Extending infrastructure security to services in a cloud computing environment

US 9,426,155 B2
Filed: 04/18/2013
Issued: 08/23/2016
Est. Priority Date: 04/18/2013
Status: Active Grant

First Claim

Patent Images

1. A method of extending cloud computing infrastructure security to a service that is shared across virtual application deployments in the cloud computing infrastructure as a shared service, the method operative in a security service executing on a hardware element, comprising:

establishing a trust relationship between the shared service and the security service;

upon receipt of a request from a user to access the shared service, the request issued from an application other than the shared service, executing a token exchange among the application, the security service and the shared service to exchange a first token for a shared services token that is distinct from the first token, the first token representing the user within the security service and identifying privileges the user has and resources the user can access, the shared services token including credential information and one or more deployment constraints on authorized access to the shared service, the credential information including user identity and one or more security roles, the token exchange that exchanges the first token for the shared services token executed transparently to a provider of the shared service; and

issuing to the shared service the shared services token, the credential information therein facilitating a transfer of control from the application to shared service interface to enable access to the shared service by the user without challenge.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud deployment appliance (or other platform-as-a-service (IPAS) infrastructure software) includes a mechanism to deploy a product as a “shared service” to the cloud, as well as to enable the product to establish a trust relationship between itself and the appliance or IPAS. The mechanism further enables multiple products deployed to the cloud to form trust relationships with each other (despite the fact that each deployment and each product typically, by the nature of the cloud deployment, are intended to be isolated from one another). In addition, once deployed and provisioned into the cloud, a shared service can become part of a single sign-on (SSO) domain automatically. SSO is facilitated using a token-based exchange. Once a product registers with a token service, it can participate in SSO. This approach enables enforcement of consistent access control policy across product boundaries, and without requiring a user to perform any configuration.

Citations

21 Claims

1. A method of extending cloud computing infrastructure security to a service that is shared across virtual application deployments in the cloud computing infrastructure as a shared service, the method operative in a security service executing on a hardware element, comprising:
- establishing a trust relationship between the shared service and the security service;
  
  upon receipt of a request from a user to access the shared service, the request issued from an application other than the shared service, executing a token exchange among the application, the security service and the shared service to exchange a first token for a shared services token that is distinct from the first token, the first token representing the user within the security service and identifying privileges the user has and resources the user can access, the shared services token including credential information and one or more deployment constraints on authorized access to the shared service, the credential information including user identity and one or more security roles, the token exchange that exchanges the first token for the shared services token executed transparently to a provider of the shared service; and
  
  issuing to the shared service the shared services token, the credential information therein facilitating a transfer of control from the application to shared service interface to enable access to the shared service by the user without challenge.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the token exchange comprises:
    - upon receipt by the security service of the first token, issuing a secret that represents the user; and
      
      upon receipt by the security service of a second token from the shared service and verifying that the second token is associated with the secret, exchanging the second token for the shared services token that includes the credential information.
  - 3. The method as described in claim 2 wherein the second token is exchanged for the shared services token that includes the credential information transparently to the shared service.
  - 4. The method as described in claim 1 wherein the virtual application deployments operate in distinct security zones.
  - 5. The method as described in claim 1 wherein the credential information in the shared services token also includes group membership.
  - 6. The method as described in claim 1 wherein the first token includes no specific deployment constraints with respect to the user'"'"'s privileges.
  - 7. The method as described in claim 1 wherein the service is associated with a virtual machine, and wherein the trust relationship is established by:
    - providing the virtual machine one or more registration artifacts; and
      
      in response, receiving from the virtual machine security information without revealing a private security key associated with the shared service.

8. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor provide a security service, the computer program instructions further executed by the processor to provide a method to extend cloud computing infrastructure security to a service that is shared across virtual application deployments in the cloud computing infrastructure as a shared service, the method comprising;
  
  establishing a trust relationship between the shared service and the security service;
  
  upon receipt of a request from a user to access the shared service, the request issued from an application other than the shared service, executing a token exchange among the application, the security service and the shared service to exchange a first token for a shared services token that is distinct from the first token, the first token representing the user within the security service and identifying what privileges the user has and resources the user can access, the shared services token including credential information and one or more deployment constraints on authorized access to the shared service, the credential information including user identity and one or more security roles, the token exchange that exchanges the first token for the shared services token executed transparently to a provider of the shared service; and
  
  issuing to the shared service the shared services token, the credential information therein facilitating a transfer of control from the application to a shared service interface to enable access to the shared service by the user without challenge.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the token exchange comprises:
    - upon receipt by the security service of the first token, issuing a secret that represents the user; and
      
      upon receipt by the security service of a second token from the shared service and verifying that the second token is associated with the secret, exchanging the second token for the shared services token that includes the credential information.
  - 10. The apparatus as described in claim 9 wherein the second token is exchanged for the shared services token that includes the credential information transparently to the shared service.
  - 11. The apparatus as described in claim 8 wherein the virtual application deployments operate in distinct security zones.
  - 12. The apparatus as described in claim 8 wherein the credential information in the shared services token also includes group membership.
  - 13. The apparatus as described in claim 8 wherein the first token includes no specific deployment constraints with respect to the user'"'"'s privileges.
  - 14. The apparatus as described in claim 8 wherein the service is associated with a virtual machine, and wherein the trust relationship is established by:
    - providing the virtual machine one or more registration artifacts; and
      
      in response, receiving from the virtual machine security information without revealing a private security key associated with the shared service.

15. A computer program product in a non-transitory computer readable medium for use in a data processing system that provides a security service, the non-transitory computer readable medium comprising computer program instructions stored thereon which, when executed by the data processing system, provide a method to extend cloud computing infrastructure security to a service that is shared across virtual application deployments in the cloud computing infrastructure as a shared service, the method comprising:
- establishing a trust relationship between the shared service and the security service;
  
  upon receipt of a request from a user to access the shared service, the request issued from an application other than the shared service, executing a token exchange among the application, the security service and the shared service to exchange a first token for a shared services token that is distinct from the first token, the first token representing the user within the security service and identifying what privileges the user has and resources the user can access, the shared services token including credential information and one or more deployment constraints on authorized access to the shared service, the credential information including user identity and one or more security roles, the token exchange that exchanges the first token for the shared services token executed transparently to a provider of the shared service; and
  
  issuing to the shared service the shared services token, the credential information therein facilitating a transfer of control from the application to a shared service interface to enable access to the shared service by the user without challenge.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15 wherein the token exchange comprises:
    - upon receipt by the security service of the first token, issuing a secret that represents the user; and
      
      upon receipt by the security service of a second token from the shared service and verifying that the second token is associated with the secret, exchanging the second token for the shared services token that includes the credential information.
  - 17. The computer program product as described in claim 16 wherein the second token is exchanged for the shared services token that includes the credential information transparently to the shared service.
  - 18. The computer program product as described in claim 15 wherein the virtual application deployments operate in distinct security zones.
  - 19. The computer program product as described in claim 15 wherein the credential information in the shared services token also includes group membership.
  - 20. The computer program product as described in claim 15 wherein the first token includes no specific deployment constraints with respect to the user'"'"'s privileges.
  - 21. The computer program product as described in claim 15 wherein the service is associated with a virtual machine, and wherein the trust relationship is established by:
    - providing the virtual machine one or more registration artifacts; and
      
      in response, receiving from the virtual machine security information without revealing a private security key associated with the shared service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chao, Ching-Yun, Chang, John Yow-Chun, Bennett, Paul W., Sanchez, John C., Woods, Donald R., Kaneyasu, Yuhsuke, Srinivasan, Sriram, Monteith, Stuart Robert Douglas, Lohmann, Marcos
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US13/865,692
Publication Number

US 20140317716A1
Time in Patent Office

1,223 Days
Field of Search

726 7- 9, 713168-172
US Class Current

1/1
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/10 for controlling access to d...

Extending infrastructure security to services in a cloud computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Extending infrastructure security to services in a cloud computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links