Identity-based access control for cloud applications

US11765174B2 · US · B2

Patent metadata
Publication number: US-11765174-B2
Application number: US-201816213545-A
Country: US
Kind code: B2
Filing date: Dec 7, 2018
Priority date: Dec 7, 2018
Publication date: Sep 19, 2023
Grant date: Sep 19, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques for providing application-independent access control in a cloud-services computing environment are provided. In one embodiment, a method for providing application-independent access control is provided. The method includes obtaining a user identity for accessing the cloud-services computing environment and receiving a user request to perform a task using an application. The method further includes collecting process-related data for performing the task using the application and obtaining one or more network routing addresses. The method further includes determining, based on the user identity, the process-related data, and the one or more network routing addresses, whether the task is to be performed. If the task is to be performed, the task is caused to be performed using the application; if the task is not to be performed, the user request is denied.

Claims

Claim text as shown on this page (preview; the final claim is truncated).

What is claimed is:

1. A method for application-independent access control in a cloud-services computing environment, the method comprising: at a host computing device configured to operate in the cloud-services computing environment having one or more processors and memory: obtaining, at a web virtual machine that is running in the host computing device and provides an interface for data communication between the cloud-services computing environment and devices external to the cloud-services computing environment, a user identity for accessing the cloud-services computing environment from a device external to the host computing device; forwarding the obtained user identity to an access control virtual machine that is running in the host computing device separately from the web virtual machine and configured to perform application-independent access control in the cloud-services computing environment; receiving a user request to perform a task using an application, wherein the application is executed in an application virtual machine running in the host computing device separately from the web virtual machine and the access control virtual machine, and configured to be accessed in the cloud-services computing environment; in response to receiving the user request at the application virtual machine: collecting, by an agent in the application virtual machine, process-related data for a particular process used by the application to perform the task, wherein the process-related data comprises a process identifier; and obtaining network routing addresses comprising one or more source IP addresses and one or more destination IP addresses; and providing the process-related data and the network routing addresses from the application virtual machine to the access control virtual machine, said providing the process-related data and the network routing addresses comprising: forwarding the process-related data and the network routing addresses from the application virtual machine to a virtual multiplexer that is running in the host computing device separately from the web virtual machine, the application virtual machine, and the access control virtual machine; multiplexing the process-related data and the network routing addresses at the virtual multiplexer; and forwarding multiplexed data of the process-related data and the network routing addresses to the access control virtual machine; prior to initiation of the particular process for performing the task, determining, based on the user identity, the process-related data, and the one or more source IP addresses and the one or more destination IP addresses, whether the task is to be performed, wherein the determining is performed at the access control virtual machine, the determining comprising: constructing a data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses; obtaining an access-control policy; and correlating the constructed data structure to the access-control policy; and in accordance with a determination that the task is to be performed, initiating the particular process causing the task to be performed at the application virtual machine.

2. The method of claim 1, wherein receiving the user request to perform a task using the application comprises: at the web virtual machine, wherein the web virtual machine is configured to receive user requests from one or more client computing devices external to the cloud-services computing environment, receiving an application program interface (API) call to perform the task using the application; and forwarding the API call to the application virtual machine.

3. The method of claim 1, wherein collecting the process-related data for performing the task comprises: at the application virtual machine, receiving an application program interface (API) call from the web virtual machine; in response to receiving the API call, detecting one or more process-related events; and collecting the process-related data based on the detected one or more process-related events.

4. The method of claim 3, wherein the one or more process-related events comprise at least one of: an event indicating a request for initiating a process of the application; and an event indicating a request for accessing at least a portion of a data object associated with the process of the application.

5. The method of claim 3, wherein collecting the process-related data based on the detected one or more process-related events comprises: determining a process for performing the task using the application; and obtaining a process identification associated with the determined process.

6. The method of claim 3, wherein collecting the process-related data based on the detected one or more process-related events comprises: identifying at least a portion of a data object associated with a process for performing the task using the application; and obtaining a representation of the data object associated with the process for performing the task using the application.

7. The method of claim 3, further comprising: forwarding the process-related data from the application virtual machine to the access control virtual machine.

8. The method of claim 1, further comprising: obtaining one or more source ports and one or more destination ports associated with the user request.

9. The method of claim 1, wherein determining whether the task is to be performed comprises: at the access control virtual machine, constructing the data structure based on a representation of the user identity, the process-related data, and the one or more source IP addresses and destination IP addresses as data entries in a context table that represents a totality of circumstances associated with the user request; and determining, based on a result of correlating the data structure to the access-control policy, whether the task is to be performed.

10. The method of claim 1, wherein causing the task to be performed comprises at least one of: initiating a process associated with the application to perform the task; and enabling access to at least a portion of a data object used by the process associated with the application.

11. The method of claim 1, further comprising in accordance with a determination that the task is not to be performed, denying the user request.

12. The method of claim 11, wherein denying the user request comprises at least one of: preventing initiating of a process associated with the application to perform the task; and denying access to at least a portion of a data object used by the process associated with the application.

13. The method of claim 11, wherein denying the user request comprises: denying a user request for uploading of a data object to the cloud-services computing environment, wherein the denying is performed prior to receiving the data object.

14. The method of claim 1, wherein the virtual multiplexer is in a virtual machine running in the host computing device separately from the web virtual machine, the application virtual machine, and the access control virtual machine.

15. The method of claim 1, wherein the obtained user identity is forwarded to the access control virtual machine without being multiplexed.

16. A host computing device operating in the cloud-services computing environment, the host computing device comprising: one or more processors; and memory storing one or more programs configured to be executed by the one or more processors, the one or more programs inc
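An added illustration of the decision step in claims 1 and 9, written for this page and not taken from the patent or from VMware: a context table is constructed from the user identity, the agent's process-related data and the source/destination IP addresses, correlated against an access-control policy, and only an allow result lets the process be initiated (default deny). The process-name field, the rule format, the wildcard convention and every sample value are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ContextTable:
    """Totality of circumstances for one request (the claim 9 context table)."""
    user: str      # user identity obtained at the web VM
    pid: int       # process identifier collected by the agent in the app VM
    process: str   # process name: assumed extra field, not named in the claims
    src_ip: str    # source IP address of the request
    dst_ip: str    # destination IP address the process would contact

@dataclass(frozen=True)
class Rule:
    """One access-control policy entry; the rule format is an assumption."""
    users: frozenset       # user identities, or {"*"} for any user
    processes: frozenset   # process names, or {"*"} for any process
    dst_networks: tuple    # CIDR strings the process may contact
    effect: str            # "allow" or "deny"

def _matches(value, allowed):
    return "*" in allowed or value in allowed

def build_context(user, process_data, routing):
    """Construct the data structure from identity, process data and addresses."""
    return ContextTable(user, process_data["pid"], process_data["name"],
                        routing["src"], routing["dst"])

def correlate(ctx, policy):
    """First matching rule wins; with no match the task is not performed."""
    dst = ip_address(ctx.dst_ip)
    for rule in policy:
        if (_matches(ctx.user, rule.users) and _matches(ctx.process, rule.processes)
                and any(dst in ip_network(n) for n in rule.dst_networks)):
            return rule.effect
    return "deny"

def handle_request(user, process_data, routing, policy, start_process):
    """Decide before the process is initiated; start it only on 'allow'."""
    ctx = build_context(user, process_data, routing)
    decision = correlate(ctx, policy)
    if decision == "allow":
        start_process(ctx.pid)   # initiate the particular process in the app VM
    return decision

# Constructed sample policy: "curl" is denied for every user; alice's "backup"
# process may contact only the 10.20.0.0/16 storage subnet.
POLICY = (
    Rule(frozenset({"*"}), frozenset({"curl"}), ("0.0.0.0/0",), "deny"),
    Rule(frozenset({"alice"}), frozenset({"backup"}), ("10.20.0.0/16",), "allow"),
)
```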

Assignees

Vmware Inc (as listed in the FAQ on this page)

Inventors

Classifications

  • H04L63/101 (Primary) · Access control lists [ACL] · CPC title

  • H04L63/102 (Primary) · Entity profiles · CPC title

  • Using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title

  • Providing single-sign-on or federations · CPC title

  • For managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

Patent family

Related publications grouped by family.

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11765174B2 cover?
Techniques for providing application-independent access control in a cloud-services computing environment are provided. In one embodiment, a method for providing application-independent access control is provided. The method includes obtaining a user identity for accessing the cloud-services computing environment and receiving a user request to perform a task using an application. The method fu…
Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/101. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 19, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).