System and method for secure cloud service delivery with prioritized services in a network environment
First Claim
1. A method, comprising:
- receiving, at an Internet Key Exchange (IKE) processing node in a cloud, a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a virtual private network (VPN) tunnel between a subscriber and the IKE processing node;
- selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set;
- offloading, by the IKE processing node, the VPN tunnel to the particular cryptographic modules in the cloud; and
- configuring, by an orchestration engine in the cloud, network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.
Abstract
An example method includes receiving a request for a cloud capability set during an Internet Key Exchange negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities, mapping the request to one or more cryptographic modules that can support the cloud capability set, and offloading the VPN tunnel to the one or more cryptographic modules. The request can be an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload. The method may further include splitting the VPN tunnel between the cryptographic modules if no single cryptographic module can support substantially all the cloud capabilities in the cloud capability set. In some embodiments, the request is compared with a service catalog comprising authorized cloud capabilities.
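The abstract describes a decision the IKE processing node has to make: validate the requested capability set against a service catalog, find a cryptographic module that supports the whole set, and split the tunnel across several modules only when no single module can. The following Python model is an added example, not code from the patent or its assignee; the module names, capability names, the comma-separated private-payload encoding and the greedy set-cover strategy are all assumptions made for illustration.

```python
"""Map a requested cloud capability set to cryptographic modules.

Added example (not from the patent). It models the steps named in the
abstract: parse the capability list carried in the request, reject
capabilities that are not in the authorized service catalog, prefer a
single module that supports the whole set, and otherwise split the
tunnel across several modules using a greedy set cover.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoModule:
    name: str
    capabilities: frozenset[str]


# Constructed sample data (assumed): the authorized service catalog and the
# cryptographic modules available in the cloud, each with the capability
# set it can enforce on an offloaded tunnel.
SERVICE_CATALOG = frozenset({"firewall", "ids", "waf", "dlp", "compression", "qos"})

MODULES = (
    CryptoModule("crypto-a", frozenset({"firewall", "ids"})),
    CryptoModule("crypto-b", frozenset({"waf", "dlp"})),
    CryptoModule("crypto-c", frozenset({"firewall", "ids", "waf"})),
)


class UnauthorizedCapability(ValueError):
    """Requested capability is not in the service catalog."""


class UnsupportedCapability(ValueError):
    """Capability is authorized but no module can provide it."""


def parse_capability_payload(payload: bytes) -> frozenset[str]:
    """Parse the capability list from the request.

    The page does not specify the layout of the ISAKMP private payload, so
    this assumes a comma-separated ASCII list of capability names.
    """
    text = payload.decode("ascii")
    return frozenset(n.strip() for n in text.split(",") if n.strip())


def authorize(requested: frozenset[str], catalog: frozenset[str]) -> None:
    """Compare the request with the catalog; reject anything unauthorized."""
    unauthorized = requested - catalog
    if unauthorized:
        raise UnauthorizedCapability(sorted(unauthorized))


def select_modules(requested: frozenset[str], modules) -> tuple[list[CryptoModule], bool]:
    """Return (chosen modules, split flag).

    A single module that supports the whole set wins. Otherwise the tunnel
    is split: modules are chosen greedily by how many still-uncovered
    capabilities each adds, until the set is covered or no module helps.
    """
    for module in modules:
        if requested <= module.capabilities:
            return [module], False
    remaining = set(requested)
    chosen: list[CryptoModule] = []
    while remaining:
        best = max(modules, key=lambda m: len(m.capabilities & remaining))
        gained = best.capabilities & remaining
        if not gained:
            raise UnsupportedCapability(sorted(remaining))
        chosen.append(best)
        remaining -= gained
    return chosen, True


def plan_offload(payload: bytes, catalog=SERVICE_CATALOG, modules=MODULES) -> dict:
    """Full decision: parse, authorize, select; return the offload plan."""
    requested = parse_capability_payload(payload)
    authorize(requested, catalog)
    chosen, split = select_modules(requested, modules)
    return {
        "capabilities": sorted(requested),
        "modules": [m.name for m in chosen],
        "split": split,
    }


if __name__ == "__main__":
    print(plan_offload(b"firewall,ids"))       # single module, no split
    print(plan_offload(b"firewall,dlp"))       # split across two modules
```

Two behaviours worth noting: an authorized capability that no module can provide (here `qos`) is reported as unsupported rather than silently dropped, so the subscriber never receives a tunnel with fewer protections than the tier promised; and the catalog check runs before module selection, so an unauthorized name is rejected without touching the module inventory at all.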
20 Claims
1. A method (independent claim; full text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. Non-transitory tangible media that includes instructions for execution, which when executed by a processor of a network element, is operable to perform operations comprising:
- receiving, at an IKE processing node in a cloud, a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a VPN tunnel between a subscriber and the IKE processing node;
- selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set;
- offloading, by the IKE processing node, the VPN tunnel to the particular cryptographic modules in the cloud; and
- configuring, by an orchestration engine in the cloud, network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.
Dependent claims: 14, 15, 16.
17. An apparatus located in a cloud, comprising:
- a memory element for storing data; and
- a processor, wherein the processor executes instructions associated with the data, wherein the processor and the memory element cooperate, such that the apparatus is configured for:
  - receiving a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a VPN tunnel between a subscriber and the IKE processing node; and
  - selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set;
  - offloading the VPN tunnel to the particular cryptographic modules in the cloud, wherein an orchestration engine in the cloud configures network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.
Dependent claims: 18, 19, 20.
Specification