Cloud application control using man-in-the-middle identity brokerage
First Claim
1. A cloud-based method, comprising:
receiving a request from a user for a cloud application at a proxy server located in a distributed security system which is in an external network from the user and an external network from the cloud application, wherein the distributed security system is located between the user and the cloud application;
determining whether the user is authenticated based on a presence of cookies in the request;
if the cookies are present, un-transforming the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application; and
if the cookies are not present, forwarding the request to the cloud application by the proxy server for authentication and transforming the cookies subsequent to the authentication prior to sending the cookies to the user;
monitoring for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system; and
preventing direct access to the cloud application except through the distributed security system based on the transforming the cookies, wherein the cookies are only accessible through the distributed security system and wherein communication between the user and the distributed security system is secure separate from the cookies.
Abstract
A cloud-based method, a system, and a cloud-based security system include receiving a request from a user for a cloud application at a proxy server; determining whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transforming the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application; and, if the cookies are not present, forwarding the request to the cloud application by the proxy server for authentication and transforming the cookies subsequent to the authentication prior to sending the cookies to the user.
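The decision procedure of claim 1 (un-transform cookies when present and forward; otherwise forward for authentication and transform the returned cookies) can be sketched as a broker function. This is an added illustration, not code from the patent or any assignee's product; the key, the stand-in cloud application and the cookie values are constructed, and the transform used here (a keyed keystream plus an HMAC tag, so that only the broker can recover the original cookie and altered tokens are rejected) is one possible choice, not the patent's.

```python
import base64, hashlib, hmac, os
from typing import Optional

# Constructed broker key for this example; a real broker would keep it in a KMS/HSM.
PROXY_KEY = hashlib.sha256(b"example-broker-key").digest()

def _keystream(nonce: bytes, length: int) -> bytes:
    """Keyed keystream derived from the broker key and a per-cookie nonce."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(PROXY_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def transform_cookie(value: str) -> str:
    """'Transforming the cookies': encrypt and tag so only the broker can un-transform."""
    nonce, plain = os.urandom(12), value.encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(PROXY_KEY, nonce + cipher, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode()

def untransform_cookie(token: str) -> Optional[str]:
    """'Un-transforming the cookies'; returns None (fail closed) for anything the broker did not issue."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) < 28:
        return None
    nonce, cipher, tag = raw[:12], raw[12:-16], raw[-16:]
    expected = hmac.new(PROXY_KEY, nonce + cipher, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(cipher, _keystream(nonce, len(cipher)))).decode()

def fake_cloud_app(cookies: dict) -> dict:
    """Constructed stand-in for the cloud application: issues a session cookie after authentication."""
    if cookies.get("session") == "sess-123":
        return {"status": 200, "set_cookie": {}}
    return {"status": 302, "set_cookie": {"session": "sess-123"}}

def handle_request(user_cookies: dict, cloud_app) -> dict:
    """Claim-1 branch: cookies present -> un-transform and forward; absent -> authenticate and transform."""
    if user_cookies:
        restored = {k: untransform_cookie(v) for k, v in user_cookies.items()}
        if None in restored.values():          # a raw app cookie or a tampered token never passes
            return {"action": "reject", "reason": "cookie not issued by broker"}
        return {"action": "forward", "status": cloud_app(restored)["status"]}
    resp = cloud_app({})                       # forward for authentication
    return {"action": "authenticate", "status": resp["status"],
            "cookies": {k: transform_cookie(v) for k, v in resp["set_cookie"].items()}}
```

Because the user only ever holds transformed tokens, a request sent straight to the application without passing the broker carries no usable session cookie, which is the "preventing direct access" effect the claim describes.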
14 Claims
1. As given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system comprising a proxy server, comprising:
a network interface; a data store; a processor communicatively coupled to the network interface and the data store; memory storing instructions that, when executed, cause the processor to: receive a request from a user for a cloud application at the proxy server located in a distributed security system which is in an external network from the user and an external network from the cloud application, wherein the distributed security system is located between the user and the cloud application; determine whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transform the cookies by the proxy server and forward the request with the un-transformed cookies to the cloud application; monitor for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system; if the cookies are not present, forward the request to the cloud application by the proxy server for authentication and transform the cookies subsequent to the authentication prior to sending the cookies to the user; and prevent direct access to the cloud application except through the distributed security system based on the transformed cookies, wherein the cookies are only accessible through the distributed security system and wherein communication between the user and the distributed security system is secure separate from the cookies. Dependent claims: 9, 10, 11, 12, 13.
14. A cloud-based security system, comprising:
a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security as a cloud access security broker, and wherein each of the plurality of nodes is located in an external network from the user and an external network from a cloud application, wherein the plurality of nodes are located between the user and the cloud application; wherein each of the plurality of nodes is configured to: receive a request from a user for a cloud application; determine whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transform the cookies by the proxy server and forward the request with the un-transformed cookies to the cloud application; if the cookies are not present, forward the request to the cloud application by the proxy server for authentication and transform the cookies subsequent to the authentication prior to sending the cookies to the user; monitor for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system; and prevent direct access to the cloud application except through the plurality of nodes based on the transformed cookies, wherein the cookies are only accessible through the plurality of nodes and wherein communication between the user and the plurality of nodes is secure separate from the cookies.
Specification