Enforcing consistent enterprise and cloud security profiles

US 8,578,442 B1
Filed: 03/11/2011
Issued: 11/05/2013
Est. Priority Date: 03/11/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of enforcing consistent enterprise and cloud security profiles comprising:

defining a domain model describing cloud resource objects associated with an enterprise, wherein the cloud security profiles associated with enterprise users describe permissions of the users with respect to the objects;

specifying a relationship map mapping permissions for objects of the domain model to one or more roles of enterprise users, wherein local security profiles maintained by the enterprise associate users with one or more roles, the domain model and relationship map collectively forming an access policy for the cloud resource objects;

monitoring network traffic to detect an attempt to configure a cloud security profile associated with a user in a manner inconsistent with the access policy; and

remediating a detected attempt to configure the cloud security profile in the manner inconsistent with the access policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Consistent enterprise and cloud security profiles are enforced. A domain model describing cloud resource objects associated with an enterprise is defined. Further, a relationship map describing relationships between the objects of the domain model and roles of enterprise users described by local security profiles maintained by the enterprise is specified. The domain model and relationship map collectively form an access policy for the cloud resource objects. Network traffic is monitored to detect network traffic attempting to configure a cloud security profile describing permissions of an enterprise user with respect to cloud resource objects in a manner inconsistent with the access policy. Detected network traffic attempting to configure the cloud security profile in the manner inconsistent with access policy is remediated.

Citations

20 Claims

1. A computer-implemented method of enforcing consistent enterprise and cloud security profiles comprising:
- defining a domain model describing cloud resource objects associated with an enterprise, wherein the cloud security profiles associated with enterprise users describe permissions of the users with respect to the objects;
  
  specifying a relationship map mapping permissions for objects of the domain model to one or more roles of enterprise users, wherein local security profiles maintained by the enterprise associate users with one or more roles, the domain model and relationship map collectively forming an access policy for the cloud resource objects;
  
  monitoring network traffic to detect an attempt to configure a cloud security profile associated with a user in a manner inconsistent with the access policy; and
  
  remediating a detected attempt to configure the cloud security profile in the manner inconsistent with the access policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein defining the domain model comprises:
    - identifying cloud resource objects provided to the enterprise by a Software-as-a-Service (SaaS) provider; and
      
      establishing relationships among the cloud resource objects.
  - 3. The method of claim 1, wherein specifying the relationship map comprises:
    - identifying roles assigned to the enterprise users by the local security profiles;
      
      associating the roles assigned to the enterprise users with objects in the domain model; and
      
      specifying permissions of the roles with respect to the objects with which the roles are associated.
  - 4. The method of claim 1, wherein the access policy describes permissions of enterprise users with respect to the cloud resource objects.
  - 5. The method of claim 4, further comprising:
    - configuring a plurality of cloud security profiles to conform with the access policy.
  - 6. The method of claim 1, wherein monitoring network traffic comprises:
    - inspecting network traffic to detect an attempt to alter the cloud security profile; and
      
      determining whether the attempted alteration of the cloud security profile is consistent with the access policy.
  - 7. The method of claim 1, wherein remediating the detected attempt comprises blocking the attempt.

8. A non-transitory computer-readable storage medium storing executable computer program instructions for enforcing consistent enterprise and cloud security profiles, the instructions executable to perform steps comprising:
- defining a domain model describing cloud resource objects associated with an enterprise, wherein the cloud security profiles associated with enterprise users describe permissions of the users with respect to the objects;
  
  specifying a relationship map mapping permissions for objects of the domain model to one or more roles of enterprise users, wherein local security profiles maintained by the enterprise associate users with one or more roles, the domain model and relationship map collectively forming an access policy for the cloud resource objects;
  
  monitoring network traffic to detect an attempt to configure a cloud security profile associated with a user in a manner inconsistent with the access policy; and
  
  remediating a detected attempt to configure the cloud security profile in the manner inconsistent with the access policy.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, wherein defining the domain model comprises:
    - identifying cloud resource objects provided to the enterprise by a Software-as-a-Service (SaaS) provider; and
      
      establishing relationships among the cloud resource objects.
  - 10. The computer-readable storage medium of claim 8, wherein specifying the relationship map comprises:
    - identifying roles assigned to the enterprise users by the local security profiles;
      
      associating the roles assigned to the enterprise users with objects in the domain model; and
      
      specifying permissions of the roles with respect to the objects with which the roles are associated.
  - 11. The computer-readable storage medium of claim 8, wherein the access policy describes permissions of enterprise users with respect to the cloud resource objects.
  - 12. The computer-readable storage medium of claim 11, the steps further comprising:
    - configuring a plurality of cloud security profiles to conform with the access policy.
  - 13. The computer-readable storage medium of claim 8, wherein monitoring network traffic comprises:
    - inspecting network traffic to detect an attempt to alter the cloud security profile; and
      
      determining whether the attempted alteration of the cloud security profile is consistent with the access policy.
  - 14. The computer-readable storage medium of claim 8, wherein remediating the detected attempt comprises blocking the attempt.

15. A computer system for enforcing consistent enterprise and cloud security profiles, comprising:
- a non-transitory computer-readable storage medium storing executable computer program instructions comprising instructions for;
  
  defining a domain model describing cloud resource objects associated with an enterprise, wherein the cloud security profiles associated with enterprise users describe permissions of the users with respect to the objects;
  
  specifying a relationship map mapping permissions for objects of the domain model to one or more roles of enterprise users, wherein local security profiles maintained by the enterprise associate users with one or more roles, the domain model and relationship map collectively forming an access policy for the cloud resource objects;
  
  monitoring network traffic to detect an attempt to configure a cloud security profile associated with a user in a manner inconsistent with the access policy; and
  
  remediating a detected attempt to configure the cloud security profile in the manner inconsistent with the access policy; and
  
  a processor for executing the computer program instructions.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system of claim 15, wherein defining the domain model comprises:
    - identifying cloud resource objects provided to the enterprise by a Software-as-a-Service (SaaS) provider; and
      
      establishing relationships among the cloud resource objects.
  - 17. The computer system of claim 15, wherein specifying the relationship map comprises:
    - identifying roles assigned to the enterprise users by the local security profiles;
      
      associating the roles assigned to the enterprise users with objects in the domain model; and
      
      specifying permissions of the roles with respect to the objects with which the roles are associated.
  - 18. The computer system of claim 15, wherein the access policy describes permissions of enterprise users with respect to the cloud resource objects.
  - 19. The computer system of claim 18, the steps further comprising:
    - configuring a plurality of cloud security profiles to conform with the access policy.
  - 20. The computer system of claim 15, wherein monitoring network traffic comprises:
    - inspecting network traffic to detect an attempt to alter the cloud security profile; and
      
      determining whether the attempted alteration of the cloud security profile is consistent with the access policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Banerjee, Deb
Primary Examiner(s)
ARMOUCHE, HADI S

Application Number

US13/046,664
Time in Patent Office

970 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/1441 Countermeasures against mal...

Enforcing consistent enterprise and cloud security profiles

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing consistent enterprise and cloud security profiles

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links