Virtual identity of a user based on disparate identity services
US-2015215348-A1 · Jul 30, 2015 · US
US9654507B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9654507-B2 |
| Application number | US-201414448012-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 31, 2014 |
| Priority date | Jul 31, 2014 |
| Publication date | May 16, 2017 |
| Grant date | May 16, 2017 |
Abstract
A cloud-based method, a system, and a cloud-based security system include receiving a request from a user for a cloud application at a proxy server; determining whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transforming the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application; and, if the cookies are not present, forwarding the request to the cloud application by the proxy server for authentication and transforming the cookies subsequent to the authentication prior to sending the cookies to the user.
Claims
What is claimed is:
1. A cloud-based method, comprising: receiving a request from a user for a cloud application at a proxy server located in a distributed security system which is in an external network from the user and an external network from the cloud application, wherein the distributed security system is located between the user and the cloud application; determining whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transforming the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application; and if the cookies are not present, forwarding the request to the cloud application by the proxy server for authentication and transforming the cookies subsequent to the authentication prior to sending the cookies to the user; monitoring for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system; and preventing direct access to the cloud application except through the distributed security system based on the transforming the cookies, wherein the cookies are only accessible through the distributed security system and wherein communication between the user and the distributed security system is secure separate from the cookies.
2. The cloud-based method of claim 1, wherein the proxy server is a transparent proxy between the user and the cloud application acting as a man-in-the-middle.
3. The cloud-based method of claim 1, further comprising: performing the authentication through identity federation mechanisms via the proxy server.
4. The cloud-based method of claim 3, wherein the identity federation comprises the proxy server.
5. The cloud-based method of claim 1, wherein the proxy server is part of the distributed security system comprising a Cloud access security broker, and wherein the transforming the cookies is done via crypto algorithms such that the cloud application or the user cannot un-transform the cookies.
6. The cloud-based method of claim 1, further comprising: preventing access to the cloud application by the proxy server based on a plurality of factors.
7. The cloud-based method of claim 6, wherein the plurality of factors comprise a location of the user, an access level of the user, a device type of the user, and an application type used by the user.
8. A system comprising a proxy server, comprising: a network interface; a data store; a processor communicatively coupled to the network interface and the data store; memory storing instructions that, when executed, cause the processor to: receive a request from a user for a cloud application at the proxy server located in a distributed security system which is in an external network from the user and an external network from the cloud application, wherein the distributed security system is located between the user and the cloud application; determine whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transform the cookies by the proxy server and forward the request with the un-transformed cookies to the cloud application; monitor for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system; if the cookies are not present, forward the request to the cloud application by the proxy server for authentication and transform the cookies subsequent to the authentication prior to sending the cookies to the user; and prevent direct access to the cloud application except through the distributed security system based on the transformed cookies, wherein the cookies are only accessible through the distributed security system and wherein communication between the user and the distributed security system is secure separate from the cookies.
9. The system of claim 8, wherein the system comprises a transparent proxy between the user and the cloud application acting as a man-in-the-middle.
10. The system of claim 8, wherein the memory storing instructions that, when executed, further cause the processor to: forward the request to the cloud application by the proxy server for authentication through an identity federation.
11. The system of claim 10, wherein the identity federation comprises the system.
12. The system of claim 8, wherein the system is part of the distributed security system comprising a Cloud access security broker.
13. The system of claim 8, wherein the memory storing instructions that, when executed, further cause the processor to: prevent access to the cloud application by the proxy server based on a plurality of factors, wherein the plurality of factors comprise a location of the user, an access level of the user, a device type of the user, and an application type used by the user, and wherein transforming the cookies is done via crypto algorithms such that the cloud application or the user cannot un-transform the cookies.
14. A cloud-based security system, comprising: a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security as a Cloud access security broker, and wherein each of the plurality of nodes is located in an external network from the user and an external network from a cloud application, wherein the plurality of nodes are located between the user and the cloud application; wherein each of the plurality of nodes is configured to: receive a request from a user for a cloud application; determine whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transform the cookies by the proxy server and forward the request with the un-transformed cookies to the cloud application; if the cookies are not present, forward the request to the cloud application by the proxy server for authentication and transform the cookies subsequent to the authentication prior to sending the cookies to the user; monitor for data leakage, for policy compliance, and for security threats between the user and the cloud application through the distributed security system; and prevent direct access to the cloud application except through the plurality of nodes based on the transformed cookies, wherein the cookies are only accessible through the plurality of nodes and wherein communication between the user and the plurality of nodes is secure separate from the cookies.
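The abstract and claims describe the mechanism only in words: the inline proxy forwards a cookie-less request to the cloud application for authentication, transforms the cookies the application sets before they reach the user, and on later requests un-transforms them so that only the proxy can ever present the real session to the application. The following Go program is an added illustration of that flow written for this page; it is not code from the patent, its assignee, or any product. The claims say only "crypto algorithms such that the cloud application or the user cannot un-transform the cookies", so the choice of AES-GCM, the `Sealer`, `NewProxy` and `Walkthrough` names, the fixed demo key, the `session` cookie and the `app.example.test` and `proxy.example.test` origins are all this example's assumptions. `Walkthrough` exercises the two proxy hooks on a synthetic, in-memory request and response rather than over the network.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Sealer seals app cookies with AES-GCM under a key only the proxy holds, with the cookie name as associated data.
type Sealer struct{ aead cipher.AEAD }

func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key shared by all proxy nodes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Sealer{aead: aead}, err
}

// Transform: app cookie value -> opaque base64url(nonce || ciphertext || tag).
func (s *Sealer) Transform(name, value string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(s.aead.Seal(nonce, nonce, []byte(value), []byte(name))), nil
}

// Untransform accepts only Transform's output under this key and name; raw, tampered or renamed values fail.
func (s *Sealer) Untransform(name, token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if n := s.aead.NonceSize(); err == nil && len(raw) >= n {
		pt, err := s.aead.Open(nil, raw[:n], raw[n:], []byte(name))
		return string(pt), err
	}
	return "", errors.New("malformed cookie token")
}

// NewProxy un-transforms inbound Cookie headers (dropping any that fail to verify) and transforms outbound Set-Cookie.
func NewProxy(upstream *url.URL, s *Sealer) *httputil.ReverseProxy {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		cookies := r.Cookies()
		r.Header.Del("Cookie")
		for _, c := range cookies {
			if v, err := s.Untransform(c.Name, c.Value); err == nil {
				r.AddCookie(&http.Cookie{Name: c.Name, Value: v})
			}
		}
	}
	rp.ModifyResponse = func(resp *http.Response) error {
		cookies := resp.Cookies()
		resp.Header.Del("Set-Cookie")
		for _, c := range cookies {
			token, err := s.Transform(c.Name, c.Value)
			if err != nil {
				return err
			}
			c.Value, c.Secure, c.HttpOnly = token, true, true
			resp.Header.Add("Set-Cookie", c.String())
		}
		return nil
	}
	return rp
}

const appSession = "app-session-0001" // constructed value the app issues after login

// Walkthrough drives both hooks on a synthetic exchange (no network): the app's Set-Cookie is transformed
// for the user, the user's token is un-transformed for the app, and a forged raw session value is dropped.
func Walkthrough() (userToken, appSeesFromToken, appSeesFromForged string, err error) {
	s, err := NewSealer([]byte("0123456789abcdef0123456789abcdef")) // fixed 32-byte demo key
	if err != nil {
		return
	}
	upstream, _ := url.Parse("https://app.example.test") // constructed cloud-app origin
	rp := NewProxy(upstream, s)
	resp := &http.Response{Header: http.Header{"Set-Cookie": {"session=" + appSession}}}
	if err = rp.ModifyResponse(resp); err != nil {
		return
	}
	userToken = resp.Cookies()[0].Value // the only form of the cookie the user ever sees
	forwarded := func(cookie string) string { // Cookie header the app would receive
		req, _ := http.NewRequest(http.MethodGet, "https://proxy.example.test/", nil)
		req.Header.Set("Cookie", cookie)
		rp.Director(req)
		return req.Header.Get("Cookie")
	}
	appSeesFromToken = forwarded("session=" + userToken)
	appSeesFromForged = forwarded("session=" + appSession) // fails GCM auth: dropped
	return
}
```

Two properties of the claims fall out of this construction. The user only ever holds ciphertext, so presenting it directly to the cloud application fails there, and the application's real session value never leaves the proxy except inside the authenticated token; a client that sends a raw or tampered value through the proxy has it dropped before forwarding, since it does not verify. Binding the cookie name as associated data stops a token issued for one cookie being replayed under another name. What the example leaves out, and a deployment of claim 14's plurality of nodes needs, is the key being shared by every node and rotated (random 96-bit GCM nonces should not be used for more than about 2^32 messages per key), rewriting of the cookie Domain and Path attributes when the proxy is not transparent, and the data-leakage and policy monitoring the claims place in the same inline path.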
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Electricity · mapped topic
Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding · CPC title
using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title
Brokering proxy services · CPC title