Dynamic user identification and policy enforcement in cloud-based secure web gateways
First Claim
1. A cloud-based gateway, comprising:
- a network interface communicatively coupled to a network;
- a processor; and
- memory storing instructions that, when executed, cause the processor to:
  - dynamically associate traffic received on the network interface with users to form a dynamic association, wherein the traffic comprises a combination of authenticated traffic and unknown traffic, wherein the authenticated traffic is associated to an authenticated user and the unknown traffic is associated to an associated user of a destination Internet Protocol (IP) address from the unknown traffic;
  - maintain the dynamic association over time, wherein the dynamic association is maintained over time by updating the dynamic association based on newly received authenticated HTTP traffic, on pre-defined time thresholds for expiring associations, and on detecting collisions of multiple users on the destination IP address; and
  - apply policies to the traffic based on the dynamic association.
Abstract
A cloud-based secure Web gateway, a cloud-based secure Web method, and a network deliver a secure Web gateway (SWG) as a cloud-based service to organizations and provide dynamic user identification and policy enforcement therein. As a cloud-based service, the SWG systems and methods provide scalability and the capability of accommodating multiple organizations with proper isolation between them. There are two basic requirements for the cloud-based SWG: (i) having some means of forwarding traffic from the organization or its users to the SWG nodes, and (ii) being able to authenticate the organization and users for policy enforcement and access logging. The SWG systems and methods dynamically associate traffic to users regardless of the source (device, location, encryption, application type, etc.), and once traffic is tagged to a user/organization, various policies can be enforced and audit logs of user access can be maintained.
Claims (20 claims; 46 citations)
1. A cloud-based gateway, comprising the elements recited under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A cloud-based gateway method, implemented by a gateway server, comprising:
- dynamically associating traffic received on a network with users to form a dynamic association, wherein the traffic comprises a combination of authenticated traffic and unknown traffic, wherein the authenticated traffic is associated to an authenticated user and the unknown traffic is associated to an associated user of a destination Internet Protocol (IP) address from the unknown traffic;
- maintaining the dynamic association over time by updating the dynamic association based on newly received authenticated HTTP traffic, on pre-defined time thresholds for expiring associations, and on detecting collisions of multiple users on the destination IP address;
- applying policies to the traffic based on the dynamic association.
Dependent claims: 12, 13, 14, 15, 16, 17.
18. A network, comprising:
- a distributed cloud-based security system coupled to the Internet;
- a plurality of cloud-based gateways within the distributed cloud-based security system; and
- a plurality of users accessing the Internet through the distributed cloud-based security system;
- wherein each of the plurality of cloud-based gateways is configured to:
  - dynamically associate traffic received on the network interface with users to form a dynamic association, wherein the traffic comprises a combination of authenticated traffic and unknown traffic, wherein the authenticated traffic is associated to an authenticated user and the unknown traffic is associated to an associated user of a destination Internet Protocol (IP) address from the unknown traffic;
  - maintain the dynamic association over time, wherein the dynamic association is maintained over time by updating the dynamic association based on newly received authenticated HTTP traffic, on pre-defined time thresholds for expiring associations, and on detecting collisions of multiple users on the destination IP address; and
  - apply policies to the traffic based on the dynamic association.
Dependent claims: 19, 20.
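As an added illustration (not code from the patent or its assignee), the following Python sketch implements the association table the abstract and the independent claims describe: authenticated HTTP traffic learns which user is behind a destination IP, unknown traffic is attributed through that table, entries expire after a pre-defined threshold, and a collision of multiple users on the same destination IP makes the traffic unattributable, so the organization-wide default policy applies instead of a per-user one. The expiry value, IP addresses, user names and block lists are constructed assumptions; the patent names none of them.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

EXPIRY_SECONDS = 600.0  # assumed pre-defined expiry threshold; the patent names no value


@dataclass
class Association:
    users: Set[str] = field(default_factory=set)  # users authenticated to this destination IP
    last_seen: float = 0.0                        # time of the latest authenticated HTTP flow


class DynamicAssociationTable:
    """Destination IP -> user association learned from authenticated HTTP traffic."""

    def __init__(self, expiry: float = EXPIRY_SECONDS) -> None:
        self.expiry = expiry
        self.table: Dict[str, Association] = {}

    def _live(self, dst_ip: str, now: float) -> Optional[Association]:
        """Return the association for dst_ip unless it has passed the expiry threshold."""
        assoc = self.table.get(dst_ip)
        if assoc is not None and now - assoc.last_seen > self.expiry:
            del self.table[dst_ip]  # expired: forget it rather than attribute stale traffic
            return None
        return assoc

    def update_authenticated(self, user: str, dst_ip: str, now: float) -> None:
        """Authenticated HTTP flow: (re)learn which user is behind dst_ip."""
        assoc = self._live(dst_ip, now) or self.table.setdefault(dst_ip, Association())
        assoc.users.add(user)  # a second distinct user on the same dst_ip is a collision
        assoc.last_seen = now

    def resolve_unknown(self, dst_ip: str, now: float) -> Optional[str]:
        """Unknown (unauthenticated) flow: attribute it only if exactly one user is associated."""
        assoc = self._live(dst_ip, now)
        if assoc is None or len(assoc.users) != 1:
            return None  # unseen, expired, or collided: cannot be tied to a single user
        return next(iter(assoc.users))


def apply_policy(table, dst_ip, now, authenticated_user=None, user_block=None,
                 org_default="deny"):
    """Return (attributed user, decision); unattributable traffic gets the org default."""
    if authenticated_user is not None:
        table.update_authenticated(authenticated_user, dst_ip, now)
        user = authenticated_user
    else:
        user = table.resolve_unknown(dst_ip, now)
    if user is None:
        return None, org_default
    blocked = (user_block or {}).get(user, set())  # per-user block list, constructed by caller
    return user, ("deny" if dst_ip in blocked else "allow")
```

A deny-by-default `org_default` is the conservative choice here: once an association has expired or collided, the gateway can no longer prove which user a flow belongs to, and a per-user allow should not be inherited by traffic it cannot attribute.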
Specification