Application deployment and monitoring in a cloud environment to satisfy integrity and geo-fencing constraints

US 10,228,924 B2
Filed: 04/19/2016
Issued: 03/12/2019
Est. Priority Date: 04/19/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for deploying an application on a cloud environment satisfying integrity and geo-fencing constraints, the method comprising:

receiving a guest application for deployment on a cloud environment;

receiving the integrity constraints on the integrity of each of a plurality of hosts where the application is to be deployed;

receiving geo-fencing constraints identifying a geographic location where the guest application is to be deployed;

verifying integrity of at least one of the plurality of hosts based at least in part on the integrity constraints by receiving a checksum from a trusted platform module (TPM) and a virtual TPM for each of the plurality of hosts, decrypting the checksum, verifying the checksum by comparing the decrypted checksum against a checksum received from a digital signature associated with the guest application, and certifying results of the comparison of the decrypted checksum against a checksum received from the digital signature associated with the guest application by signing the results with a private key;

determining for which of the plurality of hosts the integrity constraints and the geo-fencing constraints are satisfied;

deploying the guest application on at least one of the plurality of hosts that satisfy the integrity constraints and the geo-fencing constraints, the guest application being specified as a workload pattern of virtual machines and interconnections between them;

performing monitoring of a deployed workload pattern at execution time to mitigate against integrity modifications;

detecting an integrity violation of the deployed workload pattern; and

responsive to detecting the integrity violation, initiating a corrective action, the corrective action comprising destroying the deployed workload pattern on the at least one of the plurality of hosts to which the workload pattern was deployed and redeploying the workload pattern to another of the plurality of hosts that satisfy the integrity constraints and the geo-fencing constraints.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples of techniques for deploying an application on a cloud environment satisfying integrity and geo-fencing constraints are disclosed herein. A computer implemented method may include: receiving a guest application for deployment on a cloud environment; receiving the integrity constraints on the integrity of each of the plurality of host where the application is to be deployed; receiving geo-fencing constraints identifying a geographic location where the guest application is to be deployed; determining for which of the plurality of hosts the integrity constraints and the geo-fencing constraints are satisfied; and deploying the guest application on at least one of the plurality of hosts that satisfy the integrity constraints and the geo-fencing constraints.

25 Citations

View as Search Results

12 Claims

1. A computer-implemented method for deploying an application on a cloud environment satisfying integrity and geo-fencing constraints, the method comprising:
- receiving a guest application for deployment on a cloud environment;
  
  receiving the integrity constraints on the integrity of each of a plurality of hosts where the application is to be deployed;
  
  receiving geo-fencing constraints identifying a geographic location where the guest application is to be deployed;
  
  verifying integrity of at least one of the plurality of hosts based at least in part on the integrity constraints by receiving a checksum from a trusted platform module (TPM) and a virtual TPM for each of the plurality of hosts, decrypting the checksum, verifying the checksum by comparing the decrypted checksum against a checksum received from a digital signature associated with the guest application, and certifying results of the comparison of the decrypted checksum against a checksum received from the digital signature associated with the guest application by signing the results with a private key;
  
  determining for which of the plurality of hosts the integrity constraints and the geo-fencing constraints are satisfied;
  
  deploying the guest application on at least one of the plurality of hosts that satisfy the integrity constraints and the geo-fencing constraints, the guest application being specified as a workload pattern of virtual machines and interconnections between them;
  
  performing monitoring of a deployed workload pattern at execution time to mitigate against integrity modifications;
  
  detecting an integrity violation of the deployed workload pattern; and
  
  responsive to detecting the integrity violation, initiating a corrective action, the corrective action comprising destroying the deployed workload pattern on the at least one of the plurality of hosts to which the workload pattern was deployed and redeploying the workload pattern to another of the plurality of hosts that satisfy the integrity constraints and the geo-fencing constraints.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer implemented method of claim 1, further comprising:
    - providing evidence of compliance with the integrity constraints and the geo-fencing constraints to an attestation service and policy enforcement service which attest the compliance of at least one of the plurality of hosts on which the guest application was deployed in the cloud environment.
  - 3. The computer implemented method of claim 1, further comprising:
    - preventing initial deployment of the guest application when at least one of the integrity constraints and the geo-fencing constraints are not satisfied; and
      
      sending a notification that the at least one of the integrity constraints and the geo-fencing constraints are not satisfied.
  - 4. The computer implemented method of claim 1, further comprising:
    - specifying the guest application as a workload pattern of Linux containers and interconnections between the Linux containers.
  - 5. The computer implemented method of claim 1, wherein the integrity constraints and the geo-fencing constraints are combined with a plurality of deployment constraints on the deployment of the workload pattern in a hybrid cloud environment.
  - 6. The computer-implemented method of claim 1, wherein the corrective action further comprises destroying the guest application deployment.
  - 7. The computer-implemented method of claim 1, wherein the corrective action is initiated responsive to a change to a geo-location of the at least one of the plurality of hosts.

8. A system for deploying an application on a cloud environment satisfying integrity and geo-fencing constraints, the system comprising:
- a processor in communication with one or more types of memory, the processor configured to;
  
  receive a guest application for deployment on a cloud environment;
  
  receive the integrity constraints on the integrity of each of the plurality of host where the application is to be deployed;
  
  receive geo-fencing constraints identifying a geographic location where the guest application is to be deployed;
  
  verify integrity of at least one of the plurality of hosts based at least in part on the integrity constraints by receiving a checksum from a trusted platform module (TPM) and a virtual TPM for each of the plurality of hosts, decrypting the checksum, verifying the checksum by comparing the decrypted checksum against a checksum received from a digital signature associated with the guest application, and certifying results of the comparison of the decrypted checksum against a checksum received from the digital signature associated with the guest application by signing the results with a private key;
  
  determine for which of the plurality of hosts the integrity constraints and the geo-fencing constraints are satisfied;
  
  deploy the guest application on at least one of the plurality of hosts that satisfy the integrity constraints and the geo-fencing constraints, the guest application being specified as a workload pattern of virtual machines and interconnections between them;
  
  perform monitoring of a deployed workload pattern at execution time to mitigate against integrity modifications;
  
  detect an integrity violation of the deployed workload pattern; and
  
  responsive to detecting the integrity violation, initiate a corrective action, the corrective action comprising destroying the deployed workload pattern on the at least one of the plurality of hosts to which the workload pattern was deployed and redeploying the workload pattern to another of the plurality of hosts that satisfy the integrity constraints and the geo-fencing constraints.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the processor is further configured to:
    - provide evidence of compliance with the integrity constraints and the geo-fencing constraints to an attestation service and policy enforcement service which attest the compliance of at least one of the plurality of hosts on which the guest application was deployed in the cloud environment.
  - 10. The system of claim 8, wherein the processor is further configured to:
    - prevent initial deployment of the guest application when at least one of the integrity constraints and the geo-fencing constraints are not satisfied; and
      
      sending a notification that the at least one of the integrity constraints and the geo-fencing constraints are not satisfied.
  - 11. The system of claim 8, wherein the processor is further configured to:
    - specify the guest application as a workload pattern of Linux containers and interconnections between the Linux containers.
  - 12. The system of claim 8, wherein the integrity constraints and the geo-fencing constraints are combined with a plurality of deployment constraints on the deployment of the workload pattern in a hybrid cloud environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Berger, Stefan, Goldman, Kenneth A., Kofkin-Hansen, Simon J., Lei, Hui, Naik, Vijay K., Pendarakis, Dimitrios, Radhakrishnan, Jayaram Kallapalayam, Safford, David R., Tao, Shu
Primary Examiner(s)
Louie, Jue

Application Number

US15/132,321
Publication Number

US 20170300309A1
Time in Patent Office

1,057 Days
Field of Search

717100-178, 709200-253
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/57   Certifying or maintaining t...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 8/60   Software deployment

G06F 8/61   Installation

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/00   Arrangements for maintenanc...

H04L 41/40   using virtualisation of net...

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/34   involving the movement of s...

H04W 4/021   Services related to particu...

Application deployment and monitoring in a cloud environment to satisfy integrity and geo-fencing constraints

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Application deployment and monitoring in a cloud environment to satisfy integrity and geo-fencing constraints

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links