Identity-based enforcement of network communication in serverless workloads
US-2022294828-A1 · Sep 15, 2022 · US
US12568176B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12568176-B2 |
| Application number | US-202418409729-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 10, 2024 |
| Priority date | Jan 28, 2020 |
| Publication date | Mar 3, 2026 |
| Grant date | Mar 3, 2026 |
Abstract.
A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.
Claims.
The invention claimed is:

1. A method comprising: generating an enclave protection rule that permits traffic between a first workload group identified by a first group identifier and a second workload group identified by a second group identifier that meets specified traffic criteria; generating membership information specifying first workload identifiers for first workloads in the first workload group and second workload identifiers for second workloads in the second workload group; generating, based on the enclave protection rule and membership information, a configuration for an enclave protection device; detecting a change in the first workloads in the first workload group; and transmitting updated membership information to the enclave protection device reflecting the change.
2. The method of claim 1, wherein the updated membership information is transmitted to the enclave protection device without transmitting the enclave protection rule.
3. The method of claim 1, wherein the specified traffic criteria comprises at least one of: a service, a port, or a protocol.
4. The method of claim 1, wherein the first workload identifiers and second workload identifiers are internet protocol (IP) addresses.
5. The method of claim 1, wherein generating the configuration for the enclave protection device comprises: identifying that the enclave protection rule is a duplicate of a different enclave protection rule; combining the duplicate rules into a combined rule; and replacing the enclave protection rule and the different enclave protection rule with the combined rule, the configuration for the enclave protection device being based on the combined rule.
6. The method of claim 5, wherein the enclave protection rule and different enclave protection rule share a common set of services, ports, and protocols.
7. The method of claim 1, wherein detecting the change in the first workloads in the first workload group comprises detecting that at least one workload in the first workload group is re-assigned to a different workload group.
8. The method of claim 1, wherein detecting the change in the first workloads in the first workload group comprises detecting that at least one workload in the first workload group comes online or goes offline.
9. A non-transitory computer-readable storage medium storing instructions for managing a segmentation policy, the instructions, when executed by a computing system, causing the computing system to perform operations comprising: generating an enclave protection rule that permits traffic between a first workload group identified by a first group identifier and a second workload group identified by a second group identifier that meets specified traffic criteria; generating membership information specifying first workload identifiers for first workloads in the first workload group and second workload identifiers for second workloads in the second workload group; generating, based on the enclave protection rule and membership information, a configuration for an enclave protection device; detecting a change in the first workloads in the first workload group; and transmitting updated membership information to the enclave protection device reflecting the change.
10. The non-transitory computer-readable storage medium of claim 9, wherein the updated membership information is transmitted to the enclave protection device without transmitting the enclave protection rule.
11. The non-transitory computer-readable storage medium of claim 9, wherein the specified traffic criteria comprises at least one of: a service, a port, or a protocol.
12. The non-transitory computer-readable storage medium of claim 9, wherein the first workload identifiers and second workload identifiers are internet protocol (IP) addresses.
13. The non-transitory computer-readable storage medium of claim 9, wherein generating the configuration for the enclave protection device comprises: identifying that the enclave protection rule is a duplicate of a different enclave protection rule; combining the duplicate rules into a combined rule; and replacing the enclave protection rule and the different enclave protection rule with the combined rule, the configuration for the enclave protection device being based on the combined rule.
14. The non-transitory computer-readable storage medium of claim 13, wherein the enclave protection rule and different enclave protection rule share a common set of services, ports, and protocols.
15. The non-transitory computer-readable storage medium of claim 9, wherein detecting the change in the first workloads in the first workload group comprises detecting that at least one workload in the first workload group is re-assigned to a different workload group.
16. The non-transitory computer-readable storage medium of claim 9, wherein detecting the change in the first workloads in the first workload group comprises detecting that at least one workload in the first workload group goes offline or comes online.
17. A computer system comprising: one or more processors; and a non-transitory computer-readable storage medium storing instructions for managing a segmentation policy, the instructions when executed by the one or more processors causing the computer system to perform steps including: generating an enclave protection rule that permits traffic between a first workload group identified by a first group identifier and a second workload group identified by a second group identifier that meets specified traffic criteria; generating membership information specifying first workload identifiers for first workloads in the first workload group and second workload identifiers for second workloads in the second workload group; generating, based on the enclave protection rule and membership information, a configuration for an enclave protection device; detecting a change in the first workloads in the first workload group; and transmitting updated membership information to the enclave protection device reflecting the change.
18. The computer system of claim 17, wherein the updated membership information is transmitted to the enclave protection device without transmitting the enclave protection rule.
19. The computer system of claim 17, wherein generating the configuration for the enclave protection device comprises: identifying that the enclave protection rule is a duplicate of a different enclave protection rule; combining the duplicate rules into a combined rule; and replacing the enclave protection rule and the different enclave protection rule with the combined rule, the configuration for the enclave protection device being based on the combined rule.
20. The computer system of claim 17, wherein detecting the change in the first workloads in the first workload group comprises detecting that at least one workload in the first workload group comes online, goes offline, or is re-assigned to a different workload group.
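The claims above describe one procedure: rules expressed between group identifiers (claim 1) with service, port and protocol criteria (claim 3); a membership map from group identifier to workload IP addresses (claim 4); duplicate rules sharing the same services, ports and protocols combined into one (claims 5 and 6); and, when a workload comes online, goes offline or is re-assigned (claims 7, 8, 20), an update that carries membership only, not the rule (claim 2). The Python below is an added example of that model, not code from the patent or its assignee; every class and function name (Criteria, EnclaveRule, DeviceConfig, combine_duplicates, compile_config, membership_delta, apply_membership_update, is_permitted) and all addresses are constructed for illustration. It goes beyond the claim text in two respects, both stated in the comments: it shows the device-side default-deny check that a boundary-crossing connection must match a rule, and it combines duplicates on one side only, so that combining never widens what the policy permits.

```python
"""Group-based enclave protection rules, membership updates and boundary
enforcement. Added illustration, not the patent's or assignee's code; all
names and sample addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Criteria:
    """Traffic criteria of claim 3: a service, a port and a protocol."""
    service: str
    port: int
    protocol: str


@dataclass(frozen=True)
class EnclaveRule:
    """Claim 1: permit traffic from workloads in src_groups to workloads in
    dst_groups that matches one of the criteria. The rule names groups by
    identifier only; it never names individual workloads."""
    src_groups: FrozenSet[str]
    dst_groups: FrozenSet[str]
    criteria: FrozenSet[Criteria]


@dataclass
class DeviceConfig:
    """What the policy management server pushes to the enclave protection
    device: group-level rules plus membership (group id -> IP addresses)."""
    rules: List[EnclaveRule]
    membership: Dict[str, FrozenSet[str]]


def combine_duplicates(rules: List[EnclaveRule]) -> List[EnclaveRule]:
    """Claims 5 and 6: rules sharing a common set of services, ports and
    protocols are replaced by one combined rule. Merging is keyed on
    (source groups, criteria) and unions destinations, which never widens
    the policy. Unioning BOTH sides of A->B and C->D into {A,C}->{B,D}
    would also permit A->D and C->B, so that merge is deliberately avoided."""
    merged: Dict[Tuple[FrozenSet[str], FrozenSet[Criteria]], Set[str]] = {}
    for rule in rules:
        key = (rule.src_groups, rule.criteria)
        merged.setdefault(key, set()).update(rule.dst_groups)
    return [EnclaveRule(src, frozenset(dst), crit)
            for (src, crit), dst in merged.items()]


def compile_config(rules: List[EnclaveRule],
                   membership: Dict[str, Iterable[str]]) -> DeviceConfig:
    """Generate the device configuration from rules and membership (claim 1)."""
    return DeviceConfig(combine_duplicates(rules),
                        {g: frozenset(ips) for g, ips in membership.items()})


def membership_delta(old: Dict[str, Iterable[str]],
                     new: Dict[str, Iterable[str]]) -> Dict[str, FrozenSet[str]]:
    """Server side (claims 7, 8): a workload coming online, going offline or
    being re-assigned changes membership only. The update message carries
    the changed groups and nothing else, so the rule is not re-sent (claim 2)."""
    return {g: frozenset(new.get(g, ()))
            for g in set(old) | set(new)
            if frozenset(old.get(g, ())) != frozenset(new.get(g, ()))}


def apply_membership_update(config: DeviceConfig,
                            update: Dict[str, FrozenSet[str]]) -> None:
    """Device side: replace membership for the listed groups; rules untouched."""
    for group, ips in update.items():
        config.membership[group] = frozenset(ips)


def groups_of(config: DeviceConfig, ip: str) -> Set[str]:
    return {g for g, ips in config.membership.items() if ip in ips}


def is_permitted(config: DeviceConfig, src_ip: str, dst_ip: str,
                 port: int, protocol: str) -> bool:
    """Enforcement at the enclave boundary (added here; default deny): an
    address in no group matches no rule, and a rule matches on port and
    protocol of one of its criteria."""
    src, dst = groups_of(config, src_ip), groups_of(config, dst_ip)
    return any(src & r.src_groups and dst & r.dst_groups
               and any(c.port == port and c.protocol == protocol
                       for c in r.criteria)
               for r in config.rules)


# Constructed sample policy and membership.
HTTPS = Criteria("https", 443, "tcp")
PGSQL = Criteria("postgres", 5432, "tcp")
RULES = [
    EnclaveRule(frozenset({"web"}), frozenset({"api"}), frozenset({HTTPS})),
    EnclaveRule(frozenset({"web"}), frozenset({"api"}), frozenset({HTTPS})),   # exact duplicate
    EnclaveRule(frozenset({"web"}), frozenset({"auth"}), frozenset({HTTPS})),  # same source and criteria
    EnclaveRule(frozenset({"api"}), frozenset({"db"}), frozenset({PGSQL})),
]
MEMBERSHIP = {
    "web": {"10.0.1.10", "10.0.1.11"},
    "api": {"10.0.2.10"},
    "auth": {"10.0.3.10"},
    "db": {"10.0.4.10"},
}

if __name__ == "__main__":
    cfg = compile_config(RULES, MEMBERSHIP)
    print(len(cfg.rules), "rules after combining duplicates")
    new_web = dict(MEMBERSHIP, web=MEMBERSHIP["web"] | {"10.0.1.12"})
    update = membership_delta(MEMBERSHIP, new_web)   # contains only "web"
    apply_membership_update(cfg, update)
    print(is_permitted(cfg, "10.0.1.12", "10.0.2.10", 443, "tcp"))
```

The point to notice is the shape of the update message: a new web workload produces a dictionary with a single group key and no rule at all, and the device's rule list is identical before and after the update. That is what lets membership churn (autoscaling, instances going offline, re-assignment to another group) be pushed frequently while the rule set is only rebuilt when the policy itself changes.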
CPC classification titles:

- Traffic policing
- Rule management
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Policy-and-charging control [PCC] architecture
- the condition being updates or upgrades of network functionality