Just-in-time access based on screening criteria to maintain control of restricted data in cloud computing environments
US-2017244760-A1 · Aug 24, 2017 · US
Incident management to maintain control of restricted data in cloud computing environments
US10560463B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10560463-B2 |
| Application number | US-201514933803-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 5, 2015 |
| Priority date | Nov 5, 2015 |
| Publication date | Feb 11, 2020 |
| Grant date | Feb 11, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Techniques allow DevOps personnel to perform incident management for cloud computing environments in a manner that maintains control over restricted data and the data plane. The DevOps personnel do not have access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. The incident management techniques include executing automatic operations to resolve an incident and allowing DevOps personnel to execute remote operations without providing the DevOps personnel access. A further incident management technique provides DevOps personnel with just-in-time (JIT) access that is limited to a certain level or type of access and limited in time. Still another technique for incident management is using an escort model, in which an escort session between operating personnel and DevOps personnel is established and connected to the cloud computing environment to allow the DevOps personnel access to the production environment while escorted by the operating personnel.
First claim
Opening claim text (preview).
What is claimed is: 1. One or more computer storage media storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to perform operations comprising: receiving incident information regarding an incident in a cloud computing environment; providing the incident information to a portal on a DevOps device for review by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment; receiving, at a service within the cloud computing environment, a request for a just-in-time (JIT) access session to access a resource in a production environment of the cloud computing environment from the portal on the DevOps device, wherein the request specifies request parameters including a level or type of access requested and information regarding the incident including a type of the incident and whether the incident is active; accessing, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the production environment of the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource; determining, by the service within the cloud computing environment, whether to approve the request for the JIT access session based at least in part on automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on the type of the incident and whether the incident is active; if it is determined to approve the request for the JIT access session, provisioning JIT access for the DevOps personnel including setting a time limit for the JIT access; and if it is determined to not approve the request for the JIT access session, providing a notice to the portal on the DevOps device. 2. The one or more computer storage media of claim 1 , wherein the request for the JIT access session specifies at least one selected from the following: information regarding the DevOps personnel and an identification of the incident. 3. The one or more computer storage media of claim 2 , wherein the information regarding the DevOps personnel identifies a role of the DevOps personnel. 4. The one or more computer storage media of claim 1 , wherein the JIT access session is revoked when the time limit for the JIT access expires. 5. The one or more computer storage media of claim 1 , wherein the JIT access session is revoked in response to a command from the DevOps personnel during the JIT access session. 6. The one or more computer storage media of claim 1 , the operations further comprising: if it is determined to approve the request for the JIT access session, providing a notice regarding approval of the request to operating personnel having persistent access to restricted data. 7. The one or more computer storage media of claim 1 , the operations further comprising: if it is determined to not approve the request for the JIT access session, sending the request for the JIT access session to operating personnel having persistent access to restricted data. 8. A computer-implement method comprising: receiving incident information regarding an incident in a cloud computing environment; providing the incident information to a portal on a DevOps device for review by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment; receiving, at a service within the cloud computing environment, a request for a just-in-time (JIT) access session to access a resource in a production environment of the cloud computing environment from the portal on the DevOps device, wherein the request specifies request parameters including a level or type of access requested and information regarding the incident including a type of the incident and whether the incident is active; accessing, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the production environment of the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the service to automatically determine whether to grant JIT access to the resource; determining, by the service within the cloud computing environment, whether to approve the request for the JIT access session based at least in part on automatically evaluating the request parameters using the JIT policy for the resource to determine whether the level or type of access requested is automatically approved depending on the type of the incident and whether the incident is active; if it is determined to approve the request for the JIT access session, provisioning JIT access for the DevOps personnel including setting a time limit for the JIT access; and if it is determined to not approve the request for the JIT access session, providing a notice to the portal on the DevOps device. 9. The method of claim 8 , wherein the request for the JIT access session specifies at least one selected from the following: information regarding the DevOps personnel and an identification of the incident. 10. The method of claim 9 , wherein the information regarding the DevOps personnel identifies a role of the DevOps personnel. 11. The method of claim 8 , wherein the JIT access session is revoked when the time limit for the JIT access expires. 12. The method of claim 8 , wherein the JIT access session is revoked in response to a command from the DevOps personnel during the JIT access session. 13. The method of claim 8 , the method further comprising: if it is determined to approve the request for the JIT access session, providing a notice regarding approval of the request to operating personnel having persistent access to restricted data. 14. The method of claim 8 , the method further comprising: if it is determined to not approve the request for the JIT access session, sending the request for the JIT access session to operating personnel having persistent access to restricted data. 15. A system comprising: one or more hardware processors; and one or more computer storage media storing computer-usable instructions that, when used by the one or more processors, cause the one or more processors to: receive incident information regarding an incident in a cloud computing environment; provide the incident information to a portal on a DevOps device for review by a DevOps personnel who does not have persistent access to restricted data in the cloud computing environment; receive, at a service within the cloud computing environment, a request for a just-in-time (JIT) access session to access a resource in a production environment of the cloud computing environment from the portal on the DevOps device, wherein the request specifies request parameters including a level or type of access requested and information regarding the incident including a type of the incident and whether the incident is active; access, from a database of JIT policies stored in the cloud computing environment for a plurality of resources within the production environment of the cloud computing environment, a JIT policy for the resource specified by the request, the JIT policy stored in the database for processing by the service within the cloud computing environment to allow the
Assignees
Inventors
Classifications
- H04L63/108Primary
when the policy decisions are valid for a limited amount of time · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Multiple levels of security · CPC title
Software deployment · CPC title
Software maintenance or management · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10560463B2 cover?
- Techniques allow DevOps personnel to perform incident management for cloud computing environments in a manner that maintains control over restricted data and the data plane. The DevOps personnel do not have access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. The incident management techniques include executing automatic operation…
- Who is the assignee on this patent?
- Microsoft Technology Licensing Llc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/108. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Feb 11 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).