Securing services and intra-service communications

US 9,596,244 B1
Filed: 06/16/2011
Issued: 03/14/2017
Est. Priority Date: 06/16/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

under control of one or more processors specifically configured with executable instructions,receiving, by a security service from a service provider that is separate from the security service, a registration for a service provided by the service provider, the registration identifying one or more application programming interfaces (APIs) related to the service;

receiving, by the security service from a first service consumer and a second service consumer, a request to access the service, the requests including an identification of the one or more APIs related to the service to be accessed by the first service consumer and by the second service consumer, the one or more APIs configured to provide a quantity of information in response to access requests from service consumers;

in response to receiving the requests to access the service, sending, by the security service to the service provider, a request to approve the access to the service by the first service consumer and by the second service consumer;

receiving, by the security service, approval from the service provider allowing the access to the service by the service consumer;

issuing a respective secret key to the first service consumer and to the second service consumer for use by the first service consumer and by the second service consumer to provide authentication information when accessing the service; and

defining an access policy based, at least in part, on the registration and the request, the access policy;

limiting the first service consumer and the second service consumer access to the one or more APIs related to the service, and the access policy defining a subset of the quantity of information available to the first service consumer and to the second service consumer from the service provider via the one or more APIs, with the subset being different for the first service consumer and for the second service consumer and associated with a third party separate from the first and second service consumer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.

28 Citations

View as Search Results

30 Claims

1. A method comprising:
- under control of one or more processors specifically configured with executable instructions,receiving, by a security service from a service provider that is separate from the security service, a registration for a service provided by the service provider, the registration identifying one or more application programming interfaces (APIs) related to the service;
  
  receiving, by the security service from a first service consumer and a second service consumer, a request to access the service, the requests including an identification of the one or more APIs related to the service to be accessed by the first service consumer and by the second service consumer, the one or more APIs configured to provide a quantity of information in response to access requests from service consumers;
  
  in response to receiving the requests to access the service, sending, by the security service to the service provider, a request to approve the access to the service by the first service consumer and by the second service consumer;
  
  receiving, by the security service, approval from the service provider allowing the access to the service by the service consumer;
  
  issuing a respective secret key to the first service consumer and to the second service consumer for use by the first service consumer and by the second service consumer to provide authentication information when accessing the service; and
  
  defining an access policy based, at least in part, on the registration and the request, the access policy;
  
  limiting the first service consumer and the second service consumer access to the one or more APIs related to the service, and the access policy defining a subset of the quantity of information available to the first service consumer and to the second service consumer from the service provider via the one or more APIs, with the subset being different for the first service consumer and for the second service consumer and associated with a third party separate from the first and second service consumer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein the requests further include an estimation of a frequency that the one or more APIs are to be called by the first service consumer and by the second service consumer.
  - 3. The method as recited in claim 1, wherein defining the access policy specifies one or more features of the one or more APIs that the first service consumer and second service consumer are not permitted to access.
  - 4. The method as recited in claim 1, further comprising providing a runtime client to the service provider, the runtime client utilizing the access policy for responding to requests to access the service received from the first service consumer and from the second service consumer.
  - 5. The method as recited in claim 1, wherein access to the service is provided via a respective direct communication link between the service consumer and the first service consumer and the second service provider.
  - 6. The method as recited in claim 1, wherein first service consumer and the second service consumer access to the one or more APIs related to the service is provided, at the service provider, via a respective direct communication link between the first service consumer and the second service consumer and the service provider.
  - 7. The method as recited in claim 1, wherein the one or more processors comprises a component of a security service in communication with the first service consumer and with the second service consumer and the service provider, and wherein access to the one or more APIs related to the service is provided to the first service consumer and to the second service consumer via a communication link isolated from the security service.
  - 8. The method as recited in claim 7, wherein the first service consumer and the second service consumer have access to the one or more APIs related to the service is provided, at the service provider, via the communication link.
  - 9. The method as recited in claim 1, further comprising:
    - requesting, from the service consumer, a description indicating how the first service consumer and how the second service consumer intend to use the one or more APIs;
      
      receiving a usage description from the consumer, the usage description indicating how the first service consumer and how the second service consumer intend to use the one or more APIs; and
      
      generating the access policy based at least in part on the usage description.
  - 10. The method as recited in claim 1, further including:
    - providing a first set of information to the first service consumer in response to the first service consumer calling a first API using a first parameter; and
      
      providing a second set of information to the second service consumer calling the first API using the first parameter, wherein the second set of information is different from the first set of information, and the second service consumer is different from the first service consumer.

11. A method comprising:
- receiving, via one or more computing devices, a respective request from a first service consumer and from a second service consumer for authorization to access a service previously registered, the request including an estimated frequency at which the first service consumer and the second service consumer will access the service;
  
  requesting, via at least one of the one or more computing devices, from the first service consumer and from the second service consumer, a usage description associated with one or more application programming interfaces (APIs) of the service configured to provide a quantity of information in response to access requests from service consumers; and
  
  authorizing, via at least one of the one or more computing devices, the first service consumer and the second service consumer to access the service and have access to a subset of the quantity of information based, at least in part, on received approval from a provider of the service that is separate from the one or more computing devices, the subset being different for the first service consumer and for the second service consumer and associated with a third party separate from the first service consumer and from the second service consumer, and wherein the received approval is based at least in part on a response to the requesting of the usage description.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method as recited in claim 11, wherein the requests for authorization to access the service further include an identification of the one or more APIs.
  - 13. The method as recited in claim 11, wherein the requests for authorization to access the service further include contact information for a responsible party at the first service consumer and at the second service consumer.
  - 14. The method as recited in claim 11, further comprising establishing one or more access policies for the first service consumer and for the second service consumer with respect to the service based, at least in part, on the estimated frequency at which the service first service consumer and the second consumer will access the service and the response to the requesting of the usage description, the one or more access policies specifying a limitation on an ability of the first service consumer and of the second service consumer to access the one or more APIs.
  - 15. The method as recited in claim 14, further comprising providing an updated version of the one or more access policies to the service provider during a periodic synchronization of the one or more access policies with the service provider.
  - 16. The method as recited in claim 14, further comprising broadcasting changes to the one or more access policies to one or more third parties that monitor access authorizations of particular service consumers to particular services.
  - 17. The method as recited in claim 11, wherein authorizing the first service consumer and the second service consumer further comprises instructing a key management service to issue secret keys to the first service consumer and to the second service consumer and the service provider to enable the service provider to authenticate the first service consumer and the second service consumer when the first service consumer and the second service consumer accesses the service.
  - 18. The method as recited in claim 11, further comprising:
    - receiving log information from the service provider, the log information relating to access to the service by the first service consumer and by the second service consumer; and
      
      based at least in part on the log information, sending a notification to the service provider in response to detection of a violation of one or more access policies by the service consumer.
  - 19. The method as recited in claim 11, further comprising, prior to receiving the request from the first service consumer and from the second service consumer, receiving, from a service provider, a registration for the service provided by the service provider, the registration identifying the one or more APIs.
  - 20. The method as recited in claim 11, further comprising:
    - establishing one or more access policies for the first service consumer and for the second service consumer with respect to the service, the one or more access policies specifying a limitation on an ability of the service consumer to access the one or more APIs; and
      
      providing a runtime client to the service provider, the runtime client utilizing the one or more access policies for responding to requests to access the service received from the first service consumer and from the second service consumer.

21. A system comprising:
- at least one computing device configured to implement one or more modules, wherein the one or more modules are configured for;
  
  receiving a request from a first service consumer and from a second service consumer for authorization to access a service, the request including an estimated frequency at which the first service consumer and the second service consumer will access the service;
  
  requesting, from the first service consumer and from the second service consumer, a usage description associated with one or more API of the service configured to provide a quantity of information in response to access requests from service consumers; and
  
  authorizing the first service consumer and the second service consumer to access the service and have access to a subset of the quantity of information based, at least in part, on received approval from a service provider that is separate from the at least one computing device and that provides the service, wherein the received approval is based at least in part on a response to the requesting of the usage description, the subset being different for the first service consumer and for the second service consumer and associated with a third party separate from the first service consumer and from the second service consumer.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The system as recited in claim 21, wherein the one or more modules are further configured for, prior to receiving the requests from the first service consumer and from the second service consumer, receiving, from the service provider, a registration for the service provided by the service provider, the registration identifying the API related to the service.
  - 23. The system as recited in claim 22, wherein the one or more modules are further configured for defining an access policy based, at least in part, on the registration, the requests from the first service consumer and from the second service consumer, and the response to the requesting of the usage description, the access policy specifying a limitation on an ability of the first service consumer and of the second service consumer to access the service.
  - 24. The system as recited in claim 21, wherein the access requirements for accessing the service comprise a criticality of the service to the first service consumer and to the second service consumer'"'"'s operations.
  - 25. The system as recited in claim 21, wherein the service provider is a first service provider and the service is a first service, and wherein the one or more modules are further configured for:
    - receiving, from a second service provider, a registration for a second service provided by the second service provider;
      
      receiving, from the first service provider, a request for authorization to access the second service; and
      
      authorizing the first service provider to access the second service based, at least in part, on received approval from the second service provider.

26. A method comprising:
- receiving, by a computing device, a request from a first service consumer and a second service consumer for authorization to access a registered service configured to provide a quantity of information in response to access requests from service consumers, the request including an estimated frequency at which the first service consumer and at which the second service consumer will access the registered service; and
  
  based at least in part on received approval from a service provider that is separate from the computing device and that provides the registered service, establishing an access policy for the first service consumer and for the second service consumer in connection with the registered service, the access policy being established based, at least in part, on the estimated frequency, wherein the access policy limits access by the first service consumer and by the second service consumer to the registered service and limits access by the first service consumer and by the second service consumer to a subset of the quantity of information that is different for the first service consumer and for the second service consumer and associated with a third party separate from the first service consumer and from the second service consumer.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method as recited in claim 26, further comprising providing a runtime client to the service provider, the runtime client utilizing the access policy for responding to requests to access the registered service received from the first service consumer and from the second service consumer.
  - 28. The method as recited in claim 26, the request further including an identification of one or more application programming interfaces (APIs) related to the registered service that the service consumer intends to access, the method further including requesting, from the first service consumer and from the second service consumer, a usage description indicating how the first service consumer and the second service consumer intends to use one or more application programming interfaces (APIs) of the service.
  - 29. The method as recited in claim 28, wherein the access policy specifies one or more features of one or more application programming interfaces (APIs) related to the registered service that the first service consumer and the second service consumer are not permitted to access.
  - 30. The method as recited in claim 26, further comprising, prior to receiving the request from the first service consumer and from the second service consumer, receiving, from a service provider, a registration for registering a service as the registered service provided by the service provider, the registration identifying one or more application programming interfaces (APIs) related to the registered service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Kozolchyk, Jonathan, McAdams, Darin Keith, Fielding, Jeffrey J, Mallya, Vaibhav, Canavor, Darren E.
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Tran, Tri

Application Number

US13/162,343
Time in Patent Office

2,098 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Securing services and intra-service communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Securing services and intra-service communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links