Authentication and authorization methods for cloud computing platform security

US9288214B2 · US · B2

Patent metadata
Publication number: US-9288214-B2
Application number: US-201414319235-A
Country: US
Kind code: B2
Filing date: Jun 30, 2014
Priority date: Jun 30, 2011
Publication date: Mar 15, 2016
Grant date: Mar 15, 2016

Abstract

Official abstract text for this publication.

An authentication and authorization plug-in model for a cloud computing environment enables cloud customers to retain control over their enterprise information when their applications are deployed in the cloud. The cloud service provider provides a pluggable interface for customer security modules. When a customer deploys an application, the cloud environment administrator allocates a resource group for the customer's application and data. The customer registers its own authentication and authorization security module with the cloud security service, and that security module is then used to control what persons or entities can access information associated with the deployed application. To further balance the rights of the various parties, a third party notary service protects the privacy and the access right of the customer when its application and information are deployed in the cloud.

Claims

Full claim text for this publication (claims 1 to 18).

Having described our invention, what we now claim is as follows:

1. A method for authentication and authorization in an environment wherein computing resources are hosted in a shared pool of configurable computing resources, comprising: receiving a request from a first entity for access to the shared pool of configurable computing resources managed by a second entity; upon execution of an agreement among the first entity, the second entity and a third entity that is distinct from the first entity and the second entity, assigning the first entity a resource group; receiving and storing in the resource group information associated with permitted users of the first entity; registering a plug-in security module associated with the first entity in a plug-in service operated by the second entity in association with the shared pool of configurable computing resources; enabling access to the resource group via the plug-in security module; and upon receiving a permission to disassociate the first entity from the resource group, returning the resource group to the shared pool.

2. The method as described in claim 1 wherein returning the resource group to the shared pool occurs upon occurrence of an event that is one of: a violation of the agreement by the first entity, and termination of the agreement.

3. The method as described in claim 1 wherein the step of returning the resource group comprises: upon occurrence of an event, issuing a request to the third party, the request seeking permission to disassociate the first entity from the resource group; and receiving a response from the third party, the response indicating that the second entity has permission to disassociate the first entity from the resource group.

4. The method as described in claim 3 further including deleting the information associated with permitted users of the first entity prior to returning the resource group to the shared pool.

5. The method as described in claim 1 wherein access to the resource group by users associated with the second entity is restricted.

6. The method as described in claim 1 wherein the agreement is secured cryptographically so that it cannot be repudiated by either the first entity or the second entity.

7. Apparatus for authentication and authorization in an environment wherein computing resources are hosted in a shared pool of configurable computing resources, comprising: a processor; computer memory holding computer program instructions that when executed by the processor perform a method comprising: receiving a request from a first entity for access to the shared pool of configurable computing resources managed by a second entity; upon execution of an agreement among the first entity, the second entity and a third entity that is distinct from the first entity and the second entity, assigning the first entity a resource group; receiving and storing in the resource group information associated with permitted users of the first entity; registering a plug-in security module associated with the first entity in a plug-in service operated by the second entity in association with the shared pool of configurable computing resources; and enabling access to the resource group via the plug-in security module; and upon receiving a permission to disassociate the first entity from the resource group, returning the resource group to the shared pool.

8. The apparatus as described in claim 7 wherein returning the resource group to the shared pool occurs upon occurrence of an event that is one of: a violation of the agreement by the first entity, and termination of the agreement.

9. The apparatus as described in claim 7 wherein the step of returning the resource group comprises: upon occurrence of an event, issuing a request to the third party, the request seeking permission to disassociate the first entity from the resource group; and receiving a response from the third party, the response indicating that the second entity has permission to disassociate the first entity from the resource group.

10. The apparatus as described in claim 9 wherein the method further includes deleting the information associated with permitted users of the first entity prior to returning the resource group to the shared pool.

11. The apparatus as described in claim 7 wherein access to the resource group by users associated with the second entity is restricted.

12. The apparatus as described in claim 7 wherein the agreement is secured cryptographically so that it cannot be repudiated by either the first entity or the second entity.

13. A computer program product in a non-transitory computer readable medium for use in a data processing system for authentication and authorization in an environment wherein computing resources are hosted in a shared pool of configurable computing resources, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising: receiving a request from a first entity for access to the shared pool of configurable computing resources managed by a second entity; upon execution of an agreement among the first entity, the second entity and a third entity that is distinct from the first entity and the second entity, assigning the first entity a resource group; receiving and storing in the resource group information associated with permitted users of the first entity; registering a plug-in security module associated with the first entity in a plug-in service operated by the second entity in association with the shared pool of configurable computing resources; enabling access to the resource group via the plug-in security module; and upon receiving a permission to disassociate the first entity from the resource group, returning the resource group to the shared pool.

14. The computer program product as described in claim 13 wherein returning the resource group to the shared pool upon occurrence of an event that is one of: a violation of the agreement, and termination of the agreement.

15. The computer program product as described in claim 13 wherein returning the resource group comprises: upon occurrence of an event, issuing a request to the third party, the request seeking permission to disassociate the first entity from the resource group; and receiving a response from the third party, the response indicating that the second entity has permission to disassociate the first entity from the resource group.

16. The computer program product as described in claim 15 wherein the method further includes deleting the information associated with permitted users of the first entity prior to returning the resource group to the shared pool.

17. The computer program product as described in claim 13 wherein access to the resource group by users associated with the second entity is restricted.

18. The computer program product as described in claim 13 wherein the agreement is secured cryptographically so that it cannot be repudiated by either the first entity or the second entity.
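The control flow the claims describe, as an added Python model written for this page (not IBM's implementation): a resource group is assigned only once the three-party agreement is executed, the customer's registered plug-in module decides access while the provider's own staff are kept out, and the group returns to the pool only after the notary permits it and the customer's user records are wiped. The `Authorizer` callback signature and the event names are assumptions, and the executed agreement is reduced to a flag (claim 6's cryptographic non-repudiation is not modelled).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Assumed plug-in interface: the customer's module answers (user, action) -> allowed?
Authorizer = Callable[[str, str], bool]

@dataclass
class ResourceGroup:
    name: str
    owner: str                                            # first entity (the customer)
    permitted_users: Set[str] = field(default_factory=set)
    authorizer: Authorizer = lambda user, action: False   # deny-all until a module is registered
    data: Dict[str, str] = field(default_factory=dict)

class Notary:
    """Third entity: the provider may reclaim a group only with its permission."""
    def __init__(self, release_events=("violation", "termination")):   # assumed event names
        self.release_events = set(release_events)
    def permit_release(self, group: ResourceGroup, event: str) -> bool:
        return event in self.release_events

class CloudProvider:
    """Second entity: owns the shared pool, the plug-in service and the admin accounts."""
    def __init__(self, pool_size: int, notary: Notary, admins):
        self.free = [f"rg-{i}" for i in range(pool_size)]
        self.groups: Dict[str, ResourceGroup] = {}
        self.notary, self.admins = notary, set(admins)

    def assign(self, customer: str, agreement_executed: bool) -> str:
        if not agreement_executed:          # no group before the three-party agreement is executed
            raise PermissionError("agreement not executed")
        name = self.free.pop()
        self.groups[name] = ResourceGroup(name, customer)
        return name
    def register_plugin(self, name: str, users, authorizer: Authorizer) -> None:
        group = self.groups[name]
        group.permitted_users, group.authorizer = set(users), authorizer
    def access(self, name: str, user: str, action: str) -> bool:
        group = self.groups[name]
        if user in self.admins or user not in group.permitted_users:   # provider staff stay out (claim 5)
            return False
        return group.authorizer(user, action)   # the customer's module, not the provider, decides
    def release(self, name: str, event: str) -> bool:
        group = self.groups[name]
        if not self.notary.permit_release(group, event):   # claims 2-3: notary gate
            return False
        group.permitted_users.clear(); group.data.clear()   # claim 4: wipe before returning
        del self.groups[name]; self.free.append(name)
        return True
```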

Assignees

IBM

Inventors

Not listed on this page.

Classifications

  • Electricity · mapped topic

  • in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title

  • Third party · CPC title

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • providing single-sign-on or federations · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9288214B2 cover?
An authentication and authorization plug-in model for a cloud computing environment enables cloud customers to retain control over their enterprise information when their applications are deployed in the cloud. The cloud service provider provides a pluggable interface for customer security modules. When a customer deploys an application, the cloud environment administrator allocates a resource …
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 15, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).