Systems and methods for enforcing enterprise data access control policies in cloud computing environments
First Claim
1. A computer-implemented method for enforcing enterprise data access control policies in cloud computing environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- intercepting, at a proxy, an attempt to configure a computing instance that provides virtualized access to computing resources on a cloud computing platform and that provides third-party processing for an enterprise with a permission that would provide the computing instance with access to secured data on the cloud computing platform;
identifying, at the proxy, a user within the enterprise that initiated the attempt to configure the computing instance with the permission;
determining, at the proxy, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data;
blocking, at the proxy, the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data;
identifying, subsequent to blocking the attempt, an entitled user within the enterprise that is entitled to access the secured data;
initiating a request to the entitled user to approve the attempt to configure the computing instance with the permission that would provide the computing instance with access to secured data on the cloud computing platform;
receiving, in response to the request, approval from the entitled user to configure the computing instance with the permission;
forwarding the attempt to configure the computing instance to the cloud computing platform.
2 Assignments
0 Petitions
Accused Products
Abstract
A computer-implemented method for enforcing enterprise data access control policies in cloud computing environments may include (1) intercepting, at a proxy, an attempt to configure a computing instance on a cloud computing platform with a permission that would provide the computing instance with access to secured data on the cloud computing platform, (2) identifying a user within an enterprise that initiated the attempt to configure the computing instance with the permission, (3) determining, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data, and (4) blocking the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data. Various other methods, systems, and computer-readable media are also disclosed.
-
Citations
18 Claims
-
1. A computer-implemented method for enforcing enterprise data access control policies in cloud computing environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
-
intercepting, at a proxy, an attempt to configure a computing instance that provides virtualized access to computing resources on a cloud computing platform and that provides third-party processing for an enterprise with a permission that would provide the computing instance with access to secured data on the cloud computing platform; identifying, at the proxy, a user within the enterprise that initiated the attempt to configure the computing instance with the permission; determining, at the proxy, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data; blocking, at the proxy, the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data; identifying, subsequent to blocking the attempt, an entitled user within the enterprise that is entitled to access the secured data; initiating a request to the entitled user to approve the attempt to configure the computing instance with the permission that would provide the computing instance with access to secured data on the cloud computing platform; receiving, in response to the request, approval from the entitled user to configure the computing instance with the permission; forwarding the attempt to configure the computing instance to the cloud computing platform. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A system for enforcing enterprise data access control policies in cloud computing environments, the system comprising:
-
an interception module, stored in memory, that intercepts, at a proxy, an attempt to configure a computing instance that provides virtualized access to computing resources on a cloud computing platform and that provides third-party processing for an enterprise with a permission that would provide the computing instance with access to secured data on the cloud computing platform; an identification module, stored in memory, that identifies, at the proxy, a user within the enterprise that initiated the attempt to configure the computing instance with the permission; a determination module, stored in memory, that determines, at the proxy, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data; a blocking module, stored in memory, that; blocks, at the proxy, the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data; identifies, subsequent to blocking the attempt, an entitled user within the enterprise that is entitled to access the secured data; initiates a request to the entitled user to approve the attempt to configure the computing instance with the permission that would provide the computing instance with access to secured data on the cloud computing platform; receives, in response to the request, approval from the entitled user to configure the computing instance with the permission; forwards the attempt to configure the computing instance to the cloud computing platform; at least one physical processor that executes the interception module, the identification module, the determination module, and the blocking module. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
-
intercept, at a proxy, an attempt to configure a computing instance that provides virtualized access to computing resources on a cloud computing platform and that provides third-party processing for an enterprise with a permission that would provide the computing instance with access to secured data on the cloud computing platform; identify, at the proxy, a user within the enterprise that initiated the attempt to configure the computing instance with the permission; determine, at the proxy, based on a data access control policy for the enterprise, that the user is not entitled to access the secured data; block, at the proxy, the attempt to configure the computing instance with the permission based on determining that the user is not entitled to access the secured data; identify, subsequent to blocking the attempt, an entitled user within the enterprise that is entitled to access the secured data; initiate a request to the entitled user to approve the attempt to configure the computing instance with the permission that would provide the computing instance with access to secured data on the cloud computing platform; receive, in response to the request, approval from the entitled user to configure the computing instance with the permission; forward the attempt to configure the computing instance to the cloud computing platform. - View Dependent Claims (16, 17, 18)
-
Specification