Title:
METHOD AND SYSTEM FOR PROVIDING ACCESS TO DATA STORED IN A SECURITY DATA ZONE OF A CLOUD PLATFORM
Document Type and Number:
WIPO Patent Application WO/2020/088836
Kind Code:
A1
Abstract:
A method and system for providing access by an application (APP) to data stored in a security data zone, SDZ, (7) of a cloud platform (2), the method comprising the steps of determining (S1) by an access manager module, AM, (4) of the cloud platform (2) in response to a query, Q, received from a querying application (APP) of the cloud platform (2) credentials for a security data zone, SDZ, (7) based on determining, by the access manager module, AM, (4) whether a first access token, FAT, included in the received query, Q, belongs to an application (APP) registered at the access manager module (4) and whether the user specified in the received query, Q, is allowed to use the registered application (APP) and determining (S2) by the access manager module, AM, (4) of the cloud platform (2) a second access token, SAT, generated on the basis of the determined credentials to the querying application (APP) which uses the returned second access token, SAT, to obtain access to data stored in the security data zone, SDZ, (7) to be processed by the querying application (APP).

Inventors:
BOCHE MAIK (DE)
BURGER STEFAN (DE)
EBERT MICHAEL (DE)
HABERSTUMPF BERND (DE)
Application Number:
PCT/EP2019/075033
Publication Date:
May 07, 2020
Filing Date:
September 18, 2019
Assignee:
SIEMENS AG (DE)
International Classes:
H04L29/08; H04L29/06; H04W12/04; H04W12/06
Foreign References:
US20170169249A1 (2017-06-15)
US20140282821A1 (2014-09-18)
US20170331829A1 (2017-11-16)
US20140298420A1 (2014-10-02)
Claims:
Patent claims

1. A method for providing access by an application (APP) to data stored in a security data zone, SDZ, (7) of a cloud platform (2), the method comprising the steps of:

determining (S1) by an access manager module, AM, (4) of the cloud platform (2) in response to a query, Q, received from a querying application (APP) of the cloud platform (2) credentials (C) for a security data zone, SDZ, (7) based on determining, by the access manager module, AM, (4) whether a first access token, FAT, included in the received query, Q, belongs to an application (APP) registered at the access manager module (4) and whether the user specified in the received query, Q, is allowed to use the registered application (APP); and

determining (S2) by the access manager module, AM, (4) of the cloud platform (2) a second access token, SAT, generated on the basis of the determined credentials (C) to the querying application (APP) which uses the returned second access token, SAT, to obtain access to data stored in the security data zone, SDZ, (7) to be processed by the querying application (APP).

2. The method according to claim 1,

wherein the application (APP) is registered at the access manager module, AM, (4) of the cloud platform (2) for assignment of at least one first access token, FAT, comprising a manager access login name and/or a manager access password.

3. The method according to claim 1 or 2,

wherein the access manager module, AM, (4) of the cloud platform (2) is notified by a service provider module of a service provider of the respective application (APP) about a relationship between the service provider and the user which allows the respective user to use the registered application (APP) of the service provider.

4. The method according to any of the preceding claims 1 to 3, wherein the query, Q, is transmitted by an application (APP) to the access manager module, AM, (4) when the application (APP) is initiated on a user device (3) of a user.

5. The method according to any of the preceding claims 1 to 4, wherein the credentials (C) for a security data zone, SDZ, (7) of the user comprise a user name and/or a password.

6. The method according to any of the preceding claims 1 to 5, wherein the second access token, SAT, is generated by an identity and access management, IAM, unit (6) of the cloud platform (2).

7. The method according to any of the preceding claims 1 to 6, wherein the returned second access token, SAT, is used by the querying application (APP) to perform a read access and/or a write access to data stored in the security data zone, SDZ, (7) of the respective user.

8. The method according to any of the preceding claims 1 to 7, wherein the data stored in the security data zone, SDZ, (7) of the user accessed by the application (APP) are processed by the application (APP) to evaluate and/or to manipulate data, in particular Internet of Things, IOT, data of the user.

9. The method according to any of the preceding claims 1 to 8, wherein the security data zone, SDZ, (7) of a user comprises a logically separated data storage area in a data storage resource connected with the cloud platform (2) or forming part of the cloud platform (2).

10. The method according to any of the preceding claims 1 to 9, wherein the generated unique second access token, SAT, is valid for a predefined time period.

11. The method according to any of the preceding claims 1 to 10, wherein credentials (C) for a security data zone, SDZ, (7) of a user undergo an automatic rotation.

12. A computer program product which comprises a program code which when executed performs any one of the method steps of the method of claims 1 to 11.

13. A system operative to perform any of the method steps of the method of claims 1 to 11.

14. A system for providing access by an application (APP) to data stored in a security data zone (7) of a cloud platform (2), the system (1) comprising:

an access manager module (4) adapted to determine in response to a query, Q, received from a querying application (APP) credentials (C) for a security data zone (7) of a user if the access manager module (4) determines that a first access token, FAT, included in the received query, Q, belongs to a registered application (APP) registered at the access manager module (4) and that the user specified in the received query, Q, is allowed to use the registered application (APP) and wherein the access manager module (4) of the cloud platform (2) is further adapted to return a second access token, SAT, generated on the basis of the retrieved credentials (C) to the querying application (APP) which uses the returned second access token, SAT, to obtain access to data stored in the security data zone (7) of the respective user to be processed by the querying application (APP).

15. The system according to claim 14 wherein the application (APP) is registered by a service provider module at the access manager module (4) of the cloud platform (2) for assignment of at least one first access token, FAT, comprising a manager access login name and/or a manager access password, wherein the access manager module (4) of the cloud platform (2) is notified by the service provider module of a service provider of the respective application about an existing relationship between the service provider and the user which allows the respective user to use the registered application (APP) of the service provider.

16. The system according to claim 14 or 15 wherein the security data zone (7) stores data of the user accessed by the application (APP) using the returned second access token, SAT, that are processed by the application executed on a processor of a user device (3) to evaluate and/or to manipulate data, in particular Internet of Things, IOT, data of the user.

17. The system according to any of the preceding claims 14 to 16 wherein the security data zone (7) comprises a logical separated data storage area in a data storage resource connected with the cloud platform (2) or forming part of the cloud platform (2) of said system (1).

Description:
Description

Method and system for providing access to data stored in a security data zone of a cloud platform

In many use cases, an operator or a service provider may provide an application to a user. Such an application needs access rights to operate in particular on a cloud platform. An application may be executed to analyze data generated by an automation system, e.g. of a user of the cloud platform. Accordingly, an application provided by a service provider to a user needs access rights to perform a read and/or write access of relevant data of the respective user. For a plurality of users, this may prove difficult to be implemented because each user may have his own credentials to provide read and/or write rights for one or more applications when executed by the user.

Accordingly, it is an object of the present invention to provide efficient access by an application to data, in particular to data of a plurality (of different) users or to data stored in different storages, e.g. storages having different security access levels.

This object is achieved according to a first aspect of the present invention by a method comprising the features of claim 1.

The invention provides a method for providing access by an application to data stored in a security data zone of a customer of a cloud platform. The method comprises the steps of:

determining, preferably retrieving, by an access manager module of the cloud platform in response to a query received from a querying application of the cloud platform credentials for the security data zone based on determining, by the access manager module, whether a first access token included in the received query belongs to an application registered at the access manager module and whether the user specified in the received query is allowed to use the registered application and

determining, preferably returning, by the access manager module of the cloud platform a second access token generated on the basis of the retrieved credentials to the querying application to obtain access to data stored in the security data zone to be processed by the querying application.

In a possible embodiment of the method according to the first aspect of the present invention, the application is registered by a service provider module at the access manager module of the cloud platform for assignment of at least one first access token comprising a manager access login name and/or a manager access password.

In a possible embodiment of the method according to the first aspect of the present invention, the access manager module of the cloud platform is notified by a service provider module of the service provider of the respective application about a relationship between a first user and a second user, in particular the service provider and a customer, which allows the respective user, e.g. customer, to use the application of the service provider registered at the access manager module.

In a possible embodiment of the method according to the first aspect of the present invention, the query is transmitted by the querying application to the access manager module when the application is initiated on a client device of a user.

In a possible embodiment of the method according to the first aspect of the present invention, the credentials for the security data zone of the user comprise a user name and/or a password.

In a still further possible embodiment of the method according to the first aspect of the present invention, the second access token is generated by an identity and access management unit of the cloud platform.

In a further possible embodiment of the method according to the first aspect of the present invention, the returned second access token is used by the querying application to perform a read access and/or a write access to data stored in the security data zone of the respective user.

In a still further possible embodiment of the method according to the first aspect of the present invention, the data stored in the security data zone of the user accessed by the querying application are processed by the application to evaluate and/or to manipulate data, in particular Internet of Things IoT data, of the user.

In a still further possible embodiment of the method according to the first aspect of the present invention, the security data zone of a user comprises a logically separated data storage area in a data storage resource connected with the cloud platform or forming part of the cloud platform.

In a possible embodiment of the method according to the first aspect of the present invention, the generated unique second access token is valid for a predefined time period.

In a still further possible embodiment of the method according to the first aspect of the present invention, credentials for the security data zone of the user undergo an automatic rotation.

The invention further provides according to a second aspect a system for providing access by an application to data stored in a security data zone of a cloud platform, the system comprising an access manager module adapted to determine in response to a query received from a querying application of the cloud platform credentials for the security data zone if the access manager module determines that a first access token included in the received query belongs to an application registered at the access manager module and that the user specified by the received query is allowed to use the registered application wherein the access manager module is further adapted to return a second access token generated on the basis of the determined credentials to the querying application which uses the returned second access token to obtain access to data stored in the security data zone of the respective user to be processed by the querying application.

In a possible embodiment of the system according to the second aspect of the present invention, the application is registered by a service provider module at the access manager module of the cloud platform for assignment of at least one first access token comprising a manager access login name and/or a manager access password, wherein the access manager module of the cloud platform is notified by a service provider module of the service provider of the respective application about a relationship between the service provider and the user which allows the respective user to use the registered application of the service provider.

In a further possible embodiment of the system according to the second aspect of the present invention, the application is adapted to use the returned second access token to perform a read access and/or a write access to data stored in the security data zone of the respective user wherein the data stored in the security data zone of the user is accessed by the application and processed by the application to evaluate and/or to manipulate data, in particular Internet of Things IoT data, of the user.

In a further possible embodiment of the system according to the second aspect of the present invention, the security data zone of a user comprises a logical separated data storage area in a data storage resource connected with the cloud platform or forming part of the cloud platform.

The invention further provides a computer program product having a program code which when executed on a microprocessor performs the method according to the first aspect of the present invention.

The invention further provides a system configured to perform the method according to the first aspect of the present invention.

In the following, possible embodiments of the different aspects of the present invention are described in more detail with reference to the enclosed figures.

FIG 1 shows a block diagram of a possible exemplary embodiment of a system according to the present invention;

FIG 2 shows a flowchart of a possible exemplary embodiment of a method for providing access to data stored in a security data zone of a customer according to an aspect of the present invention.

As can be seen in the block diagram of FIG 1, a system 1 according to the present invention provides access by an application APP to data stored in a security data zone SDZ, e.g., of a customer, using a cloud platform 2. The application APP can be provided by a service provider module of a service provider to the user. The application APP can be executed on a user device 3, such as a user device of a respective customer. The device 3 of the user or customer can be equipped with the application APP by the service provider module. The application APP can be used to evaluate and/or to manipulate data of the respective user stored in a data storage area assigned to the respective user. After having provided the user with the application APP, the service provider module can register the application APP with an access manager module 4 of the cloud platform 2 for assignment of at least one first access token (manager access token) FAT. The first access token FAT can comprise in a possible embodiment a manager access login name and/or a manager access password. The access manager module 4 of the cloud platform 2 is notified in a possible embodiment by the service provider module of the respective application APP about an existing relationship between the service provider and a specific user or customer which allows the respective user to use the registered application APP of the service provider. The relationship can be for instance a contract, in particular a machine-readable contract, allowing the respective user to use the application APP provided by the service provider module. The registered application APP can be installed on a hardware platform of the user, in particular a terminal or a mobile user device 3 of the user. The user device 3 comprises a processor adapted to execute the application APP. In a possible embodiment, the application APP can be downloaded from a server of the service provider and stored in a local program memory of the user device 3. In a possible embodiment, the access manager module 4 of the cloud platform 2 is notified by the service provider module implemented on the server of the service provider about the established relationship between the service provider and the specific customer or user wherein the relationship allows the respective user to use the registered application APP of the service provider.

When the application APP is started or initiated on a client device or user device 3 of the customer, a query Q is generated by the application APP and transmitted by the application APP to the access manager module 4. The query Q transmitted by the application APP to the access manager module 4 comprises the assigned first access token FAT, in particular a manager access login name and/or a manager access password. The access manager module 4 of the cloud platform 2 determines, preferably retrieves, in response to the received query Q credentials C for a security data zone 7 of the user if the access manager module 4 determines that the received first access token FAT included in the received query Q belongs to a registered application APP of a service provider and further determines that the user specified in the received query Q is allowed to use the registered application APP. The access manager module 4 can retrieve the credentials C in a possible embodiment from a lookup table LUT stored in a memory 5 of the cloud platform 2 as shown in FIG 1. In a possible embodiment, the retrieved credentials C are supplied to an identity and access management, IAM, unit 6 of the cloud platform 2 which generates the second access token SAT (zone access token) on the basis of the retrieved credentials C. The second access token SAT generated by the identity and access management, IAM, unit 6 can be returned to the access manager module 4 which forwards the second access token SAT back to the querying application APP as also illustrated in FIG 1. The access manager module 4 of the cloud platform 2 returns the second access token SAT to the querying application APP which uses the returned second access token SAT to obtain access to data stored in the security data zone 7 of the respective customer.

The returned second access token SAT can be used by the querying application APP executed on the processor of the user device 3 to perform a read access and/or to perform a write access to data stored in the security data zone 7 of the respective user. The data stored in the security data zone 7 of the user accessed by the application APP can be processed by the application APP to evaluate and/or to manipulate data of the customer. The data can comprise in a possible embodiment Internet of Things IoT data of the respective user stored in the security data zone 7 of the customer. The security data zone 7 of the user comprises a logical separated data storage area in a data storage resource connected with the cloud platform 2 or forming part of the cloud platform 2. In a possible embodiment, the second access token SAT is a unique zone access token being valid only for a predefined time period. After the time period has elapsed, the second access token SAT becomes invalid. This increases the security of the system 1 according to the present invention. In a possible embodiment, the credentials C for a security data zone 7 of a user can undergo an automatic rotation.

In a possible embodiment, the access manager module 4 can form part of a key manager API of the cloud platform 2. The key manager API can issue access tokens for IoT data-consuming users which have access to the respective application (after provisioning). In a possible embodiment, access to the access manager module 4, e.g. key manager access token and user name, can be preconfigured. An operator or service provider can automatically create an entry in the configuration of the access manager module 4 for applications and can also add in a possible embodiment credentials C for any operator, tenant or user. During provisioning an application, an IoT value plan tenant or user or operator can add a further entry into the configuration of the access manager module 4 for the new user. The application can query the access manager module 4 by means of the first access token FAT provided by the operator to retrieve a list of tenants or customers and using the retrieved first access token FAT to process their data. The first access tokens FATs can be application specific.

In a possible embodiment, the application APP can for example continuously calculate key performance indicators KPI based on incoming time series data for multiple tenants for calculating results. Another use case can be the training of an analytical data model periodically which may take multiple hours to finish. In a possible embodiment, a secure and exclusive background data processing only for a certain user or customer can be provided using a key manager module for a key rotation for every call or request for data by an application APP.

FIG 2 shows a flowchart of a possible exemplary embodiment of a method according to a further aspect of the present invention. The method illustrated in FIG 2 is used for providing an efficient access by an application APP of a service provider to data stored in a security data zone 7 of a customer using a cloud platform 2. In the illustrated exemplary embodiment, the method comprises two main steps.

In a first step S1, credentials for a security data zone 7 of a customer are retrieved by an access manager module 4 of the cloud platform 2 in response to a query Q received from an application APP in case that the access manager module 4 determines that a first access token FAT included in the received query Q belongs to an application APP of a service provider registered at the access manager module 4 and that the user specified in the received query Q is further allowed to use the registered application APP.

In a further step S2, the access manager module 4 of the cloud platform 2 returns a second access token SAT generated on the basis of the retrieved credentials to the querying application APP which uses the returned second access token SAT to obtain access to data stored in the security data zone 7 of the respective user to be processed by the querying application APP. The second access token SAT can also provide access to other resources of a network, in particular data storage resources and/or data processing resources.

In a setup phase, the application APP is first registered by a service provider module at the access manager module 4 of the cloud platform 2 for assignment of at least one first access token FAT. This first access token FAT can comprise a manager access login name and/or a manager access password. Further, in the setup phase, the access manager module 4 of the cloud platform 2 is notified by the respective service provider module of the service provider of the application APP about the existing relationship between the service provider and the user wherein the relationship allows the respective user to use the registered application APP of the service provider.

In a possible embodiment, credentials C or any other kind of secret information stored in the memory 5 can be rotated in response to a query Q received from an application APP requesting a new second access token (SDZ access token) and it turns out that the stored credential C is outdated. In a possible embodiment, the credentials C are stored in encrypted form and are decrypted before being supplied to the IAM unit 6. In a possible embodiment, credentials C can be rotated in configurable time intervals.
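The FIG 1 token exchange (steps S1 and S2) together with the outdated-credential rotation just described, as an added Python simulation that is not part of the patent or of any Siemens product: the classes mirror the reference numerals (access manager 4, memory 5 LUT, IAM unit 6, security data zone 7), while the SAT format (HMAC-signed "user|expiry"), the lifetimes and the sample app and user names are assumptions.

```python
import hmac
import secrets
# Constructed simulation of the FIG 1 flow (not Siemens' own code): query Q
# with FAT -> S1 checks -> C from the LUT -> IAM mints a time-limited SAT.
SAT_LIFETIME_S = 60     # assumed validity period of a zone access token
CRED_MAX_AGE_S = 3600   # assumed age after which credentials C are outdated


class IAMUnit:
    """IAM unit 6: mints SATs for the user named in credentials C."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # shared with the SDZ gate only

    def issue_sat(self, cred_user, now):
        body = f"{cred_user}|{int(now) + SAT_LIFETIME_S}"   # owner + expiry
        tag = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return f"{body}|{tag}"

    def user_for_sat(self, sat, now):
        # The zone owner for an authentic, unexpired SAT; None otherwise.
        user, exp, tag = (sat.split("|") + ["", "", ""])[:3]
        good = hmac.new(self._key, f"{user}|{exp}".encode(), "sha256").hexdigest()
        ok = exp.isdigit() and hmac.compare_digest(tag.encode(), good.encode())
        return user if ok and now <= int(exp) else None


class AccessManager:
    """Access manager module 4; self.lut stands in for the LUT in memory 5."""
    def __init__(self, iam):
        self.iam, self.apps, self.allowed = iam, {}, set()
        self.lut = {}        # user -> (password, issued_at): credentials C

    def register_app(self, app):                # setup: assign the FAT
        self.apps[app] = secrets.token_hex(16)
        return self.apps[app]

    def notify_relationship(self, app, user):   # setup: contract exists
        self.allowed.add((app, user))

    def handle_query(self, fat, user, now):
        # S1: FAT must belong to a registered app and user must be allowed.
        app = next((a for a, t in self.apps.items()
                    if hmac.compare_digest(t.encode(), fat.encode())), None)
        if app is None or (app, user) not in self.allowed or user not in self.lut:
            return None
        if now - self.lut[user][1] > CRED_MAX_AGE_S:    # rotate outdated C
            self.lut[user] = (secrets.token_hex(12), now)
        return self.iam.issue_sat(user, now)            # S2: SAT back to app


def sdz_access(iam, store, sat, user, key, now, value=None):
    """SDZ 7 gate: write `value` (if given) or read `key`; None if denied."""
    if iam.user_for_sat(sat, now) != user:      # wrong zone or expired SAT
        return None
    zone = store.setdefault(user, {})           # logically separated area
    if value is not None:
        zone[key] = value
    return zone.get(key)


def demo(now=1_000_000.0):
    iam, store = IAMUnit(), {}
    am = AccessManager(iam)
    fat = am.register_app("kpi-app")             # constructed app name
    am.notify_relationship("kpi-app", "alice")   # constructed customer
    am.lut["alice"] = ("pw-constructed", now)
    sat = am.handle_query(fat, "alice", now)     # query Q at app start
    am.handle_query(fat, "alice", now + CRED_MAX_AGE_S + 1)   # forces rotation
    return {
        "sat_issued": sat is not None,
        "unknown_fat_rejected": am.handle_query("bogus", "alice", now) is None,
        "no_relationship_rejected": am.handle_query(fat, "bob", now) is None,
        "write_ok": sdz_access(iam, store, sat, "alice", "temp", now, 21.5) == 21.5,
        "read_ok": sdz_access(iam, store, sat, "alice", "temp", now) == 21.5,
        "cross_zone_blocked": sdz_access(iam, store, sat, "bob", "temp", now) is None,
        "tampered_blocked": sdz_access(iam, store, sat[:-1] + "x", "alice", "temp", now) is None,
        "expired_blocked": sdz_access(iam, store, sat, "alice", "temp", now + 61) is None,
        "credentials_rotated": am.lut["alice"][0] != "pw-constructed",
    }
```

Every entry returned by `demo()` is True: a SAT is only minted once both S1 checks pass, it opens only its owner's zone until its expiry, and a query arriving after the credentials C have aged out rotates them before the IAM unit is consulted.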