Protection of user data in hosted application environments

US 9,245,126 B2
Filed: 11/15/2012
Issued: 01/26/2016
Est. Priority Date: 11/13/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A system configured to convert an original application into a distributed application comprising a plurality of application components, the system comprising:

a memory storing a computer program; and

a processor configured to execute the computer program,wherein the program is configured to;

generate a manifest comprising an entry for each application component indicating a part of private information of the user the application component is entitled to access, and either indicating i) a website the application component is permitted to share the information with or ii) that the application component is not to permitted to share the information,split the original application into the plurality of application components along security relevant boundaries according to the manifest by generating a second computer program for each entry that only has access to the part of the private information of the entry and the website of the entry, and a third computer program that has access to all the private information, no access to the websites, and is configured to process data received from the second computer programs,map the application components to hosting infrastructure boundaries, anduse a mechanism to enforce a privacy policy of the user and the manifest.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.

283 Citations

14 Claims

1. A system configured to convert an original application into a distributed application comprising a plurality of application components, the system comprising:
- a memory storing a computer program; and
  
  a processor configured to execute the computer program,wherein the program is configured to;
  
  generate a manifest comprising an entry for each application component indicating a part of private information of the user the application component is entitled to access, and either indicating i) a website the application component is permitted to share the information with or ii) that the application component is not to permitted to share the information,split the original application into the plurality of application components along security relevant boundaries according to the manifest by generating a second computer program for each entry that only has access to the part of the private information of the entry and the website of the entry, and a third computer program that has access to all the private information, no access to the websites, and is configured to process data received from the second computer programs,map the application components to hosting infrastructure boundaries, anduse a mechanism to enforce a privacy policy of the user and the manifest.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the program performs the split by parsing computer code of the original application for boundary program labels that define respective boundaries of each application component within the original application, and generating a distinct process for each boundary program label.
  - 3. The system of claim 1, wherein the program performs the map by mapping each application component to a distinct virtual machine.
  - 4. The system of claim 1, wherein the mechanism used by the program is assignment of a firewall between at least two of the application components.
  - 5. The system of claim 1, wherein the mechanism used by the program is assignment of a firewall between at least one of the application components and at least one external application.
  - 6. The system of claim 1, wherein the program is configured to deploy the application in a cloud.
  - 7. The system of claim 6, wherein the program deploys the application by starting each application component in its own virtual machine.
  - 8. The system of claim 1, wherein the program associates a licensing agreement that the user must agree to before it uses the application.
  - 9. The system of claim 8, wherein the licensing agreement includes a distinct section for each application component present in the application.
  - 10. The system of claim 8, wherein a structure of the licensing agreement is machine readable such that the licensing agreement is readable by a natural language processing tools.
  - 11. The system of claim 8, wherein the program presents the licensing agreement to the user before enabling the user access to the application.

12. A system configured to manage a distributed application comprising a plurality of application components, the system comprising:
- a memory storing a computer program; and
  
  a processor configured to execute the program,wherein the program is configured to start a new virtual machine for each application component,wherein each virtual machine runs a distinct one of the application components,wherein a first application component of the application components is configured to communicate first private information of a user to a first website according to a manifest, send a message to the user requesting permission for the first website to access second other private information of the user, update the manifest based on a response of the user to the message, and output the second private information to the website only when the manifest indicates that output of the second private information to the website is allowed,wherein a second application component of the application components is configured to communicate the second private information to a second website, andwherein a third application component of the application components has access to all the private information, no access to the websites, and is configured to process data received from the first and second application components.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12, wherein at least one of the application components generates at least one rule for a firewall based on a privacy policy and information requirements of the external application.
  - 14. The system of claim 12, where the message includes a licensing agreement having a distinct section for each application component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Christodorescu, Mihai, Pendarakis, Dimitrios, Singh, Kapil K.
Primary Examiner(s)
NGUYEN, THU HA T

Application Number

US13/677,457
Publication Number

US 20140137181A1
Time in Patent Office

1,167 Days
Field of Search

713/166, 713/201, 726/1, 726/26, 726/27, 726/4, 726/22, 726/25
US Class Current

1/1
CPC Class Codes

G06F 21/105   Arrangements for software l...

G06F 21/53   by executing in a restricte...

G06F 21/60   Protecting data

H04L 63/10   for controlling access to d...

Protection of user data in hosted application environments

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

283 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Protection of user data in hosted application environments

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

283 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links