JP7516677B2 - Unified Policy Enforcement Management in the Cloud - Google Patents

Description

Cross References

This application is a continuation of U.S. Nonprovisional Patent Application No. 17/384,618, entitled “Computer-Based Policy Manager for Cloud-Based Unified Functions,” filed on July 23, 2021 (Attorney Docket No. NSKO1035-2), which is a continuation of U.S. Patent Application No. 17/163,408, entitled “Unified Policy Enforcement Management in the Cloud,” filed on January 30, 2021 (Attorney Docket No. NSKO1035-1), now U.S. Patent No. 11,159,576, issued on October 26, 2022;
U.S. Nonprovisional Patent Application No. 17/163,411, entitled “Dynamic Distribution of Unified Policies in a Cloud-Based Policy Enforcement System,” filed on January 30, 2021 (Attorney Docket No. NSKO1041-1);
This application claims the benefit of U.S. Non-provisional Patent Application No. 17/163,415, entitled "Dynamic Routing of Access Request Streams in a Unified Policy Enforcement System," filed on January 30, 2021 (Attorney Docket No. NSKO1042-1), and U.S. Non-provisional Patent Application No. 17/163,416, entitled "Unified System for Detecting Policy Enforcement Issues in a Cloud-Based Environment," filed on January 30, 2021 (Attorney Docket No. NSKO1043-1).

Reference

The following materials are incorporated by reference for all purposes as if fully set forth herein:

U.S. Nonprovisional Patent Application No. 16/807,128, entitled “Load Balancing in a Dynamic Scalable Services Mesh,” filed March 2, 2020 (Attorney Docket No. NSKO1025-3), which claims the benefit of U.S. Patent Application No. 62/812,760, entitled “Load Balancing in a Dynamic Scalable Services Mesh,” filed March 1, 2019 (Attorney Docket No. NSKO1025-1);
U.S. Nonprovisional Patent Application No. 16/807,132, entitled “Recovery From Failure in a Dynamic Scalable Services Mesh,” filed March 2, 2020 (Attorney Docket No. NSKO1025-4), now U.S. Patent No. 10,868,845, issued December 15, 2020, which claims the benefit of U.S. Provisional Patent Application No. 62/812,791, entitled “Recovery from Failure in a Dynamic Scalable Services Mesh,” filed March 1, 2019 (Attorney Docket No. NSKO1025-2);
U.S. Non-Provisional Patent Application No. 14/198,508, entitled “Security for Network Delivered Services,” filed March 5, 2014 (Attorney Docket No. NSKO1000-3), which is now U.S. Patent No. 9,270,765, issued February 23, 2016;
U.S. Provisional Patent Application No. 14/198,499, entitled "Security for Network Delivered Services," filed March 5, 2014 (Attorney Docket No. NSKO1000-2), which is now U.S. Patent No. 9,398,102, issued July 19, 2016;
U.S. Non-Provisional Patent Application No. 14/835,640, entitled “Systems and Methods of Monitoring and Controlling Enterprise Information Stored on a Cloud Computing Service (CCS),” filed on August 25, 2015 (Attorney Docket No. NSKO1001-2), which is now U.S. Patent No. 9,928,377, issued on March 27, 2018;
No. 15/368,246, entitled "Middle Ware Security Layer for Cloud Computing Services," filed on December 2, 2016 (Attorney Docket No. NSKO1003-3), which claims the benefit of U.S. Provisional Patent Application No. 62/307,305, entitled "Systems and Methods of Enforcing Multi-Part Policies om Data-Deficient Transactions of Cloud Computing Services," filed on March 11, 2016 (Attorney Docket No. NSKO1003-1);
"Cloud Security for Dummies, Netskope Special Edition" by Cheng, Ithal, Narayanaswamy, and Malmskog, John Wiley & Sons, Inc. 2015,
"Netskope Introspection" by Netskop, Inc. ，
“Data Loss Prevention and Monitoring in the Cloud” by Netskop, Inc. ，
“Cloud Data Loss Prevention Reference Architecture” by Netskop, Inc. ，
“The 5 Steps to Cloud Confidence” by Netskope, Inc. ，
“The Netskope Active Platform” by Netskop, Inc.
“The Netskope Advantage: Three “Must-Have” Requirements for Cloud Access Security Brokers” by Netskop, Inc. ，
“The 15 Critical CASB Use Cases” by Netskope, Inc.
“Netskope Active Cloud DLP” by Netskope, Inc. ，
“Repave the Cloud-Data Breach Collision Course” by Netskope, Inc. , and “Netskope Cloud Confidence Index(TM)” by Netskope, Inc.

The disclosed technology relates generally to policy enforcement for network-delivered services, and specifically to providing a cloud-based policy enforcement system that integrates packet- and protocol-based access control and traffic inspection, threat detection, and activity contextualization capabilities for inspectable and uninspectable traffic.

The subject matter discussed in this section should not be assumed to be prior art merely as a result of its mention in this section. Similarly, it should not be assumed that the problems mentioned in this section, or related to the subject matter provided as background, have been previously recognized in the prior art. The subject matter in this section merely represents different approaches and may, as such, correspond to implementations of the claimed technology.

The use of cloud services for corporate functions is common. Research suggests that 80% of enterprise workloads will reside in the cloud by 2025. According to International Data Corporation, "spending on public cloud information technology (IT) infrastructure surpassed spending on traditional IT infrastructure for the first time in the second quarter of 2020." For example, enterprise companies often utilize software-as-a-service (SaaS) solutions instead of installing servers within the corporate network to deliver services.

Data is the lifeblood of many businesses and must be effectively managed and protected. With the increasing adoption of cloud services, businesses of all sizes are relying on the cloud to create, edit, and store data. This creates new challenges as users access cloud services from multiple devices, including sharing data with people outside the organization. It is easy for data to leave an organization's control.

As customers want to be able to securely transmit all of their data between customer branches and data centers, enterprises face the daunting challenge of seamlessly securing the critical data that traverses the network to access SaaS apps, IaaS, and the web from any endpoint. *All* data includes peer-to-peer file sharing (P2P) via protocols for portal traffic such as BitTorrent (BT), User Datagram Protocol (UDP) streaming, and File Transfer Protocol (FTP), voice, video, and messaging multimedia communication sessions such as instant messages over Internet Protocol (IP) and mobile phone calling over LTE (VoLTE) via Session Initiation Protocol (SIP) and Skype, Internet traffic, cloud application data, and Generic Routing Encapsulation (GRE) data. As an example of the size of P2P files sharing segments of data that need to be handled securely, BitTorrent is one popular protocol for transferring large files, such as digital video files containing TV shows or video clips, or digital audio files containing songs, and has between 15 and 27 million concurrent users at any given time, and was used by 150 million active users as of 2013. Based on this figure, the total number of monthly BitTorrent users is estimated to be more than a quarter of a billion, and BitTorrent is responsible for 3.35% of the world's bandwidth, or more than half of 6% of the total bandwidth dedicated to file sharing.

With more data sources, there are hundreds of ways data can be compromised. Employees may send the wrong file, not be careful when rushing to meet deadlines, or share and collaborate on data with people outside the organization. Cloud storage native sync clients also pose a big risk to organizations. With continuous syncing between the endpoint and the cloud service, employees are unaware that sensitive company information may be leaking. In one use case that illustrates the need for integrated policy enforcement capabilities, an enterprise may want to allow employees and contractors to make voice calls and participate in video conferences, but may not want to allow employees and contractors to transfer files over LTE via SIP and Skype. In another example, an enterprise may want to allow its users to watch videos but not be able to upload or download video content files.

It is therefore essential to promote the use of cloud services so that people can remain productive and continue to use the best tools for their jobs without putting at risk sensitive information such as intellectual property, non-public accounts, strategic plans, client lists, or personally identifiable information belonging to customers or employees.

Opportunities arise to integrate packet- and protocol-based access control and traffic inspection for inspectable and uninspectable traffic, threat detection and activity contextualization, and inspection capabilities, extending beyond cloud app and web traffic firewalls to provide a cloud-based policy enforcement system that securely handles P2P traffic over BT, FTP, and UDP-based streaming protocols, as well as Skype, voice, video, and messaging multimedia communication sessions over SIP, and web traffic over other protocols.

In the drawings, like reference characters generally refer to like parts throughout the different views. Also, the drawings are not necessarily to scale, with emphasis instead generally being placed upon illustrating the principles of the disclosed technology. In the following description, various implementations of the disclosed technology are described with reference to the following drawings:

For one embodiment of the disclosed technology, an architecture level schematic diagram of a system for providing a cloud-based policy enforcement system that integrates packet- and protocol-based access control and traffic inspection, threat detection, and activity contextualization capabilities for inspectable and uninspectable traffic is shown. FIG. 1 illustrates a block diagram of an exemplary distributed network of secure services. A disclosed policy enforcement layer for managing a cloud-based policy enforcement system that integrates the capabilities of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, activity contextualization, and data loss prevention analytics is shown. For one embodiment of the disclosed technology, a disclosed policy enforcement stack is shown with a comprehensive suite of policy enforcement components and example logical traffic flows for a cloud-based policy enforcement system that integrates the capabilities of packet-level and protocol-level access control and traffic inspection, threat detection, and activity contextualization for inspectable and uninspectable traffic. 1 illustrates an example of a common field for expressing a unified policy in the disclosed cloud-based policy enforcement system that integrates the capabilities of packet-level and protocol-level access control and traffic inspection, threat detection, and activity contextualization for inspectable and uninspectable traffic. A representative user interface that can be used to configure policy specifications for a cloud-based policy enforcement system that integrates the capabilities of packet- and protocol-based access control and traffic inspection, threat detection, and activity contextualization for inspectable and uninspectable traffic is shown. 1 illustrates a block diagram of a disclosed policy manager device for a cloud-based policy enforcement system that consolidates policy enforcement functions. FIG. 1 is a block diagram illustrating the disclosed integrated policy enforcement system of cloud-based components for packet-level access control and traffic inspection, protocol-level access control and traffic inspection, threat detection, and activity contextualization. For one embodiment of the disclosed technology, an exemplary logical traffic flow is shown for a cloud-based policy enforcement system that integrates the capabilities of access control and traffic inspection, threat detection and activity contextualization for inspectable and uninspectable traffic, and performs data loss prevention analysis. An exemplary computer-implemented method of unified security policy management in the cloud is illustrated, as applied by a policy manager to a cloud-based policy enforcement system that integrates packet-level and protocol-level access control and traffic inspection, threat detection, and activity contextualization capabilities for inspectable and uninspectable traffic. An exemplary method is presented for dynamic distribution of integrated enforcement policies in a cloud-based policy enforcement system that is applied by a policy manager to a cloud-based policy enforcement system that integrates the capabilities of access control and traffic inspection, threat detection, and activity contextualization for inspectable and uninspectable traffic. 1 illustrates an exemplary method for processing incoming access requests for packets through a cloud-based component that performs: (a) packet-level access control and traffic inspection; (b) protocol-level access control and traffic inspection; (c) threat detection; and (d) activity contextualization. 1 illustrates an exemplary method for dynamically routing access request streams through cloud-based components for (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization. FIG. 1 is a simplified block diagram of a computer system that may be used to implement the disclosed integrated policy enforcement system of cloud-based components for packet-level access control and traffic inspection, protocol-level access control and traffic inspection, threat detection, and activity contextualization.

The following detailed description is provided with reference to the drawings. Exemplary implementations are described to illustrate the disclosed technology, but not to limit its scope, which is defined by the claims. Those skilled in the art will recognize various equivalent variations based on the following description.

Existing approaches for applying policy enforcement services to customer traffic include security devices points of presence (PoPs) in the path of data flow between customer branches of an organization's network and data centers accessed in the cloud over the Internet.

Each application also has unique requirements for network performance that must be considered. For example, webinar (one-to-many) streaming requires high bandwidth, real-time collaboration requires low latency, and back-end systems hosted in a virtual private cloud may have very high resiliency and redundancy requirements. To further complicate the issue, unlike private applications, cloud applications do not have a predictable set of IP addresses and ports, but are constantly changing and evolving, making them a fuzzy and ever-shifting target.

Customers want to know how to support and secure a complex mix of applications: managed (IT-driven), unmanaged (shadow IT), on-prem, private apps in the cloud, and third-party SaaS. Organizations want to leverage a single policy enforcement service that can extend beyond cloud app and web traffic firewalls to apply policy enforcement services to all customer traffic to securely handle P2P traffic over BT, FTP, and UDP-based streaming protocols, as well as Skype, voice, video, and messaging multimedia communication sessions over SIP, and web traffic over other protocols.

Web security vendors have attempted to address this problem by packaging and moving their legacy solutions to the cloud, but this approach does not address the policy enforcement challenges created by the use of SaaS and IaaS, or the way the dynamic web is currently built. To realize this new network vision, a fundamentally different approach to policy enforcement is needed - one that enables organizations to address these changes directly with a unified cloud and web policy enforcement platform designed from the ground up for today's next-generation cloud-first enterprise.

In one example, a policy enforcement service needs to allow employees and contractors of an organization to make phone calls, but not transfer files. This policy can be enforced by the service by encoding the SIP control and data channels. Enforcing this policy requires more than a SIP proxy to allow the ability to predict where data is being transferred and the ability to avoid or block the channel based on information in the channel. The streaming agent sending the traffic only sees the port, so it needs to know all available ports before sending. If it handles all protocols, the policy enforcement service can capture web traffic through non-standard ports, but it is difficult to collect traffic. The existing workaround to protect against file transfer is to block access to ports, but the policy enforcement service wants to load everything safely rather than block ports. P2P data packets try standard ports first, then often fall back, hopping from port to port, which also limits the usefulness of blocking ports, since P2P data services can hop to different ports.

A security administrator can install policy enforcement service devices at the data center and headquarters at each of the customer branches of the organization's network to create a management network for applying enforcement policies so that all traffic passes through the security devices. The on-premise policy enforcement administrator is then responsible for managing the deployment to ensure high availability of the devices with failover management, managing the software lifecycle with patches, and managing upgrades to respond to the hardware lifecycle. Issues with this hands-on approach to policy enforcement include scaling as the company size changes and load balancing to ensure sufficient service availability as data loads fluctuate.

The disclosed technology provides unified policy management in the cloud and dynamic distribution of unified policies in a cloud-based policy enforcement system using a policy manager that integrates packet- and protocol-based access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization capabilities. The disclosed policy enforcement service platform scales horizontally and uniformly to manage customized security services and policies for organizations and avoid single points of failure.

The present technology also discloses a system for dynamic routing and integration of access request streams to detect policy enforcement issues in a cloud-based environment.
Acronyms

Acronyms used in this disclosure are identified the first time they are used. These acronyms are technical terms often used in standard documents. Except where these terms are used in a way that is clearly and clearly different from their meaning in the art, they adopt the meaning they have in the security systems environment. For the convenience of the reader, many of them are listed here (Tables 1A and 1B).

Security service customers using the disclosed technology can specify which policy enforcement services apply to different types of tenant data and customize security policies for data transmitted through their organization's devices. In the context of this application, policy enforcement and security are used interchangeably in most contexts. An exemplary system for managing a cloud-based policy enforcement system that integrates packet- and protocol-based access control for inspectable and uninspectable traffic and traffic inspection, threat detection, and activity contextualization capabilities is described below.

Architecture Figure 1 shows an architecture level schematic diagram of a system 100 for providing a cloud-based policy enforcement system that integrates packet- and protocol-based access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization capabilities. Because Figure 1 is an architecture diagram, some details have been intentionally omitted for greater clarity. The description of Figure 1 is structured as follows: First, the elements of the diagram are described, followed by a description of their interconnections. Next, the use of the elements in the system is described in more detail.

The system 100 includes an organizational network 102, a data center 152 having an integrated cloud-based security system 805 with a security stack 153 having a Netscope Policy Manager 157 and a Netscope Cloud Access Security Broker (N-CASB) 155, and a cloud-based service 108. The system 100 includes multiple organizational networks 104 for multiple subscribers, also referred to as multi-tenant networks, of a security service provider, and multiple data centers 154. The organizational network 102 includes computers 112a-n, tablets 122a-n, mobile phones 132a-n, and smart watches 142a-n. In another organizational network, organizational users can utilize additional devices. The cloud services 108 include a cloud-based hosting service 118, a web email service 128, a video, messaging, and voice calling service 138, a streaming service 148, a file transfer service 158, and a cloud-based storage service 168. The data center 152 connects to the organizational network 102 and the cloud-based services 108 via a public network 145. A Netscope Cloud Access Security Broker (N-CASB) 155 between the cloud service consumer and the cloud service provider combines and interposes enterprise security policies when cloud-based resources are accessed. The integrated cloud-based security system 805 with security stack 153 is also referred to in this document as an integrated cloud-based policy enforcement system with a policy enforcement stack.

Continuing with the description of FIG. 1, the disclosed integrated cloud-based security system 805 is described in detail below with respect to FIG. 8, and the Netscope Policy Manager 157 is described in detail below with respect to FIG. 7. The enhanced Netscope Cloud Access Security Broker (N-CASB) 155 governs access and activity in authorized and unauthorized cloud apps, secures sensitive data, prevents its loss, and protects against internal and external threats, as well as safely handles P2P traffic over BT, FTP and UDP-based streaming protocols, and Skype, voice, video and messaging multimedia communication sessions over SIP, and web traffic over other protocols. The N-CASB 155 includes an active analyzer 165 and an internal inspection analyzer 175 that identify users of the system and set app policies. The internal inspection analyzer 175 interacts directly with the cloud-based service 108 to inspect data at rest. In the polling mode, the internal inspection analyzer 175 calls the cloud-based service using the API connector to crawl the data present in the cloud-based service and check for changes. As an example, the Box™ storage application provides an administration API called Box Content API™ that provides visibility into the organization's accounts for all users, including audit logs of the Box folder, and this administration API can be inspected to determine whether a sensitive file was downloaded after a specific date when the certificate was compromised. The internal inspection analyzer 175 polls this API to discover changes made to any of the accounts. If changes are discovered, the Box Events API™ is polled to discover detailed data changes. In the callback model, the internal inspection analyzer 175 registers with the cloud-based service via the API connector to be notified of any important events. For example, the internal inspection analyzer 175 can learn when files are shared externally using the Microsoft Office 365 WebSphere API™. The internal inspection analyzer 175 also includes a DLP engine with deep API inspection (DAPII), deep packet inspection (DPI), and log inspection capabilities that apply different content inspection techniques to the remaining files in the cloud-based service to determine which documents and files are sensitive based on the policies and rules stored in storage 186. The result of the inspection by the internal inspection analyzer 175 is the generation of per-user and per-file data.

Continuing with the description of FIG. 1, N-CASB 155 further includes monitor 184, which includes extraction engine 171, classification engine 172, security engine 173, management plane 174, and data plane 180. Storage 186 included in N-CASB 155 also includes content policies 187, content profiles 188, content inspection rules 189, enterprise data 197, client information 198, and user identity information 199. Enterprise data 197 can include organizational data, including, but not limited to, intellectual property, non-public accounting, strategic plans, customer lists, personally identifiable information (PII) belonging to customers or employees, patient health data, source code, trade secrets, reservation information, partner agreements, corporate plans, merger and acquisition documents, and other confidential data. In particular, the term "enterprise data" refers to documents, files, folders, web pages, collections of web pages, images, or any other text-based documents. User identity refers to an indicator provided to a client device by a network security system in the form of a token, a unique identifier such as a UUID, a public key certificate, etc. In some cases, a user identity may be linked to a particular user and a particular device, so the same individual may have different user identities for their mobile phone and computer. A user identity may be linked to, but is distinct from, an entry or corporate identity directory. In one implementation, a cryptographic certificate signed by network security is used as the user identity. In other implementations, the user identity may be unique only to the user and identical across devices.

Embodiments may also interoperate with single sign-on (SSO) solutions and/or corporate identity directories, e.g., Microsoft's Active Directory. Such embodiments may allow policies to be defined in the directory, e.g., at either the group or user level, using custom attributes. Hosted services configured with the system are also configured to require traffic through the system. This can be done by setting IP range restrictions on the hosted services to the IP range of the system and/or through integration between the system and the SSO system. For example, integration with an SSO solution may enforce client presence requirements before authorizing sign-on. Other embodiments may use a "proxy account" with the SaaS vendor, e.g., a dedicated account held by the system that holds the only credentials to sign in to the service. In other embodiments, the client may encrypt a signature on the credentials before passing the login to the hosted service, meaning that the networking security system "owns" the password.

Storage 186 can store information from one or more tenants in tables of a common database image to form an on-demand database service (ODDS), which can be implemented in many ways, such as a multi-tenant database system (MTDS). The database image can include one or more database objects. In other implementations, the database can be a relational database management system (RDBMS), an object-oriented database management system (OODBMS), a distributed file system (DFS), a no-schema database, or any other data storage system or computing device. In some implementations, the collected metadata is processed and/or normalized. In some cases, the metadata includes structured data and the functions target specific data structures provided by the cloud service 108. Unstructured data, such as free text, can also be provided by and targeted to the cloud service 108. Both structured and unstructured data can be aggregated by the internal inspection analyzer 175. For example, the assembled metadata may be stored in a semi-structured data format such as JSON (Javascript Object Notation), BSON (Binary JSON), XML, Protobuf, Avro, or Thrift objects, which consist of string fields (or columns) and corresponding values of potentially different types such as numbers, strings, arrays, objects, etc. In other implementations, JSON objects may be nested and fields may be multi-valued, e.g., arrays, nested arrays, etc. These JSON objects are stored in a schemaless or NoSQL key-value metadata store 178, such as Apache Cassandra™, Google's Bigtable™, HBase™, Voldemort™, CouchDB™, MongoDB™, Redis™, Riak™, Neo4j™, etc., which stores the parsed JSON objects using keyspaces equivalent to SQL databases. Each keyspace is similar to a table and is divided into column families, which consist of a set of rows and columns.

In one implementation, the internal inspection analyzer 175 includes a metadata parser (omitted for clarity) that analyzes incoming metadata and identifies keywords, events, user IDs, locations, demographics, file types, timestamps, etc. in the received data. Parsing is the process of breaking down and analyzing a stream of text into keywords or other meaningful elements called "targetable parameters." In one implementation, a list of target parameters is input for further processing, such as parsing by a matching engine (not shown) or text mining. Parsing extracts meaning from the available metadata. In one implementation, tokenization operates as the first step of parsing to identify granular elements (e.g., tokens) in the stream of metadata, but parsing then proceeds to use the context in which the tokens are found to determine the meaning and/or type of information being referenced. Because the metadata analyzed by the internal inspection analyzer 175 is not homogenous (e.g., there are many different sources in many different formats), certain implementations employ at least one metadata parser per cloud service, and possibly more than one. In other implementations, the internal inspection analyzer 175 uses the monitor 184 to inspect the cloud service and assemble the content metadata. In one use case, the identification of sensitive documents is based on a previous inspection of the document. A user can manually tag a document as sensitive, which updates the document metadata in the cloud service. The document metadata can then be retrieved from the cloud service using exposed APIs and used as an indicator of sensitivity.

Continuing with the description of FIG. 1, the system 100 can include any number of cloud-based services 108, namely, point-to-point streaming services, host services, cloud applications, cloud stores, cloud collaboration and messaging platforms, and cloud customer relationship management (CRM) platforms. The services can include peer-to-peer file sharing (P2P) via protocols for portal traffic such as BitTorrent (BT), User Datagram Protocol (UDP) streaming and File Transfer Protocol (FTP), and voice, video and messaging multimedia communication sessions such as instant messages over Internet Protocol (IP) and mobile phone calling over LTE (VoLTE) via Session Initiation Protocol (SIP) and Skype. The services can handle Internet traffic, cloud application data, and generic routing encapsulation (GRE) data. The network services or applications can be web-based (e.g., accessed via a Uniform Resource Locator (URL)) or native, such as a sync client. Examples include software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) offerings, as well as internal enterprise applications exposed via URLs. Examples of common cloud-based services today include Salesforce.com™, Box™, Dropbox™, Google Apps™, Amazon AWS™, Microsoft Office 365™, Workday™, Oracle on Demand™, Taleo™, Yammer™, Jive™, and Concur™.

In interconnecting the elements of the system 100, the network 145 communicatively couples the computers 112a-n, the tablets 122a-n, the mobile phones 132a-n, the smart watches 142a-n, the cloud-based hosting service 118, the web email service 128, the video, messaging, and voice calling service 138, the streaming service 148, the file transfer service 158, the cloud-based storage service 168, and the N-CASB 155. The communication paths can be point-to-point over public and/or private networks. The communication can occur over a variety of networks, e.g., private networks, VPNs, MPLS circuits, or the Internet, and can use appropriate application program interfaces (APIs) and data exchange formats, e.g., REST, JSON, XML, SOAP, and/or JMS. All communications can be encrypted. This communication is generally over networks such as local area networks (LANs), wide area networks (WANs), telephone networks (public switched telephone networks (PSTN)), session initiation protocol (SIP), wireless networks, point-to-point networks, star networks, token ring networks, hub networks, and the Internet, including mobile Internet, via protocols such as EDGE, 3G, 4G LTE, Wi-Fi, and WiMAX. In addition, various authorization and authentication technologies such as username/password, OAuth, Kerberos, SecureID, digital certificates, and the like, may be used to secure the communication.

Continuing with the description of the system architecture of FIG. 1, N-CASB 155 includes monitor 184 and storage 186, which may include one or more computers and computer systems coupled to communicate with each other. They may also be one or more virtual computing and/or storage resources. For example, monitor 184 may be one or more Amazon EC2 instances, and storage 186 may be Amazon S3™ storage. Rather than implementing N-CASB 155 directly on a physical computer or traditional virtual machine, other computing-as-a-service platforms such as Salesforce's Rackspace, Heroku, or Force.com may be used. In addition, one or more engines may be used to implement security functions, and one or more points of presence (POPs) may be established. The engines or system components of FIG. 1 are implemented by software running on various types of computing devices. Exemplary devices are workstations, servers, computing clusters, blade servers, and server farms, or any other data processing system or computing device. The engines may be communicatively coupled to the database via different network connections. For example, the extraction engine 171 may be coupled via a network 145 (e.g., the Internet), the classification engine 172 may be coupled via a direct network link, and the security engine 173 may be coupled by yet another different network connection. With respect to the disclosed technology, the POPs of the data plane 180 are located within a virtual private network hosted on the client's premises or controlled by the client.

N-CASB 155 provides various functions through management plane 174 and data plane 180. According to one implementation, data plane 180 includes extraction engine 171, classification engine 172, and security engine 173. Other functions such as a control plane may also be provided. These functions collectively provide a secure interface between cloud services 108 and organization network 102. Although the term "network security system" is used to describe N-CASB 155, more generally the system provides application visibility and control as well as security. In one example, 35,000 cloud applications reside in a library that intersects with the servers used by computers 112a-n, tablets 122a-n, mobile phones 132a-n, and smart watches 142a-n in organization network 102.

According to one implementation, computers 112a-n, tablets 122a-n, mobile phones 132a-n, and smart watches 142a-n in organization network 102 include administration clients with web browsers having a secure web delivery interface provided by N-CASB 155 to define and manage content policies 187. N-CASB 155 is a multi-tenant system, and thus, according to some implementations, users of administration clients can only modify content policies 187 associated with their organization. In some implementations, APIs may be provided to programmatically define and/or update policies. In such implementations, the administration clients may include one or more servers, e.g., a corporate identity directory such as Microsoft Active Directory, to push updates and/or respond to pull requests for updates to content policies 187. Both systems can coexist, for example some companies use a corporate identity directory to automate the identification of users within the organization while at the same time using a web interface to tailor policies to the needs of the users. Administrative clients are assigned roles and access to N-CASB155 data is controlled based on the role, for example read-only/read-write.

In addition to periodically generating per-user and per-file data and persisting it in metadata store 178, the active analyzer and in-house inspection analyzer (not shown) also enforce security policies on cloud traffic. For more information regarding the capabilities of active analyzers and in-house analyzers, see, e.g., commonly assigned U.S. Pat. Nos. 9,398,102 (NSKO1000-2), 9,270,765 (NSKO1000-3), and 9,928,377 (NSKO1001-2), and U.S. patent application Ser. No. 15/368,246 (NSKO1003-3); Cheng, Ithal, Narayanaswamy and Malmskog Cloud Security For Dummies, Netskope Special Edition, John Wiley & Sons, Inc. 2015, “Netskope Introspection” by Netskop, Inc. , “Data Loss Prevention and Monitoring in the Cloud” by Netskop, Inc. , “Cloud Data Loss Prevention Reference Architecture” by Netskope, Inc. , “The 5 Steps to Cloud Confidence” by Netskope, Inc. , “The Netskope Active Platform” by Netskop, Inc. , “The Netskope Advantage: Three “Must-Have” Requirements for Cloud Access Security Brokers” by Netskope, Inc. , “The 15 Critical CASB Use Cases” by Netskope, Inc. , “Netskope Active Cloud DLP” by Netskope, Inc. , “Repave the Cloud-Data Breach Collision Course” by Netskope, Inc. , and "Netskope Cloud Confidence Index™" by Netskope, Inc., which are incorporated by reference for all purposes as if fully set forth herein.

With respect to system 100, the control plane may be used in conjunction with or in place of management plane 174 and data plane 180. The particular division of functionality between these groups is an implementation choice. Similarly, functionality may be highly distributed across a number of points of presence (POPs) to improve locality, performance, and/or security. In one implementation, the data plane is on a premises or virtual private network, and the management plane of the network security system is located in a cloud service or with the corporate network, as described herein. In another secure network implementation, the POPs may be distributed differently.

While system 100 is described herein with reference to particular blocks, it should be understood that the blocks are defined for convenience of description and are not intended to require a particular physical arrangement of components. Moreover, the blocks need not correspond to physically separate components. To the extent that physically separate components are used, connections between the components can be wired and/or wireless as appropriate. Different elements or components can be combined into a single software module, and multiple software modules can execute on the same processor.

Additionally, the techniques may be implemented using two or more separate and distinct computer-implemented systems that cooperate and communicate with each other. The techniques may be implemented in numerous ways, including as a process, a method, an apparatus, a system, a device, a computer-readable medium such as a computer-readable storage medium that stores computer-readable instructions or computer program code, or as a computer program product that comprises a computer usable medium having computer-readable program code embodied therein. The disclosed technology can be implemented in connection with any computer implemented system including a database system or relational database implementation, such as an Oracle™ compatible database implementation, an IBM DB2 Enterprise Server™ compatible relational database implementation, a MySQL™ or PostgreSQL™ compatible relational database implementation, or a Microsoft SQL Server™ compatible relational database implementation, or a Vampire™ compatible non-relational database implementation, an Apache Cassandra™ compatible non-relational database implementation, a BigTable™ compatible non-relational database implementation, or a NoSQL non-relational database implementation such as an HBase™ or DynamoDB™ compatible non-relational database implementation. Additionally, the disclosed techniques can be implemented using different programming models such as MapReduce™, bulk synchronous programming, MPI primitives, etc., or different scalable batch and stream management systems such as Amazon Elasticsearch Service™ and Amazon Web Services (AWS™), including Amazon Kinesis™, Apache Storm™, Apache Spark™, Apache Kafka™, Apache Flink™, Truviso™, IBM Info-Sphere™, Borealis™, and Yahoo! S4™.

2 shows an example block diagram of a distributed network of secure services for a data center. The network includes a security headquarters 272, points of presence (POPs) 222, 226, 242, 246, and 256, a public cloud/virtual private cloud 202, a private data center 208, remote users 228, 238, and a multi-user aggregation of branch offices 252, 254, 248, and 266. The security headquarters 272 utilizes IPsec protocols for security associations (SAs) and includes a server 282 and a network device 292 that connects end devices 264, 274, 284, and 294, which may be computers, tablets, mobile phones, smart watches, or any other device not explicitly enumerated herein. Points of presence (POPs) 222, 226, 242, 246, and 256 implement a data center, referring to where servers or network equipment reside. POPs may be referred to as a cluster or set of nodes, where a node refers to a physical machine that runs multiple pods. In one implementation, a node runs two to three pods, and each pod contains a set of containers that run processes. In one implementation, three to four containers run in a pod, and a single process runs in a container. Each process runs a set of threads, and one core is often provisioned per thread. In another exemplary case, configurations with different numbers of pods and containers and processes can be configured in a distributed system. In the example of FIG. 2, micro Pop A 222 connects to a public cloud or virtual private cloud 202 via IPSec, and connects to POP B 226 and POP E 242. POP B 226 includes IPSec access to private data center 208 and is one of a set of nodes that also includes POP C 246 and POP E 242. POP C 246 connects with remote users 228, 238 and branch services 248 via SSL/IPSec. POP D 256 is a node in a cluster that includes micro POP C 246, micro POP E 242, and headquarters 272. POP D 256 also includes branch services 266 that connect via IPSec.

Figure 3 illustrates a disclosed policy enforcement layer for a cloud-based policy enforcement system that integrates packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection, activity contextualization, and data loss prevention analysis capabilities. The disclosed policy enforcement layer addresses concerns for traffic traveling outside the enterprise data center and whether the user is behind a corporate firewall by delivering consistent visibility and security policy enforcement. The cloud-based policy enforcement system includes delivery of networking and security services for traffic en route to the Internet, cloud applications, or data center. When a user accesses an application, the packet has an ingress point at the Secure Access Service Edge (SASE) and a SASE egress egress point.

Packets flow through multiple logical components and boundaries within the system 302, and multiple security functions provide identity-based secure access and deliver cloud-based security services. A stream of data can arrive at the IPSec termination 315 in the POP 302 from a branch server 304, from a data center 305, or from a remote user 306. The user may be in any of several different locations, such as an office or home, and needs to use a cloud-based application. The user's request to access the application then traverses the local area network to the edge of the network. In one example, the user and the network edge are in the same building due to the user's telecommuting.

Continuing with FIG. 3, IPSec termination 315 routes to network layer 314 for service lookup 324, which routes all traffic for all protocols to firewall 344, and routes secure packets to the Internet 308 and between other points of presence (POPs) 328 based on the results of service lookup 324 for service layer 334. Firewall 344 utilizes IP ranges expressible via a compact representation of an IP address and its associated routing prefix (CIDR) for a network mask, using application ID 354 and user ID 356 to determine user policy and access control 364, and maps packet streams to intrusion prevention system (IPS) antivirus (AV) 374. Service layer 334 includes a secure web gateway (SWG) for all web apps, CASB for cloud apps, and data loss prevention (DLP) 384, thereby achieving network security using a single gateway.

Figure 4 illustrates the disclosed security stack with a comprehensive suite of policy enforcement components and example logical traffic flows for the disclosed cloud-based security system that integrates packet-level and protocol-level access control and traffic inspection, threat detection, and activity contextualization capabilities for inspectable and uninspectable traffic for one implementation of the disclosed technology. The security stack 153 layers, in one embodiment, include a network firewall 455, an app firewall 445, a secure web gateway (SWG) 176, and an N-CASB 155. The network firewall 455 analyzes IP packets and connections to detect anomalies and apply policies based on packet headers. The app firewall 445 analyzes application protocols and data streams to detect protocol anomalies for HTTP/S and other network protocols such as Server Message Block (SMB), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Domain Name Service (DNS). The SWG 176 analyzes web operations to detect data anomalies and prevent unauthorized access to risky websites.

N-CASB 155 can control web applications and operations such as login, file transfer and sharing, and detect anomalies in data and access. Security functions include access control 401, risk assessment 402, malware detection 403, intrusion prevention system (IPS) 404, data loss prevention (DLP) 406, fingerprinting 407, and behavior analysis 408, and can include additional policy enforcement features. Access control 401 can be applied to any type of traffic and can be based on multiple criteria. Risk assessment 402 is applied to all traffic based on the destination accessed. Malware detection 403 evaluates the security of inspectable and decrypted traffic. IPS 404 is applied to decrypted and undecrypted traffic, evaluating signatures of anomalous or misdirected packet flows/message exchanges. DLP 406 performs security functions on decrypted files. Fingerprinting 407 performs file-level hashes on the decrypted protocols, and behavior analysis 408 analyzes any traffic that varies based on the amount of information that can be collected for a session.

Continuing with FIG. 4, traffic travels up and down from client 472 through the layers of security stack 153 to server 478. Each security layer can detect problems and enforce policies when it first sees the traffic on its way up security stack 153 or after a higher layer has done some processing on the traffic and thus on its way down, in various implementations of security policies. For example, app firewall 445 can detect HTTP/S protocol problems for traffic routed between client 472 and server 478 at SWG176/N-CASB155 or SWG176/N-CASB155.

Continuing with FIG. 4, response traffic flows from server 478 to client 472 through the layers of security stack 153 and is handed off to security layers network firewall 455, app firewall 445, SWG 176, and N-CASB 155 for problem detection and policy enforcement. Policy enforcement can be applied when security stack 153 receives a response from server 478. In one example, app firewall 445 can find malicious content returned from server 478 that can cause the response to be in a restricted state. Similarly, N-CASB 155 can detect sensitive data in a file download that will respond to a download activity. That is, an incoming access request can pass all service checks, but the response can fail the checks and trigger a restrictive action. Certain information that can only be discovered by a particular security layer is passed along the chain of security functions, so that enforcement can occur at any layer whenever a complete set of policy criteria matching can be completed. For example, if user information for some traffic can only be discovered by N-CASB 155 after proxying and decrypting the traffic, network firewall 455 can combine that discovered information with other packet header information to enforce policy after the packet stream passes through N-CASB 155. Conversely, information from lower security layers in the stack can be discovered and passed to higher layers, which can then complete security enforcement. Depending on the traffic type, traffic may not go all the way to N-CASB 155. Cloud app traffic passes through all of the network security layers in the stack. Other web traffic goes to SWG 176. Non-HTTP/S traffic is inspected at app firewall 445. Each layer of security stack 153 can apply policy enforcement functions to the traffic it sees. Examples of security functions that apply to various traffic types are described below.

The network firewall 455 controls access based on packet header fields and applies risk assessment to traffic based on the destination accessed, as specified by destination IP, port, and protocol. The network firewall 455 can share IP addresses, TCP/UDP ports, protocols, VLANs, and priorities.

The disclosed security system of cloud-based components enforces security policies in multiple scenarios. The security system routes data packets for inspection to detect malformed packet headers, malicious signatures, and incoming access requests directed to threat destinations, and to recognize and process activity, including content, to classify the activity as risky or not. In one scenario, the packet stream traverses a full set of tiers of cloud-based components, some of which may not take action on the packet stream. In another scenario, the packet stream can be selectively directed through cloud-based components that apply to the type of data in the packets. Responses are also routed through a full set of tiers of cloud-based components in some scenarios.

The disclosed NetScope policy manager 157 manages packet flows and matches traffic to policy rules. The policy manager is configured to validate, store, and distribute policy specifications applicable to each cloud-based integrated function for packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization. The integrated policy is expressed using a set of policy fields for (a) the source of the traffic to be inspected, (b) the destination of the traffic, (c) the protocol used by the traffic, (d) the activity specified in the inspectable traffic, (e) a profile for a particular function, and (f) an action to be triggered in case of an exception resulting from the inspection. Values for (a) the source or (b) the destination of the traffic to be inspected include any traffic, a specified user, a specified group, an IP address or range, or a port number. For (c) the protocol used by the traffic, the values include HTTP, TCP, UDP, or ICMP. (d) The activity value specified in the inspectable traffic includes upload, download, preview, or share, and (e) the profile value of one or more of the following: specific features, access control and traffic inspection, threat detection, activity contextualization, and data loss prevention analysis. In addition, (f) the value of the action to be triggered in case of an exception resulting from the inspection includes allow, block, alert, bypass, coach, or quarantine. In some cases, the configured policy for the blocking action can be applied to uploads and downloads, and in other cases, the configured policy for blocking can be applied to uploads only or downloads only.

5 shows examples of common fields for expressing a unified policy in the disclosed cloud-based security system that integrates the functionality of packet-level and protocol-level access control and traffic inspection, threat detection, and activity contextualization and inspection for potentially inspectable and uninspectable traffic. The data manager 715 processes a superset of fields 522, 523, 524, 525, 526, 528 used to specify security policies, including common fields shared by two or more of the integration functions across the cloud-based integration functions of the N-CASB 155, the Secure Web Gateway (SWG) 176, and the firewall 556. Multiple source fields may be used for a particular packet. Examples of policy fields are listed below:
Src [user, group, organizational unit, IP/port, ...]
Dst [app, category, IP/port, domain, ...]
Protocol {TCP, UDP, ICMP, ...]
Activity [upload, download, preview, …]
Action [Allow, Block, Alert, Bypass, Quarantine, Coach, …]

Cloud-based security features can generate actions such as allow, block, alert, bypass, quarantine, coach, and encrypt, as previously enumerated. Below is a tabular overview of the use of exemplary policy fields to express an integrated policy for cloud-based security features, with the action criteria enumerated across the top. N-CASB 155 can match and apply actions on source (Src), destination application (Dst App), destination (Dst) IP/port/domain, activity, and profile fields for HTTP/S traffic. Secure Web Gateway (SWG) 176 can match and apply actions on all Src/Dst fields, apart from Dst App, as well as activity and profile for HTTP/S traffic. Firewall 556 can represent a combination of integrated functionality for app firewall 445 and network firewall 455, which can match and apply actions on Src/Dst fields, apart from Dst category, for all traffic and non-HTTP/S profiles.

In the first example, the unified policy allows a user to access Office 365, a set of applications that have both HTTP/S and non-HTTP/S traffic, so both N-CASB 155 and Firewall 556 will attempt to match the traffic with Office 365 and apply actions depending on the protocol. SWG 176 will also categorize the traffic as safe and allow it. The rules for this policy are listed below:
Src=any, dst=0365, protocol=any, action=allow

In a second example, the unified policy in the rule is a specific DLP profile, such as DLP_PII_Profile, which allows a user to use a storage app but DLP specific content for download activity. The rules for this policy are listed below:
Src=Any, Category=Storage, Protocol=Any, Activity=Download, Profile=DLP, Action=Block

SWG176 inspects the HTTP/S traffic to determine if it is for any storage app and since the activity field is set, N-CASB155 will do DLP. This category is shared with N-CASB155, which will do DLP for download activity to prevent personally identifiable information (PII) from being transferred.

In a third example, an integration policy allows certain users to access Google Apps. The rules for this policy are listed below:
Src=user group 1, dst app=Google apps, protocol=any, activity=any, profile=any, action=allow

N-CASB 155 identifies users and all Google apps HTTP/S traffic for them. User information is shared with firewall 556 so that firewall 556 can allow those users to access Google non-HTTP/S services as well.

FIG. 6 illustrates an exemplary graphical user interface (GUI) 600 that can be used to configure policy specifications for the disclosed cloud-based policy enforcement system that integrates the functionality of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization. The GUI 600 can present common fields in a consistent order with consistent value completion options across integrated functions, contextualized to the fields required for specification of policies used by the particular function, and can trigger delivery of the GUI to a user of the cloud-based policy enforcement system. The GUI 600 can represent normalization across policies and service provider dialect protocols so that policy definitions can be uniformly represented. The user interface can be utilized to enter real-time protection policies 624 for the enterprise. In one example, a firewall 644 can be added as a source of non-HTTP/S traffic to application TCP_54000 with a policy action that allows the flow of non-HTTP/S packets. The policy name can represent a specific set of policies, as shown in examples 1-6 of the GUI 600. The activities and actions available in the GUI depend on the profile and type of application selected. A rule can be a firewall defined by subnet, and the destination can be an application such as TCP_54000 with configurable activities and constraints, and a profile and action configured for the packet such as "Allow". Each policy can be assigned a unique name, and policies can be enabled or disabled as specified by the organization. The GUI can display pull-down menus for adding firewalls or other components.

FIG. 7 illustrates a block diagram 700 of a disclosed policy manager device for a cloud-based policy enforcement system that consolidates policy enforcement functions. The policy manager 157 is utilized to validate, store, and distribute policy specifications applicable to each of the functions in the integrated functions of packet-based and protocol-based access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization. The policies can be distributed to the respective backend services using the JSON integrated policy parsed to generate three different instruction sets for packet-based and protocol-based access control and traffic inspection, threat detection, and activity contextualization. Each functional component can receive a complete list of configured integrated policies. In one implementation, an organization's customers can customize the parsing logic, thereby customizing the customer's policy expression.

The block diagram 700 includes a disclosed policy manager device 157 having a data manager 715, a graphical user interface (GUI) generator 725, an application program interface (API) 735, a data structure parser 745, a command line interface (CLI) 755, threat detection logic 765, activity contextualization logic 775, access control and traffic inspection logic 785, and policy specification storage 795. The policy manager 157 is configured to validate, store, and distribute policy specifications applicable to each function in the integrated functions of packet-level and protocol-level access control and traffic inspection, threat detection, and activity contextualization. The policy manager 157 utilizes common fields, such as the source of the traffic to be inspected, the destination of the traffic, the protocol used by the traffic, the category of the traffic, the activities specified in the inspectable traffic, and a profile of specific functions and actions to be triggered in the event of an exception resulting from the inspection, as previously described. These common field values include IP addresses or ranges or port numbers for the source or destination of the traffic to be inspected, and HTTP, TCP, UDP, and ICMP for the protocol used by the traffic. Additional values for the source or destination of the traffic to be inspected include dst hostname, dst domain name, src user, src organization group, and src country. Values for the category of traffic can include business, finance, storage, collaboration, and email, among others. Values for the activity specified in the inspectable traffic include upload, download, preview, or share. For profiles of specific capabilities, values include one or more of access control and traffic inspection, threat detection, and activity contextualization. Values for the action to be triggered in case of an exception resulting from the inspection include allow, block, alert, bypass, encrypt, coach, or quarantine. Additional values such as "allow with granular control" can be included. The data manager 715 handles fields used to specify policies across the cloud-based integrated features, including common fields shared by two or more of the integrated features, and stores policy specifications applicable to each feature among the integrated features in the policy specification storage 795. The policy manager 157 can be configured to save the state of the packet stream in a global cache and/or a cache local to the cloud-based component.

Continuing with the description of the blocks of FIG. 7, the policy manager 157 can receive the policy specification via a GUI generator 725 that presents common fields in a consistent order with consistent value completion options across integrated functions, contextualized to the fields required for the specification of the policy used by the particular function. In another case, the policy manager 157 receives the policy specification via an API interface 735 configured to receive a data structure of key-value pairs in which the required fields used by the particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across integrated functions. In a third example, the policy manager 157 receives the policy specification via a data structure parser 745 configured to receive a data structure in which the required fields used by the particular function are contextualized to each of the integrated functions with consistent field names and consistent field value options across integrated functions. In yet another example, the command line interface (CLI) 755 is configured to accept and parse policy configuration commands that are used to populate a data structure of key-value pairs where the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions. In another implementation, the data structure can utilize different data representations to store the data security policy configuration.

Continuing with the description of the blocks of FIG. 7, the access control and traffic inspection logic 785 is configured to inspect packet headers in an incoming access request for malformations, with or without any pre-processing, and classify the incoming access request as inspectable or uninspectable. Then, based on the inspection, the access control and traffic inspection logic 785 sets a first restriction state or passes the incoming access request. The access control and traffic inspection logic 785 can also be configured to perform deep packet inspection of the incoming access request for malicious signatures, with or without any pre-processing, and can be configured to set a second restriction state or pass the incoming access request. The threat detection logic 765 can be configured to classify the incoming access request as being directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then, based on the classification, set a third restriction state or pass the incoming access request.

The activity contextualization logic 775 is configured to recognize and process an activity including content when the incoming access request is an HTTP/S stream seeking access to a cloud-based application, and classify the activity as risky or non-risky. Then, based on the classification, the activity contextualization logic 775 can be configured to set a fourth restriction state or pass the incoming access request.

Policy manager 157 may be configured to route packets through components of security stack 153, some of which may be configured to take no action or selectively route packets through layers that apply to the type of access request being inspected. In one example, a configuration of policy manager 157, which may be stored in policy specification storage 795, may specify that packets traverse security stack 153 from client 472, through network firewall 455, through app firewall 445, SWG 176, and N-CASB 155, and then back through SWG 176, app firewall 445, and network firewall 455 before any action is taken. Different configurations may take action upon encountering the first exception, such as blocking the packet, alerting of a detected problem, or quarantining the packet, or coaching. In one embodiment, coach actions in SWG and N-CASB may be utilized to ensure that "if not allowed, use X instead" or "not allowed by default, but the user can provide justification if they need to use it." Yet another action may be to require authentication or multi-factor authentication depending on the traffic context. Additionally, the combined components of security stack 153 may provide incentives to change the level of authentication required.

In different configurations of the policy manager 157, packets can be selectively routed through layers that apply to that type of packet, and the resulting state of each inspection and classification is stored in the restriction state. The access control and traffic inspection logic 785 is configured to inspect packet headers in the incoming access request for anomalies, with or without any pre-processing, classify the incoming access request as inspectable or uninspectable, and then set a first restriction state or pass the incoming access request based on the inspection. The access control and traffic inspection logic 785 is also configured to perform deep packet inspection on the incoming access request for malicious signatures, with or without any pre-processing, which is configured to set a second restriction state or pass the incoming access request. The threat detection logic 765 is configured to classify the incoming access request as directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then set a third restriction state or pass the incoming access request based on the classification. The activity contextualization logic 775 is configured to recognize and process the activity, including the content, when the incoming access request is an HTTP/S stream seeking access to a cloud-based application, classify the activity as dangerous or not, and then, based on the classification, set a fourth restriction state or pass the incoming access request. The state information can be stored in the layer where the restriction state is applied, passed as a message to subsequent components, or stored in a common database of states.

Policy manager 157 works across mobile devices, laptop devices, office devices, and other devices, enforcing a single unified policy across device types and locations. N-CASB, network firewall, app firewall, and SWG can run separately, with coordinated application of policy, utilizing a single engine that passes policy to a set of configured and enabled security services.

8 is a block diagram illustrating a disclosed integrated policy enforcement system of cloud-based components for packet-level access control and traffic inspection, protocol-level access control and traffic inspection, threat detection, and activity contextualization. The cloud-based integrated security system 805 can include a packet and stream router 825 configured to convey each incoming access request of a packet through the components that apply to that type of packet, at least until one of the components sets a restricted state for at least one object corresponding to the incoming access request or until all of the applied components pass the incoming access request. The system 805 has components for packet-level access control and traffic inspection 842, protocol-level access control and traffic inspection 844, threat detection 846, and activity contextualization 848. The access control and traffic inspection components perform firewall functions. Threat detection 846 is a secure web gateway (SWG) component that analyzes web behavior to detect anomalies in the data and prevent unauthorized access to dangerous web sites. Activity Contextualization 848 is the Netscope Cloud Access Security Broker (N-CASB), as previously described with respect to FIG. 1, a component that processes and controls activities involving content, such as logins, file transfers, and sharing actions, and detects anomalies in the data to classify activities as risky or not.

Continuing with the block diagram of FIG. 8, the packet-level access control and traffic inspection 842 is configured to inspect packet headers in or in responses to access requests (collectively, requests or responses), with or without any pre-processing, and classify the request or response as inspectable or uninspectable. Then, based on the classification, the packet-level access control and traffic inspection 842 is configured to set a first restricted state when the packet header is malformed, and in addition to looking for malformed and uninspectable packets, the packet-level access control and traffic inspection 842 can also apply an access control policy that results in a restricted state. When the packet header is well-formed but the request or response is uninspectable, the packet-level access control and traffic inspection 842 is configured to bypass threat detection 846 and activity contextualization 848 and pass the request or response to the destination server, and when the packet header is well-formed and the request or response is inspectable, pass the request or response to protocol-level access control and traffic inspection 844. Protocol-level access control and traffic inspection 844 is configured to perform deep packet inspection on the request or response, with or without any pre-processing. When the packet bears one or more malicious signatures, protocol-level access control and traffic inspection 844 is configured to set a second restricted state, otherwise pass the request or response. In addition to looking for threat signatures, protocol-level access control and traffic inspection 844 can also apply access control policies at the application level, and if the access control policies match, put the request in a restricted state. Threat detection 846 is configured to classify the request or response as being directed to a threat destination or not, when the request or response is an HTTP/S stream, and then, based on the classification, set a third restricted state when the request or response is directed to a threat destination, otherwise pass the request or response. Sometimes, a less commonly applied time-based policy can be used to prevent users from accessing YouTube between 9:00 a.m. and 5:00 p.m. Activity Contextualization 848 is configured to recognize and process content-containing activities and classify the activities as risky or non-risky if the request or response is an HTTP/S stream seeking access to a cloud-based application. Activity Contextualization 848 is configured to set a fourth restriction state if the request or response is risky, and pass the request or response otherwise. Activity Contextualization 848 by N-CASB can apply policies to both content-containing and non-content-containing activities. In one example, non-content activities are logging in or creating/editing a document. Restriction State 865 stores the restriction state of the cloud-based component. Restriction State Analyzer 875 determines whether a first, second, third, or fourth restriction state is set, and takes a restriction step in response to the request or response based on the setting of any of the states.

Continuing with the description of the cloud-based unified policy enforcement system of FIG. 8, the packet and stream router 825 is configured in some implementations to pass the incoming access stream through the packet-level access control and traffic inspection component 842 before the protocol-level access control and traffic inspection 844, threat detection 846, and activity contextualization 848 components. The packet-level access control and traffic inspection component 842 is configured in some implementations to pass the restriction state message to a subsequent component or restriction state analyzer 875 as the incoming access stream processing progresses, before the protocol-level access control and traffic inspection 844, threat detection 846, and activity contextualization 848 components. The packet-level access control and traffic inspection component 842, protocol-level access control and traffic inspection 844, threat detection 846, and activity contextualization 848 components are configured in other implementations to send the restriction state message to the restriction state 865, a common state store, for processing by the restriction state analyzer 875 as the incoming access stream processing progresses. The components are configured to set the restriction state flags in the restriction flag 866, common flag store for processing by the restriction state analyzer 875 as the incoming access stream processing progresses. In a different implementation, the packet level access control and traffic inspection component 842, the protocol level access control and traffic inspection 844, the threat detection 846, and the activity contextualization 848 components are configured to save the restriction state flags in the restriction flag 866 as the incoming access stream processing progresses from the first component to the last component, and then call the restriction state analyzer 875 with the saved restriction state flags to perform the restriction steps as the incoming access stream processing progresses from the last component to the first component. The restriction steps performed by the restriction state analyzer 875 include, but are not limited to, blocking packets, warning of restrictions, bypassing, encrypting, coaching the user on the action of selecting and quarantining the traffic.

9 illustrates an exemplary logical traffic flow for a cloud-based policy enforcement system that integrates the functionality of access control and traffic inspection, threat detection and activity contextualization for inspectable and uninspectable traffic, and performs data loss prevention analysis for one embodiment of the disclosed technology. In this example of packet flow, all traffic enters through a network firewall 962 to an IP address that can be defined by an IP address or a hostname. In another implementation, the network firewall 962 can be defined by a domain name. In yet another implementation, a combination of domain and IP addressing can be utilized to access the network firewall 962. The firewall 962 performs deep packet inspection, which in one example includes checking for correct origin and well-formed packets, since malformed packets can be designed to crash the firewall. Even for HTTP/S traffic, the network firewall 962 continues to inspect subsequent packets to detect malformed traffic as the packets proceed to the SWG 176 and N-CASB 155, and in some implementations can recognize activities including uploading, downloading, previewing traffic, etc., along with inspecting routing protocols. The firewall 962, SWG 176 and N-CASB 155 can apply their respective policies in parallel and can allow, block, warn and apply other actions when determining which policy to apply.

Continuing with the logical traffic flow description, the firewall 962 analyzes traffic 963 and routes web traffic utilizing hypertext transfer protocol (http) and hypertext transfer protocol secure (https) to the secure web gateway (SWG) 176. Non-http/https traffic is routed separately and filtered to determine if it can be decrypted and inspected (954). An example of non-web traffic utilizes TCP_54000 for port 54000, which is not an HTTP/S port. The SWG 176 identifies acceptable categories of destination white/blacklist for web browsing with granular policy controls to manage web traffic that can include threat protection, URL filtering, and DLP policies. Cloud apps are specified by web domain and traffic is analyzed to determine packets for cloud apps 953, such as software as a service (SaaS). Identified packets are routed to the Netscope Cloud Access Security Broker (N-CASB) 155, which governs access and activity in authorized and unauthorized cloud apps, protects and prevents loss of sensitive data, and securely handles traffic over streaming protocols and web traffic over other protocols in addition to protecting against internal and external threats as described above. N-CASB 155 identifies users, authorizes traffic for them, and shares user information with firewall 962 so that firewall 962 can allow those users to access non-HTTP/S services as well. After inspection at N-CASB 155, the traffic is filtered to determine if it can be decrypted and inspected (954), and if it can be decrypted and inspected, the packets are routed for Data Loss Prevention (DLP) 964 and Intrusion Prevention System (IPS) 966 inspection. DLP/IPS is performed asynchronously and when a problem is detected, the firewall 962, SWG 176, and N-CASB 155 take action based on the restriction state and restriction flags, as well as the configured and enabled policies. Packets that are deemed safe are allowed to pass to the Internet 968. Other actions, including blocking, alert bypass, quarantine, and coaching, are described previously.

Next, we describe a workflow for unified policy management in the cloud and dynamic distribution of unified policies in a cloud-based policy enforcement system using a policy manager that integrates the capabilities of packet- and protocol-based access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization. The disclosed policy enforcement services platform manages customized security services and policies for organizations and scales horizontally and uniformly to avoid single points of failure.

A workflow for dynamic routing of access request streams is disclosed, as well as an integrated system for detecting security issues in a cloud-based environment.

Workflow FIG. 10 illustrates an exemplary computer-implemented method of unified security policy management in the cloud, as applied by a policy manager to a cloud-based security system that integrates packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization capabilities. Flowchart 1000 may be implemented, at least in part, with a computer or other data processing system, i.e., by one or more processors configured to receive or retrieve information, process information, store results, and transmit results. Other implementations may perform actions in a different order and/or with different, fewer, or additional actions than those shown in FIG. 10. In some implementations, multiple actions may be combined. For convenience, the flowchart is described with reference to a system including the unified cloud-based security system 805 described above.

The methods described in this and other sections of the disclosed technology may include one or more of the following features and/or features described in connection with the additional methods disclosed. For brevity, combinations of features disclosed in this application are not individually recited and are not repeated with each base set of features.

FIG. 10 begins with action 1010 to maintain a data structure that includes a superset of fields used to specify security policies across cloud-based integrated features, including common fields shared by two or more of the integrated features.

Process 1000 proceeds to action 1020, where the policy manager receives policy specifications in a common format for values of common fields that apply to each of the integrated functions, thereby enabling the user to specify security policies that govern the cloud-based integrated functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization.

Action 1030 includes the policy manager validating, storing, and distributing among the integrated functions the policy specifications applicable to each function.

Other implementations may perform actions in a different order than shown in FIG. 10 and/or with different, fewer, or additional actions. In some implementations, multiple actions may be combined. For convenience, this flowchart is described with reference to a system that performs the method. The system is not necessarily part of the method.

11 illustrates an exemplary method for dynamic distribution of integrated security policies in a cloud-based security system, as applied by a policy manager to a cloud-based security system that integrates the functionality of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization. Flowchart 1100 may be implemented, at least in part, with a computer or other data processing system, i.e., by one or more processors configured to receive or retrieve information, process information, store results, and transmit results. Other implementations may perform actions in a different order and/or with different, fewer, or additional actions than those illustrated in FIG. 11. In some implementations, multiple actions may be combined. For convenience, the flowchart is described with reference to a system including the integrated cloud-based security system 805 described above.

FIG. 11 begins with action 1110 in which a data manager coupled to a policy manager stores a superset of fields used to specify security policies across cloud-based integrated features, including common fields shared by two or more of the integrated features.

Process 1100 proceeds to action 1120, where the policy manager validates, stores, and distributes among the integrated functions the policy specifications applicable to each function.

In action 1130, the policy manager receives requests for the policy specifications stored in the common fields from each of the integrated functions, converts the common fields to values used by the respective requesting functions, and returns the values of the fields used by the respective requesting functions to any requesting functions among the cloud-based integrated functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization.

Other implementations may perform the actions in a different order than shown in FIG. 11 and/or with different, fewer, or additional actions. In some implementations, multiple actions may be combined.

12 illustrates an exemplary method for processing incoming access requests for packets via cloud-based components that perform (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization. Flowchart 1200 may be implemented, at least in part, with a computer or other data processing system, i.e., by one or more processors configured to receive or retrieve information, process the information, store the results, and transmit the results. Other implementations may perform actions in a different order and/or with different, fewer, or additional actions than those illustrated in FIG. 12. In some implementations, multiple actions may be combined. For convenience, the flowchart is described with reference to a system that includes the integrated cloud-based security system 805 described above.

Figure 12 begins with action 1210, where the packet and stream router conveys each incoming access request of a packet through all of the applicable components (a)-(d) at least until one of the components sets a restriction state for at least one object corresponding to the incoming access request or until all of the applicable components pass on the incoming access request.

Process 1200 proceeds to action 1220, where (a) the packet-level access control and traffic inspection component is configured to inspect packet headers in the incoming access request, with or without any pre-processing, classify the incoming access request as inspectable or uninspectable, and then, based on the classification, set a first restriction state when the packet header is malformed.

Action 1230 includes passing the incoming access request to the destination server and bypassing threat detection and activity contextualization if the packet header is well formed but the incoming access request is uninspectable.

The process 1200 proceeds to action 1240 and passes the incoming access request if the packet header is well formed and the incoming access request can be inspected.

Process 1200 further proceeds to action 1250, where (b) the protocol-level access control and traffic inspection component performs deep packet inspection on the incoming access request, with or without any pre-processing, configured to set a second restriction state when the packet bears one or more malicious signatures, and pass the incoming access request otherwise.

Process 1200 proceeds to action 1260, where (c) the threat detection is configured to classify the incoming access request, when the incoming access request is an HTTP/S stream, as being directed to a threat destination or not, and then, based on the classification, set a third restriction state when the incoming access request is directed to a threat destination, and pass the incoming access request otherwise.

Process 1200 further proceeds to action 1270, where (d) activity contextualization is configured to recognize and process activity including content when the incoming access request is an HTTP/S stream seeking access to a cloud-based application, classify the activity as hazardous or not, and then, based on the classification, set a fourth restriction state when the incoming access request is hazardous and pass the incoming access request otherwise.

Process 1200 completes at action 1280 with the restriction state analyzer determining whether a first, second, third, or fourth restriction state is set and performing a restriction step in response to the incoming access request based on the setting of any of the states.

Other implementations may perform the actions in a different order than shown in FIG. 12 and/or with different, fewer, or additional actions. In some implementations, multiple actions may be combined.

13 illustrates an exemplary method for dynamically routing access request streams through cloud-based components for (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization. Flowchart 1300 may be implemented, at least in part, with a computer or other data processing system, i.e., with one or more processors configured to receive or retrieve information, process information, store results, and transmit results. Other implementations may perform actions in a different order than shown in FIG. 13 and/or with different, fewer, or additional actions. In some implementations, multiple actions may be combined. For convenience, the flowchart is described with reference to a system including the integrated cloud-based security system 805 described above.

FIG. 13 begins with action 1310, where (a) a cloud-based packet-level access control and traffic inspection component inspects packet headers in an incoming access request or in response to an access request, collectively the request or response, with or without any pre-processing, for anomalies, classifies the request or response as inspectable or uninspectable, and then sets a first restriction state or passes the request or response based on the inspection.

Process 1300 proceeds to action 1320, where the cloud-based protocol-level access control and traffic inspection component performs deep packet inspection on the request or response for malicious signatures, with or without any pre-processing, and sets a second restriction state or passes the request or response.

At action 1330, process 1300 uses cloud-based threat detection to classify the request or response as being directed to a threat destination or not when the request or response is an HTTP/S stream, and then continues to set a third restriction state or pass the request or response based on the classification.

Action 1340 includes contextualizing the cloud-based activity, recognizing and processing the activity including content when the request or response is an HTTP/S stream seeking access to a cloud-based application, classifying the activity as risky or unsafe, and then setting a fourth restriction state or passing the request or response based on the classification.

Process 1300 completes with action 1350, where the restriction state analyzer determines whether a first, second, third, or fourth restriction state is set and performs a restriction step in response to the request or response based on the setting of any of the states.

Other implementations may perform the actions in a different order than shown in FIG. 13 and/or with different, fewer, or additional actions. In some implementations, multiple actions may be combined.

Computer System Figure 14 is a simplified block diagram of a computer system 1400 that can be used to implement a policy manager device for a cloud-based security system that integrates the functions of packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization. The computer system 1400 can also be used to implement dynamic distribution of integrated security policies in the cloud-based security system, dynamically route access request streams in the integrated security system, and detect security issues in the cloud-based environment. The computer system 1400 includes at least one central processing unit (CPU) 1472 that communicates with some peripheral devices via a bus subsystem 1455, and a cloud-based integrated security system 805 for providing the network security services described herein. These peripheral devices can include, for example, a storage subsystem 1410 including a memory device and a file storage subsystem 1436, a user interface input device 1438, a user interface output device 1476, and a network interface subsystem 1474. The input and output devices enable user interaction with the computer system 1400. Network interface subsystem 1474 provides an interface to external networks, including interfaces to corresponding interface devices in other computer systems.

In one embodiment, the cloud-based integrated security system 805 of FIG. 1 is communicatively linked to the storage subsystem 1410 and the user interface input device 1438.

User interface input devices 1438 may include pointing devices such as keyboards, mice, trackballs, touchpads, or graphic tablets, scanners, touch screens integrated into displays, audio input devices such as voice recognition systems and microphones, and other types of input devices. In general, use of the term "input device" is intended to include all possible types of devices and methods for inputting information into computer system 1400.

The user interface output devices 1476 may include a display subsystem, a printer, a fax machine, or a non-visual display such as an audio output device. The display subsystem may include a flat panel device such as an LED display, a cathode ray tube (CRT), a liquid crystal display (LCD), a projection device, or some other mechanism for creating a visible image. The display subsystem may also provide a non-visual display such as an audio output device. In general, use of the term "output device" is intended to include all possible types of devices and methods for outputting information from the computer system 1400 to a user or to another machine or computer system.

Storage subsystem 1410 stores programming and data structures that provide some or all of the functionality of the modules and methods described herein. Subsystem 1478 may be a graphics processing unit (GPU) or a field programmable gate array (FPGA).

The memory subsystem 1422 used within the storage subsystem 1410 may include some memory, including a main random access memory (RAM) 1432 for storing instructions and data during program execution, and a read-only memory (ROM) 1434 in which fixed instructions are stored. The file storage subsystem 1436 may provide persistent storage for program and data files, and may include a hard disk drive, a floppy disk drive with associated removable media, a CD-ROM drive, an optical drive, or a removable media cartridge. Modules implementing the functionality of a particular implementation may be stored by the file storage subsystem 1436, within the storage subsystem 1410, or within another machine accessible by the processor.

Bus subsystem 1455 provides a mechanism for allowing the various components and subsystems of computer system 1400 to communicate with each other as intended. Although bus subsystem 1455 is shown diagrammatically as a single bus, alternative implementations of the bus subsystem may use multiple buses.

The computer system 1400 itself can be of various types, including a personal computer, a portable computer, a workstation, a computer terminal, a network computer, a television, a mainframe, a server farm, a widely distributed set of loosely networked computers, or any other data processing system or user device. Due to the ever-changing nature of computers and networks, the description of the computer system 1400 shown in FIG. 14 is intended only as a specific example to illustrate a preferred embodiment of the invention. Many other configurations of computer system 1400 are possible, having more or fewer components than the computer system shown in FIG. 14.

Specific Implementations Some specific implementations and features for a cloud-based security system that integrates the capabilities of packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection and activity contextualization, and content inspection are described in the following discussion.

In one disclosed implementation, a computer-implemented policy manager device for a cloud-based security system integrating packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection and activity contextualization, and content inspection functions for inspectable and uninspectable traffic includes a data manager for a superset of fields used to specify security policies across the cloud-based integrated functions, the data manager including common fields shared by two or more of the integrated functions. The disclosed device also includes a means for receiving policy specifications in a common format for values of the common fields that apply to each of the integrated functions, thereby enabling a user interacting with the means for receiving to specify security policies that govern the cloud-based integrated functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection and activity contextualization, and inspection, and a policy manager configured to validate, store, and distribute the policy specifications applicable to each of the integrated functions among the integrated functions.

The devices described in this and other sections of the disclosed technology may include one or more of the following features and/or features described in connection with the additional features disclosed. For brevity, combinations of features disclosed in this application are not individually recited and are not repeated with each base set of features. The reader will understand how features identified in this manner can be readily combined with the set of base features identified as an implementation.

In some implementations of the disclosed policy manager device, structures used to alternatively and more broadly implement the device may include common fields shared by two or more of the integrated functions, including the source of the traffic to be inspected, the destination of the traffic, the protocol used by the traffic, the category of the traffic, the activity specified in the inspectable traffic, the profile for the particular function, and the action to be triggered in case of an exception resulting from the inspection. The value of the common field includes an IP address or range, or a port number, for the source or destination of the inspected traffic. Additional values for the source or destination of the inspected traffic may include a destination hostname, a destination domain name, a source user, a source organizational group, and a source country. For the protocol used by the traffic, the value of the common field includes HTTP/S, TCP, UDP, or ICMP. The value of the common field for the activity specified in the inspectable traffic includes upload, download, preview, or share. For the profile of a particular function, the value of the common field includes one or more of access control and traffic inspection, threat detection, and activity contextualization and inspection. Common field values for actions triggered in case of exceptions resulting from inspection include allow, block, alert, bypass, encrypt, coach, or quarantine. In one embodiment, for a particular functional traffic category, the common field values include one or more of business, finance, storage, collaboration, and email. Policies can also include user-specific rules.

In one implementation of the disclosed policy manager device, the means for receiving includes a GUI generator configured to generate a graphical user interface (GUI) that presents common fields in a consistent order with consistent value completion options across integrated functions, contextualized to fields required for the specification of policies used by a particular function. In this case, the GUI generator can cause delivery of the GUI to the user and receive a selection from the GUI that specifies policies applicable to one or more of the integrated functions from the user. In one implementation of the disclosed policy manager device, a structure used to alternatively and more broadly implement the device may include a GUI generator configured to generate a graphical user interface (GUI) that presents common fields in a consistent order with consistent value completion options across integrated functions, contextualized to fields required for the specification of policies used by a particular function.

In another implementation of the disclosed policy manager device, the means for receiving includes an application program interface (API) configured to receive a data structure in which the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions. In some cases, the data structure is organized in key-value pairs. In one implementation of the disclosed policy manager device, a structure used to alternatively and more broadly implement the device may include an application program interface (API) configured to receive a data structure in which the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions.

In another implementation of the disclosed policy manager device, the means for receiving includes a data structure parser configured to receive a data structure in which required fields used by a particular function are contextualized to each of the integrated functions with consistent field names and consistent field value options across the integrated functions. In one implementation of the disclosed policy manager device, a structure used to alternatively and more broadly implement the device may include a data structure parser configured to receive a data structure in which required fields used by a particular function are contextualized to each of the integrated functions with consistent field names and consistent field value options across the integrated functions.

In yet another implementation of the disclosed policy manager device, the means for receiving includes a command line interface (CLI) configured to accept and parse policy configuration commands used to populate a key-value pair data structure in which the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions. In one implementation of the disclosed policy manager device, a structure used to alternatively, more broadly implement the device may include a command line interface (CLI) configured to accept and parse policy configuration commands used to populate a key-value pair data structure in which the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions.

In some implementations of the disclosed policy manager device, (a) a packet-level access control and traffic inspection component (network firewall) is configured to inspect packet headers in an incoming access request or in a response to an access request, collectively a request or response, for anomalies, with or without any pre-processing, classify the request or response as inspectable or uninspectable, and then set a first restriction state or pass the request or response based on the inspection. (b) a protocol-level access control and traffic inspection component (such as an application firewall) is configured to perform deep packet inspection on the request or response for malicious signatures, with or without any pre-processing, configured to set a second restriction state or pass the request or response. The protocol-level access control and traffic inspection component can also perform application identification and recognition as a connection-level inspection, for example, analyzing application protocols and data streams to detect protocol anomalies in HTTP/S and other network protocols such as SMB, FTP, SMTP, and DNS when an app-ID signature crosses a packet boundary. (c) Threat detection (secure web gateway and/or application firewall) is configured to classify a request or response as directed to a threat destination or not when the request or response is an HTTP/S stream, and then configure to set a third restriction state or pass the request or response based on the classification. (d) Activity contextualization (e.g., Netscope cloud access security broker) is configured to recognize and process activity including content when the request or response is an HTTP/S stream seeking access to a cloud-based application, classify the activity as dangerous or not, and then configure to set a fourth restriction state or pass the request or response based on the classification.

One implementation of the disclosed computer-implemented method applied to a cloud-based security system integrating packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection and activity contextualization, and content inspection functions by a policy manager includes maintaining a data structure including a superset of fields used to specify security policies across the cloud-based integrated functions, including common fields shared by two or more of the integrated functions. The disclosed method also includes the policy manager receiving policy specifications in a common format for values of the common fields that apply to each of the integrated functions, thereby enabling a user to specify security policies that govern the cloud-based integrated functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization and inspection. The method further includes the policy manager validating, storing, and distributing policy specifications applicable to each function among the integrated functions.

One implementation of a computer-implemented method applied to a cloud-based security system by a policy manager includes a data manager that integrates the functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization and inspection and is coupled to the policy manager, the data manager storing a superset of fields used to specify security policies across the cloud-based integrated functions, the superset including common fields shared by two or more of the integrated functions. The method includes the policy manager validating, storing, and distributing policy specifications applicable to each function in the integrated functions. The method also includes the policy manager receiving requests for the policy specifications stored in the common fields from each of the integrated functions, converting the common fields to values used by the respective requesting functions, and returning to any requesting functions in the cloud-based integrated functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization the values of the fields used by the respective requesting functions.

In some implementations of the disclosed computer-implemented method, common fields shared by two or more of the integrated features include the source of the traffic to be inspected, the destination of the traffic, the protocol used by the traffic, the activity specified in the inspectable traffic, a profile for the particular feature, and an action to be triggered in case of an exception resulting from the inspection. The values of the common fields include an IP address or range, or a port number, for the source or destination of the traffic to be inspected; for the protocol used by the traffic, HTTP, TCP, UDP, or ICMP; for the activity specified in the inspectable traffic, upload, download, preview, or share; for the profile for the particular feature, one or more of access control and traffic inspection, threat detection, and activity contextualization and inspection; and for the action to be triggered in case of an exception resulting from the inspection, allow, block, request additional authentication, alert, bypass, encrypt, coach, or quarantine.

One embodiment of the computer-implemented method further includes a browser-based or client-based GUI generator that generates a graphical user interface (GUI) that presents common fields in a consistent order for consistent value reporting across integrated functions, contextualized to fields required for the specification of policies used by a particular function. The method also includes the GUI receiving from a user a query and an identification of at least one of the integrated functions for which one or more policy specifications responsive to the query are to be returned, populating the GUI with the policy specifications responsive to the query, and triggering delivery of the GUI to the user. The present disclosure may include a fat-client or thin-client based GUI generator.

Another implementation of the computer-implemented method includes an application program interface receiving a query and an identification of at least one of the integrated functions to which a specification of one or more policies responsive to the query is to be returned, populating a data structure of key-value pairs for the one or more policies responsive to the query, and triggering the distribution. Yet another implementation of the computer-implemented method includes a data structure parser receiving a data structure including a query and an identification of at least one of the integrated functions to which a specification of one or more policies responsive to the query is to be returned, populating a data structure of key-value pairs for the one or more policies responsive to the query, and triggering the distribution. Some implementations of the computer-implemented method further include a command line interface (CLI) accepting and parsing the query and an identification of at least one of the integrated functions to which a specification of one or more policies responsive to the query is to be returned. The method also includes the CLI accepting the parsed query and specification, querying a key-value pair data structure in which the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions, and returning the results of the query.

In another implementation of the computer-implemented method, (a) the cloud-based packet-level access control and traffic inspection component is configured to inspect packet headers in an incoming access request for anomalies, with or without any pre-processing, classify the incoming access request as potentially inspectable or uninspectable, and then set a first restriction state or pass the incoming access request based on the inspection. With respect to the disclosed method, (b) the cloud-based protocol-level access control and traffic inspection component is configured to perform deep packet inspection on the incoming access request for malicious signatures, with or without any pre-processing, which is configured to set a second restriction state or pass the incoming access request. And (c) the cloud-based threat detection is configured to classify the incoming access request as directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then set a third restriction state or pass the incoming access request based on the classification. Further, (d) the cloud-based activity contextualization and inspection is configured to recognize and process the activity including the content when the incoming access request is an HTTP/S stream for access to a cloud-based application, classify the activity as risky or not, and then set a fourth restriction state or pass the incoming access request based on the classification. In some implementations of the disclosed method, the output firewall function can apply the output policy after the threat detection and cloud-based activity contextualization functions are completed. In some cases, it may be necessary to remap the IP address space to another space by filtering the destination IP or performing a network address translation (NAT) function on the source IP address and modifying the network address information in the IP header of the packet while the packet is passing through the routing device.

One implementation of the disclosed method of processing incoming access requests of packets through cloud-based components that perform (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization and inspection includes a packet and stream router conveying each incoming access request of a packet through all of the applicable components (a)-(d) at least until one of the components sets a restriction state for at least one object corresponding to the incoming access request or until all of the applicable components pass the incoming access request on. The method also includes (a) the packet-level access control and traffic inspection component is configured to inspect packet headers in the incoming access request, with or without any pre-processing, classify the incoming access request as inspectable or uninspectable, and then based on the classification, set a first restrictive state when the packet header is malformed, pass the incoming access request to the destination server when the packet header is well formed but the incoming access request is uninspectable, bypass threat detection and activity contextualization and inspection, and pass the incoming access request when the packet header is well formed and the incoming access request is inspectable. The disclosed method further includes (b) the protocol-level access control and traffic inspection component performs deep packet inspection on the incoming access request, with or without any pre-processing, configured to set a second restrictive state when the packet bears one or more malicious signatures, and pass the incoming access request otherwise. The method also includes (c) the threat detection is configured to classify the incoming access request as directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then based on the classification, set a third restriction state when the incoming access request is directed to a threat destination, and pass the incoming access request if not. In addition, (d) the activity contextualization and inspection is configured to recognize and process an activity including the content when the incoming access request is an HTTP/S stream for access to a cloud-based application, classify the activity as hazardous or not, and then based on the classification, set a fourth restriction state when the incoming access request is hazardous, and pass the incoming access request if not. Furthermore, the disclosed method includes the restriction state analyzer determining whether the first, second, third, or fourth restriction state is set, and performing a restriction step in response to the incoming access request based on the setting of any of the states. In another embodiment, the untestable determination can be completed using components in a different order than described above. As an incoming access request passes through each of the services (a)-(d), the previous service may also add context state for the next service to use to aid in processing at the next component. In one example, a packet-level access control and traffic inspection service may set the user's IP address that may be used elsewhere. A protocol-level access control and traffic inspection component may set the application name detected using its signature that may be used by N-CASB 155.

In some implementations of the method, the packet and stream router is configured to pass the incoming access stream through the (a) packet-level access control and traffic inspection component before the components (b)-(d). In some implementations, the components (a)-(d) are configured to pass the restriction state message to a subsequent component or to a restriction state analyzer as the incoming access stream processing progresses. In other implementations, the components (a)-(d) are configured to send the restriction state message to a common state store for processing by the restriction state analyzer as the incoming access stream processing progresses. In still other implementations, the components (a)-(d) are configured to set the restriction state flag in the common flag store for processing by the restriction state analyzer as the incoming access stream processing progresses. In still other implementations, the components (a)-(d) are configured to save the restriction state flag when the incoming access stream processing proceeds from the first component to the last component, and then to invoke the restriction state analyzer with the saved restriction state flag to perform the restriction step when the incoming access stream processing proceeds from the last component to the first component. Multiple configurations described herein may be present in a single implementation. In some implementations of the disclosed methods, the restrictive steps taken by the restrictive analyzer include blocking, alerting, requiring further authentication, bypassing, encrypting, coaching, or quarantining.

In one implementation, the disclosed method of dynamically routing access request streams through cloud-based components for (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization and content inspection includes (a) the cloud-based packet-level access control and traffic inspection component inspecting packet headers in an incoming access request or in a response to an access request, collectively the request or response, for anomalies, with or without any pre-processing, classifying the request or response as potentially inspectable or uninspectable, and then setting a first restriction state or passing the request or response based on the inspection. The method also includes (b) the cloud-based protocol-level access control and traffic inspection component performing deep packet inspection on the request or response for malicious signatures, with or without any pre-processing, and setting a second restriction state or passing the request or response. The cloud-based protocol-level access control and traffic inspection component can also perform deep packet inspection on the request or response for application identification and/or recognition. The disclosed method further includes (c) cloud-based threat detection classifying the request or response as directed to a threat destination or not when the request or response is an HTTP/S stream, and then setting a third restriction state or passing the request or response based on the classification. In addition, the disclosed method includes (d) cloud-based activity contextualization and inspection, recognizing and processing the activity including content when the request or response is an HTTP/S stream seeking access to a cloud-based application, classifying the activity as dangerous or not, and then setting a fourth restriction state or passing the request or response based on the classification. The disclosed method further includes a restriction state analyzer determining whether a first, second, third, or fourth restriction state is set, and taking a restriction step in response to the request or response based on the setting of any of the states. In some implementations, the method also includes (a) passing the incoming access stream through a cloud-based packet-level access control and traffic inspection component prior to components (b)-(d). In some implementations, the components (a)-(d) are configured to pass the restriction state message to a subsequent component or to a restriction state analyzer as the incoming access stream processing progresses. In other implementations, the components (a)-(d) are configured to send the restriction state message to a common state store for processing by the restriction state analyzer as the incoming access stream processing progresses. In some implementations, the components (a)-(d) are configured to set a restriction state flag in the common flag store for processing by the restriction state analyzer as the incoming access stream processing progresses. In other implementations, the components (a)-(d) are configured to save the restriction state flag when the incoming access stream processing proceeds from the first component to the last component, and then to invoke the restriction state analyzer with the saved restriction state flag to perform the restriction step when the incoming access stream processing proceeds from the last component to the first component.

Another implementation of the disclosed technology described in this section can include a tangible, non-transitory computer-readable storage medium that includes program instructions loaded into a memory that, when executed on a processor, causes the processor to perform any of the methods described above. Yet another implementation of the disclosed technology described in this section can include a system that includes a memory and one or more processors operable to execute computer instructions stored in the memory to perform any of the methods described above.

The foregoing description is presented to enable making and using the disclosed technology. Various modifications to the disclosed implementations will become apparent, and the general principles defined herein may be applied to other implementations and applications without departing from the spirit and scope of the disclosed technology. Thus, the disclosed technology is not intended to be limited to the implementations shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein. The scope of the disclosed technology is defined by the appended claims.

Provisions The following provisions are disclosed:
Clause Set 1
1. A computer-implemented policy manager device for a cloud-based security system that integrates packet-level and protocol-level access control and traffic inspection, threat detection, and activity contextualization capabilities for inspectable and uninspectable traffic, the device comprising:
A computing processor;
a data manager for a superset of fields used to specify security policies across the cloud-based integrated features, the data manager being implemented by the computing processor and including a common field shared by two or more of the integrated features;
a designated receiver and storage component implemented by a computing processor that processes policy specifications in a common format for values of common fields that apply to each of the integrated functions, thereby enabling a user interacting with the designated receiver to specify security policies that govern access control for inspectable and uninspectable traffic and the cloud-based integrated functions of traffic inspection, threat detection, and activity contextualization;
a policy manager implemented by a computing processor and configured to validate, store, and distribute among the cloud-based integrated functions policy specifications applicable to each of the functions;
(a) a packet level access control and traffic inspection component implemented by the computing processor inspects packet headers in an incoming access request or in a response to an access request, collectively the request or response, with or without any pre-processing, for malformations, classifies the request or response as inspectable or uninspectable, and then sets a first restriction state or passes the request or response based on the inspection;
(b) a protocol-level access control and traffic inspection component implemented by the computing processor performs deep packet inspection, with or without any pre-processing, on the request or response for the malicious signature, and then sets a second restriction state or passes the request or response based on the deep packet inspection;
(c) the threat detection implemented by the computing processor classifies the request or response as being directed to a threat destination or not when the request or response is an HTTP/S stream, and then sets a third restriction state or passes the request or response based on the classification;
(d) A computer-implemented policy manager device for activity contextualization implemented by a computing processor that recognizes and processes activity including content when the request or response is an HTTP/S stream seeking access to a cloud-based application, classifies the activity as risky or not, and then sets a fourth restriction state or passes the request or response based on the classification.
2. The policy manager device of clause 1, wherein the common fields include the source of the traffic to be inspected, the destination of the traffic, the protocol used by the traffic, the activities specified in the inspectable traffic, and specific functions and actions to be triggered in the event of an exception resulting from the inspection.
3. The value of the common field is
The IP address or range, or port number, for the source or destination of the traffic to be inspected;
The protocol used by the traffic: HTTP/S, TCP, UDP, or ICMP;
For activities specified in the inspectable traffic, upload, download, preview, or share,
For a particular functional profile, one or more of access control and traffic inspection, threat detection, and activity contextualization;
2. The policy manager device of claim 1, wherein actions triggered in case of an exception resulting from the inspection include allow, block, alert, bypass, encrypt, coach, or quarantine.
4. Generating a Graphical User Interface (GUI for short) that presents common fields in a consistent order with consistent value completion options across integrated functions, contextualized to the fields required for the specification of policies used by a particular function;
Causing delivery of a GUI to a user;
and receiving a selection from a user from a GUI that specifies a policy applicable to one or more of the integrated functions.
5. The method further includes an application program interface, the application program interface comprising:
2. The policy manager device of claim 1, receiving a data structure of key-value pairs in which required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions.
6. The method further includes a data structure parser, the data structure parser comprising:
2. The policy manager device of claim 1, receiving a data structure in which required fields used by a particular function are contextualized to each of the integrated functions with consistent field names and consistent field value options across the integrated functions.
7. A command line interface (CLI for short) is further included, the CLI being:
The policy manager device of clause 1, which accepts and parses policy configuration commands used to populate a key-value pair data structure in which the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions.
8. A computer-implemented method for application to a cloud-based security system that integrates packet-level and protocol-level access control and traffic inspection, threat detection, and activity contextualization capabilities for inspectable and uninspectable traffic by a policy manager, the method comprising:
maintaining a data structure including a superset of fields used to specify security policies across the cloud-based integrated features, including common fields shared by two or more of the integrated features;
a policy manager receiving policy specifications in a common format for values of common fields that are applied to each of the integrated functions, thereby enabling a user to specify security policies that govern the cloud-based integrated functions of access control and traffic inspection, threat detection, and activity contextualization for inspectable and uninspectable traffic;
a policy manager for validating, storing, and distributing among the integrated functions policy specifications applicable to each of the functions;
(a) packet-level access control and traffic inspection includes inspecting packet headers in incoming access requests or responses to access requests, collectively requests or responses, with or without any pre-processing, for malformations, classifying the request or response as inspectable or uninspectable, and then setting a first restriction state or passing the request or response based on the inspection;
(b) protocol-level access control and traffic inspection includes performing deep packet inspection, with or without any pre-processing, on requests or responses for malicious signatures, and then setting a second restriction state or passing the request or response based on the deep packet inspection;
(c) the threat detection includes classifying the request or response as being directed to a threat destination or not when the request or response is an HTTP/S stream, and then setting a third restriction state or passing the request or response based on the classification;
(d) Activity Contextualization is a computer-implemented method that recognizes and processes activity including content when the request or response is an HTTP/S stream seeking access to a cloud-based application, classifies the activity as risky or unrisky, and then sets a fourth restriction state or passes the request or response based on the classification.
9. Common fields are:
9. The computer-implemented method of claim 8, including a source of the traffic to be inspected, a destination of the traffic, a protocol used by the traffic, activities specified in the inspectable traffic, a profile of specific functions, and actions to be triggered in the event of an exception resulting from the inspection.
10. The value of the common field is
The IP address or range, or port number, for the source or destination of the traffic to be inspected;
The protocol used by the traffic: HTTP/S, TCP, UDP, or ICMP;
For activities specified in the inspectable traffic, upload, download, preview, or share,
For a particular functional profile, one or more of access control and traffic inspection, threat detection, and activity contextualization;
9. The computer-implemented method of claim 8, wherein the actions triggered in case of an exception resulting from the inspection include: allow, block, alert, bypass, encrypt, coach, or quarantine.
11. The GUI generator:
Generating a graphical user interface (GUI for short) that presents common fields in a consistent order with consistent value completion options across integrated functions, contextualized to the fields required for the specification of policies used by a particular function;
Causing delivery of a GUI to a user;
9. The computer-implemented method of claim 8, further comprising receiving a selection from a user from the GUI that specifies a policy applicable to one or more of the integrated features.
12. An application program interface,
9. The computer-implemented method of claim 8, further comprising receiving a data structure of key-value pairs in which required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions.
13. A data structure parser:
9. The computer-implemented method of claim 8, further comprising receiving a data structure in which required fields used by particular functions are contextualized to each of the integrated functions with consistent field names and consistent field value options across the integrated functions.
14. Receiving includes using a command line interface (CLI for short), the CLI comprising:
9. The computer-implemented method of claim 8, configured to accept and parse policy configuration commands to populate a key-value pair data structure where required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions.
15. A tangible, non-transitory computer readable medium containing program instructions that, when executed on a processor, cause the processor to implement a method of policy management for a cloud-based security system that integrates packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization capabilities, the method comprising:
maintaining a data structure including a superset of fields used to specify security policies across the cloud-based integrated features, including common fields shared by two or more of the integrated features;
a policy manager receiving policy specifications in a common format for values of common fields that are applied to each of the integrated functions, thereby enabling a user to specify security policies that govern the cloud-based integrated functions of access control and traffic inspection, threat detection, and activity contextualization for inspectable and uninspectable traffic;
a policy manager for validating, storing, and distributing among the integrated functions policy specifications applicable to each of the functions;
(a) packet-level access control and traffic inspection includes inspecting packet headers in incoming access requests or responses to access requests, collectively requests or responses, with or without any pre-processing, for malformations, classifying the request or response as inspectable or uninspectable, and then setting a first restriction state or passing the request or response based on the inspection;
(b) protocol-level access control and traffic inspection includes performing deep packet inspection, with or without any pre-processing, on requests or responses for malicious signatures, and then setting a second restriction state or passing the request or response based on the deep packet inspection;
(c) the threat detection includes classifying the request or response as being directed to a threat destination or not when the request or response is an HTTP/S stream, and then setting a third restriction state or passing the request or response based on the classification;
(d) Activity contextualization includes recognizing and processing activity including content when the request or response is an HTTP/S stream seeking access to a cloud-based application, classifying the activity as risky or unrisky, and then setting a fourth restriction state or passing the request or response based on the classification.
16. Common fields are:
16. The tangible, non-transitory computer-readable medium of claim 15, comprising the source of the traffic to be inspected, the destination of the traffic, the protocol used by the traffic, the activity specified in the inspectable traffic, a profile of specific functions, and actions to be triggered in the event of an exception resulting from the inspection.
17. The value of the common field is
The IP address or range, or port number, for the source or destination of the traffic to be inspected;
The protocol used by the traffic: HTTP/S, TCP, UDP, or ICMP;
For activities specified in the inspectable traffic, upload, download, preview, or share,
For a particular functional profile, one or more of access control and traffic inspection, threat detection, and activity contextualization;
16. The tangible, non-transitory computer readable medium of clause 15, wherein the actions triggered in the event of an exception resulting from the inspection include allow, block, alert, bypass, encrypt, coach, or quarantine.
18. Generating a Graphical User Interface (GUI for short) that presents common fields in a consistent order with consistent value completion options across integrated functions, contextualized to the fields required for the specification of policies used by a particular function;
Causing delivery of a GUI to a user;
20. The tangible, non-transitory computer-readable medium of claim 15, further comprising: a GUI generator that receives a selection from a user from a GUI that specifies a policy applicable to one or more of the integrated features.
19. The method further includes an application program interface, the application program interface comprising:
16. The tangible, non-transitory computer-readable medium of claim 15, receiving a data structure of key-value pairs in which required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions.
20. The method further includes a data structure parser, the data structure parser comprising:
16. The tangible, non-transitory computer-readable medium of claim 15, receiving a data structure in which required fields used by a particular function are contextualized to each of the integrated functions with consistent field names and consistent field value options across the integrated functions.
21. Receiving includes using a command line interface (CLI for short), the CLI including:
16. The tangible, non-transitory computer-readable medium of claim 15, configured to accept and parse policy configuration commands to populate a key-value pair data structure in which required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions.
Clause Set 2
1. A computer-implemented policy manager device for a cloud-based security system that integrates packet-level and protocol-level access control and traffic inspection, threat detection, and activity contextualization capabilities for inspectable and uninspectable traffic, the device comprising:
a data manager coupled to the policy manager device that stores a superset of fields used to specify security policies across the cloud-based integrated functions, including common fields shared by two or more of the integrated functions;
a policy manager configured to validate, store, and distribute policy specifications applicable to each of the integrated functions;
and means for receiving from each of the integrated functions a request for the policy specification stored in the common field, converting the common field into a value used by the respective requesting function, and returning a value responsive to the request to the respective requesting function among the cloud-based integrated functions of access control and traffic inspection, threat detection, and activity contextualization.
2. A common field shared by two or more of the integrated features is
The computer-implemented policy manager device of clause 1 includes information about the source of the traffic to be inspected, the destination of the traffic, the protocol used by the traffic, activities specified in the inspectable traffic, a profile of specific functions, and actions to be triggered in the event of an exception resulting from the inspection.
3. The value of the common field is
For the source or destination of the traffic to be inspected, any traffic, a specified user, a specified group, an IP address or range, or a port number;
The protocol used by the traffic: HTTP/S, TCP, UDP, or ICMP;
For activities specified in the inspectable traffic, upload, download, preview, or share,
For a particular functional profile, one or more of access control and traffic inspection, threat detection, and activity contextualization;
2. The computer implemented policy manager device of claim 1, wherein actions triggered in the event of an exception resulting from the inspection include allow, block, alert, bypass, encrypt, coach, or quarantine.
4. The means for receiving is:
generating a GUI that presents common fields in a consistent order for consistent value reporting across integrated functions, contextualized to fields required for specification of policies used by a particular function;
receiving from a user a query and an identification of at least one of the integrated functions to return a designation of one or more policies responsive to the query;
The computer-implemented policy manager device of clause 1 includes one of a browser-based and a client-based graphical user interface (abbreviated GUI) generator configured to: respond to a query, populate a GUI with policy specifications, and cause delivery of the GUI to a user.
5. Receiving a query and an identification of at least one of the integrated functions to which a specification of one or more policies responsive to the query is returned;
13. The computer-implemented policy manager device of claim 1, including an application program interface configured to: populate a key-value pair data structure for one or more policies in response to a query and trigger a distribution.
6. Receiving a data structure including a query and an identification of at least one of the integrated functions to which a specification of one or more policies responsive to the query is to be returned;
13. The computer-implemented policy manager device of claim 1, comprising: a data structure parser configured to: populate a data structure of key-value pairs for one or more policies in response to a query and trigger a distribution.
7. The means for receiving includes a command line interface (CLI for short), the CLI comprising:
accepting and parsing a query and an identification of at least one of the integrated functions from which a specification of one or more policies responsive to the query is to be returned; and accepting the parsed query and specification;
Querying a key-value pair data structure where the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions;
2. The computer-implemented policy manager device of claim 1, configured to:
8. (a) the cloud-based packet-level access control and traffic inspection component is configured to inspect packet headers in incoming access requests for anomalies, with or without any pre-processing, classify the incoming access request as inspectable or uninspectable, and then set a first restriction state or pass the incoming access request based on the inspection;
(b) a cloud-based protocol-level access control and traffic inspection component is configured to perform deep packet inspection on the incoming access request for malicious signatures, with or without any pre-processing, configured to set a second restriction state or pass the incoming access request;
(c) the cloud-based threat detection is configured to classify the incoming access request as being directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then configure to set a third restriction state or pass the incoming access request based on the classification;
(d) The computer-implemented policy manager device of clause 1, wherein the contextualization of cloud-based activity is configured to recognize and process activity including content when the incoming access request is an HTTP/S stream seeking access to a cloud-based application, classify the activity as dangerous or not, and then, based on the classification, set a fourth restriction state or pass the incoming access request.
9. A computer-implemented method applied by a policy manager to a cloud-based security system that integrates functions of access control and traffic inspection, threat detection, and activity contextualization for inspectable and uninspectable traffic, the method comprising:
a data manager coupled to the policy manager storing a superset of fields used to specify security policies across the cloud-based integrated features, the superset including common fields shared by two or more of the integrated features;
a policy manager for validating, storing, and distributing policy specifications applicable to each of the integrated functions;
A computer-implemented method comprising: a policy manager receiving a request for a policy specification stored in a common field from each of the integrated functions, converting the common field to a value used by the respective requesting function, and returning to any requesting function among the cloud-based integrated functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization the value of the field used by the respective requesting function.
10. A common field shared by two or more of the integrated features is
10. The computer-implemented method of claim 9, including a source of the traffic to be inspected, a destination of the traffic, a protocol used by the traffic, activities specified in the inspectable traffic, a profile of specific functions, and actions to be triggered in the event of an exception resulting from the inspection.
11. The value of the common field is
The IP address or range, or port number, for the source or destination of the traffic to be inspected;
The protocol used by the traffic: HTTP/S, TCP, UDP, or ICMP;
For activities specified in the inspectable traffic, upload, download, preview, or share,
For a particular functional profile, one or more of access control and traffic inspection, threat detection, and activity contextualization;
10. The computer-implemented method of claim 9, wherein the actions triggered in case of an exception resulting from the inspection include allow, block, alert, bypass, encrypt, coach, or quarantine.
12. The GUI generator:
generating a graphical user interface (GUI for short) that presents common fields in a consistent order for consistent value reporting across integrated functions, contextualized to fields required for specification of policies used by a particular function;
receiving from a user a query and an identification of at least one of the integrated functions to return a designation of one or more policies responsive to the query;
10. The computer-implemented method of claim 9, comprising: in response to the query, populating the GUI with a specification of the policy and causing delivery of the GUI to the user.
13. An application program interface,
receiving a query and an identification of at least one of the integrated functions to which a designation of one or more policies responsive to the query is returned;
10. The computer-implemented method of claim 9, further comprising: in response to the query, populating a data structure of key-value pairs for the one or more policies and triggering the distribution.
14. A data structure parser:
receiving a data structure including a query and an identification of at least one of the integrated functions to which a specification of one or more policies responsive to the query is to be returned;
10. The computer-implemented method of claim 9, further comprising: in response to the query, populating a data structure of key-value pairs for the one or more policies and triggering the distribution.
15. The present invention further includes a command line interface (CLI for short), which is
accepting and parsing a query and an identification of at least one of the integrated functions for which a specification of one or more policies responsive to the query is to be returned;
accepting the parsed query and specification;
Querying a key-value pair data structure where the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions;
and returning results of the query.
16. (a) the cloud-based packet-level access control and traffic inspection component is configured to inspect packet headers in incoming access requests for anomalies, with or without any pre-processing, classify the incoming access request as inspectable or uninspectable, and then set a first restriction state or pass the incoming access request based on the inspection;
(b) a cloud-based protocol-level access control and traffic inspection component is configured to perform deep packet inspection on the incoming access request for malicious signatures, with or without any pre-processing, configured to set a second restriction state or pass the incoming access request;
(c) the cloud-based threat detection is configured to classify the incoming access request as being directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then configure to set a third restriction state or pass the incoming access request based on the classification;
(d) the contextualization of cloud-based activity is configured to recognize and process activity including content when the incoming access request is an HTTP/S stream seeking access to a cloud-based application, classify the activity as dangerous or not, and then set a fourth restriction state or pass the incoming access request based on the classification.
17. A tangible, non-transitory computer readable medium containing program instructions that, when executed on a processor, cause the processor to implement a method of policy management for a cloud-based security system that integrates packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization capabilities, the method comprising:
a data manager coupled to the policy manager storing a superset of fields used to specify security policies across the cloud-based integrated features, the superset including common fields shared by two or more of the integrated features;
a policy manager for validating, storing, and distributing policy specifications applicable to each of the integrated functions;
A policy manager receiving a request for a policy specification stored in a common field from each of the integrated functions, converting the common field to a value used by the respective requesting function, and returning to any requesting function among the cloud-based integrated functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization the value of the field used by the respective requesting function.
18. A common field shared by two or more of the integrated functions is
18. The tangible, non-transitory computer-readable medium of claim 17, comprising the source of the traffic to be inspected, the destination of the traffic, the protocol used by the traffic, the activity specified in the inspectable traffic, a profile of specific functions, and actions to be triggered in the event of an exception resulting from the inspection.
19. The value of the common field is
The IP address or range, or port number, for the source or destination of the traffic to be inspected;
The protocol used by the traffic: HTTP/S, TCP, UDP, or ICMP;
For activities specified in the inspectable traffic, upload, download, preview, or share,
For a particular functional profile, one or more of access control and traffic inspection, threat detection, and activity contextualization;
20. The tangible, non-transitory computer readable medium of clause 17, wherein the actions triggered in the event of an exception resulting from the inspection include allow, block, alert, bypass, encrypt, coach, or quarantine.
20. Generating a Graphical User Interface (GUI for short) that presents common fields in a consistent order for consistent value reporting across integrated functions, contextualized to fields required for specification of policies used by a particular function;
receiving from a user a query and an identification of at least one of the integrated functions to return a designation of one or more policies responsive to the query;
20. The tangible, non-transitory computer-readable medium of claim 17, further comprising: a GUI generator responsive to a query to populate the GUI with a specification of the policy and cause delivery of the GUI to the user.
21. The method further includes an application program interface, the application program interface comprising:
receiving a query and an identification of at least one of the integrated functions to which a designation of one or more policies responsive to the query is returned;
20. The tangible, non-transitory computer-readable medium of clause 17, further comprising: in response to a query, populating a data structure of key-value pairs for one or more policies and triggering distribution.
22. The method further comprising:
receiving a data structure including a query and an identification of at least one of the integrated functions to which a specification of one or more policies responsive to the query is to be returned;
20. The tangible, non-transitory computer-readable medium of clause 17, further comprising: in response to a query, populating a data structure of key-value pairs for one or more policies and triggering distribution.
23. The method further includes a command line interface (CLI for short), the CLI being:
accepting and parsing a query and an identification of at least one of the integrated functions for which a specification of one or more policies responsive to the query is to be returned;
accepting the parsed query and specification;
Querying a key-value pair data structure where the required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions;
and returning results of the query.
24. (a) the cloud-based packet-level access control and traffic inspection component is configured to inspect packet headers in incoming access requests for anomalies, with or without any pre-processing, classify the incoming access request as inspectable or uninspectable, and then set a first restriction state or pass the incoming access request based on the inspection;
(b) a cloud-based protocol-level access control and traffic inspection component is configured to perform deep packet inspection on the incoming access request for malicious signatures, with or without any pre-processing, configured to set a second restriction state or pass the incoming access request;
(c) the cloud-based threat detection is configured to classify the incoming access request as being directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then configure to set a third restriction state or pass the incoming access request based on the classification;
(d) The tangible, non-transitory computer-readable medium of clause 17, wherein the contextualization of cloud-based activity is configured to recognize and process activity including content when the incoming access request is an HTTP/S stream seeking access to a cloud-based application, classify the activity as risky or not, and then, based on the classification, set a fourth restriction state or pass the incoming access request.
Clause Set 3
1. A cloud-based component security system configurable for (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization, the system comprising:
a packet and stream router configured to convey each incoming access request of a packet through all of the applicable components (a)-(d) at least until one of the components sets a restriction state for at least one object corresponding to the incoming access request or until all of the applicable components pass on the incoming access request,
(a) a packet-level access control and traffic inspection component is configured to inspect packet headers in incoming access requests, with or without any pre-processing, and classify the incoming access request as inspectable or uninspectable, and then, based on the classification:
setting a first limiting state when the packet header is malformed;
if the packet header is well formed but the incoming access request is uninspectable, passing the incoming access request to a destination server and bypassing threat detection (SWG) and activity contextualization;
passing the incoming access request when the packet header is well formed and the incoming access request is inspectable;
(b) a protocol-level access control and traffic inspection component is configured to perform deep packet inspection, with or without any pre-processing, on incoming access requests;
setting a second restriction state when the packet bears one or more malicious signatures;
otherwise, passing the incoming access request; and
(c) the threat detection is configured to classify the incoming access request as being directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then, based on the classification,
setting a third restriction state when the incoming access request is directed to a threat destination;
otherwise, passing the incoming access request; and
(d) the activity contextualization is configured to recognize and process an activity including content when the incoming access request is an HTTP/S stream seeking access to a cloud-based application, and classify the activity as risky or not, and then, based on the classification,
setting a fourth restriction state when the incoming access request is jeopardizing; and
otherwise, passing the incoming access request; and
and a restriction state analyzer that determines whether a first, second, third, or fourth restriction state is set and performs a restriction step in response to an incoming access request based on the setting of any of the states.
2. The system of clause 1, wherein the packet and stream router is configured to pass the incoming access stream through (a) a packet-level access control and traffic inspection component prior to components (b) through (d).
3. The system of clause 1, wherein components (a)-(d) are configured to pass throttling state messages to subsequent components or to a throttling state analyzer as incoming access stream processing progresses.
4. The system of clause 1, wherein components (a)-(d) are configured to send throttling state messages to a common state store for processing by the throttling state analyzer as incoming access stream processing progresses.
5. The system of claim 1, wherein components (a)-(d) are configured to set throttling state flags in a common flag store for processing by the throttling state analyzer as incoming access stream processing progresses.
6. The system of claim 1, wherein components (a)-(d) are configured to preserve a throttling state flag when the incoming access stream processing proceeds from the first component to the last component, and then invoke a throttling state analyzer with the preserved throttling state flag to perform the throttling step when the incoming access stream processing proceeds from the last component to the first component.
7. The system of clause 1, wherein the restrictive steps taken by the restrictive analyzer include block, alert, bypass, encrypt, coach, or quarantine.
8. A method for processing incoming access requests for packets through a cloud-based component that performs: (a) packet-level access control and traffic inspection; (b) protocol-level access control and traffic inspection; (c) threat detection; and (d) activity contextualization, the method comprising:
a packet and stream router conveying each incoming access request of a packet through all of the applicable components (a)-(d) at least until one of the components sets a restriction state for at least one object corresponding to the incoming access request or until all of the applicable components pass on the incoming access request;
(a) a packet-level access control and traffic inspection component inspects packet headers in an incoming access request, with or without any pre-processing, and classifies the incoming access request as inspectable or uninspectable, and then, based on the classification:
setting a first limiting state when the packet header is malformed;
if the packet header is well formed but the incoming access request is uninspectable, passing the incoming access request to a destination server and bypassing threat detection and activity contextualization;
passing the incoming access request when the packet header is well formed and the incoming access request is inspectable;
(b) a protocol-level access control and traffic inspection component performs deep packet inspection, with or without any pre-processing, on incoming access requests;
setting a second restriction state when the packet bears one or more malicious signatures;
otherwise, passing the incoming access request; and
(c) the threat detection classifies the incoming access request as being directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then, based on the classification,
setting a third restriction state when the incoming access request is directed to a threat destination;
otherwise, passing the incoming access request; and
(d) activity contextualization, when an incoming access request is an HTTP/S stream seeking access to a cloud-based application, recognizing and processing an activity including content, classifying the activity as risky or non-risky, and then, based on the classification,
setting a fourth restriction state when the incoming access request is jeopardizing; and
otherwise, passing the incoming access request; and
a restriction state analyzer determining whether a first, second, third, or fourth restriction state is set and performing a restriction step in response to an incoming access request based on the setting of any of the states.
9. The method of clause 8, wherein the packet and stream router is configured to pass the incoming access stream through (a) a packet level access control and traffic inspection component prior to components (b) through (d).
10. The method of claim 8, wherein components (a)-(d) are configured to pass throttling state messages to subsequent components or to a throttling state analyzer as the incoming access stream processing progresses.
11. The method of claim 8, wherein components (a)-(d) are configured to send throttling state messages to a common state store for processing by a throttling state analyzer as incoming access stream processing progresses.
12. The method of claim 8, wherein components (a)-(d) are configured to set throttling state flags in a common flag store for processing by the throttling state analyzer as incoming access stream processing progresses.
13. The method of claim 8, wherein components (a)-(d) are configured to preserve a throttling state flag when the incoming access stream processing passes from the first component to the last component, and then to invoke a throttling state analyzer with the preserved throttling state flag to perform the throttling step when the incoming access stream processing passes from the last component to the first component.
14. The method of clause 8, wherein the restrictive steps taken by the restrictive analyzer include blocking, alerting, bypassing, encrypting, coaching, or quarantining.
15. A tangible, non-transitory computer readable medium comprising program instructions that, when executed on a processor, cause the processor to perform a method for processing incoming access requests for packets via a cloud-based component that performs (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization, the method comprising:
a packet and stream router conveying each incoming access request of a packet through all of the applicable components (a)-(d) at least until one of the components sets a restriction state for at least one object corresponding to the incoming access request or until all of the applicable components pass on the incoming access request;
(a) a packet-level access control and traffic inspection component inspects packet headers in an incoming access request, with or without any pre-processing, and classifies the incoming access request as inspectable or uninspectable, and then, based on the classification:
setting a first limiting state when the packet header is malformed;
if the packet header is well formed but the incoming access request is uninspectable, passing the incoming access request to a destination server and bypassing threat detection (SWG) and activity contextualization;
passing the incoming access request when the packet header is well formed and the incoming access request is inspectable;
(b) a protocol-level access control and traffic inspection component performs deep packet inspection, with or without any pre-processing, on incoming access requests;
setting a second restriction state when the packet bears one or more malicious signatures;
otherwise, passing the incoming access request; and
(c) the threat detection classifies the incoming access request as being directed to a threat destination or not when the incoming access request is an HTTP/S stream, and then, based on the classification,
setting a third restriction state when the incoming access request is directed to a threat destination;
otherwise, passing the incoming access request; and
(d) activity contextualization, when an incoming access request is an HTTP/S stream seeking access to a cloud-based application, recognizing and processing an activity including content, classifying the activity as risky or non-risky, and then, based on the classification,
setting a fourth restriction state when the incoming access request is jeopardizing; and
otherwise, passing the incoming access request; and
a restriction state analyzer determining whether a first, second, third, or fourth restriction state is set and performing a restriction step in response to an incoming access request based on the setting of any of the states.
16. The tangible, non-transitory computer-readable medium of clause 15, wherein the packet and stream router is configured to pass the incoming access stream through (a) a packet-level access control and traffic inspection component prior to components (b) through (d).
17. The tangible, non-transitory computer readable medium of clause 15, wherein components (a)-(d) are configured to pass throttling state messages to subsequent components or throttling state analyzers as incoming access stream processing progresses.
18. The tangible, non-transitory computer-readable medium of clause 15, wherein components (a)-(d) are configured to send throttling state messages to a common state store for processing by a throttling state analyzer as incoming access stream processing progresses.
19. The tangible, non-transitory computer-readable medium of clause 15, wherein components (a)-(d) are configured to set throttling state flags in a common flag store for processing by a throttling state analyzer as incoming access stream processing progresses.
20. The tangible, non-transitory computer-readable medium of clause 15, wherein components (a)-(d) are configured to preserve a throttling state flag when incoming access stream processing proceeds from the first component to the last component, and then invoke a throttling state analyzer with the preserved throttling state flag to perform a throttling step when incoming access stream processing proceeds from the last component to the first component.
Clause Set 4
1. An integrated security system of cloud-based components configurable for (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization and content inspection, the system comprising:
(a) a cloud-based packet-level access control and traffic inspection component is configured to inspect packet headers in incoming access requests or responses to the access requests, collectively the requests or responses, with or without any pre-processing, for malformations, classify the request or response as inspectable or uninspectable, and then set a first restriction state or pass the request or response based on the inspection;
(b) a cloud-based protocol-level access control and traffic inspection component is configured to perform deep packet inspection on the request or response for malicious signatures, with or without any pre-processing, configured to set a second restriction state or pass the request or response;
(c) the cloud-based threat detection is configured to classify the request or response as being directed to a threat destination or not when the request or response is an HTTP/S stream, and then configure to set a third restriction state or pass the request or response based on the classification;
(d) cloud-based activity contextualization and content inspection is configured to recognize and process activity including content when the request or response is an HTTP/S stream seeking access to a cloud-based application, classify the activity as risky or not, and then set a fourth restriction state or pass the request or response based on the classification;
a restriction state analyzer that determines whether a first, second, third, or fourth restriction state is set and performs a restriction step in response to a request or response based on the setting of any of the states.
2. The system of clause 1, wherein the packet and stream router is configured to pass the request or response through (a) a cloud-based packet-level access control and traffic inspection component prior to components (b) through (d).
3. The system of clause 1, wherein components (a)-(d) are configured to pass throttling state messages to subsequent components or throttling state analyzers as request or response processing progresses.
4. The system of clause 1, wherein components (a)-(d) are configured to send throttled state messages to a common state store as request or response processing progresses for processing by the throttled state analyzer.
5. The system of claim 1, wherein components (a)-(d) are configured to set restricted state flags in a common flag store as request or response processing progresses for processing by the restricted state analyzer.
6. The system of claim 1, wherein components (a)-(d) are configured to preserve throttling state flags as request or response processing proceeds from the first component to the last component, and then invoke a throttling state analyzer with the preserved throttling state flags to perform the throttling step when incoming access stream processing proceeds from the last component to the first component.
7. A method for dynamically routing access request streams through cloud-based components for (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization and content inspection, the method comprising:
(a) a cloud-based packet-level access control and traffic inspection component inspects packet headers in an incoming access request or in a response to the access request, collectively the request or response, with or without any pre-processing, for malformations, classifies the request or response as inspectable or uninspectable, and then sets a first restriction state or passes the request or response based on the inspection;
(b) a cloud-based protocol-level access control and traffic inspection component performs deep packet inspection, with or without any pre-processing, on the request or response for a malicious signature and sets a second restriction state or passes on the request or response;
(c) the cloud-based threat detection classifies the request or response as being directed to a threat destination or not when the request or response is an HTTP/S stream, and then sets a third restriction state or passes the request or response based on the classification;
(d) cloud-based activity contextualization and content inspection, recognizing and processing activity including content when the request or response is an HTTP/S stream seeking access to a cloud-based application, classifying the activity as risky or unrisky, and then setting a fourth restriction state or passing the request or response based on the classification;
The method includes a restriction state analyzer determining whether a first, second, third, or fourth restriction state is set and performing a restriction step in response to the request or response based on the setting of any of the states.
8. The method of clause 7, further comprising, prior to components (b) through (d), (a) passing the incoming access stream through a cloud-based packet-level access control and traffic inspection component.
9. The method of claim 7, wherein components (a)-(d) are configured to pass throttling state messages to subsequent components or to a throttling state analyzer as the incoming access stream processing progresses.
10. The method of clause 7, wherein components (a)-(d) are configured to send throttling state messages to a common state store for processing by the throttling state analyzer as incoming access stream processing progresses.
11. The method of clause 7, wherein components (a)-(d) are configured to set throttling state flags in a common flag store for processing by the throttling state analyzer as incoming access stream processing progresses.
12. The method of claim 7, wherein components (a)-(d) are configured to preserve a throttling state flag when the incoming access stream processing passes from the first component to the last component, and then to invoke a throttling state analyzer with the preserved throttling state flag to perform the throttling step when the incoming access stream processing passes from the last component to the first component.
13. A tangible, non-transitory computer readable medium comprising program instructions that, when executed on a processor, cause the processor to perform a method for dynamically routing access request streams through cloud-based components for (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization, the method comprising:
(a) a cloud-based packet-level access control and traffic inspection component inspects packet headers in an incoming access request or in a response to the access request, collectively the request or response, with or without any pre-processing, for malformations, classifies the request or response as inspectable or uninspectable, and then sets a first restriction state or passes the request or response based on the inspection;
(b) a cloud-based protocol-level access control and traffic inspection component performs deep packet inspection, with or without any pre-processing, on the request or response for a malicious signature and sets a second restriction state or passes on the request or response;
(c) the cloud-based threat detection classifies the request or response as being directed to a threat destination or not when the request or response is an HTTP/S stream, and then sets a third restriction state or passes the request or response based on the classification;
(d) contextualizing the cloud-based activity by recognizing and processing the activity including the content when the request or response is an HTTP/S stream seeking access to a cloud-based application, classifying the activity as risky or unrisky, and then setting a fourth restriction state or passing the request or response based on the classification;
A tangible, non-transitory computer-readable medium, comprising: a restriction state analyzer determining whether a first, second, third, or fourth restriction state is set and performing a restriction step in response to a request or response based on the setting of any of the states.
14. The tangible, non-transitory computer-readable medium of clause 13, further comprising, prior to components (b) through (d), (a) passing the incoming access stream through a cloud-based packet-level access control and traffic inspection component.
15. The tangible, non-transitory computer readable medium of clause 13, wherein components (a)-(d) are configured to pass throttling state messages to subsequent components or throttling state analyzers as incoming access stream processing progresses.
16. The tangible, non-transitory computer-readable medium of clause 13, wherein components (a)-(d) are configured to send throttling state messages to a common state store for processing by a throttling state analyzer as incoming access stream processing progresses.
17. The tangible, non-transitory computer-readable medium of clause 13, wherein components (a)-(d) are configured to set throttling state flags in a common flag store for processing by a throttling state analyzer as incoming access stream processing progresses.
18. The tangible, non-transitory computer-readable medium of clause 13, wherein components (a)-(d) are configured to preserve a throttling state flag when incoming access stream processing proceeds from the first component to the last component, and then invoke a throttling state analyzer with the preserved throttling state flag to perform a throttling step when incoming access stream processing proceeds from the last component to the first component.

Claims (15)

1. A computer-implemented policy manager device for a cloud-based security system that manages a cloud-based integrated function of packet-level and protocol-level access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization, wherein the security stack of the integrated function is implemented with the packet-level access control inspecting packet headers for malformations, the protocol-level access control performing deep packet inspection for malicious signatures, the threat detection determining whether traffic in an HTTP/S stream is directed to a threat destination, and the activity contextualization recognizing whether activity in an HTTP/S stream accessing a cloud-based application is threatening activity, each of the integrated functions setting a restrictive state upon detecting threatening traffic ;
a computer implemented data manager for a superset of fields used to specify security policies across the cloud-based integrated functions, the superset including common fields shared by two or more of the integrated functions;
a computer-implemented designated receiver that processes policy specifications in a common format for values of the common fields that apply to each of the integrated functions, thereby enabling a user interacting with the computer- implemented designated receiver to specify security policies that govern the cloud-based integrated functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization;
a computer-implemented policy manager configured to validate, store, and distribute the policy specifications applicable to each of the cloud-based integrated functions among the cloud-based integrated functions; The common field is:
2. The computer-implemented policy manager device of claim 1, including a source of traffic to be inspected, a destination of the traffic, a protocol used by the traffic, activities specified in the inspectable traffic, and specific functions and actions to be triggered in the event of an exception resulting from the inspection. The value of the common field is
The IP address or range, or port number, for the source or destination of the traffic to be inspected;
The protocol used by the traffic: HTTP/S, TCP, UDP, or ICMP;
For activities specified in the inspectable traffic, upload, download, preview, or share,
For a particular functional profile, one or more of the access control and traffic inspection, the threat detection, and the activity contextualization;
The computer implemented policy manager device of claim 1 , wherein actions triggered in case of an exception resulting from the inspection include: allow, block, alert, bypass, encrypt, coach, or quarantine. generating a graphical user interface (GUI for short) that presents the common fields in a consistent order with consistent value completion options across the integrated functions, contextualized to the fields required for the specification of policies used by a particular function;
causing delivery of said GUI to a user;
and receiving a selection from the user from the GUI specifying a policy applicable to one or more of the integrated features. The method further includes an application program interface, the application program interface comprising:
2. The computer-implemented policy manager device of claim 1, receiving a data structure of key-value pairs in which required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions. The method further includes the steps of:
2. The computer-implemented policy manager device of claim 1, receiving a data structure in which required fields used by a particular function are contextualized to each of the integrated functions with consistent field names and consistent field value options across the integrated functions. The method further includes a command line interface (CLI for short), the CLI comprising:
2. The computer-implemented policy manager device of claim 1, which accepts and parses policy configuration commands used to populate a key-value pair data structure in which required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions. 1. A computer-implemented method applied by a policy manager device for a cloud-based security system that manages a cloud-based integrated function of packet and protocol level access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization, wherein the security stack of the integrated function is implemented with the packet level access control inspecting packet headers for malformations, the protocol level access control performing deep packet inspection for malicious signatures, the threat detection determining whether traffic in an HTTP/S stream is directed to a threat destination, and the activity contextualization recognizing whether activity in an HTTP/S stream accessing a cloud-based application is threatening activity, and each of the integrated functions sets a restrictive state upon detecting threatening traffic, the computer-implemented method comprising :
maintaining a data structure including a superset of fields used to specify security policies across the cloud-based integrated functions, the superset including common fields shared by two or more of the integrated functions;
a computer-implemented policy manager receiving policy specifications in a common format for values of the common fields that are applied to each of the integrated functions, thereby enabling a user to specify security policies that govern the cloud-based integrated functions of access control and traffic inspection for inspectable and uninspectable traffic, threat detection, and activity contextualization;
the computer-implemented policy manager validating, storing and distributing among the integrated functions the policy specifications applicable to each function. The common field is:
9. The computer-implemented method of claim 8, including a source of traffic to be inspected, a destination of the traffic, a protocol used by the traffic, activities specified in the inspectable traffic, a profile of specific functions, and actions to be triggered in the event of an exception resulting from the inspection. The value of the common field is
The IP address or range, or port number, for the source or destination of the traffic to be inspected;
The protocol used by the traffic: HTTP/S, TCP, UDP, or ICMP;
For activities specified in the inspectable traffic, upload, download, preview, or share,
For a particular functional profile, one or more of the access control and traffic inspection, the threat detection, and the activity contextualization;
The computer-implemented method of claim 8 , wherein actions triggered in case of an exception resulting from the inspection include: allow, block, alert, bypass, encrypt, coach, or quarantine. The GUI generator
generating a graphical user interface (GUI for short) that presents the common fields in a consistent order with consistent value completion options across the integrated functions, contextualized to the fields required for the specification of policies used by a particular function;
causing delivery of said GUI to a user;
The computer-implemented method of claim 8 , further comprising receiving a selection from the user from the GUI specifying a policy applicable to one or more of the integrated features. The application program interface
10. The computer-implemented method of claim 8, further comprising receiving a data structure of key-value pairs in which required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions. The data structure parser
10. The computer-implemented method of claim 8, further comprising receiving a data structure in which required fields used by a particular function are contextualized to each of the integrated functions with consistent field names and consistent field value options across the integrated functions. The receiving includes using a command line interface (CLI for short), the CLI comprising:
10. The computer-implemented method of claim 8, configured to accept and parse policy configuration commands to populate a key-value pair data structure in which required fields used by a particular function are contextualized to each of the integrated functions with consistent key tags and consistent value completion options across the integrated functions. A tangible, non-transitory computer readable medium comprising program instructions which, when executed on a processor, cause the computer-implemented method of any one of claims 8 to 14 to be performed .

Images