Security recommendation engine

US 9,386,033 B1
Filed: 09/10/2014
Issued: 07/05/2016
Est. Priority Date: 09/10/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing computing resources in a provider network, the method performed by a computing device comprising a processor and memory, the method comprising:

allowing, by the computing device, an authorized user to add or modify tagged metadata associated with a selected computing resource associated with a customer of the provider network;

applying, by the computing device, a revision history, version control, and cryptographic binding scheme to the added or modified tagged metadata;

receiving, by the computing device, a request for a security and compliance assessment of the selected computing resource based on a configuration for the selected computing resource;

in response to receiving the request, analyzing, by the computing device, the selected computing resource and the added or modified tagged metadata based on security reference information;

determining, by the computing device, a recommendation pertaining to security for the selected computing resource based at least in part on the analysis and one or more scoring criteria; and

applying, by the computing device, the revision history, version control, and cryptographic binding scheme to the recommendation and providing the recommendation as the requested security assessment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Users are authorized to access tagged metadata in a provider network. A revision control and binding mechanism may be applied to tagged metadata that is added or modified by the user. A recommendation pertaining to security and compliance for the computing resource may be determined based on an analysis of the computing resource, scoring criteria, and data pertaining to customer and system data.

23 Citations

View as Search Results

18 Claims

1. A computer-implemented method for managing computing resources in a provider network, the method performed by a computing device comprising a processor and memory, the method comprising:
- allowing, by the computing device, an authorized user to add or modify tagged metadata associated with a selected computing resource associated with a customer of the provider network;
  
  applying, by the computing device, a revision history, version control, and cryptographic binding scheme to the added or modified tagged metadata;
  
  receiving, by the computing device, a request for a security and compliance assessment of the selected computing resource based on a configuration for the selected computing resource;
  
  in response to receiving the request, analyzing, by the computing device, the selected computing resource and the added or modified tagged metadata based on security reference information;
  
  determining, by the computing device, a recommendation pertaining to security for the selected computing resource based at least in part on the analysis and one or more scoring criteria; and
  
  applying, by the computing device, the revision history, version control, and cryptographic binding scheme to the recommendation and providing the recommendation as the requested security assessment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein the recommendation is further based on data pertaining to security received from one or more of provisioning tools, templates, configurations, and user interactions.
  - 3. The method according to claim 1, wherein the recommendation is further based on one or more of organizational demographics, workload characterization, performance characterization, and configuration information.
  - 4. The method according to claim 1, wherein the recommendation is determined with reference to the customer'"'"'s computing resources.
  - 5. The method according to claim 1, wherein the recommendation is determined according to a reference group defined by the provider network.
  - 6. The method according to claim 1, wherein the recommendation is further based at least in part on an analysis of one or more priorities for the selected computing resource.
  - 7. The method according to claim 1, wherein the configuration for the selected computing resource is operational.
  - 8. The method according to claim 1, further comprising applying the revision history and version control scheme to the recommendation.

9. A system configured to allocate computing resources to customers of a provider network, the system comprising:
- at least one memory having stored therein computer instructions that, upon execution by one or more processors of the system, at least cause the system to;
  
  receive a request for a security and compliance assessment of one or more computing resources associated with a customer of the provider network; and
  
  in response to receiving the request, determine a recommendation pertaining to security and compliance for the computing resources based at least in part on an analysis of the computing resources and tagged metadata associated with the computing resources, wherein a revision history and version control scheme is applied to the tagged metadata, one or more scoring criteria, compliance data, and data pertaining to one or more of account data, billing data, configuration data, policies, and interactive commands.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system according to claim 9, wherein the data comprises system level data.
  - 11. The system according to claim 9, wherein the data comprises data for other customers with similar configurations.
  - 12. The system according to claim 9, wherein the compliance data comprises inherited controls, shared controls, and workload controls.
  - 13. The system according to claim 9, further comprising computer instructions that, upon execution by one or more processors of the system, at least cause the system to allow an authorized user to add or modify the tagged metadata associated with the computing resource.
  - 14. The system according to claim 9, wherein the recommendation is further based on one or more of organizational demographics, workload characterization, performance characterization, known vulnerability data, and configuration information.
  - 15. The system according to claim 9, wherein the recommendation is determined with reference to the customer'"'"'s computing resources.
  - 16. The system according to claim 9, wherein the recommendation is determined according to a reference group defined by the provider network.
  - 17. The system according to claim 9, wherein the recommendation is further based at least in part on an analysis of one or more priorities for the computing resource.

18. A non-transitory computer-readable storage medium having stored thereon computer-readable instructions, the computer-readable instructions comprising instructions that upon execution on one or more computing devices, at least cause the one or more computing devices to:
- determine a security and compliance recommendation for one or more computing resources allocated to a customer, the security and compliance recommendation based at least in part on an analysis of the allocated computing resources, the analysis comprising comparison of the allocated computing resources and a reference configuration in accordance with at least one scoring criterion, wherein the security and compliance recommendation is indicative of the comparison; and
  
  generate a user interface indicative the determined security and compliance recommendation, wherein the user interface is indicative of the comparison, and wherein the interface comprises an application programming interface (API) configured to;
  
  receive first electronic messages that encode identifiers indicative of a request for the security recommendation; and
  
  in response to receiving one of the first electronic messages, send second electronic messages indicative of information pertaining to the security recommendation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Rossman, Hart Matthew
Primary Examiner(s)
Song, Hosuk

Application Number

US14/482,753
Time in Patent Office

664 Days
Field of Search

726 1- 7, 726/11, 726/14, 726 22- 25, 713/189, 713/193
US Class Current

1/1
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 8/71   Version control security ar...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/0893   Assignment of logical group...

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/306   User profiles

H04L 67/561   Adding application-function...

H04L 67/63   Routing a service request d...

Security recommendation engine

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security recommendation engine

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links