Restricting Access to Public Cloud SaaS Applications to a Single Organization

US 20170201549A1
Filed: 01/13/2016
Published: 07/13/2017
Est. Priority Date: 01/13/2016
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a system, the system comprising:

one or more processors; and

one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to allow an entity managed device to access a tenant associated with the entity on a cloud service while preventing the device from accessing one or more other tenants on the cloud service, including instructions that are executable to configure the computer system to perform at least the following;

at the cloud service, obtaining policy from the entity with respect to tenant access;

at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service; and

granting or denying the access request based on the policy obtained from the entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Allowing an entity managed device to access a tenant associated with the e on a public cloud service while preventing the device from accessing one or more other tenants on the cloud service. A method includes, at the cloud service, obtaining policy from the entity with respect to tenant access. The method further includes, at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service. The method further includes granting or denying the access request based on the policy obtained from the entity.

11 Citations

View as Search Results

20 Claims

1. In a computing environment, a system, the system comprising:
- one or more processors; and
  
  one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to allow an entity managed device to access a tenant associated with the entity on a cloud service while preventing the device from accessing one or more other tenants on the cloud service, including instructions that are executable to configure the computer system to perform at least the following;
  
  at the cloud service, obtaining policy from the entity with respect to tenant access;
  
  at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service; and
  
  granting or denying the access request based on the policy obtained from the entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein granting or denying the access comprises either issuing or preventing issuance of tokens to devices requesting access to tenants at the cloud service.
  - 3. The system of claim 1, wherein the policy specifies URL filtering conditions identifying at least one of allowed tenants or denied tenants.
  - 4. The system of claim 1, wherein obtaining policy from the entity comprises obtaining policy injected into a header of the request from the entity managed device to access a tenant at the cloud service.
  - 5. The system of claim 4, wherein the policy was injected into the header by a network edge element configured to inject data into headers of network packets.
  - 6. The system of claim 5, wherein one or more computer-readable media further have stored thereon instructions that are executable by the one or more processors to configure the computer system to perform, at the network edge, determining that a request is directed to an identity platform that gates authentication to the cloud applications, and wherein policy is injected into the header of the request from the entity managed device to access a tenant at the cloud service only for traffic directed to an authorized endpoint of the identity platform.
  - 7. The system of claim 4, wherein the policy was injected into the header by a device element configured to inject data into headers of network packets at the device level.

8. In a computing environment, a method of allowing an entity managed device to access a tenant associated with the entity on a cloud service while preventing the device from accessing one or more other tenants on the cloud service, the method comprising:
- at the cloud service, obtaining policy from the entity with respect to tenant access;
  
  at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service; and
  
  granting or denying the access request based on the policy obtained from the entity.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein granting or denying the access comprises either issuing or preventing issuance of tokens to devices requesting access to tenants at the cloud service.
  - 10. The method of claim 8, wherein the policy specifies URL filtering conditions identifying at least one of allowed tenants or denied tenants.
  - 11. The method of claim 8, wherein obtaining policy from the entity comprises obtaining policy injected into a header of the request from the entity managed device to access a tenant at the cloud service.
  - 12. The method of claim 11, wherein the policy was injected into the header by a network edge element configured to inject data into headers of network packets.
  - 13. The method of claim 12, further comprising, at the network edge, determining that a request is directed to an identity platform that gates authentication to the cloud applications, and wherein policy is injected into the header of the request from the entity managed device to access a tenant at the cloud service only for traffic directed to an authorized endpoint of the identity platform.
  - 14. The method of claim 11, wherein the policy was injected into the header by a device element configured to inject data into headers of network packets at the device level.

15. In a computing environment, a system, the system comprising:
- a cloud service, wherein the cloud service comprises;
  
  a plurality of application instances including at least one application instance for a plurality of tenants;
  
  an identity platform, wherein the identity platform is configured to;
  
  obtain policy from an entity with respect to tenant access for the entity;
  
  receive a request from an entity managed device to access a tenant at the cloud service; and
  
  grant or deny the access request based on the policy obtained from the entity.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein granting or denying the access comprises either issuing or preventing issuance of tokens to devices requesting access to tenants at the cloud service.
  - 17. The system of claim 15, wherein the policy specifies URL filtering conditions identifying at least one of allowed tenants or denied tenants.
  - 18. The system of claim 15, wherein obtaining policy from the entity comprises obtaining policy injected into a header of the request from the entity managed device to access a tenant at the cloud service.
  - 19. The system of claim 18, wherein the policy was injected into the header by a network edge element configured to inject data into headers of network packets.
  - 20. The system of claim 18, wherein the policy was injected into the header by a device element configured to inject data into headers of network packets at the device level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Vincent, Benjamin Richard, Adams, Ross Peter, Ryvkin, Konstantin, Gordon, Ariel

Granted Patent

US 10,320,844 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

Restricting Access to Public Cloud SaaS Applications to a Single Organization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Restricting Access to Public Cloud SaaS Applications to a Single Organization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links