US2019116186A1PendingUtilityA1

Enterprise cloud access control and network access control policy using risk based blocking

Assignee: SKYHIGH NETWORKS LLCPriority: May 8, 2014Filed: Dec 10, 2018Published: Apr 18, 2019
Est. expiryMay 8, 2034(~7.8 yrs left)· nominal 20-yr term from priority
H04L 63/0281H04L 63/101H04L 63/20H04L 67/10H04L 63/168
49
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A cloud access control server and method provides a cloud service access control database to implement cloud services access control policy. The cloud service access control database stores thereon cloud service identifiers associated with cloud service providers having high risk scores. In some embodiments, the cloud service identifiers form a block list of cloud services which is provided to network device of the enterprise data network to implement cloud service access control. In other embodiments, a cloud access control server and method implements cloud services access control policy for an enterprise. The cloud access control server and method receives network traffic data from the installed firewall or proxy at the enterprise and process the network traffic data with respect to cloud service access. The cloud access control server provides instructions to the firewall or proxy to allow or deny the network access at the enterprise.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method of providing cloud service access control to a network device of an enterprise data network, the method comprising:
 receiving, at a cloud access control server configured outside of the enterprise data network, a request message including a request for resource or a response to a request for resource received at the network device and destined for or originated from a cloud service, the cloud service being configured outside of the enterprise data network;   extracting, at the cloud access control server, information from the request message relating to a destination of the request for resource or an origin of the response to the request for resource;   applying one or more access control policies to the request for resource or the response to the request for resource;   generating a policy enforcement result in response to the application of the one or more access control policies to the request for resource or the response to the request for resource, the policy enforcement result comprising an instruction to allow or deny the request for resource or the response to the request for resource; and   providing the policy enforcement result to the network device.   
     
     
         2 . The method of  claim 1 , wherein receiving, at the cloud access control server configured outside of the enterprise data network, the request message including the request for resource or the response to the request for resource received at the network device and destined for the cloud service comprises:
 receiving an ICAP request message encapsulating the request for resource or the response to the request for resource in the ICAP request message body.   
     
     
         3 . The method of  claim 1 , wherein generating the policy enforcement result in response to the application of the one or more access control policies to the request for resource or the response to the request for resource further comprises:
 generating the policy enforcement result comprising an instruction to allow or deny the request for resource or the response to the request for resource based on the direction of network traffic or the cloud service usage rate.   
     
     
         4 . A system for providing cloud service access control to a network device of an enterprise data network, comprising:
 a cloud access control server configured outside of the enterprise data network and configured to receive a request message including a request for resource or a response to the request for resource received at the network device and destined for or originating from a cloud service, the cloud service being configured outside of the enterprise data network, the cloud access control server comprising:
 a message server configured to receive the request message and to extract information from the request message relating to a destination of the request for resource or an origin of the response to the request for resource; and 
 a policy engine configured to apply one or more access control policies to the request for resource or the response to the request for resource and to generate a policy enforcement result in response to the application of the one or more access control policies to the request for resource or the response to the request for resource, the policy enforcement result comprising an instruction to allow or deny the request for resource or the response to the request for resource, 
   wherein the cloud access control server provides the policy enforcement result to the network device.   
     
     
         5 . The system of  claim 4 , wherein the cloud access control server is configured to receive an ICAP request message as the request message, the ICAP request message encapsulating the request for resource or the response to the request for resource in the ICAP request message body. 
     
     
         6 . The system of  claim 4 , wherein the policy engine is further configured to generate a policy enforcement result comprising an instruction to allow or deny the request for resource or the response to the request for resource based on the direction of network traffic or the cloud service usage rate.

Join the waitlist — get patent alerts

Track US2019116186A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.