Cloud application control using man-in-the-middle identity brokerage

US 9,654,507 B2
Filed: 07/31/2014
Issued: 05/16/2017
Est. Priority Date: 07/31/2014
Status: Active Grant

First Claim

Patent Images

1. A cloud-based method, comprising:

receiving a request from a user for a cloud application at a proxy server located in a distributed security system which is in an external network from the user and an external network from the cloud application, wherein the distributed security system is located between the user and the cloud application;

determining whether the user is authenticated based on a presence of cookies in the request;

if the cookies are present, un-transforming the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application; and

if the cookies are not present, forwarding the request to the cloud application by the proxy server for authentication and transforming the cookies subsequent to the authentication prior to sending the cookies to the user;

monitoring for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system; and

preventing direct access to the cloud application except through the distributed security system based on the transforming the cookies, wherein the cookies are only accessible through the distributed security system and wherein communication between the user and the distributed security system is secure separate from the cookies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud-based method, a system, and a cloud-based security system include receiving a request from a user for a cloud application at a proxy server; determining whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transforming the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application; and, if the cookies are not present, forwarding the request to the cloud application by the proxy server for authentication and transforming the cookies subsequent to the authentication prior to sending the cookies to the user.

Citations

14 Claims

1. A cloud-based method, comprising:
- receiving a request from a user for a cloud application at a proxy server located in a distributed security system which is in an external network from the user and an external network from the cloud application, wherein the distributed security system is located between the user and the cloud application;
  
  determining whether the user is authenticated based on a presence of cookies in the request;
  
  if the cookies are present, un-transforming the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application; and
  
  if the cookies are not present, forwarding the request to the cloud application by the proxy server for authentication and transforming the cookies subsequent to the authentication prior to sending the cookies to the user;
  
  monitoring for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system; and
  
  preventing direct access to the cloud application except through the distributed security system based on the transforming the cookies, wherein the cookies are only accessible through the distributed security system and wherein communication between the user and the distributed security system is secure separate from the cookies.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The cloud-based method of claim 1, wherein the proxy server is a transparent proxy between the user and the cloud application acting as a man-in-the-middle.
  - 3. The cloud-based method of claim 1, further comprising:
    - performing the authentication through identity federation mechanisms via the proxy server.
  - 4. The cloud-based method of claim 3, wherein the identity federation comprises the proxy server.
  - 5. The cloud-based method of claim 1, wherein the proxy server is part of the distributed security system comprising a Cloud access security broker, and wherein the transforming the cookies is done via crypto algorithms such that the cloud application or the user cannot un-transform the cookies.
  - 6. The cloud-based method of claim 1, further comprising:
    - preventing access to the cloud application by the proxy server based on a plurality of factors.
  - 7. The cloud-based method of claim 6, wherein the plurality of factors comprise a location of the user, an access level of the user, a device type of the user, and an application type used by the user.

8. A system comprising a proxy server, comprising:
- a network interface;
  
  a data store;
  
  a processor communicatively coupled to the network interface and the data store;
  
  memory storing instructions that, when executed, cause the processor to;
  
  receive a request from a user for a cloud application at the proxy server located in a distributed security system which is in an external network from the user and an external network from the cloud application, wherein the distributed security system is located between the user and the cloud application;
  
  determine whether the user is authenticated based on a presence of cookies in the request;
  
  if the cookies are present, un-transform the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application;
  
  monitor for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system;
  
  if the cookies are not present, forward the request to the cloud application by the proxy server for authentication and transform the cookies subsequent to the authentication prior to sending the cookies to the user; and
  
  prevent direct access to the cloud application except through the distributed security system based on the transformed cookies, wherein the cookies are only accessible through the distributed security system and wherein communication between the user and the distributed security system is secure separate from the cookies.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the system comprise a transparent proxy between the user and the cloud application acting as a man-in-the-middle.
  - 10. The system of claim 8, wherein the memory storing instructions that, when executed, further cause the processor to:
    - forward the request to the cloud application by the proxy server for authentication through an identity federation.
  - 11. The system of claim 10, wherein the identity federation comprises the system.
  - 12. The system of claim 8, wherein the system is part of the distributed security system comprising a Cloud access security broker.
  - 13. The system of claim 8, wherein the memory storing instructions that, when executed, further cause the processor to:
    - prevent access to the cloud application by the proxy server based on a plurality of factors, wherein the plurality of factors comprise a location of the user, an access level of the user, a device type of the user, and an application type used by the user, and wherein transforming the cookies is done via crypto algorithms such that the cloud application or the use cannot un-transform the cookies.

14. A cloud-based security system, comprising:
- a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security as a Cloud access security broker, and wherein each of the plurality of nodes is located in an external network from the user and an external network from a cloud application, wherein the plurality of nodes are located between the user and the cloud application;
  
  wherein each of the plurality of nodes is configured to;
  
  receive a request from a user for cloud application;
  
  determine whether the user is authenticated based on a presence of cookies in the request;
  
  if the cookies are present, un-transform the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application;
  
  if the cookies are not present, forward the request to the cloud application by the proxy server for authentication and transform the cookies subsequent to the authentication prior to sending the cookies to the user;
  
  monitor for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system; and
  
  prevent direct access to the cloud application except through the plurality of nodes based on the transformed cookies, wherein the cookies are only accessible through the plurality of nodes and wherein communication between the user and the plurality of nodes is secure separate from the cookies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Gangadharappa, Tejus, Udupa, Sivaprasad, Sharma, Dhawal, Narasimhan, Sridhar, Apte, Manoj
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
Jamshidi, Ghodrat

Application Number

US14/448,012
Publication Number

US 20160036855A1
Time in Patent Office

1,020 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/20   for managing network securi...

H04L 67/146   Markers for unambiguous ide...

H04L 67/562   Brokering proxy services

Cloud application control using man-in-the-middle identity brokerage

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Cloud application control using man-in-the-middle identity brokerage

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links