Patent Issued for Secure service isolation between instances of cloud products using a SaaS model (USPTO 11347560): ForgeRock Inc.

2022 JUN 22 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- ForgeRock Inc. (San Francisco, California, United States) has been issued patent number 11347560, according to news reporting originating out of Alexandria, Virginia, by NewsRx editors.

The patent’s inventors are Croteau, Beau (Bay Shore, NY, US), Culp, Scott (Bellevue, WA, US), White, Steve (Battle Ground, WA, US).

This patent was filed on October 12, 2020 and was published online on May 31, 2022.

From the background information supplied by the inventors, news correspondents obtained the following quote: “The subject matter discussed in this section should not be assumed to be prior art merely as a result of its mention in this section. Similarly, a problem mentioned in this section or associated with the subject matter provided as background should not be assumed to have been previously recognized in the prior art. The subject matter in this section merely represents different approaches, which in and of themselves can also correspond to implementations of the claimed technology.

“Businesses depend on computing systems to survive, and enterprise companies often utilize software as a service (SaaS) solutions in the cloud instead of installing servers within the corporate network to deliver services. According to International Data Corporation, almost half of all information technology (IT) spending will be cloud-based in 2018, “reaching 60% of all IT infrastructures and 60-70% of all software, services and technology spending by 2020.”

“Customer data and information created and stored in the cloud is an attractive target for attackers. The service provider for a SaaS app is an important attack vector, so it is especially useful to protect data from the service provider itself. Two attack scenarios to consider include onslaughts from an attacker who compromises the service provider in order to obtain access to the cloud service data, and a second potential strike by an employee of the service provider who already has access. Consequently, a need exists for secure authentication and authorization for customers who utilize cloud-based services, and for isolation of customer data, even from the service provider itself of secure authentications and authorizations.

“An opportunity arises to enable organizations to build trusted relationships with people, services and things, utilizing an identity management service delivered via a SaaS model, to run an identity management instance under sovereign control of the organization. The customer can also pull maintenance updates for the organization’s identity management instance from the identity management service provider without exposing data secured by the customer organization to the service provider.”

Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “The following detailed description is made with reference to the figures. Sample implementations are described to illustrate the technology disclosed, not to limit its scope, which is defined by the claims. Those of ordinary skill in the art will recognize a variety of equivalent variations on the description that follows.

“As more and more essential services like banking and commerce move to the cloud, more of people’s personal data and financial instruments, such as credit cards, are housed in the cloud but these same capabilities make the cloud an attractive target for attackers trying to spread malware and carry out other malicious activity. SaaS solutions offer many business applications, including office software for documents, presentations, worksheets, databases, charts, graphs, digital paintings, electronic music and digital video. Additional SaaS services include messaging software, payroll processing software, DBMS software, management software, CAD software, development software, gamification, virtualization, accounting, customer relationship management (CRM), Management Information Systems (MIS), enterprise resource planning (ERP), invoicing, human resource management (HRM), talent acquisition, learning management, content management (CM), Geographic Information Systems (GIS) and service desk management. In one example, customers regularly create, edit and save files via Microsoft Office 365 and Google Apps, among others, in a cloud environment.

“When enterprise companies utilize SaaS solutions to deliver services, they need to be able to protect the private data of their customers in the cloud environment. For the disclosed technology described, when a new customer registers for SaaS, the cloud service creates a new customer environment for the customer. Before the new tenant can begin to use the new customer environment, security resources must be provisioned. Although a straightforward way to provide customer identity and access management would be for the cloud service that creates the new customer environment to provision security resources, this approach would create a point of potential compromise. Inadvertently or through an attacker’s directions, the cloud service that creates the new customer environment might retain information such as service account credentials, decryption keys, etc.

“The disclosed technology is implemented in a cloud service that offers identity and access management services as a SaaS model in the cloud. In that service, every customer’s identity management instance has the services it needs at hand, and the instance controls them, thus transforming the way organizations build trusted relationships. The disclosed technology includes pulling up the drawbridge before the customer’s private data is accessible to even the identity and access management services, to secure the data of the customer’s users. The customer environments’ locus of control is internal. Nothing outside the instance has administrative control over the instance. In one example of using the disclosed technology, a bank may utilize identity and access management (IAM) while shielding the private data of each customer of the bank from the IAM provider as well as from other potential attackers. Identity and access management (IAM) refers to authentication of a user along with confirmation that the user is authorized to access the data they request. The disclosed technology delivers a sovereign instance of a cloud service, in this case identity management (IDM) and access management (AM) and the data services that support those functions, as a product referred to as FR-IDM in this application. In another use case, the disclosed security model could also support a cloud service that provides a different service, such as online games instead of identity and access management services.

“The disclosed identity cloud creates a new customer environment by deploying a vanilla cloud-based computing cluster project with the needed APIs enabled, and then launching a bootstrapper of the security infrastructure for the project configures the cloud-based identity and access management components and then launches a manager that tends to the health of the customer’s identity management instance moving forward. This cloud-based digital identity management service addresses stringent regulations for privacy and consent, including General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Open Banking, etc. for storing data securely, as well as enabling the monetization of customer relationships.”

The claims supplied by the inventors are:

“1. A computer-implemented method of initializing an identity management instance using a software as a service (abbreviated SaaS) model in a project implemented on a cloud-based computing service, including: at a first time, running a SaaS cluster configuration engine that links a service provider for SaaS identity management to set configuration parameters for the project implemented on the cloud-based computing service and initializing the project in which an identity management instance will be built, then removing authorization of the SaaS cluster configuration engine to access to the project, including removing access to set the configuration parameters; at a second time following the first time, running a SaaS identity management infrastructure builder autonomously, without the service provider having access to the builder, to build the identity management instance in the project; and after the identity management instance is built, delivering identity management services.

“2. The computer-implemented method of claim 1, further including a customer organization controlling installation of maintenance updates, from the service provider, to the identity management instance delivering identity management services.

“3. The computer-implemented method of claim 1, further including the SaaS identity management infrastructure builder locking down and securing the project in which an identity management instance is built.

“4. The computer-implemented method of claim 1, wherein the cloud-based computing service is one of Google Cloud Platform (abbreviated GCP), Amazon Web Services (abbreviated AWS) or Microsoft Azure Virtual Platform.

“5. The computer-implemented method of claim 1, wherein the identity management instance provides authentication and authorization services to customers.

“6. The computer-implemented method of claim 1, further including the identity management instance delivering identity management services to end user apps visiting a customer’s web site.

“7. The computer-implemented method of claim 1, further including the identity management instance delivering identity management services to a customer’s web site that is in communication with the identity management instance running in the project.

“8. The computer-implemented method of claim 1, further including: the service provider for SaaS identity management utilizing a “break glass” scenario for accessing escrowed project access credentials, stored on a different platform than the cloud-based computing service, at a time when a customer organization requests support that requires access to the project and/or configuration parameters of the project; and generating one or more notices to the customer organization and a security administrator for the service provider that the “break glass” scenario has been invoked.

“9. The computer-implemented method of claim 8, wherein at least two people must collaborate with the service provider for SaaS identity management to retrieve the credentials for the customer organization.

“10. A tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors cause the processors to implement a method of initializing an identity management instance using a software as a service (abbreviated SaaS) model in a project implemented on a cloud-based computing service, the method including: at a first time, running a SaaS cluster configuration engine that links a service provider for SaaS identity management to set configuration parameters for the project implemented on the cloud-based computing service and initializing the project in which an identity management instance will be built, then removing authorization of the SaaS cluster configuration engine to access to the project, including removing access to set the configuration parameters; at a second time following the first time, running a SaaS identity management infrastructure builder autonomously, without the service provider having access to the builder, to build the identity management instance in the project; and after the identity management instance is built, delivering identity management services.

“11. The tangible non-transitory computer readable storage media of claim 10, further including a customer organization controlling installation of maintenance updates, from the service provider, to the identity management instance delivering identity management services.

“12. The tangible non-transitory computer readable storage media of claim 10, further including the SaaS identity management infrastructure builder locking down and securing the project in which an identity management instance is built.

“13. The tangible non-transitory computer readable storage media of claim 10, wherein the cloud-based computing service is one of Google Cloud Platform (abbreviated GCP), Amazon Web Services (abbreviated AWS) or Microsoft Azure Virtual Platform.

“14. The tangible non-transitory computer readable storage media of claim 10, wherein the identity management instance provides authentication and authorization services to customers.

“15. The tangible non-transitory computer readable storage media of claim 10, further including the identity management instance delivering identity management services to end user apps visiting a customer’s web site.

“16. The tangible non-transitory computer readable storage media of claim 10, further including the identity management instance delivering identity management services to a customer’s web site that is in communication with the identity management instance running in the project.

“17. The tangible non-transitory computer readable storage media of claim 10, further including: the service provider for SaaS identity management utilizing a “break glass” scenario for accessing escrowed project access credentials, stored on a different platform than the cloud-based computing service, at a time when a customer organization requests support that requires access to the project and/or configuration parameters of the project; and generating one or more notices to the customer organization and a security administrator for the service provider that the “break glass” scenario has been invoked.

“18. The tangible non-transitory computer readable storage media of claim 17, wherein at least two people must collaborate with the service provider for SaaS identity management to retrieve the credentials for the customer organization.

“19. A system for initializing an identity management instance using a software as a service (abbreviated SaaS) model in a project implemented on a cloud-based computing service, the system including a processor, memory coupled to the processor and computer instructions from the non-transitory computer readable storage media of claim 10 loaded into the memory.

“20. The system of claim 19, further including a customer organization controlling installation of maintenance updates, from the service provider, to the identity management instance delivering identity management services.

“21. The system of claim 19, further including the SaaS identity management infrastructure builder locking down and securing the project in which an identity management instance is built.

“22. The system of claim 19, further including the identity management instance delivering identity management services to end user apps visiting a customer’s web site.

“23. The system of claim 19, further including the identity management instance delivering identity management services to a customer’s web site that is in communication with the identity management instance running in the project.

“24. A computer-implemented method of initializing a secure application instance isolated from malicious code and interacting with a server, the initializing managed using a software as a service (abbreviated SaaS) model in a project implemented on a cloud-based computing service, including: at a first time, running a SaaS cluster configuration engine that links a service provider for SaaS service to set configuration parameters for the project implemented on the cloud-based computing service and initializing the project in which the secure application instance will be built, then removing authorization of the SaaS cluster configuration engine to access to the project, including removing access to set the configuration parameters; at a second time following the first time, running a SaaS service infrastructure builder autonomously, without the service provider having access to the builder, to build the secure application instance in the project; and after the secure application instance is built, delivering secure application services for interacting with the server.

“25. The computer-implemented method of claim 24, further including a customer organization controlling installation of maintenance updates, from the service provider, to the secure application instance delivering identity management services.”

For the URL and additional information on this patent, see: Croteau, Beau. Secure service isolation between instances of cloud products using a SaaS model. U.S. Patent Number 11347560, filed October 12, 2020, and published online on May 31, 2022. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=11347560.PN.&OS=PN/11347560RS=PN/11347560

(Our reports deliver fact-based news of research and discoveries from around the world.)