Supporting compliance in a cloud environment

US 9,110,976 B2
Filed: 10/15/2010
Issued: 08/18/2015
Est. Priority Date: 10/15/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product for providing auditable data concerning actions in a cloud computing environment, comprising:

a tangible, computer readable storage memory device;

program instructions encoded by the tangible, computer readable storage memory device to cause a compliance cloud computing server processor to operate a cloud service which performs the steps of;

responsive to receiving an auditable data request from a cloud client computer for a customer, querying a plurality of cloud application services for auditable data retained in cloud application services data storage relevant to the customer, resultant from computing actions taken on behalf of the customer;

receiving one or more responses to the querying from the plurality of cloud application services indicating available retained customer-relevant auditable data items;

responsive to finding customer-relevant auditable data items stored by the cloud application services, transmitting a list of the available auditable data items to the cloud client computer, wherein the list contains a geographical storage location identifier of each data item;

subsequent to transmitting the list, receiving from the cloud client computer a selection of less than all of the listed auditable data items;

retrieving from the cloud application services the selected auditable data items;

transmitting to the cloud client computer the retrieved auditable data items;

thereby avoiding a need for the cloud client computer to store the location of auditable data items at the cloud application services; and

wherein the querying of cloud application services, receiving responses, transmitting a list, receiving a selection, retrieving the selected auditable data items, and transmitting the retrieved auditable data items are performed as a cloud service separate from the cloud client computer and from the plurality of cloud application services, thereby avoiding the need for the cloud client computer to store the location of auditable.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Gathering auditable data concerning actions in a cloud computing environment is automated by determining that one or more auditable data items are available associated with a requester and with at least one application program; responsive to determining that data items are available, transmitting a list of the available auditable data items to a requesting cloud client computer; subsequent to transmitting the list, receiving a data request from the cloud client computer for one or more particular auditable data items from the list; preparing the requested particular auditable data items for transmission according to a predetermined format; and transmitting the prepared requested particular auditable data items to the cloud client computer. Optionally, in some embodiments, the requesting cloud client computer may negotiate a data exchange format with the cloud service provider for receipt of the requested auditable information.

34 Citations

View as Search Results

25 Claims

1. A computer program product for providing auditable data concerning actions in a cloud computing environment, comprising:
- a tangible, computer readable storage memory device;
  
  program instructions encoded by the tangible, computer readable storage memory device to cause a compliance cloud computing server processor to operate a cloud service which performs the steps of;
  
  responsive to receiving an auditable data request from a cloud client computer for a customer, querying a plurality of cloud application services for auditable data retained in cloud application services data storage relevant to the customer, resultant from computing actions taken on behalf of the customer;
  
  receiving one or more responses to the querying from the plurality of cloud application services indicating available retained customer-relevant auditable data items;
  
  responsive to finding customer-relevant auditable data items stored by the cloud application services, transmitting a list of the available auditable data items to the cloud client computer, wherein the list contains a geographical storage location identifier of each data item;
  
  subsequent to transmitting the list, receiving from the cloud client computer a selection of less than all of the listed auditable data items;
  
  retrieving from the cloud application services the selected auditable data items;
  
  transmitting to the cloud client computer the retrieved auditable data items;
  
  thereby avoiding a need for the cloud client computer to store the location of auditable data items at the cloud application services; and
  
  wherein the querying of cloud application services, receiving responses, transmitting a list, receiving a selection, retrieving the selected auditable data items, and transmitting the retrieved auditable data items are performed as a cloud service separate from the cloud client computer and from the plurality of cloud application services, thereby avoiding the need for the cloud client computer to store the location of auditable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer program product as set forth in claim 1 further comprising program instructions to, prior to the receiving of an auditable data request, perform cloud service registration of a client device by creating and assigning a unique identifier to a cloud client computer, and sharing a security artifact between a cloud computing server and the cloud client computer, wherein the sixth program instructions are stored by the computer readable storage memory device.
  - 3. The computer program product as set forth in claim 1 further comprising program instructions to, prior to or concurrently with receiving a data request from the cloud client computer, negotiate between the cloud client computer and the cloud computing server a mutually-agreeable data exchange format in which requested auditable data will be delivered to the cloud client computer, wherein the sixth program instructions are stored by the computer readable storage memory device.
  - 4. The computer program product as set forth in claim 1 wherein the program instructions for determining that one or more auditable data items are available comprise program instructions to determine if the requester is entitled to each of the available auditable data items, and to remove from the list each auditable data item to which the requester is not entitled.
  - 5. The computer program product as set forth in claim 1 further comprising program instructions stored or encoded by the computer readable storage memory device to issue an authentication token to the cloud client computer prior to the receiving an auditable data request, wherein the determining that one or more auditable data items are available comprises extracting the previously-issued token from the auditable data request, and wherein the transmitting of a list of available auditable data items is prevented responsive to the extracted token not being associated with the requesting cloud client computer or responsive to a token being not found in the received auditable data request.
  - 6. The computer program product as set forth in claim 1 wherein the program instructions for preparing of the requested auditable data items further comprises program instructions to perform compliance analysis against one or more compliance policies, and wherein the transmitting of the prepared data items further comprises transmitting one or more results of the compliance analysis.
  - 7. The computer program product as set forth in claim 6 wherein the program instructions for performing of compliance analysis are performed by a cloud service provider computer which is separate from a cloud service provider which received the request for auditable data items and which is separate from the requesting cloud client computer.
  - 8. The computer program product as set forth in claim 1 further comprising program instructions stored or encoded by the computer readable storage memory device to receive the transmitted auditable data items by a cloud client computer, and to perform compliance analysis against one or more compliance policies by the cloud client computer.

9. A system for providing auditable data concerning actions in a cloud computing environment, comprising:
- a computing platform having a processor or circuit for performing a logical process and a tangible, computer readable storage memory device;
  
  program instructions encoded by the tangible, computer readable storage memory device to cause the processor to operate a cloud service which performs the steps of;
  
  responsive to receiving an auditable data request from a cloud client computer for a customer, querying a plurality of cloud application services for auditable data retained in cloud application services data storage relevant to the customer resultant from computing actions taken on behalf of the customer;
  
  receiving one or more responses to the querying from the plurality of cloud application services indicating available retained customer-relevant auditable data items;
  
  responsive to finding customer-relevant auditable data items stored by the cloud application services, transmitting a list of the available auditable data items to the cloud client computer, wherein the list contains a geographical storage location identifier of each data item;
  
  subsequent to transmitting the list, receiving from the cloud client computer a selection of less than all of the listed auditable data items;
  
  retrieving from the cloud application services the selected auditable data items;
  
  transmitting to the cloud client computer the retrieved auditable data items;
  
  thereby avoiding a need for the cloud client computer to store the location of auditable data items at the cloud application services; and
  
  wherein the querying of cloud application services, receiving responses, transmitting a list, receiving a selection, retrieving the selected auditable data items, and transmitting the retrieved auditable data items are performed as a cloud service separate from the cloud client computer and from the plurality of cloud application services, thereby avoiding the need for the cloud client computer to store the location of auditable.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system as set forth in claim 9 wherein the program instructions further comprise program instructions for, prior to the receiving of an auditable data request, performing cloud service registration of a client device by creating and assigning a unique identifier to a cloud client computer, and for sharing a security artifact between a cloud computing server and the cloud client computer.
  - 11. The system as set forth in claim 9 wherein the program instructions further comprise program instructions for, prior to or concurrently with receiving a data request from the cloud client computer, negotiating between the cloud client computer and the cloud computing server a mutually-agreeable data exchange format in which requested auditable data will be delivered to the cloud client computer.
  - 12. The system as set forth in claim 9 wherein determining that one or more auditable data items are available by the query request handler comprises determining if the requester is entitled to each of the available auditable data items, and removing from the list each auditable data item to which the requester is not entitled.
  - 13. The system as set forth in claim 9 wherein the program instructions further comprise program instructions for issuing a authentication token to the cloud client computer prior to the receiving an auditable data request, wherein the determining that one or more auditable data items are available comprises extracting the previously-issued token from the auditable data request, and wherein the transmitting of a list of available auditable data items is prevented responsive to the extracted token not being associated with the requesting cloud client computer or responsive to a token being not found in the received auditable data request.
  - 14. The system as set forth in claim 9 wherein the preparing of the requested auditable data items by the data request handler further comprises performing compliance analysis against one or more compliance policies, and wherein the transmitting of the prepared data items further comprises transmitting one or more results of the compliance analysis.
  - 15. The system as set forth in claim 14 wherein the performing of compliance analysis is performed by a cloud service provider computer which is separate from a cloud service provider which received the request for auditable data items and which is separate from the requesting cloud client computer.
  - 16. The system as set forth in claim 9 further comprising a cloud client computer for receiving the transmitted auditable data items, the cloud client computer also performing compliance analysis against one or more compliance policies.
  - 17. The computer program product as set forth in claim 9 wherein the list further comprises one or more descriptors selected from the group consisting of an application instance identifier for each data item, an event category of each data item, a quantity of each data item, and a data exchange format for each data item, and wherein the event category comprises one or more categories selected from the group consisting of a security event, an application event, a security violation event, and an auditing event.

18. A method for a compliance cloud computing server processor to operate a cloud service to provide auditable data concerning actions in a cloud computing environment, comprising:
- responsive to receiving an auditable data request from a cloud client computer for a customer, querying by the processor a plurality of cloud application services for auditable data retained in cloud application services data storage relevant to the customer-resultant from computing actions taken on behalf of the customer;
  
  receiving by the processor one or more responses to the querying from the plurality of cloud application services indicating available retained customer-relevant auditable data items;
  
  responsive to finding customer-relevant auditable data items stored by the cloud application services, transmitting by the processor a list of the available auditable data items to the cloud client computer, wherein the list contains a geographical storage location identifier of each data item;
  
  subsequent to transmitting the list, receiving by the processor from the cloud client computer a selection of less than all of the listed auditable data items;
  
  retrieving by the processor from the cloud application services the selected auditable data items;
  
  transmitting by the processor to the cloud client computer the retrieved auditable data items;
  
  thereby avoiding a need for the cloud client computer to store the location of auditable data items at the cloud application services; and
  
  wherein the querying of cloud application services, receiving responses, transmitting a list, receiving a selection, retrieving the selected auditable data items, and transmitting the retrieved auditable data items are performed as a cloud service separate from the cloud client computer and from the plurality of cloud application services, thereby avoiding the need for the cloud client computer to store the location of auditable.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The method as set forth in claim 18 wherein the program instructions further comprise program instructions for, prior to the receiving of an auditable data request, performing by the cloud computing server cloud service registration of a client device by creating and assigning a unique identifier to a cloud client computer, and sharing a security artifact between a cloud computing server and the cloud client computer.
  - 20. The method as set forth in claim 18 wherein the program instructions further comprise program instructions for, prior to or concurrently with the receiving of the data request from the cloud client computer, negotiating between the cloud client computer and the cloud computing server a mutually-agreeable data exchange format in which requested auditable data will be delivered to the cloud client computer.
  - 21. The method as set forth in claim 18 wherein the determining that one or more auditable data items are available comprises determining if the requester is entitled to each of the available auditable data items, and to remove from the list each auditable data item to which the requester is not entitled.
  - 22. The method as set forth in claim 18 wherein the program instructions further comprise program instructions for issuing an authentication token to the cloud client computer prior to the receiving an auditable data request, wherein the determining that one or more auditable data items are available comprises extracting the previously-issued token from the auditable data request, and wherein the transmitting of a list of available auditable data items is prevented responsive to the extracted token not being associated with the requesting cloud client computer or responsive to a token being not found in the received auditable data request.
  - 23. The method as set forth in claim 18 wherein the preparing of the requested auditable data items further comprises performing compliance analysis against one or more compliance policies, and wherein the transmitting of the prepared data items further comprises transmitting one or more results of the compliance analysis.
  - 24. The method as set forth in claim 23 wherein the compliance analysis is performed by a cloud service provider computer which is separate from a cloud service provider which received the request for auditable data items and which is separate from the requesting cloud client computer.
  - 25. The method as set forth in claim 18 wherein the program instructions further comprise program instructions for receiving the transmitted auditable data items by a cloud client computer, and performing compliance analysis against one or more compliance policies by the cloud client computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bolgert, Anne Louise, Kalyanaraman, Raghuraman, Forlenza, Randolf Michael, Cohen, Richard Jay
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US12/905,232
Publication Number

US 20120096525A1
Time in Patent Office

1,768 Days
Field of Search

726/6, 707/648
US Class Current

1/1
CPC Class Codes

G06F 11/3006 where the computing system ...

G06F 11/3065 Monitoring arrangements det...

Supporting compliance in a cloud environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Supporting compliance in a cloud environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others