Policy engine for cloud platform

US 9,560,079 B1
Filed: 06/12/2015
Issued: 01/31/2017
Est. Priority Date: 04/26/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting, by a policy engine process running on one or more computers associated with an organization, a communications packet that includes a cloud controller command and a command payload for managing a web application belonging to the organization in a cloud computing environment;

determining, by the policy engine process, that a particular set of rules corresponds to the cloud controller command of the intercepted packet and that the intercepted packet does not comply with the particular set of rules, wherein the particular set of rules is one of a plurality of sets of rules, and each set of rules represents a respective policy of the organization and corresponds to a respective cloud controller command;

in response, editing, by the policy engine process, the command payload of the intercepted packet to generate a modified packet that complies with the particular set of rules; and

forwarding, by the policy engine process, the modified packet rather than the intercepted packet to the cloud computing environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy engine is situated within the communications path of a cloud computing environment and a user of the cloud computing environment to comply with an organization'"'"'s policies for deploying web applications in the cloud computing environment. The policy engine intercepts communications packets to the cloud computing environment from a user, such as a web application developer, for example, in preparation for deploying a web application in the cloud computing environment. The policy engine identifies commands corresponding to the communications packets and directs the communications packets to appropriate rules engines corresponding to such commands in order to execute rules to comply with an organization'"'"'s policies. Upon completion of execution of the rules, the communications packets are forwarded to the cloud computing environment if they comply with the policies.

Citations

24 Claims

1. A method comprising:
- intercepting, by a policy engine process running on one or more computers associated with an organization, a communications packet that includes a cloud controller command and a command payload for managing a web application belonging to the organization in a cloud computing environment;
  
  determining, by the policy engine process, that a particular set of rules corresponds to the cloud controller command of the intercepted packet and that the intercepted packet does not comply with the particular set of rules, wherein the particular set of rules is one of a plurality of sets of rules, and each set of rules represents a respective policy of the organization and corresponds to a respective cloud controller command;
  
  in response, editing, by the policy engine process, the command payload of the intercepted packet to generate a modified packet that complies with the particular set of rules; and
  
  forwarding, by the policy engine process, the modified packet rather than the intercepted packet to the cloud computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining that the intercepted packet does not comply with the particular set of rules comprises obtaining policy data from a networked service and determining that the intercepted packet does not comply with the policy data.
  - 3. The method of claim 1, further comprising:
    - receiving, by the policy engine process, a response from the cloud computing environment intended for a user device associated with the communications packet;
      
      determining, by the policy engine process, that a second set of rules corresponds to the response received from the cloud computing environment and that the intercepted response complies with the second set of rules, wherein the second set of rules represents a second policy of the organization; and
      
      in response, forwarding, by the policy engine process, the response to the user device.
  - 4. The method of claim 1, wherein intercepting, by the policy engine process, the communications packet comprises intercepting the communications packet by a policy engine process running on a proxy server at the organization.
  - 5. The method of claim 1, further comprising:
    - intercepted, by the policy engine process, a second communications packet that includes a second cloud controller command and a second command payload for managing the web application belonging to the organization in the cloud computing environment;
      
      determining that the second communications packet does not comply with a second set of rules representing a second policy of the organization; and
      
      in response, rejecting the intercepted second communications packet rather than forwarding the second communications packet to the cloud computing environment.
  - 6. The method of claim 1, wherein the cloud controller command relates to providing configuration information for the web application to a cloud controller in the cloud computing environment, deploying another web application in the cloud computing environment, starting a web application deployed in the cloud computing environment, or stopping a web application executing in the cloud computing environment.
  - 7. The method of claim 1, further comprising:
    - receiving authentication credentials for a user on a local authentication system for the organization;
      
      obtaining, by the policy engine process, a federated token for the user; and
      
      including the federal token for the user in the modified packet when forwarding the modified packet to the cloud computing environment.
  - 8. The method of claim 1, further comprising:
    - identifying a federated token associated with a user associated with the intercepted communications packet, wherein the determination that the intercepted packet does not comply with the particular set of rules is based on a role of the user associated with the federated token.

9. A system comprising:
- one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  intercepting, by a policy engine process running on one or more computers associated with an organization, a communications packet that includes a cloud controller command and a command payload for managing a web application belonging to the organization in a cloud computing environment;
  
  determining, by the policy engine process, that a particular set of rules corresponds to the cloud controller command of the intercepted packet and that the intercepted packet does not comply with the particular set of rules, wherein the particular set of rules is one of a plurality of sets of rules, and each set of rules represents a respective policy of the organization and corresponds to a respective cloud controller command;
  
  in response, editing, by the policy engine process, the command payload of the intercepted packet to generate a modified packet that complies with the particular set of rules; and
  
  forwarding, by the policy engine process, the modified packet rather than the intercepted packet to the cloud computing environment.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein determining that the intercepted packet does not comply with the particular set of rules comprises obtaining policy data from a networked service and determining that the intercepted packet does not comply with the policy data.
  - 11. The system of claim 9, wherein the operations further comprise:
    - receiving, by the policy engine process, a response from the cloud computing environment intended for a user device associated with the communications packet;
      
      determining, by the policy engine process, that a second set of rules corresponds to the response received from the cloud computing environment and that the intercepted response complies with the second set of rules, wherein the second set of rules represents a second policy of the organization; and
      
      in response, forwarding, by the policy engine process, the response to the user device.
  - 12. The system of claim 9, wherein intercepting, by the policy engine process, the communications packet comprises intercepting the communications packet by a policy engine process running on a proxy server at the organization.
  - 13. The system of claim 9, wherein the operations further comprise:
    - intercepted, by the policy engine process, a second communications packet that includes a second cloud controller command and a second command payload for managing the web application belonging to the organization in the cloud computing environment;
      
      determining that the second communications packet does not comply with a second set of rules representing a second policy of the organization; and
      
      in response, rejecting the intercepted second communications packet rather than forwarding the second communications packet to the cloud computing environment.
  - 14. The system of claim 9, wherein the cloud controller command relates to providing configuration information for the web application to a cloud controller in the cloud computing environment, deploying another web application in the cloud computing environment, starting a web application deployed in the cloud computing environment, or stopping a web application executing in the cloud computing environment.
  - 15. The system of claim 9, wherein the operations further comprise:
    - receiving authentication credentials for a user on a local authentication system for the organization;
      
      obtaining, by the policy engine process, a federated token for the user; and
      
      including the federal token for the user in the modified packet when forwarding the modified packet to the cloud computing environment.
  - 16. The system of claim 9, wherein the operations further comprise:
    - identifying a federated token associated with a user associated with the intercepted communications packet, wherein the determination that the intercepted packet does not comply with the particular set of rules is based on a role of the user associated with the federated token.

17. A computer program product, encoded on one or more non-transitory computer storage media, comprising instructions that when executed by one or more computers cause the one or more computers to perform operations comprising:
- intercepting, by a policy engine process installed on one or more computers associated with an organization, a communications packet that includes a cloud controller command and a command payload for managing a web application belonging to the organization in a cloud computing environment;
  
  determining, by the policy engine process, that a particular set of rules corresponds to the cloud controller command of the intercepted packet and that the intercepted packet does not comply with the particular set of rules, wherein the particular set of rules is one of a plurality of sets of rules, and each set of rules represents a respective policy of the organization and corresponds to a respective cloud controller command;
  
  in response, editing, by the policy engine process, the command payload of the intercepted packet to generate a modified packet that complies with the particular set of rules; and
  
  forwarding, by the policy engine process, the modified packet rather than the intercepted packet to the cloud computing environment.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product of claim 17, wherein determining that the intercepted packet does not comply with the particular set of rules comprises obtaining policy data from a networked service and determining that the intercepted packet does not comply with the policy data.
  - 19. The computer program product of claim 17, wherein the operations further comprise:
    - receiving, by the policy engine process, a response from the cloud computing environment intended for a user device associated with the communications packet;
      
      determining, by the policy engine process, that a second set of rules corresponds to the response received from the cloud computing environment and that the intercepted response complies with the second set of rules, wherein the second set of rules represents a second policy of the organization; and
      
      in response, forwarding, by the policy engine process, the response to the user device.
  - 20. The computer program product of claim 17, wherein intercepting, by the policy engine process, the communications packet comprises intercepting the communications packet by a policy engine process installed on a proxy server at the organization.
  - 21. The computer program product of claim 17, wherein the operations further comprise:
    - intercepted, by the policy engine process, a second communications packet that includes a second cloud controller command and a second command payload for managing the web application belonging to the organization in the cloud computing environment;
      
      determining that the second communications packet does not comply with a second set of rules representing a second policy of the organization; and
      
      in response, rejecting the intercepted second communications packet rather than forwarding the second communications packet to the cloud computing environment.
  - 22. The computer program product of claim 17, wherein the cloud controller command relates to providing configuration information for the web application to a cloud controller in the cloud computing environment, deploying another web application in the cloud computing environment, starting a web application deployed in the cloud computing environment, or stopping a web application executing in the cloud computing environment.
  - 23. The computer program product of claim 17, wherein the operations further comprise:
    - receiving authentication credentials for a user on a local authentication system for the organization;
      
      obtaining, by the policy engine process, a federated token for the user; and
      
      including the federal token for the user in the modified packet when forwarding the modified packet to the cloud computing environment.
  - 24. The computer program product of claim 17, wherein the operations further comprise:
    - identifying a federated token associated with a user associated with the intercepted communications packet, wherein the determination that the intercepted packet does not comply with the particular set of rules is based on a role of the user associated with the federated token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pivotal Software, Inc. (Broadcom, Inc.)
Original Assignee
Pivotal Software, Inc. (Broadcom, Inc.)
Inventors
Laddad, Ramnivas, Lucovsky, Mark, Collison, Derek, Spivak, Vadim, Chen, Gerald C.
Primary Examiner(s)
Lee, Jason

Application Number

US14/738,558
Time in Patent Office

599 Days
Field of Search

726/7
US Class Current

1/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/629   to features or functions of...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 63/0245   Filtering by information in...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

Policy engine for cloud platform

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Policy engine for cloud platform

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links