WO-2026096019-A1 - PROACTIVELY DETERMINING SECURITY RISKS AND DEPLOYMENT IMPACTS ACROSS CLOUD COMPUTING ENVIRONMENTS
Abstract
This disclosure describes a proactive deployment impact system that detects and addresses the security impact of candidate code-based infrastructure changes before they are deployed in a production environment within a cloud computing system. The proactive deployment impact system implements a lightweight preemptive security framework, based on runtime resource information, to determine whether a requested candidate code-based infrastructure change would introduce new security risks, attack patterns, or breach vulnerabilities. Furthermore, the proactive deployment impact system can actively block the deployment of negatively impacting candidate changes, report potential security breaches, and/or automatically modify the candidate changes to eliminate security vulnerabilities.
Inventors
- COPTY, FADY
- ELDAN, Aviv David
- NAKASH, ASAF
- SAROYA, Yoav
Assignees
- MICROSOFT TECHNOLOGY LICENSING, LLC
Dates
- Publication Date
- 20260507
- Application Date
- 20250724
- Priority Date
- 20241029
Claims (20)
- 1. A computer-implemented method for preventing resource breaches in a cloud computing system (116) (202), comprising: receiving a cloud resource deployment request (114) to deploy a candidate code-based infrastructure change (112) in a cloud infrastructure environment; generating a security map (124) of a target portion of the cloud infrastructure environment that indicates security information of nodes and edges within the target portion; based on determining that the cloud resource deployment request (114) corresponds to the target portion, generating a candidate security map (132) by merging security information from the candidate code-based infrastructure change (112) into the security map (124); determining a security risk (144) based on performing a security pattern analysis on one or more pattern-based data structures generated from the candidate security map (132); and preventing the cloud resource deployment request (114) from deploying in the cloud infrastructure environment based on determining the security risk (144).
- 2. The computer-implemented method of claim 1, wherein performing the security pattern analysis includes performing a what-if analysis on the candidate security map that provides expected impacts of implementing the candidate code-based infrastructure change.
- 3. The computer-implemented method of any of claims 1-2, further comprising: determining a target resource within the cloud resource deployment request; identifying the target resource within the target portion of the cloud infrastructure environment, wherein the target portion corresponds to a target tenant of the cloud infrastructure environment; and obtaining the security map for the target portion, wherein the security map is a subset of a target tenant security map.
- 4. The computer-implemented method of claim 3, wherein the security map is stored as a table in a security database.
- 5. The computer-implemented method of any of claims 1-4, wherein merging the security information from the candidate code-based infrastructure change into the security map includes: identifying target cloud resources and surrounding target cloud resources affected by a change within the candidate code-based infrastructure change; identifying changes from the candidate code-based infrastructure change to the target cloud resources and the surrounding target cloud resources; and generating the candidate security map to indicate updated security information to the nodes and the edges within the target portion based on the changes.
- 6. The computer-implemented method of any of claims 1-5, wherein determining the security risk includes comparing pattern-based data structures from the security map to the one or more pattern-based data structures generated from the candidate security map to determine changes in the security information.
- 7. The computer-implemented method of any of claims 1-6, wherein performing the security pattern analysis includes: comparing a set of known resource vulnerability patterns to the one or more pattern-based data structures; and identifying a match between a resource vulnerability pattern of the set of known resource vulnerability patterns and the one or more pattern-based data structures.
- 8. The computer-implemented method of any of claims 1-7, further comprising providing a security threat notification based on determining that the security risk meets a security threat threshold.
- 9. The computer-implemented method of claim 8, wherein: the security threat threshold is based on a current threat level of a subscription identifier or a tenant identifier associated with the target portion of the cloud infrastructure environment; and the security threat threshold is met based on the one or more pattern-based data structures generated from the candidate security map having a threat level above the current threat level.
- 10. The computer-implemented method of claim 8, wherein the security threat threshold is met based on the one or more pattern-based data structures generated from the candidate security map having a critical breach threat level.
- 11. The computer-implemented method of any of claims 1-10, wherein the cloud resource deployment request is received from an administrator device, a client device associated with a developer, or a recommendation system.
- 12. The computer-implemented method of any of claims 1-11, wherein the cloud resource deployment request is provided as a code-based infrastructure file with corresponding parameters.
- 13. The computer-implemented method of any of claims 1-12, wherein the security information of a node includes security contexts and security risks of the node.
- 14. The computer-implemented method of any of claims 1-13, further comprising: receiving an additional cloud resource deployment request; based on determining that the additional cloud resource deployment request corresponds to the target portion, generating an additional candidate security map from additional security information in the additional cloud resource deployment request; determining that the additional cloud resource deployment request includes a low-security risk based on performing the security pattern analysis with the candidate security map; and allowing the additional cloud resource deployment request to deploy in the cloud infrastructure environment based on the low-security risk.
- 15. A system for preventing resource breaches in a cloud computing system (116) (202) comprising: a processing system having a processor (701); and a computer memory (703) including instructions (705) that, when executed by the processing system, cause the system to carry out operations comprising: receiving a candidate code-based infrastructure for changing resources in a cloud infrastructure environment; generating a security map (124) of a target portion of the cloud infrastructure environment; generating a candidate security map (132) by merging security information from the candidate code-based infrastructure into the security map (124) of the target portion; determining a security risk (144) based on performing a security pattern analysis on a pattern-based data structure generated from the candidate security map (132); and based on determining the security risk (144), providing a security notification indicating that deploying the candidate code-based infrastructure will result in a negative change to a security risk (144) profile.
- 16. The system of claim 15, wherein the security risk introduces a new vulnerability into the cloud infrastructure environment if the candidate code-based infrastructure is implemented.
- 17. The system of any of claims 15-16, wherein the security risk violates a best practices policy of the cloud infrastructure environment if the candidate code-based infrastructure is implemented.
- 18. The system of any of claims 15-17, further comprising generating the pattern-based data structure from the candidate security map into a pattern-based data structure by converting a portion of the candidate security map into a format that is compatible with performing the security pattern analysis.
- 19. A non-transitory computer-readable storage medium comprising instructions (705) that, when executed by a processor (701), cause a computer device to carry out operations comprising: receiving a cloud resource deployment request (114) with a candidate code-based infrastructure change (112) for changing resources within a cloud infrastructure environment; generating a security map (124) of a target portion of the cloud infrastructure environment that indicates security information of nodes and edges within the target portion; based on determining that the cloud resource deployment request (114) corresponds to the target portion, generating a candidate security map (132) by: identifying target cloud resources and surrounding target cloud resources affected by a change within the candidate code-based infrastructure change (112); identifying changes from the candidate code-based infrastructure change (112) to the target cloud resources and the surrounding target cloud resources; and generating the candidate security map (132) to indicate updated security information to the nodes and the edges within the target portion based on the changes; determining a security risk (144) based on performing a security pattern analysis on one or more pattern-based data structures generated from the candidate security map (132); and preventing the cloud resource deployment request (114) from deploying in the cloud infrastructure environment based on determining the security risk (144).
- 20. The non-transitory computer-readable storage medium of claim 19, wherein performing the security pattern analysis includes: comparing a set of known resource vulnerability patterns to the one or more pattern-based data structures; and identifying a match between a resource vulnerability pattern of the set of known resource vulnerability patterns and the one or more pattern-based data structures.
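The claims above describe one pipeline: build a security map of the target portion (claim 1), merge the candidate change into it (claim 5), convert the result into pattern-based data structures (claim 18), diff those against the baseline and match them to known vulnerability patterns (claims 6-7), and block or allow against a tenant-level threshold (claims 8-10, 14). The following Python is an added illustration of that pipeline written for this page; it is not the patent's code or Microsoft's implementation. The resource names, the security-context attributes, the "path of resource kinds" encoding of the pattern-based data structure, the catalogue of known patterns and the three candidate changes are all constructed assumptions.

```python
# Added illustration of the claimed flow (not the patent's or Microsoft's code):
# security map -> candidate security map -> pattern-based structures -> pattern
# analysis -> threshold gate. Resource names, attributes and patterns are constructed.
import copy
from dataclasses import dataclass

LEVELS = {"none": 0, "low": 1, "medium": 2, "critical": 3}


@dataclass
class SecurityMap:
    nodes: dict   # resource name -> security context (kind, exposure flags, sensitivity)
    edges: set    # directed (src, dst) access edges declared by the infrastructure


# Constructed target portion of one tenant: an internet-facing VM, an internal VM,
# and a storage account holding sensitive data.
BASELINE = SecurityMap(
    nodes={
        "internet": {"kind": "external", "trusted": False},
        "web-vm":   {"kind": "vm", "public_ip": True},
        "app-vm":   {"kind": "vm", "public_ip": False},
        "db-store": {"kind": "storage", "sensitive": True, "public_access": False},
    },
    edges={("web-vm", "app-vm"), ("app-vm", "db-store")},
)

# Constructed catalogue of known resource vulnerability patterns (claim 7): a path
# shape from an untrusted node, keyed by the sequence of resource kinds along it.
KNOWN_PATTERNS = {
    ("external", "storage"):       ("sensitive storage directly reachable from the internet", "critical"),
    ("external", "vm", "storage"): ("internet-exposed VM one hop from sensitive storage", "medium"),
    ("external", "vm"):            ("VM exposed to the internet", "low"),
}


def effective_edges(m):
    """Declared edges plus the exposure edges implied by each node's security context."""
    implied = {("internet", n) for n, c in m.nodes.items()
               if c.get("public_ip") or c.get("public_access")}
    return m.edges | implied


def merge_candidate(m, change):
    """Claim 5: apply a candidate change to its target resource (creating it if new) and
    record any edges the change declares, yielding the candidate security map."""
    cand = copy.deepcopy(m)
    target = change["resource"]
    cand.nodes.setdefault(target, {"kind": change.get("kind", "unknown")})
    cand.nodes[target].update(change.get("set", {}))
    cand.edges |= {tuple(e) for e in change.get("add_edges", [])}
    cand.edges -= {tuple(e) for e in change.get("remove_edges", [])}
    return cand


def to_patterns(m, max_nodes=4):
    """Claim 18: convert the map into pattern-based data structures, here every simple
    path of up to max_nodes resources starting at an untrusted node, as a kind sequence."""
    adj = {}
    for src, dst in effective_edges(m):
        adj.setdefault(src, set()).add(dst)
    found = set()

    def walk(path):
        if len(path) > 1:
            found.add(tuple(m.nodes.get(n, {}).get("kind", "unknown") for n in path))
        if len(path) == max_nodes:
            return
        for nxt in adj.get(path[-1], ()):
            if nxt not in path:          # simple paths only
                walk(path + [nxt])

    for name, ctx in m.nodes.items():
        if not ctx.get("trusted", True):
            walk([name])
    return found


def security_pattern_analysis(baseline, candidate):
    """Claims 6-7: keep only the pattern structures the candidate introduces, then match
    them against the known vulnerability patterns. Returns (findings, numeric level)."""
    new_patterns = to_patterns(candidate) - to_patterns(baseline)
    findings = [KNOWN_PATTERNS[p] for p in sorted(new_patterns) if p in KNOWN_PATTERNS]
    level = max((LEVELS[sev] for _, sev in findings), default=LEVELS["none"])
    return findings, level


def gate_deployment(baseline, change, tenant_level="low"):
    """Claims 1, 8-10, 14: block and notify when a new pattern is critical or exceeds the
    tenant's current threat level; otherwise allow the low-risk request."""
    candidate = merge_candidate(baseline, change)
    findings, level = security_pattern_analysis(baseline, candidate)
    threshold_met = level >= LEVELS["critical"] or level > LEVELS[tenant_level]
    return {"decision": "block" if threshold_met else "allow",
            "notify": threshold_met, "findings": findings}


if __name__ == "__main__":
    # Constructed candidate changes in a code-based-infrastructure-like shape.
    make_store_public = {"resource": "db-store", "set": {"public_access": True}}
    open_web_to_store = {"resource": "web-vm", "add_edges": [["web-vm", "db-store"]]}
    rotate_app_port = {"resource": "app-vm", "set": {"open_ports": [8443]}}
    for change in (make_store_public, open_web_to_store, rotate_app_port):
        print(change["resource"], gate_deployment(BASELINE, change))
```

The diff in security_pattern_analysis is what makes the check a what-if analysis (claim 2): the baseline already contains an internet-to-storage path through two VMs, so only paths the candidate newly creates are scored. The tenant_level argument plays the role of the per-tenant current threat level in claim 9, so the same medium-severity finding blocks a low-threat tenant but is tolerated by one already running at medium, while a critical finding blocks regardless (claim 10).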
Description
PROACTIVELY DETERMINING SECURITY RISKS AND DEPLOYMENT IMPACTS ACROSS CLOUD COMPUTING ENVIRONMENTS
BACKGROUND
[0001] In recent years, advancements in both hardware and software have significantly transformed cloud computing environments, enabling the use of code-based infrastructure to provide scalable resources and services. One benefit of using code-based infrastructure is the ability to modify various components and resources through patches and change requests. For instance, a developer might submit a change request to modify portions of the infrastructure by updating one or more resources. However, modifications to one resource can inadvertently introduce unanticipated vulnerabilities to other resources. These vulnerabilities can impact a cloud computing environment by introducing security risks, such as best practice violations or exposing sensitive data. Indeed, due to the extensive relationships and interconnections between nodes and resources in a cloud computing environment, coupled with limited visibility of the full environment, systems and users that provide change requests commonly struggle to assess the broader impact of their changes. These issues, among others, exist in current cloud computing environments.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] The following detailed description provides specific and detailed implementations accompanied by drawings. Additionally, each of the figures listed below corresponds to one or more implementations discussed in this disclosure.
[0003] FIG. 1 illustrates an example overview of implementing the proactive deployment impact system to determine and prevent security threats that could arise from implementing requested candidate code-based infrastructure changes in a production cloud environment of a cloud computing system.
[0004] FIG. 2 illustrates an example computing environment of a cloud computing system where a proactive deployment impact system is implemented.
[0005] FIG. 3 illustrates an example high-level block diagram of the proactive deployment impact system performing predictive risk assessment to prevent security threats that could arise from implementing requested candidate code-based infrastructure changes.
[0006] FIGS. 4A-4D illustrate example diagrams of security maps and pattern-based data structures based on requested candidate code-based infrastructure changes.
[0007] FIG. 5 illustrates an example diagram of preventing security resource breaches in a production cloud environment based on performing security pattern analysis on security graphs and pattern-based data structures.
[0008] FIGS. 6A-6B illustrate example series of acts of computer-implemented methods for preventing resource breaches in a cloud computing system.
[0009] FIG. 7 illustrates example components included within a computer system that implements the proactive deployment impact system.
DETAILED DESCRIPTION
[0010] This disclosure describes a proactive deployment impact system that detects and addresses the security impact of candidate code-based infrastructure changes before they are deployed in a production environment within a cloud computing system. The proactive deployment impact system implements a lightweight preemptive security framework that incorporates runtime resource information to determine whether a requested candidate code-based infrastructure change could introduce new security risks, attack patterns, or breach vulnerabilities. Furthermore, the proactive deployment impact system can proactively protect the cloud computing system by blocking the deployment of harmful candidate changes, reporting potential security breaches, and/or automatically modifying the candidate changes to eliminate security vulnerabilities.
[0011] Accordingly, implementations of the present disclosure provide benefits and solve problems in the art with systems, computer-readable media, and computer-implemented methods that utilize a proactive deployment impact system that detects and addresses the security impact of candidate code-based infrastructure changes based on runtime resource properties and relationships. As described below, the proactive deployment impact system predicts the impact of potential deployments by representing candidate changes in a code-based infrastructure format, generating security maps or graphs indicating potential security characteristic changes, and determining new potential risks within the cloud computing system based on the security maps. Additionally, because the proactive deployment impact system is lightweight and executes in real time, the system can identify resource breaches and vulnerabilities before deployment and more quickly than existing systems.
[0012] To elaborate, consider this example of the proactive deployment impact system preventing resource breaches in a cloud computing system. Based on receiving a cloud resource deployment request (“request”) with a candidate code-based infrastructure change (“candidate change”) to a cloud