System and method for secure cloud service delivery with prioritized services in a network environment

US 9,444,789 B2
Filed: 08/27/2014
Issued: 09/13/2016
Est. Priority Date: 05/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at an Internet Key Exchange (IKE) processing node in a cloud, a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a virtual private network (VPN) tunnel between a subscriber and the IKE processing node;

selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set;

offloading, by the IKE processing node, the VPN tunnel to the particular cryptographic modules in the cloud; and

configuring, by an orchestration engine in the cloud, network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method includes receiving a request for a cloud capability set during an Internet Key Exchange negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities, mapping the request to one or more cryptographic modules that can support the cloud capability set, and offloading the VPN tunnel to the one or more cryptographic modules. The request can be an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload. The method may further include splitting the VPN tunnel between the cryptographic modules if no single cryptographic module can support substantially all the cloud capabilities in the cloud capability set. In some embodiments, the request is compared with a service catalog comprising authorized cloud capabilities.

Citations

20 Claims

1. A method, comprising:
- receiving, at an Internet Key Exchange (IKE) processing node in a cloud, a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a virtual private network (VPN) tunnel between a subscriber and the IKE processing node;
  
  selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set;
  
  offloading, by the IKE processing node, the VPN tunnel to the particular cryptographic modules in the cloud; and
  
  configuring, by an orchestration engine in the cloud, network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - receiving, at the IKE processing node, a service catalog from the orchestration engine, the service catalog indicating available cloud capability sets associated with the subscriber according to a Service Level Agreement (SLA) with the subscriber;
      
      identifying the requested cloud capability set in the service catalog; and
      
      provisioning the requested cloud capability set across the particular cryptographic modules.
  - 3. The method of claim 2, further comprising:
    - denying the request if the requested cloud capability set is not included in the available cloud capability sets for the subscriber.
  - 4. The method of claim 2, wherein the service catalog is provided by a business service management portal in the cloud.
  - 5. The method of claim 2, wherein the service catalog includes an application programming interface (API) to facilitate generating the request for cloud capabilities.
  - 6. The method of claim 2, wherein different subscribers are associated with different service level catalogs.
  - 7. The method of claim 1, wherein some cloud capabilities overlap between more than one service tier.
  - 8. The method of claim 1, wherein the cloud capabilities are differentiated into the plurality of service tiers according to criteria, including at least one selected from a group consisting of demand, infrastructure cost, and arbitrary differentiation.
  - 9. The method of claim 1, where each service tier is associated with a different price for the subscriber.
  - 10. The method of claim 1, wherein services offered in the cloud are differentiated into pre-defined service tiers.
  - 11. The method of claim 10, wherein each service tier includes different support features including virtual machine resources, storage features, application tiers, stateful services, bandwidth control, quality of service (QoS) agreements, and services.
  - 12. The method of claim 10, wherein each service tier is based in a separate vittual local area network (VLAN) in the cloud.

13. Non-transitory tangible media that includes instructions for execution, which when executed by a processor of a network element, is operable to perform operations comprising:
- receiving, at an IKE processing node in a cloud, a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a VPN tunnel between a subscriber and the IKE processing node;
  
  selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set;
  
  offloading, by the IKE processing node, the VPN tunnel to the particular cryptographic modules in the cloud; and
  
  configuring, by an orchestration engine in the cloud, network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.
- View Dependent Claims (14, 15, 16)
- - 14. The media of claim 13, further comprising:
    - receiving, at the IKE processing node, a service catalog from the orchestration engine, the service catalog indicating available cloud capability sets associated with the subscriber according to a Service Level Agreement (SLA) with the subscriber;
      
      identifying the requested cloud capability set in the service catalog; and
      
      provisioning the requested cloud capability set across the particular cryptographic modules.
  - 15. The media of claim 13, wherein some cloud capabilities overlap between more than one service tier.
  - 16. The media of claim 13, wherein services offered in the cloud are differentiated into pre-defined service tiers.

17. An apparatus located in a cloud, comprising:
- a memory element for storing data; and
  
  a processor, wherein the processor executes instructions associated with the data, wherein the processor and the memory element cooperate, such that the apparatus is configured for;
  
  receiving a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a VPN tunnel between a subscriber and the IKE processing node; and
  
  selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set;
  
  offloading the VPN tunnel to the particular cryptographic modules in the cloud, wherein an orchestration engine in the cloud configures network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17, further configured for:
    - receiving a service catalog from the orchestration engine, the service catalog indicating available cloud capability sets associated with the subscriber according to a Service Level Agreement (SLA) with the subscriber;
      
      identifying the requested cloud capability set in the service catalog; and
      
      provisioning the requested cloud capability set across the particular cryptographic modules.
  - 19. The apparatus of claim 17, wherein some cloud capabilities overlap between more than one service tier.
  - 20. The apparatus of claim 17, wherein services offered in the cloud are differentiated into pre-defined service tiers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cherukuri, Sunil, Khalid, Mohamed, Cinque, Brian
Primary Examiner(s)
Patel, Nirav B

Application Number

US14/470,497
Publication Number

US 20140372761A1
Time in Patent Office

748 Days
Field of Search

713/170, 713/171, 713/151, 726 11- 15
US Class Current

1/1
CPC Class Codes

H04L 41/0803   Configuration setting

H04L 63/0272   Virtual private networks

H04L 67/1001   for accessing one among a p...

H04L 9/0838   Key agreement, i.e. key est...

System and method for secure cloud service delivery with prioritized services in a network environment

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure cloud service delivery with prioritized services in a network environment

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links