Control of cloud application access for enterprise customers

US 9,692,759 B1
Filed: 04/14/2014
Issued: 06/27/2017
Est. Priority Date: 04/14/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of controlling access to cloud applications, the method comprising:

receiving network traffic between a cloud application client and a cloud application being accessed by the cloud application client;

examining the network traffic to identify the cloud application;

identifying an application handler in a plurality of application handlers for processing the network traffic involving the cloud application hosted by a particular server computer, each application handler in the plurality of application handlers being configured to process network traffic of a particular cloud application in a plurality of cloud applications to identify and log access to a corresponding cloud application, each of the plurality of cloud applications being hosted by a corresponding particular server computer;

forwarding the network traffic to the application handler; and

enforcing on the network traffic an application policy in a plurality of application policies;

generating a cloud access log that indicates the network traffic;

forwarding the cloud access log to a log analysis server over the Internet; and

generating a cloud access report based on the cloud access log,(a) wherein a first application policy in the plurality of application policies indicates blocking cloud applications that belong to a category of cloud applications, and wherein enforcing the application policy comprises determining a category of the cloud application and blocking the network traffic in response to determining that the cloud application belongs to the category of cloud applications,(b) wherein a second application policy in the plurality of application policies indicates which user can access which cloud application in the plurality of cloud applications, and wherein enforcing the application policy comprises determining a user of the cloud application client and blocking the network traffic in response to determining that the user is not authorized to access the cloud application, and(c) wherein a server that is hosting the cloud application is in a blacklist, and wherein enforcing the application policy comprises blocking the network traffic in accordance with the blacklist.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for controlling access to cloud applications includes a cloud security server that receives network traffic stream from cloud application clients of a private computer network. The cloud security server examines the network traffic stream to identify a cloud application that is associated with the network traffic stream and directs the network traffic stream to one of several application handlers that is configured to process network traffic stream for the cloud application. The application handler enforces on the network traffic stream an application policy that is applicable to the cloud application.

45 Citations

View as Search Results

8 Claims

1. A computer-implemented method of controlling access to cloud applications, the method comprising:
- receiving network traffic between a cloud application client and a cloud application being accessed by the cloud application client;
  
  examining the network traffic to identify the cloud application;
  
  identifying an application handler in a plurality of application handlers for processing the network traffic involving the cloud application hosted by a particular server computer, each application handler in the plurality of application handlers being configured to process network traffic of a particular cloud application in a plurality of cloud applications to identify and log access to a corresponding cloud application, each of the plurality of cloud applications being hosted by a corresponding particular server computer;
  
  forwarding the network traffic to the application handler; and
  
  enforcing on the network traffic an application policy in a plurality of application policies;
  
  generating a cloud access log that indicates the network traffic;
  
  forwarding the cloud access log to a log analysis server over the Internet; and
  
  generating a cloud access report based on the cloud access log,(a) wherein a first application policy in the plurality of application policies indicates blocking cloud applications that belong to a category of cloud applications, and wherein enforcing the application policy comprises determining a category of the cloud application and blocking the network traffic in response to determining that the cloud application belongs to the category of cloud applications,(b) wherein a second application policy in the plurality of application policies indicates which user can access which cloud application in the plurality of cloud applications, and wherein enforcing the application policy comprises determining a user of the cloud application client and blocking the network traffic in response to determining that the user is not authorized to access the cloud application, and(c) wherein a server that is hosting the cloud application is in a blacklist, and wherein enforcing the application policy comprises blocking the network traffic in accordance with the blacklist.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein enforcing the application policy comprises encrypting data to be provided to the cloud application.
  - 3. The method of claim 2, further comprising:
    - receiving an encryption key from a remote key server; and
      
      using the encryption key to encrypt the data to be provided to the cloud application.
  - 4. The method of claim 1, further comprising:
    - retrieving data from the network traffic;
      
      determining that the data comprise protected corporate data; and
      
      blocking the network traffic in response to determining that the data comprise protected corporate data.

5. A system for controlling access to cloud applications, the system comprising:
- a cloud application server hosting a first cloud application;
  
  a plurality of cloud application clients of a private computer network; and
  
  a cloud security server that receives over the Internet a network traffic stream from a first cloud application client in the plurality of cloud application clients, identifies the first cloud application in a plurality of cloud applications as being associated with the network traffic stream, directs the network traffic stream to a first application handler in a plurality of application handlers that is configured to identify and log access to the first cloud application hosted by the cloud application server, enforces on the network traffic stream an application policy rule in a plurality of application policy rules that is applicable to the first cloud application, and forwards the network traffic stream to the first cloud application when the application policy rule does not prohibit forwarding of the network stream to the first cloud application, generates a cloud access boa that indicates the network traffic stream, forwards the cloud access log to a log analysis server over the Internet, and generates a cloud access report based on the cloud access log,(a) wherein a first application policy rule in the plurality of application policy rules indicates blocking cloud applications that belong to a category of cloud applications, and wherein the application policy rule is enforced by determining a category of the first cloud application and blocking the network traffic stream in response to determining that the first cloud application belongs to the category of cloud applications,(b) wherein a second application policy rule in the plurality of application policy rules indicates which user can access which cloud application, and wherein the application policy rule is enforced by determining a user of the first cloud application and blocking the network traffic stream in response to determining that the user is not authorized to access the first cloud application, and(c) wherein the cloud application server is in a blacklist, and wherein the application policy rule is enforced by blocking the network traffic stream in accordance with the blacklist.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, further comprising:
    - a key server that provides an encryption key to the cloud security server over the Internet when the application policy rule dictates encrypting data to be received by the first cloud application.
  - 7. The system of claim 5, further comprising:
    - an application reputation server that provides over the Internet reputation information of the first cloud application.
  - 8. The system of claim 5, further comprising:
    - a cloud access controller that receives the cloud access report and forwards to the cloud security server another application policy that is based on the cloud access report, wherein the cloud access controller belongs to the private computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Chandrasekhar, Bharath Kumar
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Corum, Jr., William

Application Number

US14/252,557
Time in Patent Office

1,170 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 9/3247   involving digital signatures

Control of cloud application access for enterprise customers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Control of cloud application access for enterprise customers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links