Methods and systems for providing security to distributed microservices

US 10,178,070 B2
Filed: 03/13/2015
Issued: 01/08/2019
Est. Priority Date: 03/13/2015
Status: Active Grant

First Claim

Patent Images

1. A system providing secure virtual boundaries for microservices, the system comprising:

a plurality of hardware processors, anda plurality of memories to process;

a microservice, the microservice comprising a plurality of distributed microservice components, each of the plurality of distributed microservice components communicating with others of the plurality of distributed microservice components, the plurality of distributed microservice components operating collectively to provide a service, the service being at least one of a game, a media service, and an e-commerce application, the plurality of distributed microservice components including;

a first microservice component being at least one of a first web service, a first application, and a first database, the first microservice component associated with a first workload, the first workload being executed on at least one of a first physical server and a first virtual machine; and

a second microservice component being at least one of a second web service, a second application, and a second database, the second microservice component associated with a second workload, the second workload being executed on at least one of a second physical server and a second virtual machine;

a plurality of enforcement points positioned in association with the plurality of distributed microservice components to define a secure virtual boundary around the plurality of distributed microservice components, the plurality of enforcement points including;

a first enforcement point communicatively coupled to the first microservice component, the first enforcement point performing a first analysis on first network traffic associated with the first microservice component and throttling at least some of the first network traffic using the first analysis; and

a second enforcement point communicatively coupled to the second microservice component, the second enforcement point performing a second analysis on second network traffic associated with the second microservice component and throttling at least some of the second network traffic using the second analysis; and

a director module that manages sessions and settings of the plurality of distributed microservice components within the secure virtual boundary.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems for providing security to distributed microservices are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.

166 Citations

16 Claims

1. A system providing secure virtual boundaries for microservices, the system comprising:
- a plurality of hardware processors, anda plurality of memories to process;
  
  a microservice, the microservice comprising a plurality of distributed microservice components, each of the plurality of distributed microservice components communicating with others of the plurality of distributed microservice components, the plurality of distributed microservice components operating collectively to provide a service, the service being at least one of a game, a media service, and an e-commerce application, the plurality of distributed microservice components including;
  
  a first microservice component being at least one of a first web service, a first application, and a first database, the first microservice component associated with a first workload, the first workload being executed on at least one of a first physical server and a first virtual machine; and
  
  a second microservice component being at least one of a second web service, a second application, and a second database, the second microservice component associated with a second workload, the second workload being executed on at least one of a second physical server and a second virtual machine;
  
  a plurality of enforcement points positioned in association with the plurality of distributed microservice components to define a secure virtual boundary around the plurality of distributed microservice components, the plurality of enforcement points including;
  
  a first enforcement point communicatively coupled to the first microservice component, the first enforcement point performing a first analysis on first network traffic associated with the first microservice component and throttling at least some of the first network traffic using the first analysis; and
  
  a second enforcement point communicatively coupled to the second microservice component, the second enforcement point performing a second analysis on second network traffic associated with the second microservice component and throttling at least some of the second network traffic using the second analysis; and
  
  a director module that manages sessions and settings of the plurality of distributed microservice components within the secure virtual boundary.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, wherein each of the plurality of enforcement points is configured to control communication of an associated distributed microservice component using stateful inspection.
  - 3. The system according to claim 1, wherein the plurality of distributed microservice components are provided by a plurality of servers in a cloud, each of the servers providing a microservice component type.
  - 4. The system according to claim 1, wherein the plurality of enforcement points intercept data packets entering or exiting the plurality of distributed microservice components.
  - 5. The system according to claim 1, wherein the director module implements a security profile for the microservice.
  - 6. The system according to claim 5, wherein the director module detects malicious acts occurring within the secure virtual boundary by comparing network traffic measured by the plurality of enforcement points with the security profile.

7. A computer-implemented method for providing a logical security boundary for microservices using a plurality of hardware processors executing instructions stored in a plurality of memories, the method comprising:
- locating a plurality of distributed microservice components that belong to associated with a microservice, each of the plurality of distributed microservice components communicating with others of the plurality of distributed microservice components, the plurality of distributed microservice components operating collectively to provide a service, the service being at least one of a game, a media service, and an e-commerce application, the plurality of distributed microservice components including;
  
  a first microservice component being at least one of a first web service, a first application, and a first database, the first microservice component associated with a first workload, the first workload being executed on at least one of a first physical server and a first virtual machine; and
  
  a second microservice component being at least one of a second web service, a second application, and a second database, the second microservice component associated with a second workload, the second workload being executed on at least one of a second physical server and a second virtual machine;
  
  provisioning a plurality of logical enforcement points around the plurality of distributed microservice components, the plurality of logical enforcement points including;
  
  a first logical enforcement point communicatively coupled to the first microservice component, the first logical enforcement point performing a first analysis on first network traffic associated with the first microservice component and throttling at least some of the first network traffic using the first analysis; and
  
  a second logical enforcement point communicatively coupled to the second microservice component, the second logical enforcement point performing a second analysis on second network traffic associated with the second microservice component and throttling at least some of the second network traffic using the second analysis; and
  
  forming a logical security boundary using the plurality of logical enforcement points.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 8. The computer-implemented method according to claim 7, further comprising:
    - intercepting, by the plurality of logical enforcement points, traffic entering or exiting each of the plurality of distributed microservice components; and
      
      detecting malicious behavior by inspection of the traffic.
  - 9. The computer-implemented method according to claim 7, further comprising:
    - implementing a security profile for the microservice.
  - 10. The computer-implemented method according to claim 9, wherein implementing the security profile for the microservice comprises:
    - monitoring traffic within the logical security boundary using the plurality of logical enforcement points;
      
      comparing the traffic to traffic rules included in the security profile; and
      
      providing an alert if the traffic within the logical security boundary is indicative of a malicious attack.
  - 11. The computer-implemented method according to claim 10, further comprising:
    - quarantining one or more of the plurality of distributed microservice components when the malicious attack is detected.
  - 12. The computer-implemented method according to claim 10, further comprising:
    - utilizing stateful inspection to analyze the traffic.
  - 13. The computer-implemented method according to claim 10, further comprising:
    - generating a visual representation of the traffic within the logical security boundary.
  - 14. The computer-implemented method according to claim 7, further comprising:
    - coordinating the plurality of distributed microservice components together to provide a service.
  - 15. The computer-implemented method according to claim 7, further comprising:
    - migrating a logical enforcement point when a distributed microservice component is migrated within a cloud.
  - 16. The computer-implemented method according to claim 7, further comprising:
    - deploying one or more additional logical enforcement points if one or more additional distributed microservice components are added for the microservice.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Shieh, Choung-Yaw, Woolward, Marc
Primary Examiner(s)
Lwin, Maung T

Application Number

US14/657,282
Publication Number

US 20160269425A1
Time in Patent Office

1,397 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

Methods and systems for providing security to distributed microservices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for providing security to distributed microservices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others