Policy engine for cloud platform

US 8,572,706 B2
Filed: 04/26/2011
Issued: 10/29/2013
Est. Priority Date: 04/26/2010
Status: Active Grant

First Claim

Patent Images

1. A method for setting organizational policies for web applications deployed in a cloud computing environment, the method comprising the steps of:

receiving authentication credentials of a user of the cloud computing environment;

authenticating the user;

intercepting a communications packet from the user intended for a component of the cloud computing environment configured to orchestrate deployment of a web application in the cloud computing environment;

identifying a command to manage deployment of the web application in the cloud computing environment in the intercepted communications packet;

dispatching the intercepted communications packet to a rules engine corresponding to the identified command;

executing a set of rules in the rules engine that implements a policy set by an organization desiring to deploy web applications in the cloud computing environment;

forwarding the communications packet to the component of the cloud computing environment when completion of execution of the set of rules indicates compliance of the intercepted communications packet with the policy; and

rejecting the communications packet when completion of execution of the set of rules indicates non-compliance of the communications packet with the policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy engine is situated between the communications path of a cloud computing environment and a user of the cloud computing environment to comply with an organization'"'"'s policies for deploying web applications in the cloud computing environment. The policy engine intercepts communications packets to the cloud computing environment from a user, such as a web application developer, for example, in preparation for deploying a web application in the cloud computing environment. The policy engine identifies commands corresponding to the communications packets and directs the communications packets to appropriate rules engines corresponding to such commands in order to execute rules to comply with an organization'"'"'s policies. Upon completion of execution of the rules, the communications packets are forwarded to the cloud computing environment if they comply with the policies.

53 Citations

View as Search Results

18 Claims

1. A method for setting organizational policies for web applications deployed in a cloud computing environment, the method comprising the steps of:
- receiving authentication credentials of a user of the cloud computing environment;
  
  authenticating the user;
  
  intercepting a communications packet from the user intended for a component of the cloud computing environment configured to orchestrate deployment of a web application in the cloud computing environment;
  
  identifying a command to manage deployment of the web application in the cloud computing environment in the intercepted communications packet;
  
  dispatching the intercepted communications packet to a rules engine corresponding to the identified command;
  
  executing a set of rules in the rules engine that implements a policy set by an organization desiring to deploy web applications in the cloud computing environment;
  
  forwarding the communications packet to the component of the cloud computing environment when completion of execution of the set of rules indicates compliance of the intercepted communications packet with the policy; and
  
  rejecting the communications packet when completion of execution of the set of rules indicates non-compliance of the communications packet with the policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the executing step further comprises editing payload data in the communications packet to comply with the policy.
  - 3. The method of claim 1, wherein the executing step further comprises accessing a networked service to confirm compliance with the policy.
  - 4. The method of claim 1, wherein the executing step further comprises redirecting a transmitter of the communications packet to interact with a networked service to comply with the policy.
  - 5. The method of claim 1, further comprising the steps of:
    - receiving a response to the communications packet from the cloud computing environment;
      
      dispatching the response to a response rules engine related to the identified command; and
      
      forwarding the response to a transmitter of the communications packet when completion of execution of a set of rules in the response rules engine indicates compliance of the response with the policy.
  - 6. The method of claim 1, implemented as a process in a proxy server at the organization.
  - 7. The method of claim 1, further comprising the steps of:
    - identifying a federated token corresponding to the user; and
      
      transmitting the federated token to the cloud computing environment in relation to the communications packet.

8. A non-transitory computer-readable storage medium including instructions that, when executed on a computer processor, causes the computer processor to set organizational policies for web applications deployed in a cloud computing environment, by performing the steps of:
- receiving authentication credentials of a user of the cloud computing environment;
  
  authenticating the user;
  
  intercepting a communications packet from the user intended for a component of the cloud computing environment configured to orchestrate deployment of a web application in the cloud computing environment;
  
  identifying a command to manage deployment of the web application in the cloud computing environment in the intercepted communications packet;
  
  dispatching the intercepted communications packet to a rules engine corresponding to the identified command;
  
  executing a set of rules in the rules engine that implements a policy set by an organization desiring to deploy web applications in the cloud computing environment;
  
  forwarding the communications packet to the component of the cloud computing environment when completion of execution of the set of rules indicates compliance of the intercepted communications packet with the policy; and
  
  rejecting the communications packet when completion of execution of the set of rules indicates non-compliance of the communications packet with the policy.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the executing step further comprises editing payload data in the communications packet to comply with the policy.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the executing step further comprises accessing a networked service to confirm compliance with the policy.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein the executing step further comprises redirecting a transmitter of the communications packet to interact with a networked service to comply with the policy.
  - 12. The non-transitory computer-readable storage medium of claim 8, further comprising instructions to perform the steps of:
    - receiving a response to the communications packet from the cloud computing environment;
      
      dispatching the response to a response rules engine related to the identified command; and
      
      forwarding the response to a transmitter of the communications packet when completion of execution of a set of rules in the response rules engine indicates compliance of the response with the policy.
  - 13. The non-transitory computer-readable storage medium of claim 8, further comprising instructions to perform the steps of:
    - identifying a federated token corresponding to the user; and
      
      transmitting the federated token to the cloud computing environment in relation to the communications packet.

14. A proxy server for setting organizational policies for web applications deployed in a cloud computing environment, the server comprising one or more central processing units (CPUs) configured to perform the steps of:
- receiving authentication credentials of a user of the cloud computing environment;
  
  authenticating the user;
  
  intercepting a communications packet from the user intended for a component of the cloud computing environment configured to orchestrate deployment of a web application in the cloud computing environment;
  
  identifying a command to manage deployment of the web application in the cloud computing environment in the intercepted communications packet;
  
  dispatching the intercepted communications packet to a rules engine corresponding to the identified command;
  
  executing, by operation of the one or more CPUs, a set of rules in the rules engine that implements a policy set by an organization desiring to deploy web applications in the cloud computing environment;
  
  forwarding the communications packet to the component of the cloud computing environment when completion of execution of the set of rules indicates compliance of the intercepted communications packet with the policy; and
  
  rejecting the communications packet when completion of execution of the set of rules indicates non-compliance of the communications packet with the policy.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The proxy server of claim 14, wherein the executing step further comprises editing payload data in the communications packet to comply with the policy.
  - 16. The proxy server of claim 14, wherein the executing step further comprises accessing a networked service to confirm compliance with the policy.
  - 17. The proxy server of claim 14, wherein the executing step further comprises redirecting a transmitter of the communications packet to interact with a networked service to comply with the policy.
  - 18. The proxy server of claim 14, wherein the processor is further configured to perform the steps of:
    - receiving a response to the communications packet from the cloud computing environment;
      
      dispatching the response to a response rules engine related to the identified command; and
      
      forwarding the response to a transmitter of the communications packet when completion of execution of a set of rules in the response rules engine indicates compliance of the response with the policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pivotal Software, Inc. (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Collison, Derek, Lucovsky, Mark, Spivak, Vadim, Chen, Gerald C., Laddad, Ramnivas
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LEE, JASON T

Application Number

US13/094,500
Publication Number

US 20110265168A1
Time in Patent Office

917 Days
Field of Search

726/7, 726/13
US Class Current

726/7
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/629   to features or functions of...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 63/0245   Filtering by information in...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

Policy engine for cloud platform

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Policy engine for cloud platform

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links