Systems and methods for enforcing enterprise data access control policies in cloud computing environments

US 9,407,664 B1
Filed: 12/23/2013
Issued: 08/02/2016
Est. Priority Date: 12/23/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for enforcing enterprise data access control policies in cloud computing environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

intercepting, at a proxy, an attempt to configure a computing instance that provides virtualized access to computing resources on a cloud computing platform and that provides third-party processing for an enterprise with a permission that would provide the computing instance with access to secured data on the cloud computing platform;

identifying, at the proxy, a user within the enterprise that initiated the attempt to configure the computing instance with the permission;

determining, at the proxy, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data;

blocking, at the proxy, the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data;

identifying, subsequent to blocking the attempt, an entitled user within the enterprise that is entitled to access the secured data;

initiating a request to the entitled user to approve the attempt to configure the computing instance with the permission that would provide the computing instance with access to secured data on the cloud computing platform;

receiving, in response to the request, approval from the entitled user to configure the computing instance with the permission;

forwarding the attempt to configure the computing instance to the cloud computing platform.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for enforcing enterprise data access control policies in cloud computing environments may include (1) intercepting, at a proxy, an attempt to configure a computing instance on a cloud computing platform with a permission that would provide the computing instance with access to secured data on the cloud computing platform, (2) identifying a user within an enterprise that initiated the attempt to configure the computing instance with the permission, (3) determining, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data, and (4) blocking the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data. Various other methods, systems, and computer-readable media are also disclosed.

Citations

18 Claims

1. A computer-implemented method for enforcing enterprise data access control policies in cloud computing environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- intercepting, at a proxy, an attempt to configure a computing instance that provides virtualized access to computing resources on a cloud computing platform and that provides third-party processing for an enterprise with a permission that would provide the computing instance with access to secured data on the cloud computing platform;
  
  identifying, at the proxy, a user within the enterprise that initiated the attempt to configure the computing instance with the permission;
  
  determining, at the proxy, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data;
  
  blocking, at the proxy, the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data;
  
  identifying, subsequent to blocking the attempt, an entitled user within the enterprise that is entitled to access the secured data;
  
  initiating a request to the entitled user to approve the attempt to configure the computing instance with the permission that would provide the computing instance with access to secured data on the cloud computing platform;
  
  receiving, in response to the request, approval from the entitled user to configure the computing instance with the permission;
  
  forwarding the attempt to configure the computing instance to the cloud computing platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising retrieving, at the proxy, the data access control policy from the enterprise.
  - 3. The computer-implemented method of claim 1, wherein identifying the user within the enterprise that initiated the attempt to configure the computing instance with the permission comprises extracting, at the proxy, an identifier of the user from the attempt to configure the computing instance.
  - 4. The computer-implemented method of claim 1, wherein determining that the user is not entitled to access the secured data comprises extracting, at the proxy, an identifier of the permission from the attempt to configure the computing instance.
  - 5. The computer-implemented method of claim 1, wherein the user is entitled to configure the computing instance on the cloud computing platform without the permission.
  - 6. The computer-implemented method of claim 1, further comprising:
    - intercepting, at the proxy, an additional attempt to configure an additional computing instance on the cloud computing platform with the permission;
      
      identifying an additional user within the enterprise that initiated the additional attempt to configure the additional computing instance;
      
      determining, based on the data access control policy for the enterprise, that the additional user is entitled to access the secured data;
      
      allowing the attempt to configure the additional computing instance with the permission based on determining that the additional user is entitled to access the secured data.
  - 7. The computer-implemented method of claim 1, wherein determining, based on the data access control policy for the enterprise, that the user is not entitled to access the secured data comprises:
    - identifying a cloud-side role that is defined on the cloud computing platform as having access to the permission;
      
      identifying an enterprise-side role pertaining to the user;
      
      identifying a role map that maps enterprise-side roles to cloud-side roles;
      
      determining, based on the role map, that the enterprise-side role is not mapped to the cloud-side role.

8. A system for enforcing enterprise data access control policies in cloud computing environments, the system comprising:
- an interception module, stored in memory, that intercepts, at a proxy, an attempt to configure a computing instance that provides virtualized access to computing resources on a cloud computing platform and that provides third-party processing for an enterprise with a permission that would provide the computing instance with access to secured data on the cloud computing platform;
  
  an identification module, stored in memory, that identifies, at the proxy, a user within the enterprise that initiated the attempt to configure the computing instance with the permission;
  
  a determination module, stored in memory, that determines, at the proxy, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data;
  
  a blocking module, stored in memory, that;
  
  blocks, at the proxy, the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data;
  
  identifies, subsequent to blocking the attempt, an entitled user within the enterprise that is entitled to access the secured data;
  
  initiates a request to the entitled user to approve the attempt to configure the computing instance with the permission that would provide the computing instance with access to secured data on the cloud computing platform;
  
  receives, in response to the request, approval from the entitled user to configure the computing instance with the permission;
  
  forwards the attempt to configure the computing instance to the cloud computing platform;
  
  at least one physical processor that executes the interception module, the identification module, the determination module, and the blocking module.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, further comprising a retrieving module that retrieves, at the proxy, the data access control policy from the enterprise.
  - 10. The system of claim 8, wherein the identification module identifies the user within the enterprise that initiated the attempt to configure the computing instance with the permission by extracting, at the proxy, an identifier of the user from the attempt to configure the computing instance.
  - 11. The system of claim 8, wherein the determination module determines that the user is not entitled to access the secured data by extracting, at the proxy, an identifier of the permission from the attempt to configure the computing instance.
  - 12. The system of claim 8, wherein the user is entitled to configure the computing instance on the cloud computing platform without the permission.
  - 13. The system of claim 8, wherein:
    - the interception module further intercepts, at the proxy, an additional attempt to configure an additional computing instance on the cloud computing platform with the permission;
      
      the identification module further identifies an additional user within the enterprise that initiated the additional attempt to configure the additional computing instance;
      
      the determination module further determines, based on the data access control policy for the enterprise, that the additional user is entitled to access the secured data;
      
      the blocking module further allows the attempt to configure the additional computing instance with the permission based on determining that the additional user is entitled to access the secured data.
  - 14. The system of claim 8, wherein the determination module determines, based on the data access control policy for the enterprise, that the user is not entitled to access the secured data by:
    - identifying a cloud-side role that is defined on the cloud computing platform as having access to the permission;
      
      identifying an enterprise-side role pertaining to the user;
      
      identifying a role map that maps enterprise-side roles to cloud-side roles;
      
      determining, based on the role map, that the enterprise-side role is not mapped to the cloud-side role.

15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- intercept, at a proxy, an attempt to configure a computing instance that provides virtualized access to computing resources on a cloud computing platform and that provides third-party processing for an enterprise with a permission that would provide the computing instance with access to secured data on the cloud computing platform;
  
  identify, at the proxy, a user within the enterprise that initiated the attempt to configure the computing instance with the permission;
  
  determine, at the proxy, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data;
  
  block, at the proxy, the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data;
  
  identify, subsequent to blocking the attempt, an entitled user within the enterprise that is entitled to access the secured data;
  
  initiate a request to the entitled user to approve the attempt to configure the computing instance with the permission that would provide the computing instance with access to secured data on the cloud computing platform;
  
  receive, in response to the request, approval from the entitled user to configure the computing instance with the permission;
  
  forward the attempt to configure the computing instance to the cloud computing platform.
- View Dependent Claims (16, 17, 18)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the one or more computer-readable instructions further cause the computing device to retrieve, at the proxy, the data access control policy from the enterprise.
  - 17. The non-transitory computer-readable medium of claim 15, wherein the one or more computer-readable instructions cause the computing device to identify the user within the enterprise that initiated the attempt to configure the computing instance with the permission by extracting, at the proxy, an identifier of the user from the attempt to configure the computing instance.
  - 18. The non-transitory computer-readable medium of claim 15, wherein the one or more computer-readable instructions cause the computing device to determine that the user is not entitled to access the secured data by extracting, at the proxy, an identifier of the permission from the attempt to configure the computing instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Banerjee, Deb
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
Taylor, Sakinah

Application Number

US14/138,136
Time in Patent Office

953 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Systems and methods for enforcing enterprise data access control policies in cloud computing environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for enforcing enterprise data access control policies in cloud computing environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links