Protection of user data in hosted application environments

US 9,098,709 B2
Filed: 11/13/2012
Issued: 08/04/2015
Est. Priority Date: 11/13/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method of converting an original application into a cloud-hosted application, the method comprising:

splitting, by a processor, the original application into a plurality of application components, along security relevant boundaries, wherein the original application performs a plurality of functions;

mapping, by the processor, the application components to hosting infrastructure boundaries to enable the application components to be hosted by separate entities; and

using, by the processor, a mechanism to enforce a privacy policy of a user of the original application to provide secure communications between the application components,wherein the splitting comprises a processor parsing computer code of the original application for boundary program labels that define respective boundaries of each application component within the original application, and generating a new program for each boundary program label that performs a subset of the functions,wherein each new program has access to a website and only a distinct subset of user information of the user based on the privacy policy, andwherein the processor creates an additional program that has access to all the user information, is configured to process data from the new programs to produce results that are presented to the user, and is prevented from accessing the websites, wherein the mapping comprising assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.

Citations

15 Claims

1. A method of converting an original application into a cloud-hosted application, the method comprising:
- splitting, by a processor, the original application into a plurality of application components, along security relevant boundaries, wherein the original application performs a plurality of functions;
  
  mapping, by the processor, the application components to hosting infrastructure boundaries to enable the application components to be hosted by separate entities; and
  
  using, by the processor, a mechanism to enforce a privacy policy of a user of the original application to provide secure communications between the application components,wherein the splitting comprises a processor parsing computer code of the original application for boundary program labels that define respective boundaries of each application component within the original application, and generating a new program for each boundary program label that performs a subset of the functions,wherein each new program has access to a website and only a distinct subset of user information of the user based on the privacy policy, andwherein the processor creates an additional program that has access to all the user information, is configured to process data from the new programs to produce results that are presented to the user, and is prevented from accessing the websites, wherein the mapping comprising assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the using comprises assigning a firewall between at least two of the application components.
  - 3. The method of claim 1, wherein the using comprises assigning a firewall between at least one of the application components and at least one external application.
  - 4. The method of claim 3, wherein the external application is a website.
  - 5. The method of claim 1, further comprises deploying the cloud-hosted application in a cloud.
  - 6. The method of claim 5, wherein deploying the cloud-hosted application comprises an operating system of a computer system starting each application component in its own virtual machine.
  - 7. The method of claim 5, further comprises enforcing restrictions on transfer of information between at least two of the components and at least one external entity based on the privacy policy and a manifest.
  - 8. The method of claim 7, wherein the privacy policy is a computer data structure that indicates information that is to be shared with each external entity, and the manifest is a computer data structure that indicates which of the external entities are configured to communicate with each application component and part of the information required by each application component.
  - 9. The method of claim 8, wherein the enforcing comprises further generating rules for a firewall from the privacy policy and the manifest.
  - 10. The method of claim 5, further comprises associating a licensing agreement that the user must agree to before it uses the cloud-hosted application.
  - 11. The method of claim 10, wherein the licensing agreement includes a distinct section for each application component present in the cloud-hosted application.
  - 12. The method of claim 10, wherein a structure of the licensing agreement is machine readable such that the licensing agreement is readable by a natural language processing tools.
  - 13. The method of claim 10, further comprising presenting the licensing agreement to the user before enabling the user access to the cloud-hosted application.

14. A method of converting an original application into a cloud-hosted application, the method comprising:
- splitting, by a processor, the original application into a plurality of application components, along security relevant boundaries, wherein the original application performs a plurality of functions;
  
  mapping, by the processor, the application components to hosting infrastructure boundaries to enable the application components to be hosted by separate entities; and
  
  using, by the processor, a mechanism to enforce a privacy policy of a user of the original application to provide secure communications between the application components,wherein the splitting comprises a processor parsing computer code of the original application for boundary program labels that define respective boundaries of each application component within the original application, and generating a new program for each boundary program label that performs a subset of the functions,wherein the processor constructs a customized licensing agreement with a section for each application component based on the privacy policy, and the agreement is presented to the user before access to the cloud-hosted application is enabled, wherein each new program has access to a website and only a distinct subset of user information of the user based on the privacy policy,wherein the processor creates an additional program that has access to all the user information, is configured to process data from the new programs to produce results that are presented to the user, and is prevented from accessing the websites, and wherein the mapping comprising assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.
- View Dependent Claims (15)
- - 15. The method of claim 14, wherein when one of the components is disabled based on the privacy policy, the licensing agreement excludes the section corresponding to the disabled component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Christodorescu, Mihai, Pendarakis, Dimitrios, Singh, Kapil K.
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Torres-Diaz, Lizbeth

Application Number

US13/675,383
Publication Number

US 20140137179A1
Time in Patent Office

994 Days
Field of Search

726/26, 726/27, 705/64
US Class Current

1/1
CPC Class Codes

G06F 21/105   Arrangements for software l...

G06F 21/53   by executing in a restricte...

G06F 21/60   Protecting data

H04L 63/10   for controlling access to d...

Protection of user data in hosted application environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Protection of user data in hosted application environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links