Method and system for visibility and control over access transactions between clouds using resource authorization messages

US 9,813,418 B1
Filed: 01/05/2015
Issued: 11/07/2017
Est. Priority Date: 07/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, by a computing system, an access transaction comprising one or more resource authorization messages transmitted via a resource authorization protocol, the access transaction pertaining to a consumer cloud requesting access to a protected resource hosted by a provider cloud;

generating, by the computing system, relationship data based on the resource authorization messages, the relationship data including an identifier for the provider cloud hosting the protected resource, an identifier for the consumer cloud requesting the access to the protected resource, and an identifier for a resource owner that is granting the access to the protected resource, wherein the relationship data represents a relationship between the provider cloud, the consumer cloud, and the resource owner;

storing policy data specifying cloud type criteria for access control actions;

storing security profile data for the resource owner indicating a security level for the resource owner;

generating a cloud trust model based on the relationship data, the security data, and the policy data, wherein the cloud trust model indicates a degree of the consumer cloud being a trusted cloud; and

performing, by the computing system, an access control action in relation to the access transaction based on the relationship data, wherein the access control action is at least one of allowing the consumer cloud the access to the protected resource or denying the consumer cloud the access to the protected resource.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing system detects an access transaction based on one or more resource authorization messages transmitted via a resource authorization protocol. The access transaction pertains to access of a protected resource by a consumer cloud, the protected resource hosted by a provider cloud. The computing system generates relationship data based on the resource authorization messages. The relationship data can indicate a resource owner that is granting the access, the consumer cloud, and/or the provider cloud. The computing system performs an access control action in relation to the access transaction based on the relationship data. The access control action can be allowing the consumer cloud access to the protected resource or denying the consumer cloud access to the protected resource.

14 Citations

View as Search Results

17 Claims

1. A method comprising:
- detecting, by a computing system, an access transaction comprising one or more resource authorization messages transmitted via a resource authorization protocol, the access transaction pertaining to a consumer cloud requesting access to a protected resource hosted by a provider cloud;
  
  generating, by the computing system, relationship data based on the resource authorization messages, the relationship data including an identifier for the provider cloud hosting the protected resource, an identifier for the consumer cloud requesting the access to the protected resource, and an identifier for a resource owner that is granting the access to the protected resource, wherein the relationship data represents a relationship between the provider cloud, the consumer cloud, and the resource owner;
  
  storing policy data specifying cloud type criteria for access control actions;
  
  storing security profile data for the resource owner indicating a security level for the resource owner;
  
  generating a cloud trust model based on the relationship data, the security data, and the policy data, wherein the cloud trust model indicates a degree of the consumer cloud being a trusted cloud; and
  
  performing, by the computing system, an access control action in relation to the access transaction based on the relationship data, wherein the access control action is at least one of allowing the consumer cloud the access to the protected resource or denying the consumer cloud the access to the protected resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the resource authorization protocol is Open Authentication (OAuth) protocol.
  - 3. The method of claim 1, further comprising:
    - detecting a subsequent access transaction based on one or more subsequent resource authorization messages, the access transaction pertaining to the access of the protected resource by the consumer cloud;
      
      generating the relationship data based on the subsequent resource authorization messages; and
      
      updating the cloud trust model based on the relationship data pertaining to the subsequent access transaction.
  - 4. The method of claim 1, further comprising:
    - implementing the cloud trust model as a graph model, the graph model comprising nodes and edges connecting at least a subset of the nodes, the nodes representing users, consumer clouds, and provider clouds, and the edges representing relationships between the nodes; and
      
      determining the access control action to be performed using a belief propagation technique and the graph model.
  - 5. The method of claim 1, wherein detecting the access transaction comprises:
    - accessing the one or more resource authorization messages originating from outside an enterprise firewall.
  - 6. The method of claim 1, wherein the relationship data further comprises the protected resource to be accessed.

7. A system comprising:
- a memory; and
  
  a processing device coupled to the memory to;
  
  detect an access transaction comprising one or more resource authorization messages transmitted via a resource authorization protocol, the access transaction pertaining to a consumer cloud requesting access to a protected resource hosted by a provider cloud;
  
  generate relationship data based on the resource authorization messages, the relationship data including an identifier for the provider cloud hosting the protected resource, an identifier for the consumer cloud requesting the access to the protected resource, and an identifier for a resource owner that is granting the access to the protected resource, wherein the relationship data represents a relationship between the provider cloud, the consumer cloud, and the resource owner;
  
  store, into the memory, policy data specifying cloud type criteria for access control actions, and security profile data for the resource owner indicating a security level for the resource owner;
  
  generating a cloud trust model based on the relationship data, the security profile data, and the policy data, wherein the cloud trust model indicates a degree of the consumer cloud being a trusted cloud; and
  
  perform an access control action in relation to the access transaction based on the relationship data, wherein the access control action is at least one of allowing the consumer cloud the access to the protected resource or denying the consumer cloud the access to the protected resource.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the resource authorization protocol is Open Authorization (OAuth) protocol.
  - 9. The system of claim 7, wherein the processing device is further to:
    - detect a subsequent access transaction based on one or more subsequent resource authorization messages, the access transaction pertaining to the access of the protected resource by the consumer cloud;
      
      generate the relationship data based on the subsequent resource authorization messages; and
      
      update the cloud trust model based on the relationship data pertaining to the subsequent access transaction.
  - 10. The system of claim 7, wherein the processing device is further to:
    - implement the cloud trust model as a graph model, the graph model comprising nodes and edges connecting at least a subset of the nodes, the nodes representing users, consumer clouds, and provider clouds, and the edges representing relationships between the nodes; and
      
      determine the access control action to be performed using a belief propagation technique and the graph model.
  - 11. The system of claim 7, further comprising:
    - at least one of a reverse proxy and a forward proxy to intercept the one or more resource authorization messages originating from outside an enterprise firewall.
  - 12. The system of claim 11, wherein the processing device is to detect the access transaction by:
    - accessing the resource authorization messages originating from outside the enterprise firewall.

13. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform a method comprising:
- detecting an access transaction comprising one or more resource authorization messages transmitted via a resource authorization protocol, the access transaction pertaining to a consumer cloud requesting access to a protected resource hosted by a provider cloud;
  
  generating, by the processor, relationship data based on the resource authorization messages, the relationship data including an identifier for the provider cloud hosting the protected resource, an identifier for the consumer cloud requesting the access to the protected resource, and an identifier for a resource owner that is granting the access to the protected resource, wherein the relationship data represents a relationship between the provider cloud, the consumer cloud, and the resource owner;
  
  storing policy data specifying cloud type criteria for access control actions;
  
  storing security profile data for the resource owner indicating a security level for the resource owner;
  
  generating a cloud trust model based on the relationship data, the security profile data, and the policy data, wherein the cloud trust model indicates a degree of the consumer cloud being a trusted cloud; and
  
  performing an access control action in relation to the access transaction based on the relationship data, wherein the access control action is at least one of allowing the consumer cloud the access to the protected resource or denying the consumer cloud the access to the protected resource.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein the resource authorization protocol is Open Authentication (OAuth) protocol.
  - 15. The non-transitory computer readable storage medium of claim 13, further comprising:
    - detecting a subsequent access transaction based on one or more subsequent resource authorization messages, the access transaction pertaining to the access of the protected resource by the consumer cloud;
      
      generating the relationship data based on the subsequent resource authorization messages; and
      
      updating the cloud trust model based on the relationship data pertaining to the subsequent access transaction.
  - 16. The non-transitory computer readable storage medium of claim 13, further comprising:
    - implementing the cloud trust model as a graph model, the graph model comprising nodes and edges connecting at least a subset of the nodes, the nodes representing users, consumer clouds, and provider clouds, and the edges representing relationships between the nodes; and
      
      determining the access control action to be performed using a belief propagation technique and the graph model.
  - 17. The non-transitory computer readable storage medium of claim 13, wherein detecting the access transaction comprises:
    - accessing the one or more resource authorization messages originating from outside an enterprise firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Banerjee, Deb
Primary Examiner(s)
Lagor, Alexander

Application Number

US14/589,936
Time in Patent Office

1,037 Days
Field of Search

709217, 709223, 726 1, 726 3- 9, 713168
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/6245   Protecting personal data, e...

H04L 63/0407   wherein the identity of one...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Method and system for visibility and control over access transactions between clouds using resource authorization messages

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for visibility and control over access transactions between clouds using resource authorization messages

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links