,the application data indicating whether a specific computing application of the set of computing applications has one or more application properties of a plurality of application properties,the plurality of application properties corresponding to the plurality of application scopes,the one or more application properties including a functional attribute related to a function of the specific computing application,obtaining a piece of threat intelligence data from a data source;

mapping the piece of threat intelligence data to the plurality of application scopes;

determining to which of the one or more security gateway systems to send the piece of threat intelligence data based on the security policy;

transmitting the piece of threat intelligence data to at least one of the one or more security gateway systems based on the determining.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method of managing security services for one or more cloud computing platforms is disclosed. The method comprises receiving, by a main controller, a security policy from a client device, the client device being associated with a set of computing applications hosted by one or more independent, private virtual clusters on one or more cloud computing platforms, the main controller residing outside the one or more virtual clusters, each of the one or more virtual clusters to be served by a security gateway system residing within the one or more cloud computing platforms, the security policy indicating how threat intelligence data is to be applied to the set of computing applications with respect to a plurality of application scopes; receiving application data from the client device, the application data indicating whether a specific computing application of the set of computing applications has one or more application properties of a plurality of application properties, the plurality of application properties corresponding to the plurality of application scopes, the one or more application properties including a functional attribute related to a function of the specific computing application, obtaining a piece of threat intelligence data from a data source; mapping the piece of threat intelligence data to the plurality of application scopes; determining to which of the one or more security gateway systems to send the piece of threat intelligence data based on the security policy; transmitting the piece of threat intelligence data to at least one of the one or more security gateway systems based on the determining.

Citations

22 Claims

1. A computer-implemented method of managing security services for one or more cloud computing platforms, comprising:
- receiving, by a main controller, a security policy from a client device,the client device being associated with a set of computing applications hosted by one or more independent, private virtual clusters on one or more cloud computing platforms,the main controller residing outside the one or more virtual clusters,each of the one or more virtual clusters to be served by a security gateway system residing within the one or more cloud computing platforms,the security policy indicating how threat intelligence data is to be applied to the set of computing applications with respect to a plurality of application scopes;
  
  receiving application data from the client device,the application data indicating whether a specific computing application of the set of computing applications has one or more application properties of a plurality of application properties,the plurality of application properties corresponding to the plurality of application scopes,the one or more application properties including a functional attribute related to a function of the specific computing application,obtaining a piece of threat intelligence data from a data source;
  
  mapping the piece of threat intelligence data to the plurality of application scopes;
  
  determining to which of the one or more security gateway systems to send the piece of threat intelligence data based on the security policy;
  
  transmitting the piece of threat intelligence data to at least one of the one or more security gateway systems based on the determining.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1,the obtaining comprising crawling a Web interface of an online threat intelligence feed or receiving security anomaly data from one of the one or more security gateway systems or another security gateway system,the piece of threat intelligence data including information regarding a source of a computer security threat, a nature of the computer security threat, or a target of the computer security threat.
  - 3. The computer-implemented method of claim 1, the plurality of application scopes including:
    - a client device scope covering the set of computing applications,a geographical region scope covering the set of computing applications hosted by at least one of the one or more cloud computing platforms located in one geographical region,a cloud computing platform scope covering the set of computing applications hosted by one of the one or more cloud computing platforms,a virtual cluster scope covering the set of computing applications hosted by one of the one or more virtual clusters on the one or more cloud computing platforms,an individual application scope covering one of the set of computing applications, orone or more application functional attribute scopes, each covering the set of computing applications having a corresponding application functional attribute.
  - 4. The computer-implemented method of claim 1,the application data indicating, for the one application property of the specific computing application, a key and a corresponding value,the key being defined by the client device or the cloud computing platform having the virtual cluster hosting the specific computing application.
  - 5. The computer-implemented method of claim 1, further comprisingobtaining an API of the specific computing application,identifying an additional function attribute related to the API;
    - updating the application data and the security policy based on the identifying.
  - 6. The computer-implemented method of claim 1, further comprising:
    - receiving a request from the client device for estimating an impact of a security threat on the one or more virtual clusters;
      
      sending an instruction to at least one of the one or more security gateway systems to estimate the impact of the security threat based on historical digital communications received and stored by the at least one of the one or more security gateway systems;
      
      receiving an estimate of the impact the of the security threat from the one or more security gateway systems;
      
      updating the security policy based on the estimate.
  - 7. The computer-implemented method of claim 1, further comprising:
    - receiving a request from the client device for establishing an account to be associated with the security policy and application data;
      
      in response to the request, causing launching the one or more security gateway systems respectively on the one or more cloud computing platforms;
      
      receiving heartbeats from the one or more security gateway systems;
      
      adjusting a number or structure of security gateway systems serving the one virtual cluster based on the heartbeats.
  - 8. The computer-implemented method of claim 1, further comprising:
    - after receiving the security policy, causing launching one or more local controllers respectively on the one or more virtual clusters;
      
      receiving private data from the client device, including security keys in an encrypted form associated with the set of computing applications;
      
      distributing the private data to the one or more local controllers.

9. A system for managing security services for one or more cloud computing platforms, comprising:
- one or more local controllers respectively residing within one or more independent, private virtual clusters on one or more cloud computing platforms;
  
  one or more security gateway systems respectively corresponding to the one or more local controllers and residing within the one or more cloud computing platforms;
  
  a main controller residing outside the one or more virtual clusters,the one or more virtual clusters being associated with one or more client devices,the one or more virtual clusters hosting a set of computing applications,a specific local controller of the one or more local controllers receiving private data associated with a specific client device of the one or more client devices from the main controller or one or more computing applications of the set of computing applications,the specific local controller residing within a specific virtual cluster of the one or more virtual clusters associated with the specific client device,the one or more computing applications being hosted by the specific virtual cluster,the specific local controller storing the private data in a local storage using a secure approach that achieves data security and integrity,the specific local controller receiving a request for retrieving the private data from a corresponding security gateway system of the one or more security gateway systems,the specific local controller transmitting the private data to the corresponding security gateway system in response to the request using a secure approach that achieves data security and integrity.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, the private data including security keys associated with one of the one or more computing applications hosted by the specific virtual cluster or private threat intelligence data applicable to the one computing application.
  - 11. The system of claim 9,the specific local controller receiving additional private data associated with the specific client device or the one or more computing applications,the additional private data including credentials for an account with a third-party data management system containing certain private data,the specific local controller obtaining the certain private data from the third-party data management system using the additional private data.
  - 12. The system of claim 9,the private data being in an encrypted form inaccessible to the main controller,the specific local controller decrypting the private data before the storing.
  - 13. The system of claim 9, the one cloud computing platform comprising lower-performance standard processors and higher-performance special-purpose hardware.
  - 14. The system of claim 9,the specific local controller receiving an instruction from the main controller to terminate operation,the specific local controller performing a termination procedure in response to the instruction.

15. One or more non-transitory computer-readable storage media storing sequences of instructions which when executed cause one or more hardware processors to perform a computer-implemented method of managing security services for one or more cloud computing platforms, the method comprising:
- receiving, by a security gateway system, a digital communication related to one of one or more computing applications hosted by a private virtual cluster on a cloud computing platform,the security gateway system residing within the cloud computing platform,the security gateway system performing network security gateway functions for the one or more computing applications;
  
  storing the digital communication in association with a timestamp in a storage device;
  
  receiving a piece of threat intelligence data indicating a security threat from a main controller residing outside the virtual cluster;
  
  determining whether the piece of threat intelligence data applies to any of the digital communications in the storage device;
  
  transmitting an estimate of an extent or timing of past impact of the security threat based on the determining.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The one or more non-transitory computer-readable storage media of claim 15, the method further comprising:
    - receiving a request from a client device or the main controller for assessing a future impact of the security threat on the virtual cluster,the determining and transmitting being responsive to the request.
  - 17. The one or more non-transitory computer-readable storage media of claim 15, the method further comprising storing the digital communication in association with additional metadata, including information identifying a source or a destination of the digital communication.
  - 18. The one or more non-transitory computer-readable storage media of claim 15, the method further comprising:
    - storing the piece of threat intelligence data in a database;
      
      receiving a specific digital communication from a source computing device related to a specific computing application of the one or more computing applications;
      
      sending a request to a local controller for security keys,the local controller managing the secure keys using a secure approach that achieves certain goals of cryptography,the local controller residing within the virtual cluster;
      
      receiving the security keys without storing the security keys in a local storage;
      
      authenticating the source computing device with the security keys.
  - 19. The one or more non-transitory computer-readable storage media of claim 18, the method further comprising:
    - determining whether the specific digital communication matches any of the pieces of threat intelligence data in the database;
      
      in response to determining that the specific digital communication matches a certain piece of threat intelligence data in the database, cleaning up or discarding the specific digital communication;
      
      in response to determining that the specific digital communication matches no piece of threat intelligence data in the database, sending application-level data of the digital communication to a destination of the digital communication.
  - 20. The one or more non-transitory computer-readable storage media of claim 15, the method further comprising:
    - transmitting a heartbeat to the main controller periodically, the heartbeat indicating a health status or a workload of the security gateway system;
      
      receiving an instruction from the main controller to upgrade or terminate operation.
  - 21. The one or more non-transitory computer-readable storage media of claim 15, the method further comprising transmitting an error code, a failure indicator, an occurrence of a security anomaly, or a new piece of threat intelligence data related to the one or more computing applications to the main controller.
  - 22. The one or more non-transitory computer-readable storage media of claim 15, the method further comprising:
    - determining that a number or volume of received digital communications related to the one or more computing application is below a threshold;
      
      sending an advance termination notification to the main controller;
      
      performing a termination procedure to terminate operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtix LLC (Cisco Systems, Inc.)
Original Assignee
Valtix, Inc. (Cisco Systems, Inc.)
Inventors
PATNALA, Praveen, JAIN, Vishal, CHANDER, Vijay

Granted Patent

US 11,012,475 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 2009/45587   Isolation or security of vi...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/64   Protecting data integrity, ...

G06F 9/45558   Hypervisor-specific managem...

H04L 12/66   Arrangements for connecting...

H04L 41/0894   Policy-based network config...

H04L 41/16   using machine learning or a...

H04L 41/40   using virtualisation of net...

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/20   the monitoring system or th...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205 : involving negotiation or de...

H04L 63/302 : gathering intelligence info...

H04L 67/10 : in which an application is ...

View All

MANAGING COMPUTER SECURITY SERVICES FOR CLOUD COMPUTING PLATFORMS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

MANAGING COMPUTER SECURITY SERVICES FOR CLOUD COMPUTING PLATFORMS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links