Control pool based enterprise policy enabler for controlled cloud access
First Claim
1. A method for controlling access to a plurality of cloud networks, wherein the method is implemented in a gateway with a cloud interface and an enterprise interface, and wherein the method comprises:
establishing an enterprise session with an enterprise user via the enterprise interface to obtain an enterprise security key unique to the enterprise user;
establishing a cloud session with a first of the cloud networks via the cloud interface to obtain a cloud security key unique to the gateway and the first cloud network;
creating an enterprise session to cloud session mapping by mapping the enterprise security key to the cloud security key;
storing the enterprise session to cloud session mapping in a secure key store located in the gateway;
receiving a packet comprising the enterprise security key from the enterprise user via the enterprise interface;
replacing the enterprise security key in the packet with the cloud security key; and
forwarding the packet comprising the cloud security key to the first cloud network via the cloud interface, wherein the cloud security key is not provided to the enterprise user to prevent the enterprise user from obtaining direct access to the first cloud network.
Abstract
A method for controlling access to a Cloud, comprising receiving traffic from an Enterprise user at a gateway, wherein the traffic carries a first key specific to the Enterprise user for use internal to the gateway, replacing the first key with a second key, wherein the second key is a Cloud-negotiated key generic to a plurality of Enterprise users which permits access to the Cloud, and sending traffic to the Cloud.
13 Claims
1. Independent claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method for exchanging data between an enterprise user and a plurality of cloud networks, wherein the method is implemented in an enterprise policy enabler with a cloud interface and an enterprise interface, and wherein the method comprises:
establishing an enterprise session with the enterprise user via the enterprise interface to obtain an enterprise security key unique to the enterprise user;
establishing a cloud session with the cloud networks via the cloud interface to obtain a cloud security key unique to a private cloud network;
creating an enterprise session to cloud session mapping by mapping the enterprise security key to the cloud security key;
storing the enterprise session to cloud session mapping in a secure key store;
receiving a packet from the enterprise user via the enterprise interface, wherein the packet comprises the enterprise security key and a request for access to at least one resource associated with a public cloud network;
modifying packet data to modify the request based on at least one policy associated with the plurality of cloud networks, wherein modifying the request comprises replacing the enterprise security key with the cloud security key based on the enterprise session to cloud session mapping; and
forwarding the packet to a resource of the private cloud network via the cloud interface, wherein the modifying the request based on the policy comprises redirecting the packet from the public cloud network to the private cloud network based on a determination that the policy prohibits access to the public cloud network resource due to confidential data stored in the packet data.
Dependent claims: 10, 11, 12, 13
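The gateway that claims 1 and 9 describe, written out as an added Python example (this is not the patent's own code or any product's implementation). It models the enterprise interface, the cloud interface, the enterprise-session-to-cloud-session mapping held in the gateway's key store, the key swap on each forwarded packet, and claim 9's redirect of confidential traffic from the public cloud to the private cloud. The key formats, the cloud names, the stub CloudNetwork class and the substring rule standing in for a confidential-data classifier are all assumptions made for illustration. The check worth running is the last one in demo(): the cloud stub accepts only keys negotiated with the gateway, so a packet carrying the user's enterprise key is refused and the gateway remains the only path to the cloud.

```python
import secrets
from dataclasses import dataclass, replace as dc_replace

PUBLIC_CLOUD = "public-cloud"    # constructed cloud names (assumption)
PRIVATE_CLOUD = "private-cloud"

# Constructed markers standing in for a real confidential-data classifier (assumption).
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "SSN:")


def contains_confidential_data(payload: str) -> bool:
    return any(marker in payload for marker in CONFIDENTIAL_MARKERS)


@dataclass(frozen=True)
class Packet:
    key: str      # security key carried in the packet
    target: str   # cloud network the enterprise user asked for
    payload: str  # application data


class CloudNetwork:
    """Stub cloud: issues one key per gateway session and accepts only packets carrying such a key."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._session_keys: set[str] = set()
        self.received: list[Packet] = []

    def negotiate_session(self) -> str:
        key = f"{self.name}-{secrets.token_hex(16)}"
        self._session_keys.add(key)
        return key

    def accept(self, pkt: Packet) -> bool:
        if pkt.key not in self._session_keys:
            return False  # an enterprise key means nothing to the cloud
        self.received.append(pkt)
        return True


class Gateway:
    """Enterprise policy enabler: enterprise interface on one side, cloud interface on the other."""

    def __init__(self, clouds: dict[str, CloudNetwork]) -> None:
        self.clouds = clouds
        self._users: dict[str, str] = {}                  # enterprise key -> user id
        self._cloud_keys: dict[str, str] = {}             # cloud name -> key unique to this gateway
        self._key_store: dict[tuple[str, str], str] = {}  # (enterprise key, cloud) -> cloud key

    def establish_enterprise_session(self, user_id: str) -> str:
        """Returns the per-user enterprise key; it is the only key the user ever receives."""
        ekey = "ent-" + secrets.token_hex(16)
        self._users[ekey] = user_id
        return ekey

    def establish_cloud_session(self, cloud: str) -> None:
        """Negotiates the gateway's own key with the cloud and keeps it inside the gateway."""
        self._cloud_keys[cloud] = self.clouds[cloud].negotiate_session()

    def map_session(self, ekey: str, cloud: str) -> None:
        """Creates the enterprise-session-to-cloud-session mapping in the key store."""
        if ekey not in self._users or cloud not in self._cloud_keys:
            raise KeyError("both sessions must exist before they can be mapped")
        self._key_store[(ekey, cloud)] = self._cloud_keys[cloud]

    def forward(self, pkt: Packet) -> tuple[str, bool]:
        """Applies policy, swaps the key, delivers. Returns (destination, accepted by cloud)."""
        dest = pkt.target
        # Claim 9 policy: confidential payloads bound for the public cloud go to the private cloud.
        if dest == PUBLIC_CLOUD and contains_confidential_data(pkt.payload):
            dest = PRIVATE_CLOUD
        ckey = self._key_store.get((pkt.key, dest))
        if ckey is None:
            return ("dropped", False)  # unknown or unmapped session: nothing leaves the gateway
        rewritten = dc_replace(pkt, key=ckey, target=dest)
        return (dest, self.clouds[dest].accept(rewritten))


def demo() -> dict:
    """Runs the flows of claims 1 and 9 on constructed packets and reports the outcomes."""
    clouds = {n: CloudNetwork(n) for n in (PUBLIC_CLOUD, PRIVATE_CLOUD)}
    gw = Gateway(clouds)
    for name in clouds:
        gw.establish_cloud_session(name)
    alice = gw.establish_enterprise_session("alice")
    gw.map_session(alice, PUBLIC_CLOUD)
    gw.map_session(alice, PRIVATE_CLOUD)
    return {
        "benign_to_public": gw.forward(Packet(alice, PUBLIC_CLOUD, "quarterly newsletter")),
        "confidential_to_public": gw.forward(
            Packet(alice, PUBLIC_CLOUD, "CONFIDENTIAL: payroll SSN:123-45-6789")),
        "unmapped_key": gw.forward(Packet("ent-unknown", PUBLIC_CLOUD, "hello")),
        # The cloud refuses the enterprise key itself, so the gateway stays the only path in.
        "enterprise_key_accepted_by_cloud": clouds[PUBLIC_CLOUD].accept(
            Packet(alice, PUBLIC_CLOUD, "hello")),
        "public_payloads": [p.payload for p in clouds[PUBLIC_CLOUD].received],
        "private_payloads": [p.payload for p in clouds[PRIVATE_CLOUD].received],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Because every user's traffic leaves the gateway under the gateway's own cloud keys, the key store holds the credentials for all cloud sessions at once; the "secure key store" of the claims is therefore the asset to protect, and a production gateway would keep those keys in hardware-backed storage and log each mapping lookup and each policy redirect so that misuse of a mapping is visible.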