FLEXIBLE END-POINT COMPLIANCE AND STRONG AUTHENTICATION FOR DISTRIBUTED HYBRID ENTERPRISES

US 20110307947A1
Filed: 06/14/2010
Published: 12/15/2011
Est. Priority Date: 06/14/2010
Status: Active Grant

First Claim

Patent Images

1. A method for use by a client computer to access at least one resource hosted by at least one server controlled by at least one service provider, comprising:

sending, to an access control gateway controlled by at least one enterprise different from the at least one service provider, authentication information associated with a user of the client computer and a statement of health regarding the client computer;

receiving a security token from the access control gateway;

sending, to the at least one server hosting the at least one resource, the security token received from the access control gateway; and

accessing the at least one resource from the at least one server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for accessing at least one resource hosted by at least one server of a cloud service provider. In some embodiments, a client computer sends authentication information associated with a user of the client computer and a statement of health regarding the client computer to an access control gateway deployed in an enterprise'"'"'s managed network. The access control gateway authenticates the user and determines whether the user is authorized to access the at least one resource hosted in the cloud. If the user authentication and authorization succeeds, the access control gateway requests a security token from a security token service trusted by an access control component in the cloud and forwards the security token to the client computer. The client computer sends the security token to the access component in the cloud to access the at least one resource from the at least one server.

180 Citations

20 Claims

1. A method for use by a client computer to access at least one resource hosted by at least one server controlled by at least one service provider, comprising:
- sending, to an access control gateway controlled by at least one enterprise different from the at least one service provider, authentication information associated with a user of the client computer and a statement of health regarding the client computer;
  
  receiving a security token from the access control gateway;
  
  sending, to the at least one server hosting the at least one resource, the security token received from the access control gateway; and
  
  accessing the at least one resource from the at least one server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - sending a request for the security token to the access control gateway; and
      
      receiving at least one security challenge from the access control gateway, wherein the access control gateway sends the at least one security challenge in response to the request for the security token, and wherein the client computer sends the authentication information and the statement of health in response to the at least one security challenge.
  - 3. The method of claim 1, further comprising:
    - sending, to the at least one server, a request to access the at least one resource; and
      
      receiving, from the at least one server, an instruction to contact the access control gateway as a prerequisite to accessing the at least one resource.
  - 4. The method of claim 1, wherein the authentication information comprises at least two user credentials selected from a group consisting of:
    - a secret knowledge credential, a physical object credential, and a personal physical characteristic credential.
  - 5. The method of claim 1, wherein the statement of health regarding the client computer comprises configuration information regarding at least one protective component of the client computer, the at least one protective component being selected from a group consisting of:
    - an anti-virus software, a firewall, and an operating system patch.
  - 6. The method of claim 1, wherein the access control gateway is configured to determine, based at least in part on the access request information, whether the client computer is authorized to access the at least one resource hosted by the at least one server, and wherein the security token is obtained from a security token service by the access control gateway if the access control gateway determines that the client computer is authorized to access the at least one resource, the security token service being trusted by the at least one server.

7. A client computer for accessing at least one resource hosted by at least one server controlled by at least one service provider, comprising at least one processor programmed to:
- send, to an access control gateway controlled by at least one enterprise different from the at least one service provider, access request information purporting to indicate that the client computer is authorized to access the at least one resource;
  
  receive a security token from the access control gateway;
  
  send, to the at least one server hosting the at least one resource, the security token received from the access control gateway; and
  
  access the at least one resource from the at least one server.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The client computer of claim 7, wherein the at least one processor is further programmed to:
    - send a request for the security token to the access control gateway; and
      
      receive at least one security challenge from the access control gateway, wherein the access control gateway sends the at least one security challenge in response to the request for the security token, and wherein the at least one processor is programmed to send the access request information in response to the at least one security challenge.
  - 9. The client computer of claim 7, wherein the at least one processor is further programmed to:
    - send, to the at least one server, a request to access the at least one resource; and
      
      receive, from the at least one server, an instruction to contact the access control gateway as a prerequisite to accessing the at least one resource.
  - 10. The client computer of claim 7, wherein the access request information comprises at least two user credentials selected from a group consisting of:
    - a secret knowledge credential, a physical object credential, and a personal physical characteristic credential.
  - 11. The client computer of claim 7, wherein the access request information comprises configuration information regarding at least one protective component of the client computer, the at least one protective component being selected from a group consisting of:
    - an anti-virus software, a firewall, and an operating system patch.
  - 12. The client computer of claim 7, wherein the access control gateway is configured to determine, based at least in part on the access request information, whether the client computer is authorized to access the at least one resource hosted by the at least one server, and wherein the security token is obtained from a security token service by the access control gateway if the access control gateway determines that the client computer is authorized to access the at least one resource, the security token service being trusted by the at least one server.
  - 13. The client computer of claim 12, wherein the at least one server is configured to determine whether the security token is generated by a trusted security token service, and wherein the at least one server allows the client computer to access the at least one resource only if the at least one server determines that the security token is generated by a trusted security token service.

14. At least one non-transitory computer-readable medium having encoded thereon instructions that, when executed by at least one processor, perform a method for use by an access gateway controlled by at least one enterprise, the method comprising:
- receiving, from a client computer, access request information purporting to indicate that the client computer is authorized to access at least one resource hosted by at least one server controlled by at least one service provider different from the at least one enterprise;
  
  determining, based at least in part on the access request information, whether the client computer is authorized to access the at least one resource; and
  
  if it is determined that the client computer is authorized to access the at least one resource, sending a security token to the client computer to be presented to the at least one server to obtain access to the at least one resource.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The at least one non-transitory computer-readable medium of claim 14, wherein the method further comprises:
    - receiving a request for the security token from the client computer; and
      
      in response to the request for the security token, sending at least one security challenge to the client computer, wherein the client computer sends the access request information in response to the at least one security challenge.
  - 16. The at least one non-transitory computer-readable medium of claim 14, wherein the method further comprises:
    - requesting the security token from a security token service trusted by the at least one server.
  - 17. The at least one non-transitory computer-readable medium of claim 14, wherein the access request information comprises at least two user credentials selected from a group consisting of:
    - a secret knowledge credential, a physical object credential, and a personal physical characteristic credential.
  - 18. The at least one non-transitory computer-readable medium of claim 14, wherein determining whether the client computer is authorized to access the at least one resource comprises:
    - forwarding at least some of the access request information comprising one or more user credentials to an authentication server controlled by the least one enterprise.
  - 19. The at least one non-transitory computer-readable medium of claim 14, wherein the access request information comprises configuration information regarding at least one protective component of the client computer, the at least one protective component being selected from a group consisting of:
    - an anti-virus software, a firewall, and an operating system patch.
  - 20. The at least one non-transitory computer-readable medium of claim 14, wherein determining whether the client computer is authorized to access the at least one resource comprises:
    - forwarding at least some of the access request information comprising configuration information regarding the client computer to a health policy server controlled by the least one enterprise.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ananiev, Oleg, Kershaw, Daniel, Neystadt, Eugene (John), Kariv, Asaf, Tovbeyn, Eli

Granted Patent

US 8,997,196 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

FLEXIBLE END-POINT COMPLIANCE AND STRONG AUTHENTICATION FOR DISTRIBUTED HYBRID ENTERPRISES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

180 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FLEXIBLE END-POINT COMPLIANCE AND STRONG AUTHENTICATION FOR DISTRIBUTED HYBRID ENTERPRISES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links