US20160261607A1 - Techniques for identity-enabled interface deployment - Google Patents

Techniques for identity-enabled interface deployment Download PDF

Info

Publication number
US20160261607A1
US20160261607A1 US14/935,581 US201514935581A US2016261607A1 US 20160261607 A1 US20160261607 A1 US 20160261607A1 US 201514935581 A US201514935581 A US 201514935581A US 2016261607 A1 US2016261607 A1 US 2016261607A1
Authority
US
United States
Prior art keywords
cloud
agent
environment
cloud agent
token
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/935,581
Inventor
Stephen R. Carter
Douglas Garry Earl
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Micro Focus Software Inc
Original Assignee
Micro Focus Software Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Micro Focus Software Inc filed Critical Micro Focus Software Inc
Priority to US14/935,581 priority Critical patent/US20160261607A1/en
Publication of US20160261607A1 publication Critical patent/US20160261607A1/en
Assigned to MICRO FOCUS SOFTWARE INC. reassignment MICRO FOCUS SOFTWARE INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: NOVELL, INC.
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ARCSIGHT, LLC, ATTACHMATE CORPORATION, BORLAND SOFTWARE CORPORATION, ENTIT SOFTWARE LLC, MICRO FOCUS (US), INC., MICRO FOCUS SOFTWARE, INC., NETIQ CORPORATION, SERENA SOFTWARE, INC.
Assigned to NETIQ CORPORATION, SERENA SOFTWARE, INC, MICRO FOCUS LLC (F/K/A ENTIT SOFTWARE LLC), ATTACHMATE CORPORATION, MICRO FOCUS (US), INC., MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), BORLAND SOFTWARE CORPORATION reassignment NETIQ CORPORATION RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718 Assignors: JPMORGAN CHASE BANK, N.A.
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/41User authentication where a single sign-on provides access to a plurality of computers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Definitions

  • the Internet is rapidly evolving to include an operational mode called Cloud Computing and Cloud Storage.
  • the intent of these new modes is the reduction of enterprise data centers and the excess capacity contained in such.
  • the enterprise In order to provide services to customers, the enterprise is often compelled to host high levels of excess capacity (sometimes over 80%) to take care of unanticipated traffic (e.g., a national emergency such as 9/11) and anticipated traffic (e.g., the Christmas consumer buying season).
  • the cloud operational characteristics allow an enterprise to quickly utilize computing and storage capacity in the cloud when increases in traffic or some other increase in the need for computing and storage resources is needed. However, this capability must be supported by an appropriate API by cloud providers, which heretofore is unavailable.
  • techniques for identity-enabled interface deployment are presented. More specifically, and in an embodiment, a method for interface deployment is provided.
  • a cloud agent is configured for deployment within a target cloud environment.
  • the cloud agent is configured within an enterprise environment.
  • the cloud agent is authenticated and a cloud agent identity is obtained.
  • an expiration condition is assigned to the cloud agent identity that when satisfied renders the cloud agent identity invalid and the cloud agent is deployed to the target cloud environment for enforcement of enterprise policy within the target cloud environment, via the cloud agent.
  • FIG. 1 is a diagram of an architecture for identity-enabled interface deployment within a cloud network, according to an example embodiment.
  • FIG. 2 is a method for identity-enabled interface deployment, according to an example embodiment.
  • FIG. 3 is a diagram of another method for identity-enabled interface deployment, according to an example embodiment.
  • FIG. 4 is a diagram of an identity-enabled interface deployment system, according to an example embodiment.
  • a “resource” includes a user, service, system, device, directory, data store, groups of users, combinations of these things, etc.
  • a “principal” is a specific type of resource, such as an automated service or user that acquires an identity.
  • a designation as to what is a resource and what is a principal can change depending upon the context of any given network transaction. Thus, if one resource attempts to access another resource, the actor of the transaction may be viewed as a principal.
  • An “identity” is something that is formulated from one or more identifiers and secrets that provide a statement of roles and/or permissions that the identity has in relation to resources.
  • An “identifier” is information, which may be private and permits an identity to be formed, and some portions of an identifier may be public information, such as a user identifier, name, etc. Some examples of identifiers include social security number (SSN), user identifier and password pair, account number, retina scan, fingerprint, face scan, etc.
  • SSN social security number
  • password password
  • a “processing environment” defines a set of cooperating computing resources, such as machines, storage, software libraries, software systems, etc. that form a logical computing infrastructure.
  • a “logical computing infrastructure” means that computing resources can be geographically distributed across a network, such as the Internet. So, one computing resource at network site X and be logically combined with another computing resource at network site Y to form a logical processing environment.
  • processing environment computing environment
  • cloud processing environment computing environment
  • cloud computing environment
  • a “cloud” refers to a logical and/or physical processing environment as discussed above.
  • cloud network refers to a network of cloud processing environments logically being managed as a single collective network.
  • the embodiments herein provide techniques so that a Cloud Management Application Programming Interface (API) can be used by an enterprise to provide identity, role, and other such mechanisms via the API so that workloads in the cloud can be positively identified and the appropriate policies applied within the cloud.
  • API Cloud Management Application Programming Interface
  • Novell® network and proxy server products can be implemented in existing network architectures.
  • the techniques presented herein are implemented in whole or in part in the Novell® network and proxy server products, operating system products, cloud-based products or services, directory-based products and other products and/or services distributed by Novell®, Inc., of Waltham, Mass.
  • the techniques presented herein are implemented in machines, such as processor or processor-enabled devices. These machines are configured to specifically perform the processing of the methods and systems presented herein. Moreover, the methods and systems are implemented and reside within a non-transitory and computer-readable or processor-readable storage media and processed on the machines (processing devices) configured to perform the methods.
  • FIG. 1 is a diagram of an architecture for identity-enabled interface deployment within a cloud network, according to an example embodiment. It is noted that the architecture is presented for purposes of illustration and that other arrangements are possible to achieve the beneficial teachings presented herein and below.
  • embodiments and components of the architecture are implemented, programmed, and reside in a non-transitory computer-readable medium that executes on one or more processors that are specifically configured to process the components described herein and below.
  • FIG. 1 shows an embodiment in terms of the architecture diagram contained in the Distributed Management Task Force (DMTF) Cloud Management Architecture white paper (DSP-IS0102_1.0.0). All 400-level diagram elements are provided and integrated in a novel manner by the embodiments presented herein to enhance and improve on the DMTF teachings.
  • DMTF Distributed Management Task Force
  • DSP-IS0102_1.0.0 Cloud Management Architecture white paper
  • An administrator 405 or Configuration mechanism 407 provides information to the Agent Console 410 concerning Agents 420 that are to interact with the various cloud providers via a Cloud Service Provider (CSP) Interface 220 .
  • CSP Cloud Service Provider
  • the Agent Console 410 authenticates with the Identity Provider of Identity Service (IDP) 160 via 406 with credentials provided by the administrator 405 or Configuration 407 .
  • the authentication causes the crafting of an identity (e.g., SAML assertion) that contains the rights, permissions, roles, etc. that the Agent Console 410 is allowed to operate with.
  • identity e.g., SAML assertion
  • Implicit in, but not shown in, the FIG. 1 is the presence of a Policy Decision Point (PDP) that evaluates each action in terms of the identity and the rights, permissions, roles, etc. contained within the identity.
  • PDP Policy Decision Point
  • Agent Console 410 using information provided by the administrator 405 or Configuration 407 starts, stops, clones, etc. Agent 420 and provides operational events via 407 such that the Agent 420 is able to interact with a Cloud Provider as detailed below.
  • the Agent 420 communicates with the IDP 160 and authenticates via credentials obtained via 407 .
  • Successful authentication provides the Agent 420 with an identity (e.g., SAML assertion) that contains rights, permissions, roles, etc. that the Agent 420 is allowed to operate with.
  • an identity e.g., SAML assertion
  • TTL Time-To-Live setting
  • an event is sent to Event Timer 430 via 431 that serves to allow Event Timer 430 to provide an event to Agent 420 and/or Agent Console 410 and/or Network Operations Center (NOC) Situation Display 440 that results in credentials being provided to Agent 420 so that a new authentication can be affected via 421 , which extends the expiration specification.
  • NOC Network Operations Center
  • the NOC Situation Display 440 receives events via 441 and 442 , which are displayed in the NOC operational display to allow NOC personnel to perform the appropriate activities (e.g., provide new credentials to Agent 420 , etc.).
  • the Agent 420 communicates securely (e.g., via SSL) with the Security Manager 225 within the CSP Interface 220 via the mechanism specified by the cloud provider (e.g., (Representational State Transfer (RESTful), REST-like, Simple Object Access Protocol (SOAP), Remote Procedure Call (RPC), etc.) requesting authentication of Agent 420 and does so by providing the identity obtained via 421 .
  • the identity is verified by Security Manager 225 by validating the identity (e.g., SAML assertion) via the IDP 260 , which has a trust relationship previously established with the IDP 160 .
  • the trust relationship details the trust level that the cloud provider has with the enterprise so that the validity of the identity can be ascertained (e.g., verify the SAML assertion's digital signature) as well as validating the rights, permissions, roles, etc. that the Agent 420 is requesting to act under.
  • the Security Manger 225 returns to the Agent 420 a token that is specific to the cloud provider's infrastructure and that is used with other requests from Agent 420 to the CSP Interface 220 .
  • the Security Manager 225 within the CSP Interface 220 communicates securely (e.g., via SSL) with the Agent 420 via the mechanism specified by the cloud provider (e.g., RESTful, REST-like, SOAP, RPC, etc.) requesting authentication of Security Manager 225 within the CSP Interface 220 and does so by providing an identity obtained from IDP 260 by the Security Manager 225 .
  • the identity is verified by Agent 420 by validating the identity (e.g., SAML assertion) via the IDP 160 , which has a trust relationship previously established with the IDP 260 .
  • the trust relationship details the trust level the cloud provider has with the enterprise so that the validity of the identity can be ascertained (e.g., verify the SAML assertion's digital signature) as well as validating the rights, permissions, roles, etc. that the Security Manager 225 within the CSP Interface 220 is requesting to act under.
  • the Agent 420 returns to the Security Manager 225 within the CSP Interface 220 a token that is specific to the enterprise infrastructure and that is used with other requests from Security Manager 225 within the CSP Interface 220 to the Agent 420 .
  • the token supplied as specified above may be a Globally Unique Identifier (GUID) or a more complex structure, which is provided with subsequent requests.
  • Receiving processes can validate the request by establishing the relationship between the token and trust relationship (perhaps by a table look up or request to the IDP to verify). The intent is to replace the heavy-weight identity (e.g., SAML) process with something much easier and quicker to implement/process.
  • the token may or may not be encrypted. If it is encrypted, the token can be encrypted via a symmetric key since the processing load of a symmetric key cryptogram is much less than that of an asymmetric cryptogram.
  • the token in other embodiments can also be encrypted using asymmetric mechanisms as well.
  • the token may have an expiration specification that is different from the identity expiration specification. This particular expiration specification is handled internal to the Agent 420 or Security Manager 225 within the CSP Interface 220 because the renewal of the token is based on the already established identity. However, if the identity expiration specification is to expire before the next token expiration, the mechanism specified above for obtaining a new identity is performed followed by the steps to obtain a new token.
  • a secure and identity-enabled processing environment can be established between an enterprise and a cloud provider.
  • FIG. 2 is a method 200 for identity-enabled interface deployment, according to an example embodiment.
  • the method 200 (herein after referred to as “cloud interface deployment manager”) is implemented, programmed, and resides within a non-transitory computer-readable storage medium.
  • One or more processors of a network are specifically configured to execute the cloud interface deployment manager.
  • the network may be wired, wireless, or a combination of wired and wireless.
  • the cloud interface deployment manager configures a cloud agent for deployment to a target cloud environment.
  • the cloud agent is configured to process on the processors of the target cloud environment and to use interfaces that the target cloud environment uses.
  • the cloud interface deployment manager authenticates the cloud agent and obtains a cloud agent identity. This can occur in a variety of manners and through a variety of interactions as discussed above with reference to the FIG. 1 .
  • the cloud interface deployment manager interacts with a third-party identity service.
  • Credentials are supplied for the cloud agent.
  • the credentials are supplied to the identity service via an administrator that uses an agent console (as discussed and presented above with reference to the FIG. 1 ).
  • the cloud interface deployment manager assigns an expiration condition to the cloud agent identity.
  • the cloud agent identity becomes invalid or unusable.
  • the cloud interface deployment manager receives an event from a cloud agent that it will extend beyond the expiration condition. In response to this event, the cloud interface deployment manager re-authenticates the cloud agent to obtain a new and updated expiration condition that lasts for a length of time that the cloud agent anticipates to extend processing for.
  • the cloud interface deployment manager assigns the expiration condition as a time-to-live (TTL) attribute to the cloud agent identity.
  • TTL time-to-live
  • the cloud interface deployment manager deploys the cloud agent to the target cloud environment for enforcement of enterprise policy within the target cloud environment.
  • the cloud interface deployment manager requests, via the deployed cloud agent, a security token from a security manager of the target cloud environment.
  • the security token is unique to the target cloud environment.
  • the cloud interface deployment manager uses, via the deployed cloud agent, the security token with each request issued within the target cloud environment to validate each request and to enforce the enterprise policy with each request.
  • the cloud interface deployment manager receives, via the deployed cloud agent, a token expiration condition with the security token.
  • the security token becomes invalid for use within the target cloud environment when the token expiration condition is met.
  • the cloud interface deployment manager identifies, via the deployed cloud agent, the token expiration condition as being different from the expiration condition of the cloud agent identity.
  • the cloud interface deployment manager recognizes, via the deployed cloud agent, the security token as a globally unique identifier for the target cloud environment.
  • the cloud interface deployment manager uses, via the deployed cloud agent, a cloud provider interface dictated by the target cloud environment to interact with the security manager of the target cloud environment.
  • FIG. 3 is a diagram of another method 300 for identity-enabled interface deployment, according to an example embodiment.
  • the method 300 (herein after referred to as “enterprise interface deployment manager”) is implemented, programmed, and resides within a non-transitory computer-readable storage medium.
  • One or more processors of a network are specifically configured to execute the cloud interface deployment manager.
  • the cloud interface deployment manager represented by the method 200 of the FIG. 2 is presented from the perspective of an enterprise deploying an interface for policy enforcement in a cloud environment. Whereas the enterprise interface deployment manager is presented from the perspective of a cloud interface being deployed in an enterprise environment. It is not that the two methods 200 and 300 are not mutually exclusive such that both can be operational to establish a bi-directional deployment of identity based interfaces.
  • the enterprise interface deployment manager interacts with a cloud agent.
  • the cloud agent previously deployed to a cloud environment by an enterprise environment using a cloud provider interface.
  • the mechanism for deploying the cloud agent was presented above with respect to the FIGS. 1 and 2 .
  • the enterprise interface deployment manager requests that the cloud agent authenticate a security manager of the cloud environment to the enterprise environment. So, the deployed cloud agent is now authenticating a cloud provider's security manager.
  • the enterprise interface deployment manager authenticates the security manager to specific rights, roles, and permissions within the enterprise environment.
  • the enterprise interface deployment manager receives, via the security manager, an enterprise token that is specific to the enterprise environment. This is done in response to the successful authentication of the security manager as presented with the processing of 320 .
  • the enterprise interface deployment manager obtains the enterprise token in an encrypted format.
  • the enterprise interface deployment manager uses a symmetric key to decrypt the encrypted format of the enterprise token.
  • the enterprise interface deployment manager uses, via the security manager, the enterprise token to enforce cloud policy within the enterprise environment.
  • the enterprise interface deployment manager uses a PDP manager to enforce the cloud policy within the enterprise environment.
  • the enterprise interface deployment manager operates the security manager as a particular cloud environment interface within the enterprise environment.
  • FIGS. 1-3 how policy can be enforced from an enterprise environment within a cloud environment and from a cloud environment within an enterprise environment.
  • the policy is identity-enabled via the authentication and identity mechanisms presented above.
  • FIG. 4 is a diagram of an identity-enabled interface deployment system 400 , according to an example embodiment.
  • Components of the identity-enabled interface deployment system 400 are implemented, reside, and programmed within non-transitory computer-readable storage medium as instructions that are executed on one or more processors of a network.
  • the network can be wired, wireless, or a combination of wired and wireless.
  • the identity-enabled interface deployment system 400 implements, inter alia, portions of the architecture presented above with respect to the FIG. 1 and the methods 200 and 300 of the FIGS. 2 and 3 , respectively.
  • the identity-enabled interface deployment system 400 includes an enterprise processing environment 401 and a cloud processing environment 402 . Each of these components and their interactions with one another will now be discussed in turn.
  • the enterprise processing environment 401 includes a plurality of enterprise processing devices. Example processing associated with the enterprise processing environment 401 was presented above with respect to the FIGS. 1 and 2 .
  • the enterprise processing environment 401 configures a cloud agent for deployment to the cloud processing environment for purposes of enforcing enterprise policy within the cloud processing environment 402 .
  • the cloud agent acquires a cloud token that is specific to the cloud processing environment 402 from a security manager to enforce the enterprise policy.
  • the cloud processing environment 402 includes a plurality of cloud processing devices. Example processing associated with the cloud processing environment 402 was presented above with respect to the FIGS. 1 and 3 .
  • the cloud processing environment 402 uses a security manager of the cloud processing environment 402 to interact with the cloud agent for purposes of enforcing cloud policy in the enterprise processing environment 401 .
  • the security manager acquires an enterprise token that is specific to the enterprise processing environment 401 from the cloud agent for purposes of enforcing the cloud policy within the enterprise processing environment 401 .

Abstract

Techniques for providing identity-enabled interfaces for deployment are presented. Specifically, an agent of an enterprise infrastructure authenticates and acquires an agent identity for interacting with a cloud processing environment. Once the agent is deployed in the cloud processing environment, enterprise policy can be enforced within the cloud processing environment on actions occurring within the cloud. The agent acts as an Application Programming Interface between the enterprise and the cloud processing environment. The reverse is also achievable, where a cloud deploys an agent to the enterprise to deploy a cloud interface within the enterprise for policy enforcement.

Description

    RELATED APPLICATIONS
  • This application is a continuation of U.S. patent application Ser. No. 13/182,090, filed Jul. 13, 2011, which is a non-provisional filing of, and claims priority under 35 U.S.C. 119(e) to U.S. Provisional Patent Application Ser. No. 61/364,632, filed on Jul. 15, 2010, entitled: “Identity-Enabled Management Interface,” each of which is incorporated by reference herein and below in its entirety.
    • BACKGROUND
  • The Internet is rapidly evolving to include an operational mode called Cloud Computing and Cloud Storage. The intent of these new modes is the reduction of enterprise data centers and the excess capacity contained in such. In order to provide services to customers, the enterprise is often compelled to host high levels of excess capacity (sometimes over 80%) to take care of unanticipated traffic (e.g., a national emergency such as 9/11) and anticipated traffic (e.g., the Christmas consumer buying season). The cloud operational characteristics allow an enterprise to quickly utilize computing and storage capacity in the cloud when increases in traffic or some other increase in the need for computing and storage resources is needed. However, this capability must be supported by an appropriate API by cloud providers, which heretofore is unavailable.
    • SUMMARY
  • In various embodiments, techniques for identity-enabled interface deployment are presented. More specifically, and in an embodiment, a method for interface deployment is provided.
  • Particularly, a cloud agent is configured for deployment within a target cloud environment. The cloud agent is configured within an enterprise environment. The cloud agent is authenticated and a cloud agent identity is obtained. Next, an expiration condition is assigned to the cloud agent identity that when satisfied renders the cloud agent identity invalid and the cloud agent is deployed to the target cloud environment for enforcement of enterprise policy within the target cloud environment, via the cloud agent.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram of an architecture for identity-enabled interface deployment within a cloud network, according to an example embodiment.
  • FIG. 2 is a method for identity-enabled interface deployment, according to an example embodiment.
  • FIG. 3 is a diagram of another method for identity-enabled interface deployment, according to an example embodiment.
  • FIG. 4 is a diagram of an identity-enabled interface deployment system, according to an example embodiment.
    •  DETAILED DESCRIPTION
  • A “resource” includes a user, service, system, device, directory, data store, groups of users, combinations of these things, etc. A “principal” is a specific type of resource, such as an automated service or user that acquires an identity. A designation as to what is a resource and what is a principal can change depending upon the context of any given network transaction. Thus, if one resource attempts to access another resource, the actor of the transaction may be viewed as a principal.
  • An “identity” is something that is formulated from one or more identifiers and secrets that provide a statement of roles and/or permissions that the identity has in relation to resources. An “identifier” is information, which may be private and permits an identity to be formed, and some portions of an identifier may be public information, such as a user identifier, name, etc. Some examples of identifiers include social security number (SSN), user identifier and password pair, account number, retina scan, fingerprint, face scan, etc.
  • A “processing environment” defines a set of cooperating computing resources, such as machines, storage, software libraries, software systems, etc. that form a logical computing infrastructure. A “logical computing infrastructure” means that computing resources can be geographically distributed across a network, such as the Internet. So, one computing resource at network site X and be logically combined with another computing resource at network site Y to form a logical processing environment.
  • The phrases “processing environment,” “cloud processing environment,” and the term “cloud” may be used interchangeably and synonymously herein.
  • Moreover, it is noted that a “cloud” refers to a logical and/or physical processing environment as discussed above.
  • The phrase “cloud network” refers to a network of cloud processing environments logically being managed as a single collective network.
  • The embodiments herein provide techniques so that a Cloud Management Application Programming Interface (API) can be used by an enterprise to provide identity, role, and other such mechanisms via the API so that workloads in the cloud can be positively identified and the appropriate policies applied within the cloud.
  • Various embodiments of this invention can be implemented in existing network architectures. For example, in some embodiments, the techniques presented herein are implemented in whole or in part in the Novell® network and proxy server products, operating system products, cloud-based products or services, directory-based products and other products and/or services distributed by Novell®, Inc., of Waltham, Mass.
  • Also, the techniques presented herein are implemented in machines, such as processor or processor-enabled devices. These machines are configured to specifically perform the processing of the methods and systems presented herein. Moreover, the methods and systems are implemented and reside within a non-transitory and computer-readable or processor-readable storage media and processed on the machines (processing devices) configured to perform the methods.
  • Of course, the embodiments of the invention can be implemented in a variety of architectural platforms, devices, operating and server systems, and/or applications. Any particular architectural layout or implementation presented herein is provided for purposes of illustration and comprehension only and is not intended to limit aspects of the invention.
  • It is within this context that embodiments of the invention are now discussed within the context of FIGS. 1-4.
  • FIG. 1 is a diagram of an architecture for identity-enabled interface deployment within a cloud network, according to an example embodiment. It is noted that the architecture is presented for purposes of illustration and that other arrangements are possible to achieve the beneficial teachings presented herein and below.
  • Again, embodiments and components of the architecture are implemented, programmed, and reside in a non-transitory computer-readable medium that executes on one or more processors that are specifically configured to process the components described herein and below.
  • The FIG. 1 shows an embodiment in terms of the architecture diagram contained in the Distributed Management Task Force (DMTF) Cloud Management Architecture white paper (DSP-IS0102_1.0.0). All 400-level diagram elements are provided and integrated in a novel manner by the embodiments presented herein to enhance and improve on the DMTF teachings.
  • An administrator 405 or Configuration mechanism 407 provides information to the Agent Console 410 concerning Agents 420 that are to interact with the various cloud providers via a Cloud Service Provider (CSP) Interface 220.
  • In an embodiment, the Agent Console 410 authenticates with the Identity Provider of Identity Service (IDP) 160 via 406 with credentials provided by the administrator 405 or Configuration 407. The authentication causes the crafting of an identity (e.g., SAML assertion) that contains the rights, permissions, roles, etc. that the Agent Console 410 is allowed to operate with.
  • Implicit in, but not shown in, the FIG. 1 is the presence of a Policy Decision Point (PDP) that evaluates each action in terms of the identity and the rights, permissions, roles, etc. contained within the identity.
  • The Agent Console 410, using information provided by the administrator 405 or Configuration 407 starts, stops, clones, etc. Agent 420 and provides operational events via 407 such that the Agent 420 is able to interact with a Cloud Provider as detailed below.
  • The Agent 420 communicates with the IDP 160 and authenticates via credentials obtained via 407. Successful authentication provides the Agent 420 with an identity (e.g., SAML assertion) that contains rights, permissions, roles, etc. that the Agent 420 is allowed to operate with. Also contained within the identity is a TTL (Time-To-Live setting) or some other expiration specification. If the Agent 420 is expected to operate longer than the expiration specification, an event is sent to Event Timer 430 via 431 that serves to allow Event Timer 430 to provide an event to Agent 420 and/or Agent Console 410 and/or Network Operations Center (NOC) Situation Display 440 that results in credentials being provided to Agent 420 so that a new authentication can be affected via 421, which extends the expiration specification.
  • In an embodiment, the NOC Situation Display 440 receives events via 441 and 442, which are displayed in the NOC operational display to allow NOC personnel to perform the appropriate activities (e.g., provide new credentials to Agent 420, etc.).
  • The Agent 420 communicates securely (e.g., via SSL) with the Security Manager 225 within the CSP Interface 220 via the mechanism specified by the cloud provider (e.g., (Representational State Transfer (RESTful), REST-like, Simple Object Access Protocol (SOAP), Remote Procedure Call (RPC), etc.) requesting authentication of Agent 420 and does so by providing the identity obtained via 421. The identity is verified by Security Manager 225 by validating the identity (e.g., SAML assertion) via the IDP 260, which has a trust relationship previously established with the IDP 160. The trust relationship details the trust level that the cloud provider has with the enterprise so that the validity of the identity can be ascertained (e.g., verify the SAML assertion's digital signature) as well as validating the rights, permissions, roles, etc. that the Agent 420 is requesting to act under. The Security Manger 225 returns to the Agent 420 a token that is specific to the cloud provider's infrastructure and that is used with other requests from Agent 420 to the CSP Interface 220.
  • In an embodiment, The Security Manager 225 within the CSP Interface 220 communicates securely (e.g., via SSL) with the Agent 420 via the mechanism specified by the cloud provider (e.g., RESTful, REST-like, SOAP, RPC, etc.) requesting authentication of Security Manager 225 within the CSP Interface 220 and does so by providing an identity obtained from IDP 260 by the Security Manager 225. The identity is verified by Agent 420 by validating the identity (e.g., SAML assertion) via the IDP 160, which has a trust relationship previously established with the IDP 260. The trust relationship details the trust level the cloud provider has with the enterprise so that the validity of the identity can be ascertained (e.g., verify the SAML assertion's digital signature) as well as validating the rights, permissions, roles, etc. that the Security Manager 225 within the CSP Interface 220 is requesting to act under. The Agent 420 returns to the Security Manager 225 within the CSP Interface 220 a token that is specific to the enterprise infrastructure and that is used with other requests from Security Manager 225 within the CSP Interface 220 to the Agent 420.
  • If both of the previous processing scenarios are used then a bidirectional mechanism is established so that requests from the enterprise to the cloud provider and from the cloud provider to the enterprise can be processed while applying policy (via the PDP) to all requests. In either case (one way or two ways) all requests can be evaluated according to identity (rights, permissions, roles, etc.).
  • The token supplied as specified above may be a Globally Unique Identifier (GUID) or a more complex structure, which is provided with subsequent requests. Receiving processes can validate the request by establishing the relationship between the token and trust relationship (perhaps by a table look up or request to the IDP to verify). The intent is to replace the heavy-weight identity (e.g., SAML) process with something much easier and quicker to implement/process. The token may or may not be encrypted. If it is encrypted, the token can be encrypted via a symmetric key since the processing load of a symmetric key cryptogram is much less than that of an asymmetric cryptogram. Although if desired, the token in other embodiments can also be encrypted using asymmetric mechanisms as well.
  • Note that the token may have an expiration specification that is different from the identity expiration specification. This particular expiration specification is handled internal to the Agent 420 or Security Manager 225 within the CSP Interface 220 because the renewal of the token is based on the already established identity. However, if the identity expiration specification is to expire before the next token expiration, the mechanism specified above for obtaining a new identity is performed followed by the steps to obtain a new token.
  • With the invention, a secure and identity-enabled processing environment can be established between an enterprise and a cloud provider.
  • FIG. 2 is a method 200 for identity-enabled interface deployment, according to an example embodiment. The method 200 (herein after referred to as “cloud interface deployment manager”) is implemented, programmed, and resides within a non-transitory computer-readable storage medium. One or more processors of a network are specifically configured to execute the cloud interface deployment manager. The network may be wired, wireless, or a combination of wired and wireless.
  • At 210, the cloud interface deployment manager configures a cloud agent for deployment to a target cloud environment. The cloud agent is configured to process on the processors of the target cloud environment and to use interfaces that the target cloud environment uses.
  • At 220, the cloud interface deployment manager authenticates the cloud agent and obtains a cloud agent identity. This can occur in a variety of manners and through a variety of interactions as discussed above with reference to the FIG. 1.
  • For example, at 221, the cloud interface deployment manager interacts with a third-party identity service. Credentials are supplied for the cloud agent. In one case, the credentials are supplied to the identity service via an administrator that uses an agent console (as discussed and presented above with reference to the FIG. 1).
  • At 230, the cloud interface deployment manager assigns an expiration condition to the cloud agent identity. When the expiration condition is satisfied, the cloud agent identity becomes invalid or unusable.
  • According to an embodiment, at 231, the cloud interface deployment manager receives an event from a cloud agent that it will extend beyond the expiration condition. In response to this event, the cloud interface deployment manager re-authenticates the cloud agent to obtain a new and updated expiration condition that lasts for a length of time that the cloud agent anticipates to extend processing for.
  • In another case, at 232, the cloud interface deployment manager assigns the expiration condition as a time-to-live (TTL) attribute to the cloud agent identity.
  • At 240, the cloud interface deployment manager deploys the cloud agent to the target cloud environment for enforcement of enterprise policy within the target cloud environment.
  • In an embodiment, at 250, the cloud interface deployment manager requests, via the deployed cloud agent, a security token from a security manager of the target cloud environment. The security token is unique to the target cloud environment.
  • Continuing with the embodiment of 250 and at 251, the cloud interface deployment manager uses, via the deployed cloud agent, the security token with each request issued within the target cloud environment to validate each request and to enforce the enterprise policy with each request.
  • Continuing with the embodiment of 250 and at 252, the cloud interface deployment manager receives, via the deployed cloud agent, a token expiration condition with the security token. The security token becomes invalid for use within the target cloud environment when the token expiration condition is met.
  • Continuing with the embodiment of 252 and at 253, the cloud interface deployment manager identifies, via the deployed cloud agent, the token expiration condition as being different from the expiration condition of the cloud agent identity.
  • Still continuing with the embodiment of 250 and at 254, the cloud interface deployment manager recognizes, via the deployed cloud agent, the security token as a globally unique identifier for the target cloud environment.
  • Again continuing with the embodiment of 250 and at 255, the cloud interface deployment manager uses, via the deployed cloud agent, a cloud provider interface dictated by the target cloud environment to interact with the security manager of the target cloud environment.
  • FIG. 3 is a diagram of another method 300 for identity-enabled interface deployment, according to an example embodiment. The method 300 (herein after referred to as “enterprise interface deployment manager”) is implemented, programmed, and resides within a non-transitory computer-readable storage medium. One or more processors of a network are specifically configured to execute the cloud interface deployment manager.
  • The cloud interface deployment manager represented by the method 200 of the FIG. 2 is presented from the perspective of an enterprise deploying an interface for policy enforcement in a cloud environment. Whereas the enterprise interface deployment manager is presented from the perspective of a cloud interface being deployed in an enterprise environment. It is not that the two methods 200 and 300 are not mutually exclusive such that both can be operational to establish a bi-directional deployment of identity based interfaces.
  • At 310, the enterprise interface deployment manager interacts with a cloud agent. The cloud agent previously deployed to a cloud environment by an enterprise environment using a cloud provider interface. The mechanism for deploying the cloud agent was presented above with respect to the FIGS. 1 and 2.
  • At 320, the enterprise interface deployment manager requests that the cloud agent authenticate a security manager of the cloud environment to the enterprise environment. So, the deployed cloud agent is now authenticating a cloud provider's security manager.
  • According to an embodiment, at 321, the enterprise interface deployment manager authenticates the security manager to specific rights, roles, and permissions within the enterprise environment.
  • At 330, the enterprise interface deployment manager receives, via the security manager, an enterprise token that is specific to the enterprise environment. This is done in response to the successful authentication of the security manager as presented with the processing of 320.
  • In an embodiment, at 331, the enterprise interface deployment manager obtains the enterprise token in an encrypted format.
  • Continuing with the embodiment of 331 and at 332, the enterprise interface deployment manager uses a symmetric key to decrypt the encrypted format of the enterprise token.
  • At 340, the enterprise interface deployment manager uses, via the security manager, the enterprise token to enforce cloud policy within the enterprise environment.
  • In an embodiment, at 350, the enterprise interface deployment manager uses a PDP manager to enforce the cloud policy within the enterprise environment.
  • In another situation, at 360, the enterprise interface deployment manager operates the security manager as a particular cloud environment interface within the enterprise environment.
  • So, one can now see via the discussions of FIGS. 1-3 how policy can be enforced from an enterprise environment within a cloud environment and from a cloud environment within an enterprise environment. The policy is identity-enabled via the authentication and identity mechanisms presented above.
  • FIG. 4 is a diagram of an identity-enabled interface deployment system 400, according to an example embodiment. Components of the identity-enabled interface deployment system 400 are implemented, reside, and programmed within non-transitory computer-readable storage medium as instructions that are executed on one or more processors of a network. The network can be wired, wireless, or a combination of wired and wireless.
  • In an embodiment, the identity-enabled interface deployment system 400 implements, inter alia, portions of the architecture presented above with respect to the FIG. 1 and the methods 200 and 300 of the FIGS. 2 and 3, respectively.
  • The identity-enabled interface deployment system 400 includes an enterprise processing environment 401 and a cloud processing environment 402. Each of these components and their interactions with one another will now be discussed in turn.
  • The enterprise processing environment 401 includes a plurality of enterprise processing devices. Example processing associated with the enterprise processing environment 401 was presented above with respect to the FIGS. 1 and 2.
  • The enterprise processing environment 401 configures a cloud agent for deployment to the cloud processing environment for purposes of enforcing enterprise policy within the cloud processing environment 402.
  • According to an embodiment, the cloud agent acquires a cloud token that is specific to the cloud processing environment 402 from a security manager to enforce the enterprise policy.
  • The cloud processing environment 402 includes a plurality of cloud processing devices. Example processing associated with the cloud processing environment 402 was presented above with respect to the FIGS. 1 and 3.
  • The cloud processing environment 402 uses a security manager of the cloud processing environment 402 to interact with the cloud agent for purposes of enforcing cloud policy in the enterprise processing environment 401.
  • In an embodiment, the security manager acquires an enterprise token that is specific to the enterprise processing environment 401 from the cloud agent for purposes of enforcing the cloud policy within the enterprise processing environment 401.
  • The above description is illustrative, and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reviewing the above description. The scope of embodiments should therefore be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

Claims (21)

1. (canceled)
2. A method, comprising:
authenticating, by a cloud agent, for operation within a cloud environment;
obtaining, by the cloud agent, security policy for the cloud environment; and
enforcing, by the cloud agent, the security policy within the cloud environment
3. The method of claim 2, wherein authenticating further includes obtaining a credential that expires when authenticating.
4. The method of claim 3, wherein obtaining further includes using a mechanism for obtaining a new credential when the credential expires and re-authenticating, by the cloud agent, for operating within the cloud environment.
5. The method of claim 2, wherein authenticating further includes obtaining a token when authenticating that is unique to the cloud environment and the cloud agent, wherein the token required for operation of the cloud agent within the cloud environment.
6. The method of claim 2, wherein authenticating further includes receiving a Time-To-Live setting that defines how long the cloud agent is permitted to process within cloud environment.
7. The method of claim 6, wherein enforcing further includes sending an even indicating by the cloud agent that the cloud agent expects to processing longer than a time identified in the TTL setting.
8. The method of claim 7, wherein sending further includes receiving a credential by the cloud agent in response to the event.
9. The method of claim 8 further comprising, detecting, by the cloud agent, a lapse in the time and re-authenticating, by the cloud agent, for processing within the cloud environment.
10. The method of claim 9, wherein detecting further includes obtaining, by the cloud agent, a new TTL with a new time for the cloud agent to process within the cloud environment.
11. The method of claim 2, wherein authenticating further includes receiving, by the cloud agent, a token in response to authenticating, wherein the token is encrypted and includes identity information for the cloud agent and an expiration specification that identifies conditions for which the authentication of the cloud agent expires for processing with the cloud environment.
12. A method, comprising:
receiving a request for authentication of a cloud agent for processing within a cloud environment;
providing the cloud agent with a token having encrypted identity information cloud agent and an expiration specification defining conditions that revoke authentication of the cloud agent in response to successful authentication of the cloud agent;
obtaining a second request from the cloud agent subsequent to the successful authentication of the cloud agent requesting modification to the expiration specification; and
sending the cloud agent, a new token having the modified expiration specification.
13. The method of claim 12 further comprising, receiving the new token from the cloud environment and re-authenticating the cloud agent for processing within the cloud environment in accordance with the modified expiration specification.
14. The method of claim 12, wherein providing further includes associating access rights for the cloud agent when processing within the cloud environment with the token.
15. The method of claim 14, wherein associating further includes identifying at least some access rights as permissions that authorize the cloud agent to authenticate other applications for processing within the cloud environment.
16. The method of claim 14, wherein associating further includes identifying at least some access rights as permissions that authorize the cloud agent to enforce security policies within the cloud environment.
17. The method of claim 14, wherein associating further includes identifying at least some access rights as permission that authorize the cloud agent to interact with an existing security manager of the cloud environment to augment security enforcement within the cloud environment.
18. The method of claim 12, wherein providing further includes augmenting the token with identify information that is unique to the cloud environment.
19. A system comprising:
a server; and
an identity manager configured to: i) execute on one or more processors of the server, ii) provide a mechanism for authenticating a cloud agent for enforcing security policy within a cloud environment, and iii) provide a mechanism for the cloud agent to extend authentication for enforcing the security policy within the cloud environment before a condition occurs that invalidates the cloud agent for enforcing security policy within the cloud environment.
20. The system of claim 19, wherein the mechanism at least in part includes an encrypted token identifying a unique identity for the cloud agent, a unique identity for the cloud environment, a credential, and the condition.
21. The system of claim 19, wherein the mechanism also includes access rights permitting the cloud agent to enforce additional security within the cloud environment beyond what is performed by an existing security manager that processes within the cloud environment.
US14/935,581 2010-07-15 2015-11-09 Techniques for identity-enabled interface deployment Abandoned US20160261607A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/935,581 US20160261607A1 (en) 2010-07-15 2015-11-09 Techniques for identity-enabled interface deployment

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US36463210P 2010-07-15 2010-07-15
US13/182,090 US9183374B2 (en) 2010-07-15 2011-07-13 Techniques for identity-enabled interface deployment
US14/935,581 US20160261607A1 (en) 2010-07-15 2015-11-09 Techniques for identity-enabled interface deployment

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/182,090 Continuation US9183374B2 (en) 2010-07-15 2011-07-13 Techniques for identity-enabled interface deployment

Publications (1)

Publication Number Publication Date
US20160261607A1 true US20160261607A1 (en) 2016-09-08

Family

ID=44584013

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/182,090 Expired - Fee Related US9183374B2 (en) 2010-07-15 2011-07-13 Techniques for identity-enabled interface deployment
US14/935,581 Abandoned US20160261607A1 (en) 2010-07-15 2015-11-09 Techniques for identity-enabled interface deployment

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/182,090 Expired - Fee Related US9183374B2 (en) 2010-07-15 2011-07-13 Techniques for identity-enabled interface deployment

Country Status (2)

Country Link
US (2) US9183374B2 (en)
EP (1) EP2410454A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180288025A1 (en) * 2017-03-31 2018-10-04 Hyland Software, Inc. Methods and apparatuses for utilizing a gateway integration server to enhance application security

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9215235B1 (en) 2011-05-23 2015-12-15 Palo Alto Networks, Inc. Using events to identify a user and enforce policies
US10560478B1 (en) 2011-05-23 2020-02-11 Palo Alto Networks, Inc. Using log event messages to identify a user and enforce policies
US9660992B1 (en) * 2011-05-23 2017-05-23 Palo Alto Networks, Inc. User-ID information propagation among appliances
US8677447B1 (en) 2011-05-25 2014-03-18 Palo Alto Networks, Inc. Identifying user names and enforcing policies
US8832447B2 (en) * 2011-08-10 2014-09-09 Sony Corporation System and method for using digital signatures to assign permissions
US8813205B2 (en) * 2012-02-06 2014-08-19 International Business Machines Corporation Consolidating disparate cloud service data and behavior based on trust relationships between cloud services
US11803786B2 (en) * 2013-04-10 2023-10-31 eData Platform, Corp. Enterprise integration platform
US9716728B1 (en) * 2013-05-07 2017-07-25 Vormetric, Inc. Instant data security in untrusted environments
US10397278B2 (en) * 2016-07-27 2019-08-27 BanyanOps, Inc. Transparently enhanced authentication and authorization between networked services
US10484382B2 (en) 2016-08-31 2019-11-19 Oracle International Corporation Data management for a multi-tenant identity cloud service
US10594684B2 (en) * 2016-09-14 2020-03-17 Oracle International Corporation Generating derived credentials for a multi-tenant identity cloud service
US10831789B2 (en) 2017-09-27 2020-11-10 Oracle International Corporation Reference attribute query processing for a multi-tenant cloud service
US10715564B2 (en) 2018-01-29 2020-07-14 Oracle International Corporation Dynamic client registration for an identity cloud service
US11423111B2 (en) 2019-02-25 2022-08-23 Oracle International Corporation Client API for rest based endpoints for a multi-tenant identify cloud service
US11792226B2 (en) 2019-02-25 2023-10-17 Oracle International Corporation Automatic api document generation from scim metadata
US20200372531A1 (en) * 2019-05-23 2020-11-26 Capital One Services, Llc System and method for providing consistent pricing information
US11281788B2 (en) * 2019-07-01 2022-03-22 Bank Of America Corporation Transient pliant encryption with indicative nano display cards
US11870770B2 (en) 2019-09-13 2024-01-09 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration
US11687378B2 (en) 2019-09-13 2023-06-27 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration and bridge high availability
WO2022005914A1 (en) * 2020-06-29 2022-01-06 Illumina, Inc. Temporary cloud provider credentials via secure discovery framework

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030200465A1 (en) * 2001-08-06 2003-10-23 Shivaram Bhat Web based applications single sign on system and method
US20050018768A1 (en) * 2001-09-26 2005-01-27 Interact Devices, Inc. Systems, devices and methods for securely distributing highly-compressed multimedia content
US20060235796A1 (en) * 2005-04-19 2006-10-19 Microsoft Corporation Authentication for a commercial transaction using a mobile module
US20080178004A1 (en) * 2006-01-24 2008-07-24 Huawei Technologies Co., Ltd. Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
US20100100461A1 (en) * 2007-03-16 2010-04-22 Txn Pty Ltd Payment transaction system
US20100131948A1 (en) * 2008-11-26 2010-05-27 James Michael Ferris Methods and systems for providing on-demand cloud computing environments
US20110072487A1 (en) * 2009-09-23 2011-03-24 Computer Associates Think, Inc. System, Method, and Software for Providing Access Control Enforcement Capabilities in Cloud Computing Systems
US20110202991A1 (en) * 2010-02-18 2011-08-18 Microsoft Corporation Preserving privacy with digital identities
US20120011578A1 (en) * 2010-07-08 2012-01-12 International Business Machines Corporation Cross-protocol federated single sign-on (F-SSO) for cloud enablement
US20140181267A1 (en) * 2012-12-22 2014-06-26 Edgewater Networks, Inc. Methods and systems to split equipment control between local and remote processing units

Family Cites Families (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6760840B1 (en) * 1994-03-15 2004-07-06 Kabushiki Kaisha Toshiba File editing system and shared file editing system with file content secrecy, file version management, and asynchronous editing
US6601171B1 (en) * 1999-02-18 2003-07-29 Novell, Inc. Deputization in a distributed computing system
EP1145519B1 (en) * 1999-06-10 2005-08-31 Alcatel Internetworking, Inc. System and method for policy-based network management of virtual private networks
US7574496B2 (en) * 2001-11-30 2009-08-11 Surgient, Inc. Virtual server cloud interfacing
US8447630B2 (en) * 2004-02-26 2013-05-21 Payment Pathways, Inc. Systems and methods for managing permissions for information ownership in the cloud
US8271797B2 (en) * 2003-07-14 2012-09-18 Sony Corporation Service use method and management method
US8087068B1 (en) * 2005-03-08 2011-12-27 Google Inc. Verifying access to a network account over multiple user communication portals based on security criteria
US7945952B1 (en) * 2005-06-30 2011-05-17 Google Inc. Methods and apparatuses for presenting challenges to tell humans and computers apart
US20090119500A1 (en) * 2007-11-02 2009-05-07 Microsoft Corporation Managing software configuration using mapping and repeatable processes
US8321933B2 (en) * 2007-11-14 2012-11-27 Caterpillar Inc. Securing electronic control unit code
US7886038B2 (en) 2008-05-27 2011-02-08 Red Hat, Inc. Methods and systems for user identity management in cloud-based networks
US8301759B2 (en) * 2008-10-24 2012-10-30 Microsoft Corporation Monitoring agent programs in a distributed computing platform
US8726170B2 (en) * 2008-10-30 2014-05-13 Sap Ag Delivery of contextual information
US8429650B2 (en) * 2008-11-14 2013-04-23 Oracle International Corporation System and method of security management for a virtual environment
US8266301B2 (en) * 2009-03-04 2012-09-11 International Business Machines Corporation Deployment of asynchronous agentless agent functionality in clustered environments
US9311162B2 (en) 2009-05-27 2016-04-12 Red Hat, Inc. Flexible cloud management
US8504609B2 (en) * 2009-08-21 2013-08-06 Fusionops Inc. System and method for facilitating secure integration and communication of cloud services and enterprise applications
US9094292B2 (en) 2009-08-31 2015-07-28 Accenture Global Services Limited Method and system for providing access to computing resources
US9875671B2 (en) 2009-12-17 2018-01-23 Google Llc Cloud-based user interface augmentation
US11922196B2 (en) * 2010-02-26 2024-03-05 Red Hat, Inc. Cloud-based utilization of software entitlements
US20110213687A1 (en) * 2010-02-26 2011-09-01 James Michael Ferris Systems and methods for or a usage manager for cross-cloud appliances
US8332517B2 (en) * 2010-03-31 2012-12-11 Incnetworks, Inc. Method, computer program, and algorithm for computing network service value pricing based on communication service experiences delivered to consumers and merchants over a smart multi-services (SMS) communication network
US8997196B2 (en) * 2010-06-14 2015-03-31 Microsoft Corporation Flexible end-point compliance and strong authentication for distributed hybrid enterprises
US8583788B2 (en) * 2011-04-20 2013-11-12 Novell, Inc. Techniques for auditing and controlling network services

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030200465A1 (en) * 2001-08-06 2003-10-23 Shivaram Bhat Web based applications single sign on system and method
US20050018768A1 (en) * 2001-09-26 2005-01-27 Interact Devices, Inc. Systems, devices and methods for securely distributing highly-compressed multimedia content
US20060235796A1 (en) * 2005-04-19 2006-10-19 Microsoft Corporation Authentication for a commercial transaction using a mobile module
US20080178004A1 (en) * 2006-01-24 2008-07-24 Huawei Technologies Co., Ltd. Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
US20100100461A1 (en) * 2007-03-16 2010-04-22 Txn Pty Ltd Payment transaction system
US20100131948A1 (en) * 2008-11-26 2010-05-27 James Michael Ferris Methods and systems for providing on-demand cloud computing environments
US20110072487A1 (en) * 2009-09-23 2011-03-24 Computer Associates Think, Inc. System, Method, and Software for Providing Access Control Enforcement Capabilities in Cloud Computing Systems
US20110202991A1 (en) * 2010-02-18 2011-08-18 Microsoft Corporation Preserving privacy with digital identities
US20120011578A1 (en) * 2010-07-08 2012-01-12 International Business Machines Corporation Cross-protocol federated single sign-on (F-SSO) for cloud enablement
US20140181267A1 (en) * 2012-12-22 2014-06-26 Edgewater Networks, Inc. Methods and systems to split equipment control between local and remote processing units

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"DMTF: Architecture for Managing Clouds - A White Paper from the Open Cloud Standards Incubator" [Online], published 06/18/2010 [Retrieved on: Dec. 10, 2016], www.dmtf.org, Retrieved from: < http://www.dmtf.org/sites/default/files/standards/documents/DSP-IS0102_1.0.0.pdf > *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180288025A1 (en) * 2017-03-31 2018-10-04 Hyland Software, Inc. Methods and apparatuses for utilizing a gateway integration server to enhance application security
US10511574B2 (en) * 2017-03-31 2019-12-17 Hyland Software, Inc. Methods and apparatuses for utilizing a gateway integration server to enhance application security

Also Published As

Publication number Publication date
US20120017085A1 (en) 2012-01-19
EP2410454A1 (en) 2012-01-25
US9183374B2 (en) 2015-11-10

Similar Documents

Publication Publication Date Title
US20160261607A1 (en) Techniques for identity-enabled interface deployment
US11641361B2 (en) Dynamic access control to network resources using federated full domain logon
US11695757B2 (en) Fast smart card login
US10523656B2 (en) Session migration between network policy servers
US10904240B2 (en) System and method of verifying network communication paths between applications and services
US9787659B2 (en) Techniques for secure access management in virtual environments
US10122703B2 (en) Federated full domain logon
Ertaul et al. Security Challenges in Cloud Computing.
JP6349579B2 (en) Conditional login promotion
JP5038531B2 (en) Authentication limited to trusted equipment
US9288193B1 (en) Authenticating cloud services
EP2328107B1 (en) Identity controlled data center
CN113316783A (en) Two-factor identity authentication using a combination of active directory and one-time password token
US9781096B2 (en) System and method for out-of-band application authentication
US20060230438A1 (en) Single sign-on to remote server sessions using the credentials of the local client
US8387130B2 (en) Authenticated service virtualization

Legal Events

Date Code Title Description
AS Assignment

Owner name: MICRO FOCUS SOFTWARE INC., DELAWARE

Free format text: CHANGE OF NAME;ASSIGNOR:NOVELL, INC.;REEL/FRAME:040020/0703

Effective date: 20160718

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., DELAWARE

Free format text: SECURITY INTEREST;ASSIGNORS:ATTACHMATE CORPORATION;BORLAND SOFTWARE CORPORATION;NETIQ CORPORATION;AND OTHERS;REEL/FRAME:044183/0718

Effective date: 20170901

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: NETIQ CORPORATION, WASHINGTON

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399

Effective date: 20230131

Owner name: MICRO FOCUS SOFTWARE INC. (F/K/A NOVELL, INC.), WASHINGTON

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399

Effective date: 20230131

Owner name: ATTACHMATE CORPORATION, WASHINGTON

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399

Effective date: 20230131

Owner name: SERENA SOFTWARE, INC, CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399

Effective date: 20230131

Owner name: MICRO FOCUS (US), INC., MARYLAND

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399

Effective date: 20230131

Owner name: BORLAND SOFTWARE CORPORATION, MARYLAND

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399

Effective date: 20230131

Owner name: MICRO FOCUS LLC (F/K/A ENTIT SOFTWARE LLC), CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST REEL/FRAME 044183/0718;ASSIGNOR:JPMORGAN CHASE BANK, N.A.;REEL/FRAME:062746/0399

Effective date: 20230131