(19)
(11)EP 3 648 429 A1

(12)EUROPEAN PATENT APPLICATION

(43)Date of publication:
06.05.2020 Bulletin 2020/19

(21)Application number: 18203102.1

(22)Date of filing:  29.10.2018
(51)International Patent Classification (IPC): 
H04L 29/06(2006.01)
H04W 12/04(2009.01)
H04L 29/08(2006.01)
H04W 12/06(2009.01)
(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(71)Applicant: Siemens Aktiengesellschaft
80333 München (DE)

(72)Inventors:
  • Boche, Maik
    90522 Oberasbach (DE)
  • Burger, Stefan
    81241 München (DE)
  • Ebert, Michael
    96450 Coburg (DE)
  • Haberstumpf, Bernd
    90425 Nürnberg (DE)

  


(54)METHOD AND SYSTEM FOR PROVIDING ACCESS TO DATA STORED IN A SECURITY DATA ZONE OF A CLOUD PLATFORM


(57) A method and system for providing access by an application (APP) to data stored in a security data zone, SDZ, (7) of a cloud platform (2), the method comprising the steps of determining (S1) by an access manager module, AM, (4) of the cloud platform (2) in response to a query, Q, received from a querying application (APP) of the cloud platform (2) credentials for a security data zone, SDZ, (7) based on determining, by the access manager module, AM, (4) whether a first access token, FAT, included in the received query, Q, belongs to an application (APP) registered at the access manager module (4) and whether the user specified in the received query, Q, is allowed to use the registered application (APP) and determining (S2) by the access manager module, AM, (4) of the cloud platform (2) a second access token, SAT, generated on the basis of the determined credentials to the querying application (APP) which uses the returned second access token, SAT, to obtain access to data stored in the security data zone, SDZ, (7) to be processed by the querying application (APP).




Description


[0001] In many use cases, an operator or a service provider may provide an application to a user. Such an application needs access rights to operate in particular on a cloud platform. An application may be executed to analyze data generated by an automation system, e.g. of a user of the cloud platform. Accordingly, an application provided by a service provider to a user needs access rights to perform a read and/or write access of relevant data of the respective user. For a plurality of users, this may prove difficult to be implemented because each user may have his own credentials to provide read and/or write rights for one or more applications when executed by the user.

[0002] Accordingly, it is an object of the present invention to provide efficient access by an application to data, in particular to data of a plurality (of different) users or to data stored in different storages, e.g. storages having different security access levels.

[0003] This object is achieved according to a first aspect of the present invention by a method comprising the features of claim 1.

[0004] The invention provides a method for providing access by an application to data stored in a security data zone of a customer of a cloud platform. The method comprising the steps of:

determining, preferably retrieving, by an access manager module of the cloud platform in response to a query received from a querying application of the cloud platform credentials for the security data zone based on determining, by the access manager module, whether a first access token included in the received query belongs to an application registered at the access manager module and whether the user specified in the received query is allowed to use the registered application and

determining, preferably returning, by the access manager module of the cloud platform a second access token generated on the basis of the retrieved credentials to the querying application to obtain access to data stored in the security data zone to be processed by the querying application.



[0005] In a possible embodiment of the method according to the first aspect of the present invention, the application is registered by a service provider module at the access manager module of the cloud platform for assignment of at least one first access token comprising a manager access login name and/or a manager access password.

[0006] In a possible embodiment of the method according to the first aspect of the present invention, the access manager module of the cloud platform is notified by a service provider module of the service provider of the respective application about a relationship between a first user and a second user, in particular the service provider and a customer, which allows the respective user, e.g. customer, to use the application of the service provider registered at the access manager module.

[0007] In a possible embodiment of the method according to the first aspect of the present invention, the query is transmitted by the querying application to the access manager module when the application is initiated on a client device of a user.

[0008] In a possible embodiment of the method according to the first aspect of the present invention, the credentials for the security data zone of the user comprise a user name and/or a password.

[0009] In a still further possible embodiment of the method according to the first aspect of the present invention, the second access token is generated by an identity and access management unit of the cloud platform.

[0010] In a further possible embodiment of the method according to the first aspect of the present invention, the returned second access token is used by the querying application to perform a read access and/or a write access to data stored in the security data zone of the respective user.

[0011] In a still further possible embodiment of the method according to the first aspect of the present invention, the data stored in the security data zone of the user accessed by the querying application are processed by the application to evaluate and/or to manipulate data, in particular Internet of Things IoT data, of the user.

[0012] In a still further possible embodiment of the method according to the first aspect of the present invention, the security data zone of a user comprises a logically separated data storage area in a data storage resource connected with the cloud platform or forming part of the cloud platform.

[0013] In a possible embodiment of the method according to the first aspect of the present invention, the generated unique second access token is valid for a predefined time period.

[0014] In a still further possible embodiment of the method according to the first aspect of the present invention, credentials for the security data zone of the user undergo an automatic rotation.

[0015] The invention further provides according to a second aspect a system for providing access by an application to data stored in a security data zone of a cloud platform, the system comprising an access manager module adapted to determine in response to a query received from a querying application of the cloud platform credentials for the security data zone if the access manager module determines that a first access token included in the received query belongs to an application registered at the access manager module and that the user specified by the received query is allowed to use the registered application wherein the access manager module is further adapted to return a second access token generated on the basis of the determined credentials to the querying application which uses the returned second access token to obtain access to data stored in the security data zone of the respective user to be processed by the querying application.

[0016] In a possible embodiment of the system according to the second aspect of the present invention, the application is registered by a service provider module at the access manager module of the cloud platform for assignment of at least one first access token comprising a manager access login name and/or a manager access password, wherein the access manager module of the cloud platform is notified by a service provider module of the service provider of the respective application about a relationship between the service provider and the user which allows the respective user to use the registered application of the service provider.

[0017] In a further possible embodiment of the system according to the second aspect of the present invention, the application is adapted to use the returned second access token to perform a read access and/or a write access to data stored in the security data zone of the respective user wherein the data stored in the security data zone of the user is accessed by the application and processed by the application to evaluate and/or to manipulate data, in particular Internet of Things IoT data, of the user.

[0018] In a further possible embodiment of the system according to the second aspect of the present invention, the security data zone of a user comprises a logical separated data storage area in a data storage resource connected with the cloud platform or forming part of the cloud platform.

[0019] The invention further provides a computer program product having a program code which when executed on a microprocessor performs the method according to the first aspect of the present invention.

[0020] The invention further provides a system configured to perform the method according to the first aspect of the present invention.

[0021] In the following, possible embodiments of the different aspects of the present invention are described in more detail with reference to the enclosed figures.
FIG 1
shows a block diagram of a possible exemplary embodiment of a system according to the present invention;
FIG 2
shows a flowchart of a possible exemplary embodiment of a method for providing access to data stored in a security data zone of a customer according to an aspect of the present invention.


[0022] As can be seen in the block diagram of FIG 1, a system 1 according to the present invention provides access by an application APP to data stored in a security data zone SDZ, e.g., of a customer, using a cloud platform 2. The application APP can be provided by a service provider module of a service provider to the user. The application APP can be executed on a user device 3, such as a user device of a respective customer. The device 3 of the user or customer can be equipped with the application APP by the service provider module. The application APP can be used to evaluate and/or to manipulate data of the respective user stored in a data storage area assigned to the respective user. After having provided the user with the application APP, the service provider module can register the application APP with an access manager module 4 of the cloud platform 2 for assignment of at least one first access token (manager access token) FAT. The first access token FAT can comprise in a possible embodiment a manager access login name and/or a manager access password. The access manager module 4 of the cloud platform 2 is notified in a possible embodiment by the service provider module of the respective application APP about an existing relationship between the service provider and a specific user or customer which allows the respective user to use the registered application APP of the service provider. The relationship can be for instance a contract, in particular a machine-readable contract, allowing the respective user to use the application APP provided by the service provider module. The registered application APP can be installed on a hardware platform of the user, in particular a terminal or a mobile user device 3 of the user. The user device 3 comprises a processor adapted to execute the application APP. In a possible embodiment, the application APP can be downloaded from a server of the service provider and stored in a local program memory of the user device 3. In a possible embodiment, the access manager module 4 of the cloud platform 2 is notified by the service provider module implemented on the server of the service provider about the established relationship between the service provider and the specific customer or user wherein the relationship allows the respective user to use the registered application APP of the service provider.

[0023] When the application APP is started or initiated on a client device or user device 3 of the customer, a query Q is generated by the application APP and transmitted by the application APP to the access manager module 4. The query Q transmitted by the application APP to the access manager module 4 comprises the assigned first access token FAT, in particular a manager access login name and/or a manager access password. The access manager module 4 of the cloud platform 2 determines, preferably retrieves, in response to the received query Q credentials C for a security data zone 7 of the user if the access manager module 4 determines that the received first access token FAT included in the received query Q belongs to a registered application APP of a service provider and further determines that the user specified in the received query Q is allowed to use the registered application APP. The access manager module 4 can retrieve the credentials C in a possible embodiment from a lookup table LUT stored in a memory 5 of the cloud platform 2 as shown in FIG 1. In a possible embodiment, the retrieved credentials C are supplied to an identity and access management, IAM, unit 6 of the cloud platform 2 which generates the second access token SAT (zone access token) on the basis of the retrieved credentials C. The second access token SAT generated by the identity and access management, IAM, unit 6 can be returned to the access manager module 4 which forwards the second access token SAT back to the querying application APP as also illustrated in FIG 1. The access manager module 4 of the cloud platform 2 returns the second access token SAT to the querying application APP which uses the returned second access token SAT to obtain access to data stored in the security data zone 7 of the respective customer. The returned second access token SAT can be used by the querying application APP executed on the processor of the user device 3 to perform a read access and/or to perform a write access to data stored in the security data zone 7 of the respective user. The data stored in the security data zone 7 of the user accessed by the application APP can be processed by the application APP to evaluate and/or to manipulate data of the customer. The data can comprise in a possible embodiment Internet of Things IoT data of the respective user stored in the security data zone 7 of the customer. The security data zone 7 of the user comprises a logical separated data storage area in a data storage resource connected with the cloud platform 2 or forming part of the cloud platform 2. In a possible embodiment, the second access token SAT is a unique zone access token being valid only for a predefined time period. After the time period has elapsed, the second access token SAT becomes invalid. This increases the security of the system 1 according to the present invention. In a possible embodiment, the credentials C for a security data zone 7 of a user can undergo an automatic rotation. In a possible embodiment, the access manager module 4 can form part of a key manager API of the cloud platform 2. The key manager API can issue access tokens for IoT data consuming users which have access to the respective application (after provisioning). In a possible embodiment, access to the access manager module 4, e.g. key manager access token and user name, can be preconfigured. An operator or service provider can automatically create an entry in the configuration of the access manager module 4 for applications and can also add in a possible embodiment credentials C for any operator, tenant or user. During provisioning an application, an IoT value plan tenant or user or operator can add a further entry into the configuration of the access manager module 4 for the new user. The application can query the access manager module 4 by means of the first access token FAT provided by the operator to retrieve a list of tenants or customers and using the retrieved first access token FAT to process their data. The first access tokens FATs can be application specific. In a possible embodiment, the application APP can for example continuously calculate key performance indicators KPI based on incoming time series data for multiple tenants for calculating results. Another use case can be the training of an analytical data model periodically which may take multiple hours to finish. In a possible embodiment, a secure and exclusive background data processing only for a certain user or customer can be provided using a key manager module for a key rotation for every call or request for data by an application APP.

[0024] FIG 2 shows a flowchart of a possible exemplary embodiment of a method according to a further aspect of the present invention. The method illustrated in FIG 2 is used for providing an efficient access by an application APP of a service provider to data stored in a security data zone 7 of a customer using a cloud platform 2. In the illustrated exemplary embodiment, the method comprises two main steps.

[0025] In a first step S1, credentials for a security data zone 7 of a customer are retrieved by an access manager module 4 of the cloud platform 2 in response to a query Q received from an application APP in case that the access manager module 4 determines that a first access token FAT included in the received query Q belongs to an application APP of a service provider registered at the access manager module 4 and that the user specified in the received query Q is further allowed to use the registered application APP.

[0026] In a further step S2, the access manager module 4 of the cloud platform 2 returns a second access token SAT generated on the basis of the retrieved credentials to the querying application APP which uses the returned second access token SAT to obtain access to data stored in the security data zone 7 of the respective user to be processed by the querying application APP. The second access token SAT can also provide access to other resources of a network, in particular data storage resources and/or data processing resources.

[0027] In a setup phase, the application APP is first registered by a service provider module at the access manager module 4 of the cloud platform 2 for assignment of at least one first access token FAT. This first access token FAT can comprise a manager access login name and/or a manager access password. Further, in the setup phase, the access manager module 4 of the cloud platform 2 is notified by the respective service provider module of the service provider of the application APP about the existing relationship between the service provider and the user wherein the relationship allows the respective user to use the registered application APP of the service provider.

[0028] In a possible embodiment, credentials C or any other kind of secret information stored in the memory 5 can be rotated in response to a query Q received from an application APP requesting a new second access token (SDZ access token) and it turns out that the stored credential C is outdated. In a possible embodiment, the credentials C are stored in encrypted form and are decrypted before being supplied to the IAM unit 6. In a possible embodiment, credentials C can be rotated in configurable time intervals.


Claims

1. A method for providing access by an application (APP) to data stored in a security data zone, SDZ, (7) of a cloud platform (2), the method comprising the steps of:

- determining (S1) by an access manager module, AM, (4) of the cloud platform (2) in response to a query, Q, received from a querying application (APP) of the cloud platform (2) credentials (C) for a security data zone, SDZ, (7) based on determining, by the access manager module, AM, (4) whether a first access token, FAT, included in the received query, Q, belongs to an application (APP) registered at the access manager module (4) and whether the user specified in the received query, Q, is allowed to use the registered application (APP); and

- determining (S2) by the access manager module, AM, (4) of the cloud platform (2) a second access token, SAT, generated on the basis of the determined credentials (C) to the querying application (APP) which uses the returned second access token, SAT, to obtain access to data stored in the security data zone, SDZ, (7) to be processed by the querying application (APP).


 
2. The method according to claim 1,
wherein the application (APP) is registered at the access manager module, AM, (4) of the cloud platform (2) for assignment of at least one first access token, FAT, comprising a manager access login name and/or a manager access password.
 
3. The method according to claim 1 or 2,
wherein the access manager module, AM, (4) of the cloud platform (2) is notified by a service provider module of a service provider of the respective application (APP) about a relationship between the service provider and the user which allows the respective user to use the registered application (APP) of the service provider.
 
4. The method according to any of the preceding claims 1 to 3, wherein the query, Q, is transmitted by an application (APP) to the access manager module, AM, (4) when the application (APP) is initiated on a user device (3) of a user.
 
5. The method according to any of the preceding claims 1 to 4, wherein the credentials (C) for a security data zone, SDZ, (7) of the user comprise a user name and/or a password.
 
6. The method according to any of the preceding claims 1 to 5, wherein the second access token, SAT, is generated by an identity and access management, IAM, unit (6) of the cloud platform (2).
 
7. The method according to any of the preceding claims 1 to 6, wherein the returned second access token SAT, is used by the querying application (APP) to perform a read access and/or a write access to data stored in the security data zone, SDZ, (7) of the respective user.
 
8. The method according to any of the preceding claims 1 to 7, wherein the data stored in the security data zone, SDZ, (7) of the user accessed by the application (APP) are processed by the application (APP) to evaluate and/or to manipulate data, in particular Internet of Things, IOT, data of the user.
 
9. The method according to any of the preceding claims 1 to 8, wherein the security data zone, SDZ, (7) of a user comprises a logically separated data storage area in a data storage resource connected with the cloud platform (2) or forming part of the cloud platform (2).
 
10. The method according to any of the preceding claims 1 to 9, wherein the generated unique second access token, SAT, is valid for a predefined time period.
 
11. The method according to any of the preceding claims 1 to 10, wherein credentials (C) for a security data zone, SDZ, (7) of a user undergo an automatic rotation.
 
12. A computer program product which comprises a program code which when executed performs any one of the method steps of the method of claims 1 to 11.
 
13. A system operative to perform any of the method steps of the method of claims 1 to 11.
 
14. A system for providing access by an application (APP) to data stored in a security data zone (7) of a cloud platform (2), the system (1) comprising:
an access manager module (4) adapted to determine in response to a query, Q, received from a querying application (APP) credentials (C) for a security data zone (7) of a user if the access manager module (4) determines that a first access token, FAT, included in the received query, Q, belongs to a registered application (APP) registered at the access manager module (4) and that the user specified in the received query, Q, is allowed to use the registered application (APP) and wherein the access manager module (4) of the cloud platform (2) is further adapted to return a second access token, SAT, generated on the basis of the retrieved credentials (C) to the querying application (APP) which uses the returned second access token, SAT, to obtain access to data stored in the security data zone (7) of the respective user to be processed by the querying application (APP).
 
15. The system according to claim 14 wherein the application (APP) is registered by a service provider module at the access manager module (4) of the cloud platform (2) for assignment of at least one first access token, FAT, comprising a manager access login name and/or a manager access password, wherein the access manager module (4) of the cloud platform (2) is notified by the service provider module of a service provider of the respective application about an existing relationship between the service provider and the user which allows the respective user to use the registered application (APP) of the service provider.
 
16. The system according to claim 14 or 15 wherein the security data zone (7) stores data of the user accessed by the application (APP) using the returned second access token, SAT, that are processed by the application executed on a processor of a user device (3) to evaluate and/or to manipulate data, in particular Internet of Things, IOT, data of the user.
 
17. The system according to any of the preceding claims 14 to 16 wherein the security data zone (7) comprises a logical separated data storage area in a data storage resource connected with the cloud platform (2) or forming part of the cloud platform (2) of said system (1).
 




Drawing







Search report









Search report