The present invention relates to security in computer networks and, more particularly, to controlling access to resources in a cloud computing environment.
In cloud computing, Internet users access shared resources hosted in a cloud computing environment. The shared resources may include applications, folders and files, by way of example. By default, the shared resources can be accessed by any Internet user who knows the Uniform Resource Locator (URL) of the resources.
Some cloud owners limit access to the shared resources in their cloud computing environment to users who belong to “tenants” of their environment. These tenants are multi-user enterprises that have entered into, and are compliant with, a tenant license with the cloud owner. A tenant license is a contract between the cloud owner and a multi-user enterprise containing legal provisions, such as payment terms and cloud usage terms, that the enterprise and its users must follow as a condition for accessing cloud resources.
When a tenant fails to adhere to the terms of its tenant license, the cloud owner may revoke the access of the tenant's users to cloud resources, either permanently or at least until adherence is reestablished. Access to cloud resources may be revoked by a cloud security framework deployed in the cloud computing environment that verifies, for each request for access to a cloud resource, that the user requesting access belongs to a tenant having a license that is in good standing.
Unfortunately, conventional tenant license verification schemes for cloud computing environments are suboptimal. Some schemes require that each cloud resource have code dedicated to the verification function enabling the resource to interoperate with the cloud security framework. Some schemes require that each user seeking access to a cloud resource submit, in addition to a user credential, information identifying the tenant to which the user belongs. Additionally, some schemes do not allow the rules and policies governing tenant license verification to be adapted without reconfiguring the framework.