Extending infrastructure security to services in a cloud computing environment
First Claim
1. A method of extending cloud computing infrastructure security to a service that is shared across virtual application deployments in the cloud computing infrastructure as a shared service, the method operative in a security service executing on a hardware element, comprising:

establishing a trust relationship between the shared service and the security service;

upon receipt of a request from a user to access the shared service, the request issued from an application other than the shared service, executing a token exchange among the application, the security service and the shared service to exchange a first token for a shared services token that is distinct from the first token, the first token representing the user within the security service and identifying privileges the user has and resources the user can access, the shared services token including credential information and one or more deployment constraints on authorized access to the shared service, the credential information including user identity and one or more security roles, the token exchange that exchanges the first token for the shared services token executed transparently to a provider of the shared service; and

issuing to the shared service the shared services token, the credential information therein facilitating a transfer of control from the application to a shared service interface to enable access to the shared service by the user without challenge.
Abstract
A cloud deployment appliance (or other platform-as-a-service (IPAS) infrastructure software) includes a mechanism to deploy a product as a “shared service” to the cloud, as well as to enable the product to establish a trust relationship between itself and the appliance or IPAS. The mechanism further enables multiple products deployed to the cloud to form trust relationships with each other (despite the fact that each deployment and each product typically, by the nature of the cloud deployment, are intended to be isolated from one another). In addition, once deployed and provisioned into the cloud, a shared service can become part of a single sign-on (SSO) domain automatically. SSO is facilitated using a token-based exchange. Once a product registers with a token service, it can participate in SSO. This approach enables enforcement of consistent access control policy across product boundaries, and without requiring a user to perform any configuration.
21 Claims
8. Apparatus, comprising:

a processor; computer memory holding computer program instructions that when executed by the processor provide a security service, the computer program instructions further executed by the processor to provide a method to extend cloud computing infrastructure security to a service that is shared across virtual application deployments in the cloud computing infrastructure as a shared service, the method comprising:

establishing a trust relationship between the shared service and the security service;

upon receipt of a request from a user to access the shared service, the request issued from an application other than the shared service, executing a token exchange among the application, the security service and the shared service to exchange a first token for a shared services token that is distinct from the first token, the first token representing the user within the security service and identifying what privileges the user has and resources the user can access, the shared services token including credential information and one or more deployment constraints on authorized access to the shared service, the credential information including user identity and one or more security roles, the token exchange that exchanges the first token for the shared services token executed transparently to a provider of the shared service; and

issuing to the shared service the shared services token, the credential information therein facilitating a transfer of control from the application to a shared service interface to enable access to the shared service by the user without challenge.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer program product in a non-transitory computer readable medium for use in a data processing system that provides a security service, the non-transitory computer readable medium comprising computer program instructions stored thereon which, when executed by the data processing system, provide a method to extend cloud computing infrastructure security to a service that is shared across virtual application deployments in the cloud computing infrastructure as a shared service, the method comprising:

establishing a trust relationship between the shared service and the security service;

upon receipt of a request from a user to access the shared service, the request issued from an application other than the shared service, executing a token exchange among the application, the security service and the shared service to exchange a first token for a shared services token that is distinct from the first token, the first token representing the user within the security service and identifying what privileges the user has and resources the user can access, the shared services token including credential information and one or more deployment constraints on authorized access to the shared service, the credential information including user identity and one or more security roles, the token exchange that exchanges the first token for the shared services token executed transparently to a provider of the shared service; and

issuing to the shared service the shared services token, the credential information therein facilitating a transfer of control from the application to a shared service interface to enable access to the shared service by the user without challenge.

Dependent claims: 16, 17, 18, 19, 20, 21.
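The token exchange the independent claims describe, worked through as an added example (not code from the patent or its assignee): a first token representing the user within the security service is exchanged for a distinct shared-services token carrying user identity, security roles and a deployment constraint, which the shared service accepts without re-challenging the user. The HMAC signing, the key registered at trust establishment, the privilege-to-role mapping and all names and values are constructed assumptions.

```python
import base64, hashlib, hmac, json

SEC_KEY = b"constructed-security-service-signing-key"   # security service key (constructed)
TRUSTED = {}                                            # shared service -> key agreed at trust establishment
ROLE_FOR_PRIV = {"logs:read": "log-reader", "logs:write": "log-admin"}  # constructed mapping

def _sign(payload: dict, key: bytes) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def _verify(token: str, key: bytes) -> dict:
    body, mac = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))

def establish_trust(shared_service: str, key: bytes) -> None:
    """Trust relationship: the shared service registers a key with the security service."""
    TRUSTED[shared_service] = key

def issue_first_token(user: str, privileges: list, resources: list) -> str:
    """First token: represents the user within the security service (privileges + resources)."""
    return _sign({"sub": user, "priv": privileges, "res": resources}, SEC_KEY)

def exchange_token(first_token: str, shared_service: str, deployment: str, now: int) -> str:
    """Security-service side: verify the first token, mint a distinct shared-services token."""
    if shared_service not in TRUSTED:
        raise PermissionError(f"no trust relationship with {shared_service}")
    claims = _verify(first_token, SEC_KEY)
    roles = sorted({ROLE_FOR_PRIV[p] for p in claims["priv"] if p in ROLE_FOR_PRIV})
    sst = {"sub": claims["sub"], "roles": roles, "aud": shared_service,
           "constraints": {"deployment": deployment, "exp": now + 300}}  # deployment constraint
    return _sign(sst, TRUSTED[shared_service])

def shared_service_admit(token: str, me: str, my_deployment: str, now: int):
    """Shared-service side: admit without a fresh challenge only if the token was minted
    for this service and this deployment and is unexpired; otherwise None (access refused)."""
    try:
        c = _verify(token, TRUSTED[me])   # the service's own copy of the key agreed at trust setup
    except (PermissionError, KeyError, ValueError):
        return None
    cons = c["constraints"]
    if c["aud"] != me or cons["deployment"] != my_deployment or now > cons["exp"]:
        return None
    return {"user": c["sub"], "roles": c["roles"]}
```

A first token presented directly to the shared service fails verification (it was signed for the security service, not the shared service), which is why the exchange step, not the original token, is what grants access.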