EP-4546189-B1 - SYSTEM AND METHOD FOR PROVIDING THIRD PARTY COMPLIANCE TO COMPUTER AND SOFTWARE ENVIRONMENTS

EP 4546189 B1

Inventors

  • REZNIK, Roy
  • SHALEV, MATTAN
  • BERKOVITZ, AVIHAI
  • EYAL, EREZ
  • LUTTWAK, Ami

Dates

Publication Date
20260513
Application Date
20241024

Claims (12)

  1. A method for providing third party compliance to a cloud computing environment (110) implemented on cloud computing infrastructure without providing access thereto by a third party (130) to the cloud computing environment (110) and wherein the third party (130) is outside of the cloud computing environment (110), comprising: generating a representation of the cloud computing environment (110), the cloud computing environment (110) including a plurality of identities; generating a software inventory (128, 220) of the cloud computing environment (110) utilizing a cybersecurity inspection technique; executing a database query (202) on any one of: the representation of the cloud computing environment (110), the software inventory (128, 220), and a combination thereof, wherein the database query (202) is based on query (202) that is received from the third party (130); generating an alert in response to determining that the executed query (202) returns a predetermined result; determining compliance of the cloud computing environment (110) based on the representation, the software inventory (128, 220), and the predetermined result; and providing the determined compliance to a third party (130), wherein the third party (130) is not associated with the plurality of identities.
  2. The method of claim 1, further comprising: receiving, as the query (202) that is received from the third party (130), a natural language query (202); and generating the database query (202) based on the natural language query (202).
  3. The method of claim 2, further comprising: generating the database query (202) further based on a large language model (LLM), the LLM trained on any one of: a security database (126, 230) in which the representation is stored, the software inventory (128, 220), and a combination thereof.
  4. The method of claim 1, further comprising: generating a notification of compliance in response to determining that the executed query (202) returns a second predetermined result.
  5. The method of claim 1, further comprising: initiating inspection for each of a plurality of workloads in the cloud computing environment (110).
  6. The method of claim 5, further comprising: inspecting a first workload of the plurality of workloads for any one of: a cybersecurity object, a cybersecurity threat, a software component, a software application, a software metadata, and a combination thereof.
  7. The method of claim 6, further comprising: generating a software bill of materials based on inspecting the first workload.
  8. A non-transitory computer-readable medium storing a set of instructions for providing third party compliance to a cloud computing environment (110) implemented on cloud computing infrastructure without providing access thereto by a third party (130) to the cloud computing environment (110) and wherein the third party (130) is outside of the cloud computing environment (110), the set of instructions comprising: one or more instructions that, when executed by one or more processors of a device, cause the device to: generate a representation of the cloud computing environment (110), the cloud computing environment (110) including a plurality of identities; generate a software inventory (128, 220) of the cloud computing environment (110) utilizing a cybersecurity inspection technique; execute a database query (202) on any one of: the representation of the cloud computing environment (110), the software inventory (128, 220), and a combination thereof, wherein the database query (202) is based on query (202) that is received from the third party (130); generate an alert in response to determining that the executed query (202) returns a predetermined result; determine compliance of the cloud computing environment (110) based on the representation, the software inventory (128, 220), and the predetermined result; and provide the determined compliance to a third party (130), wherein the third party (130) is not associated with the plurality of identities.
  9. A system for providing third party compliance to a cloud computing environment (110) implemented on cloud computing infrastructure without providing access thereto by a third party (130) to the cloud computing environment (110) and wherein the third party (130) is outside of the cloud computing environment (110) comprising: a processing circuitry (510); a memory (520), the memory (520) containing instructions that, when executed by the processing circuitry (510), configure the system to: generate a representation of the cloud computing environment (110), the cloud computing environment (110) including a plurality of identities; generate a software inventory (128, 220) of the cloud computing environment (110) utilizing a cybersecurity inspection technique; execute a database query (202) on any one of: the representation of the cloud computing environment (110), the software inventory (128, 220), and a combination thereof, wherein the database query (202) is based on query (202) that is received from the third party (130); generate an alert in response to determining that the executed query (202) returns a predetermined result; determine compliance of the cloud computing environment (110) based on the representation, the software inventory (128, 220), and the predetermined result; and provide the determined compliance to a third party (130), wherein the third party (130) is not associated with the plurality of identities.
  10. The system of claim 9, wherein the memory (520) contains further instructions which when executed by the processing circuitry (510) further configure the system to: receive, as the query (202) that is received from the third party (130), a natural language query (202); and generate the database query (202) based on the natural language query (202).
  11. The system of claim 9, wherein the memory (520) contains further instructions which when executed by the processing circuitry (510) further configure the system to: initiate inspection for each of a plurality of workloads in the cloud computing environment (110); inspect a first workload of the plurality of workloads for any one of: a cybersecurity object, a cybersecurity threat, a software component, a software application, a software metadata, and a combination thereof.
  12. The system of claim 11, wherein the memory (520) contains further instructions which when executed by the processing circuitry (510) further configure the system to: generate a software bill of materials based on inspecting the first workload.
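Worked illustration of the claimed flow (claims 1 to 3 and 5 to 7), added here as example code that is not part of the patent or of any product it describes: a constructed environment representation with identities and an inspected software inventory, a regex stand-in for the natural-language-to-query step, and an audit function that evaluates the third party's query inside the environment and hands back only the compliance verdict and alert, so the auditor never receives an identity or the inventory itself. The environment data, the query shape and all function names are assumptions of this example.

```python
import re

# Constructed representation of the environment: its identities and the
# software inventory collected by inspecting each workload (SBOM-style).
ENVIRONMENT = {
    "identities": {"alice", "ci-runner", "db-admin"},
    "workloads": [
        {"name": "web-1", "software": {"openssl": "3.0.13", "nginx": "1.25.4"}},
        {"name": "api-2", "software": {"openssl": "1.1.1", "python": "3.11.9"}},
    ],
}


def parse_natural_language(text):
    """Stand-in for the LLM step of claims 2 and 3: map one sentence shape to a
    structured query. This regex is an assumption of the example, not the
    patent's model."""
    m = re.search(r"(\S+) older than (\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unsupported query")
    return {"package": m.group(1), "min_version": m.group(2)}


def execute_query(env, query):
    """Run the structured query against the inventory and return the workloads
    whose installed version of the package is below the required minimum."""
    def vtuple(v):
        return tuple(int(x) for x in v.split("."))
    pkg, minimum = query["package"], vtuple(query["min_version"])
    return [w["name"] for w in env["workloads"]
            if pkg in w["software"] and vtuple(w["software"][pkg]) < minimum]


def is_external(env, party):
    """The third party must hold none of the environment's identities."""
    return party not in env["identities"]


def audit(env, third_party, question):
    """Evaluate the auditor's question inside the environment and return only
    the compliance verdict: no identity is created for the auditor and no
    inventory records leave with the result."""
    if not is_external(env, third_party):
        raise ValueError("auditor must not hold an identity in the environment")
    query = parse_natural_language(question)
    offending = execute_query(env, query)
    alert = bool(offending)  # the predetermined result that raises an alert
    return {"query": query, "compliant": not alert, "alert": alert,
            "finding_count": len(offending)}
```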

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 63/592,752 filed October 24, 2023.

TECHNICAL FIELD

The present disclosure relates generally to cybersecurity, and specifically to providing digital trust and compliance to computer and software environments without the need to provide direct access to the environments to a third party auditor for compliance auditing purposes.

BACKGROUND

Cloud environments provide significant value in the areas of scalability and software integration across the environment. However, in any enterprise cloud environment, it is essential that devices within the cloud maintain compliance with organizational policies. Maintaining compliance with said policies ensures that the environment is better secured from potential intruders, malicious actors, harmful software, and human-derived error.

In maintaining compliance policies, enterprises will often seek out third party services to provide auditing functions and reporting on compliance status. These third party auditors often require access to the cloud environment. Providing access typically requires creation of an identity within the cloud environment for the third party to use. Additionally, the third party often requires a human to physically perform inspection services when automated compliance monitoring is not available. Furthermore, it is cumbersome to consistently scan cloud environments to detect non-compliant environments, as the monitoring and auditing often require human intervention or the use of computationally expensive automated monitoring services. Additionally, a list of known and allowable software installation policies is necessary in order to create a baseline for establishing compliance.

It would therefore be advantageous to provide a solution that would overcome the challenges noted above.

US 2023/140160 A1 relates to managing compliance risk of data stored or processed in a computing system by generating a directed-graph representation of dataset-to-component dependencies. US 2023/161870 A1 relates to automating the inspection and validation of workloads by tracing changes from configuration code to their deployment in production environments.

SUMMARY

A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended neither to identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term "some embodiments" or "certain embodiments" may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

A system of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.

In one general aspect, the method may include generating a representation of the computing environment, the computing environment including a plurality of identities. The method may also include generating a software inventory of the computing environment utilizing a cybersecurity inspection technique. The method may furthermore include determining compliance of the computing environment based on the representation and the software inventory. The method may in addition include providing the determined compliance to a third party, where the third party is not associated with the plurality of identities. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.

Implementations may include one or more of the following features. The method may include: determining compliance continuously. The method may include: executing a database query on any one of: the representation of the computing environment, the software inventory, and a combination thereof. The method may include: receiving the query from the third party. The method may include: receiving a natural language query; and generating the database query based on the natural language query. The method may include: generating the database query further based on a large language model (LLM), the LLM trained on any one of: the security database, the software inventory, and a combination thereof. Method may