Providing customers with visibility into the security and compliance of services in their cloud infrastructure environment.

A customer dashboard system filters and presents cloud infrastructure security and compliance information to customers, addressing the lack of visibility and control, ensuring transparency and privacy.

JP2026520293APending Publication Date: 2026-06-23ORACLE INT CORP

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
ORACLE INT CORP
Filing Date
2024-04-29
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Cloud service provider customers lack visibility into the security and compliance information of their cloud infrastructure environment, while CSP operators have access to this information, creating a gap in transparency and control.

Method used

A system is implemented that provides a customer dashboard with filtered security and compliance information, derived from CSP-level data, ensuring customers can view a subset of this information, excluding sensitive details, thereby bridging the visibility gap.

Benefits of technology

Customers gain insights into their cloud infrastructure's security and compliance status, enhancing transparency and control, while maintaining data privacy and security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026520293000001_ABST
    Figure 2026520293000001_ABST
Patent Text Reader

Abstract

This document discloses a technology for presenting information on the infrastructure security and compliance of services in a customer cloud environment on a customer dashboard. The information presented on the customer dashboard is a subset of information available to operators associated with the Cloud Service Provider (CSP). A Tier 1 dashboard service retrieves information on the infrastructure security and compliance of services in the customer cloud infrastructure environment. The Tier 1 dashboard service presents this information to CSP operators on the CSP dashboard. The CSP dashboard is inaccessible to customer operators. A Tier 2 dashboard service then retrieves the infrastructure security and compliance information from the Tier 1 dashboard service, filters the infrastructure security information, and generates a subset of information on the security and compliance of services. This subset of infrastructure security and compliance information is presented on the customer dashboard to operators associated with the CSP's customers.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] Claims of Benefit, Related Applications, Incorporation by Reference Each of U.S. Patent Application No. 18 / 648,185, filed Apr. 26, 2024, and U.S. Provisional Patent Application No. 63 / 462,880, filed Apr. 28, 2023, is hereby incorporated by reference herein. Here, the Applicant hereby withdraws any disclaimer of any claim scope in the parent application or during the prosecution of that application, and reports to the United States Patent and Trademark Office that the claim scope in the present application may be broader than any claim in the parent application.

[0002] Here, the Applicant hereby withdraws any disclaimer of any claim scope in the parent application or during the prosecution of that application, and reports to the United States Patent and Trademark Office that the claim scope in the present application may be broader than any claim in the parent application.

[0003] Technical Field This disclosure relates to cloud environments. In particular, this disclosure relates to providing visibility to customers of cloud service providers regarding the security and compliance of services in a customer cloud infrastructure environment.

Background Art

[0004] Background The use of cloud computing environments enables access to a wide range of complementary cloud-based components, such as software applications or services, whereby an organization or enterprise customer can operate their respective applications and services in a highly available hosting environment.

[0005] As an advantage of an organization migrating the needs of its respective applications and services to the cloud environment, the costs and complexities of designing, building, operating, and maintaining its own on-premises data center, software application framework, or other information technology infrastructure are reduced.

[0006] Operators associated with a Cloud Service Provider (CSP), i.e., CSP operators, have access to a large amount of information that demonstrates the security and compliance of services in the customer's cloud infrastructure. This security and compliance information includes data such as logs from many teams across many services. This information may or may not be structured. CSP operators access this information through one or more infrastructure service dashboards. CSP customers do not have the same access to security and compliance information.

[0007] The methods described in this section are pursued, but not necessarily methods that have been conceived or pursued in the past. Therefore, unless otherwise specified, any method described in this section shall not be assumed to be eligible as prior art simply because it is included in this section.

[0008] The embodiments are shown as examples and are not limitations of the figures in the accompanying drawings. It should be noted that a reference to “an or one” embodiment in this disclosure does not necessarily refer to the same embodiment, but rather to at least one. [Brief explanation of the drawing]

[0009] [Figure 1] This figure shows a system for providing a cloud infrastructure environment according to one embodiment. [Figure 2] This figure shows a method, according to one embodiment, of providing cloud-based applications, services, or services by using a cloud infrastructure environment. [Figure 3] This figure shows an exemplary cloud infrastructure architecture according to one embodiment. [Figure 4] This figure shows another exemplary cloud infrastructure architecture according to one embodiment. [Figure 5]This figure shows another exemplary cloud infrastructure architecture according to one embodiment. [Figure 6] This figure shows another exemplary cloud infrastructure architecture according to one embodiment. [Figure 7] This figure shows a method, according to one embodiment, in which a system may provide a dedicated or private label cloud environment for use by tenants or customers of a cloud infrastructure environment. [Figure 8] This figure further illustrates the use of a private label cloud realm by a tenant or customer of a cloud infrastructure environment, according to one embodiment. [Figure 9] This figure further illustrates the use of a private label cloud realm by a tenant or customer of a cloud infrastructure environment, according to one embodiment. [Figure 10] This figure shows a system for providing access to software products or services in cloud computing or other computing environments, according to one embodiment. [Figure 11A] This figure shows a system, according to one or more embodiments, for providing a cloud service provider (CSP) customer with visibility into the security and compliance of services in the customer cloud infrastructure environment. [Figure 11B] This figure shows a system, according to one or more embodiments, for providing a cloud service provider (CSP) customer with visibility into the security and compliance of services in the customer cloud infrastructure environment. [Figure 12] This diagram shows an exemplary set of actions for providing a CSP customer with visibility into the security and compliance of services in the customer's cloud infrastructure environment, according to one or more embodiments. [Figure 13] This figure shows a customer dashboard for presenting security and compliance information associated with services in a customer cloud infrastructure environment to a CSP's customers, according to one or more embodiments. [Modes for carrying out the invention]

[0010] Detailed explanation In the following description, many specific details are included for illustrative purposes and to enable a complete understanding. One or more embodiments may be realized without these specific details. Features described in one embodiment can be combined with features described in a different embodiment. In some examples, well-known structures and devices are described in block diagram form so as not to unnecessarily obscure this disclosure.

[0011] 1. Summary 2. Exemplary Cloud Environment 3. Architecture of Security and Compliance Visibility Systems 4. Providing customers with visibility into the security and compliance of services in their cloud infrastructure environment. 5. Exemplary Customer Dashboard 6. Practical applications, benefits, and improvements 7. Other - Extensions 1. Summary In one or more embodiments, information indicating the infrastructure security and compliance of services in the customer cloud environment is presented on a customer dashboard. The information presented on the customer dashboard is a subset of information available to operators associated with the Cloud Service Provider (CSP), i.e., CSP operators. First, a tier 1 dashboard service retrieves information indicating the infrastructure security and compliance of one or more services in the customer cloud infrastructure environment. Then, a tier 2 dashboard service retrieves the infrastructure security and compliance information from the tier 1 dashboard service, filters the infrastructure security information, and generates a subset of information indicating the security and compliance of one or more services. This subset of infrastructure security and compliance information is presented on the customer dashboard to operators associated with the CSP's customers, i.e., customer operators.

[0012] In one or more embodiments, the first-tier dashboard service presents information indicating infrastructure security and compliance to CSP operators on a dashboard for CSPs. The dashboard for CSPs is inaccessible to customer operators. The first-tier dashboard obtains information indicating infrastructure security and compliance for one or more services by monitoring services and / or obtaining service logs in the customer cloud environment.

[0013] In one or more embodiments, infrastructure security and compliance information for one or more services is filtered to generate a subset of infrastructure security and compliance information presented to the customer operator. The second-tier dashboard service may filter the information by removing sensitive and / or designated information from the infrastructure security information.

[0014] In one or more embodiments, a first compliance regime for a first set of services of a customer cloud infrastructure environment and a second compliance regime for a second set of services of the customer cloud infrastructure environment are selected. In a first customer dashboard, the system presents a first visual representation of a first compliance status of the first set of services according to the first compliance regime. In a second customer dashboard, the system presents a second visual representation of a second compliance status of the second set of services according to the second compliance regime.

[0015] This general term may also include cases where one or more embodiments described herein and / or recited in the claims are not included.

[0016] 2. Exemplary Cloud Environments One or more embodiments provide functions associated with a cloud environment that includes a dedicated or private label cloud (PLC) environment. The cloud environment can be utilized by, for example, customers or tenants of cloud infrastructure providers or resellers to access software products, services, or other cloud services.

[0017] The use of cloud computing or a cloud infrastructure environment enables access to a wide range of complementary cloud-based components, such as software applications or services, which allows an organization or enterprise customer to operate their respective applications and services in a highly available hosting environment.

[0018] As a benefit of an organization migrating the needs of its respective applications and services to a cloud infrastructure environment, the costs and complexities of designing, building, operating, and maintaining its own on-premises data center, software application framework, or other information technology infrastructure are reduced.

[0019] Cloud infrastructure environment Figures 1 and 2 show a system for providing a cloud infrastructure environment according to one embodiment.

[0020] According to one embodiment, the components and processes shown in Figure 1 may be provided as software or program code executable by a computer system or other type of processing device (e.g., a cloud computing system), as will be described separately herein with respect to various embodiments.

[0021] The illustrated examples are provided to illustrate computing environments that may be used by cloud infrastructure tenants to provide a dedicated or private-label cloud environment used for accessing subscription-based software products, services, or other services associated with the cloud infrastructure environment. According to other embodiments, various components, processes, and features described herein may be used in other types of cloud computing environments.

[0022] As shown in Figure 1, according to one embodiment, the cloud infrastructure environment 100 may operate on a cloud computing infrastructure 102 that includes hardware (e.g., processors, memory), software resources, and other application programming interfaces (APIs) that provide access to shared cloud resources via one or more cloud interfaces 104 or one or more load balancers A106, B108. The cloud interface 102 includes user interfaces and APIs provided by the cloud service provider for interacting with its cloud services. This includes tools and platforms that enable users and administrators to manage, configure, and monitor cloud resources and services. The cloud interface 102 may include a console, such as a web-based user interface, that provides a visual way to interact with and manage cloud resources. Through this console, users can create, configure, and monitor cloud services such as compute instances, databases, storage, and networking components. The cloud interface 102 may also include a command-line interface for users who prefer to work with the cloud infrastructure using command-line tools. In one embodiment, the CLI enables the scripting and automation of cloud management tasks.

[0023] According to one embodiment, load balancers A106 and B108 are services that distribute incoming network traffic across multiple servers, instances, or other resources to prevent excessive demand load on a single resource. By uniformly distributing requests across resources, the load balancers enhance the responsiveness and availability of resources such as applications, websites, or databases. Load balancers A106 and B108 may be public load balancers accessible from the internet and used to distribute external traffic, or they may be private load balancers used within a virtual cloud network (VCN) and not accessible from the public internet (making them ideal for distributing internal traffic). In one embodiment, load balancers A106 and B108 are designed for high availability and fault tolerance and are implemented in a redundant configuration spanning multiple availability domains or fault domains.

[0024] According to one embodiment, the cloud infrastructure environment supports the use of availability domains, such as availability domain A180 and availability domain B182, which enable customers to create and access cloud networks 184, 186, and to run cloud instances A192 and B194. In one embodiment, availability domain A180 and availability domain B182 may represent data centers or a set of data centers located within a region. These availability domains may be isolated from each other, meaning they cannot share the same physical infrastructure, such as power or cooling systems. This design provides a high degree of fault independence and robustness. In one embodiment, fault domains may provide additional protection and resilience within a single availability domain by grouping hardware and infrastructure within availability domains that are isolated from other fault domains. This isolation may relate to electricity, cooling, and other potential sources of failure.

[0025] In one embodiment, a tenancy (a container of resources used by a tenant) may be created for each cloud tenant / customer (e.g., tenant A142, tenant B144), which provides a secure, isolated partition within the cloud infrastructure environment, allowing customers to create, organize, and manage their respective cloud resources. Cloud tenants / customers can access each of their respective cloud instances by accessing availability domains and cloud networks. Because tenancies are isolated from other tenancies, each customer's data and resources are secure and inaccessible to others. Within a tenancy, customers can create, manage, and organize a wide range of cloud resources, including compute instances, storage volumes, and networks. Identity and Access Management (IAM) services also enable the management of users, groups, and policies within the tenancy. Through IAM, customers can manage who can access each resource and what actions each can take. Tenancies are also the level at which billing and subscription management are handled. Usage and costs associated with resources within a tenancy are tracked and billed collectively under that tenancy. Each tenancy may be associated with specific service limits and allocations for various resources. These limits can be used to assist with capacity management and facilitate resource distribution among tenants.

[0026] According to one embodiment, a computing device such as a client device 120 having device hardware 122 (for example, a processor and memory) and a graphical user interface 126 can generate or update cloud services by a user such as an administrator communicating with a cloud infrastructure environment via a network such as a wide area network, a local area network, or the internet.

[0027] According to one embodiment, the cloud infrastructure environment provides access to shared cloud resources 140, for example, via a compute resource layer 150, a network resource layer 160, and / or a storage resource layer 170. Customers can meet their compute and application requirements by launching cloud instances as needed. After the customer provisions and launches the cloud instances, client devices such as client device 120 can access the provisioned cloud instances.

[0028] In one embodiment, compute resources 150 may include resources such as a bare metal cloud instance 152, a virtual machine 154, a graphics processing unit (GPU) compute cloud instance 156, and / or a container 158. A bare metal instance represents a physical server with dedicated hardware that is entirely allocated to a single tenant. A bare metal instance provides direct access to the server's processor, memory, storage, and other hardware resources. A virtual machine (VM) is a software emulation of a physical computer that runs applications such as operating systems and physical computers. A VM enables the operation of multiple operating systems on a single physical machine or across multiple machines. A hypervisor layer exists between the hardware and the virtual machine to allocate physical resources (CPU, memory, and storage, etc.) to each VM. In one embodiment, a GPU compute cloud instance provides a GPU in addition to conventional CPU resources. These instances are designed for tasks requiring significant parallel processing capabilities and are ideal for applications such as machine learning, scientific computing, 3D rendering, and video processing. In one embodiment, container 158 uses a virtualization method that enables virtualization of the operating system by running multiple isolated applications on a single control host. Each container is lightweight and efficient because it shares the host system's kernel while operating in an isolated user space.

[0029] The use of compute resource 150 components allows applications to be deployed and run as in an on-premises data center by provisioning and managing bare metal compute cloud instances or cloud instances as needed. For example, according to one embodiment, the cloud infrastructure environment can provide control of physical host (bare metal) machines in the compute resource layer that operate directly as compute cloud instances on bare metal servers without a hypervisor.

[0030] Furthermore, according to one embodiment, the cloud infrastructure environment can provide control over virtual machines in the compute resource layer, which can be launched, for example, from an image, and the type and amount of resources available to the virtual machine cloud instance can be determined, for example, based on the image from which the virtual machine was launched.

[0031] According to one embodiment, the network resource layer may include multiple network-related resources such as a virtual cloud network (VCN) 162, a load balancer 164, edge services 166, and / or connectivity services 168. In one embodiment, the virtual cloud network (VCN) is a customizable private network in a cloud environment. The VCN provides a virtual version of a traditional network and includes subnets, route tables, and gateways. This allows users to configure their own cloud-based network architecture according to their respective requirements. In one embodiment, the edge services 166 include services and technologies designed to bring computing, data storage, and networking capabilities closer to where they are needed. The edge services 166 may be used to optimize traffic, reduce latency, or provide other benefits.

[0032] In one embodiment, the storage resource layer may include several resources, such as a data / block volume 172, file storage 174, object storage 176, and / or local storage 178. The data / block volume 172 provides unformatted block-level storage that can be used to generate a file system that hosts a database or for other purposes that require unformatted storage. In one embodiment, the file storage 174 provides a file system and can also provide a shared file system that can be accessed simultaneously by multiple instances using a standard file storage protocol. The object storage 176 manages data as objects in a storage bucket. An object may have certain attributes and may include data, metadata, and a unique identifier. The local storage 178 represents a storage device that is physically attached to the host computer.

[0033] As shown in Figure 2, according to one embodiment, the cloud infrastructure environment may include a wide range of complementary cloud-based components, such as cloud infrastructure applications and services 200, enabling organizations or enterprise customers to operate their respective applications and services in a highly available host environment.

[0034] According to one embodiment, a self-contained cloud region may be provided as a fully dedicated (e.g., OCI) region within an organization's data center, providing data center operators with the agility, scalability, and cost-effectiveness of, for example, an OCI (Oracle Cloud Infrastructure) public cloud, while maintaining complete control over data and applications to meet security, regulatory, or data residency requirements.

[0035] For example, according to one embodiment, such an environment may include racks physically and logically managed by a cloud infrastructure provider (e.g., Oracle), customer racks, access for cloud operators for configuration and hardware support, power and cooling for the customer's data center, customer floor space, areas for customer data center personnel, and physical access cages.

[0036] In one embodiment, a dedicated region provides tenants / customers with the same set of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) products or services (e.g., ERP, Financial, HCM, and SCM) available in the public cloud region of a cloud infrastructure provider (e.g., Oracle). Customers can seamlessly lift and shift legacy workloads by using the cloud infrastructure provider's services (e.g., bare metal compute, VMs, and GPUs), database services (e.g., Oracle Autonomous Database), or container-based services (e.g., Oracle Container Engine for Kubernetes).

[0037] According to one embodiment, the cloud infrastructure environment may operate according to an Infrastructure as a Service (IaaS) model that enables the provision of virtualized computing resources over a public network (e.g., the Internet).

[0038] In the IaaS model, a cloud infrastructure provider can host infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., hypervisor layer)). Additionally, the cloud infrastructure provider may offer a variety of services associated with these infrastructure components (examples include billing software, monitoring software, logging software, load balancing software, or clustering software). Because these services can be policy-driven, IaaS users can maintain application availability and performance by implementing policies that promote load balancing.

[0039] In one embodiment, an IaaS customer can access resources and services through a wide area network (WAN), such as the internet, and use the cloud infrastructure provider's services to install other elements of their application stack. For example, a user can log in to the IaaS platform and create virtual machines (VMs), install operating systems (OS) on each VM, deploy middleware such as databases, create storage buckets for workloads and backups, and install enterprise software on those VMs. The customer can then use the provider's services to perform various functions, such as distributing network traffic, troubleshooting application issues, monitoring performance, or managing disaster recovery.

[0040] In one embodiment, the cloud infrastructure provider may, but does not have to be, a third-party service specializing in providing IaaS (e.g., granting, leasing, or selling). Alternatively, an entity could deploy a private cloud and become its own infrastructure service provider.

[0041] In one embodiment, IaaS deployment is the process of placing a new application or a new version of an application on a prepared application server, etc. It may also include the process of preparing the server (e.g., installing libraries or daemons). This is often managed by the cloud infrastructure provider under the hypervisor layer (e.g., servers, storage, network hardware, and virtualization). Therefore, the customer may be responsible for handling (OS), middleware, and / or application deployment (e.g., on self-service virtual machines that can be spun up on demand).

[0042] In one embodiment, IaaS provisioning may represent acquiring the computers or virtual hosts to be used, and further, installing the necessary libraries or services for them. In most cases, deployment does not include provisioning, and provisioning may need to be performed first.

[0043] According to one embodiment, the challenges of IaaS provisioning include, firstly, the provisioning of an initial set of infrastructure before anything is operational. Secondly, after all provisioning is complete, the challenge of developing the existing infrastructure (e.g., adding new services, modifying services, removing services, etc.). In some cases, these two challenges can be addressed by enabling the declarative definition of infrastructure configuration. In other words, the infrastructure (e.g., required components and the manner in which those components interact) can be defined by one or more configuration files. Thus, the overall topology of the infrastructure (e.g., resource dependencies and the manner in which each resource acts as a whole) can be described declaratively. In some cases, once the topology is defined, a workflow can be generated to form and / or manage the various components described in the configuration files.

[0044] In one embodiment, a cloud infrastructure can have many interconnected elements. For example, there may be one or more virtual private clouds (VPCs), also known as core networks (e.g., potential on-demand pools of configurable and / or shared computing resources). In some examples, there may also be one or more inbound / outbound traffic group rules that provision the way inbound and / or outbound network traffic is configured, as well as one or more virtual machines (VMs). Other infrastructure elements such as load balancers and databases may also be provisioned. The infrastructure can evolve gradually as there is a demand for and / or addition of more infrastructure elements.

[0045] According to one embodiment, the adoption of sequential deployment technology can enable the deployment of infrastructure code across various virtual computing environments. Furthermore, the described technology can enable infrastructure management within these environments. In some examples, a service team may write code that is desirable to be deployed to one or more (but often many) different generation environments (e.g., across various geographical locations). However, in some examples, the infrastructure to which the code is deployed requires provisioning. In some cases, provisioning can be performed manually, using provisioning tools to provision resources, and / or using deployment tools to deploy code after the infrastructure has been provisioned.

[0046] Figure 3 shows an exemplary cloud infrastructure architecture according to one embodiment. As shown in Figure 3, according to one embodiment, the service operator 202 may be connected to a secure host tenancy 204 which may include a virtual cloud network (VCN) 206 and a secure host subnet 208.

[0047] In some cases, a service operator may use one or more client computing devices, which may be portable handheld devices (e.g., telephones, computing tablets, personal digital assistive devices (PDAs)) or wearable devices (e.g., head-mounted displays) capable of running software such as Microsoft Windows and / or a variety of mobile operating systems such as iOS and Android, and capable of using email, short message service (SMS), or other communication protocols. Alternatively, a general-purpose personal computer (PC) may be a client computing device, such as a PC and / or laptop computer running various versions of Microsoft Windows®, Apple Macintosh®, and / or Linux® operating systems. A workstation computer may also be a client computing device running any of a variety of commercially available UNIX® or UNIX-like operating systems, such as, but not limited to, various GNU / Linux operating systems such as Chrome OS. As an addition or alternative, a client computing device may be any other electronic device, such as a thin client computer that can communicate over a network with access to a VCN and / or the Internet, an internet-enabled gaming system (e.g., a Microsoft Xbox game console), and / or a personal messaging device.

[0048] According to one embodiment, the VCN may comprise an LPG that can be connected to an SSH VCN via a local peering gateway (LPG) 210 included in a Secure Shell (SSH) VCN 212. The SSH VCN may comprise an SSH subnet 214, and the SSH VCN may be connected to a control plane VCN via an LPG included in a control plane VCN 216. The SSH VCN may also be connected to a data plane VCN 218 via an LPG. The control plane VCN and the data plane VCN may be included in a service tenancy 219 that is owned and / or operated by a cloud infrastructure provider.

[0049] According to one embodiment, the control plane VCN may comprise a control plane buffer zone (DMZ) layer 220 that functions as a perimeter network (e.g., part of the corporate network between the corporate intranet and the external network). DMZ-based servers have limited liability and can help contain potential breaches. The DMZ layer may also comprise a control plane application layer 224 that may include one or more load balancer (LB) subnets 222, an application subnet 226, and a control plane data layer 228 that may include a database (DB) subnet 230 (e.g., a front-end DB subnet and / or a back-end DB subnet). The LB subnets included in the control plane DMZ layer may be connected to application subnets included in the control plane application layer and an internet gateway 234 that may be included in the control plane VCN. The application subnets may be connected to DB subnets, a service gateway 236, and a network address translation (NAT) gateway 238 included in the control plane data layer. The control plane VCN may comprise a service gateway and a NAT gateway.

[0050] According to one embodiment, the control plane VCN may comprise a data plane mirror application layer 240 which may include application subnets. The application subnets included in the data plane mirror application layer may comprise virtual network interface controllers (VNICs) capable of running compute instances. The compute instances may communicate-couple the application subnets of the data plane mirror application layer to the application subnets that may be included in the data plane application layer.

[0051] According to one embodiment, a data plane VCN may comprise a data plane application layer, a data plane DMZ layer, and a data plane data layer. The data plane DMZ layer may comprise an LB subnet that can be connected to the application subnet of the data plane application layer and the internet gateway of the data plane VCN. The application subnet may be connected to the service gateway and the NAT gateway of the data plane VCN. The data plane data layer may comprise a DB subnet that can be connected to the application subnet of the data plane application layer.

[0052] According to one embodiment, the internet gateways of the control plane VCN and the data plane VCN can be connected to a metadata management service 252 which can be connected to the public internet 254. The public internet can be connected to the NAT gateways of the control plane VCN and the data plane VCN. The service gateways of the control plane VCN and the data plane VCN can be connected to a cloud service 256.

[0053] According to one embodiment, a service gateway of a control plane VCN or a data plane VCN can make application programming interface (API) calls to a cloud service without using the public internet. API calls from the service gateway to the cloud service can be unidirectional. The service gateway can make API calls to the cloud service, and the cloud service can send the requested data to the service gateway. Generally, the cloud service does not need to initiate the API call to the service gateway.

[0054] According to one embodiment, a secure host tenancy may be directly connected to or otherwise isolated from a service tenancy. The secure host subnet can communicate with an SSH subnet via an LPG that can enable two-way communication through a system that is otherwise isolated. By connecting the secure host subnet to the SSH subnet, the secure host subnet becomes accessible to other entities within the service tenancy.

[0055] According to one embodiment, the control plane VCN may enable users of a service tenancy to configure or provision desired resources. Desired resources provisioned in the control plane VCN may be deployed or used in the data plane VCN. In some examples, the control plane VCN can be isolated from the data plane VCN, and the data plane mirror application layer of the control plane VCN can communicate with the data plane application layer of the data plane VCN via VNICs that may be included in the data plane mirror application layer and the data plane application layer.

[0056] According to one embodiment, a user of the system, i.e., a customer, can make a request (e.g., create, read, update, or erase an action (CRUD)) over the public internet, and the public internet can send the request to a metadata management service. The metadata management service can send the request to the control plane VCN through an internet gateway. The request may be received by an LB subnet included in the control plane DMZ layer. The LB subnet may determine that the request is valid, and in response to this determination, the LB subnet can send the request to an application subnet included in the control plane application layer. If the request is validated and a call to the public internet is required, the call to the public internet may be sent to a NAT gateway capable of making calls to the internet. The metadata to be stored in the request may be stored in a DB subnet.

[0057] According to one embodiment, the data plane mirror application layer can facilitate direct communication between the control plane VCN and the data plane VCN. For example, it is desirable that configuration changes, updates, or other preferred modifications be applied to resources contained in the data plane VCN. The control plane VCN can perform configuration changes, updates, or other preferred modifications to resources by communicating directly with the resources contained in the data plane VCN via the VNIC.

[0058] According to one embodiment, the control plane VCN and the data plane VCN may be included in the service tenancy. In this case, the system user, i.e., the customer, does not have to own either the control plane VCN or the data plane VCN, or does not have either of them running. Alternatively, the cloud infrastructure provider may own both the control plane VCN and the data plane VCN, or have both running, or both may be included in the service tenancy. This embodiment can enable network isolation that can prevent interaction between the user, i.e., the customer, and other users, i.e., other customers' resources. Furthermore, this embodiment can enable private storage of databases by the system user, i.e., the customer, without having to rely on the public internet, which may not have the desired level of threat prevention for storage.

[0059] According to one embodiment, the LB subnet included in the control plane VCN can be configured to receive signals from the service gateway. In this embodiment, the control plane VCN and the data plane VCN may be configured to be invoked by the cloud infrastructure provider's customers without calling the public internet. The cloud infrastructure provider's customers may desire this embodiment because the databases they use can be stored in a service tenancy that is controlled by the cloud infrastructure provider and isolated from the public internet.

[0060] Figure 4 shows another exemplary cloud infrastructure architecture according to one embodiment.

[0061] As shown in Figure 4, according to one embodiment, the data plane VCN may be included in the customer tenancy 221. In this case, the cloud infrastructure provider may provide a control plane VCN for each customer, or the cloud infrastructure provider may configure a unique compute instance included in the service tenancy for each customer. Each compute instance may enable communication between the control plane VCN included in the service tenancy and the data plane VCN included in the customer tenancy. The compute instance may enable the deployment or use of resources provisioned in the control plane VCN included in the service tenancy in the data plane VCN included in the customer tenancy.

[0062] According to one embodiment, a customer of a cloud infrastructure provider may have a database managed and operated within the customer tenancy. In this example, the control plane VCN may comprise a data plane mirror application layer that may include application subnets. The data plane mirror application layer may reside in the data plane VCN, but does not have to reside in the data plane VCN. That is, the data plane mirror application layer may be accessible to the customer tenancy, but does not have to reside in the data plane VCN, nor does it have to be owned or operated by the customer. The data plane mirror application layer may be configured to make calls to the data plane VCN, but may not be configured to make calls to any entities included in the control plane VCN. The customer may want to deploy or use resources in the data plane VCN that are provisioned in the control plane VCN, and the data plane mirror application layer may facilitate the deployment or other use of the resources desired by the customer.

[0063] According to one embodiment, a customer of a cloud infrastructure provider can apply filters to a data plane VCN. In this embodiment, the customer can determine what the data plane VCN can access, and may also restrict the data plane VCN's access to the public internet. The cloud infrastructure provider may not be able to apply filters or control the data plane VCN's access to any external network or database. The application of filters and controls by the customer to the data plane VCN included in the customer tenancy may help isolate the data plane VCN from other customers and the public internet.

[0064] According to one embodiment, a cloud service can access services that do not exist on the public internet, a control plane VCN, or a data plane VCN through a call from a service gateway. The connection between the cloud service and the control plane VCN or data plane VCN does not have to be continuous. The cloud service may reside on different networks owned or operated by the cloud infrastructure provider. The cloud service may be configured to receive calls from a service gateway and may be configured not to receive calls from the public internet. Some cloud services may be isolated from other cloud services, and a control plane VCN may be isolated from cloud services that cannot be in the same region as the control plane VCN.

[0065] For example, according to one embodiment, the control plane VCN may be located in "Region 1," and the cloud service "Deployment 1" may be located in both Region 1 and "Region 2." If a call to Deployment 1 is made by a service gateway included in the control plane VCN located in Region 1, the call may be sent to Deployment 1 in Region 1. In this example, the control plane VCN or Deployment 1 in Region 1 does not have to be communication-coupled to Deployment 1 in Region 2, nor does it have to communicate with Deployment 1 in Region 2.

[0066] Figure 5 shows another exemplary cloud infrastructure architecture according to one embodiment.

[0067] As shown in Figure 5, according to one embodiment, the trusted application subnet 260 can be connected to a service gateway included in the data plane VCN, a NAT gateway included in the data plane VCN, and a DB subnet included in the data plane data layer. The untrusted application subnet 264 can be connected to a service gateway included in the data plane VCN and a DB subnet included in the data plane data layer. The data plane data layer may include a DB subnet that can be connected to a service gateway included in the data plane VCN.

[0068] According to one embodiment, a non-trusted application subnet may comprise one or more primary VNICs (1) to (N) that can be connected to tenant virtual machines (VMs). Each tenant VM may be connected to each of the application subnets 267 (1) to (N) that may be included in each of the container output VCNs 268 (1) to (N) that may be included in each of the customer tenancies 270 (1) to (N). Each secondary VNIC can facilitate communication between the non-trusted application subnet included in the data plane VCN and the application subnet included in the container output VCN. Each container output VCN may comprise a NAT gateway that can be connected to the public internet.

[0069] According to one embodiment, the public internet can be connected to a NAT gateway included in the control plane VCN and the data plane VCN. The service gateway included in the control plane VCN and the data plane VCN can be connected to a cloud service.

[0070] According to one embodiment, a data plane VCN can be integrated with a customer tenancy. This integration may be useful or desirable for a cloud infrastructure provider's customer when additional support may be required when executing code. For example, the customer may provide code to be executed, which may be destructive, communicate with other customer resources, or have undesirable effects.

[0071] According to one embodiment, a customer of a cloud infrastructure provider may grant temporary network access to the cloud infrastructure provider and request functionality to be granted to the data plane application layer. The code that performs this functionality may run on a VM and may not be configured to run elsewhere on the data plane VCN. Each VM may be connected to one customer tenancy. Each container (1) to (N) contained within a VM may be configured to run code. In this case, a double isolation may exist (for example, the container running the code may be contained in a VM that is at least in a non-trusted application subnet), which may help prevent damage to the cloud infrastructure provider's network or the networks of other customers by erroneous or undesirable code. The containers may be communication-coupled to the customer tenancy and may be configured to send or receive data to or from the customer tenancy. The containers may be configured not to send or receive data to or from any other entity in the data plane VCN. Upon completion of code execution, the cloud infrastructure provider may destroy the containers.

[0072] In one embodiment, a trusted application subnet may execute code owned or operated by the cloud infrastructure provider. In this embodiment, the trusted application subnet may be connected to a DB subnet and may be configured to perform CRUD operations in the DB subnet. A non-trusted application subnet may be connected to a DB subnet and may be configured to perform read operations in the DB subnet. Containers contained within each customer's VM and capable of executing code from the customer do not need to be connected to a DB subnet.

[0073] In one embodiment, the control plane VCN and the data plane VCN do not have to be directly connected, nor do they have to have direct communication with each other. However, indirect communication is possible, and an LPG (Landing Platform) that facilitates communication between the control plane VCN and the data plane VCN may be established by the cloud infrastructure provider. In another example, the control plane VCN or the data plane VCN can make calls to cloud services via a service gateway. For example, a call from the control plane VCN to a cloud service may include a request for a service that can communicate with the data plane VCN.

[0074] Figure 6 shows another exemplary cloud infrastructure architecture according to one embodiment.

[0075] As shown in Figure 6, according to one embodiment, a trusted application subnet can be connected to a service gateway included in the data plane VCN, a NAT gateway included in the data plane VCN, and a DB subnet included in the data plane data layer. A non-trusted application subnet can be connected to a service gateway included in the data plane VCN and a DB subnet included in the data plane data layer. The data plane data layer may include a DB subnet that can be connected to a service gateway included in the data plane VCN.

[0076] According to one embodiment, a non-trusted application subnet may have a primary VNIC that can be connected to tenant virtual machines (VMs) residing within the non-trusted application subnet. Each tenant VM is capable of executing code in each container and can be connected to an application subnet that may be included in the data plane application layer, which may be included in the container output VCN 280. Secondary VNICs 282(1) to (N) can each facilitate communication between the non-trusted application subnet included in the data plane VCN and the application subnet included in the container output VCN. The container output VCN may have a NAT gateway that can be connected to the public internet.

[0077] According to one embodiment, the Internet gateway included in the control plane VCN and the data plane VCN can be connected to a metadata management service that can be connected to the public internet. The public internet can be connected to the NAT gateway included in the control plane VCN and the data plane VCN. The service gateway included in the control plane VCN and the data plane VCN can be connected to a cloud service.

[0078] According to one embodiment, the pattern shown in Figure 6 can be considered an exception to the pattern shown in Figure 5 and is considered desirable for customers when the cloud infrastructure provider cannot communicate directly with the customer (for example, in an unconnected region). Each container contained in a VM for each customer is accessible to the customer in real time. The container may be configured to make calls to each of the secondary VNICs contained in the application subnet of the data plane application layer, which may be contained in the container output VCN. The secondary VNIC can send the calls to a NAT gateway, which may send the calls to the public internet. In this example, the containers accessible to the customer in real time can be isolated from the control plane VCN, as well as from other entities contained in the data plane VCN. The containers can also be isolated from the resources of other customers.

[0079] In other examples, a customer can use a container to invoke a cloud service. In this example, a customer can execute code in a container that requests a service from the cloud service. The container can send this request to a secondary VNIC, the secondary VNIC can send the request to a NAT gateway, and the NAT gateway can send the request to the public internet. The public internet can be used to send the request to an LB subnet included in the control plane VCN via an internet gateway. In response to a determination that the request is valid, the LB subnet can send the request to an application subnet, and the application subnet can send the request to the cloud service via a service gateway.

[0080] Naturally, the IaaS architecture shown in the above drawings may have components other than those shown. Furthermore, the embodiments shown in the drawings are merely examples of cloud infrastructure systems that may encompass one embodiment of this disclosure. In some other embodiments, the IaaS system may have more or fewer components than shown, may combine two or more components, or may have different configurations or arrangements of components.

[0081] In one embodiment, the IaaS system described herein may include a set of applications, middleware, and database services delivered to the customer in a self-service, subscription-based, elastically scalable, reliable, highly available, and secure manner.

[0082] Private label cloud environment According to one embodiment, the use of a cloud infrastructure environment can provide a dedicated cloud environment as one or more private-label cloud environments used by tenants of the cloud infrastructure environment when accessing subscription-based software products, services, or other services associated with the cloud infrastructure environment.

[0083] Figure 7 illustrates, according to one embodiment, how a system may provide a dedicated or private label cloud environment for use by tenants or customers of a cloud infrastructure environment.

[0084] As shown in Figure 7, according to one embodiment, a cloud infrastructure provider (e.g., OCI (Oracle Cloud Infrastructure)) can supply one or more Private Label Cloud (PLC) environments to a PLC operator 320 (e.g., an OCI customer acting as a reseller). The PLC operator / reseller can then customize and expand the Private Label Cloud used by each of their customers 330 for accessing subscription-based software products, services, or other services associated with the cloud infrastructure environment.

[0085] For illustrative purposes, examples of subscription-based products, services, or other services include various Oracle Cloud Infrastructure software products, Oracle Fusion Applications products, or other products or services that enable customers to register for the use of these products or services.

[0086] Figure 8 further illustrates the use of a private label cloud realm by a tenant or customer of a cloud infrastructure environment, according to one embodiment.

[0087] As shown in Figure 8, according to one embodiment, the system may include a cloud subscription service or component (referred to herein as an OCS (Oracle Cloud Subscriptions) service or component in some embodiments) that exposes one or more subscription management APIs or other components used in the PLC realm 400 to generate orders used to initiate a workflow for integrating new customers or generating subscriptions to organize billing and pricing services.

[0088] According to one embodiment, when a PLC operator or their respective customers request a PLC environment, the system generates a PLC realm for use in one or more provider-owned tenancies. A realm is a logical set of one or more cloud regions that are isolated from each other, ensuring that customer content does not cross realm boundaries into regions outside of that realm. Each realm is accessed separately. PLC operators access cloud resources and services through cloud tenancies. A cloud tenancy is a secure, isolated partition of OCI and exists in only one realm. Within this tenancy, operators can access services and deploy workloads across all regions within that realm, if policies permit.

[0089] According to one embodiment, the first step of this process is to generate an operator tenancy for the PLC operator before the realm and associated regions are transferred for subsequent management. The PLC operator then becomes the administrator of this tenancy and can view and manage everything that happens within the realm (each customer account for cloud resources and their use by those customers).

[0090] Generally, once a realm is transferred to or provided to a PLC operator, the cloud infrastructure provider cannot access the data within the operator tenancy unless the operator grants that cloud infrastructure provider authorization (for example, permission to troubleshoot potential problems).

[0091] According to one embodiment, the PLC operator can then generate additional internal tenancies intended for internal use (e.g., evaluating the end customer experience, providing sales demo tenancies, or operating a database for internal use). The operator can also generate one or more customer tenancies where the end customer is the administrator. Cloud infrastructure usage criteria (e.g., compute usage, storage usage, and usage of each infrastructure resource) can, through integration by the operator, reflect both operator and customer usage. Cloud infrastructure usage may be reported to the cloud infrastructure provider.

[0092] According to one embodiment, a user interface or console may be provided that allows the PLC operator to manage their customer accounts and customer-provided services. Furthermore, a cloud infrastructure provider may use a cloud infrastructure tenancy (e.g., a Fusion Applications tenancy) to install any required infrastructure services used by the operator and their respective customers.

[0093] Figure 9 further illustrates the use of a private label cloud realm by a tenant or customer of a cloud infrastructure environment, according to one embodiment.

[0094] As shown in Figure 9, according to one embodiment, the OCS (Oracle Cloud Subscriptions) service or component exposes one or more subscription management APIs or other components for generating orders used to initiate a workflow that generates new customer integrations or subscriptions and organizes billing and pricing services.

[0095] Furthermore, according to one embodiment, the system may include a billing service or component that operates on a subscription and preferred billing account or logical container used to generate customer invoices.

[0096] Furthermore, according to one embodiment, the system may include a subscription pricing service (SPS) or component that operates on a product catalog defining products available for purchase by customers. The subscription pricing service may also be used to provide price lists (e.g., rate cards) owned by the pricing service.

[0097] In one embodiment, products may be selected from a product hub to support the sales process used to generate subscriptions in the PLC realm. Once an order is generated, a subscription is created in the OCS, which later manages the lifecycle of the subscription and provisions any necessary provisioning in downstream services. The SPS component then manages the pricing and usage patterns used in billing the final cost to the PLC operator or to each customer. Usage events are forwarded to the billing service or component, an invoice is generated according to the subscription's billing preference, and pushed to the account receivables component.

[0098] In one embodiment, services provided within a realm report their usage to a metering service or component, but such usage is not associated with a price. For example, by applying a rate card, the valuation process determines the cost of each specific event, determines the unit and cost of the subscription, associates the cost with the record, and then forwards it to the billing service or component.

[0099] As further shown in Figure 9, according to one embodiment, a PLC operator may control multiple realms A, B. For example, an operator operating in multiple countries may want to operate a completely isolated data center for the United States and a separate completely isolated data center for Europe, for example, to meet governance or regulatory requirements. According to one embodiment, usage associated with these multiple realms can be aggregated and used for billing the operator.

[0100] The various system examples described above are provided to illustrate computing environments that may be used by cloud infrastructure tenants to provide a dedicated or private-label cloud environment used for accessing subscription-based software products, services, or other services associated with the cloud infrastructure environment. According to other embodiments, various components, processes, and features described herein may be used in other types of cloud computing environments.

[0101] Private Label Cloud Subscription Figure 10 shows a system, according to one embodiment, for providing access to software products or services in cloud computing or other computing environments.

[0102] As shown in Figure 10, according to one embodiment, the system may be provided as a cloud computing or other computing environment that supports the use of subscription-based products, services, or other services, but in some embodiments herein, it will be referred to as a platform.

[0103] Examples of subscription-based products, services, or other services as described above include various Oracle Cloud Infrastructure software products, Oracle Fusion Applications products, or other products or services that enable customers to register to use these products or services.

[0104] According to one embodiment, a subscription may include artifacts such as products, commits, billing models, and status. The OCS service may expose one or more subscription management APIs or other components for generating orders used to initiate workflows that integrate new customers or generate subscriptions to create a proper footprint in billing and pricing services, as described separately below.

[0105] According to one embodiment, a billing service or component operates on subscription and preference billing accounts or logical containers used to generate invoices. Each billing account generates one or more invoices per billing cycle. The billing service includes a first pipeline that accepts usage and costs from the metering service or component. Usage may be accepted through a REST API or another interface. The billing service writes usage to a database which may serve as the basis for calculating or aggregating balances by the billing service or other services. The billing service may also include a second pipeline responsible for retrieving aggregated usage and commits and calculating charges across one or more billing intervals.

[0106] In one embodiment, a subscription pricing service (SPS) or component operates on a product catalog that defines the products available to the customer for purchase. The product catalog forms the framework of the price list (i.e., rate cards) owned by the pricing service. The rate cards are modeled as pricing rules on publicly available prices. The pricing service maintains a single price list for each product, and new product prices may be added as well as existing prices may be changed. The price list has a full history, and the latest version is the current rate card. Some contracts may require taking a snapshot of the rate card, so the pricing service handles this by recording the time the customer's rate card was generated and then querying the price list for that time.

[0107] According to one embodiment, the SPS or pricing service is responsible for providing information on products, global price lists, end-customer subscription-specific price lists, and discounts. For example, according to one embodiment, the SPS can synchronize product information from Oracle Fusion Product Hub and global price lists from Oracle Fusion Pricing Hub.

[0108] In one embodiment, the OCS service operates as an upstream service that receives new order requests from, for example, an Oracle Fusion Order Management environment. The OCS service can provide subscription information to the SPS service. Based on subscription details such as estimated time, configuration, and subscription type (Commitment, PayG), the SPS determines the effective base price (rate card) of the subscription. The OCS service can also send discounts on subscriptions received from, for example, Oracle Fusion Order Management, which the SPS stores as a pricing rule entity.

[0109] According to one embodiment, the SPS service operates as a background process managing a rate card service or component responsible for generating rate cards for new subscriptions and updating them when new price changes occur. The SPS service can expose APIs to access rate cards and pricing rules. By utilizing these APIs, the instrumentation inline rating engine can obtain subscription-specific rate cards and pricing rules and use this data for cost calculations.

[0110] According to one embodiment, additional SPS components may include, for example, a Pricing / Product Hub OIC (Oracle Integration Cloud) integration component, which enables PLC operator entities providing subscription-based products, services, or other services within the environment to manage product and pricing lists, such as those provided by Oracle Fusion Product Hub and Oracle Fusion Pricing Hub, respectively.

[0111] For example, according to the embodiment described above, the SPS OIC product integration flow can listen for generation / update events in the product hub and make calls to the SPS product API. Similarly, the SPS OIC pricing integration flow can pull new price list generation from the pricing hub and make calls to the SPS pricing API.

[0112] Furthermore, according to one embodiment, the system may comprise an SPS core module that provides an API for managing and accessing pricing entities. Pricing can be accessed by internal services such as an inline rating engine.

[0113] Furthermore, according to one embodiment, the system may include a rate card management component. The SPS service maintains a single base price for a product over a given period of time. However, the product price for a subscription is determined by the base price at the estimated configuration time and the subscription's price list change policy attribute. The SPS service uses these properties to internally maintain the prices used for subscriptions. Such price lists are grouped in rate cards. The rate card manager can generate and maintain rate cards, as well as listen for price list changes and update existing rate cards with new prices. It can also listen for new subscriptions and assign rate cards based on subscription properties.

[0114] Furthermore, according to one embodiment, the system may include a rule decoding engine. The SPS service is responsible for managing subscription pricing rules (including discounts offered to end customers). Eligibility for pricing rules may be based on product attributes, such as discount groups, product categories, or specific SKUs. The SPS needs to internally identify a list of products to which these rules apply. To achieve this, the rule decoding engine can compile pricing rules in a format that an inline rating engine can consume for cost calculation. This compilation process may be triggered when a product or pricing rule is generated / updated.

[0115] As illustrated in Figure 10, according to one embodiment, in 441, product and pricing information managed in, for example, Fusion Applications is sent to the SPS component. In 442, the order is sent to the OCS component, generating a subscription, rate card, and billing account. In 443, pricing configuration and pricing rules are sent to the SPS for the new order. In 444, the use of OCS sets up a billing account in the billing service or component. In 445, OCS issues an event to the OCI streaming component. In 446, the billing data is sent to the account receivable component, generating an invoice. In 447, OCS consumes collection and subscription lifecycle (RASL) events from OCI streaming. In 448, the activation service reads the OCS event stream. In 449, the customer obtains activation data from the portal. In 450, the tenancy lifecycle service provisions the tenancy as part of subscription activation. In 451, the tenancy lifecycle service generates an account footprint during account provisioning. In 452, the tenancy lifecycle service sets the limit template during account provisioning. In 453, the account component acts as a downstream RASL client handling legacy reuse. In 454, aggregated costs and usage are sent to the billing service or component. In 455, the organization can create child tenancies using the tenancy lifecycle service. In 456, the metering service or component obtains subscription mapping data. In 457, the subscription service obtains organization data for subscription mapping. In 458, RASL reads the OCS event stream.In 459, the subscription service reads the OCS event stream, and in 460, the measurement service or component obtains rate card data per subscription, which is then used in billing the PLC operator for the final cost or in billing each customer.

[0116] The above examples are provided to illustrate computing environments that may be used by cloud infrastructure tenants to provide a dedicated or private-label cloud environment used for accessing subscription-based software products, services, or other services associated with the cloud infrastructure environment. According to other embodiments, various components, processes, and features described herein may be used in other types of cloud computing environments.

[0117] 3. Architecture of Security and Compliance Visibility Systems Figure 11A shows a system 1100 according to one or more embodiments. As shown in Figure 11A, the system 1100 comprises a cloud infrastructure environment 1102, a customer operator interface 1104, and a CSP operator interface 1106. In one or more embodiments, the components comprising the system 1100 may be more or fewer than those shown in Figure 11A. The components shown in Figure 11A may be local or remote to each other. The components shown in Figure 11A may be implemented in software and / or hardware. The components may be distributed across multiple applications and / or machines. Alternatively, multiple components may be combined as a single application and / or machine. Also, the operations described for one component may be performed by another component as an alternative.

[0118] In one or more embodiments, the cloud infrastructure environment 1102 represents hardware, software, networking, and storage components that enable the delivery of cloud computing services. The cloud infrastructure environment 1102 further comprises hardware and / or software configured to perform the operations described herein for providing the CSP's customers with visibility into the infrastructure security and compliance of the services in the cloud infrastructure environment 1102. An example of operations for providing customers with visibility into the infrastructure security and compliance of the services in the cloud infrastructure environment 1102 is described later with reference to Figure 12.

[0119] In one or more embodiments, the cloud infrastructure environment 1102 is implemented on one or more digital devices. The term “digital device” generally refers to any hardware device comprising a processor. A digital device may also refer to a physical device running an application or virtual machine. Examples of digital devices include computers, tablets, laptops, desktops, notebooks, servers, web servers, network policy servers, proxy servers, general-purpose machines, function-specific hardware devices, hardware routers, hardware switches, hardware firewalls, hardware network address converters (NATs), hardware load balancers, mainframes, televisions, content receivers, set-top boxes, printers, mobile phones, smartphones, personal digital assistive devices (PDAs), wireless receivers and / or transmitters, base stations, communication management devices, routers, switches, controllers, access points, and / or client devices.

[0120] In one or more embodiments, the cloud infrastructure environment 1102 is a cloud computing infrastructure provided by a first entity (e.g., a CSP) to a second entity (e.g., a CSP's customer). The CSP's customer provides cloud services to a third entity (e.g., an organization or business operator). The CSP develops and provides cloud infrastructure technologies that power the cloud infrastructure environment 1102. The CSP's customer owns and deploys the cloud infrastructure environment 1102. The CSP's operator, i.e., the CSP operator, maintains and updates the core functionality of the cloud infrastructure environment 1102. The operator associated with the CSP's customer, i.e., the customer operator, is responsible for managing the cloud infrastructure environment 1102, including providing Level 1 and Level 2 support. Level 1 support may include initial contact with users or customers of cloud resources and may provide assistance with basic troubleshooting and common issues. Level 2 support may include handling raised support tickets, conducting thorough analysis and troubleshooting of technical issues, and identifying potential issues by performing root cause analysis. Level 2 support includes advanced technical guidance and solutions, and may further include higher-level support or collaboration with a special team for complex issues requiring additional expertise. Higher-level support is provided by CSP operators, i.e., CSP operators.

[0121] In one or more embodiments, a CSP operator can access extensive security and compliance information for services in the cloud infrastructure environment 1102 through a CSP dashboard 1144. This information may include data from scanners, audit trails, ZTB audits, and workload protection from many teams across many services. The security and compliance information may be structured or unstructured data. A customer operator can access a subset of this security and compliance information through a customer dashboard 1142. As described in more detail below, a first-tier dashboard service 1112 retrieves the security and compliance information for services and presents it to the CSP dashboard 1144, and a second-tier dashboard service 1118 retrieves a subset of the security and compliance information and presents it to the customer dashboard 1142. The customer operator cannot access the CSP dashboard 1144.

[0122] In one or more embodiments, the infrastructure services 1108 of the cloud infrastructure environment 1102 include resources that enable the delivery, management, and operation of cloud-based solutions. The infrastructure services 1108 include a wide range of services, including (a) compute services (e.g., virtual machines, containers), (b) storage services (e.g., object storage, block storage), (c) networking services (e.g., virtual networks, load balancing), (d) database services (e.g., relational databases, NoSQL databases), (e) identity and access management (e.g., authentication, authorization), (f) monitoring and logging (e.g., criteria monitoring, logging, and auditing), and / or (g) security services (e.g., firewalls, encryption).

[0123] In embodiments, the infrastructure service 1108 includes exploitation services, fraud services, security services, and compliance services. The exploitation service or exploitation management service addresses and mitigates various forms of exploitation or misuse of cloud resources and services. Exploitation may include activities such as spam, phishing, malware distribution, denial-of-service (DoS) attacks, unauthorized access, or any behavior that violates the CSP's terms of service or usage rules. The fraud service or fraud detection service detects, prevents, and mitigates fraudulent activity occurring within the cloud infrastructure environment 1102 or fraudulent activity associated with cloud-based services. Fraudulent activity may include unauthorized access, data breaches, identity theft, financial fraud, and other forms of malicious behavior aimed at exploiting cloud resources or compromising cloud-based systems. The security service protects cloud-based resources, applications, and data from various security threats and vulnerabilities. The security service can mitigate risks, enforce security policies, and maintain compliance with regulatory requirements. Compliance services ensure adherence to data protection, privacy, security, and governance-related regulatory requirements, industry standards, and internal policies.

[0124] In one or more embodiments, the data collector 1110 is a component or software tool that collects various types of data from cloud resources for purposes such as monitoring, security analysis, compliance audits, and performance evaluation. The data collector 1110 may comprise a data collection agent, a detector, a scanning engine, and a scanner. The data collection agent is a software component installed on a cloud resource or service that collects security-related data. The data collection agent can collect a wide range of information, including system logs, configuration settings, and specific security events. The detector is a special tool and mechanism used to detect and address potential security threats, performance issues, or operational inefficiencies. The scanning engine is a tool that analyzes the cloud infrastructure environment 1102 to identify vulnerabilities, misconfigurations, and compliance with security best practices.

[0125] In one or more embodiments, the data collection agent includes a monitoring agent, a log collection agent, and a security agent. The monitoring agent is deployed with virtual machines, containers, or cloud services and collects performance and health status information. The monitoring agent monitors CPU usage, memory utilization, disk I / O, network traffic, and other resource criteria to ensure optimal performance and availability of cloud resources. The log collection agent collects logs generated by cloud services, virtual machines, containers, and Platform as a Service (PaaS) services. The log collection agent collects application events, system behavior, security incidents, API calls, and configuration changes and associated logs within the cloud infrastructure environment. The security agent collects security-related data and events from various cloud services and resources. The security agent monitors security threats, vulnerabilities, and compliance violations within the cloud environment. The security agent may also collect data such as firewall logs, intrusion detection alerts, access control events, encryption status, and identity and access management (IAM) behavior.

[0126] In one or more embodiments, the data collection agent further includes a configuration management agent, a performance monitoring agent, and a compliance and governance agent. The configuration management agent collects data on configuration settings and resource provisioning within the cloud environment. The configuration management agent collects information on virtual machine settings, network settings, storage settings, access control, and compliance settings. The performance monitoring agent collects data on application performance, response time, latency, and user experience within the cloud environment. The performance monitoring agent monitors application dependencies, database performance, API performance, and transaction throughput. The compliance and governance agent collects data related to compliance requirements, regulatory standards, and governance policies within the cloud environment. The compliance and governance agent monitors compliance breaches, security risks, and policy deviations.

[0127] In one or more embodiments, the first-tier dashboard service 1112 is a tool or platform that provides a CSP operator with an interface for monitoring and managing various components of the cloud infrastructure environment 1102. The first-tier dashboard service 1112 provides real-time visibility into the performance, availability, security, and compliance of infrastructure resources such as servers, networks, databases, applications, and cloud services. The first-tier dashboard service 1112 may be associated with one or more of the infrastructure services 1108. The cloud infrastructure environment 1102 may include multiple first-tier dashboard services.

[0128] In one or more embodiments, the first-tier dashboard service 1112 displays real-time data and metrics related to the health and performance of one or more infrastructure services 1108 of the cloud infrastructure environment 1102 on a dashboard 1144 for the CSP. The data and metrics may include CPU usage, memory utilization, disk I / O, network traffic, and application performance metrics. The first-tier dashboard service 1112 may include alert and notification mechanisms to notify administrators and operators of important events, performance issues, security incidents, and compliance violations. Alerts may be configured based on predetermined thresholds and conditions. The first-tier dashboard service 1112 may generate charts, graphs, tables, and other visual information that represent the data and metrics in the dashboard 1144 for the CSP in a meaningful and intuitive manner.

[0129] In one or more embodiments, the first-tier dashboard service 1112 can be configured to display relevant information and criteria based on specific requirements and / or operator preferences. The first-tier dashboard service 1112 may generate custom dashboards for various services, projects, or use cases. With respect to infrastructure data, the first-tier dashboard service 1112 may be integrated with one or more data collection agents. The first-tier dashboard service 1112 may also include monitoring tools and logging systems for collecting data.

[0130] In one or more embodiments, the Application Programming Interface (API) 1114 is a set of rules, protocols, and tools that enable communication between various services and software applications. The API 1114 defines the methods and data formats that applications use to request and exchange information, perform actions, and access services provided by other software components, systems, or platforms. The API 1114 acts as an intermediary, facilitating interoperability and integration between heterogeneous software systems to enable seamless connectivity.

[0131] In embodiments, API 1114 defines interfaces or endpoints through which services interact with each other. These interfaces specify supported methods, parameters, and data formats for communication. API 1114 can ensure interoperability between various systems, regardless of the underlying technology, by using standardized protocols for communication, such as HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP Secure). API interactions may follow a request-response model in which one service (e.g., a second-tier dashboard service 1118) uses the API to send a request to another service (e.g., a first-tier dashboard service 1112). In response to receiving the request, the first-tier dashboard service 1112 processes the request and returns a response to the second-tier dashboard service 1118 containing the requested data or performing the requested action.

[0132] In an embodiment, API 1114 uses HTTP methods (GET, POST, PUT, DELETE, etc.) to define the type of operation to be performed. For example, a GET request is used to read data, while a POST request is used to submit data to be processed. Each API endpoint is identified by a unique URL (Uniform Resource Location Specifier) ​​or URI (Uniform Resource Identifier) ​​corresponding to a specific resource or operation provided by the API. Clients interact with the API by accessing these endpoints. Depending on the API design, an API request may include parameters passed in the request URL, request headers, or request body. These parameters provide additional information or context about the request, such as search criteria, authentication tokens, or data to be processed.

[0133] In one or more embodiments, the authorization service 1116 is a system and component responsible for managing access control and authorization for operators, applications, and resources in the cloud infrastructure environment 1102. The authorization service 1116 ensures that authorized users or entities have an appropriate level of access to cloud resources, data, and functionality. The authorization service 1116 may include Identity and Access Management (IAM), Access Control Lists (ACLs), Key Management Services (KMS), API authorization and authentication, and Network Security Groups (NSGs).

[0134] In embodiments, the IAM service manages user identities, access rights, and permissions for accessing cloud services and resources. The IAM service includes a variety of functions such as user authentication, authorization, user provisioning and deprovisioning, role-based access control, multi-factor authentication, and centralized policy management. The IAM service enables organizations to define and enforce granular access control based on roles, groups, or individual users, ensuring that access to specific resources or the ability to perform certain actions is restricted to authorized users.

[0135] In some embodiments, ACLs are used to define and enforce access control policies at the resource level, such as for storage buckets, virtual machines, or databases. ACLs specify which users or entities have access rights to a particular resource, and which actions (e.g., read, write, execute) these users or entities are permitted to perform. The KMS service manages cryptographic keys used for encrypting and decrypting data in a cloud environment. By controlling access to cryptographic keys through access policies, the KMS service allows organizations to define who can manage and use cryptographic keys, thereby protecting highly sensitive data.

[0136] In some embodiments, APIs provide programmatic access to resources and functionalities. API authorization and authentication services manage access to these APIs, ensuring that interactions with cloud resources through the APIs are restricted to authorized applications or services. API authorization and authentication services may use standards such as OAuth 2.0 or JSON Web Tokens to secure API access. NSGs are used to define and enforce network-level access control within the cloud environment. NSGs specify rules that control inbound and outbound traffic to cloud resources based on source and destination IP addresses, ports, and protocols.

[0137] In one or more embodiments, the second-tier dashboard service 1118 is a tool or platform that provides customer operators with an interface for monitoring and managing various components of infrastructure services 1108 in a cloud infrastructure environment 1102. The second-tier dashboard service 1118 provides real-time visibility into the performance, availability, security, and compliance of infrastructure resources such as servers, networks, databases, applications, and cloud services through a customer dashboard 1142. The second-tier dashboard service 1118 provides a subset of security and compliance information available to the CSP provider. The second-tier dashboard service 1118 may comprise one or more components for filtering, sorting, or organizing security and compliance information collected by the data collector 1110. For example, the second-tier dashboard service 1118 may comprise a configuration manager 1122, a privacy filtering engine 1124, a security insights engine 1126, and a universal compliance engine 1128 for generating a subset of security and compliance information associated with infrastructure services 1108 and presenting it on the customer dashboard 1142.

[0138] In one or more embodiments, the configuration manager 1122 of the second-tier dashboard service 1118 manages and controls dashboard settings, user preferences, data sources, and the visual presentation of data. The configuration manager 1122 performs a variety of functions, including customization and personalization, data integration and management, customer operator access control and security management, configuration templates, performance optimization, compliance, and regulatory compliance. With the configuration manager, customer operators can personalize their respective dashboard experiences, including widget setup, definition of key criteria, selection of visual representations (graphs, charts, etc.), and configuration notifications and alerts. The configuration manager can ensure seamless integration of various data sources into the dashboard. This includes configuring APIs, setting up data feeds, and optimizing the data refresh rate to keep information up-to-date without overloading the data sources. The configuration manager 1122 may also ensure that customer operator access is restricted to appropriate data and functions by managing customer operator roles and permissions. Role and permission management may include implementing authentication mechanisms and enforcing security and compliance policies through integration with existing identity management systems.

[0139] In embodiments, the configuration manager 1122 monitors and optimizes the performance of the second-tier dashboard service 1118 to ensure the service runs efficiently across devices and networks. This includes managing how data is cached, how queries are executed, and how results are delivered. The configuration manager 1122 may ensure that dashboards comply with data governance and privacy laws, which is particularly important when dealing with highly sensitive or personal data. Depending on the configuration settings, data can be displayed in a way that complies with regional and international compliance standards. The configuration manager 1122 may also provide templates or predetermined configurations to help new customer operators quickly set up dashboards relevant to their needs. Templates may be based on job descriptions, departmental needs, or industry-specific standards.

[0140] In one or more embodiments, the privacy filtering engine 1124 masks or edits sensitive information (e.g., personally identifiable information (PII) and confidential information) in security and compliance reports, logs, and dashboards. Masking and editing include preventing unauthorized access or disclosure by replacing sensitive data with placeholder values ​​or obfuscating the information. For example, in security logs or compliance reports, PII such as names, email addresses, and identification numbers may be masked. Tokenization includes replacing sensitive data with randomly generated tokens or placeholder values. Tokenization preserves the format and length of the original data while protecting confidentiality. Tokenization of security and compliance information in cloud infrastructure can hide PII and confidential data while still allowing analysis and monitoring. Dynamic data masking technology dynamically obfuscates sensitive information based on user permissions and roles. Dynamic data masking restricts the viewing of full data to authorized users, while other users see masked or edited data. Applying dynamic data masking to security and compliance information allows restricting access to sensitive data based on user permissions. The privacy filtering engine 1124 allows CSPs to selectively disclose non-confidential information while concealing PII and sensitive data. This ensures that relevant security and compliance information remains available for analysis and reporting without disclosing confidential data to unauthorized parties.

[0141] In one or more embodiments, the privacy filtering engine 1124 comprises a feature detection component that uses a machine learning model trained on policies that define feature detection rules for identifying and filtering highly sensitive information. These policies enable automated filtering and editing based on predetermined conditions and thresholds by specifying criteria for recognizing PII and sensitive data within security and compliance information. This enables real-time or near-real-time filtering of PII and sensitive information.

[0142] In one or more embodiments, the security insight engine 1126 analyzes security and compliance information of infrastructure services 1108 provided by the data collector 1110 to identify potential security breaches or threats, i.e., insights. More specifically, the security insight engine 1126 comprises a first component that analyzes security and compliance information (e.g., audit logs provided to the second-tier dashboard service 1118) by understanding logs using semantic analysis. A second component of the security insight engine 1126 identifies patterns through correlations of behavior or actions among one or more of the infrastructure services 1108. A third component of the security insight engine 1126 identifies security breaches and potential threats corresponding to the identified patterns. The security insight engine 1126 may also provide an alert to the operator when a threat is detected. Alternatively, the security insight engine 1126 may determine the probability of a threat and warn the operator if the probability of a threat exceeds a threshold.

[0143] In one embodiment, the security insight engine 1126 uses a machine learning model trained on policies that define rules for semantic analysis of security and compliance information, correlation of behavior between services, and identification of security breaches and threats. These policies enable automated alerts to customer operators based on predetermined conditions and thresholds by specifying criteria for recognizing security breaches and threats within security and compliance information.

[0144] In one or more embodiments, the universal compliance engine 1128 determines compliance of infrastructure services 1108 in the cloud infrastructure environment 1102 with respect to one or more compliance regimes 1140. The cloud infrastructure environment and / or customers of the cloud infrastructure environment may be subject to one or more compliance regimes 1140. Customer operators may determine compliance of one or more of the infrastructure services 1108 by selecting one or more compliance regimes. The universal compliance engine 1128 may provide compliance details to a first customer for a first compliance regime and compliance details to a second customer for a second compliance regime.

[0145] In one embodiment, the universal compliance engine 1128 uses a machine learning model trained on policies that define rules for compliance regimes 1140. These policies specify criteria for identifying infrastructure services associated with a compliance regime, and information necessary to determine the compliance level of the infrastructure services.

[0146] In one or more embodiments, the compliance rules used by the universal compliance engine 1128 are defined by a matrix. The rows of the matrix correspond to different compliance regimes, and the columns correspond to the type of security control for each compliance regime.

[0147] In one or more embodiments, the data repository 1120 is any type of storage unit and / or device for storing data (e.g., a file system, database, table set, or any other storage mechanism). Furthermore, the data repository 1120 may include multiple different storage units and / or devices. The multiple different storage units and / or devices may be of the same type or not, and may be located at the same physical site or not. Furthermore, the data repository 104 may be implemented or running on the same computing system as the cloud infrastructure environment 1102. As an addition or alternative, the data repository 104 may be implemented or running on a computing system separate from the cloud infrastructure environment 1102. The data repository 104 may be communicated and coupled to the cloud infrastructure environment 1102, either directly or via a network.

[0148] Information representing the provision of visibility to customers regarding security and compliance information for services in the cloud infrastructure environment 1102 may be implemented across any of the components within system 1100. However, for clarity and explanatory purposes, this information is presented in the data repository 1120.

[0149] In one or more embodiments, the configuration information 1132 includes information associated with the dashboard layout and user interface. The dashboard may have a pre-configured or standard layout that can be selected by the customer operator. Alternatively, the dashboard layout may be customizable by the operator. This may include customizable widgets or sections. These adjustments allow the operator to display the information most relevant to the customer. For example, the customer operator may customize various features, including UI settings, data visualization options, alerts and notifications, and user management settings.

[0150] In one or more embodiments, configuration information 1132 includes operator selections for customizing the dashboard layout and visual elements according to their respective preferences or operational needs. Configuration information 1132 may include options to adjust the dashboard to various accessibility needs, such as font size, color contrast, and screen reader support. Configuration information may include customer operator selections for various types of data visualizations, such as line graphs, bar graphs, pie charts, and maps, based on the type of data to be displayed. Configuration information may include configuration settings for enabling or disabling real-time data updates. Configuration information may include operator selections that define how data is aggregated and filters that can be applied when focusing on a particular data subset. Configuration information may include operator selections for custom alerts based on identified thresholds or events. Configuration information may include operator preferences regarding how and when notifications are received.

[0151] In one or more embodiments, the authorization database 1130 is a centralized repository of authorization, access control, and approval settings for various resources within the cloud infrastructure environment 1102. The authorization database 1130 can be used by the authorization service 1116 to enforce security policies, manage user access, and ensure compliance with regulatory requirements. The authorization database 1130 may store information about users, groups, roles, and associated authorizations for accessing specific resources or performing certain actions. The authorization information may include various details such as user IDs, resource identifiers, granted authorizations (e.g., read, write, erase), and any conditions or restrictions associated with the authorizations. This database provides a centralized location for managing access control and approval policies across the entire cloud infrastructure environment 1102.

[0152] In one or more embodiments, the machine learning algorithm 1134 is an algorithm capable of training a target model f that optimally maps a set of input variables to output variables through iteration. In particular, the machine learning algorithm 1134 is configured to generate and / or train models used by the privacy filtering engine 1124, the security insight engine 1126, and the universal compliance engine 1128.

[0153] A machine learning algorithm is an algorithm that, through iteration, can train a target model f that optimally maps a set of input variables to output variables using a set of training data. The training data includes a dataset and associated labels. The dataset is associated with the input variables of the target model f. The associated labels are associated with the output variables of the target model f. The training data may be updated, for example, based on predictions by the target model f and feedback on the current accuracy of the target model f. The updated training data is fed back into the machine learning algorithm, which updates the target model f.

[0154] The machine learning algorithm 1134 generates a target model f that best fits the training data dataset to the labels of the training data. Alternatively, the machine learning algorithm 1134 may generate a target model f that, when applied to the training data dataset, determines the maximum number of results that match the labels of the training data. Furthermore, different target models may be generated based on different machine learning algorithms and / or different sets of training data.

[0155] Machine learning algorithms may include supervised and / or unsupervised components. Various types of algorithms may be used, such as linear regression, logistic regression, linear discriminant analysis, classification and regression trees, naive Bayes, k-nearest neighbors, learning vector quantization, support vector machines, bagging and random forests, boosting, backpropagation, and / or clustering.

[0156] In one or more embodiments, the privacy rule 1136 is a framework that aligns data usage with privacy standards by clearly indicating data elements, their respective privacy classifications, intended use, and applicable controls. The privacy rule 1136 may be provided in a structured format such as a table.

[0157] In one or more embodiments, the security rules 1138 used by the security insight engine 1126 are defined by a matrix. Rows in the matrix correspond to different services, and columns correspond to different types of attacks. The security rules 1138 may be associated with the identification of unusual access patterns, vulnerability trends, changes in network traffic, failed login attempts, compliance deviations, anomalous user behavior, anomalies in software and hardware inventories, and security misconfigurations.

[0158] In one or more embodiments, Compliance Regime 1140 includes a set of laws, regulations, standards, and best practices that define how data and infrastructure in the cloud should be managed for data protection, privacy, and security. Compliance Regime 1140 varies depending on the industry, the type of data handled, and the geographical location of both the CSP and its customers.

[0159] Examples of compliance regimes that impact cloud infrastructure environments on a regional basis include, in the United States, the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISM), the Federal Information Security Management Program (FedRAMP), the Open Security Management Assessment Language (OSCAL), and the Children's Online Privacy Protection Act (COPPA); in the European Union, the General Data Protection Regulation (GDPR); in the United Kingdom, the UK General Data Protection Regulation (UKGDPR) and the Data Protection Act (DPA) 2018; in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA); in the Asia Pacific region, the Personal Data Protection Act (PDPA) and the Personal Information Protection Act (APPI); and in Australia, the Privacy Act 1988 (including the Australian Privacy Principles). HIPAA applies to healthcare providers, payers, and their respective business partners. HIPPA sets standards for protecting highly confidential patient data. FISMA governs the security of information systems used by U.S. federal government agencies and emphasizes the importance of information security management. FedRAMP provides a standardized methodology for security assessment, approval, and ongoing monitoring of cloud products and services used by U.S. federal government agencies. OSCAL is a set of formats developed by the U.S. National Institute of Standards and Technology that standardizes the representation, implementation, and assessment of security controls and compliance in information systems and environments, including cloud infrastructure. OSCAL provides a framework for describing system security controls, security implementation details, and security assessment results in a structured, machine-readable format. COPPA imposes certain requirements on operators of websites or online services targeting children under the age of 13, as well as operators of other websites or online services that are aware of collecting personal information online from children under the age of 13. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens in transactions occurring within EU member states.It also regulates the export of personal data outside the EU and the European Economic Area. Post-Brexit Britain has a UK version of the GDPR that faithfully reflects the EU's GDPR, which applies particularly to data protection in the UK. DPA 2018 complements the UK GDPR and sets out UK-specific exemptions and additional data protection rules. PIPEDA regulates how private sector organizations collect, use, and disclose personal information in the course of their commercial operations. Countries such as Singapore and Thailand have their own versions of PDPA designed to protect individual personal data and ensure organizations comply with data protection requirements. Japan's Data Protection Act, APPI, regulates the use of personal information. The Privacy Act 1988 regulates the handling of personal information by businesses and government agencies in Australia.

[0160] Examples of compliance regimes that impact cloud infrastructure environments based on global and industry-specific standards include ISO / IEC 27001 and PCI DSS (Payment Card Industry Data Security Standard). ISO / IEC 27001 is an international standard for information security management methods. PCI DSS is a mandatory compliance for entities that store, process, or transmit cardholder data.

[0161] In one or more embodiments, the customer operator interface 1104 represents hardware and / or software configured to facilitate interaction between the customer operator and the cloud infrastructure environment 1102. The customer operator interface 1104 provides user interface elements and accepts input through these user interface elements. Examples of interfaces include graphical user interfaces (GUIs), command-line interfaces (CLIs), haptic interfaces, and voice command interfaces. Examples of user interface elements include checkboxes, radio buttons, drop-down lists, list boxes, buttons, toggles, text fields, date and time selectors, command lines, sliders, pages, and forms.

[0162] In one embodiment, different components of the customer operator interface 1104 are defined in different languages. The behavior of user interface elements is defined in a dynamic programming language such as JavaScript. The content of user interface elements is defined in a markup language such as Hypertext Markup Language (HTML) or XML User Interface Language (XUL). The layout of user interface elements is defined in a stylesheet language such as Cascading Style Sheets (CSS). Alternatively, the customer operator interface 1104 is defined in one or more other languages ​​such as Java, C, or C++.

[0163] In one or more embodiments, the customer operator interface 1104 includes a customer dashboard 1142. The customer dashboard 1142 includes widgets 1142 for providing customer operators with visibility into security and compliance information for infrastructure services 1108 of the cloud infrastructure environment 1102. Widgets 1144 are standalone applications or components that display content or provide specific functions on the customer dashboard 1142. Widgets 1144 are interactive and used to improve the customer operator experience by providing fast access to frequently used functions or critical information. Widgets 1144 provide real-time insights, alerts, and analysis regarding the security posture and compliance status of the cloud infrastructure environment 1102. Widgets 1144 may correspond to individual infrastructure services.

[0164] In one or more embodiments, the CSP operator interface 1106 represents hardware and / or software configured to facilitate communication between the CSP operator and the cloud infrastructure environment 1102. The CSP operator interface 1106 provides user interface elements on the CSP dashboard 1146 and accepts input through these user interface elements. Examples of interfaces include graphical user interfaces (GUIs), command-line interfaces (CLIs), haptic interfaces, and voice command interfaces. Examples of user interface elements include checkboxes, radio buttons, drop-down lists, list boxes, buttons, toggles, text fields, date / time selectors, command lines, sliders, pages, and forms.

[0165] In one embodiment, different components of the CSP operator interface 1106 are defined in different languages. The behavior of user interface elements is defined in a dynamic programming language such as JavaScript. The content of user interface elements is defined in a markup language such as Hypertext Markup Language (HTML) or XML User Interface Language (XUL). The layout of user interface elements is defined in a stylesheet language such as Cascading Style Sheets (CSS). Alternatively, the CSP operator interface 1106 is defined in one or more other languages ​​such as Java, C, or C++.

[0166] Figure 11B shows a cloud infrastructure environment 1102a according to one or more embodiments. As shown in Figure 11B, the cloud infrastructure environment 1102 includes a realm R which includes a first region Region 1 and one or more additional regions Region N. Cloud regions are isolated from each other. A realm is a logical set of one or more cloud regions. Realms are accessed separately. Customers in a region cannot cross realm boundaries to regions outside of that realm.

[0167] As shown in the diagram, Region 1 includes customer-owned tenancies 1150 and provider-owned tenancies 1152. Customer-owned tenancies 1150 may include customer tenancies 1154, one or more internal tenancies 1156, and one or more end-user tenancies 1158. Customer-owned tenancies 1150 represent tenancies owned by the CSP's customers, and end-user tenancies 1158 represent tenancies owned by the CSP's customers' end-users or clients.

[0168] The provider-owned tenancy 1152 may include authorization services 1116a, infrastructure services, a second-tier dashboard service 1118a, and a customer dashboard 1142a. Authorization services 1116a provide customer operators 1160 and CSP operators 1162 with access to various components in the cloud infrastructure environment 1102a. As indicated by the arrows starting from authorization services 1116a, CSP operators 1162 have access to one or more of the infrastructure services. The infrastructure services include exploitation services 1108a, fraud services 1108b, security services 1108c, compliance services 1108d, and "N" services 1108e. Customer operators 1162 have access to the customer dashboard 1142a.

[0169] Infrastructure services 1108a to 1108e communicate with the second-tier dashboard service 1118a via APIs. An infrastructure service may include one or more APIs for communicating with the second-tier dashboard service 1118a. Although not shown in the diagram, an infrastructure service may include one or more first-tier dashboard services and one or more dashboards for CSPs.

[0170] The second-tier dashboard service 1118a communicates with the customer dashboard 1142a to provide security and compliance information for infrastructure services to various widgets on the customer dashboard 1142a. These widgets may include an exploit widget 1144a, a malware widget 1144b, a security widget 1144c, a compliance widget 1144d, and an "N" widget 1144e. The widgets on the customer dashboard 1142a may correspond to each infrastructure service.

[0171] 4. Providing customers with visibility into the security and compliance of services in their cloud infrastructure environment. Figure 12 illustrates an exemplary set of actions to provide a customer with visibility into the security and compliance of services in their cloud infrastructure environment, according to one or more embodiments. One or more actions shown in Figure 12 may be modified, reconfigured, or omitted. Therefore, the specific order of the actions shown in Figure 12 should not be construed as limiting the scope of one or more embodiments.

[0172] In one or more embodiments, information indicating the infrastructure security of one or more services is acquired (operation 1202). The acquisition of information indicating the infrastructure security and compliance of one or more services may be performed by using data collectors deployed across the cloud infrastructure environment. The data collectors may include various agents, scanners, detectors, and scanning engines. Infrastructure security and compliance information may include logs, audit logs, reports, and other information useful for identifying security breaches and threats to infrastructure services and for determining compliance with infrastructure services. The information may be acquired in real time or near real time. Real-time or near real-time information allows operators to access the most up-to-date information.

[0173] In one or more embodiments, a first-tier dashboard service generates a dashboard for the CSP (operation 1204). The first-tier dashboard service uses information indicating the security and compliance of one or more services and displays the information on a dashboard that is visible to the CSP operator. The first-tier dashboard service may include a single dashboard service for receiving information indicating the security and compliance of one or more services from one or more services. Alternatively, the first-tier dashboard service may include a dashboard service for each of the one or more services.

[0174] In one or more embodiments, a first-tier dashboard service presents a dashboard for the CSP to the CSP operator associated with the CSP (operation 1206). The dashboard for the CSP is made available to the CSP operator through an authorization service. The authorization service authenticates the CSP operator and authorizes access to the dashboard for the CSP. Access to the dashboard for the CSP allows the CSP operator to view information indicating the security and compliance of one or more services. The dashboard for the CSP may include a single dashboard for displaying information from a service, or a dashboard for each individual service.

[0175] In one or more embodiments, it is determined whether information indicating the infrastructure security of one or more services includes sensitive information or personally identifiable information (operation 1208). Information indicating the infrastructure security and compliance of one or more services may include sensitive information and personally identifiable information. The privacy filtering engine of the second-tier dashboard service analyzes the security and compliance information to identify sensitive information and personally identifiable information.

[0176] In one or more embodiments, information indicating the infrastructure security of one or more services is filtered to remove or mask sensitive and / or personally identifiable information (operation 1210). The privacy filtering engine removes or masks the identified sensitive and personally identifiable information.

[0177] In one or more embodiments, information indicating infrastructure security and compliance for one or more services is filtered to generate a subset of information indicating infrastructure security (operation 1212). In addition to filtering sensitive and personally identifiable information, the security insights engine may filter infrastructure security and compliance information to identify security threats and breaches. The universal compliance engine may also filter infrastructure security and compliance information to identify compliance issues and determine the compliance status of one or more infrastructure services. The filtering of infrastructure security and compliance information obtained by the second-tier dashboard by the privacy filtering engine, security insights engine, and universal compliance engine generates a subset of information indicating infrastructure security and compliance.

[0178] In one or more embodiments, a customer dashboard is generated that includes a visual representation of a subset of information demonstrating infrastructure security (operation 1214). The second-tier dashboard service uses a subset of information demonstrating the security and compliance of one or more services to generate a visual representation (e.g., a table, chart, and / or graph) of the subset of information demonstrating infrastructure security. The second-tier dashboard service displays the information on a dashboard that is visible to the customer operator. The second-tier dashboard service may include one or more widgets for displaying a subset of information demonstrating the security and compliance of one or more services. The customer dashboard may be customizable by the customer and may include widgets for each of the one or more infrastructure services.

[0179] In one or more embodiments, a customer dashboard is presented to a customer operator associated with a CSP customer (operation 1216). The customer dashboard is made available to the customer operator through an authorization service. The authorization service authenticates the customer operator and authorizes the customer operator's access to the customer dashboard. Access to the customer dashboard allows the customer operator to view a subset of information indicating the security and compliance of one or more services.

[0180] 5. Exemplary Customer Dashboard For clarity, a detailed example is provided below. The components and / or operations described below should be understood as specific examples of what may be inapplicable to certain embodiments. Accordingly, the components and / or operations described below should not be construed as limiting the scope of any of the claims.

[0181] Figure 13 shows a dashboard provided to operators and administrators associated with a CSP customer. As shown, the security monitoring dashboard 1300 provides customer operators and administrators with real-time or near-real-time information related to the infrastructure security of the customer's cloud infrastructure environment. More specifically, the dashboard 1300 includes an interface or widget for providing security notifications 1302. The dashboard 1300 may also provide a security support ticket interface 1304 for customer operators to view and generate support tickets to address security issues in the cloud infrastructure environment. The dashboard 1300 provides indicators 1306 of the operational status of systems within the cloud infrastructure environment. The dashboard 1300 may further provide an interface 1308 for customer operators to obtain assistance from a CSP operator.

[0182] 6. Practical applications, benefits, and improvements In one or more embodiments, the customer dashboard provides customer operators with insights and management relevant to their specific services and environments. The customer dashboard provides information about the performance of services used by the customer, such as virtual machines, databases, and applications. The customer dashboard assists in budget management and understanding spending patterns by visualizing customer resource usage and associated costs. The customer dashboard provides real-time or near-real-time updates on the customer's compliance status against various industry and data-related standards and regulations. The customer dashboard also provides specific alerts and reports regarding the security status of the customer's environment, including any incidents and responses to those incidents.

[0183] In one or more embodiments, the functionality of a cloud infrastructure environment is enhanced. Security and compliance information is essential for the cloud infrastructure environment to continue operating as intended. When security and / or compliance issues occur, it is crucial to address these issues quickly. The technology described herein provides security and / or compliance information directly to the customer in real time or near real time, enabling the customer to take swift action and correct any problems that may arise. Thus, according to one or more embodiments, the risk of the cloud infrastructure environment being exposed to security and / or compliance issues that, if left unaddressed, could result in system downtime, data breaches, etc., is reduced.

[0184] In one or more embodiments, customer dashboards are tailored to present customer operators with the most relevant data, reducing confusion and improving usability. Customer operators can monitor and manage specific resources and applications in real time or near real time.

[0185] 7. Other - Extensions Unless otherwise defined, all terms (including technical and scientific terms) shall have the meanings that are common and customary to those skilled in the art, and shall not be limited to any special or specific meanings unless explicitly defined herein.

[0186] This application may include references to certain trademarks. While the use of the trademark is permitted in this patent application, the proprietary nature of the trademark should be respected, and all efforts should be made to prevent its use in a manner that could adversely affect its validity.

[0187] Embodiments relate to a system having one or more devices comprising a hardware processor and configured to perform any of the operations described herein and / or enumerated in any of the following claims.

[0188] In one embodiment, one or more non-temporary computer-readable storage media include instructions, when executed by one or more hardware processors, that cause one of the operations described herein and / or enumerated in any of the claims to be performed.

[0189] In one embodiment, the method comprises operations described herein and / or enumerated in any of the claims, and is performed by at least one device having a hardware processor.

[0190] In one or more embodiments, any combination of the features and functions described herein may be used. The embodiments described above have been illustrated with reference to many specific details that may differ from one embodiment to another. Therefore, this specification and the drawings are intended to be illustrative and not limiting in any way. The sole and exclusive indicator of the scope of this disclosure, and what the applicants intend as the scope of this disclosure, is the verbatim and equivalent scope of a set of claims derived from this application, having the specific form from which such claims are derived, and encompassing any subsequent amendments.

Claims

1. One or more non-temporary computer-readable media comprising instructions for performing an action when executed by one or more hardware processors, The operation described above includes obtaining information from the first-tier dashboard service indicating the infrastructure security of one or more services of a first set, A first visual representation of the information showing the infrastructure security of one or more of the first set of services is made available for a dashboard for cloud service providers (CSPs), and the operation further includes: Filtering the information indicating the infrastructure security of one or more services in the first set obtained from the first-tier dashboard service to generate a subset of the information indicating infrastructure security, To generate a first customer dashboard that includes a second visual representation of the subset of information indicating infrastructure security, One or more non-temporary computer-readable media, including presenting the first customer dashboard to a first customer operator associated with the first customer of the CSP.

2. The aforementioned operation is, The above first-tier dashboard service is at least Monitoring one or more of the aforementioned first set of services, Obtaining logs of one or more of the aforementioned first set of services, By doing so, the information indicating the infrastructure security of the service is obtained, The first-tier dashboard service generates the dashboard for the CSP, The first-tier dashboard service presents the CSP-specific dashboard to the CSP operator associated with the CSP, The one or more non-temporary computer-readable media according to claim 1, further comprising:

3. One or more non-temporary computer-readable media according to claim 1, wherein, based on one or more access policies, (a) the first customer dashboard is accessible to the first customer operator, and (b) the CSP dashboard is accessible to a CSP operator associated with the CSP and not accessible to the first customer operator.

4. The aforementioned operation is, The CSP's first customer further includes selecting a first compliance regime for one or more of the first set of services, The first customer dashboard includes a third visual representation of the first compliance status of one or more services of the first set in accordance with the first compliance regime, and the operation further includes: The CSP's second customer selects a second compliance regime for one or more services of a second set, This includes generating a second customer dashboard that includes a fourth visual representation of the second infrastructure status of one or more services in the second set, The second customer dashboard includes a fifth visual representation of the second compliance status of one or more services in the second set of services according to the second compliance regime, and the operation further includes: One or more non-temporary computer-readable media according to claim 1, comprising presenting the second customer dashboard to a second customer operator associated with the second customer of the CSP.

5. Filtering the aforementioned information indicating infrastructure security is One or more non-temporary computer-readable media according to claim 1, comprising removing one or more confidential information or personally identifiable information to generate the subset of the information indicating infrastructure security.

6. The CSP is a first entity, the first customer of the CSP is a second entity, and the first customer of the CSP provides cloud services to end users associated with a third entity, according to one or more non-temporary computer-readable media according to claim 1.

7. The first set of one or more services is hosted by the CSP, and is one or more non-temporary computer-readable media according to claim 1.

8. The first customer of the CSP registers for one or more of the first set of one or more services in one or more non-temporary computer-readable media according to claim 1.

9. The end customer of the first customer of the CSP uses one or more non-temporary computer-readable media according to claim 1, wherein the end customer of the first customer uses one or more of the first set of services.

10. The information relating to infrastructure security is made available to the first customer dashboard service via one or more APIs associated with the first tier dashboard service, according to one or more non-temporary computer-readable media according to claim 1.

11. Obtaining the information indicating the infrastructure security of one or more services of the first set from the first tier dashboard service comprises making calls to one or more APIs associated with the first tier dashboard service for the information indicating the infrastructure security of one or more services of the first set, in one or more non-temporary computer-readable media according to claim 1.

12. The one or more non-temporary computer-readable media according to claim 1, wherein the first set of one or more services includes one or more of security services, abuse detection services, fraud detection services, or compliance services.

13. A method comprising the operation described in any one of claims 1 to 13, the method being performed by at least one device including a hardware processor.

14. A system comprising at least one device including a hardware processor, configured to perform the operation described in any one of claims 1 to 13.

15. A system comprising means for performing the operation described in any one of claims 1 to 13.