Policy engine for cloud platform

US 9,071,522 B2
Filed: 10/28/2013
Issued: 06/30/2015
Est. Priority Date: 04/26/2010
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing organizational policies of an organization for web applications deployed in a cloud computing environment by users in the organization, the method comprising the steps of:

intercepting, by a policy engine installed on a device associated with the organization, a communications packet transmitted by a user device and intended for the cloud computing environment;

determining that the intercepted communications packet comprises data including a cloud controller command and a command payload and that the cloud controller command relates to management of web applications in the cloud computing environment;

in response to the determining, dispatching the intercepted communications packet to a rules engine corresponding to the cloud controller command;

executing, by the rules engine, a set of rules representing a policy of the organization for web applications in the cloud computing environment, including editing the command payload in the intercepted communications packet according to the set of rules representing the policy; and

forwarding the intercepted communications packet to the cloud computing environment if a result of execution of the set of rules by the rules engine indicates compliance of the intercepted communications packet with the policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy engine is situated within the communications path of a cloud computing environment and a user of the cloud computing environment to comply with an organization'"'"'s policies for deploying web applications in the cloud computing environment. The policy engine intercepts communications packets to the cloud computing environment from a user, such as a web application developer, for example, in preparation for deploying a web application in the cloud computing environment. The policy engine identifies commands corresponding to the communications packets and directs the communications packets to appropriate rules engines corresponding to such commands in order to execute rules to comply with an organization'"'"'s policies. Upon completion of execution of the rules, the communications packets are forwarded to the cloud computing environment if they comply with the policies.

56 Citations

View as Search Results

17 Claims

1. A method for enforcing organizational policies of an organization for web applications deployed in a cloud computing environment by users in the organization, the method comprising the steps of:
- intercepting, by a policy engine installed on a device associated with the organization, a communications packet transmitted by a user device and intended for the cloud computing environment;
  
  determining that the intercepted communications packet comprises data including a cloud controller command and a command payload and that the cloud controller command relates to management of web applications in the cloud computing environment;
  
  in response to the determining, dispatching the intercepted communications packet to a rules engine corresponding to the cloud controller command;
  
  executing, by the rules engine, a set of rules representing a policy of the organization for web applications in the cloud computing environment, including editing the command payload in the intercepted communications packet according to the set of rules representing the policy; and
  
  forwarding the intercepted communications packet to the cloud computing environment if a result of execution of the set of rules by the rules engine indicates compliance of the intercepted communications packet with the policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein executing the set of rules comprises obtaining policy data from a networked service and determining whether the policy data conforms to the set of rules representing the policy.
  - 3. The method of claim 1, wherein executing the set of rules comprises:
    - redirecting the user device to a networked service; and
      
      receiving an indication that a user of the user device interacted with the networked service in accordance with the set of rules representing the policy.
  - 4. The method of claim 1, further comprising the steps of:
    - receiving, by the policy engine, a response from the cloud computing environment;
      
      dispatching the response to a response rules engine corresponding to the cloud controller command in the intercepted communications packet;
      
      executing, by the response rules engine, a second set of rules representing a response policy of the organization for the cloud controller command; and
      
      forwarding the response to the user device if a second result of execution of the second set of rules by the response rules engine indicates compliance of the response with the response policy.
  - 5. The method of claim 1, wherein intercepting, by a policy engine installed on a device associated with the organization, the communications packet comprises intercepting the communications packet by a proxy server at the organization.
  - 6. The method of claim 1, further comprising rejecting the intercepted communications packet when the result of execution of the set of rules by the rules engine indicates non-compliance of the intercepted communications packet with the policy.
  - 7. The method of claim 1, further comprising the steps of:
    - identifying a federated token associated with the intercepted communications packet; and
      
      identifying a user associated with the federated token, wherein the result of execution of the set of rules by the rules engine depends on a role of the user associated with the federated token.

8. A computer program product for enforcing organizational policies of an organization for web applications deployed in a cloud computing environment by users in the organization, the computer program product being encoded on one or more non-transitory computer storage media and comprising instructions that when executed by one or more computers cause the one or more computers to perform operations comprising:
- intercepting, by a policy engine installed on a device associated with the organization, a communications packet transmitted by a user device and intended for the cloud computing environment;
  
  determining that the intercepted communications packet comprises data including a cloud controller command and a command payload and that the cloud controller command relates to management of web applications in the cloud computing environment;
  
  in response to the determining, dispatching the intercepted communications packet to a rules engine corresponding to the cloud controller command;
  
  executing, by the rules engine, a set of rules representing a policy of the organization for web applications in the cloud computing environment, including editing the command payload in the intercepted communications packet according to the set of rules representing the policy; and
  
  forwarding the intercepted communications packet to the cloud computing environment if a result of execution of the set of rules by the rules engine indicates compliance of the intercepted communications packet with the policy.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer program product of claim 8, wherein executing the set of rules comprises obtaining policy data from a networked service and determining whether the policy data conforms to the set of rules representing the policy.
  - 10. The computer program product of claim 8, wherein executing the set of rules comprises:
    - redirecting the user device to a networked service; and
      
      receiving an indication that a user of the user device interacted with the networked service in accordance with the set of rules representing the policy.
  - 11. The computer program product of claim 8, wherein the operations further comprise:
    - receiving, by the policy engine, a response from the cloud computing environment;
      
      dispatching the response to a response rules engine corresponding to the cloud controller command in the intercepted communications packet;
      
      executing, by the response rules engine, a second set of rules representing a response policy of the organization for the cloud controller command; and
      
      forwarding the response to the user device if a second result of execution of the second set of rules by the response rules engine indicates compliance of the response with the response policy.
  - 12. The computer program product of claim 8, wherein the operations further comprise rejecting the intercepted communications packet when the result of execution of the set of rules by the rules engine indicates noncompliance of the intercepted communications packet with the policy.
  - 13. The computer program product of claim 8, wherein the operations further comprise:
    - identifying a federated token associated with the communications packet; and
      
      identifying a user associated with the federated token, wherein the result of execution of the set of rules by the rules engine depends on a role of the user associated with the federated token.

14. A system for enforcing organizational policies of an organization for web applications deployed in a cloud computing environment by user in the organization, the system comprising one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:
- intercepting, by a policy engine of the system, a communications packet transmitted by a user device and intended for the cloud computing environment;
  
  determining that the communications packet comprises data including a cloud controller command and a command payload and that the cloud controller command relates to management of web applications in the cloud computing environment;
  
  in response to the determining, dispatching the intercepted communications packet to a rules engine corresponding to the cloud controller command;
  
  executing, by the rules engine, a set of rules representing a policy of the organization for web applications in the cloud computing environment, including editing the command payload in the intercepted communications packet according to the set of rules representing the policy; and
  
  forwarding the intercepted communications packet to the cloud computing environment if a second result of execution of the set of rules by the rules engine indicates compliance of the intercepted communications packet with the policy.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, wherein executing the set of rules comprises obtaining policy data from a networked service and determining whether the policy data conforms to the set of rules representing the policy.
  - 16. The system of claim 14, wherein executing the set of rules comprises:
    - redirecting the user device to a networked service; and
      
      receiving an indication that a user of the user device interacted with the networked service in accordance with the set of rules representing the policy.
  - 17. The system of claim 14, wherein the operations further comprise:
    - receiving, by the policy engine, a response from the cloud computing environment;
      
      dispatching the response to a response rules engine corresponding to the cloud controller command in the intercepted communications packet;
      
      executing, by the response rules engine, a second set of rules representing a response policy of the organization for the cloud controller command; and
      
      forwarding the response to the user device if a second result of execution of the second set of rules by the response rules engine indicates compliance of the response with the response policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pivotal Software, Inc. (Broadcom, Inc.)
Original Assignee
Pivotal Software, Inc. (Broadcom, Inc.)
Inventors
Lucovsky, Mark, Collison, Derek, Spivak, Vadim, Chen, Gerald C., Laddad, Ramnivas
Primary Examiner(s)
LEE, JASON T

Application Number

US14/064,992
Publication Number

US 20140052867A1
Time in Patent Office

610 Days
Field of Search

726/7, 709/226
US Class Current

1/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/629   to features or functions of...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 63/0245   Filtering by information in...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

Policy engine for cloud platform

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Policy engine for cloud platform

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links