System for accessing multi-cloud accounts and controlling resources via user account authentication
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- MEGAZONE CLOUD CORP
- Filing Date
- 2024-12-02
- Publication Date
- 2026-06-04
Smart Images

Figure KR2024019467_04062026_PF_FP_ABST
Abstract
Description
Multi-cloud account access and resource control system through user account authentication
[0001] An embodiment of the present invention relates to a multi-cloud account access and resource control system through user account authentication, and more specifically, to a system that integrates multi-cloud accounts into a single user account in various CSP environments such as AWS, Azure, Google Cloud Platform (GCP), Alibaba Cloud, NHN, and Naver Cloud Platform (NCP), and enables efficient access to and management of accounts and resources using temporary security credentials.
[0002] Most existing Cloud Management Platforms (CMPs) that support multi-cloud environments have had to follow different authentication schemes and access control methods depending on the Cloud Service Provider (CSP). For example, Azure manages access rights through Azure AD, while AWS defines access rights for individual accounts through Identity Access Management (IAM). In such environments, since access rights must be configured separately for each CSP, it is difficult to establish unified access rights in a multi-cloud environment, resulting in a lack of consistency in security management.
[0003] Currently, popular CMP solutions (such as Morpheusdata, Flexera, Snow Commander, and Scalr) prioritize support for major CSPs like AWS, Azure, and GCP. However, support for CSPs like Alibaba Cloud, NHN, and NCP is insufficient or restricted. For instance, Morpheusdata supports only AWS, Azure, and GCP, while Flexera provides support for only five CSPs (AWS, Azure, GCP, OCI, and Alibaba). This results in dependency on specific CSPs and makes integrated management across the entire cloud environment difficult.
[0004] Most CMPs manage accounts and permissions using their own tenant structures. For example, Morpheusdata requires access permissions to be set using its own tenant, but this necessitates separate account management and configuration per CSP without integration with CSP accounts. This approach increases the complexity of user and permission management by requiring individual account management for each CSP, making it difficult to establish consistent account and permission settings in a multi-cloud environment.
[0005] Since many CMPs do not directly integrate the IAM capabilities of CSPs, the unique security and IAM policies of each CSP cannot be used efficiently. Tools such as 'Snow Commander' and 'Scalr' support limited API access to CSP resources rather than cloud accounts, which reveals the limitation that the use of CSP IAM accounts is impossible. As a result, access to resources in the cloud is restricted, and there is a problem of reduced consistency in security settings.
[0006] Some CMPs, such as 'Scalr', enable authentication integration with specific CSPs via the SAML protocol, but this is limited to CSPs that support SAML. For CSPs that do not support SAML, authentication and access control through existing CMPs are difficult, and the need for additional authentication methods increases the burden on administrators. Such limited protocol support becomes a factor that makes integrated account management difficult in multi-cloud environments requiring Single Sign-On (SSO) functionality.
[0007] Existing CMPs face difficulties in automated provisioning and configuration management because it is challenging to comprehensively handle the unique APIs and authentication methods of each CSP. In particular, management costs increase because automation scripts tailored to various CSP environments must be written and configuration management is decentralized. Consequently, the efficient operation of multiple resources within the enterprise is limited, and issues regarding the scalability of the operational infrastructure may arise.
[0008] If the security audit and logging capabilities provided by each CSP are not integrated with the CMP, it is difficult to consistently track activity history across the cloud. For example, since Flexera and Scalr must use logging capabilities provided by their respective CSPs, it is difficult to quickly identify security incidents in a multi-cloud environment, which can lead to issues regarding auditing and regulatory compliance.
[0009] The aforementioned problems reveal limitations that make it difficult for companies using multiple cloud platforms to maintain consistency in access rights and resource management across CSPs, hinder the efficiency of account management, and increase the complexity of security management.
[0010] Prior art related to the present invention includes Registered Patent Publication No. 10-2524540 (Registration date: April 18, 2023) and Registered Patent Publication No. 10-1844786 (Registration date: March 28, 2018).
[0011] An embodiment of the present invention provides a multi-cloud account access and resource control system through user account authentication that enables enterprises using a multi-cloud platform to maintain consistency in access rights and resource management by Cloud Service Provider (CSP), increase the efficiency of account management, and minimize the complexity of security management.
[0012] A multi-cloud account access and resource control system through user account authentication according to an embodiment of the present invention includes: a user terminal receiving a multi-cloud integrated service using trust relationship linkage information for linking with a plurality of Cloud Service Providers (CSPs); and a multi-cloud platform server that performs trust relationship linkage authentication of cloud authentication centers for each of the plurality of CSPs based on the trust relationship linkage information, issues resource access rights for cloud resources for each CSP of the linkage target upon successful authentication, receives the resources, and transmits them to the user terminal to mediate the multi-cloud integrated service.
[0013] Additionally, the user terminal may include: a user account information generation unit that generates user account information by receiving information required for creating a user account; a user login unit that performs a login to the multi-cloud platform server by receiving the user account information; a trust relationship linkage information generation unit that generates the trust relationship linkage information based on the selected linkage target information and the user account information, and transmits the trust relationship linkage information to the multi-cloud platform server to request and receive resource access rights for cloud resources of the linkage target CSP; and a multi-cloud integrated service execution unit that requests resource collection by using the multi-cloud platform server or by directly accessing cloud resources of the linkage target CSP through an API or SDK provided by the linkage target CSP, and receives the requested resources.
[0014] In addition, the multi-cloud platform server may include a multi-cloud integrated authentication module that establishes trust relationship linkages with multiple CSP-specific cloud authentication centers based on the trust relationship linkage information, performs trust relationship linkage authentication with the CSP-specific cloud authentication center of the linkage target using the trust relationship linkage information when the user terminal requests resource access rights after successful login of the user terminal, and, upon successful authentication, obtains resource access rights for the CSP-specific cloud resources of the linkage target from the CSP-specific authentication sensor of the linkage target and transmits them to the user terminal.
[0015] In addition, the multi-cloud platform server may further include a multi-cloud integrated interface module that controls the user terminal to request the collection of resources from cloud resources of the CSP to be integrated based on resource access rights issued by the cloud authentication center of the CSP to be integrated, and to collect the requested resources.
[0016] In addition, the multi-cloud platform server can establish a trusted relationship with multiple CSPs using at least one of the OIDC (rfc6749) and SAML (rfc7522) protocols according to the standard certification of the IETF (Internet Engineering Task Force).
[0017] According to the present invention, various useful effects such as the following can be provided by improving user account management and resource access methods in a multi-cloud environment.
[0018] First, unique authentication schemes and access control methods provided by various Cloud Service Providers (CSPs) can be managed on a single integrated platform, enabling consistent centralized management of user account creation and access control. Furthermore, user-based integrated access control is possible on the platform without the need for additional user-specific settings for each CSP. This ease of integrated access control significantly reduces management complexity in multi-cloud environments and further enhances security and consistency.
[0019] Second, by supporting protocols such as OIDC and SAML, it enables compatibility with authentication methods and APIs that differ across CSPs, thereby allowing for consistent security management even in multi-cloud environments. This significantly enhances security by resolving security configuration inconsistencies found in existing CMPs; furthermore, by reducing the complexity of multi-cloud environments through integrated security settings while simultaneously increasing security consistency, it can improve the overall level of security management.
[0020] Third, from an administrator's perspective, access rights to various CSPs can be managed integrally at once, minimizing complex tasks such as individually setting up accounts or matching authentication methods. This reduces the burden of management tasks in a simplified work environment and improves management efficiency.
[0021] Finally, by utilizing the CSP's security audit capabilities as is and employing CMP authentication methods, all activity logs occurring in a multi-cloud environment can be consistently tracked by user across each CSP. This enables not only the effective management of audit information required for regulatory compliance but also a rapid response in the event of a security incident.
[0022] FIG. 1 is a schematic diagram showing the overall configuration of a multi-cloud account access and resource control system through user account authentication according to an embodiment of the present invention.
[0023] FIG. 2 is a block diagram showing the configuration of a user terminal according to an embodiment of the present invention.
[0024] FIG. 3 is a diagram illustrating the sequence of multi-cloud user account registration, trust relationship linkage registration, and trust relationship linkage setting according to an embodiment of the present invention.
[0025] FIG. 4 is a diagram illustrating a multi-cloud resource access sequence according to an embodiment of the present invention.
[0026] FIG. 5 is a diagram illustrating a multi-cloud resource collection sequence according to an embodiment of the present invention.
[0027] FIG. 1 is a schematic diagram showing the overall configuration of a multi-cloud account access and resource control system through user account authentication according to an embodiment of the present invention, FIG. 2 is a block diagram showing the configuration of a user terminal according to an embodiment of the present invention, FIG. 3 is a diagram showing the sequence of multi-cloud user account registration, trust relationship linkage registration, and trust relationship linkage setting according to an embodiment of the present invention, FIG. 4 is a diagram showing the sequence of multi-cloud resource access according to an embodiment of the present invention, and FIG. 5 is a diagram showing the sequence of multi-cloud resource collection according to an embodiment of the present invention.
[0028] Referring to FIG. 1, a multi-cloud account access and resource control system (1000) through user account authentication may include at least one of a user terminal (100) and a multi-cloud platform server (200).
[0029] The above user terminal (100) can receive multi-cloud integrated services by using trust relationship linkage information for linking with a plurality of CSPs (Cloud Service Providers) (10).
[0030] To this end, the user terminal (100) may include at least one of a user account information generation unit (110), a user login unit (120), a trust relationship linkage information generation unit (130), a multi-cloud resource authority request unit (140), and a multi-cloud integrated service execution unit (150), as shown in FIG. 2.
[0031] The above user account information generation unit (110) can generate user account information by receiving information necessary for creating a user account as shown in FIG. 3, and can register the generated user account information to the multi-cloud integrated authentication module (210) of the multi-cloud platform server (200).
[0032] The above user account information is a dedicated or self-owned account used in the multi-cloud account access and resource control system (1000) according to the present embodiment, and can perform the role of an integrated account for receiving multi-cloud services by linking with multiple CSPs (10). This user account information may include an ID, password, and various personal information (name, age, gender, address, affiliation, etc.) according to the registration procedure of the multi-cloud account access and resource control system (1000).
[0033] The above user login unit (120) can receive user account information (ID, password) through an input means of a user terminal (100) as shown in FIG. 3, and transmit the entered user account information to a multi-cloud platform server (200) to perform login through an authentication procedure for the user account.
[0034] The above trust relationship linkage information generation unit (130) can receive a linkage target among a plurality of CSPs (10) as shown in FIG. 3, and generate trust relationship linkage information based on the selected linkage target information and user account information.
[0035] The above multi-cloud resource authority request unit (140) can collectively request and receive resource access rights for cloud resources (12) corresponding to CSPs (10) by transmitting trust relationship linkage information to the multi-cloud platform server (200) as shown in FIG. 4.
[0036] The above trust relationship linkage information is configuration information regarding which of the multiple CSPs (10) will be used to establish a trust relationship linkage based on user account information, and when configured through the multi-cloud integrated authentication module (210), it enables the trust relationship linkage with the CSPs (10) corresponding to the pre-configured linkage targets to be automatically configured when logging in through the user account.
[0037] The above trust relationship linkage information may vary depending on the protocol used by the CSP (10). In this case, the protocol used provides the most stable linkage provided by each CSP (10) and may change over time. The protocol supported in this embodiment can perform trust relationship linkage with multiple CSPs (10) using at least one of the OIDC (rfc6749) and SAML (rfc7522) protocols according to the standard certification of the IETF (Internet Engineering Task Force).
[0038] However, the protocol according to the present embodiment is, in principle, to use IETF standard authentication means such as OIDC (rfc6749) and SAML (rfc7522) protocols, but if the CSP (10) does not use the protocol of the above means, it may use temporary authentication means supported by the CSP (10) or use an API access control method recommended by the CSP (10) by encryption.
[0039] The above multi-cloud integration service execution unit (150) can request resource collection by using a multi-cloud platform server (200) as shown in FIG. 5, or by directly accessing cloud resources (12) for each CSP (10) for integration through an API or SDK provided by the CSP (10) for integration as shown in FIG. 1, and can receive the requested resources.
[0040] That is, the multi-cloud integration service execution unit (150) can access cloud resources (12) for each CSP (10) of the integration target through the multi-cloud integration interface module (220) of the multi-cloud platform server (200), request resource collection through this, and receive the requested resources, or can use a multi-cloud service that directly accesses cloud resources (12) for each CSP (10) of the integration target through an API or SDK recommended by the CSP (10) without going through the multi-cloud integration interface module (220) to request the collection of necessary resources and receive the resources.
[0041] The above multi-cloud platform server (200) performs trust relationship linkage authentication of multiple CSP (10) cloud authentication centers (11) based on trust relationship linkage information received from the user terminal (100), and after successful authentication of the trust relationship linkage, issues resource access rights for cloud resources (12) for each CSP (10) of the linkage target in accordance with the resource access right request of the user terminal (100), and receives resources in accordance with the resource collection request of the user terminal (100) and delivers them to the user terminal (100) to mediate multi-cloud integrated services.
[0042] To this end, the multi-cloud platform server (200) may include at least one of a multi-cloud integrated authentication module (210) and a multi-cloud integrated interface module (220), as illustrated in FIG. 1.
[0043] The above multi-cloud integrated authentication module (210) can establish a trust relationship linkage with multiple CSP (10) cloud authentication centers (11) based on the trust relationship linkage information provided by the user terminal (10) when the user terminal (10) successfully logs in as shown in FIG. 3.
[0044] More specifically, the multi-cloud integrated authentication module (210) uses trust relationship linkage information to set which of the multiple CSPs (10) will be linked with trust relationships to use the multi-cloud service, and when logging in through a user account, the trust relationship linkage with the CSPs (10) corresponding to the linkage target can be automatically configured based on the trust relationship linkage information.
[0045] The multi-cloud integrated authentication module (210) can perform a trust relationship linkage authentication of a cloud authentication center (11) (or a separate CSP self-authentication means) for each CSP (10) of the linkage target using the trust relationship linkage information provided by the user terminal (10) when a user terminal (10) requests resource access rights as illustrated in FIG. 4, and upon successful authentication of the trust relationship linkage, can issue resource access rights for a cloud resource (12) for each CSP (10) of the linkage target using the linked user account and transmit (report) to the user terminal (10).
[0046] The above multi-cloud integrated authentication module (210) may use at least one of the OIDC (rfc6749) and SAML (rfc7522) protocols according to the standard certification of the IETF (Internet Engineering Task Force).
[0047] Table 1 below shows the authentication protocols supported by commercial CSPs in 2024.
[0048] [Table 1]
[0049]
[0050] However, the protocol according to the present embodiment is, in principle, to use IETF standard authentication means such as OIDC (rfc6749) and SAML (rfc7522) protocols, but if the CSP (10) does not use the protocol of the above means, it may use temporary authentication means supported by the CSP (10) or use an API access control method recommended by the CSP (10) by encryption.
[0051] The above multi-cloud integrated interface module (220) can control the user terminal (10) to request resource collection for cloud resources (12) for each CSP (10) for the connection target based on resource access rights issued by the cloud authentication center (11) for each CSP (10) for the connection target as shown in FIG. 4, and to collect the requested resources.
[0052] Accordingly, the user terminal (100) can manage resources by accessing the cloud resources (20) of the target for integration through the multi-cloud integration interface module (220) using the issued access permission (access authority), or by directly accessing the cloud resources (20) of the target for integration to manage resources.
[0053] **Explanation of Drawing Symbols**
[0054] 1000: Multi-cloud account access and resource control system
[0055] 100: User terminal
[0056] 110: User Account Information Creation Section
[0057] 120: User Login Section
[0058] 130: Trust Relationship Linkage Information Generation Section
[0059] 140: Multi-cloud resource permission request section
[0060] 150: Multi-cloud Integration Service Execution Unit
[0061] 200: Multi-cloud platform server
[0062] 210: Multi-cloud Integrated Authentication Module
[0063] 220: Multi-cloud integration interface module
[0064] 10: CSP
[0065] 11: CSP's Cloud Authentication Center
[0066] 12: CSP's Cloud Resources
[0067] [National R&D projects that supported inventions]
[0068] Project ID: 2710008053
[0069] Project No.: RS-2023-00237123
[0070] Ministry Name: Ministry of Science and ICT
[0071] Project Management (Specialized) Agency Name: Institute of Information & Communications Technology Planning & Evaluation (IITP)
[0072] Research Project Name: SW Computing Industry Core Technology Development Project
[0073] Research Project Title: Development of Core Technologies to Support Software-as-a-Service Transition Based on Hyper-connected Distributed Computing
[0074] Project Executing Organization Name: Megazone Cloud Co., Ltd.
[0075] Research Period: April 1, 2023 – December 31, 2028
Claims
1. A user terminal receiving multi-cloud integrated services using trust relationship linkage information for linking with multiple CSPs (Cloud Service Providers); and A multi-cloud account access and resource control system through user account authentication, characterized by including a multi-cloud platform server that performs trust relationship linkage authentication of multiple CSP-specific cloud authentication centers based on the above-mentioned trust relationship linkage information, issues resource access rights for cloud resources of the linked target CSP-specific cloud resources upon successful authentication according to a request from the above-mentioned user terminal, receives the resources, and delivers them to the above-mentioned user terminal to mediate a multi-cloud integrated service.
2. In Paragraph 1, The above user terminal is, User account information generation unit that receives information required for user account creation and generates user account information; A user login unit that receives the above user account information and performs a login to the above multi-cloud platform server; A trust relationship linkage information generation unit that receives a linkage target selected from among a plurality of CSPs and generates the trust relationship linkage information based on the selected linkage target information and the user account information; A multi-cloud resource authority request unit that transmits the trust relationship linkage information to the multi-cloud platform server to request and receive resource access rights for cloud resources by CSP of the linkage target; and A multi-cloud account access and resource control system through user account authentication, characterized by including a multi-cloud integrated service execution unit that requests resource collection by directly accessing cloud resources for each target CSP through the use of the multi-cloud platform server or via APIs or SDKs provided by the target CSP, and receives the requested resources.
3. In Paragraph 1, The above multi-cloud platform server is, A multi-cloud account access and resource control system through user account authentication, characterized by including a multi-cloud integrated authentication module that establishes trust relationship linkages with multiple CSP-specific cloud authentication centers based on the above trust relationship linkage information, performs trust relationship linkage authentication of the CSP-specific cloud authentication center of the linkage target using the above trust relationship linkage information when the user terminal requests resource access rights after successful login of the user terminal, and, upon successful authentication, issues resource access rights for the CSP-specific cloud resources of the linkage target from the CSP-specific authentication sensor of the linkage target and transmits them to the user terminal.
4. In Paragraph 3, The above multi-cloud platform server is, A multi-cloud account access and resource control system through user account authentication, characterized by further including a multi-cloud integrated interface module that controls the user terminal to request resource collection of cloud resources by the CSP of the interconnection target based on resource access rights issued by a cloud authentication center by the CSP of the interconnection target, and to collect the requested resources.
5. In Paragraph 1, The above multi-cloud platform server is, A multi-cloud account access and resource control system through user account authentication, characterized by performing trusted relationship linkage with multiple CSPs using at least one of the OIDC (rfc6749) and SAML (rfc7522) protocols according to the standard certification of the IETF (Internet Engineering Task Force).