System and method for a facet security framework
First Claim
1. A method for securing a federated cloud computing environment, comprising:
intercepting, by a trust enforcer computing device from a requesting computing device, a first action request from the requesting computing device for an action to be performed with respect to a resource in the federated cloud computing environment;
determining, by the trust enforcer computing device, that the first action request does not include a resource facet to allow access to the resource by the requesting computing device;
in response to determining, by the trust enforcer computing device, that the first action request does not include the resource facet, redirecting the requesting computing device to an identity provider computing device;
after redirecting the requesting computing device to the identity provider computing device, receiving, by the trust enforcer computing device from the requesting computing device, an authentication token issued to the requesting computing device by the identity provider computing device;
upon validating the authentication token with the identity provider computing device, redirecting, by the trust enforcer computing device, the first request to a trust authority computing device, wherein the trust authority computing device is to evaluate the identity of the requesting computing device against a policy associated with the resource and to cause a facet server to issue a resource facet for the requesting computing device when the policy is satisfied;
intercepting, by the trust enforcer computing device, a second action request from the requesting computing device for the action to be performed with respect to the resource in the federated cloud computing environment, wherein the second action request comprises the resource facet;
determining, by the trust enforcer computing device, whether the resource facet is valid for the action; and
in response to determining that the resource facet is valid for the action, allowing the requesting computing device to perform the action.
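The claimed exchange, modelled as an added example that is not from the patent: a trust enforcer intercepts each request, redirects an unauthenticated device to the identity provider, validates the returned token, hands the request to a trust authority that checks policy and has a facet server issue a facet, and finally admits only a second request carrying a facet that is valid for that action. The HMAC-signed facet format, the policy dictionary and the return strings are my assumptions, not the patent's.

```python
import hashlib, hmac, secrets

class IdentityProvider:
    """Issues bearer tokens on login; the enforcer validates them here."""
    def __init__(self): self._tokens = {}
    def authenticate(self, subject):
        tok = secrets.token_hex(8); self._tokens[tok] = subject; return tok
    def validate(self, token): return self._tokens.get(token)

class FacetServer:
    """Assumed facet format: 'subject|resource|action' + '.' + HMAC tag."""
    def __init__(self): self._key = secrets.token_bytes(32)
    def _tag(self, msg): return hmac.new(self._key, msg, hashlib.sha256).hexdigest().encode()
    def issue(self, subject, resource, action):
        msg = f"{subject}|{resource}|{action}".encode()
        return msg + b"." + self._tag(msg)
    def valid_for(self, facet, resource, action):
        msg, _, tag = facet.rpartition(b".")
        if not hmac.compare_digest(tag, self._tag(msg)): return False   # tampered
        _, res, act = msg.decode().split("|")
        return res == resource and act == action    # facet is bound to one action

class TrustAuthority:
    """Evaluates the authenticated identity against the resource's policy."""
    def __init__(self, policy, facets): self.policy, self.facets = policy, facets
    def request_facet(self, subject, resource, action):
        if subject in self.policy.get(resource, {}).get(action, ()):
            return self.facets.issue(subject, resource, action)
        return None                                  # policy not satisfied

class TrustEnforcer:
    """Intercepts every action request and gates it on a valid facet."""
    def __init__(self, idp, authority, facets):
        self.idp, self.authority, self.facets = idp, authority, facets
    def intercept(self, req):
        if "facet" in req:                           # second request: check the facet
            ok = self.facets.valid_for(req["facet"], req["resource"], req["action"])
            return "allow" if ok else "deny"
        if "token" not in req: return "redirect_to_idp"   # first request, no identity yet
        subject = self.idp.validate(req["token"])
        if subject is None: return "deny"
        facet = self.authority.request_facet(subject, req["resource"], req["action"])
        return ("facet", facet) if facet else "deny"

def run_flow(enforcer, idp, subject, resource, action):
    """Drive a requesting device through the whole exchange; returns the final decision."""
    req = {"resource": resource, "action": action}
    assert enforcer.intercept(req) == "redirect_to_idp"
    req["token"] = idp.authenticate(subject)         # device logs in at the IdP
    outcome = enforcer.intercept(req)
    if outcome == "deny": return "deny"
    return enforcer.intercept({"resource": resource, "action": action, "facet": outcome[1]})
```

The facet is bound to one (subject, resource, action) triple, so a facet issued for a read cannot be replayed for a write on the same resource.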
Abstract
An example method is provided and includes intercepting an action request from an entity for an action to be performed with respect to a resource in a cloud environment, where the action request comprises a resource facet that controls access to the resource. The method also includes determining whether the resource facet is valid for the action by evaluating a policy associated with the resource; and allowing the action.
19 Claims
1. A method for securing a federated cloud computing environment, comprising the steps set out in the first claim above. - View Dependent Claims (2, 3, 4, 5, 6)
-
7. A trust enforcer computing device comprising at least one processor and at least one memory, the at least one memory including computer program instructions that, when executed by the at least one processor, cause the trust enforcer computing device to:
intercept, from a requesting computing device, a first action request from the requesting computing device for an action to be performed with respect to a resource in the federated cloud computing environment;
determine that the first action request does not include a resource facet to allow access to the resource by the requesting computing device;
in response to a determination that the first action request does not include the resource facet, redirect the requesting computing device to an identity provider computing device;
after redirection of the requesting computing device to the identity provider computing device, receive, from the requesting computing device, an authentication token issued to the requesting computing device by the identity provider computing device;
upon validation of the authentication token with the identity provider computing device, redirect the first request to a trust authority computing device, wherein the trust authority computing device is to evaluate the identity of the requesting computing device against a policy associated with the resource and to cause a facet server to issue a resource facet for the requesting computing device when the policy is satisfied;
intercept a second action request from the requesting computing device for the action to be performed with respect to the resource in the federated cloud environment, wherein the second action request comprises the resource facet;
determine whether the resource facet is valid for the action; and
in response to a determination that the resource facet is valid for the action, allow the requesting computing device to perform the action. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
-
15. A non-transitory computer readable media comprising instructions that, when executed by a processor of a trust enforcer computing device, cause the trust enforcer computing device to:
intercept, from a requesting computing device, a first action request from the requesting computing device for an action to be performed with respect to a resource in the federated cloud computing environment;
determine that the first action request does not include a resource facet to allow access to the resource by the requesting computing device;
in response to a determination that the first action request does not include the resource facet, redirect the requesting computing device to an identity provider computing device;
after redirection of the requesting computing device to the identity provider computing device, receive, from the requesting computing device, an authentication token issued to the requesting computing device by the identity provider computing device;
upon validation of the authentication token with the identity provider computing device, redirect the first request to a trust authority computing device, wherein the trust authority computing device is to evaluate the identity of the requesting computing device against a policy associated with the resource and to cause a facet server to issue a resource facet for the requesting computing device when the policy is satisfied;
intercept a second action request from the requesting computing device for the action to be performed with respect to the resource in the federated cloud computing environment, wherein the second action request comprises the resource facet;
determine whether the resource facet is valid for the action; and
in response to a determination that the resource facet is valid for the action, allow the requesting computing device to perform the action. - View Dependent Claims (16, 17, 18, 19)