Security within a software-defined infrastructure
First Claim
1. A method comprising:
identifying, in a software-defined environment, a security container describing a workload and a set of resources required by the workload, the security container including self-describing sub-containers having associated metadata describing content of a respectively corresponding sub-container;
determining, for the workload, a set of resource-divisible portions of the workload including a compute-resource portion;
generating a plurality of sub-containers within the security container, a sub-container within the plurality of sub-containers being a self-describing sub-container having associated metadata describing the content of the sub-container representing only one resource-divisible portion, the sub-container being an operating system sub-container; and
responsive to identifying a security event while processing the workload, adjusting a security mechanism associated with the security container;
wherein:
the plurality of sub-containers represents an end-to-end run time environment for processing the workload.
1 Assignment
0 Petitions
Abstract
There is a method and system that includes establishing a security container that describes a workload and a set of resources that corresponds to the workload in a software-defined environment, determining a set of security criteria for the security container, monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria, and responsive to identifying a security event, adjusting one or more security mechanisms. The steps of monitoring and adjusting are operated within the software-defined environment.
14 Citations
18 Claims
1. A method comprising: (independent claim; full text given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A method comprising:
establishing a security container describing a workload and a set of resources in a software-defined environment, the security container including a set of sub-containers that are self-describing sub-containers having associated metadata describing content of a respectively corresponding sub-container, each sub-container of the set of sub-containers respectively corresponding to a resource-divisible portion of the workload, the set of resources being required by the workload, wherein a sub-container of the set of sub-containers is an operating system sub-container;
monitoring the workload and the set of resources for security events; and
responsive to identifying a security event, adjusting isolation mechanisms provided by the plurality of sub-containers at various layers of a stack;
wherein:
the set of sub-containers represents an end-to-end run time environment for processing the workload using the set of resources.
Dependent claims: 13, 14, 15, 16, 17, 18