Method and system for visibility and control over access transactions between clouds using resource authorization messages
First Claim
1. A method comprising:
- detecting, by a computing system, an access transaction comprising one or more resource authorization messages transmitted via a resource authorization protocol, the access transaction pertaining to a consumer cloud requesting access to a protected resource hosted by a provider cloud;
- generating, by the computing system, relationship data based on the resource authorization messages, the relationship data including an identifier for the provider cloud hosting the protected resource, an identifier for the consumer cloud requesting the access to the protected resource, and an identifier for a resource owner that is granting the access to the protected resource, wherein the relationship data represents a relationship between the provider cloud, the consumer cloud, and the resource owner;
- storing policy data specifying cloud type criteria for access control actions;
- storing security profile data for the resource owner indicating a security level for the resource owner;
- generating a cloud trust model based on the relationship data, the security data, and the policy data, wherein the cloud trust model indicates a degree of the consumer cloud being a trusted cloud; and
- performing, by the computing system, an access control action in relation to the access transaction based on the relationship data, wherein the access control action is at least one of allowing the consumer cloud the access to the protected resource or denying the consumer cloud the access to the protected resource.
Abstract
A computing system detects an access transaction based on one or more resource authorization messages transmitted via a resource authorization protocol. The access transaction pertains to access of a protected resource by a consumer cloud, the protected resource hosted by a provider cloud. The computing system generates relationship data based on the resource authorization messages. The relationship data can indicate a resource owner that is granting the access, the consumer cloud, and/or the provider cloud. The computing system performs an access control action in relation to the access transaction based on the relationship data. The access control action can be allowing the consumer cloud access to the protected resource or denying the consumer cloud access to the protected resource.
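The steps in the claim and abstract, worked through as an added Python example (this is not the patent's or any vendor's code). It assumes OAuth 2.0 as the resource authorization protocol and that each message carries a transaction id; the message fields, cloud types, trust scores, thresholds and sample traffic are all constructed.

```python
from collections import defaultdict, namedtuple

Relationship = namedtuple("Relationship", "provider consumer owner")
# Policy data: cloud type criteria (minimum trust per cloud type); constructed.
POLICY = {"private": 0.2, "partner": 0.5, "public": 0.8}
# Base trust the trust model assigns to each cloud type; constructed.
BASE_TRUST = {"private": 0.9, "partner": 0.6, "public": 0.3}
# Constructed consumer cloud registry (id -> type) and owner security levels 1..3.
CLOUD_TYPES = {"crm.example": "partner", "hr.example": "private", "anon-app.example": "public"}
SECURITY_PROFILES = {"alice": 3, "bob": 1}
# Constructed sample traffic: two legs of transaction t1, transaction t2, and
# unrelated HTTP traffic (t3) that the detector must ignore.
SAMPLE = [
    {"protocol": "oauth2", "txn": "t1", "client_id": "crm.example",
     "resource_host": "docs.example", "resource_owner": "bob"},
    {"protocol": "oauth2", "txn": "t1", "client_id": "crm.example", "grant": "code"},
    {"protocol": "oauth2", "txn": "t2", "client_id": "anon-app.example",
     "resource_host": "docs.example", "resource_owner": "bob"},
    {"protocol": "http", "txn": "t3", "path": "/index.html"},
]

def detect_transactions(messages):
    """Group resource authorization messages into access transactions by txn id."""
    txns = defaultdict(list)
    for m in messages:
        if m.get("protocol") == "oauth2":  # skip non-authorization traffic
            txns[m["txn"]].append(m)
    return dict(txns)

def relationship_data(txn_messages):
    """Derive provider, consumer and owner identifiers from one transaction."""
    fields = {}
    for m in txn_messages:  # the first message carrying a field supplies it
        for key in ("resource_host", "client_id", "resource_owner"):
            if key in m:
                fields.setdefault(key, m[key])
    if len(fields) < 3:
        raise ValueError("incomplete relationship data: %s" % sorted(fields))
    return Relationship(fields["resource_host"], fields["client_id"], fields["resource_owner"])

def trust_degree(rel):  # trust model: degree in [0, 1] that the consumer is trusted
    return BASE_TRUST.get(CLOUD_TYPES.get(rel.consumer, ""), 0.0)

def decide(rel):
    """Access control action; a higher owner security level raises the bar."""
    ctype = CLOUD_TYPES.get(rel.consumer, "public")  # unregistered: treat as public
    required = POLICY[ctype] + 0.1 * (SECURITY_PROFILES.get(rel.owner, 3) - 1)
    return "allow" if trust_degree(rel) >= required else "deny"

def enforce(messages):  # decision for every detected access transaction
    return {t: decide(relationship_data(m)) for t, m in detect_transactions(messages).items()}
```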
17 Claims
1. A method comprising: the steps set out above under First Claim. Dependent claims: 2, 3, 4, 5, 6.
7. A system comprising:
- a memory; and
- a processing device coupled to the memory to:
- detect an access transaction comprising one or more resource authorization messages transmitted via a resource authorization protocol, the access transaction pertaining to a consumer cloud requesting access to a protected resource hosted by a provider cloud;
- generate relationship data based on the resource authorization messages, the relationship data including an identifier for the provider cloud hosting the protected resource, an identifier for the consumer cloud requesting the access to the protected resource, and an identifier for a resource owner that is granting the access to the protected resource, wherein the relationship data represents a relationship between the provider cloud, the consumer cloud, and the resource owner;
- store, into the memory, policy data specifying cloud type criteria for access control actions, and security profile data for the resource owner indicating a security level for the resource owner;
- generate a cloud trust model based on the relationship data, the security profile data, and the policy data, wherein the cloud trust model indicates a degree of the consumer cloud being a trusted cloud; and
- perform an access control action in relation to the access transaction based on the relationship data, wherein the access control action is at least one of allowing the consumer cloud the access to the protected resource or denying the consumer cloud the access to the protected resource.
Dependent claims: 8, 9, 10, 11, 12.
13. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform a method comprising:
- detecting an access transaction comprising one or more resource authorization messages transmitted via a resource authorization protocol, the access transaction pertaining to a consumer cloud requesting access to a protected resource hosted by a provider cloud;
- generating, by the processor, relationship data based on the resource authorization messages, the relationship data including an identifier for the provider cloud hosting the protected resource, an identifier for the consumer cloud requesting the access to the protected resource, and an identifier for a resource owner that is granting the access to the protected resource, wherein the relationship data represents a relationship between the provider cloud, the consumer cloud, and the resource owner;
- storing policy data specifying cloud type criteria for access control actions;
- storing security profile data for the resource owner indicating a security level for the resource owner;
- generating a cloud trust model based on the relationship data, the security profile data, and the policy data, wherein the cloud trust model indicates a degree of the consumer cloud being a trusted cloud; and
- performing an access control action in relation to the access transaction based on the relationship data, wherein the access control action is at least one of allowing the consumer cloud the access to the protected resource or denying the consumer cloud the access to the protected resource.
Dependent claims: 14, 15, 16, 17.