Patent Issued for Secure service isolation between instances of cloud products using a SaaS model (USPTO 11720410): Forgerock Inc. - Insurance News | InsuranceNewsNet

Insurance Daily News

2023 AUG 30 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- Forgerock Inc. (San Francisco, California, United States) has been issued patent number 11720410, according to news reporting originating out of Alexandria, Virginia, by NewsRx editors.

The patent’s inventors are Croteau, Beau (Bay Shore, NY, US), Culp, Scott (Bellevue, WA, US), White, Steve (Battle Ground, WA, US).

This patent was filed on December 14, 2021 and was published online on August 8, 2023.

From the background information supplied by the inventors, news correspondents obtained the following quote: “The subject matter discussed in this section should not be assumed to be prior art merely as a result of its mention in this section. Similarly, a problem mentioned in this section or associated with the subject matter provided as background should not be assumed to have been previously recognized in the prior art. The subject matter in this section merely represents different approaches, which in and of themselves can also correspond to implementations of the claimed technology.

“Businesses depend on computing systems to survive, and enterprise companies often utilize software as a service (SaaS) solutions in the cloud instead of installing servers within the corporate network to deliver services. According to International Data Corporation, almost half of all information technology (IT) spending will be cloud-based in 2018, “reaching 60% of all IT infrastructures and 60-70% of all software, services and technology spending by 2020.”

“Customer data and information created and stored in the cloud is an attractive target for attackers. The service provider for a SaaS app is an important attack vector, so it is especially useful to protect data from the service provider itself. Two attack scenarios to consider include onslaughts from an attacker who compromises the service provider in order to obtain access to the cloud service data, and a second potential strike by an employee of the service provider who already has access. Consequently, a need exists for secure authentication and authorization for customers who utilize cloud-based services, and for isolation of customer data, even from the service provider itself of secure authentications and authorizations.

“An opportunity arises to enable organizations to build trusted relationships with people, services and things, utilizing an identity management service delivered via a SaaS model, to run an identity management instance under sovereign control of the organization. The customer can also pull maintenance updates for the organization’s identity management instance from the identity management service provider without exposing data secured by the customer organization to the service provider.”

Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “The following detailed description is made with reference to the figures. Sample implementations are described to illustrate the technology disclosed, not to limit its scope, which is defined by the claims. Those of ordinary skill in the art will recognize a variety of equivalent variations on the description that follows.

“As more and more essential services like banking and commerce move to the cloud, more of people’s personal data and financial instruments, such as credit cards, are housed in the cloud but these same capabilities make the cloud an attractive target for attackers trying to spread malware and carry out other malicious activity. SaaS solutions offer many business applications, including office software for documents, presentations, worksheets, databases, charts, graphs, digital paintings, electronic music and digital video. Additional SaaS services include messaging software, payroll processing software, DBMS software, management software, CAD software, development software, gamification, virtualization, accounting, customer relationship management (CRM), Management Information Systems (MIS), enterprise resource planning (ERP), invoicing, human resource management (HRM), talent acquisition, learning management, content management (CM), Geographic Information Systems (GIS) and service desk management. In one example, customers regularly create, edit and save files via Microsoft Office 365 and Google Apps, among others, in a cloud environment.

“When enterprise companies utilize SaaS solutions to deliver services, they need to be able to protect the private data of their customers in the cloud environment. For the disclosed technology described, when a new customer registers for SaaS, the cloud service creates a new customer environment for the customer. Before the new tenant can begin to use the new customer environment, security resources must be provisioned. Although a straightforward way to provide customer identity and access management would be for the cloud service that creates the new customer environment to provision security resources, this approach would create a point of potential compromise. Inadvertently or through an attacker’s directions, the cloud service that creates the new customer environment might retain information such as service account credentials, decryption keys, etc.

“The disclosed technology is implemented in a cloud service that offers identity and access management services as a SaaS model in the cloud. In that service, every customer’s identity management instance has the services it needs at hand, and the instance controls them, thus transforming the way organizations build trusted relationships. The disclosed technology includes pulling up the drawbridge before the customer’s private data is accessible to even the identity and access management services, to secure the data of the customer’s users. The customer environments’ locus of control is internal. Nothing outside the instance has administrative control over the instance. In one example of using the disclosed technology, a bank may utilize identity and access management (IAM) while shielding the private data of each customer of the bank from the IAM provider as well as from other potential attackers. Identity and access management (IAM) refers to authentication of a user along with confirmation that the user is authorized to access the data they request. The disclosed technology delivers a sovereign instance of a cloud service, in this case identity management (IDM) and access management (AM) and the data services that support those functions, as a product referred to as FR-IDM in this application. In another use case, the disclosed security model could also support a cloud service that provides a different service, such as online games instead of identity and access management services.

“The disclosed identity cloud creates a new customer environment by deploying a vanilla cloud-based computing cluster project with the needed APIs enabled, and then launching a bootstrapper of the security infrastructure for the project configures the cloud-based identity and access management components and then launches a manager that tends to the health of the customer’s identity management instance moving forward. This cloud-based digital identity management service addresses stringent regulations for privacy and consent, including General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Open Banking, etc. for storing data securely, as well as enabling the monetization of customer relationships.”

The claims supplied by the inventors are:

“1. A computer-implemented method of initializing an application instance using a software as a service (abbreviated SaaS) model in a project implemented on a cloud-based computing service, including: at a first time, running a SaaS cluster configuration engine that enables a service provider for a SaaS application to set configuration parameters for the project implemented on the cloud-based computing service and initializing the project in which an application instance will be built, then removing authorization of the SaaS cluster configuration engine to access to the project, including removing access to set the configuration parameters; at a second time following the first time, running a SaaS application infrastructure builder autonomously, without the service provider having access to the builder, to build the application instance in the project; and after the application instance is built, delivering application services.

“2. The computer-implemented method of claim 1, further including a customer organization controlling installation of maintenance updates, from the service provider, to the application instance delivering application services.

“3. The computer-implemented method of claim 1, further including the SaaS application infrastructure builder locking down and securing the project in which an application instance is built.

“4. The computer-implemented method of claim 1, wherein the cloud-based computing service is one of Google Cloud Platform (abbreviated GCP), Amazon Web Services (abbreviated AWS) or Microsoft Azure Virtual Platform.

“5. The computer-implemented method of claim 1, wherein the application instance provides isolated code and data management services to customers.

“6. The computer-implemented method of claim 1, further including the application instance delivering application services to end user apps visiting a customer’s web site.

“7. The computer-implemented method of claim 1, further including the application instance delivering application services to a customer’s web site that is in communication with the application instance running in the project.

“8. The computer-implemented method of claim 1, further including: the service provider for the SaaS application utilizing a “break glass” scenario for accessing escrowed project access credentials, stored on a different platform than the cloud-based computing service, at a time when a customer organization requests support that requires access to the project and/or configuration parameters of the project; and generating one or more notices to the customer organization and a security administrator for the service provider that the “break glass” scenario has been invoked.

“9. The computer-implemented method of claim 8, wherein at least two people must collaborate with the service provider for the SaaS application to retrieve the credentials for the customer organization.

“10. A tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors cause the processors to implement a method of initializing an application instance using a software as a service (abbreviated SaaS) model in a project implemented on a cloud-based computing service, the method including: at a first time, running a SaaS cluster configuration engine that enables a service provider for a SaaS application to set configuration parameters for the project implemented on the cloud-based computing service and initializing the project in which an application instance will be built, then removing authorization of the SaaS cluster configuration engine to access to the project, including removing access to set the configuration parameters; at a second time following the first time, running a SaaS application infrastructure builder autonomously, without the service provider having access to the builder, to build the application instance in the project; and after the application instance is built, delivering application services.

“11. The tangible non-transitory computer readable storage media of claim 10, further including a customer organization controlling installation of maintenance updates, from the service provider, to the application instance delivering application services.

“12. The tangible non-transitory computer readable storage media of claim 10, further including the SaaS application infrastructure builder locking down and securing the project in which an application instance is built.

“13. The tangible non-transitory computer readable storage media of claim 10, wherein the cloud-based computing service is one of Google Cloud Platform (abbreviated GCP), Amazon Web Services (abbreviated AWS) or Microsoft Azure Virtual Platform.

“14. The tangible non-transitory computer readable storage media of claim 10, wherein the application instance provides isolated code and data management services to customers.

“15. The tangible non-transitory computer readable storage media of claim 10, further including the application instance delivering application services to end user apps visiting a customer’s web site.

“16. The tangible non-transitory computer readable storage media of claim 10, further including the application instance delivering application services to a customer’s web site that is in communication with the application instance running in the project.

“17. The tangible non-transitory computer readable storage media of claim 10, further including: the service provider for SaaS application utilizing a “break glass” scenario for accessing escrowed project access credentials, stored on a different platform than the cloud-based computing service, at a time when a customer organization requests support that requires access to the project and/or configuration parameters of the project; and generating one or more notices to the customer organization and a security administrator for the service provider that the “break glass” scenario has been invoked.

“18. The tangible non-transitory computer readable storage media of claim 17, wherein at least two people must collaborate with the service provider for SaaS application to retrieve the credentials for the customer organization.

“19. A system for initializing an application instance using a software as a service (abbreviated SaaS) model in a project implemented on a cloud-based computing service, the system including a processor, memory coupled to the processor and computer instructions from the non-transitory computer readable storage media of claim 10 loaded into the memory.

“20. The system of claim 19, further including a customer organization controlling installation of maintenance updates, from the service provider, to the application instance delivering application services.

“21. The system of claim 19, further including the SaaS application infrastructure builder locking down and securing the project in which an application instance is built.

“22. The system of claim 19, further including the application instance delivering application services to end user apps visiting a customer’s web site.

“23. The system of claim 19, further including the application instance delivering application services to a customer’s web site that is in communication with the application instance running in the project.

“24. A computer-implemented method of initializing a secure application instance isolated from malicious code and interacting with a server, the initializing managed using a software as a service (abbreviated SaaS) model in a project implemented on a cloud-based computing service, including: at a first time, running a SaaS cluster configuration engine that enables a service provider for a SaaS service to set configuration parameters for the project implemented on the cloud-based computing service and initializing the project in which the secure application instance will be built, then removing authorization of the SaaS cluster configuration engine to access to the project, including removing access to set the configuration parameters; at a second time following the first time, running a SaaS service infrastructure builder autonomously, without the service provider having access to the builder, to build the secure application instance in the project; and after the secure application instance is built, delivering secure application services for interacting with the server.

“25. The computer-implemented method of claim 24, further including a customer organization controlling installation of maintenance updates, from the service provider, to the secure application instance delivering application services.”
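
The two controls the claims describe (the configuration engine losing its access after initialization in claim 1, and the two-person, notified "break glass" path in claims 8 and 9) can be audited from the customer side. The following is an added example, not code from the patent or from ForgeRock; the principal names, role names, policy layout and record fields are all hypothetical and the sample data is constructed.

```python
"""Audit sketch for the lifecycle in claims 1, 8 and 9 (constructed data)."""

# Hypothetical principals; none of these names come from the patent.
CONFIG_ENGINE = "serviceAccount:config-engine@provider.example"
BUILDER = "serviceAccount:builder@customer-project.example"

# Constructed policy snapshots: a list of role bindings, each with members.
POLICY_AFTER_BOOTSTRAP = [
    {"role": "roles/owner", "members": [BUILDER]},
    {"role": "roles/viewer", "members": ["group:admins@customer.example"]},
]
# Same project, but the configuration engine's grant was never removed.
POLICY_LEAKY = POLICY_AFTER_BOOTSTRAP + [
    {"role": "roles/editor", "members": [CONFIG_ENGINE]},
]


def residual_bindings(policy, principal):
    """Roles still granted to `principal` in a policy snapshot."""
    return sorted(b["role"] for b in policy if principal in b.get("members", []))


def project_is_sealed(policy, provider_domain="@provider.example"):
    """True when no member from the provider's domain holds any role."""
    return not any(
        member.endswith(provider_domain)
        for binding in policy
        for member in binding.get("members", [])
    )


def validate_break_glass(event):
    """Check one break-glass record; an empty list means it is compliant."""
    problems = []
    # Claim 9: at least two people must collaborate, so count distinct names.
    if len(set(event.get("approvers", []))) < 2:
        problems.append("fewer than two distinct approvers")
    # Claim 8: access is tied to a customer support request.
    if not event.get("customer_request_id"):
        problems.append("no customer support request on record")
    # Claim 8: notices go to the customer and the provider's security admin.
    notified = set(event.get("notified", []))
    for required in ("customer_organization", "provider_security_admin"):
        if required not in notified:
            problems.append(f"missing notice to {required}")
    return problems


# Constructed break-glass records.
GOOD_EVENT = {
    "customer_request_id": "REQ-0001",
    "approvers": ["alice", "bob"],
    "notified": ["customer_organization", "provider_security_admin"],
}
BAD_EVENT = {
    "customer_request_id": "REQ-0002",
    "approvers": ["alice", "alice"],  # one person approving twice
    "notified": ["provider_security_admin"],
}

if __name__ == "__main__":
    print("leaky roles:", residual_bindings(POLICY_LEAKY, CONFIG_ENGINE))
    print("sealed:", project_is_sealed(POLICY_AFTER_BOOTSTRAP))
    print("bad event:", validate_break_glass(BAD_EVENT))
```
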

For the URL and additional information on this patent, see: Croteau, Beau. Secure service isolation between instances of cloud products using a SaaS model. U.S. Patent Number 11720410, filed December 14, 2021, and published online on August 8, 2023. Patent URL (for desktop use only): https://ppubs.uspto.gov/pubwebapp/external.html?q=(11720410)&db=USPAT&type=ids

(Our reports deliver fact-based news of research and discoveries from around the world.)
