Control pool based enterprise policy enabler for controlled cloud access

US 9,167,050 B2
Filed: 12/31/2012
Issued: 10/20/2015
Est. Priority Date: 08/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a plurality of cloud networks, wherein the method is implemented in a gateway with a cloud interface and an enterprise interface, and wherein the method comprises:

establishing an enterprise session with an enterprise user via the enterprise interface to obtain an enterprise security key unique to the enterprise user;

establishing a cloud session with a first of the cloud networks via the cloud interface to obtain a cloud security key unique to the gateway and the first cloud network;

creating an enterprise session to cloud session mapping by mapping the enterprise security key to the cloud security key;

storing the enterprise session to cloud session mapping in a secure key store located in the gateway;

receiving a packet comprising the enterprise security key from the enterprise user via the enterprise interface;

replacing the enterprise security key in the packet with the cloud security key; and

forwarding the packet comprising the cloud security key to the first cloud network via the cloud interface,wherein the cloud security key is not provided to the enterprise user to prevent the enterprise user from obtaining direct access to the first cloud network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling access to a Cloud, comprising receiving traffic from an Enterprise user at a gateway, wherein the traffic carries a first key specific to the Enterprise user for use internal to the gateway, replacing the first key with a second key, wherein the second key is a Cloud-negotiated key generic to a plurality of Enterprise users which permits access to the Cloud, and sending traffic to the Cloud.

139 Citations

View as Search Results

13 Claims

1. A method for controlling access to a plurality of cloud networks, wherein the method is implemented in a gateway with a cloud interface and an enterprise interface, and wherein the method comprises:
- establishing an enterprise session with an enterprise user via the enterprise interface to obtain an enterprise security key unique to the enterprise user;
  
  establishing a cloud session with a first of the cloud networks via the cloud interface to obtain a cloud security key unique to the gateway and the first cloud network;
  
  creating an enterprise session to cloud session mapping by mapping the enterprise security key to the cloud security key;
  
  storing the enterprise session to cloud session mapping in a secure key store located in the gateway;
  
  receiving a packet comprising the enterprise security key from the enterprise user via the enterprise interface;
  
  replacing the enterprise security key in the packet with the cloud security key; and
  
  forwarding the packet comprising the cloud security key to the first cloud network via the cloud interface,wherein the cloud security key is not provided to the enterprise user to prevent the enterprise user from obtaining direct access to the first cloud network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the secure key store is configured for storing keys specific to a plurality of enterprise users, keys for interfacing with the plurality of cloud networks, and session mappings between the enterprise user keys and the cloud network keys.
  - 3. The method of claim 2, further comprising:
    - monitoring performance data associated with the plurality of cloud networks based on packets received from the cloud networks, wherein the performance data includes at least one of load factor, response time, latency, time of day, cost, available bandwidth, public accessibility, network loss, gating speeds, and resource security; and
      
      selectively distributing resource requests from the plurality of enterprise users to the plurality of cloud networks based on the performance data.
  - 4. The method of claim 1, wherein the packet from the enterprise user comprises a destination address associated with a first destination, and wherein the method further comprises changing the destination address from the first destination to a second destination associated with one of the plurality of cloud networks such that the destination address change is opaque to the enterprise user.
  - 5. The method of claim 1, further comprising applying a policy to the packet prior to forwarding the packet to the first cloud network, wherein the policy is selected from a group consisting of:
    - encryption, compression, optimization, traffic steering, traffic distribution, de-identification, and re-identification.
  - 6. The method of claim 1, further comprising:
    - receiving traffic from at least one of the cloud networks via the cloud interface, wherein the traffic comprises the cloud security key and a destination address associated with the enterprise user;
      
      replacing the cloud security key with the enterprise security key; and
      
      forwarding the traffic to the enterprise user.
  - 7. The method of claim 1, further comprising:
    - evaluating contents of the packet based on at least one metric selected from a group consisting of;
      
      size, confidentiality, protocol compliance, and threat potential; and
      
      applying a policy on the packet based on results of the evaluation prior to forwarding the packet.
  - 8. The method of claim 1, further comprising:
    - evaluating the packet based on information specific to the enterprise user, wherein the information specific to the enterprise user is selected from a group consisting of;
      
      user geographic location, user identity, user-group identity, user access type, user device type, and user-requested resource; and
      
      applying a policy on the packet prior to forwarding the packet.

9. A method for exchanging data between an enterprise user and a plurality of cloud networks, wherein the method is implemented in an enterprise policy enabler with a cloud interface and an enterprise interface, and wherein the method comprises:
- establishing an enterprise session with the enterprise user via the enterprise interface to obtain an enterprise security key unique to the enterprise user;
  
  establishing a cloud session with the cloud networks via the cloud interface to obtain a cloud security key unique to a private cloud network;
  
  creating an enterprise session to cloud session mapping by mapping the enterprise security key to the cloud security key;
  
  storing the enterprise session to cloud session mapping in a secure key store;
  
  receiving a packet from the enterprise user via the enterprise interface, wherein the packet comprises the enterprise security key and a request for access to at least one resource associated with a public cloud network;
  
  modifying packet data to modify the request based on at least one policy associated with the plurality of cloud networks, wherein modifying the request comprises replacing the enterprise security key with the cloud security key based on the enterprise session to cloud session mapping; and
  
  forwarding the packet to a resource of the private cloud network via the cloud interface,wherein the modifying the request based on the policy comprises redirecting the packet from the public cloud network to the private cloud network based on a determination that the policy prohibits access to the public cloud network resource due to confidential data stored in the packet data.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, further comprising:
    - receiving a second packet from a second enterprise user, the second packet comprising a second request for a third resource;
      
      modifying packet data of the second packet to modify the second request based on a second policy associated with the plurality of cloud networks; and
      
      selecting the second policy based on information specific to the second enterprise user,wherein the information specific to the second enterprise user is selected from a group consisting of;
      
      user geographic location, user identity, user-group identity, user access type, user device type, and user-requested resource.
  - 11. The method of claim 9, further comprising selecting the at least one policy based on information specific to the public cloud network resource or the private cloud network resource, wherein the information specific to the public cloud network resource or the private cloud network resource is selected from a group consisting of:
    - load factor, response time, latency, time of day, cost, available bandwidth, public accessibility, network loss, gating speeds, and resource security.
  - 12. The method of claim 9, wherein the at least one policy is selected from a group consisting of:
    - encryption, compression, optimization, traffic steering, traffic distribution, de-identification, and re-identification.
  - 13. The method of claim 9, further comprising:
    - receiving traffic from the private network via the cloud interface, wherein the traffic is associated with the enterprise user'"'"'s request for the public cloud resource;
      
      modifying the traffic based on at least one policy associated with an enterprise network associated with the enterprise user, wherein modifying the traffic comprises rendering redirection of the enterprise user'"'"'s request for the public cloud resource opaque to the enterprise user by modifying traffic address information; and
      
      sending the traffic to the enterprise user via the enterprise interface and the enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Durazzo, Kenneth, Murthy, Shree
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US13/732,159
Publication Number

US 20140053280A1
Time in Patent Office

1,023 Days
Field of Search

726 2- 21, 726 26- 30
US Class Current

1/1
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

H04L 67/306   User profiles

H04L 67/60   Scheduling or organising th...

Control pool based enterprise policy enabler for controlled cloud access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

139 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Control pool based enterprise policy enabler for controlled cloud access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links