US12568085B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12568085-B2 |
| Application number | US-202318502280-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 6, 2023 |
| Priority date | Nov 6, 2023 |
| Publication date | Mar 3, 2026 |
| Grant date | Mar 3, 2026 |
Abstract
Systems and methods for generating sub-identities for workloads in a cloud-based system. Various embodiments include receiving a key from an external system; generating one or more sub-identities from the key; assigning the one or more sub-identities to one or more workloads; and enforcing policies on the one or more workloads and traffic associated therewith based on the one or more sub-identities.
Claims
What is claimed is:

1. A method comprising steps of: receiving a key from an external system, the key is associated with a customer; generating one or more sub-identities from the key, wherein the one or more sub-identities are specific to the customer and used only within a cloud-based system; assigning the one or more sub-identities to one or more workloads of the customer, wherein the one or more sub-identities are used within the cloud-based system to prevent exposure of the key to the customer and the one or more workloads, and to enable lifecycle management of the key, granular security controls for the key, and centralized enforcement of access policies within the cloud-based system; enforcing policies in the cloud-based system on the one or more workloads and one or more payloads associated therewith based on the one or more sub-identities; and converting the sub-identity back to the key prior to the one or more payloads reaching the external system.
2. The method of claim 1, wherein the steps further comprise: performing, via the cloud-based system, inline monitoring of the one or more workloads; extracting identification information from one or more payloads originating from the one or more workloads, wherein the identification information includes a sub-identity of the one or more sub-identities; and enforcing policies on the one or more payloads based thereon.
3. The method of claim 1, wherein the one or more payloads originate from the one or more workloads operating in a cloud-based system and are directed to the external system, and wherein the one or more payloads are intercepted by the cloud-based system.
4. The method of claim 1, wherein enforcing policies comprises rate limiting, and access control based on a sub-identity of the one or more sub-identities identified in traffic.
5. The method of claim 1, wherein the one or more workloads are associated with an enterprise having a plurality of departments, and wherein the steps further comprise: assigning each of the plurality of departments a sub-identity of the one or more sub-identities to utilize in payloads originating from workloads associated therewith.
6. The method of claim 5, wherein the enforcing policy is based on a department to which a workload is assigned.
7. The method of claim 5, wherein the enforcing policy includes allowing or blocking traffic from a workload to the external system based on a department to which the workload is assigned.
8. The method of claim 1, wherein the one or more sub-identities are customer specific, and wherein the one or more sub-identities are only utilized within a cloud-based system.
9. The method of claim 8, wherein the steps further comprise: converting a sub-identity of the one or more sub-identities within a payload to the key prior to the payload reaching the external system.
10. The method of claim 1, wherein the key is not shared with the one or more workloads.
11. A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors to perform steps of: receiving a key from an external system, the key is associated with a customer; generating one or more sub-identities from the key, wherein the one or more sub-identities are specific to the customer and used only within a cloud-based system; assigning the one or more sub-identities to one or more workloads of the customer, wherein the one or more sub-identities are used within the cloud-based system to prevent exposure of the key to the customer and the one or more workloads and to enable lifecycle management of the key, granular security controls for the key, and centralized enforcement of access policies within the cloud-based system; enforcing policies in the cloud-based system on the one or more workloads and one or more payloads associated therewith based on the one or more sub-identities; and converting the sub-identity back to the key prior to the one or more payloads reaching the external system.
12. The non-transitory computer-readable medium of claim 11, wherein the steps further comprise: performing, via the cloud-based system, inline monitoring of the one or more workloads; extracting identification information from one or more payloads originating from the one or more workloads, wherein the identification information includes a sub-identity of the one or more sub-identities; and enforcing policies on the one or more payloads based thereon.
13. The non-transitory computer-readable medium of claim 11, wherein the one or more payloads originate from the one or more workloads operating in a cloud-based system and are directed to the external system, and wherein the one or more payloads are intercepted by the cloud-based system.
14. The non-transitory computer-readable medium of claim 11, wherein enforcing policies comprises rate limiting, and access control based on a sub-identity of the one or more sub-identities identified in traffic.
15. The non-transitory computer-readable medium of claim 11, wherein the one or more workloads are associated with an enterprise having a plurality of departments, and wherein the steps further comprise: assigning each of the plurality of departments a sub-identity of the one or more sub-identities to utilize in payloads originating from workloads associated therewith.
16. The non-transitory computer-readable medium of claim 15, wherein the enforcing policy is based on a department to which a workload is assigned.
17. The non-transitory computer-readable medium of claim 15, wherein the enforcing policy includes allowing or blocking traffic from a workload to the external system based on a department to which the workload is assigned.
18. The non-transitory computer-readable medium of claim 11, wherein the one or more sub-identities are customer specific, and wherein the one or more sub-identities are only utilized within a cloud-based system.
19. The non-transitory computer-readable medium of claim 18, wherein the steps further comprise: converting a sub-identity of the one or more sub-identities within a payload to the key prior to the payload reaching the external system.
20. The non-transitory computer-readable medium of claim 11, wherein the key is not shared with the one or more workloads.
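The following is an added illustration of the brokering pattern the claims describe (sub-identities derived from a customer key, per-department allow/block and rate-limit enforcement on intercepted payloads, and the key restored only on the egress side); it is constructed example code, not the patent's implementation, and the HMAC derivation, the `Policy` shape, and the `authorization` header field are assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Policy:
    allowed: bool        # may this department reach the external system at all?
    max_requests: int    # simplified rate limit: requests allowed per sub-identity


class SubIdentityBroker:
    """Holds the customer's real key, hands workloads derived sub-identities,
    and swaps a sub-identity back for the key only on the way out (constructed)."""

    def __init__(self, customer: str, real_key: str, policies: Dict[str, Policy]):
        self.customer = customer
        self._real_key = real_key               # never handed to a workload
        self.policies = policies
        self._sub_ids: Dict[str, str] = {}      # sub-identity -> department
        self._counts: Dict[str, int] = {}       # sub-identity -> requests seen

    def issue_sub_identity(self, department: str) -> str:
        # Assumed derivation: HMAC over tenant and department keyed with the real key,
        # so the sub-identity is bound to the key yet reveals nothing about it.
        tag = hmac.new(self._real_key.encode(),
                       f"{self.customer}:{department}".encode(),
                       hashlib.sha256).hexdigest()[:32]
        sub_id = f"sub-{tag}"
        self._sub_ids[sub_id] = department
        return sub_id

    def forward(self, payload: dict) -> Tuple[str, Optional[dict]]:
        """Inline enforcement on an intercepted payload: (decision, outbound or None)."""
        sub_id = payload.get("authorization", "").removeprefix("Bearer ")
        department = self._sub_ids.get(sub_id)
        if department is None:
            return "block: unknown sub-identity", None
        policy = self.policies.get(department)
        if policy is None or not policy.allowed:
            return f"block: department {department} not allowed", None
        self._counts[sub_id] = self._counts.get(sub_id, 0) + 1
        if self._counts[sub_id] > policy.max_requests:
            return f"block: rate limit for {department}", None
        outbound = dict(payload)
        outbound["authorization"] = f"Bearer {self._real_key}"  # key restored here only
        return "allow", outbound
```

A workload that leaks its sub-identity leaks nothing usable outside the broker, and revoking or rotating the real key never requires touching the workloads.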
CPC classifications:

- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- Filtering policies (mail message filtering H04L51/212)
- Flow control; Congestion control
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- for controlling access to devices or network resources