Enabling granular discretionary access control for data stored in a cloud computing environment

US 8,990,950 B2
Filed: 12/27/2010
Issued: 03/24/2015
Est. Priority Date: 12/27/2010
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors;

one or more non-transitory storage mediums comprising program instructions able to be executed by the one or more processors;

a plurality of data artifacts representing electronic data files, wherein the data artifacts are stored in one or more non-transitory storage mediums;

a cloud computing environment comprising a plurality of cloud service providers configured to operate in accordance with a cloud computing model;

a data storage cloud service, comprising at least a subset of the program instructions, configured to manage storage and access of the plurality of data artifacts within the cloud computing environment;

an access manager cloud service, comprising at least a subset of the program instructions, configured to provide discretionary access control to the plurality of data artifacts managed by the data storage cloud service, wherein said discretionary access control is performed in addition to access control operations executed by the data storage cloud service, and wherein the discretionary access control of the access manager cloud service is capable of countermanding access allowances and access denials made by the data storage cloud service, wherein the access manager cloud service further comprises;

a plurality of owner-specified access rules defining at least one parameter value that restricts access to a data artifact of the plurality of data artifacts; and

a plurality of owner-specified access exceptions defining conditions allowing access to the data artifact, wherein the access is denied by at least one of the data storage service and at least one owner-specified access rule; and

an authentication mechanism configured to validate authentication information associated with an owner-specified access exception, wherein receipt of valid authentication data by the access manager cloud service enables access to the data artifact.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Enabling discretionary data access control in a cloud computing environment can begin with the obtainment of a data request and response message by an access manager service. The response message can be generated by a data storage service in response to the data request. The access manager service can identify owner-specified access rules and/or access exceptions applicable to the data request. An access response can be determined using the applicable owner-specified access rules and/or access exceptions. Both the response message and the access response can indicate the allowance or denial of access to the requested data artifact. The access response can be compared to the response message. If the access response does not match the response message, the response message can be overridden to express the access response. If the access response matches the response message, the response message can be conveyed to the originating entity of the data request.

12 Citations

View as Search Results

18 Claims

1. A system comprising:
- one or more processors;
  
  one or more non-transitory storage mediums comprising program instructions able to be executed by the one or more processors;
  
  a plurality of data artifacts representing electronic data files, wherein the data artifacts are stored in one or more non-transitory storage mediums;
  
  a cloud computing environment comprising a plurality of cloud service providers configured to operate in accordance with a cloud computing model;
  
  a data storage cloud service, comprising at least a subset of the program instructions, configured to manage storage and access of the plurality of data artifacts within the cloud computing environment;
  
  an access manager cloud service, comprising at least a subset of the program instructions, configured to provide discretionary access control to the plurality of data artifacts managed by the data storage cloud service, wherein said discretionary access control is performed in addition to access control operations executed by the data storage cloud service, and wherein the discretionary access control of the access manager cloud service is capable of countermanding access allowances and access denials made by the data storage cloud service, wherein the access manager cloud service further comprises;
  
  a plurality of owner-specified access rules defining at least one parameter value that restricts access to a data artifact of the plurality of data artifacts; and
  
  a plurality of owner-specified access exceptions defining conditions allowing access to the data artifact, wherein the access is denied by at least one of the data storage service and at least one owner-specified access rule; and
  
  an authentication mechanism configured to validate authentication information associated with an owner-specified access exception, wherein receipt of valid authentication data by the access manager cloud service enables access to the data artifact.
- View Dependent Claims (2, 3, 4, 5, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein the data storage cloud service further comprises:
    - a plurality of data handling rules defining limitations for access of the plurality of data artifacts, wherein the data storage cloud service utilizes said plurality of data handling rules to determine at least one of an access allowance and an access denial for a data consumer requesting access to the data artifact.
  - 3. The system of claim 1, wherein the authentication mechanism is further configured to automatically generate the authentication information.
  - 4. The system of claim 1, wherein the authentication mechanism is configured to utilize a strong authentication process.
  - 5. The system of claim 1, further comprising:
    - an access manager service user interface configured to allow definition of the plurality of owner-specified access rules and the plurality of owner-specified access exceptions.
  - 11. The system of claim 1, wherein each of the electronic data files is one of a text file, an image file, an audio file, and a multimedia file.
  - 12. The system of claim 1, wherein the system receives a data request from a remotely located computer of a data consumer, wherein the data request is for accessing the data artifact, wherein the data request per requirements imposed by the system comprises at least one of an Internet protocol (IP) address of the data consumer, an action being performed by the data consumer, and a timestamp of the data request.
  - 13. The system of claim 1, wherein the cloud computing environment is one of a private cloud environment, a community cloud environment, a public cloud environment, and a hybrid cloud environment.
  - 14. The system of claim 1, wherein the access manager cloud service is further configured to interrupt functioning of the data storage service based on the discretionary access control.
  - 15. The system of claim 1, wherein the data storage cloud service invokes the access manager cloud service as a final stage access control operation prior to providing data artifacts to a data consumer.
  - 16. The system of claim 12, wherein the owner-specified access exception access is further configured to:
    - request authentication data from an originating entity of the data request, wherein the originating entity is the data consumer;
      
      upon receipt of the authentication data, validate said authentication data; and
      
      if the authentication data is determined valid, immediately override the response message to express the owner-specified access exception.
  - 17. The system of claim 16, wherein the owner-specified access exception access is further configured to:
    - if the authentication data is determined invalid, inform the originating entity of the data request of the invalid authentication data; and
      
      repeat the requesting and validating of authentication data from the originating entity, wherein access to the data artifact is denied until at least one of a receipt of valid authentication data, a termination of a session created by the data storage service associated with the data request, and an expiration of a predefined time limit.
  - 18. The system of claim 16, wherein the access manager cloud service is further configured to:
    - aggregate the at least one identified owner specified access rule;
      
      identify an existence of a conflict within the aggregate of owner-specified access rules, wherein at least two owner-specified access rules are considered to be in conflict if parameters of the at least two owner-specified access rules are mutually exclusive; and
      
      if the conflict exists, resolve said conflict using priority values associated with each owner-specified access rule identified as in conflict, wherein an owner-specified access rule having a highest priority value is used over owner specified access rules having lower priority values, wherein the owner-specified access rules having the lower priority values are removed from the aggregate of owner-specified access rules.

6. A computer program product comprising a computer readable storage medium having computer usable program code embodied therewith, the computer usable program code comprising:
- computer usable program code stored on a non-transitory storage medium, configured to obtain a data request and a response message for the data request, wherein the response message is generated by a data storage service operating in a cloud computing environment in response to the data request, wherein the response message indicates at least one of an allowance and a denial of access to a data artifact stored by the data storage service;
  
  computer usable program code stored on a non-transitory storage medium, configured to identify an existence of at least one of at least one owner-specified access rule and at least one owner-specified access exception applicable to the data request;
  
  computer usable program code stored on a non-transitory storage medium, configured to determine an access response to the data request, wherein the access response is determined by an access manager service based upon the identified at least one owner-specified access rule and at least one owner specified access exception, wherein said access response indicates at least one of the allowance and the denial of access to the data artifact requested in the data request, and wherein an owner specified access rule defines at least one parameter value that restricts access to the data artifact, and wherein an owner-specified access exception defines conditions allowing access to the data artifact, wherein the access is denied by at least one of the data storage service and at least one owner-specified access rule;
  
  computer usable program code stored on a non-transitory storage medium, configured to compare the determined access response to the response message;
  
  computer usable program code stored on a non-transitory storage medium, configured to, if the determined access response does not match the response message, override the response message to express the determined access response; and
  
  computer usable program code stored on a non-transitory storage medium, configured to, if the determined access response matches the response message, convey the response message to an originating entity of the data request.
- View Dependent Claims (7, 8, 9)
- - 7. The computer program product of claim 6, wherein, if the identification results in the existence of an owner-specified access exception, the computer program product further comprises:
    - computer usable program code stored on a non-transitory storage medium, configured to request authentication data from the originating entity of the data request;
      
      computer usable program code stored on a non-transitory storage medium, configured to, upon receipt of the authentication data, validate said authentication data; and
      
      computer usable program code stored on a non-transitory storage medium, configured to, if the authentication data is determined valid, immediately override the response message to express the owner-specified access exception.
  - 8. The computer program product of claim 7, further comprising:
    - computer usable program code stored on a non-transitory storage medium, configured to, if the authentication data is determined invalid, inform the originating entity of the data request of the invalid authentication data; and
      
      computer usable program code stored on a non-transitory storage medium, configured to repeat the requesting and validating of authentication data from the originating entity, wherein access to the data artifact is denied until at least one of a receipt of valid authentication data, a termination of a session created by the data storage service associated with the data request, and an expiration of a predefined time limit.
  - 9. The computer program product of claim 6, wherein computer usable program code to determine the access response further comprises:
    - computer usable program code stored on a non-transitory storage medium, configured to aggregate the at least one identified owner specified access rule;
      
      computer usable program code stored on a non-transitory storage medium, configured to identify an existence of a conflict within the aggregate of owner-specified access rules, wherein at least two owner-specified access rules are considered to be in conflict if parameters of the at least two owner-specified access rules are mutually exclusive;
      
      computer usable program code stored on a non-transitory storage medium, configured to, if the conflict exists, resolve said conflict using priority values associated with each owner-specified access rule identified as in conflict, wherein an owner-specified access rule having a highest priority value is used over owner specified access rules having lower priority values, wherein the owner-specified access rules having the lower priority values are removed from the aggregate of owner-specified access rules;
      
      computer usable program code stored on a non-transitory storage medium, configured to compare data values from the data request that correspond to parameter values expressed by the aggregate of owner-specified access rules;
      
      computer usable program code stored on a non-transitory storage medium, configured to, if said comparison indicates that the data values satisfy the parameter values, set the access response as the denial of access to the data artifact; and
      
      computer usable program code stored on a non-transitory storage medium, configured to, if said comparison indicates that the parameters are unsatisfied by the data values, set the access response as the allowance of access to the data artifact.

10. A computer program product comprising a computer readable storage medium having computer usable program code embodied therewith, the computer usable program code comprising:
- computer usable program code stored on a non-transitory storage medium, configured to receive of a data request by a data storage cloud service of a cloud storage system, wherein said data request requests access to a data artifact stored by the cloud storage system within a cloud computing environment;
  
  computer usable program code stored on a non-transitory storage medium, configured to determine of a response to the data request by the data storage cloud service, wherein said determination indicates at least one of allowing access and denying access to the data artifact;
  
  computer usable program code stored on a non-transitory storage medium, configured to detect of the data storage cloud service'"'"'s receipt of the data request by an access manager cloud service;
  
  computer usable program code stored on a non-transitory storage medium, configured to interrupt of the data storage cloud service'"'"'s handling of the data request prior to an execution of the determined response by the access manager cloud service;
  
  computer usable program code stored on a non-transitory storage medium, configured to obtain of a copy of the data request and the data storage cloud service'"'"'s response by the access manager cloud service;
  
  computer usable program code stored on a non-transitory storage medium, configured to evaluate of contents of the copy of the data request by the access manager cloud service with respect to discretionary access controls defined for the data artifact, wherein said discretionary access controls are configured by an entity associated with the data artifact;
  
  computer usable program code stored on a non-transitory storage medium, configured to determine of response from said evaluation of the data request copy by the access manager cloud service, wherein said determination indicates at least one of allowing access and denying access to the data artifact;
  
  computer usable program code stored on a non-transitory storage medium, configured to compare of the response determined by the data storage cloud service with the response internally determined by the access manager cloud service;
  
  computer usable program code stored on a non-transitory storage medium, configured to, if said comparison indicates disagreement between the responses of the data storage cloud service and the access manager cloud service, override of the data storage cloud service'"'"'s response by the access manager cloud service, wherein the response determined by the access manager cloud service is given precedence over the response determined by the data storage cloud service; and
  
  computer usable program code stored on a non-transitory storage medium, configured to, if said comparison indicates agreement between the responses of the data storage cloud service and the access manager cloud service, release of the interruption to the data storage cloud service'"'"'s handling of the data request by the access manager cloud service, wherein the data storage cloud service is allowed to complete fulfillment of the data request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kruger, Stephen P., Pieczul, Olgierd S.
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
Alata, Ayoub

Application Number

US12/979,117
Publication Number

US 20120167197A1
Time in Patent Office

1,548 Days
Field of Search

726 26- 30, 707/781, 707/E17.005
US Class Current

726/26
CPC Class Codes

G06F 12/00   Accessing, addressing or al...

G06F 16/00   Information retrieval; Data...

G06F 21/10   Protecting distributed prog...

G06F 21/31   User authentication

G06F 21/62   Protecting access to data v...

G06F 2221/2141   Access rights, e.g. capabil...

Enabling granular discretionary access control for data stored in a cloud computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling granular discretionary access control for data stored in a cloud computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links