
A System And Method Of Providing Security To Cloud Data To Prevent Unauthorized Access

Abstract: A method and system for providing security to cloud data to prevent unauthorized access is provided. The method includes identifying an environment of a client, determining an address size and an address range of a memory, for example, a virtual memory, a flash memory or a RAM, storing a process state of a cloud process, monitoring the cloud process to ensure accessibility of the cloud process into the cloud for delivering the cloud service to the client and protecting the cloud service from the unauthorized access. The system includes a communication interface for establishing communication, a memory that stores instructions and a processor responsive to the instructions to identify an environment, determine an address size and an address range of a virtual memory, store a process state of a cloud process, monitor the cloud process and protect the cloud service from the unauthorized access.


Patent Information

Filing Date: 07 May 2012
Publication Number: 12/2014
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Grant Date: 2021-08-18

Applicants

SAMSUNG ELECTRONICS COMPANY
416 MAETAN-DONG, YEONGTONG-GU, SUWON-SI, GYEONGGI-DO 442-742

Inventors

1. SARIYA ANSARI
SAMSUNG INDIA SOFTWARE CENTER, 10TH FLOOR, TOWER A, LOGIX CYBER PARK, C28-29, SECTOR62, NOIDA, U.P.201301,
2. MANOJ KHANDELWAL
SAMSUNG INDIA SOFTWARE CENTER, 10TH FLOOR, TOWER A, LOGIX CYBER PARK, C28-29, SECTOR62, NOIDA, U.P.201301,
3. SUMIT AGGARWAL
SAMSUNG INDIA SOFTWARE CENTER, 10TH FLOOR, TOWER A, LOGIX CYBER PARK, C28-29, SECTOR62, NOIDA, U.P.201301,
4. VARUN MAHAJAN
SAMSUNG INDIA SOFTWARE CENTER, 10TH FLOOR, TOWER A, LOGIX CYBER PARK, C28-29, SECTOR62, NOIDA, U.P.201301,

Specification

A SYSTEM AND METHOD OF PROVIDING SECURITY TO CLOUD DATA TO PREVENT UNAUTHORIZED ACCESS

FIELD OF THE INVENTION

[0001] The present invention relates to the field of cloud computing, and more specifically to the field of security controls employed while providing cloud services.

BACKGROUND

[0002] In recent days, cloud-based computing has been widely utilized for rapid and scalable deployment of services. Examples of such services include, but are not limited to, IPTV services, virtual web store, media outlets, e-store, internet shop, web-shop and other online sites. Conventionally, a cloud-based architecture deploys resources that can be hosted by a cloud service provider. Examples of resources include, but are not limited to, one or more processors, operating system, display devices, one or more storage devices and the like. The resources are coupled to each other to form a virtual machine.

[0003] The user can request the virtual machine from the cloud service provider for obtaining the services. The user can also request the virtual machine for performing one or more intended tasks. The virtual machine is controlled by a central server present in the cloud for providing the resources to perform the one or more intended tasks by the user. Further, the cloud based architecture includes several virtual machines that can be scaled on demand. Furthermore, the virtual machines included in the cloud architecture are communicably connected to a user utilizing an internet protocol (IP) network. However, security of data to prevent unauthorized access, for example, hacking of data from the cloud, is a major issue.

[0004] A conventional method includes providing security at the central server side. The method provides various approaches for providing security controls, at the central server side, to prevent the unauthorized access. The various approaches include a network filter security, a virtual machine security, an operating system security, a file security, a file resource management security, an endpoint security, a virtual account security, a process security, and an application security. The central server can use one approach or a combination of approaches for providing the security controls. However, the method is restrained from providing security controls once the service, including an application or a processed data, is delivered to an electronic device of the user, for example, a personal computer, a television, or a mobile phone. Upon delivery of the application, the user can redirect the application to another client willingly or unwillingly. Hence, the method does not monitor unauthorized access once the application is delivered.

[0005] Further, other security controls, for example, anti-viruses, firewalls and the like, also provide security of the data from the unauthorized access. Such security controls are employed when the user complies with the security licenses, provided by the cloud service provider, for preventing the unauthorized access.

[0006] In one example, a first user can be accessing a cloud application provided by the cloud service provider. However, a second user can also be accessing the cloud application simultaneously by executing one or more processes. In this scenario, the second user is performing an unauthorized access to the cloud application. In one case, the first user may be ignorant of the unauthorized access performed by the second user. In another case, the first user may intentionally share the cloud application with the second user. However, in both cases, the cloud service provider will lose revenue, thereby incurring a loss. Further, the unauthorized access poses several threats to cloud business.

[0007] In the light of the foregoing discussion, there is a need for an efficient method and a system for monitoring and preventing unauthorized access of cloud services.

SUMMARY

[0008] Embodiments of the present disclosure described herein provide a system for providing security to cloud data to prevent unauthorized access.

[0009] An example of a method of providing security to cloud data to prevent unauthorized access includes identifying an environment of a client for providing a cloud service, the cloud service being obtained from cloud. The method also includes determining at least one of an address size and an address range of a virtual memory, wherein the virtual memory is used to execute a cloud process for obtaining the cloud service by the client. The method further includes storing a process state of the cloud process in response to execution of the cloud process in the virtual memory, the process state being stored in a cloud client management system database associated with the client. Further, the method includes monitoring the cloud process to ensure accessibility of the cloud process into the cloud for delivering the cloud service to the client. Moreover, the method includes protecting the cloud service from the unauthorized access.

[0010] An example of a system for providing security to cloud data to prevent unauthorized access includes a communication interface for establishing communication. The system also includes a memory that stores instructions. The system further includes a processor responsive to the instructions to identify an environment of a client for providing a cloud service, determine at least one of an address size and an address range of a virtual memory, wherein the virtual memory is used to execute a cloud process for obtaining the cloud service by the client, store a process state of the cloud process in response to execution of the cloud process in the virtual memory, monitor the cloud process to ensure accessibility of the cloud process into the cloud for delivering the cloud service to the client and protect the cloud service from the unauthorized access.

BRIEF DESCRIPTION OF FIGURES

[0011] In the accompanying figures, similar reference numerals may refer to identical or functionally similar elements. These reference numerals are used in the detailed description to illustrate various embodiments and to explain various aspects and advantages of the present disclosure.

[0012] FIG. 1 is a block diagram of an environment in accordance with which various embodiments can be implemented;

[0013] FIG. 2 is a block diagram of an electronic device for providing security to cloud data to prevent unauthorized access, in accordance with one embodiment;

[0014] FIG. 3 is a flowchart illustrating a method of providing security to cloud data to prevent unauthorized access, in accordance with one embodiment;

[0015] FIG. 4A-4B is a flowchart illustrating a method of delivering a cloud service to a user, in accordance with one embodiment;

[0016] FIG. 5A-5D is a flowchart illustrating a method of monitoring the cloud process to ensure accessibility of the cloud process into the cloud prior to delivering the cloud service to a user;

[0017] FIG. 6A-6B is a flowchart illustrating a method of enabling security of cloud data, in accordance with one embodiment;

[0018] FIG. 7A-7D is a flowchart illustrating a method of monitoring and protecting a cloud application from unauthorized access, in accordance with one embodiment.

DETAILED DESCRIPTION

[0019] It should be observed that the method steps and system components have been represented by conventional symbols in the figures, showing only specific details which are relevant for an understanding of the present disclosure. Further, details that may be readily apparent to a person ordinarily skilled in the art may not have been disclosed. In the present disclosure, relational terms such as first and second, and the like, may be used to distinguish one entity from another entity, without necessarily implying any actual relationship or order between such entities.

[0020] Embodiments of the present disclosure described herein provide a system and method of providing security to cloud data to prevent unauthorized access.

[0021] FIG. 1 is a block diagram of an environment 100 in accordance with which various embodiments can be implemented. The environment 100 includes various electronic devices, for example, a digital television 105a, a computer 105b, a mobile device 105c, a personal digital assistant 105d and a laptop 105e. The electronic devices are configured to obtain various cloud services from cloud 110.

[0022] Examples of the cloud services include, but are not limited to, IPTV services, various cloud applications, computing services, virtual web store, media outlets, e-store, internet shop, web-shop and other online sites that are present in the cloud 110. A user of an electronic device subscribes with a cloud service provider for obtaining the cloud services. The user of the electronic device subscribed with the cloud service provider can also be referred to as a client. The user makes a request for obtaining a cloud service. Once the user makes the request, the cloud service provider begins to process the request. Processing includes preparation of a virtual machine. Further, upon preparation, the virtual machine is assigned to the user. One or more cloud processes associated with the cloud service requested by the user are executed in the virtual machine for providing the cloud service to the user.

[0023] In one embodiment, the electronic device is operable to provide security controls at the user end. The security controls are enabled prior to providing the cloud services to the user. The security controls prevent the user from performing unauthorized access to the cloud. Further, the security controls enable the cloud service provider to monitor unauthorized access to the cloud by the user, violation of terms and conditions associated with the cloud services and the like. Furthermore, the security controls also enable the cloud service provider to provide a feedback to the user when the user violates the terms and conditions or when the user performs unauthorized access to the cloud 110.

[0024] In one example, a television channel service provider provides multiple television channels to the user. However, the television channels provided may be limited. Further, the television channel service provider may be unable to provide foreign channels, for example, a Korean channel or a Dutch channel that the user wishes to watch. In such cases, the user can use IPTV services to obtain the foreign channels along with the television channels from the cloud 110. The cloud service provider ensures the IPTV services from the cloud 110 are provided to the user. The cloud service provider provides a license defining terms and conditions for accessing the IPTV services. Further, the security controls provided in accordance with one embodiment of the present invention ensure that the user is prevented from violating the license. Further, the security controls also ensure that the user is restrained from breaching the security and further hacking the IPTV services from the cloud 110 for sharing with other users in an unauthorized manner.

[0025] In one embodiment, the electronic device is operable to identify an environment of the user. The environment is identified to determine functioning of the cloud services. Examples of the functioning include, but are not limited to, determining a state of the cloud services, determining a category of unauthorized access, for example, directing the cloud services to the other users, and determining violation of the terms and conditions by the user.

[0026] Upon identifying the environment of the user, an address size and an address range of a memory, for example, a virtual memory, a flash memory or a random access memory (RAM), are determined. In one example, the memory can include a video random access memory (VRAM). The memory is used to execute various cloud processes that support the cloud services. Further, the state of the cloud services is determined and stored. In one example, the number of cloud services that are in an active state is determined. The state of the cloud services is stored in a database, for example, a cloud client management system database. Hence, each user is associated with a cloud client management system database. Further, the database also includes a list of processes running in the environment of the user that are authorized to access the cloud 110. The database may be updated in real time to add processes to the list of processes that are authorized to access the cloud 110.

[0027] Furthermore, the electronic device is configured to monitor the list of processes to prevent unauthorized access to the client. In some embodiments, the list of processes authorized to access the cloud 110 is monitored for violation of the terms and conditions, for example, redirecting the cloud data to the other users, provided by the cloud service provider.

[0028] In some embodiments, processes included in the list of processes are blocked if the processes attempt an unauthorized access to the cloud 110. Further, the processes violating the terms and conditions are also prevented access to the cloud 110.

[0029] An electronic device including a plurality of elements for providing security to cloud data to prevent unauthorized access is explained in detail in conjunction with FIG. 2.

[0030] FIG. 2 is a block diagram of an electronic device for providing security to cloud data to prevent unauthorized access, in accordance with one embodiment.

[0031] The electronic device includes a bus 205 or other communication mechanism for communicating information, and a processor 210 coupled with the bus 205 for processing information. The electronic device also includes a memory 215, for example a random access memory (RAM) or other dynamic storage device, coupled to the bus 205 for storing information and instructions to be executed by the processor 210. The memory 215 can be used for storing temporary variables or other intermediate information during execution of instructions by the processor 210. The electronic device further includes a read only memory (ROM) 220 or other static storage device coupled to the bus 205 for storing static information and instructions for the processor 210. A storage unit 225, for example a magnetic disk or optical disk, is provided and coupled to the bus 205 for storing information, for example information associated with various processes, running on the electronic device of a user, authorized to access the cloud 110.

[0032] The electronic device can be coupled via the bus 205 to a display 230, for example a cathode ray tube (CRT), for displaying cloud content requested by the user. The input device 235, including alphanumeric and other keys, is coupled to the bus 205 for communicating information and command selections to the processor 210. Another type of user input device is the cursor control 240, for example a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to the processor 210 and for controlling cursor movement on the display 230.

[0033] Various embodiments are related to the use of the electronic device for implementing the techniques described herein. In some embodiments, the techniques are performed by the electronic device in response to the processor 210 executing instructions included in the memory 215. Such instructions can be read into the memory 215 from another machine-readable medium, for example the storage unit 225. Execution of the instructions included in the memory 215 causes the processor 210 to perform the process steps described herein.

[0034] In some embodiments, the processor 210 can include one or more processing units for performing one or more functions of the processor 210. The processing units are hardware circuitry used in place of or in combination with software instructions to perform specified functions.

[0035] The term "machine-readable medium" as used herein refers to any medium that participates in providing data that causes a machine to perform a specific function. In an embodiment implemented using the electronic device, various machine-readable media are involved, for example, in providing instructions to the processor 210 for execution. The machine-readable medium can be a storage medium, either volatile or non-volatile. A volatile medium includes, for example, dynamic memory, such as the memory 215. A non-volatile medium includes, for example, optical or magnetic disks, for example the storage unit 225. All such media must be tangible to enable the instructions carried by the media to be detected by a physical mechanism that reads the instructions into a machine.

[0036] Common forms of machine-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic media, a CD-ROM, any other optical media, punch cards, paper tape, any other physical media with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge.

[0037] In another embodiment, the machine-readable media can be transmission media including coaxial cables, copper wire and fiber optics, including the wires that include the bus 205. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications. Examples of machine-readable media may include, but are not limited to, a carrier wave as described hereinafter or any other media from which the electronic device can read. For example, the instructions can initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to the electronic device can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on the bus 205. The bus 205 carries the data to the memory 215, from which the processor 210 retrieves and executes the instructions. The instructions received by the memory 215 can optionally be stored on the storage unit 225 either before or after execution by the processor 210. All such media must be tangible to enable the instructions carried by the media to be detected by a physical mechanism that reads the instructions into a machine.

[0038] The electronic device also includes a communication interface 245 coupled to the bus 205. The communication interface 245 provides a two-way data communication coupling to the cloud 110. For example, the communication interface 245 can be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, the communication interface 245 can be a local area network (LAN) card to provide a data communication connection to a compatible LAN. In any such implementation, the communication interface 245 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

[0039] The processor 210 in the electronic device is operable to identify an environment of a client for providing a cloud service from the cloud 110. The processor 210 is further operable to determine an address size and an address range of a virtual memory. The virtual memory is used to execute a cloud process for obtaining the cloud service by the user. Further, the processor 210 is operable to store a process state of the cloud process in response to execution of the cloud process in the virtual memory.

In one embodiment, the processor 210 can include a cloud client management system database for storing the process state. Further, the cloud client management system database included in the processor 210 can also store a list of processes authorized to access the cloud 110. Furthermore, the processor 210 is configured to monitor the cloud process to ensure accessibility of the cloud process into the cloud for delivering the cloud service to the client. Moreover, the processor 210 is operable to protect the cloud service from the unauthorized access.

[0040] In some embodiments, the processor 210 is also operable to determine various processes executing in the electronic device of the user. The processor 210 is further operable to monitor the processes to ensure accessibility of each of the processes into the cloud 110. Further, the processor 210 is operable to block one or more processes of the various processes that are denied to access the cloud 110.

Furthermore, the processor 210 is operable to suspend or resume monitoring of the processes in real time.

[0041] In some embodiments, the processor 210 can be a part of a standalone operating system (OS), a cloud OS or a browser, for example, Firefox, Internet Explorer, Chrome and the like. The processor 210 configured for providing security to the cloud data can also be delivered as a cloud service, obtained from the cloud 110, provided by the cloud service provider.

[0042] A method of providing security to cloud data to prevent unauthorized access is explained in detail in conjunction with FIG. 3.

[0043] FIG. 3 is a flowchart illustrating a method of providing security to cloud data to prevent unauthorized access, in accordance with one embodiment. The method starts at step 305. At step 310 an environment of a client for providing a cloud service is identified. The client can obtain the cloud service by accessing the cloud 110. Examples of the cloud service include, but are not limited to, an IPTV service, a mail service, a computation service, a storage service and the like. Examples of the environment include, but are not limited to, a browser, cloud OS associated with a user and the like. Further, a state of the cloud service is also identified. The environment is identified for providing security of the cloud data while the user accesses the cloud 110.

[0044] At step 315 an address size and an address range of a memory, for example, a virtual memory, a flash memory or a RAM, are determined. The memory is used to execute a cloud process for obtaining the cloud service by the client. In one example, the address range and the address size of a VRAM are determined. In some embodiments, metadata supporting the cloud process is also determined. The memory and the metadata are used to identify the client such that the cloud service is secured from unauthorized access. Further, the memory and the metadata are used to identify malicious users accessing the cloud service in an unauthorized manner. Various mechanisms, for example, a calling graph mechanism and an access control mechanism, can be used to identify the malicious users.

[0045] At step 320 a process state of the cloud process in response to execution of the cloud process in the memory is determined. In one example, the cloud process may be in an active state. Hence, the active state of the cloud process is determined and thus stored. In another example, the cloud process may be in an inactive state. Hence, the inactive state of the cloud process is determined and thus stored.

[0046] The process state may be stored in a cloud client management system database associated with the client. Hence each client is associated with a corresponding cloud client management system database for storing a corresponding process state. In some embodiments, the cloud client management system database stores a list of processes, running on an electronic device of the client, authorized to access the cloud 110. If one or more processes included in the list of processes make a call to the cloud service, then the one or more processes are monitored to determine if the processes are authorized to access the cloud 110. Further, processes are monitored to determine if the processes are violating terms and conditions provided by a cloud service provider for accessing the cloud service.

[0047] At step 325 the cloud process is monitored to ensure accessibility of the cloud process into the cloud for delivering the cloud service to the client. In one example, the client may enable a remote sharing application for sharing the cloud service to other users. In such cases, the client is violating the terms and conditions. Hence, the cloud process is monitored to identify the activation of the remote sharing application and further the remote sharing application is blocked such that other users are unable to access the cloud service. The cloud process is monitored in real time to prevent unauthorized access to the cloud 110. Further, the cloud process is also monitored to determine violation of the terms and conditions.

[0048] At step 330 the cloud service is protected from the unauthorized access by the other users. Protection is performed by blocking one or more processes attempting to perform the unauthorized access into the cloud 110. The cloud service is also protected by notifying, to the cloud service provider, about the violation of the terms and conditions by the client. Further, step 330 also includes providing a feedback to the cloud service provider that includes various cloud services used by the client. Further, the feedback can also include violation of the terms and conditions by the client.

[0049] In some embodiments, the client may enable one or more new processes. In such cases prior to accessing the cloud 110, the new processes are monitored to determine if the new processes are authorized to access the cloud. Upon monitoring, processes among the new processes that are denied access to the cloud are blocked.
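The monitoring pass of steps 320 to 330 and the new-process check of [0049], written out as an added example that is not part of the specification. The names `ClientDB`, `Proc` and `monitor`, the record shapes, and the choice to key the authorized list on a SHA-256 digest of the executable instead of the process name are assumptions; the sample processes are constructed.

```python
import hashlib
from dataclasses import dataclass, field


def digest(image: bytes) -> str:
    """Allowlist key: SHA-256 of the executable image (assumption, see lead-in)."""
    return hashlib.sha256(image).hexdigest()


@dataclass(frozen=True)
class Proc:
    """One process observed on the client device (hypothetical record shape)."""
    pid: int
    name: str
    image: bytes        # stand-in for the bytes of the executable on disk
    active: bool        # process state recorded at step 320
    calls_cloud: bool   # True if the process makes a call to the cloud service


@dataclass
class ClientDB:
    """In-memory stand-in for the per-client cloud client management system database."""
    client_id: str
    authorized: dict = field(default_factory=dict)  # digest -> licensed name
    states: dict = field(default_factory=dict)      # pid -> "active" / "inactive"

    def authorize(self, name: str, image: bytes) -> None:
        """License update: add a process to the list authorized to access the cloud."""
        self.authorized[digest(image)] = name


def monitor(db: ClientDB, snapshot: list) -> dict:
    """One monitoring pass; returns the feedback sent to the cloud service provider."""
    report = {"client": db.client_id, "allowed": [], "blocked": [], "violations": []}
    for p in snapshot:
        # Step 320: store the process state, whether or not the process is checked.
        db.states[p.pid] = "active" if p.active else "inactive"
        if not (p.active and p.calls_cloud):
            continue  # only processes that call the cloud service are checked
        # Step 325: the check uses the image digest, so reusing an authorized
        # process name with a different executable does not pass.
        if digest(p.image) in db.authorized:
            report["allowed"].append(p.pid)
        else:
            # Step 330: block the process and record the violation for the provider.
            report["blocked"].append(p.pid)
            report["violations"].append(
                f"{p.name} (pid {p.pid}) is not on the authorized list")
    return report


def demo():
    """Constructed scenario: one licensed player, then a license update."""
    db = ClientDB("client-001")
    db.authorize("iptv_player", b"IPTV-PLAYER-v1")
    snapshot = [
        Proc(101, "iptv_player", b"IPTV-PLAYER-v1", True, True),    # licensed
        Proc(202, "remote_share", b"REMOTE-SHARE-v3", True, True),  # sharing app, [0047]
        Proc(303, "iptv_player", b"OTHER-BINARY", True, True),      # same name, other image
        Proc(404, "text_editor", b"EDITOR-v9", True, False),        # never calls the cloud
        Proc(505, "iptv_player", b"IPTV-PLAYER-v1", False, True),   # inactive
        Proc(606, "mail_client", b"MAIL-CLIENT-v1", True, True),    # new process, [0049]
    ]
    first = monitor(db, snapshot)
    # The provider issues a new license that authorizes the new process ([0062]).
    db.authorize("mail_client", b"MAIL-CLIENT-v1")
    second = monitor(db, snapshot)
    return db, first, second


if __name__ == "__main__":
    db, first, second = demo()
    for label, rep in (("before license update", first), ("after license update", second)):
        print(label, rep["allowed"], rep["blocked"])
        for v in rep["violations"]:
            print("  violation:", v)
```

Process 303 carries an authorized name but a different executable; a list matched on name alone would have let it through.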

[0050] In some embodiments, system specific information and software specific information associated with the client is stored. The system specific information and the software specific information are used to monitor various processes and further used for preventing one or more processes from performing the unauthorized access to the cloud 110. The system specific information and the software specific information may be stored in a cloud client management system database. The system specific information and the software specific information are updated in real time prior to storing in the cloud client management system database. Further, one or more modifications in the system specific information and the software specific information are also updated in real time and further stored in the cloud client management system database.

[0051] In some embodiments, monitoring of the cloud process can be suspended and resumed in real time. The method also defines a level of security controls that is required to be enforced on the client. The level of security controls can be defined in, for example, a license provided to the client.

[0052] In some embodiments, intrusions into the address space are identified and further reported to the cloud service provider for preventing the unauthorized access to the cloud 110.

[0053] In some embodiments, the method also determines if a VRAM driver associated with the cloud process complies with security controls enforced prior to accessing the cloud 110. The method stops at step 335.

[0054] FIG. 4A-4B is a flowchart illustrating a method of delivering a cloud service to a user, in accordance with one embodiment. The method starts at step 405.

[0055] At step 410 a request for a cloud service is received from a user. Examples of the cloud service include, but are not limited to, an IPTV service, a mail service, a computation service, a storage service and the like. The request is made using an electronic device of a user.

[0056] At step 415 the request is parsed to obtain system specific information. The request is also analyzed to obtain software specific information. Various parsing techniques can be used for parsing the request. The system specific information and the software specific information are used to determine various processes authorized to access the cloud 110. Further, the system specific information and the software specific information are used to determine processes that are required to be blocked from accessing the cloud 110.

[0057] At step 420 a mode of service included in the request is identified. Examples of the mode of service include, but are not limited to, a cloud IPTV service, a data manipulation service, a main service, a computation service and the like. The mode of service is determined to process the request further.

[0058] At step 425 a virtual machine is prepared based on the mode of service identified in step 420. The virtual machine is used to execute one or more processes for delivering the cloud service to the user.

[0059] At step 430 a license is prepared to monitor the cloud service. The license includes terms and conditions for a list of processes authorized to access the cloud 110. The license further prevents unauthorized access to one or more processes that are denied access to the cloud 110.

[0060] At step 435 it is determined if a new license is required. If yes, then the method branches to step 440. If no, then the method branches to step 450. The new license is required when the user executes a new process.

[0061] At step 440, a new license is prepared to monitor the cloud service. The new process is monitored to determine if the new process is authorized to access the cloud 110. The new license is prepared based on the accessibility of the new process into the cloud 110.

[0062] At step 445, the new license is transmitted to the user. In one example, if the new process is authorized to access the cloud 110 then the new license is updated such that the new process is added to the list of processes authorized to access the cloud 110.

[0063] At step 450 the system specific information is updated. The system specific information is updated to determine a list of processes authorized to access the cloud 110 and a list of processes that are denied access to the cloud 110.

[0064] At step 445, the cloud service is delivered to the user. The method stops at step 460.

[0065] FIG. 5A-5D is a flowchart illustrating a method of monitoring the cloud process to ensure accessibility of the cloud process into the cloud prior to delivering the cloud service to a user.

[0066] The method starts at step 502. At step 504 a request for a cloud service is received from a user. In one example, the request can include an IPTV service.

[0067] At step 506, security controls are configured to monitor the cloud service. Configuring includes determining an address size and an address range of a memory, for example, a virtual memory, a flash memory or a RAM that is used to execute a cloud process to deliver the cloud service to the user. Configuring also includes determining a process state of the cloud process in response to execution of the cloud process in virtual memory.

[0068] At step 508, system specific information and software specific information are collected. Examples of the system specific information and the software specific information include, but are not limited to, various processes executing on an electronic device of the user, an address range associated with each of the various processes, map, VRAM driver details, user specific information and one or more user initiated processes. The system specific information and the software specific information are used to monitor various processes and further to prevent one or more processes from performing an unauthorized access to the cloud 110. The system specific information and the software specific information also include a list of processes associated with the user authorized to access the cloud 110. Further, at step 508, the system specific information and software specific information are stored.

[0069] At step 510, various processes that need to be monitored are identified. The various processes may be executing on the electronic device of the user. The various processes that need to be monitored are stored in a storage device.

[0070] At step 514, the various processes are monitored. Monitoring includes identifying if the various processes are authorized to access the cloud 110. The monitoring further includes identifying one or more processes that are denied access to the cloud 110. The monitoring can be performed by comparing process identifiers associated with each of the various processes to a list of process identifiers that are authorized to access the cloud 110.

[0071] At step 516, it is determined if an unauthorized access to the storage device is being performed. If yes, then the method branches to step 518. If no, then the method branches to step 520.

[0072] At step 518, information associated with the various processes is extracted. The information is used to determine if the various processes are permitted to access the cloud 110.

[0073] At step 520, it is determined if an unauthorized access to a cloud application that provides the cloud service is being performed. If yes, then the method branches to step 522. If no, then the method branches to step 544.

[0074] At step 522, the type of the unauthorized access is determined. Examples of the type of the unauthorized access include, but are not limited to, violation of the terms and conditions by the user, unauthorized access performed by another user, for example, a hacker, and the like.

[0075] At step 524, it is determined if cloud content is shared by the user. The cloud content includes the cloud service, for example, a video included in a cloud television. If yes, then the method branches to step 526. If no, then the method branches to step 534.

[0076] At step 526, it is determined if a license of the user permits the user to share the cloud content with other users. The license may be provided by a cloud service provider. If yes, then the method branches to step 532. If no, then the method branches to step 528.

[0077] At step 528, the cloud content is blocked to prevent sharing. The cloud content is blocked since the license of the user prevents sharing of the cloud content with the other users. Further, blocking the cloud content prevents the user from violating the license.

[0078] At step 530, feedback is transmitted to the user. The feedback indicates the violation of the license to the user. Further, the feedback indicates to the user to cease sharing of the cloud content.

[0079] At step 532, the cloud content is redirected to enable sharing. Sharing of the cloud content is enabled since the license of the user permits sharing. The license may also specify the number of users permitted to access the cloud client, thereby preventing numerous unauthorized accesses.

[0080] At step 534, it is determined if an unauthorized access is being performed by another user, for example, a hacker. If yes, then the method branches to step 536. If no, then the method branches to step 540.

[0081] At step 536, the cloud content is blocked to prevent the unauthorized access. One or more algorithms can be used for enabling blocking of the cloud content from the unauthorized access.

[0082] At step 538, the user is intimated about the unauthorized access that is being performed by the other user. Intimation is performed so that the user is aware of the unauthorized access. Further, the intimation enables the user to take precautionary measures to prevent the unauthorized access.

[0083] At step 540, a cloud service provider is updated about the unauthorized access that is being performed by the other user.

[0084] At step 542, security controls are updated to prevent the unauthorized access. The security controls are updated by the cloud service provider.

[0085] At step 544, the cloud service is delivered to the user. The method stops at step 546.

[0086] FIG. 6A-6B is a flowchart illustrating a method of enabling security of cloud data, in accordance with one embodiment. The method starts at step 605.

[0087] At step 610 a cloud service of a user is activated at the user's side. Activation includes preparing terms and conditions, for accessing the cloud 110, by a cloud service provider.

[0088] At step 615 a security control for a video random access memory (VRAM) associated with the cloud service is enabled. In one example, the security control for the VRAM is performed by checking a process identifier (ID) of the VRAM. If the process ID of the VRAM is included in a list of processes that are authorized to access the cloud 110 then the cloud service can be accessed by the user.

[0089] At step 620 a backtrace security is enabled. The backtrace security enables the user with an easy access to a comprehensive and large collection of security-related tools, for example, port scanners, password crackers and the like.

[0090] At step 625 an address space associated with the cloud service of the user is protected. The address space is used to execute a process that provides the cloud service to the user. Protection is provided by monitoring unauthorized access to the cloud. Further, the protection is enabled by ensuring the user is not violating terms and conditions, for accessing the cloud, provided by the cloud service provider.

[0091] At step 630 a request for a cloud service is received from the user. The user can send the request using an electronic device capable of accessing the cloud 110.

[0092] At step 635 it is determined if an unauthorized access to the cloud 110 is being performed by the user. Examples of the unauthorized access include, but are not limited to, the user sharing the cloud service with other users, a remote user hacking content included in the cloud service, unauthorized reading of the content included in the VRAM and the like. Unauthorized access is determined by checking whether the process identifiers associated with the various processes are authorized to access the cloud 110. If yes then the method branches to step 640. If no then the method branches to step 650.

[0093] At step 640 the type of the unauthorized access is determined. Examples of the type of the unauthorized access include, but are not limited to, violation of the terms and conditions by the user, unauthorized access performed by another user, for example, a hacker, and the like.

[0094] At step 645 an action is taken against the unauthorized access. Examples of the action include, but are not limited to, blocking the cloud process that is violating the terms and conditions, intimating the user about the unauthorized access performed by the other user and the like. The action further includes storing information of the cloud process that is performing the unauthorized access to prevent repeated analysis in future. The method stops at step 650.

[0095] FIG. 7A-7D is a flowchart illustrating a method of monitoring and protecting a cloud application from unauthorized access, in accordance with one embodiment. The method starts at step 702.

[0096] At step 704 a request for providing a cloud service is granted to a user. The request may be granted upon the user subscribing with a cloud service provider for accessing the cloud 110. A cloud application is executed for delivering the cloud service to the user.

[0097] At step 706 a VRAM driver is updated to support security controls. The VRAM driver enables accessing of a VRAM that stores cloud contents for providing the cloud service.

[0098] At step 708 system specific information, software specific information and metadata associated with the user are transmitted to the VRAM driver. Further, a process identifier associated with each of one or more processes is also transmitted to the VRAM driver. The one or more processes may be running on an electronic device of the user.

[0099] At step 710 the one or more processes are checked to determine permissibility of the one or more processes to access the VRAM. The VRAM driver makes a list of the one or more processes that need to be executed to deliver the cloud service to the user. The permissibility of the one or more processes to access the VRAM is determined by comparing the process identifier of each of the processes with a list of process identifiers authorized to access the cloud 110. The list of process identifiers authorized to access the cloud 110 may be stored in a database associated with the user.

[00100] At step 712 a state associated with the cloud application that delivers the cloud service to the user is identified.

[00101] At step 714 it is determined if the state associated with the cloud application is active. If yes, then the method branches to step 716. If no, then the method branches to step 726.

[00102] At step 716 it is determined if a window, in the electronic device of the user, associated with the cloud application is hidden. If yes, then the method branches to step 718. If no, then the method branches to step 722.

[00103] At step 718 it is determined if an unauthorized access to the cloud application is being performed. If yes, then the method branches to step 720. If no, then the method branches to step 742. One or more processes running in the electronic device of the user may perform the unauthorized access to the cloud application. The unauthorized access includes calling a read function on the VRAM by the one or more processes running in the electronic device of the user. The unauthorized access can also include calling a write function on the VRAM by the one or more processes running in the electronic device of the user.

[00104] At step 720 a process performing the unauthorized access to the cloud application is identified. Further, at step 720, the process is blocked from accessing the cloud application.

[00105] At step 722 the cloud service is delivered to the user and the method stops at 724.

[00106] At step 726 it is determined if one or more cloud services are enabled. Determination is performed when the state associated with the cloud application is inactive or when the window, in the electronic device of the user, associated with the cloud application is not hidden. If yes, then the method branches to step 728. If no, then the method stops at 740. Examples of the one or more cloud services include, but are not limited to, mail services, computing services and the like.

[00107] At step 728 it is determined if the state associated with the cloud application is active. If yes, then the method loops back to step 718. If no, then the method branches to step 730.

[00108] At step 730 the cloud service is delivered to the user and the method stops at 740.

[00109] At step 742 it is determined if the one or more processes, running in the electronic device of the user, are permitted to access the cloud application. If yes then the method branches to step 744. If no then the method branches to step 748. Determination of the one or more processes, running in the electronic device of the user, that are permitted to access the cloud application is performed when the unauthorized access to the cloud application is not found.

[00110] At step 744 the one or more processes are enabled to access the cloud service.

[00111] At step 746 the cloud service is delivered to the user and the method stops at step 750.

[00112] At step 748 the one or more processes are blocked from accessing the cloud service since the one or more processes are not permitted to access the cloud application and the method stops at step 750.
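The decision flow of FIG. 7A-7D (steps 710 to 748) written out as a runnable sketch; this is an added example, not part of the specification. It assumes that an "unauthorized access" at step 718 means a VRAM read or write by a process identifier outside the authorized list; `evaluate`, `VramCall`, `Decision` and all process identifiers are hypothetical, constructed names and values.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, NamedTuple


@dataclass(frozen=True)
class VramCall:
    """One observed call on the VRAM (hypothetical event shape)."""
    pid: int
    op: str  # "read" or "write"


class Decision(NamedTuple):
    outcome: str        # "deliver", "blocked" or "stop"
    steps: list         # flowchart step numbers visited, in order
    blocked: frozenset  # process identifiers blocked at step 720 or 748


def evaluate(app_active: Callable[[], bool], window_hidden: bool,
             services_enabled: bool, running_pids: Iterable[int],
             vram_calls: Iterable[VramCall],
             authorized_pids: Iterable[int]) -> Decision:
    """Walk steps 710-748; app_active is polled at 714 and again at 728."""
    authorized = frozenset(authorized_pids)
    none = frozenset()
    steps = [710, 712, 714]
    if app_active():
        steps.append(716)
        if not window_hidden:
            steps.append(722)                      # deliver, stop at 724
            return Decision("deliver", steps, none)
    else:
        steps.append(726)
        if not services_enabled:
            return Decision("stop", steps, none)   # stop at 740
        steps.append(728)
        if not app_active():
            steps.append(730)                      # deliver, stop at 740
            return Decision("deliver", steps, none)
    steps.append(718)
    # Assumption: unauthorized access = VRAM read/write by a PID outside the list.
    offenders = frozenset(c.pid for c in vram_calls
                          if c.op in ("read", "write") and c.pid not in authorized)
    if offenders:
        steps.append(720)                          # identify and block
        return Decision("blocked", steps, offenders)
    steps.append(742)
    denied = frozenset(running_pids) - authorized
    if denied:
        steps.append(748)                          # block, stop at 750
        return Decision("blocked", steps, denied)
    steps += [744, 746]                            # enable, deliver, stop at 750
    return Decision("deliver", steps, none)


# Constructed sample data: PIDs 100 and 200 form the authorized list.
AUTHORIZED = {100, 200}
SCRAPER = [VramCall(pid=4242, op="read")]          # constructed unauthorized reader

if __name__ == "__main__":
    pids = {100, 200, 4242}
    print(evaluate(lambda: True, True, True, pids, SCRAPER, AUTHORIZED))
    print(evaluate(lambda: True, False, True, pids, SCRAPER, AUTHORIZED))
```

In the flow as written, the VRAM check at step 718 is reached only through a hidden window (step 716) or the re-check at step 728. The same constructed reader that is blocked in the first run is therefore never examined in the second, where step 722 delivers the service.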

[00113] Advantageously, the embodiments specified in the present disclosure provide an efficient method for securing cloud data at the client end. By enabling security controls at the client side, the cloud contents are secured from unauthorized access prior to providing the cloud services to the user. Hence, clients, cloud service providers and third party supporters are assured of secure accessibility of the cloud contents. Further, the method prevents the user from sharing the cloud data with other users in an unauthorized manner. Furthermore, the method also enables the third party supporters to protect the copyright of the contents of the third party by the cloud service providers.

[00114] In the preceding specification, the present disclosure and its advantages have been described with reference to specific embodiments. However, it will be apparent to a person of ordinary skill in the art that various modifications and changes can be made, without departing from the scope of the present disclosure, as set forth in the claims below. Accordingly, the specification and figures are to be regarded as illustrative examples of the present disclosure, rather than in a restrictive sense. All such possible modifications are intended to be included within the scope of the present disclosure.

I/We claim:

1 A method of providing security to cloud data to prevent unauthorized access, the method comprising:

identifying an environment of a client for providing a cloud service, the cloud service being obtained from cloud;

determining at least one of an address size and an address range of a virtual memory, wherein the virtual memory is used to execute a cloud process for obtaining the cloud service by the client;

storing a process state of the cloud process in response to execution of the cloud process in the virtual memory, the process state being stored in a cloud client management system database associated with the client;

monitoring the cloud process to ensure accessibility of the cloud process into the cloud for delivering the cloud service to the client; and

protecting the cloud service from the unauthorized access.

2 The method as claimed in claim 1 and further comprising:

determining a plurality of processes executing in the environment of the client;

monitoring the plurality of processes to ensure accessibility of each of the processes into the cloud for delivering the cloud service to the client; and

blocking one or more processes of the plurality of processes, the one or more processes being denied to access the cloud.

3 The method as claimed in claim 1 and further comprising:

storing at least one of system specific information and software specific information for monitoring a plurality of cloud processes.

4 The method as claimed in claim 1 and further comprising:

suspending the monitoring of a plurality of processes in real time; and resuming the monitoring of the plurality of cloud processes in real time.

5 A system for providing security to cloud data to prevent unauthorized access, the system comprising:

a communication interface for establishing communication;

a memory that stores instructions; and a processor responsive to the instructions to

identify an environment of a client for providing a cloud service, the cloud service being obtained from cloud;

determine at least one of an address size and an address range of a virtual memory, wherein the virtual memory is used to execute a cloud process for obtaining the cloud service by the client;

store a process state of the cloud process in response to execution of the cloud process in the virtual memory, the process state being stored in a cloud client management system database associated with the client;

monitor the cloud process to ensure accessibility of the cloud process into the cloud for delivering the cloud service to the client; and protect the cloud service from the unauthorized access.

6 The system as claimed in claim 1, wherein the processor is further responsive to the instructions to:

determine a plurality of processes executing in the environment of the client;

monitor the plurality of processes to ensure accessibility of each of the processes into the cloud; and

block one or more processes of the plurality of processes, the one or more processes being denied to access the cloud.

7 The system as claimed in claim 1, wherein the processor is further responsive to the instructions to:

suspend monitoring of a plurality of processes in real time; and resume the monitoring of the plurality of processes in real time.

Documents

Application Documents

# Name Date
1 1750-CHE-2012 POWER OF ATTORNEY 07-05-2012.pdf 2012-05-07
1 1750-CHE-2012-RELEVANT DOCUMENTS [26-09-2023(online)].pdf 2023-09-26
2 1750-CHE-2012 FORM-5 07-05-2012.pdf 2012-05-07
2 1750-CHE-2012-US(14)-HearingNotice-(HearingDate-07-06-2021).pdf 2021-10-03
3 1750-CHE-2012-IntimationOfGrant18-08-2021.pdf 2021-08-18
3 1750-CHE-2012 FORM-3 07-05-2012.pdf 2012-05-07
4 1750-CHE-2012-PatentCertificate18-08-2021.pdf 2021-08-18
4 1750-CHE-2012 FORM-2 07-05-2012.pdf 2012-05-07
5 1750-CHE-2012-AMENDED DOCUMENTS [22-06-2021(online)]-1.pdf 2021-06-22
5 1750-CHE-2012 FORM-1 07-05-2012.pdf 2012-05-07
6 1750-CHE-2012-AMENDED DOCUMENTS [22-06-2021(online)].pdf 2021-06-22
6 1750-CHE-2012 DRAWINGS 07-05-2012.pdf 2012-05-07
7 1750-CHE-2012-FORM 13 [22-06-2021(online)]-1.pdf 2021-06-22
7 1750-CHE-2012 CORRESPONDENCE OTHERS 07-05-2012.pdf 2012-05-07
8 1750-CHE-2012-FORM 13 [22-06-2021(online)].pdf 2021-06-22
8 1750-CHE-2012 CLAIMS 07-05-2012.pdf 2012-05-07
9 1750-CHE-2012 ABSTRACT 07-05-2012.pdf 2012-05-07
9 1750-CHE-2012-POA [22-06-2021(online)]-1.pdf 2021-06-22
10 1750-CHE-2012 DESCRIPTION (COMPLETE) 07-05-2012...pdf 2012-05-07
10 1750-CHE-2012-POA [22-06-2021(online)].pdf 2021-06-22
11 1750-CHE-2012 CORRESPONDENCE OTHERS 01-04-2013.pdf 2013-04-01
11 1750-CHE-2012-RELEVANT DOCUMENTS [22-06-2021(online)].pdf 2021-06-22
12 1750-CHE-2012 FORM-13 01-04-2013.pdf 2013-04-01
12 1750-CHE-2012-Written submissions and relevant documents [22-06-2021(online)].pdf 2021-06-22
13 1750-CHE-2012 FORM-18 25-04-2013.pdf 2013-04-25
13 1750-CHE-2012-Correspondence to notify the Controller [04-06-2021(online)].pdf 2021-06-04
14 1750-CHE-2012-FORM-26 [04-06-2021(online)].pdf 2021-06-04
14 Form 13_Address for service.pdf 2015-07-17
15 1750-CHE-2012-AMENDED DOCUMENTS [04-03-2020(online)].pdf 2020-03-04
15 Amended Form 1.pdf 2015-07-17
16 1750-CHE-2012 FORM-13 17-07-2015.pdf 2015-07-17
16 1750-CHE-2012-FORM 13 [04-03-2020(online)].pdf 2020-03-04
17 Form 3 [27-06-2017(online)].pdf 2017-06-27
17 1750-CHE-2012-RELEVANT DOCUMENTS [04-03-2020(online)].pdf 2020-03-04
18 1750-CHE-2012-FORM-26 [27-11-2017(online)].pdf 2017-11-27
18 Correspondence by Agent_Power of Attorney_20-09-2019.pdf 2019-09-20
19 1750-CHE-2012-ABSTRACT [13-09-2019(online)].pdf 2019-09-13
19 1750-CHE-2012-FORM 3 [28-12-2017(online)].pdf 2017-12-28
20 1750-CHE-2012-CLAIMS [13-09-2019(online)].pdf 2019-09-13
20 1750-CHE-2012-RELEVANT DOCUMENTS [19-02-2018(online)].pdf 2018-02-19
21 1750-CHE-2012-Changing Name-Nationality-Address For Service [19-02-2018(online)].pdf 2018-02-19
21 1750-CHE-2012-CORRESPONDENCE [13-09-2019(online)].pdf 2019-09-13
22 1750-CHE-2012-DRAWING [13-09-2019(online)].pdf 2019-09-13
22 1750-CHE-2012-FER.pdf 2019-03-13
23 1750-CHE-2012-FER_SER_REPLY [13-09-2019(online)].pdf 2019-09-13
23 1750-CHE-2012-PETITION UNDER RULE 137 [13-09-2019(online)].pdf 2019-09-13
24 1750-CHE-2012-OTHERS [13-09-2019(online)].pdf 2019-09-13

Search Strategy

1 SearchStrategy_08-03-2019.pdf

ERegister / Renewals

3rd: 26 Oct 2021

From 07/05/2014 - To 07/05/2015

4th: 26 Oct 2021

From 07/05/2015 - To 07/05/2016

5th: 26 Oct 2021

From 07/05/2016 - To 07/05/2017

6th: 26 Oct 2021

From 07/05/2017 - To 07/05/2018

7th: 26 Oct 2021

From 07/05/2018 - To 07/05/2019

8th: 26 Oct 2021

From 07/05/2019 - To 07/05/2020

9th: 26 Oct 2021

From 07/05/2020 - To 07/05/2021

10th: 26 Oct 2021

From 07/05/2021 - To 07/05/2022

11th: 22 Apr 2022

From 07/05/2022 - To 07/05/2023

12th: 25 Apr 2023

From 07/05/2023 - To 07/05/2024

13th: 01 May 2024

From 07/05/2024 - To 07/05/2025

14th: 29 Apr 2025

From 07/05/2025 - To 07/05/2026