Extending security platforms to cloud-based networks

US 8,977,750 B2
Filed: 02/24/2009
Issued: 03/10/2015
Est. Priority Date: 02/24/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating a set of security policies for a set of managed machines in a network;

identifying a cloud-accessible subset of the set of managed machines to be used as a shared resource by an external cloud environment;

identifying a first subset of security policies within the set of security policies, the first subset of security policies corresponding to a set of access conditions for the cloud-accessible subset of the set of managed machines;

identifying a second subset of baseline security policies within the set of security policies to apply to the cloud-accessible subset of the set of managed machines when the cloud-accessible subset of the set of managed machines are not exposed to the external cloud environment;

generating, by a processor, a partitioned security class in the set of security policies that includes the first subset of security policies corresponding to the set of access conditions for the cloud-accessible subset of the set of managed machines; and

in response to determining that the cloud-accessible subset of the set of managed machines is exposed to the external cloud environment, applying the partitioned security class to the subset of the set of managed machines, wherein the partitioned security class permits sharing of the cloud-accessible subset of the set of managed machines with the external cloud environment based on the first subset of security policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments relate to systems and methods for extending a network security platform to a cloud-based network. A set of managed machines, such as personal computers or servers, can be managed by a network security engine. The network security engine can govern access to and operation of the set of managed machines through a set of security policies. According to embodiments, the set of security policies can be sub-divided into a partitioned security class corresponding to a subset of the managed network which is intended to be deployed as a cloud-accessible subset of the overall managed network. The partitioned security class can specify access restrictions for the cloud-accessible subset to receive resources from or provide resources to the external cloud environment. A corporate campus network or other managed network can therefore permit access of the cloud to some or all of its machines, while still maintaining desired local security conditions.

139 Citations

20 Claims

1. A method, comprising:
- generating a set of security policies for a set of managed machines in a network;
  
  identifying a cloud-accessible subset of the set of managed machines to be used as a shared resource by an external cloud environment;
  
  identifying a first subset of security policies within the set of security policies, the first subset of security policies corresponding to a set of access conditions for the cloud-accessible subset of the set of managed machines;
  
  identifying a second subset of baseline security policies within the set of security policies to apply to the cloud-accessible subset of the set of managed machines when the cloud-accessible subset of the set of managed machines are not exposed to the external cloud environment;
  
  generating, by a processor, a partitioned security class in the set of security policies that includes the first subset of security policies corresponding to the set of access conditions for the cloud-accessible subset of the set of managed machines; and
  
  in response to determining that the cloud-accessible subset of the set of managed machines is exposed to the external cloud environment, applying the partitioned security class to the subset of the set of managed machines, wherein the partitioned security class permits sharing of the cloud-accessible subset of the set of managed machines with the external cloud environment based on the first subset of security policies.
- View Dependent Claims (2, 3, 4, 5, 6, 18)
- - 2. The method of claim 1, wherein the network comprises at least one of a local area network, a metropolitan area network, or a wide area network.
  - 3. The method of claim 1, wherein the network comprises at least one of a wired network or a wireless network located in a single campus.
  - 4. The method of claim 1, wherein the sharing of the cloud-accessible subset with the external could environment comprises at least one of providing resources from the cloud-accessible subset to the external cloud environment or receiving resources from the external cloud environment in the cloud-accessible subset.
  - 5. The method of claim 1, wherein the set of access conditions comprises at least one of limitations on processor cycles, limitations on memory access, limitations on storage access, limitations on input/output bandwidth, limitations on scheduled access time, limitations on use of applications, or limitations on access to user profile data.
  - 6. The method of claim 1, wherein the cloud-accessible subset comprises a dynamically selectable cloud-accessible subset of the set of managed machines.
  - 18. The method of claim 1, further comprising:
    - in response to determining that the cloud-accessible subset of the set of managed machines is not exposed to the external cloud environment, applying the second subset of baseline security policies to the cloud-accessible subset of the set of managed machines.

7. A computer system, comprising:
- a memory component; and
  
  a processor coupled to the memory component, wherein the processor is to;
  
  generate a set of security policies for a set of managed machines in a managed network;
  
  identify a cloud-accessible subset of the set of the managed machines to be used as a shared resource by an external cloud environment;
  
  identify a first subset of security policies within the set of security policies, the first subset of security policies corresponding to a set of access conditions for the cloud-accessible subset of the set of managed machines;
  
  identify a second subset of baseline security policies within the set of security policies to apply to the cloud-accessible subset of the set of managed machines when the cloud-accessible subset of the set of managed machines are not exposed to the external cloud environment;
  
  generate a partitioned security class in the set of security policies that includes the first subset of security policies corresponding to the set of access conditions for the cloud- accessible subset of the set of managed machines; and
  
  in response to determining that the cloud-accessible subset of the set of managed machines is exposed to the external cloud environment, apply the partitioned security class to the subset of the set of managed machines, wherein the partitioned security class permits sharing of the cloud-accessible subset of the set of managed machines with the external cloud environment based on the first subset of security policies.
- View Dependent Claims (8, 9, 10, 11, 12, 19)
- - 8. The computer system of claim 7, wherein the managed network comprises at least one of a local area network, a metropolitan area network, or a wide area network.
  - 9. The computer system of claim 7, wherein the managed network comprises at least one of a wired network or a wireless network located in a single campus.
  - 10. The computer system of claim 7, wherein the sharing of the cloud-accessible subset with the external could environment comprises at least one of providing resources from the cloud-accessible subset to the external cloud environment or receiving resources from the external cloud environment in the cloud-accessible subset.
  - 11. The computer system of claim 7, wherein the set of access conditions comprises at least one of limitations on processor cycles, limitations on memory access, limitations on storage access, limitations on input/output bandwidth, limitations on scheduled access time, limitations on use of applications, or limitations on access to user profile data.
  - 12. The computer system of claim 7, wherein the cloud-accessible subset comprises a dynamically selectable cloud-accessible subset of the set of managed machines.
  - 19. The system of claim 8, wherein the processor is further to:
    - in response to determining that the cloud-accessible subset of the set of managed machines is not exposed to the external cloud environment, apply the second subset of baseline security policies to the cloud-accessible subset of the set of managed machines.

13. A non-transitory computer readable medium programmed to include instructions that, when executed by a processor, cause the processor to:
- generate a set of security policies for a set of managed machines in a network;
  
  identify a cloud-accessible subset of the set of managed machines to be used as a shared resource by an external cloud environment;
  
  identify a first subset of security policies within the set of security policies, the first subset of security policies corresponding to a set of access conditions for the cloud- accessible subset of the set of managed machines;
  
  identify a second subset of baseline security policies within the set of security policies to apply to the cloud-accessible subset of the set of managed machines when the cloud-accessible subset of the set of managed machines are not exposed to the external cloud environment;
  
  generate a partitioned security class in the set of security policies that includes the first subset of security policies corresponding to the set of access conditions for the cloud-accessible subset of the set of managed machines; and
  
  in response to determining that the cloud-accessible subset of the set of managed machines is exposed to the external cloud environment, apply the partitioned security class to the subset of the set of managed machines, wherein the partitioned security class permits sharing of the cloud-accessible subset of the set of managed machines with the external cloud environment based on the first subset of security policies.
- View Dependent Claims (14, 15, 16, 17, 20)
- - 14. The non-transitory computer readable medium of claim 13, wherein the network comprises at least one of a local area network, a metropolitan area network, or a wide area network.
  - 15. The non-transitory computer readable medium of claim 13, wherein the network comprises at least one of a wired network or a wireless network located in a single campus.
  - 16. The non-transitory computer readable medium of claim 13, wherein the sharing of the cloud-accessible subset with the external could environment comprises at least one of providing resources from the cloud-accessible subset to the external cloud environment or receiving resources from the external cloud environment in the cloud-accessible subset.
  - 17. The non-transitory computer readable medium of claim 13, wherein the set of access conditions comprises at least one of limitations on processor cycles, limitations on memory access, limitations on storage access, limitations on input/output bandwidth, limitations on scheduled access time, limitations on use of applications, or limitations on access to user profile data.
  - 20. The non-transitory computer readable medium of claim 15, wherein the instructions, when executed by the processor, further cause the processor to:
    - in response to determining that the cloud-accessible subset of the set of managed machines is not exposed to the external cloud environment, apply the second subset of baseline security policies to the cloud-accessible subset of the set of managed machines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Ferris, James Michael
Primary Examiner(s)
Pollack, Melvin H

Application Number

US12/391,802
Publication Number

US 20100217850A1
Time in Patent Office

2,205 Days
Field of Search

705/8, 705/9, 705/51, 705/59, 709/1, 709/2, 709/3, 709/4, 709/6, 709/7, 709/9, 709/21, 709/27, 709/23, 709/219, 709/225, 726/203, 726/217, 726/218, 726/219, 726/223, 726/224, 726/225, 726/229, 726/6, 726/7, 726/27
US Class Current

709/225
CPC Class Codes

H04L 63/20 for managing network securi...

Extending security platforms to cloud-based networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

139 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Extending security platforms to cloud-based networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links