Enforcing runtime policies in a networked computing environment

US 9,973,539 B2
Filed: 08/19/2016
Issued: 05/15/2018
Est. Priority Date: 07/03/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for enforcing runtime policies relating to execution of computer code and data of an application, in a networked computing environment, comprising:

applying a first annotation to a first portion of computer code, the first annotation being attached during development to the first portion of computer code and comprising metadata defining a set of runtime policies for executing the first portion of computer code and associated data, wherein the runtime policies of the first annotation comprise a geographic location restriction for performing execution of the first portion of the computer code;

applying a second annotation to a second portion of computer code, the second annotation being attached during development to the second portion of computer code and comprising metadata defining a set of runtime policies for executing the second portion of computer code and associated data, wherein the runtime policies of the second annotation comprise a different geographic location restriction for performing execution of the second portion of the computer code;

receiving a request to run an application;

dynamically determining whether a set of parameters satisfy a set of conditions precedent defined in the sets of runtime policies for execution of the computer code and the data of the application; and

enforcing, at a runtime of the application, the set of runtime policies for executing the computer code by running the first portion of the computer code without running the second portion of the computer code based on satisfaction of the first geographic location restriction and non-satisfaction of the second geographic location restriction of the set of conditions precedent.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide approaches for enforcing runtime policies in a networked computing environment (e.g., a cloud computing environment). Specifically, in a typical embodiment, computer code and data of an application is annotated with metadata defining a set of runtime policies for executing the computer code and data. Once a request is received to run the application, a set of parameters (e.g., geographic location) corresponding to the execution of the computer code and data of the application is dynamically determined, and compared to the runtime policies. The runtime policies for executing the computer code and data are then enforced at runtime. This includes either running the application, or preventing the running of the application in the case that the set of parameters corresponding to the execution of the computer code and data of the application do not satisfy the runtime policies.

Citations

20 Claims

1. A computer-implemented method for enforcing runtime policies relating to execution of computer code and data of an application, in a networked computing environment, comprising:
- applying a first annotation to a first portion of computer code, the first annotation being attached during development to the first portion of computer code and comprising metadata defining a set of runtime policies for executing the first portion of computer code and associated data, wherein the runtime policies of the first annotation comprise a geographic location restriction for performing execution of the first portion of the computer code;
  
  applying a second annotation to a second portion of computer code, the second annotation being attached during development to the second portion of computer code and comprising metadata defining a set of runtime policies for executing the second portion of computer code and associated data, wherein the runtime policies of the second annotation comprise a different geographic location restriction for performing execution of the second portion of the computer code;
  
  receiving a request to run an application;
  
  dynamically determining whether a set of parameters satisfy a set of conditions precedent defined in the sets of runtime policies for execution of the computer code and the data of the application; and
  
  enforcing, at a runtime of the application, the set of runtime policies for executing the computer code by running the first portion of the computer code without running the second portion of the computer code based on satisfaction of the first geographic location restriction and non-satisfaction of the second geographic location restriction of the set of conditions precedent.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising dynamically determining a set of parameters corresponding to the execution of the computer code and the data of the application.
  - 3. The computer-implemented method of claim 2, further comprising comparing the set of parameters corresponding to the execution of the computer code and the data of the application with the set of runtime policies.
  - 4. The computer-implemented method of claim 3, wherein the enforcing is performed based on the comparing.
  - 5. The computer-implemented method of claim 4, the set of parameters corresponding to the execution of the computer code and data of the application comprising at least one of:
    - time, industry regulations, government regulations, and financial limits on computing power.
  - 6. The computer-implemented method of claim 1, the networked computing environment comprising a cloud computing environment.
  - 7. The computer-implemented method of claim 1, further comprising receiving a set of annotations from an annotation library, each annotation of the library capable of operating in the cloud computing environment.

8. A system for enforcing runtime policies relating to execution of computer code and data of an application, in a networked computing environment, comprising:
- a memory medium comprising instructions;
  
  a bus coupled to the memory medium; and
  
  a processor coupled to the bus that when executing the instructions causes the system to;
  
  apply a first annotation to a first portion of computer code, the first annotation being attached during development to the first portion of computer code and comprising metadata defining a set of runtime policies for executing the first portion of computer code and associated data, wherein the runtime policies of the first annotation comprise a geographic location restriction for performing execution of the first portion of the computer code;
  
  apply a second annotation to a second portion of computer code, the second annotation being attached during development to the second portion of computer code and comprising metadata defining a set of runtime policies for executing the second portion of computer code and associated data, wherein the runtime policies of the second annotation comprise a different geographic location restriction for performing execution of the second portion of the computer code;
  
  receive a request to run an application;
  
  dynamically determine whether a set of parameters satisfy a set of conditions precedent defined in the sets of runtime policies for execution of the computer code and the data of the application; and
  
  enforce, at a runtime of the application, the set of runtime policies for executing the computer code by running the first portion of the computer code without running the second portion of the computer code based on satisfaction of the first geographic location restriction and non-satisfaction of the second geographic location restriction of the set of conditions precedent.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, the instructions further causing the system to dynamically determine a set of parameters corresponding to the execution of the computer code and the data of the application.
  - 10. The system of claim 9, the instructions further causing the system to dynamically compare the set of parameters corresponding to the execution of the computer code and the data of the application with the set of runtime policies.
  - 11. The system of claim 10, wherein the enforcing is performed based on the comparing.
  - 12. The system of claim 8, the set of parameters corresponding to the execution of the computer code and data of the application further comprising at least one of:
    - time, industry regulations, government regulations, and financial limits on computing power.
  - 13. The system of claim 8, the networked computing environment comprising a cloud computing environment.
  - 14. The system of claim 13, the instructions further causing the system to receive a set of annotations from an annotation library, each annotation of the library capable of operating in the cloud computing environment.

15. A computer program product for enforcing runtime policies relating to execution of computer code and data of an application, in a networked computing environment, the computer program product comprising a computer readable hardware storage device, and program instructions stored on the computer readable hardware storage device, to:
- apply a first annotation to a first portion of computer code, the first annotation being attached during development to the first portion of computer code and comprising metadata defining a set of runtime policies for executing the first portion of computer code and associated data, wherein the runtime policies of the first annotation comprise a geographic location restriction for performing execution of the first portion of the computer code;
  
  apply a second annotation to a second portion of computer code, the second annotation being attached during development to the second portion of computer code and comprising metadata defining a set of runtime policies for executing the second portion of computer code and associated data, wherein the runtime policies of the second annotation comprise a different geographic location restriction for performing execution of the second portion of the computer code;
  
  receive a request to run an application;
  
  dynamically determine whether a set of parameters satisfy a set of conditions precedent defined in the sets of runtime policies for execution of the computer code and the data of the application; and
  
  enforce, at a runtime of the application, the set of runtime policies for executing the computer code by running the first portion of the computer code without running the second portion of the computer code based on satisfaction of the first geographic location restriction and non-satisfaction of the second geographic location restriction of the set of conditions precedent.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, the computer readable hardware storage device further comprising instructions to dynamically determine a set of parameters corresponding to the execution of the computer code and the data of the application.
  - 17. The computer program product of claim 16, the computer readable hardware storage device further comprising instructions to dynamically compare the set of parameters corresponding to the execution of the computer code and the data of the application with the set of runtime policies.
  - 18. The computer program product of claim 17, wherein the enforcing is performed based on the comparing.
  - 19. The computer program product of claim 15, the networked computing environment comprising a cloud computing environment.
  - 20. The computer program product of claim 18, the set of parameters corresponding to the execution of the computer code and data of the application comprising at least one of:
    - time, industry regulations, government regulations, and financial limits on computing power.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Workday Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Abuelsaad, Kelly, DeLuca, Lisa Seacat, Jang, Soobaek, Krook, Daniel C.
Primary Examiner(s)
Thieu, Benjamin M

Application Number

US15/241,226
Publication Number

US 20160359920A1
Time in Patent Office

634 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/121   Restricting unauthorised ex...

G06F 21/123   by using dedicated hardware...

G06F 21/6209   to a single file or object,...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 41/0893   Assignment of logical group...

H04L 41/5096   wherein the managed service...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/52   specially adapted for the l...

H04W 12/08   Access security

H04W 12/63   Location-dependent; Proximi...

H04W 12/67   Risk-dependent, e.g. select...

Enforcing runtime policies in a networked computing environment

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing runtime policies in a networked computing environment

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links