US-12627716-B2 - Enabling security policies on cloud security provider based on SD-WAN context

Abstract

The present technology provides solutions for enabling software-defined wide area network (SD-WAN) policies on a cloud security provider. An example method includes collecting, by a SD-WAN controller, contextual data associated with at least one user account of a SD-WAN, wherein the contextual data includes at least one of a virtual private network (VPN) identifier or a security group tag; and transmitting, by the SD-WAN controller, the contextual data over a secure application programming interface to a cloud security engine of a cloud network for enforcement of security policies on the cloud network based on the contextual data. Systems and computer-readable media are also provided.

Inventors

  • Shailendra Vinod Pardeshi
  • Venkatesh Nataraj
  • Saravanan Radhakrishnan
  • Pritam Baruah
  • Kannan Kumar

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date
2026-05-12
Application Date
2024-06-21

Claims (20)

  1. A method for enabling software-defined wide area network (SD-WAN) policies on a cloud security provider, the method comprising: collecting, by a SD-WAN controller, contextual data associated with at least one user account of a SD-WAN, wherein the contextual data includes at least one of a virtual private network (VPN) identifier or a security group tag; and transmitting, by the SD-WAN controller, the contextual data over a secure application programming interface to a cloud security engine of a cloud network for enforcement of security policies on the cloud network based on the contextual data.
  2. The method of claim 1, further comprising: setting, by the SD-WAN controller, the security policies for the SD-WAN, wherein the security policies are associated with the at least one user account; and transmitting, by the SD-WAN controller, the security policies over the secure application programming interface to the cloud security engine for enforcement of the security policies on the cloud network based on the contextual data.
  3. The method of claim 1, wherein the security group tag is associated with a user profile.
  4. The method of claim 1, further comprising: updating, by the SD-WAN controller, a database storing the contextual data; and transmitting, by the SD-WAN controller, an update of the database over the secure application programming interface to the cloud security engine of the cloud network for enforcement of the security policies on the cloud network based on the contextual data.
  5. The method of claim 1, wherein the contextual data is inserted into a metadata header of an Internet Protocol Security (IPsec) payload of a packet associated with the at least one user account as the at least one user account accesses the SD-WAN.
  6. The method of claim 5, wherein the packet is received by the cloud security engine from a SD-WAN device associated with the at least one user account through a secure Internet gateway (SIG) tunnel established between the SD-WAN device and the cloud security engine.
  7. The method of claim 5, wherein enforcement of the security policies includes the cloud security engine decrypting the packet to determine the contextual data.
  8. The method of claim 1, wherein the security policies are defined using the contextual data.
  9. The method of claim 1, wherein the virtual private network (VPN) identifier is associated with a location or a sub-location.
  10. A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to: collect, by a SD-WAN controller, contextual data associated with at least one user account of a SD-WAN, wherein the contextual data includes at least one of a virtual private network (VPN) identifier or a security group tag; and transmit, by the SD-WAN controller, the contextual data over a secure application programming interface to a cloud security engine of a cloud network for enforcement of security policies on the cloud network based on the contextual data.
  11. The non-transitory computer-readable storage medium of claim 10, wherein the instructions further configure the processor to: set, by the SD-WAN controller, the security policies for the SD-WAN, wherein the security policies are associated with the at least one user account; and transmit, by the SD-WAN controller, the security policies over the secure application programming interface to the cloud security engine for enforcement of the security policies on the cloud network based on the contextual data.
  12. The non-transitory computer-readable storage medium of claim 10, wherein the security group tag is associated with a user profile.
  13. The non-transitory computer-readable storage medium of claim 10, wherein the instructions further configure the processor to: update, by the SD-WAN controller, a database storing the contextual data; and transmit, by the SD-WAN controller, an update of the database over the secure application programming interface to the cloud security engine of the cloud network for enforcement of the security policies on the cloud network based on the contextual data.
  14. The non-transitory computer-readable storage medium of claim 10, wherein the contextual data is inserted into a metadata header of an Internet Protocol Security (IPsec) payload of a packet associated with the at least one user account as the at least one user account accesses the SD-WAN.
  15. The non-transitory computer-readable storage medium of claim 14, wherein the packet is received by the cloud security engine from a SD-WAN device associated with the at least one user account through a secure Internet gateway (SIG) tunnel established between the SD-WAN device and the cloud security engine.
  16. The non-transitory computer-readable storage medium of claim 14, wherein enforcement of the security policies includes the cloud security engine decrypting the packet to determine the contextual data.
  17. The non-transitory computer-readable storage medium of claim 10, wherein the security policies are defined using the contextual data.
  18. The non-transitory computer-readable storage medium of claim 10, wherein the virtual private network (VPN) identifier is associated with a location or a sub-location.
  19. A system comprising: a processor; and a memory storing instructions that, when executed by the processor, cause the processor to: collect, by a SD-WAN controller, contextual data associated with at least one user account of a SD-WAN, wherein the contextual data includes at least one of a virtual private network (VPN) identifier or a security group tag; and transmit, by the SD-WAN controller, the contextual data over a secure application programming interface to a cloud security engine of a cloud network for enforcement of security policies on the cloud network based on the contextual data.
  20. The system of claim 19, wherein the instructions, when executed by the processor, further cause the processor to: set, by the SD-WAN controller, the security policies for the SD-WAN, wherein the security policies are associated with the at least one user account; and transmit, by the SD-WAN controller, the security policies over the secure application programming interface to the cloud security engine for enforcement of the security policies on the cloud network based on the contextual data.
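The claims describe two paths for the same per-user context: a table (VPN identifier, security group tag) pushed by the SD-WAN controller over a secure API (claims 1, 2, 4), and the same tags carried in a metadata header inside the IPsec payload of each tunnelled packet, which the cloud security engine reads after decryption and matches against policy (claims 5 to 8). The following is an added illustration of how those two paths fit together; it is not code from the patent or from Cisco. Everything concrete in it is assumed: the metadata header layout (magic, VPN id, SGT, inner length), an HMAC tag standing in for the secure API's authentication, the policy rule shape, and the user names and tag values, which are constructed. The packet is shown after IPsec decryption, so the "decrypting the packet" step of claim 7 is outside the block. The two checks a practitioner would want are included: a version number so a replayed or stale table push is rejected, and a cross-check of the packet-carried tags against the controller-supplied table so a spoofed header cannot grant a policy the user was never assigned.

```python
"""Added example: SD-WAN context pushed to a cloud security engine and used for enforcement."""
from __future__ import annotations

import hashlib
import hmac
import json
import struct
from dataclasses import dataclass

# Assumed shared secret for the "secure API". A real deployment would use TLS with
# mutual authentication and a per-tenant credential, not a static key in source.
API_KEY = b"constructed-demo-key"

# Assumed wire layout for the metadata header carried in the IPsec payload (claim 5).
# The patent does not specify a format; this one is invented for the example:
# 4-byte magic, 4-byte VPN id, 2-byte SGT, 2-byte inner-packet length, inner packet.
META_MAGIC = b"SDWN"
META_FMT = "!4sIHH"
META_LEN = struct.calcsize(META_FMT)


@dataclass(frozen=True)
class Context:
    vpn_id: int
    sgt: int


class SdwanController:
    """Collects per-user context and exports it as a signed, versioned table."""

    def __init__(self) -> None:
        self.db: dict[str, Context] = {}
        self.version = 0

    def set_context(self, user: str, vpn_id: int, sgt: int) -> None:
        self.db[user] = Context(vpn_id, sgt)
        self.version += 1  # every database change bumps the version (claim 4 update)

    def export(self) -> tuple[bytes, str]:
        doc = {"version": self.version,
               "users": {u: {"vpn_id": c.vpn_id, "sgt": c.sgt} for u, c in self.db.items()}}
        body = json.dumps(doc, sort_keys=True).encode()
        return body, hmac.new(API_KEY, body, hashlib.sha256).hexdigest()

    @staticmethod
    def build_tunnel_payload(ctx: Context, inner_packet: bytes) -> bytes:
        """What the SD-WAN edge places inside the SIG/IPsec tunnel for one packet."""
        header = struct.pack(META_FMT, META_MAGIC, ctx.vpn_id, ctx.sgt, len(inner_packet))
        return header + inner_packet


class CloudSecurityEngine:
    """Ingests the context table over the API and enforces policy on tunnelled packets."""

    def __init__(self, policies: list[tuple[int | None, int | None, str, str]]) -> None:
        # Rule: (vpn_id or None for any, sgt or None for any, destination, action); first match wins.
        self.policies = policies
        self.users: dict[str, Context] = {}
        self.version = -1

    def ingest(self, body: bytes, tag: str) -> bool:
        expected = hmac.new(API_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged or corrupted push
        doc = json.loads(body)
        if doc["version"] <= self.version:
            return False  # replayed or stale table; keep the newer one
        self.version = doc["version"]
        self.users = {u: Context(c["vpn_id"], c["sgt"]) for u, c in doc["users"].items()}
        return True

    @staticmethod
    def parse_metadata(payload: bytes) -> tuple[Context, bytes] | None:
        if len(payload) < META_LEN:
            return None
        magic, vpn_id, sgt, length = struct.unpack(META_FMT, payload[:META_LEN])
        if magic != META_MAGIC or len(payload) != META_LEN + length:
            return None
        return Context(vpn_id, sgt), payload[META_LEN:]

    def enforce(self, user: str, payload: bytes, destination: str) -> str:
        parsed = self.parse_metadata(payload)
        if parsed is None:
            return "drop:malformed"
        ctx, _inner = parsed
        # Tags in the header are only as trustworthy as the tunnel they arrived on;
        # require them to agree with the controller-supplied table before using them.
        if self.users.get(user) != ctx:
            return "drop:context-mismatch"
        for vpn, sgt, dest, action in self.policies:
            if (vpn in (None, ctx.vpn_id)) and (sgt in (None, ctx.sgt)) and dest == destination:
                return action
        return "drop:default"


def demo() -> dict[str, object]:
    """Constructed scenario: two users, one policy set, one spoof attempt, one replay."""
    ctrl = SdwanController()
    ctrl.set_context("alice", vpn_id=10, sgt=100)  # VPN 10 = HQ, SGT 100 = finance (constructed)
    ctrl.set_context("bob", vpn_id=20, sgt=200)    # VPN 20 = branch, SGT 200 = contractor
    engine = CloudSecurityEngine([
        (10, 100, "erp.example", "allow"),
        (None, 200, "erp.example", "drop:contractor"),
        (None, None, "cdn.example", "allow"),
    ])
    body, tag = ctrl.export()
    pkt = b"GET / HTTP/1.1\r\n"
    return {
        "push_ok": engine.ingest(body, tag),
        "alice_erp": engine.enforce("alice", ctrl.build_tunnel_payload(ctrl.db["alice"], pkt), "erp.example"),
        "bob_erp": engine.enforce("bob", ctrl.build_tunnel_payload(ctrl.db["bob"], pkt), "erp.example"),
        "bob_spoof": engine.enforce("bob", ctrl.build_tunnel_payload(ctrl.db["alice"], pkt), "erp.example"),
        "replay_ok": engine.ingest(body, tag),
        "tamper_ok": engine.ingest(body + b" ", tag),
    }


if __name__ == "__main__":
    print(demo())
```

The cross-check in `enforce` is the point worth keeping: because claim 7 has the engine read the tags out of the packet, an edge that can write that header can assert any VPN id or SGT it likes, so the engine should treat the controller-pushed table as authoritative and the packet header only as a hint to be confirmed against it.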

Description

TECHNICAL FIELD

The present technology relates to enabling security policies for cloud security providers based on software-defined wide area network (SD-WAN) context, and to generating and providing SD-WAN contextual data to a cloud security provider for enforcement in a cloud environment.

BACKGROUND

SD-WAN has become the de facto standard for secure inter-site WAN connectivity in digital enterprises. SD-WAN uses a centralized controller architecture that separates the control plane from the data plane, which provides scalability and single-pane-of-glass management and orchestration. Secure Internet gateway (SIG) and security service edge (SSE) providers use the concepts of location and sub-location as the basis for their security policies. These concepts provide some degree of segmentation and micro-segmentation within an SD-WAN, but they are less useful once traffic reaches the datacenters of the SIG/SSE providers, where the SD-WAN's own segmentation context (such as VPN identifiers and security group tags) is not visible.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

To easily identify the discussion of any particular element or act, the most significant digit or digits in a reference number refer to the figure number in which that element is first introduced.

FIG. 1 illustrates an example of a high-level network architecture according to some aspects of the present technology.
FIG. 2 illustrates an example environment for sharing SD-WAN context with a cloud network according to some aspects of the present technology.
FIG. 3 illustrates another example environment for sharing SD-WAN context with a cloud network according to some aspects of the present technology.
FIG. 4 illustrates a method for enabling SD-WAN security policies on a cloud security provider according to some aspects of the present technology.
FIG. 5 illustrates another method for enabling SD-WAN security policies on a cloud security provider according to some aspects of the present technology.
FIG. 6 shows an example of a system for implementing certain aspects of the present technology.

DETAILED DESCRIPTION

The detailed description set forth below is intended as a description of various configurations of embodiments and is not intended to represent the only configurations in which the subject matter of this disclosure can be practiced. The appended drawings are incorporated herein and constitute a part of the detailed description. The detailed description includes specific details for the purpose of providing a more thorough understanding of the subject matter of this disclosure. However, it will be clear and apparent that the subject matter of this disclosure is not limited to the specific details set forth herein and may be practiced without these details. In some instances, structures and components are shown in block diagram form in order to avoid obscuring the concepts of the subject matter of this disclosure.

Overview

Disclosed herein are systems, methods, and computer-readable media for enabling software-defined wide area network (SD-WAN) policies on a cloud security provider. In one aspect, a method for enabling SD-WAN policies on a cloud security provider includes collecting, by a SD-WAN controller, contextual data associated with at least one user account of a SD-WAN, wherein the contextual data includes at least one of a virtual private network (VPN) identifier or a security group tag, and transmitting, by the SD-WAN controller, the contextual data over a secure application programming interface to a cloud security engine of a cloud network for enforcement of security policies on the cloud network based on the contextual data.
In another aspect, the method can also include setting, by the SD-WAN controller, the security policies for the SD-WAN, wherein the security policies are associated with the at least one user account, and transmitting, by the SD-WAN controller, the security policies over the secure application programming interface to the cloud security engine for enforcement of the security policies on the cloud network based on the contextual data. In another aspect, the security group tag is associated with a user profile. In another aspect, the method can also include updating, by the SD-WAN controller, a database storing the contextual data, and transmitting, by the SD-WAN controller, an update of the database over the secure application programming interface to the cloud security engine of the cloud network for enforcement of the security policies on the cloud network based on the contextual data. In another aspect, the contextual data is inserted into a metadata header of an Internet Protocol Security (IPsec) payload of a packet associated with the at least one user account as the at least one user account accesses the SD-WAN. In another aspect, the packet is received by the cloud security engine from a SD-WAN device associated with the at least one user account through a secure Internet gateway (SIG) tunnel established between the SD-WAN device and the cloud security engine. In another aspect, enforcement of the security policies includes