

Title:
METHOD AND NETWORK NODE FOR PROVIDING POLICY ENFORCEMENT IN A COMPUTING CLOUD PLATFORM
Document Type and Number:
WIPO Patent Application WO/2017/137803
Kind Code:
A1
Abstract:
A method for providing policy enforcement in a cloud platform offered as a service to users is provided. The method comprises: receiving a policy to be enforced, the policy indicating a permission associated with a backend service connected to the cloud platform; determining if enforcement of the received policy is supported by the backend service connected to the cloud platform; and responsive to determining that enforcement of the received policy is supported by the backend service, adding the received policy to be enforced in the backend service. A computing device for carrying this method is also provided.

Inventors:
KIS ZOLTÁN LAJOS (HU)
KAVANAGH ALAN (SE)
CHATILA ABDALLAH (CA)
QIANG ZU (CA)
ROSSI FREDERIC (CA)
TREMBLAY RICHARD (CA)
Application Number:
PCT/IB2016/050709
Publication Date:
August 17, 2017
Filing Date:
February 10, 2016
Assignee:
ERICSSON TELEFON AB L M (PUBL) (SE)
KIS ZOLTÁN LAJOS (HU)
KAVANAGH ALAN (SE)
CHATILA ABDALLAH (CA)
QIANG ZU (CA)
ROSSI FREDERIC (CA)
TREMBLAY RICHARD (CA)
International Classes:
G06F9/50
Foreign References:
US20140026179A12014-01-23
US20120240183A12012-09-20
US20140136706A12014-05-15
US9047109B12015-06-02
US9043863B12015-05-26
US20090138940A12009-05-28
Other References:
None
Attorney, Agent or Firm:
RAHMER, David et al. (CA)
Claims:
What is claimed is:

1. A method for providing policy enforcement in a cloud platform offered as a service to users, the method comprising:

receiving a policy to be enforced, the policy indicating a permission associated with a backend service connected to the cloud platform;

determining if enforcement of the received policy is supported by the backend service connected to the cloud platform; and

responsive to determining that enforcement of the received policy is supported by the backend service, adding the received policy to be enforced in the backend service.

2. The method of claim 1, further comprising, responsive to determining that enforcement of the received policy is not supported by the backend service, configuring a proxy component for enforcing the received policy.

3. The method of claim 2, wherein the configured proxy component intercepts messages sent from a user application in destination to the backend service for enforcing the received policy on the intercepted messages.

4. The method of claim 1, wherein the backend service is configured to enforce the added policy on incoming user messages.

5. The method of claim 1, wherein determining if enforcement of the received policy is supported by a backend service connected to the cloud platform comprises querying a database, having policy entries for a plurality of backend services, based on an identity (ID) of the backend service connected to the cloud platform.

6. The method of claim 5, further comprising receiving a positive message from the database if the database finds a policy entry corresponding to the backend service connected to the cloud platform.

7. The method of claim 6, wherein the positive message indicates that the backend service supports policy enforcement of the received policy.

8. The method of claim 5, further comprising receiving a negative message from the database if the database does not find a policy entry corresponding to the backend service connected to the cloud platform.

9. The method of claim 8, wherein the negative message indicates that the backend service does not support policy enforcement of the received policy.

10. The method of claim 1, wherein determining if enforcement of the received policy is supported by a backend service connected to the cloud platform comprises performing a test against the backend service to determine if the backend service supports the received policy.

11. The method of claim 10, further comprising receiving a positive response from the backend service in response to the test performed, wherein the positive response indicates that the backend service supports policy enforcement of the received policy.

12. The method of claim 10, further comprising receiving a negative response from the backend service in response to the test performed, wherein the negative response indicates that the backend service does not support policy enforcement of the received policy.

13. The method of claim 1, wherein adding the received policy in the backend service comprises configuring an Access Control List (ACL) of the backend service with the received policy.

14. The method of claim 1, wherein adding the received policy in the backend service comprises providing policy enforcement for stateful services.

15. A computing device for providing policy enforcement in a cloud platform offered as a service to users, the computing device comprising:

a network interface for communications with one or more nodes in a cloud computing environment;

a processing circuit operationally connected to the network interface, that configures the computing device to:

receive a policy to be enforced, the policy indicating a permission associated with a backend service connected to the cloud platform;

determine if enforcement of the received policy is supported by the backend service connected to the cloud platform; and

responsive to determining that enforcement of the received policy is supported by the backend service, add the received policy to be enforced in the backend service.

16. The computing device of claim 15, wherein the processing circuit comprises a processor and a memory connected thereto, wherein the memory contains instructions that, when executed, cause the processor to:

receive the policy to be enforced, the policy indicating a permission associated with the backend service connected to the cloud platform;

determine if enforcement of the received policy is supported by the backend service connected to the cloud platform; and responsive to determining that enforcement of the received policy is supported by the backend service, add the received policy to be enforced in the backend service.

17. The computing device of claim 16, wherein the processor is further configured to determine that enforcement of the received policy is not supported by the backend service, and to configure a proxy component for enforcing the received policy.

18. The computing device of claim 17, wherein the configured proxy component intercepts messages sent from a user application in destination to the backend service for enforcing the received policy on the intercepted messages.

19. The computing device of claim 16, wherein the backend service is configured to enforce the added policy on incoming user messages.

20. The computing device of claim 16, wherein the processor is configured to query a database, having policy entries for a plurality of backend services, based on an identity (ID) of the backend service connected to the cloud platform for determining if enforcement of the received policy is supported by the backend service.

21. The computing device of claim 20, wherein the processor is further configured to receive a positive message from the database if the database finds a policy entry corresponding to the backend service connected to the cloud platform.

22. The computing device of claim 21, wherein the positive message indicates that the backend service supports policy enforcement of the received policy.

23. The computing device of claim 20, wherein the processor is configured to receive a negative message from the database if the database does not find a policy entry corresponding to the backend service connected to the cloud platform.

24. The computing device of claim 23, wherein the negative message indicates that the backend service does not support policy enforcement of the received policy.

25. The computing device of claim 16, wherein the processor is configured to perform a test against the backend service to determine if the backend service supports the received policy.

26. The computing device of claim 25, wherein the processor is configured to receive a positive response from the backend service in response to the test performed, wherein the positive response indicates that the backend service supports policy enforcement of the received policy.

27. The computing device of claim 25, wherein the processor is configured to receive a negative response from the backend service in response to the test performed, wherein the negative response indicates that the backend service does not support policy enforcement of the received policy.

28. The computing device of claim 16, wherein the processor is adapted to configure an Access Control List (ACL) of the backend service with the received policy.

29. A computing device for providing policy enforcement in a cloud platform offered as a service to users, the computing device comprising:

a receiving module for receiving a policy to be enforced, the policy indicating a permission associated with a backend service connected to the cloud platform; a determining module for determining if enforcement of the received policy is supported by a backend service connected to the cloud platform; and an adding module for adding the received policy in the backend service, in response to determining that enforcement of the received policy is supported by the backend service.

30. A non-transitory computer-readable storage medium storing instructions which, when executed by a processor of a computing device, cause the computing device to provide policy enforcement in a cloud platform offered as a service to users, by performing the method of any one of claims 1-14.

31. A computing device, comprising:

one or more processors; and

the non-transitory computer-readable storage medium of claim 30.

Description:
METHOD AND NETWORK NODE FOR PROVIDING POLICY ENFORCEMENT IN A COMPUTING CLOUD PLATFORM

TECHNICAL FIELD

[0001] The disclosure generally relates to communication networks and, more particularly, to a method and a network node for providing policy enforcement in a computing cloud platform.

BACKGROUND

[0002] Cloud computing is a commonly used technology, providing attractive ways of hosting and delivering services over the Internet by providing an abstraction over the underlying physical infrastructure to the customers. Many organizations and individuals are utilizing cloud services to share information and collaborate with partners. For example, cloud computing provides three main services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

[0003] IaaS provides virtualized computing resources over the Internet to customers/users. For example, in the IaaS model, a third-party provider (e.g. cloud provider) hosts hardware, software, servers, storage and other infrastructure components on behalf of its users. IaaS providers also host users' applications and handle tasks including system maintenance, backup and resiliency planning. But an application creator/developer has to take care of managing the infrastructure, by installing and instantiating backend services, and creating connectivity between the applications and the backend services, for example.

[0004] SaaS provides cloud users access to software and its functions installed in a cloud environment remotely via a web browser, which allows user flexibility to run multiple tasks and improve support and maintenance of applications.

[0005] PaaS provides a platform allowing customers to develop, run, and manage web applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an application. For example, PaaS provides facilities for packaging, instantiating and scaling applications as well as for managing required backend services. This allows developers to focus on application development only.

[0006] A typical PaaS solution provides some level of governance on the communications between applications and backend services, where the platform provider can define policies to allow or disallow connections between certain applications and backend services.

[0007] Some platforms (e.g., Apcera) go further and target full governance by also allowing the definition of policies on the actual data that flows through the communication channels between the applications and backend services. This level of governance is required, for example, by enterprise and Information Technology (IT) environments, where the cloud provider must make sure that the users adhere to the company policies and government regulations.

[0008] To enforce policies on the communication channels, proxy components are commonly used. These proxies or proxy components are instantiated in the middle of the communication channels between the applications and backend services. As such, all the data/messages coming from the applications flow through the proxy components so that the proxy components can inspect the messages and act based on the content of the messages: they can allow the communication to flow through, or they can block certain messages of the communication.

[0009] However, the use of proxy components has some limitations. For example, the proxy components cannot enforce policies for stateful services. Therefore, it is desirable to improve policy enforcement in a computing cloud, offering a PaaS, for example.

SUMMARY

[0010] According to a first aspect of the invention, there is provided a method for providing policy enforcement in a cloud platform offered as a service to users. The method comprises: receiving a policy to be enforced, the policy indicating a permission associated with a backend service connected to the cloud platform; determining if enforcement of the received policy is supported by the backend service connected to the cloud platform; and responsive to determining that enforcement of the received policy is supported by the backend service, adding the received policy to be enforced in the backend service.

[0011] According to a second aspect of the invention, there is provided a computing device for providing policy enforcement in a cloud platform offered as a service to users. The computing device comprises: a network interface for communications with one or more nodes in a cloud computing environment; a processing circuit operationally connected to the network interface, that configures the computing device to: receive a policy to be enforced, the policy indicating a permission associated with a backend service connected to the cloud platform; determine if enforcement of the received policy is supported by the backend service connected to the cloud platform; and responsive to determining that enforcement of the received policy is supported by the backend service, add the received policy to be enforced in the backend service.

[0012] According to a third aspect of the invention, there is provided a computing device for providing policy enforcement in a cloud platform offered as a service to users, the computing device comprises: a receiving module for receiving a policy to be enforced, the policy indicating a permission associated with a backend service connected to the cloud platform; a determining module for determining if enforcement of the received policy is supported by a backend service connected to the cloud platform; and an adding module for adding the received policy in the backend service, in response to determining that enforcement of the received policy is supported by the backend service.

[0013] Other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments of the invention in conjunction with the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

[0014] Embodiments of the present invention will now be described, by way of example only, with reference to the attached Figures, wherein:

[0015] Figure 1 is a schematic diagram of a generic computing cloud.

[0016] Figure 2 illustrates a message flow of a method for providing policy enforcement in the computing cloud of Figure 1, according to a first embodiment of the present invention.

[0017] Figure 3 illustrates a message flow of a method for providing policy enforcement in the computing cloud of Figure 1, according to a second embodiment of the present invention.

[0018] Figure 4 illustrates a message flow of a method for providing policy enforcement in the computing cloud of Figure 1, according to a third embodiment of the present invention.

[0019] Figure 5 illustrates a flowchart of a method for providing policy enforcement in the computing cloud of Figure 1, according to an embodiment of the present invention.

[0020] Figure 6 illustrates a network node/computing device for providing policy enforcement in the computing cloud of Figure 1, according to an embodiment of the present invention.

[0021] Figure 7 illustrates a network node for providing policy enforcement in the computing cloud of Figure 1, according to another embodiment of the present invention.

DETAILED DESCRIPTION

[0022] The discussion below should be taken to be exemplary in nature, and not as limiting of the scope of the present invention. The scope of the present invention should not be considered as limited by the implementation details described below, which as one skilled in the art will appreciate, can be modified by replacing elements with equivalent functional elements.

[0023] In the discussion that follows, specific details of particular embodiments of the present invention are set forth for purposes of explanation and not limitation. It will be appreciated by those skilled in the art that other embodiments may be employed that differ from these specific embodiments described herein with respect to certain non-essential specific details. Furthermore, in some instances detailed descriptions of well-known methods, nodes, interfaces, circuits, and devices are omitted so as to not obscure the description with unnecessary detail.

[0024] As stated above, the current implementations for enforcing policies in a PaaS using proxy components have some limitations. A proxy component can be any component, such as a server or a virtual machine, that sits between two nodes communicating with each other. Proxy components are well-known in the art.

[0025] For example, in the current systems, a proxy component can inspect the communication channel between a user's application and the backend services, but it has no visibility into the state of the backend services. Also, the proxy component can only act on messages visible within the current communication session. As such, the proxy component cannot provide true policy enforcement for stateful services.

[0026] For instance, in the case of a Structured Query Language (SQL) database as the backend service, a policy might be "do not allow tenant A to delete tables from database D", where database D is the backend service. A proxy component instantiated on the communication channel from tenant A's apps towards database D will be able to detect when a message containing "a delete operation or instruction" is sent and then reject that message.

[0027] However, SQL databases support remote procedure calls. For example, tenant B can create a procedure, called P, which deletes all tables from database D. Furthermore, tenant B can configure database D to allow tenant A to call this procedure. When tenant A's application calls this procedure, the proxy component only sees a message which states "execute P", but it does not know what the procedure P does. Therefore, the proxy component does not have enough information to decide whether to allow tenant A's application to execute P or not on the database D.

[0028] To solve this problem, one solution could, for example, consist of disallowing by default the use of stateful services, such as remote procedure calls, for database backend services. However, such a solution would severely limit the usability and the performance of the PaaS platform.

[0029] Another problem exists with the use of the proxy component. In order to enforce policies, the proxy component must be able to parse and interpret messages comprising protocol information, commands, etc., being exchanged between the applications and the backend services. This requires the proxy code to be always kept up-to-date with the latest protocol versions, i.e., whenever a communication protocol (e.g., HyperText Transfer Protocol (HTTP), MySQL, etc.) is updated, the proxy code must also be updated as quickly as possible. Given the number of different communication protocols in use and the rate at which new protocol versions appear, this solution is not cost effective, or even feasible, over a long period of time.

[0030] To solve that particular problem, the proxy component can be configured, for example, to reject the use of newer protocol versions, thus forcing the applications and backend services to use outdated protocol versions. But this solution would also limit the usability and the developer experience of the overall system provided by the PaaS platform.

[0031] Generally stated, the embodiments of the present invention allow the PaaS platform to determine or select an appropriate policy enforcement mechanism, depending on the capabilities of the backend services that are connected or attached to the PaaS platform. For example, when a new policy enters the PaaS platform, the PaaS platform determines if the policy can be enforced by the backend service. If so, the PaaS platform configures the backend service to enforce the policy; otherwise, the PaaS platform uses a proxy component to enforce the policy.

[0032] It should be noted that backend services are well-known in the art. For example, a service can be any kinds of service, such as storage, computing, networking, etc. A backend service is a kind of service that is provided by the platform, but not implemented by the platform. The backend service is usually implemented by a third party, but provided through the platform. The users can access or communicate with the backend service through an Application Program Interface (API), for example.

[0033] Now turning to Figure 1, a generic computing cloud 100 will be described. A data network or communication network 102 provides connectivity between various data centers/computers (not shown) that make up the computing cloud 100. The data centers/computers represent the (physical) infrastructure of the computing cloud 100. Generally, a large number of computers host virtual machines that host isolated tenant applications. Various cloud services 104 may provide functions such as communication queues, load balancing, firewalls, etc., within the computing cloud 100. In the context of the present disclosure, the computing cloud 100 offers a platform 106 as a service to its customers/users, such as tenants 110, to use. The tenants 110 can interact with the platform 106 through an interface such as, for example, an Application Program Interface (API), a web browser (or web front-end) (not shown), etc. The platform 106 may be connected to a backend service 108, such as a cloud storage/database. The cloud services 104 may also be connected to the cloud storage 108.

[0034] The backend service 108 may take various forms, for instance, databases such as SQL, relational database services that provide instances of databases controlled and configured by respective tenants, simple blob (binary large object) storage, table storage, file system storage, etc. One or more backend services can be connected to the platform 106. Furthermore, typical backend services are designed with policy enforcement. For example, an SQL server provides a privileges system, or a policy enforcement system, i.e. it will check the current Access Control List (ACL) rules before executing a command. Since policy enforcement is an integral part of such a backend service, the backend service is able to provide true stateful policies. However, the ACL is empty in the current systems since it is not used.
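To make the stored-procedure problem of [0026]-[0027] and the backend-side alternative of [0034] concrete, here is an added Python model that is not part of the patent: a proxy that can only inspect the wire message, and a toy database whose privilege table is checked for every statement it executes, including the statements inside a called procedure. The table names, row counts, procedure body, tenant names and privilege names are constructed for this example.

```python
"""Added example: a message-inspecting proxy versus backend-side ACL
enforcement of the policy 'tenant A may not delete'. Constructed model,
not the patent's code."""
import re

DESTRUCTIVE = {"DELETE", "DROP", "TRUNCATE"}


def leading_keyword(statement):
    """Split 'DELETE FROM orders' into ('DELETE', 'FROM orders')."""
    m = re.match(r"\s*([A-Za-z]+)\s*(.*)", statement, re.S)
    if not m:
        return "", ""
    return m.group(1).upper(), m.group(2).strip()


def proxy_allows(message):
    """The proxy's whole view is the wire message: it rejects statements that
    start with a destructive keyword and lets everything else through."""
    keyword, _ = leading_keyword(message)
    return keyword not in DESTRUCTIVE


class ToyDatabase:
    """Tables with row counts, stored procedures, and a per-user privilege
    ACL consulted at execution time. Procedures run with the caller's
    privileges (invoker rights); see the note below for MySQL's default."""

    def __init__(self):
        self.rows = {"orders": 120, "customers": 40}   # constructed data
        self.procedures = {}
        self.acl = {}

    def grant_all(self, user):
        self.acl[user] = {"SELECT", "DELETE", "EXECUTE"}

    def revoke(self, user, privilege):
        self.acl[user].discard(privilege)

    def create_procedure(self, name, body):
        self.procedures[name] = list(body)

    def execute(self, user, statement):
        """Return 'OK' or 'DENIED: <privilege>'. The ACL is checked for every
        statement, including each statement inside a called procedure."""
        keyword, rest = leading_keyword(statement)
        privs = self.acl.get(user, set())
        if keyword == "CALL":
            if "EXECUTE" not in privs:
                return "DENIED: EXECUTE"
            name = rest.rstrip("();").strip()
            for inner in self.procedures[name]:
                result = self.execute(user, inner)
                if result != "OK":
                    return result
            return "OK"
        if keyword == "DELETE":
            if "DELETE" not in privs:
                return "DENIED: DELETE"
            table = rest.split()[-1]          # "FROM orders" -> "orders"
            self.rows[table] = 0
            return "OK"
        if keyword == "SELECT":
            return "OK" if "SELECT" in privs else "DENIED: SELECT"
        return "ERROR: unsupported statement"


def fresh_db():
    db = ToyDatabase()
    db.grant_all("tenant_a")
    db.grant_all("tenant_b")
    # Tenant B's procedure P, which tenant A is allowed to call ([0027])
    db.create_procedure("P", ["DELETE FROM orders", "DELETE FROM customers"])
    return db


def run_scenario():
    direct, via_proc = "DELETE FROM orders", "CALL P()"
    results = {
        "proxy_blocks_direct": not proxy_allows(direct),
        "proxy_blocks_call": not proxy_allows(via_proc),
    }
    # Proxy-only deployment: the CALL reaches an unrestricted backend
    db = fresh_db()
    db.execute("tenant_a", via_proc)
    results["call_destroys_without_acl"] = all(n == 0 for n in db.rows.values())

    # Backend-side enforcement: the policy becomes an ACL change ([0034])
    db = fresh_db()
    db.revoke("tenant_a", "DELETE")
    results["backend_blocks_direct"] = db.execute("tenant_a", direct) == "DENIED: DELETE"
    results["backend_blocks_call"] = db.execute("tenant_a", via_proc) == "DENIED: DELETE"
    results["rows_intact"] = db.rows == {"orders": 120, "customers": 40}
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The proxy rejects the direct `DELETE FROM orders` but passes `CALL P()`, and on a backend with no ACL that call empties both tables; once the policy is applied as a `REVOKE DELETE` on tenant A, the backend denies both forms. One caveat the patent does not mention: MySQL stored routines run by default with the privileges of their definer (`SQL SECURITY DEFINER`), so a `REVOKE DELETE` on tenant A closes the `CALL P` route only if P is declared `SQL SECURITY INVOKER` or tenant B's own privileges are restricted as well. The toy backend above models invoker rights.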

[0035] In the context of PaaS, the backend service is managed by the PaaS platform, so that the tenants 110 do not have to worry about maintaining the backend service. When a tenant 110 uses the platform 106 to develop his/her applications, the tenant's applications can communicate directly with the backend service connected to the platform 106. As cloud providers/operators target full governance or more control over these communications, an improved method for policy enforcement in the computing cloud 100 is needed and will be described with reference to Figure 2.

[0036] For example, Figure 2 illustrates a message flow of a method 250 for providing policy enforcement, according to an embodiment of the present invention. Figure 2 also shows schematically the structure of the platform 106.

[0037] The platform 106 comprises a policy database 202, a policy engine 204, tenants' applications 206, and optionally a policy-enforcement capabilities database 208. It should be noted that the platform 106 may comprise other components or elements which are not shown for the sake of simplicity and because they are not necessarily relevant in the context of policy enforcement.

[0038] The policy database 202 is used to keep a list of currently configured policies to be enforced by the platform 106. The policy engine 204 ensures that the current policies are enforced. The platform 106 manages and hosts the applications 206 of the tenants. The applications 206 can communicate with one or more backend services 108 connected to the platform 106. In Figure 2, the platform 106 is shown to host applications of tenant A, for example.

[0039] The policy-enforcement capabilities database 208 is used for storing the policy-enforcement capabilities of a plurality (or list) of backend services connected to the platform 106. As such, the database 208 indicates what policies can be enforced by each of the backend services of the list.

[0040] The policy-enforcement capabilities database 208 can be maintained by the cloud operator/provider 210. The cloud operator 210 can also be responsible for configuring the database 208, and for validating the information regarding policy enforcement capabilities of the list of backend services. Once the information is validated, the information is inserted into the database 208. The information can be validated in different ways. For example, the cloud operator 210 can run a test-suite against the backend services connected to the platform 106. As a result of the tests, the cloud operator 210 compiles a list of policies that can be enforced for each backend service. Then, the list is inserted into the database 208. The test-suite is a collection of tests that are used to test a software program to show some specific behaviours, for example. Test-suites are well-known in the art and as such will not be described further. Other methods could be used as well to discover the policy-enforcement capabilities of the plurality of backend services, as will be appreciated by a skilled person in the art.

[0041] Alternatively, the PaaS platform 106 can also maintain the database 208. The database 208 can be located within the platform 106 or outside of the platform 106. For example, it could be connected to the backend service 108.

[0042] For example, policy-enforcement capability information can be stored in the database 208, in the following format: {Backend ID, Policy, Method}.

[0043] The parameter "Backend ID" refers to the identity (ID) of a backend service and as such can be used by the policy engine 204 to identify the backend service for which a policy applies. It can take different forms and formats. For example, the identity of the backend service can be given by its name or its name and version. For example, the "Backend ID" of a SQL database could be given by "MySQL 5.7". The parameter "Backend ID" can also be given by endpoint identifiers, e.g., Internet Protocol (IP) version 4 (v4) or IPv6 addresses, on which the backend service is connected to the platform 106. It will be appreciated by a person skilled in the art that other formats and forms could be used as well.

[0044] The parameter "Policy" is a type of policy that can be enforced by the backend service. For example "disallow table/delete %table_id" can refer to the policy to disallow the deletion of a table with the given identity "table_id".

[0045] The parameter "Method" is the method/instructions used to enforce a policy on the backend services. For a SQL database, in order to enforce the above exemplary policy, the method to be executed would be a MySQL command such as: "REVOKE DELETE ON %table_id FROM '%user_id'".

[0046] Therefore, the information stored in the database 208 as {Backend ID, Policy, Method} means that the backend service with ID "Backend ID" can apply/enforce the policies given by "Policy" by executing the instructions given by "Method".

[0047] It should be understood that other forms and formats can be used to store the policy-enforcement capabilities of the backend services, in the database 208, as will be appreciated by a person skilled in the art.

[0048] Now, consider the message flow of method 250. It is assumed that the backend service connected to the platform 106 is a SQL database, with backend ID as "MySQL 5.7". Also, it is assumed that, initially, when there is no policy in effect, a tenant A's application communicates directly with the backend service 108 (step 249). Furthermore, for each of the backend services that first connects with the platform 106, the policy engine 204 establishes a connection with the backend service. Once the connection is established, the policy engine 204 queries the backend service for its ID, such as its name, its version, its IPv4 or IPv6 address, and/or any other additional and useful information. This information can be held in a memory of the policy engine 204, for example. It is understood that methods of connecting backend services to the platform 106 and methods of establishing a communication between the policy engine 204 and the backend services 108 are well-known in the art.

[0049] Method 250 starts when a policy or a new policy needs to be enforced in the platform 106. For example, the cloud operator 210 sends the new policy to the policy database 202 (step 252) to be inserted therein. The new policy is to be enforced on the backend services connected to the platform 106, for example, the new policy indicates a permission that is associated with the backend service. The new policy can contain the backend service ID for which the policy is to be enforced. As an example, the new policy can read: "Tenant A cannot delete from MySQL 5.7 backend service".

[0050] It should be noted that, in general, policies are used to allow or restrict or deny connections between applications and backend services. As such, policies are generally associated with permissions related to the access of the backend services. An exemplary policy can be to allow access to an object store while having a policy only permitting putting and reading data in the object store but denying deleting or updating the objects in the object store.

[0051] Once the new policy is inserted into the policy database 202, the policy database 202 sends a copy of the new policy to the policy engine 204 (step 254).

[0052] Upon receipt of the new policy, the policy engine 204 determines the appropriate way to enforce the new policy. To do so, the policy engine 204 communicates with the policy enforcement capabilities database 208 to determine if the backend service currently connected to the platform 106 is capable of enforcing the received new policy (step 256).

[0053] For example, the policy engine 204 queries the policy-enforcement capabilities database 208 using the backend service ID of the currently connected backend service as the Backend ID. In this example, the backend ID is "MySQL 5.7". The backend service ID was acquired when the backend service first connected with the platform 106, for example.

[0054] If the database 208 finds a policy entry corresponding to the given backend service ID, then it sends a positive message (with a true value for example) to the policy engine 204 (step 258). The positive message indicates that the current connected backend service is capable of enforcing the new policy.

[0055] Upon receipt of the positive message, the policy engine 204 establishes a communication with the currently connected backend service 108 and then adds the new policy, for example, "Tenant A cannot delete", in the backend service (step 260). In other words, the policy engine 204 configures the ACL of the backend service 108 with the new policy. As a result, when receiving the communications coming from tenant A's applications, the backend service 108 is configured to enforce the new policy on these communications (or user incoming messages).

[0056] This method can be repeated for each new policy that is provided by the cloud operator 210 and/or for each backend service connected to the platform 106.

[0057] Now turning to Figure 3, an example message flow of a method 350 for providing policy-enforcement in the PaaS platform 106, according to another embodiment of the present invention will be described.

[0058] The assumptions of Figure 2 are also valid for this case.

[0059] The first three steps (352, 354, 356) of method 350 are similar to steps 252, 254 and 256 of method 250 of Figure 2.

[0060] In response to the query from the policy engine 204, if the database 208 does not find any policy entry corresponding to the specified backend ID, then the database 208 returns a false value or negative message to the policy engine 204 (step 358). The negative message indicates that the current backend service is not able to enforce the new policy.

[0061] It should be noted that when querying the database 208, the policy engine 204 may first try, for example, the name of the current backend service as the Backend ID. If the database 208 does not find any policy entry corresponding to the specified name, the policy engine 204 may then try to query the database 208 using the IPv4 or IPv6 address of the current backend service. This address was acquired when the current backend service got connected to the platform 106, for example. If the database 208 does not find any policy entry corresponding to the specified address either, then it returns the negative message of step 358.

[0062] If the database 208 finds a policy entry corresponding to the given IPv4 or IPv6 address, then a positive message is returned to the policy engine 204. This step corresponds to step 258 of method 250. In this case, the next steps of method 250 follow.

[0063] Back to method 350, in response to receiving the negative message, the policy engine 204 creates a proxy component 359 (step 360). The created proxy component 359 is installed on the communication channels between Tenant A's applications and the backend service. It should be noted that if the proxy component 359 already exists due to other/previous policies, the policy engine 204 does not need to create a new one; it can simply reconfigure the existing proxy component.

[0064] Next, the policy engine 204 configures the proxy component 359 with the new policy so that it can enforce the new policy (step 362) on messages received from tenant A's applications. As a result, tenant A's applications communicate with the backend service 108 through the proxy component (step 364). As such, the proxy component 359 can inspect all the messages coming from Tenant A's applications towards the backend service, and apply the new policy based on the inspection.

[0065] As noted earlier, the database 208 is optional. Thus, in some embodiments, policy enforcement can be done without the database 208, as illustrated in Figure 4.

[0066] For example, Figure 4 illustrates a message flow of a method 400 for providing policy-enforcement according to another embodiment, e.g. where the database 208 is absent or not used.

[0067] Steps 402 and 404 are similar to steps 352 and 354 of method 350. When the policy engine 204 receives the new policy, the policy engine 204 can perform a test directly against the current backend service to determine if it supports the new policy (step 406). If the policy engine 204 receives a negative response from the backend service (step 408), then it is determined that the backend service does not support the new policy. As such, the policy engine 204 creates a proxy component 409 (step 410). Then, steps 412 and 414 are similar to steps 362 and 364 of method 350.

[0068] If, in response to the test performed by the policy engine 204 in step 406, the policy engine 204 receives a positive response from the backend service (step 416), it is then determined that the backend service supports the new policy. In this case, the policy engine 204, upon receipt of the positive response, adds the new policy to be enforced in the backend service (step 418). More specifically, the policy engine 204 configures the ACL of the backend service with the new policy, for example.
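The decision logic shared by methods 250, 350 and 400, as an added worked example in Python that is not part of the patent text: the engine first queries a capabilities database by backend name and then by address (steps 356/358), falls back to probing the backend directly where no entry exists (step 406), and either records the policy for the backend's own ACL (steps 260/418) or hands it to a per-backend proxy that is reused rather than recreated (step 360). The capability table, the backend names and addresses, the probe callback and the fail-closed default for an unknown backend are assumptions made here, not details from the patent.

```python
"""Added example, not code from the patent: a toy policy engine showing how
methods 250/350 (capability-database lookup, by name and then by address)
and method 400 (direct probe of the backend) decide between configuring the
backend's own ACL and enforcing through a proxy. All names, the capability
table and the backend addresses are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Backend:
    name: str                                      # learned when the backend connected
    address: str                                   # IPv4/IPv6 address learned at the same time
    probe: Optional[Callable[[str], bool]] = None  # method 400: "can you restrict <action>?"


@dataclass(frozen=True)
class Policy:
    tenant: str       # e.g. "A"
    action: str       # the action the tenant may not perform, e.g. "delete"
    backend_id: str   # backend the policy targets


# Hypothetical policy-enforcement capabilities database (208): backend ID ->
# actions the backend's own ACL can restrict. Keys may be a name or an address.
CAPS_DB: Dict[str, Set[str]] = {
    "MySQL 5.7": {"select", "insert", "update", "delete"},
    "10.0.0.7": {"get", "put"},   # dedicated object server, bucket-level ACL only
}


def lookup_capability(db: Dict[str, Set[str]], backend: Backend,
                      action: str) -> Optional[bool]:
    """Steps 356/358: query by name first, then by address ([0061]).
    True/False is the positive/negative message; None means no entry at all."""
    for key in (backend.name, backend.address):
        entry = db.get(key)
        if entry is not None:
            return action in entry
    return None


def supports_policy(backend: Backend, policy: Policy,
                    db: Dict[str, Set[str]]) -> bool:
    """Step 504: database lookup, falling back to a direct probe (step 406)."""
    found = lookup_capability(db, backend, policy.action)
    if found is not None:
        return found
    if backend.probe is not None:
        return bool(backend.probe(policy.action))
    return False   # unknown capability: fail closed and enforce in a proxy


class PolicyEngine:
    """Policy engine 204. Keeps one proxy per backend and reuses it ([0063])."""

    def __init__(self, db: Dict[str, Set[str]]) -> None:
        self.db = db
        self.backend_acls: Dict[str, List[Policy]] = {}   # policies pushed to backend ACLs
        self.proxies: Dict[str, List[Policy]] = {}        # policies held by proxies

    def enforce(self, backend: Backend, policy: Policy) -> str:
        """Returns where the policy ended up: 'backend-acl' or 'proxy'."""
        if supports_policy(backend, policy, self.db):
            self.backend_acls.setdefault(backend.name, []).append(policy)
            return "backend-acl"
        self.proxies.setdefault(backend.name, []).append(policy)  # create or reconfigure
        return "proxy"


if __name__ == "__main__":
    engine = PolicyEngine(CAPS_DB)
    mysql = Backend("MySQL 5.7", "10.0.0.5")
    store = Backend("object-store-1", "10.0.0.7")                        # only found by address
    redis = Backend("redis-1", "10.0.0.9", probe=lambda a: a == "get")   # not in DB, probe only
    for backend, action in ((mysql, "delete"), (store, "put"), (store, "delete"),
                            (redis, "get"), (redis, "delete")):
        print(backend.name, action, "->",
              engine.enforce(backend, Policy("A", action, backend.name)))
```

The fail-closed default in `supports_policy` is the check a practitioner would want: a backend whose capabilities are unknown and which cannot be probed is treated as unable to enforce the policy, so the policy lands in a proxy instead of silently going unenforced.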

[0069] The tests used to determine if the backend service supports the new policies can use conventional messages that will be well understood by those skilled in the art.

[0070] In the above examples, a SQL database has been used as the backend service. Of course, it should be noted that other types of backend services can be supported for which policies can be defined. For example, in the case of an object store backend service, a policy can be "to deny access for non-employees to documents that contain the word 'private' in their name". For any cloud providers supporting an object store as a backend service, the policy engine will know that it is capable of enforcing ACL rules based on object names. In this case, it will configure the object store with that ACL rule, and will not instantiate a proxy. However, if a dedicated server is used as a backend service, which supports only bucket-level ACL rules (i.e. having file system hierarchy), then the policy engine will instantiate a proxy component to implement some missing policies that are not supported by that backend service. For example, the dedicated server may support policies such as read and put (pictures) in the backend service, but not policies such as delete and update. The policies "delete and update" will be enforced by the proxy component.

[0071] It should be noted that arbitrary query/response messages/protocols can be used in the communications between the different databases (208, 202, 108) and the policy engine 204 for methods 250, 350 and 400. For example, the communications can use HTTP, JavaScript Object Notation (JSON) protocols, or tailor-made binary protocols, but they are not restricted to these protocols and can use other protocols well-known in the art.

[0072] In view of the exemplary methods above for providing policy- enforcement, a flowchart for a generalized method is illustrated in Figure 5.

[0073] Method 500 of Figure 5 provides for policy enforcement in a cloud platform offered as a service to users. As an example, the platform offered as a service corresponds to the platform 106.

[0074] Method 500 starts with receiving a policy to be enforced, the policy indicating a permission associated with a backend service (step 502). The policy may be a new policy and given by the cloud operator 210, for example.

[0075] In step 504, method 500 determines if enforcement of the received policy is supported by a backend service connected to the cloud platform. To do so, the policy engine 204 can query a database, such as database 208, that comprises policy entries for a plurality of backend services, regarding the policy-enforcement capabilities of the current backend service, based on the ID of the backend service. Alternatively, the policy engine 204 can perform a test directly against the current backend service to determine if the backend service supports the received policy.

[0076] In step 506, method 500 comprises, responsive to determining that enforcement of the received policy is supported by the backend service, adding the received policy to be enforced in the backend service. For example, the policy engine 204 can configure the ACL of the backend service with the received policy so that the backend service can enforce that policy on the messages coming from a tenant's applications. As such, method 500 can provide policy-enforcement for stateful services as well.

[0077] Method 500 further comprises, responsive to determining that enforcement of the received policy is not supported by the backend service, configuring a proxy component for enforcing the received policy. In such a case, the messages coming from a user/tenant's application (to which the policy applies) destined for the backend service are intercepted by the proxy component. As such, the proxy component can enforce the policy on the intercepted messages. For example, if the policy to be enforced is "Tenant A cannot delete", whenever tenant A sends a "delete" command, the proxy component does not forward it to the backend service; instead it responds with "denied" to the application.
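The proxy-side enforcement described in [0064] and [0077], as an added worked example in Python that is not part of the patent text: a proxy component sits between Tenant A's application and a SQL backend, inspects each message, and answers "denied" instead of forwarding anything the policy forbids. The inspection is more than a substring match for the word "delete", because a practitioner has to expect lower-case keywords, leading comments, multi-statement messages and ';' inside string literals; the mapping from a denied action to the SQL verbs that achieve it (so "cannot delete" also stops TRUNCATE and DROP), the tenant names and the stand-in backend are assumptions made here.

```python
"""Added example, not code from the patent: a toy proxy component (359/409)
that intercepts a tenant's SQL messages and enforces a policy such as
"Tenant A cannot delete" that the backend cannot enforce itself ([0064],
[0077]). The verb-to-action mapping, the tenant names and the fake backend
are assumptions made for this illustration."""
import re
from typing import Callable, Dict, List, Set

# Skips whitespace and SQL comments at the start of a statement.
_LEADING_JUNK = re.compile(r"(?:\s+|--[^\n]*\n?|/\*.*?\*/)*", re.S)
_VERB = re.compile(r"[A-Za-z_]+")

# Assumed mapping: a denied action covers every SQL verb that achieves it,
# so "cannot delete" also stops TRUNCATE and DROP, not only the DELETE keyword.
ACTION_VERBS: Dict[str, Set[str]] = {
    "delete": {"delete", "truncate", "drop"},
    "update": {"update", "alter", "replace"},
    "insert": {"insert", "load"},
}


def statement_verbs(sql: str) -> List[str]:
    """Leading verb (lower-cased) of every ';'-separated statement in `sql`.
    Leading comments are skipped so '/* x */ DELETE' is still a delete, and a
    ';' inside a quoted string does not split the statement. Anything that does
    not start with an identifier is reported as '?' so the caller can deny it."""
    verbs: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        i = _LEADING_JUNK.match(sql, i).end()
        if i >= n:
            break
        m = _VERB.match(sql, i)
        verbs.append(m.group(0).lower() if m else "?")
        quote = None
        while i < n:                       # advance to the next top-level ';'
            c = sql[i]
            i += 1
            if quote:
                if c == quote:
                    quote = None
            elif c in ("'", '"', "`"):
                quote = c
            elif c == ";":
                break
    return verbs


class Proxy:
    """Sits on the channel between a tenant's applications and the backend."""

    def __init__(self, backend: Callable[[str], str]) -> None:
        self.backend = backend                     # the real backend service 108
        self.denied: Dict[str, Set[str]] = {}      # tenant -> blocked SQL verbs

    def configure(self, tenant: str, action: str) -> None:
        """Step 362/412: add a policy like 'Tenant A cannot delete'."""
        self.denied.setdefault(tenant, set()).update(ACTION_VERBS[action])

    def handle(self, tenant: str, message: str) -> str:
        """Step 364/414: inspect, then forward or answer 'denied' ([0077])."""
        blocked = self.denied.get(tenant, set())
        for verb in statement_verbs(message):
            if verb == "?" or verb in blocked:
                return "denied"                    # never reaches the backend
        return self.backend(message)


if __name__ == "__main__":
    proxy = Proxy(lambda msg: "ok")                # constructed stand-in backend
    proxy.configure("A", "delete")
    for msg in ("SELECT * FROM photos",
                "delete from photos where id = 1",
                "/* housekeeping */ DELETE FROM photos",
                "SELECT 1; DROP TABLE photos"):
        print(repr(msg), "->", proxy.handle("A", msg))
```

Two design points worth noting. The proxy fails closed: a message whose first statement it cannot classify (an unterminated comment, or text that does not begin with an identifier) is denied rather than forwarded, since forwarding unknown input defeats the purpose of the interception. And the deny set is keyed by tenant, matching the patent's "Tenant A cannot delete": the same DELETE from another tenant passes through unchanged.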

[0078] In some embodiments, method 500 further comprises receiving a positive message from the database if the database finds a policy entry corresponding to the backend service connected to the cloud platform, in response to the query of step 504. The positive message indicates that the backend service supports policy enforcement of the received policy.

[0079] Alternatively, method 500 may comprise receiving a positive response from the backend service in response to the test performed (directly on the backend service), wherein the positive response indicates that the backend service supports policy enforcement of the received policy.

[0080] However, in some other embodiments, method 500 may comprise receiving a negative message from the database if the database does not find a policy entry corresponding to the backend service connected to the cloud platform, in response to the query of step 504. The negative message indicates that the backend service does not support policy enforcement of the received policy.

[0081] Alternatively, method 500 may comprise receiving a negative response from the backend service in response to the test performed, wherein the negative response indicates that the backend service does not support policy enforcement of the received policy.

[0082] Figure 6 illustrates a computing device 600 for providing policy enforcement in a cloud platform offered as a service to users, according to an embodiment of the present invention. The computing device 600 can be embodied/represented by a network node, or the policy engine 204, for example. The node has a communication interface 602, and a processing circuit 604 connected to the communication interface.

[0083] The communication interface 602 is configured to communicate with other nodes or network elements within the platform or outside the platform, such as the database 202, the database 208 and the backend service 108.

[0084] The processing circuit 604 comprises a processor 606 and a memory 608 connected thereto. The memory 608 may contain instructions that, when executed, cause the computing device 600 to perform method 500, for example. As such, the processor 606 is configured to carry out method 500, as described above. Also, the memory 608 can store the current backend service identities, such as the name of the backend service or its IPv4 or IPv6 address. The memory 608 may include one or more of volatile and non-volatile memories, such as Random Access Memory ("RAM"), Read Only Memory ("ROM"), a solid state disk ("SSD"), Flash, Phase Change Memory ("PCM"), or other types of data storage. The memory 608 may be internal or distributed memory.

[0085] It should be noted that the structure of the computing device 600 is part of the infrastructure of the computing cloud 100.

[0086] Furthermore, a computer program comprising non-transitory computer- readable storage medium storing instructions which, when executed by a processor of a computing device, cause the computing device to carry out method 500 is provided. The instructions may be stored in the memory 608, for example.

[0087] It should be appreciated that the processing circuit 604, when configured with appropriate program code, may be understood to comprise several functional "modules," where each module comprises program code for carrying out the corresponding function, when executed by an appropriate processor.

[0088] Thus, for example, Figure 7 illustrates a computing device 700 adapted to carry out method 500, which may be understood to comprise a receiving module 702, a determining module 704, and an adding module 706.

[0089] The receiving module 702 is configured to receive a policy to be enforced, the policy indicating a permission associated with a backend service connected to the platform. The policy may be a new policy sent by the cloud operator 210, for example.

[0090] The determining module 704 is configured to determine if the enforcement of the received policy is supported by the backend service connected to the cloud platform.

[0091] The adding module 706 is configured to add the received policy in the backend service, in response to determining that the received policy is supported by the backend service.

[0092] Embodiments of the present invention provide for policy enforcement on stateful services and protocols, by configuring the backend service to enforce the policies, for example. They also allow for saving memory and Central Processing Unit (CPU) capacity on the platform 106, since there is no need to instantiate proxy components. Furthermore, the embodiments of the present invention result in lower latency experienced by the applications towards the backend service.

[0093] In the present description of various embodiments of present inventive concepts, it is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of present inventive concepts. Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which present inventive concepts belong. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of this specification and the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

[0094] As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Well-known functions or constructions may not be described in detail for brevity and/or clarity. The term "and/or" includes any and all combinations of one or more of the associated listed items.

[0095] Example embodiments have been described herein, with reference to block diagrams and/or flowchart illustrations of computer-implemented methods, apparatus (systems and/or devices) and/or computer program products. It is understood that a block of the schematic diagrams and/or flowchart illustrations, and combinations of blocks in the schematic diagrams and/or flowchart illustrations, can be implemented by computer program instructions that are performed by one or more computer circuits. These computer program instructions may be provided to a processor circuit of a general purpose computer circuit, special purpose computer circuit, and/or other programmable data processing circuit to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, transform and control transistors, values stored in memory locations, and other hardware components within such circuitry to implement the functions/acts specified in the block or schematic diagrams and/or flowchart block or blocks, and thereby create means (functionality) and/or structure for implementing the functions/acts specified in the block diagrams and/or flowchart block(s).

[0096] These computer program instructions may also be stored in a tangible computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the block diagrams and/or flowchart block or blocks. Accordingly, embodiments of present inventive concepts may be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.) running on a physical processor such as a digital signal processor, which may collectively be referred to as "circuitry," "a module" or variants thereof.

[0097] The above-described embodiments of the present invention are intended to be examples only. Alterations, modifications and variations may be effected to the particular embodiments by those of skill in the art without departing from the scope of the invention, which is defined solely by the claims appended hereto.