Unified access controls for cloud services

US 9,450,945 B1
Filed: 05/03/2012
Issued: 09/20/2016
Est. Priority Date: 05/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, from a user device, a request to access a cloud service to utilize a resource provided by the cloud service, wherein to utilize the resource, the user device is configured to at least one of request information from the resource or send information to the resource;

in response to receiving the request, determining a context of the request to access the cloud service;

comparing, by a processor, the context of the request to a cloud service access policy, the cloud service access policy to control utilization of the resource provided by the cloud service;

if the context of the request satisfies the cloud service access policy, determining a type of the information associated with the request, wherein the type of information is determined using at least one of a non-reversible hash and signature-based detection;

comparing, by the processor, the type of the information associated with the request to an information control policy, the information control policy to control what types of information are requested from the resource and sent by the user device to the resource in view of the context of the request to access to the cloud service; and

if the type of the information satisfies the information control policy, granting the user device access to the cloud service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud service access and information gateway receives, from a user device, a request to access a cloud service. The cloud service access and information gateway determines a context of the request and compares the context of the request to a cloud service access policy. If the context of the request satisfies the cloud service access policy, the cloud service access and information gateway determines a type of information associated with the request and compares the type of information associated with the request to an information control policy. If the type of information satisfies the information control policy, the cloud service access and information gateway grants the user device access to the cloud service.

Citations

26 Claims

1. A method, comprising:
- receiving, from a user device, a request to access a cloud service to utilize a resource provided by the cloud service, wherein to utilize the resource, the user device is configured to at least one of request information from the resource or send information to the resource;
  
  in response to receiving the request, determining a context of the request to access the cloud service;
  
  comparing, by a processor, the context of the request to a cloud service access policy, the cloud service access policy to control utilization of the resource provided by the cloud service;
  
  if the context of the request satisfies the cloud service access policy, determining a type of the information associated with the request, wherein the type of information is determined using at least one of a non-reversible hash and signature-based detection;
  
  comparing, by the processor, the type of the information associated with the request to an information control policy, the information control policy to control what types of information are requested from the resource and sent by the user device to the resource in view of the context of the request to access to the cloud service; and
  
  if the type of the information satisfies the information control policy, granting the user device access to the cloud service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the context of the request comprises at least one of an identity of a user, a type of the user device, a type of network, or a type of the cloud service.
  - 3. The method of claim 2, wherein the type of the cloud service comprises at least one of a public cloud service or a private cloud service.
  - 4. The method of claim 2, wherein the type of the user device comprises at least one of a managed user device or an unmanaged user device.
  - 5. The method of claim 2, wherein the type of network comprises at least one of a secure network or an unsecure network.
  - 6. The method of claim 1, further comprising:
    - if the context of the request does not satisfy the cloud service access policy, denying the request.
  - 7. The method of claim 1, wherein the type of information associated with the request comprises at least one of confidential information or public information.
  - 8. The method of claim 1, wherein comparing the type of information associated with the request to the information control policy comprises:
    - determining if the type of information is restricted;
      
      if the type of information is restricted, determining if the context of the request meets a requirement of the information control policy; and
      
      if the context of the request does not meet the requirement of the information control policy;
      
      determining if the requirement can be satisfied.
  - 9. The method of claim 8, further comprising:
    - if the type of information is not restricted, granting the user device access to the cloud service; and
      
      if the context of the request does meet the requirement of the information control policy, granting the user device access to the cloud service.
  - 10. The method of claim 8, further comprising:
    - if the requirement can be satisfied, performing an action to satisfy the condition; and
      
      if the requirement cannot be satisfied, denying the request to access the cloud service.
  - 11. The method of claim 10, wherein performing the action to satisfy the condition comprises encrypting the information associated with the request.

12. A system, comprising:
- a memory; and
  
  a processor coupled with the memory to;
  
  receive, from a user device, a request to access a cloud service to utilize a resource provided by the cloud service, wherein to utilize the resource, the user device is configured to at least one of request information from the resource or send information to the resource;
  
  in response to receiving the request, determine a context of the request to access the cloud service;
  
  compare the context of the request to a cloud service access policy, the cloud service access policy to control utilization of the resource provided by the cloud service;
  
  if the context of the request satisfies the cloud service access policy, determine a type of the information associated with the request, wherein the type of information is determined using at least one of a non-reversible hash and signature-based detection;
  
  compare the type of the information associated with the request to an information control policy, the information control policy to control what types of information are requested from the resource and sent by the user device to the resource in view of the context of the request to access to the cloud service; and
  
  if the type of the information satisfies the information control policy, grant the user device access to the cloud service.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the context of the request comprises at least one of an identity of a user, a type of the user device, a type of network, or a type of the cloud service.
  - 14. The system of claim 12, the processor further to:
    - if the context of the request does not satisfy the cloud service access policy, deny the request.
  - 15. The system of claim 12, wherein the type of information associated with the request comprises at least one of confidential information or public information.
  - 16. The system of claim 12, wherein when the processor compares the type of information associated with the request to the information control policy, the processor further to:
    - determine if the type of information is restricted;
      
      if the type of information is restricted, determine if the context of the request meets a requirement of the information control policy; and
      
      if the context of the request does not meet the requirement of the information control policy;
      
      determine if the requirement can be satisfied.
  - 17. The system of claim 16, the processor further to:
    - if the type of information is not restricted, grant the user device access to the cloud service; and
      
      if the context of the request does meet the requirement of the information control policy, grant the user device access to the cloud service.
  - 18. The system of claim 16, the processor further to:
    - if the requirement can be satisfied, perform an action to satisfy the condition; and
      
      if the requirement cannot be satisfied, deny the request to access the cloud service.
  - 19. The system of claim 18, wherein performing the action to satisfy the condition comprises encrypting the information associated with the request.

20. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving, from a user device, a request to access a cloud service to utilize a resource provided by the cloud service, wherein to utilize the resource, the user device is configured to at least one of request information from the resource or send information to the resource;
  
  in response to receiving the request, determining a context of the request to access the cloud service;
  
  comparing, by a processor, the context of the request to a cloud service access policy, the cloud service access policy to control utilization of the resource provided by the cloud service;
  
  if the context of the request satisfies the cloud service access policy, determining a type of the information associated with the request, wherein the type of information is determined using at least one of a non-reversible hash and signature-based detection;
  
  comparing, by the processor, the type of the information associated with the request to an information control policy, the information control policy to control what types of information are requested from the resource and sent by the user device to the resource in view of the context of the request to access to the cloud service; and
  
  if the type of the information satisfies the information control policy, granting the user device access to the cloud service.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The non-transitory computer readable storage medium of claim 20, wherein the context of the request comprises at least one of an identity of a user, a type of the user device, a type of network, or a type of the cloud service.
  - 22. The non-transitory computer readable storage medium of claim 20, the operations further comprising:
    - if the context of the request does not satisfy the cloud service access policy, denying the request.
  - 23. The non-transitory computer readable storage medium of claim 20, wherein the type of information associated with the request comprises at least one of confidential information or public information.
  - 24. The non-transitory computer readable storage medium of claim 20, wherein comparing the type of information associated with the request to the information control policy comprises:
    - determining if the type of information is restricted;
      
      if the type of information is restricted, determining if the context of the request meets a requirement of the information control policy; and
      
      if the context of the request does not meet the requirement of the information control policy;
      
      determining if the requirement can be satisfied.
  - 25. The non-transitory computer readable storage medium of claim 24, the operations further comprising:
    - if the type of information is not restricted, granting the user device access to the cloud service; and
      
      if the context of the request does meet the requirement of the information control policy, granting the user device access to the cloud service.
  - 26. The non-transitory computer readable storage medium of claim 24, the operations further comprising:
    - if the requirement can be satisfied, performing an action to satisfy the condition; and
      
      if the requirement cannot be satisfied, denying the request to access the cloud service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Koeten, Robert, Popp, Nicolas
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Murphy, J. Brant

Application Number

US13/463,664
Time in Patent Office

1,601 Days
Field of Search

726/1, 726/8, 726/12, 726 27- 30
US Class Current

1/1
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/45   Structures or tools for the...

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 41/022   Multivendor or multi-standa...

H04L 41/0226   Mapping or translating mult...

H04L 41/0253   using browsers or web-pages...

H04L 41/22   comprising specially adapte...

H04L 41/28   Restricting access to netwo...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/30   Profiles

Unified access controls for cloud services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Unified access controls for cloud services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links