Application-based security rights in cloud environments

US9762616B2 · US · B2

Patent metadata

Publication number: US-9762616-B2
Application number: US-201514821707-A
Country: US
Kind code: B2
Filing date: Aug 8, 2015
Priority date: Aug 8, 2015
Publication date: Sep 12, 2017
Grant date: Sep 12, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

This disclosure provides the ability for a cloud application to specify its security requirements, the ability to have those requirements evaluated, e.g., against a specific cloud deployment environment, and the ability to enable the application to control a cloud-based security assurance service to provision additional security technology in the cloud to support deployment (or re-deployment elsewhere) of the application if the environment does not have the necessary topology and security resources deployed. To this end, the application queries the service by passing a set of application-based security rights. If the security capabilities provided by the security assurance service are sufficient or better than the application's security rights, the application functions normally. If, however, the security environment established by the security assurance service is insufficient for the application, the application is afforded one or more remediation options, e.g., issuing a request to upgrade the security environment, or the like.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method to improve a cloud computing environment by enabling enforcement of security service requirements for a cloud application, comprising: deploying a secure application zone for the cloud application, the secure application zone configuring a set of security resources in an automated manner in response to receipt of a specification of a security assurance level, the security assurance level specifying one or more general security requirements in a manner that does not expose at least some specific tooling requirements necessary to implement the security assurance level security requirement; receiving from the cloud application one of: a set of security service requirements specified by the cloud application, and a changed set of security service requirements specified by the cloud application; evaluating the security service requirements received against one of: the set of security resources configured in the secure application zone, and a changed set of security resources configured in the secure application zone; and responsive to a determination that the set of security resources configured in the secure application zone do not meet the security service requirements specified by the cloud application, receiving from the cloud application a request to take a given action that provides an assurance that the security service requirements specified by the cloud application are satisfied, wherein the given action is a remediation action that attempts to meet the security service requirements specified by the cloud application, the remediation action being one of: requesting upgrade or reconfiguration of the set of security resources configured in the secure application zone, requesting transfer of the cloud application to another specific cloud security environment, and requesting transfer of the cloud application to another cloud platform.

2. The method as described in claim 1 wherein the given action temporarily de-activates the cloud application or prevents the cloud application from starting.

3. The method as described in claim 1 wherein the set of security service requirements specified by the cloud application include one of: a generic security level requirement that as specified does not expose at least some specific security resource requirements necessary to implement the security level, one or more specific security resource requirements, and one or more relationship-specific criteria associated with the cloud application.

4. The method as described in claim 3 further including: evaluating the relationship-specific criteria; and responsive to the evaluation, restricting another cloud application from being hosted in association with the cloud application.

5. The method as described in claim 1 wherein evaluating the security service requirements specified by the cloud application against the set of security resources configured in the secure application zone includes: providing a security assurance service with a query that includes the set of security service requirements specified by the cloud application; and receiving from the security assurance service a response that includes the determination.

6. Apparatus, comprising: a processor; computer memory holding computer program instructions executed by the processor to improve a cloud computing environment by enabling enforcement of security service requirements for a cloud application, the computer program instructions comprising program code operative to: deploy a secure application zone for the cloud application, the secure application zone configuring a set of security resources in an automated manner in response to receipt of a specification of a security assurance level, the security assurance level specifying one or more general security requirements in a manner that does not expose at least some specific tooling requirements necessary to implement the security assurance level security requirement; receive from the cloud application one of: a set of security service requirements specified by the cloud application, and a changed set of security service requirements specified by the cloud application; evaluate the security service requirements received against one of: the set of security resources configured in the secure application zone, and a changed set of security resources configured in the secure application zone; and responsive to a determination that the set of security resources configured in the secure application zone do not meet the security service requirements specified by the cloud application, receiving from the cloud application a request to take a given action that provides an assurance that the security service requirements specified by the cloud application are satisfied, wherein the given action is a remediation action that attempts to meet the security service requirements specified by the cloud application, the remediation action being one of: requesting upgrade or reconfiguration of the set of security resources configured in the secure application zone, requesting transfer of the cloud application to another specific cloud security environment, and requesting transfer of the cloud application to another cloud platform.

7. The apparatus as described in claim 6 wherein the given action temporarily de-activates the cloud application or prevents the cloud application from starting.

8. The apparatus as described in claim 6 wherein the set of security service requirements specified by the cloud application include one of: a generic security level requirement that as specified does not expose at least some specific security resource requirements necessary to implement the security level, one or more specific security resource requirements, and one or more relationship-specific criteria associated with the cloud application.

9. The apparatus as described in claim 8 wherein the program code is further operative to: evaluate the relationship-specific criteria; and responsive to the evaluation, restrict another cloud application from being hosted in association with the cloud application.

10. The apparatus as described in claim 6 wherein the program code operative to evaluate the security service requirements specified by the cloud application against the set of security resources configured in the secure application zone is further operative to: provide a security assurance service with a query that includes the set of security service requirements specified by the cloud application; and receive from the security assurance service a response that includes the determination.

11. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to improve a cloud computing environment by enabling enforcement of security service requirements for a cloud application, the computer program instructions comprising program code operative to: deploy a secure application zone for the cloud application, the secure application zone configuring a set of security resources in an automated manner in response to receipt of a specification of a security assurance level, the security assurance level specifying one or more general security requirements in a manner that does not expose at least some specific tooling requirements necessary to implement the security assurance level security requirement; receive from the cloud application one of: a set of security service requirements specified by the cloud application, and a changed set of security service requirements specified by the cloud application; evaluate the security service requ
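The evaluate-then-remediate loop of claims 1 to 5, as an added Python model that is not the patent's or IBM's code: an application passes its security rights (a generic assurance level, specific resource needs, and a co-hosting restriction) to the assurance service, which reports the unmet requirements, and the application then picks one of the claimed remediation actions. The level ordering, resource names and action names are assumptions for illustration.

```python
"""Toy model of the claimed rights evaluation and remediation choice (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed ordering of generic assurance levels; a higher level satisfies any lower demand.
LEVELS = ["low", "medium", "high"]


@dataclass
class SecureZone:
    """What the security assurance service has actually provisioned in a zone."""
    assurance_level: str
    resources: set[str] = field(default_factory=set)   # specific tooling, e.g. "ids"
    tenants: set[str] = field(default_factory=set)     # other apps hosted in the zone


@dataclass
class AppRights:
    """Security service requirements the application passes in its query."""
    assurance_level: str
    resources: set[str] = field(default_factory=set)
    forbidden_cohosts: set[str] = field(default_factory=set)  # relationship-specific criteria


def evaluate(rights: AppRights, zone: SecureZone) -> list[str]:
    """Return the unmet requirements; an empty list means the app may run normally."""
    gaps: list[str] = []
    # Generic level: the zone must be at least as strong as the level the app demands.
    if LEVELS.index(zone.assurance_level) < LEVELS.index(rights.assurance_level):
        gaps.append(f"level:{rights.assurance_level}")
    # Specific resources the app needs that the zone does not provide.
    gaps += [f"resource:{r}" for r in sorted(rights.resources - zone.resources)]
    # Relationship criteria: tenants the app refuses to share a zone with.
    gaps += [f"cohost:{t}" for t in sorted(rights.forbidden_cohosts & zone.tenants)]
    return gaps


def choose_remediation(gaps: list[str], zone_upgradeable: bool,
                       other_envs: list[str], other_platforms: list[str]) -> str:
    """Map a determination to one of the claimed actions (names are assumed)."""
    if not gaps:
        return "run"                         # capabilities are sufficient or better
    if zone_upgradeable:
        return "request_upgrade"             # reconfigure the existing secure zone
    if other_envs:
        return "request_transfer_environment"  # move to another security environment
    if other_platforms:
        return "request_transfer_platform"   # move to another cloud platform
    return "deactivate"                      # claim 2: stay down until requirements are met
```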

Assignees

IBM

Inventors

Classifications

  • Filtering policies (mail message filtering H04L51/212) · CPC title

  • Stateful filtering · CPC title

  • Protecting distributed programs or content, e.g. vending or licensing of copyrighted material (protection in video systems or pay television H04N7/16) {; Digital rights management [DRM]} · CPC title

  • Electricity · mapped topic

  • H04L63/20 · Primary

    for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9762616B2 cover?
This disclosure provides the ability for a cloud application to specify its security requirements, the ability to have those requirements evaluated, e.g., against a specific cloud deployment environment, and the ability to enable the application to control a cloud-based security assurance service to provision additional security technology in the cloud to support deployment (or re-deployment el…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 12, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).