System and method for a facet security framework

US 9,225,682 B2
Filed: 10/03/2013
Issued: 12/29/2015
Est. Priority Date: 10/03/2013
Status: Active Grant

First Claim

Patent Images

1. A method for securing a federated cloud computing environment, comprising:

intercepting, by a trust enforcer computing device from a requesting computing device, a first action request from the requesting computing device for an action to be performed with respect to a resource in the federated cloud computing environment;

determining, by the trust enforcer computing device, that the first action request does not include a resource facet to allow access to the resource by the requesting computing device;

in response to determining, by the trust enforcer computing device, that the first action request does not include the resource facet, redirecting the requesting computing device to an identity provider computing device;

after redirecting the requesting computing device to the identity provider computing device, receiving, by the trust enforcer computing device from the requesting computing device, an authentication token issued to the requesting computing device by the identity provider computing device;

upon validating the authentication token with the identity provider computing device, redirecting, by the trust enforcer computing device, the first request to a trust authority computing device, wherein the trust authority computing device is to evaluate the identity of the requesting computing device against a policy associated with the resource and to cause a facet server to issue a resource facet for the requesting computing device when the policy is satisfied;

intercepting, by the trust enforcer computing device, a second action request from the requesting computing device for the action to be performed with respect to the resource in the federated cloud computing environment, wherein the second action request comprises the resource facet;

determining, by the trust enforcer computing device, whether the resource facet is valid for the action; and

in response to determining that the resource facet is valid for the action, allowing the requesting computing device to perform the action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method is provided and includes intercepting an action request from an entity for an action to be performed with respect to a resource in a cloud environment, where the action request comprises a resource facet that controls access to the resource. The method also includes determining whether the resource facet is valid for the action by evaluating a policy associated with the resource; and allowing the action.

4 Citations

View as Search Results

19 Claims

1. A method for securing a federated cloud computing environment, comprising:
- intercepting, by a trust enforcer computing device from a requesting computing device, a first action request from the requesting computing device for an action to be performed with respect to a resource in the federated cloud computing environment;
  
  determining, by the trust enforcer computing device, that the first action request does not include a resource facet to allow access to the resource by the requesting computing device;
  
  in response to determining, by the trust enforcer computing device, that the first action request does not include the resource facet, redirecting the requesting computing device to an identity provider computing device;
  
  after redirecting the requesting computing device to the identity provider computing device, receiving, by the trust enforcer computing device from the requesting computing device, an authentication token issued to the requesting computing device by the identity provider computing device;
  
  upon validating the authentication token with the identity provider computing device, redirecting, by the trust enforcer computing device, the first request to a trust authority computing device, wherein the trust authority computing device is to evaluate the identity of the requesting computing device against a policy associated with the resource and to cause a facet server to issue a resource facet for the requesting computing device when the policy is satisfied;
  
  intercepting, by the trust enforcer computing device, a second action request from the requesting computing device for the action to be performed with respect to the resource in the federated cloud computing environment, wherein the second action request comprises the resource facet;
  
  determining, by the trust enforcer computing device, whether the resource facet is valid for the action; and
  
  in response to determining that the resource facet is valid for the action, allowing the requesting computing device to perform the action.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the policy has a plurality of addresses and attributes, each associated with at least one resource.
  - 3. The method of claim 2, wherein determining whether the resource facet is valid for the action comprises:
    - comparing an address and attributes of the resource facet to the plurality of addresses and attributes of the policy.
  - 4. The method of claim 1, wherein the requesting computing device is in a domain different from a domain of the resource.
  - 5. The method of claim 1, wherein the identity provider computing device is to authenticate the requesting computing device in accordance with SAML.
  - 6. The method of claim 1, wherein the resource facet includes delegator information indicating that access to the resource was delegated to the requesting computing device by another entity in the federated cloud computing system.

7. A trust enforcer computing device comprising at least one processor and at least one memory, the at least one memory including computer program instructions that, when executed by the at least one processor, cause the trust enforcer computing device to:
- intercept, from a requesting computing device, a first action request from the requesting computing device for an action to be performed with respect to a resource in the federated cloud computing environment;
  
  determine that the first action request does not include a resource facet to allow access to the resource by the requesting computing device;
  
  in response to a determination that the first action request does not include the resource facet, redirect the requesting computing device to an identity provider computing device;
  
  after redirection of the requesting computing device to the identity provider computing device, receive, from the requesting computing device, an authentication token issued to the requesting computing device by the identity provider computing device;
  
  upon validation of the authentication token with the identity provider computing device, redirect the first request to a trust authority computing device, wherein the trust authority computing device is to evaluate the identity of the requesting computing device against a policy associated with the resource and to cause a facet server to issue a resource facet for the requesting computing device when the policy is satisfied;
  
  intercept a second action request from the requesting computing device for the action to be performed with respect to the resource in the federated cloud environment, wherein the second action request comprises the resource facet;
  
  determine whether the resource facet is valid for the action; and
  
  in response to a determination that the resource facet is valid for the action, allow the requesting computing device to perform the action.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The trust enforcer computing device of claim 7, wherein the policy has a plurality of addresses and attributes, each associated with at least one resource.
  - 9. The trust enforcer computing device of claim 8, wherein a determination of whether the resource facet is valid comprises a comparison of an address and attributes of the resource facet to the plurality of addresses and attributes of the policy.
  - 10. The trust enforcer computing device of claim 7, wherein the trust authority computing device is to receive the policy associated with the resource from a resource provider computing device via an application programming interface (API).
  - 11. The trust enforcer computing device of claim 7, wherein the resource facet is a uniform resource locator (URL).
  - 12. The trust enforcer computing device of claim 7, wherein the trust authority computing device is to access the policy from a computing device remote from the trust authority computing device.
  - 13. The trust enforcer computing device of claim 7, wherein the facet server is to sign the resource facet with a digital signature associated with the facet server.
  - 14. The trust enforcer computing device of claim 7, wherein the facet server is to provide a facet verification service to provide an issue history for the resource facet.

15. A non-transitory computer readable media comprising instructions that, when executed by a processor of a trust enforcer computing device, cause the trust enforcer computing device to:
- intercept, from a requesting computing device, a first action request from the requesting computing device for an action to be performed with respect to a resource in the federated cloud computing environment;
  
  determine that the first action request does not include a resource facet to allow access to the resource by the requesting computing device;
  
  in response to a determination that the first action request does not include the resource facet, redirect the requesting computing device to an identity provider computing device;
  
  after redirection of the requesting computing device to the identity provider computing device, receive, from the requesting computing device, an authentication token issued to the requesting computing device by the identity provider computing device;
  
  upon validation of the authentication token with the identity provider computing device, redirect the first request to a trust authority computing device, wherein the trust authority computing device is to evaluate the identity of the requesting computing device against a associated with the resource and to cause a facet server to issue a resource facet for the requesting computing device when the policy is satisfied;
  
  intercept a second action request from the requesting computing device for the action to be performed with respect to the resource in the federated cloud computing environment, wherein the second action request comprises the resource facet;
  
  determine whether the resource facet is valid for the action; and
  
  in response to a determination that the resource fact is valid for the action, allow the requesting computing device to perform the action.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The media of claim 15, wherein the policy has a plurality of addresses and attributes, each associated with at least one resource.
  - 17. The media of claim 16, wherein a determination of whether the resource facet is valid for the action comprises a comparison of an address and attributes of the resource facet to the plurality of addresses and attributes of the policy.
  - 18. The media of claim 15, wherein the instructions are further to, upon execution by the processor, cause the trust enforcer computing device to communicate with multiple different identity provider computing devices using multiple different protocols.
  - 19. The media of claim 18, wherein the multiple different protocols include two or more of SAML v1, SAML v2, Liberty, and Shibboleth.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sarkar, Dipankar, Danilov, Oleg, Batra, Alok, Morrell, John M.
Primary Examiner(s)
Chao, Michael

Application Number

US14/045,350
Publication Number

US 20150101034A1
Time in Patent Office

817 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 63/00   Network architectures or ne...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

System and method for a facet security framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

4 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for a facet security framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links