Technical Field
The present invention relates to access control for cloud-based services, and more particularly to permission based access control for cloud-based offloaded services.
Description of the Related Art
Cloud computing refers to the practice of transitioning computer services (e.g., computation or data storage) to multiple redundant offsite locations available on the Internet, which allows application software to be operated using internet-enabled devices. Clouds can be classified as public, private, and hybrid. Cloud computing (e.g., “the cloud”), may also involve shared resources, and various access control systems and methods for establishing and/or enforcing permissions when allocating resources to users. In cloud computing, a portion of on-premise services may be offloaded to a public cloud, and these services may require access to on-premise backend services (e.g., database services, representational state transfer (REST) services, etc.) to function properly.
When users use public (e.g., non-trusted) clouds to offload workload of their on-premise applications, the offloaded workload/service accesses the back-end services that the on-premise services call. Because back-end services are accessible to the public cloud, the back-end services are generally protected (e.g., using access control lists (ACLs)) for security purposes for a plurality of reasons. For example, some on-premise back-end services (e.g., services in a private cloud) may be restricted from access by an offloaded service (e.g., services in public cloud) without appropriate permissions. In such situations, conventional systems return an error if unauthorized access to a back-end service from an offloaded service is detected, and the offloaded service is not permitted to access the back-end service.
To allow access to on-premise back-end services from public clouds where applications have offloaded workloads, conventional systems and methods may employ a firewall which knows a complete (e.g., perfect) list of accessible back-end services for each offloaded workload prior to requesting a service. However, such a list is impractical (e.g., prohibitively expensive, resource intensive, etc.), or impossible to determine prior to requesting a service and/or maintain in a plurality of scenarios (e.g., unknown behavior from the public cloud, no knowledge of all back-end services required for a particular offloaded service, etc.). Thus, conventional practice is often to set a firewall policy which accepts all requests from offloaded servers, but offloaded servers may not all be trusted and/or may access illegal backend services, which is unacceptable for users requiring secure offloading of services.