WO2014035692A1 - Network system for implementing a cloud platform - Google Patents
- Publication number: WO2014035692A1 (PCT application PCT/US2013/055355)
- Authority: WO, WIPO (PCT)
- Prior art keywords
- user
- community
- application
- policy
- management module
Classifications
- H04L 63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general (under H04L 63/00, network architectures or network communication protocols for network security)
- H04L 41/5045: Making service definitions prior to deployment (under H04L 41/5041, network service management characterised by the time relationship between creation and deployment of a service, and H04L 41/50, network service management, e.g. ensuring proper service fulfilment according to agreements)
- H04L 41/5096: Network service management based on type of value added network service under agreement, wherein the managed service relates to distributed or central networked applications (under H04L 41/508 and H04L 41/50)
- all three fall under H04L 41/00 or H04L 63/00 within H04L (transmission of digital information, e.g. telegraphic communication), H04 (electric communication technique), H (electricity); H04L 41/00 covers arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
Definitions
- a cloud infrastructure or cloud platform delivers computing as a service to one or more clients.
- a cloud platform may deliver an infrastructure (e.g. storage media), provide software, or make particular computing platforms available to the clients. Therefore, by using cloud platforms it becomes possible to delegate the setting up and maintenance of computing systems to an external provider and thereby to increase significantly the efficiency of the IT (information technology) infrastructure.
- a cloud platform does not merely connect various components as in conventional networks, but instead provides computing services and infrastructures which are independent of the devices used by the clients (or users).
- a user may operate in various contexts, wherein in each of them the user may play a different role and have different responsibilities. These different roles might relate to the personal life of the user, or to the role of a consumer, a parent or a family member.
- a user may act as an employee or a contractor or a customer or supplier.
- the user may use different client devices (personal computers, mobile phones, tablets, etc.) or client devices that utilize remote processing capability (e.g.
- FIG. 1 depicts a network system according to an embodiment of the present invention;
- FIG. 2 demonstrates a cloud environment used by various clients;
- Figs. 3a-c depict further components according to further embodiments;
- FIG. 4 shows a flow diagram implementing a method according to an embodiment;
- FIG. 5 shows a block diagram illustrating a computing device for implementing at least part of the inventive concept.
- the computing environment defines an interface between a user (or one or more user devices) and the cloud platform and thus relates to an abstract notion, in that the computing environment is, in general, not tied to a specific device used by the user. It may, however, be associated with a particular device that the user uses to connect to the cloud platform, while the same computing environment may likewise be used on various different devices.
- a given device may host many different computing environments. Examples of such computing environments are: a Web application (e.g. a browser), a native application, a container, a virtual machine, or BIOS/API. Therefore the computing environment defines the interface through which the user can interact with the cloud platform (network system).
- the present invention solves these problems by providing a network system for implementing a cloud platform within a network to which at least one device, defining one or more computing environments for one or more users, has access.
- the system comprises an application management module to enable access to one or more abstract applications, each abstract application being associated with one or more concrete applications defining implementations of the abstract application for a particular computing environment.
- the system further comprises a community management module to manage one or more communities, each community comprising at least one or more user credentials and at least one abstract application.
- the community defines at least one of the following: one or more policies, one or more management processes, and one or more services, under which the at least one abstract application can be accessed by the one or more users.
- the system further comprises a user enrolment portal to support an enrolment of the one or more users in the one or more communities from the at least one device, and to orchestrate a policy management mechanism to support an enforcement of the policy under which the user has access to the one or more concrete applications from the at least one device or from the one or more computing environments.
- embodiments of the present invention provide a decoupling of client device administration and management, so that these devices, multiple communities (or IT domains) and applications are managed or administrated separately in a multi-tenant environment (cloud platform).
- such multi-tenancy in cloud environments relates to a structure wherein multiple independent users share a common set of infrastructure, platforms, services/applications, or resources in a manner that isolates them from each other securely.
- a user may be a company or an organization but may likewise be a private person, and the device may refer to any of a range of end-user client devices.
- such a cloud platform provides connectivity to be used, for example, by personal computers, tablets, smart phones, or other end-user-connected devices (home entertainment, etc.).
- further examples define decoupled administration models applicable to server blades in a data center or to any distributed connected devices.
- resources of a client device can be shared by multiple independent entities or administrators.
- a container environment, representing a closed software environment protected from other software installed on the device, may be installed.
- the software environment within such a container can be managed from the community management module based on applied policies, by employing, for example, particular software modules which ensure that the policies are correctly applied. Therefore, each such container can be managed by a different (community) administrator, whereas the software environment outside these containers may still be managed by the user itself.
- each of these entities can independently and securely manage and administer its own footprint (e.g. represented by the container environment) on the device (or on the computing environment) in conjunction with the corresponding private or public cloud-based resources.
- these independent client-side footprints that participate in this multi-tenant client-cloud environment are referred to as the “communities” (for example, trust domains or policy domains).
- a community is an independent IT administration domain operated by a provider or an administrator (e.g. an individual private user or a group of industry partners).
- the management of such a multi-tenant client device may relate to controlling the base operating system and/or firmware, or enabling or disabling the device or a device feature (e.g. storing/printing of data). According to embodiments this management is performed from a cloud-based platform and is decoupled or separated from the management of individual communities. This allows, for example, a device manufacturer, distributor or communication service provider to offer and operate device management for their customers while providing them with the choice of which communities they wish to manage or be users of.
- embodiments relate to a cloud-enabled device architecture and a corresponding cloud-based management framework, wherein the cloud-enabled device architecture features independent or isolated containers, independent policy control and a unified user interface.
- this device architecture may, for example, be provided by a device agent (or device module) installed on the device that ensures compliance with the constraints required by the policies defined by the community administrators.
- this cloud platform provides, for example, the following advantages for the cloud-enabled device architecture offered to the end users: (i) the ability to access secure and managed services from a provider (e.g. from an employer, bank or other service provider), while using the same client device for personal use (this eliminates the restriction that a single IT department implements controls for the entire device); (ii) the ability to maintain control over personal data and privacy, while allowing business applications to be managed and monitored by the IT department responsible for protecting these assets; (iii) the ability to choose personal applications and operating systems and access them concurrently on a single device with different business applications and even operating systems.
- the cloud platform provides inter alia the following advantages: (i) the provider can manage, monitor and control business-critical applications without having to manage an entire client device of a user; (ii) the provider can securely manage end-to-end communities of users, devices and business applications in an integrated manner, from the data center to their end users' own devices.
- devices, even end-user personal devices like smart phones, may be managed by an operator or service provider, at least in so far as it is required by the applied policies, while applications are managed by software suppliers, third parties or organizations providing applications for a specific community. Therefore, embodiments provide a simple control of which applications should be deployed to which users and under which security policies.
- the user may still use the device for other purposes without compromising the integrity of the business applications or violating corporate risk management policies, while allowing the user to participate in multiple communities from a single device.
- this network platform provides as a further advantage the possibility that multiple end-to-end isolated communities can be managed independently of the physical hardware used on both ends, i.e. on the provider side and on the end-user side, because the hardware-dependent management is decoupled from the application- and community-dependent management.
- the client devices/computing environments may have the client-side management agent installed, which provides an integrated cloud-based management of the base client software, along with end-user community registration and associated application and security policy deployment.
- the particular community policies to be enforced may, for example, be defined by the community administrator and rely on containment technology on the client side and on a trust model on the cloud platform side or the provider side to provide the cloud platform back end with secure control of the client system software and a management agent. Therefore, a module such as the client-side management agent will be installed on the client device/computing environment, thereby allowing multiple independent community administrators to trust the cloud platform for enforcing multi-tenancy all the way to the end-user devices, for isolating community applications, and for enforcing the respective policies.
- the installed agent on the user device/computing environment handles secure communications with the cloud platform and, in addition, manages user rights, controls containerization of community applications and configures the appropriate policy enforcement points to enforce domain-wide as well as individual community policies.
- the cloud platform is designed to allow a secure distributed deployment of a management back end for an individual community (e.g. inside an enterprise), for those scenarios where such flexibility may be required.
- Fig. 1 depicts a network system 100 for implementing a cloud platform, connected to a network 200 to which at least one device 205, 207 has access, wherein on each of the devices 205, 207 one or more computing environments 206a, 206b for particular purposes are implemented.
- the plurality of user devices 205, 207 are connected to the network 200 by a permanent or temporary communication link, wherein the network 200 (e.g. the internet, mobile phone network, etc.) is configured to provide a connection to the network system 100.
- the one or more computing environments 206a, 206b are installed on the devices, wherein the different computing environments 206a, 206b may be employed in different contexts (e.g. providing different security levels) or for connecting to different communities in the network system 100.
- the network system 100 further comprises an application management module 110 to enable access to one or more abstract applications 112, 114, wherein each abstract application 112 is associated with one or more concrete applications 113a, 113b defining implementations of the one or more abstract applications 112 for the one or more computing environments 206a, 206b on the user device 205 (e.g. the respective application binaries).
- the access to the abstract application 112 may include the access to at least one concrete application 113.
- the application management module 110 may further allow the manipulation of application abstractions at the cloud platform level. For example, an office application is one application which can have different concrete applications (e.g.
- if the abstract application 112 is such an office application, each of the concrete applications may be defined as one of the various implementations of this office application for various operating systems and/or various hardware devices.
- the application management module 110 may also be configured to orchestrate access to, and the operation of, a set of applications.
- the application management module 110 may support the management of various types of applications, and the network system 100 may be configured to support and federate many such management modules for the various types of applications.
- the network system 100 comprises a community management module 120 which is configured to manage one or more communities 122a, 122b, ..., wherein each community 122 is defined at least by the one or more abstract applications 112 and a set of user credentials (e.g. a user ID, user name, role of the user, etc.).
- the access of the user to the abstract application 112 is subject to one or more provisions being met, which are defined for each community 122 and are selected from a group comprising one or more policies, management processes, and services.
- each community 122 may be defined as a managed set of applications.
- the network system 100 comprises a user enrolment portal 130 which is configured to support the enrolment (or registration) of the user in at least one community 122 from the device 205 (or the computing environment 206) and to orchestrate or enable a policy management mechanism to support an enforcement of the one or more policies under which the user has access to the abstract application 112 from the device 205 (or from the computing environment 206).
- the enrolment portal 130 may, upon a community access request from the user from the particular device 205 (or the computing environment 206), map that community's policies to the use of specific policy management modules to enforce those policies on that user's device 205 (or the computing environment 206). This may imply the use of particular device management software, or an application container management, or other constraints depending on policy requirements.
- the enrolment portal 130 may comprise a device connector component to establish the network connection from the device 205 to the network system 100.
- the device connector may identify the type of device and feed this information to a community policy engine.
- the network system 100 may, optionally, be connected to an external storage 310 to store the one or more concrete applications 113 associated with the abstract application 112. Moreover, the network system 100 may, optionally, be connected to one or more community administrators 320, which, upon a further enrolment, connect to the community management module 120 to manage the at least one community 122. For example, at least one community administrator 320a is associated with one particular community 122a to define policies for a respective abstract application 112, management processes, and services related to this particular community 122a, without managing the concrete applications 113 or the hardware used by the user.
- the network system 100 may be configured to enable access to one or more concrete applications 113 and to define one or more policies, wherein the one or more policies may be fixed for the abstract application 112 but vary for the concrete applications 113 associated with the particular abstract application 112. For example, when a particular user uses different devices or different computing environments (e.g. different operating systems), he might be allowed to get access to different concrete applications and, in addition, different policies may be applied to the same user.
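The abstract/concrete application relationship described above, as an added example written for this page (it is not code from the patent): an abstract application carries a policy fixed by the community, each computing environment maps to one concrete application, and a concrete application may only tighten that policy. The application names, environment names, installer identifiers and the three policy flags are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    # Restriction flags a community administrator can set (assumed fields).
    allow_local_storage: bool
    allow_print: bool
    allow_transactions: bool

    def tighten(self, other: "Policy") -> "Policy":
        # A concrete-application override may only tighten the policy fixed
        # for the abstract application, never loosen it.
        return Policy(
            self.allow_local_storage and other.allow_local_storage,
            self.allow_print and other.allow_print,
            self.allow_transactions and other.allow_transactions,
        )


@dataclass
class AbstractApplication:
    name: str
    base_policy: Policy
    # computing environment -> concrete application (e.g. an installer or URL)
    concrete: dict = field(default_factory=dict)
    # concrete application -> additional restrictions for that implementation
    overrides: dict = field(default_factory=dict)


class ApplicationManagementModule:
    """Resolves an abstract application to the concrete application for a
    given computing environment, together with the policy to apply."""

    def __init__(self) -> None:
        self._apps = {}

    def register(self, app: AbstractApplication) -> None:
        self._apps[app.name] = app

    def resolve(self, abstract_name: str, environment: str):
        app = self._apps[abstract_name]
        if environment not in app.concrete:
            # No implementation for this environment: the user gets nothing
            # rather than an implementation the community never approved.
            raise LookupError(f"{abstract_name!r} has no implementation for {environment!r}")
        concrete = app.concrete[environment]
        policy = app.base_policy
        if concrete in app.overrides:
            policy = policy.tighten(app.overrides[concrete])
        return concrete, policy


def build_example_catalogue() -> ApplicationManagementModule:
    # Constructed sample: one abstract "office" application with three
    # concrete implementations; the identifiers are made up.
    office = AbstractApplication(
        name="office",
        base_policy=Policy(allow_local_storage=True, allow_print=True, allow_transactions=True),
        concrete={
            "windows-native": "office-win64-2.3.msi",
            "android-container": "office-android-2.3.apk",
            "browser": "https://office.example.test/app",
        },
        overrides={
            # mobile build: no local copies of community data
            "office-android-2.3.apk": Policy(False, True, True),
            # browser build: no local copies and no printing
            "https://office.example.test/app": Policy(False, False, True),
        },
    )
    amm = ApplicationManagementModule()
    amm.register(office)
    return amm


if __name__ == "__main__":
    amm = build_example_catalogue()
    for env in ("windows-native", "android-container", "browser"):
        print(env, "->", amm.resolve("office", env))
```

The community administrator only ever edits `base_policy` and the per-implementation `overrides`; which binary a device receives is decided by `resolve`, which is the decoupling the description claims. Because `tighten` is a logical AND, an override can never grant a function the abstract policy withholds.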
- the client uses a particular computing environment 206a on the device 205 to connect to the network system 100 via the network 200.
- the enrolment portal 130 may identify the user (for example, based on the user credentials that might be stored on the enrolment portal 130) and the particular computing environment 206a.
- this information may be provided to the community management module 120, which in turn may impose policies to be enforced on the user based upon the user credential and/or the computing environment 206 and/or the particular context.
- the particular context may relate to the time, place or type of connection used to the device 205 (e.g. wireless or not).
- the community management module 120 may forward the policies to be imposed to the application management module 110, which itself allows access to a particular concrete application 113a associated with the particular computing environment 206a of the user. This access is only provided under the policies imposed by the community management module 120.
- the user may download or access the particular concrete application 113a corresponding to its particular computing environment 206a via the user enrolment portal 130 or, optionally, via a separate network connection (not shown in Fig. 1), and may invoke the application only under the particular policy identified by the community management module 120 (e.g. to use particular software on the user device 205/computing environment 206).
- the policy to be enforced depends on the computing environment 206 identified by said enrolment portal 130, so that, when the user uses a different computing environment, a different policy from said plurality of policies is enforced.
- the user enrolment portal 130 may vary the policies to be enforced based upon the computing environment 206 (or the particular device 205) the user uses for accessing the network system 100. For example, if the user uses a Web browser environment on a smart phone connected via a public mobile phone network, the access to remote resources may be more restricted than if the same user uses a virtual software environment within a secure network environment. Therefore, the user enrolment portal 130 and/or the policy management module may be configured to adjust, for a given user, the one or more policies to the computing environment 206 (or device) used by the given user.
- the concrete applications 113 are downloaded from an external storage 310 via the network system 100.
- the network system 100 may comprise several access terminals. For example, one of them may be used by the user enrolment portal 130 to enrol the user and identify the user and its computing environment 206, and another one is used to get access to the concrete application 113 after having mapped the policies under which this particular concrete application 113 can be supplied to the user for the particular computing environment 206.
- Fig. 2 demonstrates a cloud concept, wherein the cloud 400 provides connectivity for several user devices/communities.
- the cloud 400 may be connected to user clients 405a, 405b, to a server blade/data center 406, applications 412, communities (domains) 420a, 420b, a base device 430 and a distributed device 440.
- the multiple users may share a common infrastructure and/or platform and/or services/applications, wherein each entity independently manages its own footprint on a device whose resources are shared with other entities.
- a user device may comprise a container (a particular, closed software environment which is protected from other software installed on the device) such that the enclosed software environment is, for example, managed from the community management module 120 (e.g. via the applied policies and the required device software), whereas the software environment outside the container is still managed by the user itself.
- this personal area may be named “community 0”.
- this cloud concept is realized in embodiments in that users can enroll themselves in a managed domain and create their user accounts, which allows them to log in to their client device, and hence into the domain, and browse a catalogue of available communities.
- the users may join communities they might be interested in and have authentication credentials for.
- a domain administrator can easily pre-register users and their devices/computing environments to mandatory communities and applications.
- the special unmanaged “community 0” supports the user's personal domain, which provides a similar experience to what a user would expect on a typical personal device (personal app store, personal OS, ...) outside of the control of the cloud platform.
- the community administrator may, moreover, allow the domain to enable simple sign-on for users to access community applications based on their domain authentication, rather than having to re-authenticate every time against the specific enterprise directory of the community or the user management system.
- Figs. 3a-c depict further embodiments with further optional components, which may be combined with any of the features and components described before (not all components of the network system 100 are depicted in Figs. 3a, b, c).
- the user device 205 is using a particular computing environment 206 to enrol with the enrolment portal 130.
- the network system 100 comprises in this embodiment a further policy management module 140 (only part of the network system is depicted).
- the policy management module is notified about the user and the computing environment 206.
- the policy management module may request from the community management module 120 information about the applied policy or management processes or allowed services for the user using the particular computing environment 206.
- the policy management module 140 maps the one or more policies to be enforced on behalf of the community on the user.
- the mapped policies are, for example, transmitted to the application management module 110, which provides access to the respective concrete applications to the user under the mapped policies.
- the user enrolment portal 130 is configured to identify the computing environment 206 used by the user to get access to the network system 100, and the user enrolment portal 130 is further configured to notify the policy management module 140 about the identified computing environment 206, and the policy management module 140 is configured to map the policy to be enforced on behalf of the community using the identified computing environment 206.
- Fig. 3b illustrates a further embodiment, wherein this mapping is performed by a mapping module 142 being part of the user enrolment portal 130.
- the policy management is performed in the user enrolment portal 130, which comprises a plurality of policy management modules 140a, 140b, ... and a mapping module 142.
- the mapping module 142 is connectable to the community management module 120 to receive respective instructions for defining the mapping of specific policies to particular users (or user credentials) or to user devices 205 or to computing environments 206.
- this mapping is implemented by assigning a specific policy management module 140a to be used for the user device 205/computing environment 206 to get access to the concrete application 113 provided by the application management module 110.
- the user connects to the network system 100 from its device 205 by using the computing environment 206 and enrols with the user enrolment portal 130.
- the user enrolment portal 130 identifies the user and its computing environment 206 and provides access to the requested concrete application 113 only via a particular policy management module 140a, which is identified by the mapping module 142.
- this particular policy management module 140a ensures the enforcement of the policies as defined by the community management module 120 on the user device 205. Therefore, the community management module 120 or the respective community administrators 320 define the policies to be enforced for the abstract application 112 and submit this information to the mapping module 142, which maps these policies onto the respective concrete applications 113 and the respective users.
- the user will get access to the concrete application 113 only via the particular policy management module 140a, which is connected to the application management module 110 and provides not only the concrete application for the computing environment 206, but also enforces the policies to be applied.
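The mapping step of Fig. 3b, as an added example written for this page rather than code from the patent. It covers two passages together: the context-dependent selection of a policy from the community's plurality of policies (the browser-on-a-smart-phone versus virtual-environment contrast given earlier, plus time and connection type as context), and the assignment of the policy management module that can enforce that policy in the identified computing environment. The environment names, network classes, rule set and module names are assumptions; the community's rules are constructed here in terms of user, environment and context only, which is all the description says an administrator has to supply.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Restriction levels, least to most restrictive (assumed ordering).
LEVELS = ("full", "restricted", "read_only")


@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str           # from the user credentials held by the portal
    environment: str    # browser, native, container or vm
    network: str        # corporate, home or public_mobile
    wireless: bool
    hour: int           # local hour of the request, 0..23


@dataclass(frozen=True)
class PolicyRule:
    name: str
    level: str
    applies: Callable[[AccessContext], bool]


# Policy management module able to enforce policies in each environment
# (assumed mapping). An environment with no entry has no enforcement point.
ENFORCEMENT_MODULE = {
    "container": "container-management",
    "native": "device-management",
    "vm": "vm-agent",
    "browser": "browser-session-policy",
}

# Constructed policies of one community. Several may apply to one request.
COMMUNITY_RULES: List[PolicyRule] = [
    PolicyRule("default", "full", lambda c: True),
    PolicyRule("public-network", "restricted", lambda c: c.network == "public_mobile"),
    PolicyRule("browser-outside-corp", "read_only",
               lambda c: c.environment == "browser" and c.network != "corporate"),
    PolicyRule("out-of-hours", "restricted", lambda c: not 7 <= c.hour < 20),
    PolicyRule("contractor-native", "read_only",
               lambda c: c.role == "contractor" and c.environment == "native"),
]


def map_policy(ctx: AccessContext, rules: List[PolicyRule] = COMMUNITY_RULES
               ) -> Tuple[str, str, Optional[str]]:
    """Return (policy name, restriction level, policy management module).
    When several rules apply, the most restrictive one wins, so a permissive
    default can never override a community restriction. No applicable rule
    at all is treated as an error (fail closed) rather than as full access."""
    matching = [r for r in rules if r.applies(ctx)]
    if not matching:
        raise ValueError("no community policy applies to this request")
    chosen = max(matching, key=lambda r: LEVELS.index(r.level))
    return chosen.name, chosen.level, ENFORCEMENT_MODULE.get(ctx.environment)


if __name__ == "__main__":
    # The two situations contrasted in the description above.
    phone = AccessContext("alice", "employee", "browser", "public_mobile", True, 10)
    vm = AccessContext("alice", "employee", "vm", "corporate", False, 10)
    print(map_policy(phone))   # most restrictive applicable rule wins
    print(map_policy(vm))      # only the default applies
```

A `None` module in the result is the signal the portal needs for the access decision that follows: the policy has been mapped, but there is no policy management module for that environment, so the platform cannot claim the policy is enforced there.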
- Fig. 3c depicts further embodiments, wherein the network system 100 comprises an optional rules engine 150 and/or an optional community administrator portal 160.
- the rules engine 150 is configured to manage entitlements to the concrete applications under a predetermined policy according to one of the following: the user credential, the device 205 and its computing environment 206, and a context of an access request.
- the user may be entitled to use the particular concrete application 113, or to enable particular functions of the concrete application 113, dependent on its position within a company or dependent upon the particular computing environment 206a or particular user device 205 used.
- these particular functions include one or more of the following: to access particular databases, to store or print particular data locally or remotely, or other actions (e.g. to allow financial transactions) to be performed by the user using the user device 205 within the computing environment 206.
- the rules engine 150 may also be part of the user enrolment portal 130 or of the policy management module 140.
- the device connector of the enrolment portal 130 may act as the rules engine 150.
- the community administrator portal 160 is configured to allow individual community administrators 320a, 320b, ... to define the one or more policies and/or to view a community dashboard.
- the community administrator portal 160 provides access to the community management module 120.
- the defined community policies may be associated to applications and particular users by the respective community administrator 320a.
- the dashboard represents, for example, the state of operation/use/security posture of their community.
- the abstract/concrete applications 112 may comprise private applications made available only within one community 122 and public applications 112 made available to multiple communities. These applications may be listed in a catalogue to one or more of the community administrators 320.
- the community administrators 320 do not have to deal with the various user devices 205, 207, ... or with the various concrete applications 113a, 113b, ... for the different computing environments 206a, 206b, .... Instead, they may only need to identify the policies based upon criteria such as the user, their role, the used device or the used computing environment, while delegating the respective consequences for the device-dependent enforcement of these policies, and the particular concrete application to be used, to the other components in the network system 100 (i.e. the user enrolment portal 130 and the application management module 110).
- further embodiments comprise also an encryption module (not shown) to provide a secure, encrypted connection to the user devices 205/computing environments 206 and/or to the community administrators 320.
- the community administrator 320 may impose that a predetermined level of encryption is enabled on the user device 205/computing environment 206, or at least that a predetermined encryption is turned on.
- the enforced policies may further comprise that active intrusion prevention is deployed, and that the device is operated on behalf of the community for community applications alone.
- the user enrolment portal 130 is configured to enrol the user with said multiple communities and/or to enrol the user from multiple types of devices or computing environments.
- the user enrolment portal 130 is further configured to provide access to the abstract application 112 only if the device/computing environment can ensure that the one or more policies are enforced on the device/computing environment or, if not, to deny access or to provide only limited access, wherein particular functions are disabled (e.g. no access to particular information, no transactions are allowed).
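An added example, not the patent's own code, combining the two decisions described above: the rules engine's entitlement to individual functions of a concrete application (database access, local storage, printing, financial transactions) from credential, computing environment and request context, and the enrolment portal's check that grants full access, limited access with functions disabled, or no access, depending on whether the device can ensure the community's policies (container, encryption, intrusion prevention) are enforced. The function names, requirement fields, role names and the agent reports are constructed assumptions; a real device agent would authenticate its report, which this example does not model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Tuple


class Decision(Enum):
    DENY = "deny"
    LIMITED = "limited"
    FULL = "full"


@dataclass(frozen=True)
class AgentReport:
    # What the client-side management agent reports about the device
    # (constructed here; a real agent would authenticate this report).
    container_present: bool
    disk_encryption: bool
    intrusion_prevention: bool


@dataclass(frozen=True)
class CommunityRequirements:
    need_container: bool
    need_encryption: bool
    need_intrusion_prevention: bool
    # functions that may still be used when some requirement is unmet;
    # empty means the community allows no limited mode at all
    limited_functions: FrozenSet[str]


# Functions of the concrete application that entitlements refer to (assumed).
ALL_FUNCTIONS = frozenset({"read", "query_database", "store_local", "print", "transaction"})


def entitlements(role: str, environment: str, network: str) -> FrozenSet[str]:
    """Rules engine: functions the user is entitled to, by role (position in
    the company), computing environment and context of the request."""
    allowed = set(ALL_FUNCTIONS)
    if role != "finance":
        allowed.discard("transaction")          # financial transactions need the role
    if environment == "browser":
        allowed -= {"store_local", "print"}     # no managed local storage in a browser
    if network == "public_mobile":
        allowed.discard("query_database")       # no database access from public networks
    return frozenset(allowed)


def unmet_requirements(req: CommunityRequirements, rep: AgentReport) -> List[str]:
    missing = []
    if req.need_container and not rep.container_present:
        missing.append("container")
    if req.need_encryption and not rep.disk_encryption:
        missing.append("encryption")
    if req.need_intrusion_prevention and not rep.intrusion_prevention:
        missing.append("intrusion_prevention")
    return missing


def decide_access(role: str, environment: str, network: str,
                  req: CommunityRequirements, rep: AgentReport
                  ) -> Tuple[Decision, FrozenSet[str]]:
    """Enrolment portal check: full access when the device can ensure the
    policies are enforced; limited access with functions disabled when a
    requirement is unmet but the community allows it; otherwise deny."""
    granted = entitlements(role, environment, network)
    missing = unmet_requirements(req, rep)
    if not missing:
        return Decision.FULL, granted
    # Without the container there is no isolated footprint in which any
    # community policy could be enforced, so limited mode is not an option.
    if "container" in missing or not req.limited_functions:
        return Decision.DENY, frozenset()
    return Decision.LIMITED, granted & req.limited_functions


if __name__ == "__main__":
    req = CommunityRequirements(True, True, True, frozenset({"read"}))
    print(decide_access("finance", "container", "corporate", req, AgentReport(True, True, True)))
    print(decide_access("employee", "container", "public_mobile", req, AgentReport(True, True, False)))
    print(decide_access("employee", "native", "corporate", req, AgentReport(False, True, True)))
```

Limited access is computed as the intersection of what the user is entitled to and what the community tolerates on a partially compliant device, so a missing control can only remove functions, never add them; and the decision is made before the concrete application is handed out, which is where the description places the enrolment portal's check.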
- the user enrolment portal 130 may further comprise a module to man- age the computing environment 206 which is configured to provide at least one of the following: issue a set of user credentials (e.g. a user identifier as the user name, role of the user), manage the set of user credentials, manage profiles of different devices/computing environment, and register the user.
- a set of user credentials e.g. a user identifier as the user name, role of the user
- manage the set of user credentials e.g. a user identifier as the user name, role of the user
- manage profiles of different devices/computing environment e.g. a user profile of the user
- the user credentials may be managed by the community management module 120.
- the user enrolment portal 130 may further be configured to present the user with a selection (e.g. a list) of the plurality of communities 122 to be accessed by the user under the policies imposed by the community administrator 320. Therefore, the user may enrol for one or more communities 122 from a single device 205/computing environment 206 in that the user selects the particular community 122a from the list to enrol for this particular community 122a.
- Further embodiments (FIG. 1) relate to a network system 100, wherein the application management module 110, the community management module 120 and the user enrolment portal 130 are implemented on separate computing devices connected to each other by the network 200 or a different network.
- the different network may also be a public network such as the internet, but may also be a closed, specifically secured network environment. This separation is made possible because embodiments of the present invention define a decoupling between the respective functions, so that the respective management and enforcement functions are delegated to different modules, which may even run under different operating systems and/or in different computing environments (e.g. they may be spatially separated).
- the function of application management may fall within the responsibility of an application provider
- the function of community management may fall within the responsibility of a content provider or a plurality of independent content providers
- the function of device management may fall within the responsibility of a device manager managing the network system 100.
- Each of these different management functions is performed in an independent and decoupled way, and the functions are only connected insofar as the respective information, data or policies are supplied from one component (or module) to the other components of the network system 100 as needed.
- the cloud platform should provide a protected environment, i.e. there may be some amount of integration to allow this data and these policies to be exchanged securely between the different components.
- Embodiments also relate to a device comprising a device module configured to provide a connection to the network system 100 as described before in order to get access to the concrete application 113, and to enforce the one or more policies on the device 205.
- the device module may include or provide one or more computing environments as application containers to support, for example, Web applications, native applications, virtual machines or virtual appliances, or even firmware applications.
- the computing environments may also be loaded before access to the concrete application is granted.
- a virtualization software environment may be required to enforce policies over an application that is an operating system image or a virtual appliance.
- an application may also be packaged with its own mechanisms to ensure that the community policy is enforced.
- the device may get access to the concrete application only remotely, in that the concrete application is run on a remote computing device so that the computing environment for the concrete application is provided by this remote computing device.
- the user may enrol in parallel in multiple communities, and the enforced policies may ensure that the multiple communities can operate independently, e.g. in that sufficiently secure containers have to be provided by the different computing environments.
- the network system may optionally be configured to enforce simultaneously one or more policies for multiple communities on a given device. Therefore, the user may enrol for different communities at the same time or subsequently, and the network system (e.g. the enrolment portal) will ensure that each of the respective policies for the multiple communities is properly enforced on the given device with one or more computing environments. If the device cannot ensure this, the network system may deny the enrolment to one or more communities or deny the access of the device completely.
- one or more top communities may comprise one or more sub-communities, wherein certain abstract applications may be made available for all sub-communities whereas other applications may be restricted to only one or more sub-communities.
- one or more abstract applications may be defined for the top community. For example, a larger organization comprising various departments may establish one top community with various sub-communities associated with the various departments; each sub-community may have its own specific application, which is accessible via the application of the top community.
- Fig. 4 depicts a flow diagram showing an embodiment of the steps for implementing the method on a cloud platform within a network 200 to which the at least one device 205, defining one or more computing environments 206 for a user, has access.
- This method comprises enabling access to a plurality of abstract applications 112, wherein each abstract application 112 is associated with one or more concrete applications 113 defining implementations of the abstract application 112 for the one or more computing environments 206.
- the method comprises managing at least one community 122, wherein each community 122 is comprised of at least a set of user credentials and a set of abstract applications 112.
- the method further comprises the step of defining, for the community, at least one of the following: a set of policies, management processes, and services, under which said abstract applications 112 can be accessed by the user.
- the method further comprises the step of supporting an enrolment of the user from the device 205 and orchestrating an appropriate policy management mechanism to support an enforcement of the set of policies under which the user has access to the concrete applications 113 from the device 205.
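The gating rules spelled out on this page (access to an abstract application only where the device can enforce the community's policies, otherwise limited or denied access; simultaneous enforcement for several communities on one device; top-community applications shared by sub-communities while sub-community applications stay restricted) and the four method steps of Fig. 4, worked through in one place as an added example. This is not code from the patent or its applicant. Everything in it is an assumption chosen for illustration: the community names, the three policy checks (storage encryption, intrusion prevention and a community-only device, mirroring the policies mentioned earlier on the page), the catalogue mapping abstract applications to concrete ones per computing environment, and the device posture values the enrolment portal is assumed to receive.

```python
# Added example, not code from the patent or its applicant: a minimal model of
# the decoupled policy gating described on this page. Community names, policy
# checks, the application catalogue and the device posture values are all
# constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    check: str                # posture attribute the device must report
    required: object          # value that attribute must have
    disables: tuple = ()      # functions disabled if unmet; empty = deny access
    exclusive: bool = False   # device may be operated for this community alone


@dataclass(frozen=True)
class Community:
    name: str
    apps: frozenset           # abstract applications defined for this community
    policies: tuple = ()
    parent: "Community | None" = None

    def effective_policies(self):
        # a sub-community inherits the top community's policies and adds its own
        inherited = self.parent.effective_policies() if self.parent else ()
        return inherited + self.policies

    def visible_apps(self):
        # top-community apps are available to every sub-community; an app
        # defined for a sub-community stays restricted to that sub-community
        inherited = self.parent.visible_apps() if self.parent else frozenset()
        return inherited | self.apps


# abstract application -> {computing environment: concrete application}
CATALOGUE = {
    "mail":   {"web": "mail-web", "android": "mail-apk", "vm": "mail-appliance"},
    "ledger": {"vm": "ledger-appliance"},
}

# policies of the kind the page mentions: encryption on, intrusion prevention
# on, and a device operated for one community alone
ENCRYPTED = Policy("storage-encryption", "encryption", "on")
IPS = Policy("intrusion-prevention", "ips", "on", disables=("transactions",))
DEDICATED = Policy("community-only-device", "dedicated", True, exclusive=True)

ACME = Community("acme", frozenset({"mail"}), (ENCRYPTED,))
FINANCE = Community("acme/finance", frozenset({"ledger"}), (IPS,), parent=ACME)
SALES = Community("acme/sales", frozenset(), (), parent=ACME)
BANK = Community("bank", frozenset({"ledger"}), (ENCRYPTED, DEDICATED))

# constructed device postures as the enrolment portal might receive them
ANDROID_ENC = {"encryption": "on", "ips": "off", "containers": 2, "dedicated": False}
VM_PLAIN = {"encryption": "off", "ips": "on", "containers": 1, "dedicated": True}
VM_HARDENED = {"encryption": "on", "ips": "on", "containers": 3, "dedicated": True}


def resolve(abstract_app, environment):
    """Concrete implementation of an abstract application for one environment."""
    return CATALOGUE.get(abstract_app, {}).get(environment)


def decide(community, posture):
    """Evaluate one community's policy set against the reported device posture.
    Returns (level, disabled_functions) with level one of full/limited/deny."""
    disabled = set()
    for p in community.effective_policies():
        if posture.get(p.check) == p.required:
            continue
        if not p.disables:                 # hard policy unmet: deny outright
            return "deny", frozenset()
        disabled.update(p.disables)        # soft policy unmet: limited access
    return ("limited" if disabled else "full"), frozenset(disabled)


def enrol(posture, environment, communities):
    """Enrol one device in several communities, enforcing every policy set at
    once. Returns {community name: {level, apps, disabled, reason}}."""
    outcome, granted = {}, []
    for c in communities:
        level, disabled = decide(c, posture)
        owner = next((g.name for g in granted
                      if any(p.exclusive for p in g.effective_policies())), None)
        reason = ""
        if level == "deny":
            reason = "device cannot enforce a required policy"
        elif owner is not None:
            level, reason = "deny", f"device is dedicated to {owner}"
        elif granted and any(p.exclusive for p in c.effective_policies()):
            level, reason = "deny", "community requires a dedicated device"
        elif posture.get("containers", 0) <= len(granted):
            level, reason = "deny", "no isolated container left for this community"
        apps = {}
        if level != "deny":
            granted.append(c)
            apps = {a: resolve(a, environment) for a in sorted(c.visible_apps())
                    if resolve(a, environment) is not None}
        outcome[c.name] = {"level": level, "apps": apps,
                           "disabled": disabled, "reason": reason}
    return outcome


if __name__ == "__main__":
    for name, r in enrol(ANDROID_ENC, "android", [FINANCE, SALES]).items():
        print(name, r["level"], r["apps"], sorted(r["disabled"]), r["reason"])
```

The portal reasons only about communities, policies and posture; which concrete binary a device gets is a separate lookup keyed by computing environment, which is the decoupling the page describes (an Android device enrolled in acme/finance receives the mail app but no ledger implementation, because none exists for that environment). Two caveats a practitioner would add: the posture dictionary here is self-reported, so a real portal should obtain it from something it can verify (a device agent or management backend) before trusting it, and the ordering of communities matters once one of them demands a dedicated device, so the denial reason should be surfaced to the user rather than swallowed.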
- the inventive methods can be implemented in hardware or in software.
- the implementation can be performed using a digital storage medium, in particular a disk or a CD having electronically readable control signals stored thereon, which cooperate with a programmable computer system such that the inventive methods are performed.
- the present invention is, therefore, a computer program product with a program code stored on a machine readable carrier, the program code being operative for performing the inventive methods when the computer program product runs on a computer.
- the inventive methods are, therefore, a computer program having a program code for performing at least one of the inventive methods when the computer program runs on a computer.
- Fig. 5 depicts a digital computer as an example of such hardware, comprising an internal memory 510, a communication interface 520, a processor 530 and at least one input/output device 540, wherein these components are connected by a local bus 550.
- the computing device 500 is configured to load software code portions from the computer program product directly into the internal memory 510 of the digital computer to perform the method steps as depicted in Fig. 4.
- various embodiments of the present invention provide a decoupling of the management of individual client devices (and their system software) from the management of which applications should be available to which users under which policies. This allows multiple independent community or IT administrators to each control their own policies (and thus provide security management) over their own applications (possibly managed by third parties), even on a user device which is not managed by any one of them.
- the inventive decoupled client management makes it possible to design solutions that can seamlessly manage the deployment of the right application binaries and configurations to the right type of device according to policy, without exposing that complexity to the IT administrator (owner of the applications), but whilst allowing them to maintain control of the policy.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Transfer Between Computers (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/424,601 US9571564B2 (en) | 2012-08-31 | 2013-08-16 | Network system for implementing a cloud platform |
JP2015529849A JP2015534669A (en) | 2012-08-31 | 2013-08-16 | Network system for implementing cloud platform |
KR1020157004207A KR20150052010A (en) | 2012-08-31 | 2013-08-16 | Network system for implementing a cloud platform |
EP13832360.5A EP2891073A4 (en) | 2012-08-31 | 2013-08-16 | Network system for implementing a cloud platform |
CN201380045398.4A CN104603770A (en) | 2012-08-31 | 2013-08-16 | Network system for implementing a cloud platform |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/601,050 | 2012-08-31 | ||
US13/601,050 US8935764B2 (en) | 2012-08-31 | 2012-08-31 | Network system for implementing a cloud platform |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014035692A1 true WO2014035692A1 (en) | 2014-03-06 |
Family
ID=50184151
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2013/055355 WO2014035692A1 (en) | 2012-08-31 | 2013-08-16 | Network system for implementing a cloud platform |
Country Status (6)
Country | Link |
---|---|
US (1) | US8935764B2 (en) |
EP (1) | EP2891073A4 (en) |
JP (1) | JP2015534669A (en) |
KR (1) | KR20150052010A (en) |
CN (1) | CN104603770A (en) |
WO (1) | WO2014035692A1 (en) |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9477710B2 (en) * | 2013-01-23 | 2016-10-25 | Microsoft Technology Licensing, Llc | Isolating resources and performance in a database management system |
US9716728B1 (en) * | 2013-05-07 | 2017-07-25 | Vormetric, Inc. | Instant data security in untrusted environments |
US10410155B2 (en) | 2015-05-01 | 2019-09-10 | Microsoft Technology Licensing, Llc | Automatic demand-driven resource scaling for relational database-as-a-service |
US9866592B2 (en) | 2015-09-28 | 2018-01-09 | BlueTalon, Inc. | Policy enforcement system |
US9871825B2 (en) | 2015-12-10 | 2018-01-16 | BlueTalon, Inc. | Policy enforcement for compute nodes |
US10091212B2 (en) | 2016-03-04 | 2018-10-02 | BlueTalon, Inc. | Policy management, enforcement, and audit for data security |
US11157641B2 (en) | 2016-07-01 | 2021-10-26 | Microsoft Technology Licensing, Llc | Short-circuit data access |
US10803190B2 (en) | 2017-02-10 | 2020-10-13 | BlueTalon, Inc. | Authentication based on client access limitation |
US10291602B1 (en) | 2017-04-12 | 2019-05-14 | BlueTalon, Inc. | Yarn rest API protection |
US10250723B2 (en) | 2017-04-13 | 2019-04-02 | BlueTalon, Inc. | Protocol-level identity mapping |
US10491635B2 (en) | 2017-06-30 | 2019-11-26 | BlueTalon, Inc. | Access policies based on HDFS extended attributes |
US11146563B1 (en) | 2018-01-31 | 2021-10-12 | Microsoft Technology Licensing, Llc | Policy enforcement for search engines |
US11005889B1 (en) | 2018-02-02 | 2021-05-11 | Microsoft Technology Licensing, Llc | Consensus-based policy management |
US11790099B1 (en) | 2018-02-09 | 2023-10-17 | Microsoft Technology Licensing, Llc | Policy enforcement for dataset access in distributed computing environment |
KR102212806B1 (en) * | 2019-03-28 | 2021-02-08 | (주)한국아이티평가원 | Cloud-based application usage management system and method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100325710A1 (en) * | 2009-06-19 | 2010-12-23 | Etchegoyen Craig S | Network Access Protection |
US20110231899A1 (en) * | 2009-06-19 | 2011-09-22 | ServiceMesh Corporation | System and method for a cloud computing abstraction layer |
US20110307946A1 (en) * | 2010-06-11 | 2011-12-15 | Israel Hilerio | Creating and Launching a Web Application with Credentials |
US20120110059A1 (en) * | 2010-10-29 | 2012-05-03 | Microsoft Corporation | Unified policy over heterogenous device types |
US20120198512A1 (en) * | 2011-01-28 | 2012-08-02 | F5 Networks, Inc. | System and method for combining an access control system with a traffic management system |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001344033A (en) * | 2000-05-31 | 2001-12-14 | Yuasa Kensetsu Kikai Hanbai Kk | Application service system |
JP2006268116A (en) * | 2005-03-22 | 2006-10-05 | Canon Inc | Content management system and content management method |
WO2008050512A1 (en) * | 2006-09-29 | 2008-05-02 | Nec Corporation | Start control device, method, and program |
US20120005724A1 (en) | 2009-02-09 | 2012-01-05 | Imera Systems, Inc. | Method and system for protecting private enterprise resources in a cloud computing environment |
US8725819B2 (en) * | 2009-03-23 | 2014-05-13 | Sony Corporation | Chat system, server device, chat method, chat execution program, storage medium stored with chat execution program, information processing unit, image display method, image processing program, storage medium stored with image processing program |
US20110258461A1 (en) | 2010-04-16 | 2011-10-20 | Twinstrata, Inc | System and method for resource sharing across multi-cloud arrays |
US20110276885A1 (en) | 2010-05-04 | 2011-11-10 | Qwest Communications International Inc. | Multi-client local network base station |
US8909053B2 (en) | 2010-06-24 | 2014-12-09 | Hewlett-Packard Development Company, L.P. | Tenant isolation in a multi-tenant cloud system |
US8554917B2 (en) | 2010-08-20 | 2013-10-08 | International Business Machines Corporation | Performance isolation for storage clouds |
US8812627B2 (en) | 2010-08-20 | 2014-08-19 | Adobe Systems Incorporated | System and method for installation and management of cloud-independent multi-tenant applications |
WO2012100092A2 (en) * | 2011-01-19 | 2012-07-26 | Servicemesh, Inc. | System and method for a cloud computing abstraction layer with security zone facilities |
2012
- 2012-08-31 US US13/601,050 patent/US8935764B2/en active Active
2013
- 2013-08-16 JP JP2015529849A patent/JP2015534669A/en active Pending
- 2013-08-16 EP EP13832360.5A patent/EP2891073A4/en not_active Withdrawn
- 2013-08-16 WO PCT/US2013/055355 patent/WO2014035692A1/en active Application Filing
- 2013-08-16 CN CN201380045398.4A patent/CN104603770A/en active Pending
- 2013-08-16 KR KR1020157004207A patent/KR20150052010A/en not_active Application Discontinuation
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100325710A1 (en) * | 2009-06-19 | 2010-12-23 | Etchegoyen Craig S | Network Access Protection |
US20110231899A1 (en) * | 2009-06-19 | 2011-09-22 | ServiceMesh Corporation | System and method for a cloud computing abstraction layer |
US20110307946A1 (en) * | 2010-06-11 | 2011-12-15 | Israel Hilerio | Creating and Launching a Web Application with Credentials |
US20120110059A1 (en) * | 2010-10-29 | 2012-05-03 | Microsoft Corporation | Unified policy over heterogenous device types |
US20120198512A1 (en) * | 2011-01-28 | 2012-08-02 | F5 Networks, Inc. | System and method for combining an access control system with a traffic management system |
Non-Patent Citations (1)
Title |
---|
See also references of EP2891073A4 * |
Also Published As
Publication number | Publication date |
---|---|
KR20150052010A (en) | 2015-05-13 |
CN104603770A (en) | 2015-05-06 |
US8935764B2 (en) | 2015-01-13 |
EP2891073A4 (en) | 2016-04-27 |
US20140068699A1 (en) | 2014-03-06 |
JP2015534669A (en) | 2015-12-03 |
EP2891073A1 (en) | 2015-07-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2891073A1 (en) | Network system for implementing a cloud platform | |
US11720338B2 (en) | Cloud service automation of common image management | |
US11347560B2 (en) | Secure service isolation between instances of cloud products using a SaaS model | |
CN109565505B (en) | Tenant self-service troubleshooting for multi-tenant identity and data security management cloud services | |
US10484331B1 (en) | Security appliance provisioning | |
US10326845B1 (en) | Multi-layer application management architecture for cloud-based information processing systems | |
US9866547B2 (en) | Controlling a discovery component, within a virtual environment, that sends authenticated data to a discovery engine outside the virtual environment | |
US20190034652A1 (en) | Scrubbing Log Files Using Scrubbing Engines | |
US10542048B2 (en) | Security compliance framework usage | |
US11354300B2 (en) | Mobile auditable and tamper-resistant digital-system usage tracking and analytics | |
CA3073068C (en) | Wrapping continuation tokens to support paging for multiple servers across different geolocations | |
US11296952B2 (en) | System and method for on-demand network communication | |
WO2022147188A1 (en) | Integrated authentication and authorization for cloud data lakes | |
US9571564B2 (en) | Network system for implementing a cloud platform | |
US11023619B2 (en) | Binding a hardware security module (HSM) to protected software | |
Nwobodo | Cloud computing: Models, services, utility, advantages, security issues, and prototype | |
US9843605B1 (en) | Security compliance framework deployment | |
Modi | Azure for Architects: Implementing cloud design, DevOps, containers, IoT, and serverless solutions on your public cloud | |
US20230195493A1 (en) | Virtual device enrollment and management | |
Brinkhoff et al. | Mastering Microsoft Endpoint Manager: Deploy and Manage Windows 10, Windows 11, and Windows 365 on Both Physical and Cloud PCs | |
Udayakumar et al. | Designing and Deploying AVD Solution | |
Roman et al. | Global Journal on Technology |
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13832360; Country of ref document: EP; Kind code of ref document: A1
| ENP | Entry into the national phase | Ref document number: 20157004207; Country of ref document: KR; Kind code of ref document: A
| REEP | Request for entry into the european phase | Ref document number: 2013832360; Country of ref document: EP
| WWE | Wipo information: entry into national phase | Ref document number: 2013832360; Country of ref document: EP
| ENP | Entry into the national phase | Ref document number: 2015529849; Country of ref document: JP; Kind code of ref document: A
| WWE | Wipo information: entry into national phase | Ref document number: 14424601; Country of ref document: US
| NENP | Non-entry into the national phase | Ref country code: DE