Security layer for containers in multi-tenant environments
First Claim
1. An apparatus comprising:
at least one container host device implementing containers for respective tenants of a multi-tenant environment, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;
the containers being configured to utilize storage resources of at least one storage platform;
wherein a given one of the containers comprises:
at least one application; and
an application file system security layer configured to communicate with the at least one storage platform;
the application file system security layer comprising:
a container storage volume supported by the at least one storage platform; and
an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;
wherein the tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the given container;
wherein at least a portion of a given file of the container storage volume is encrypted by the encryption engine using a particular one of the one or more data encryption keys;
wherein the encryption engine is configured to provide, in association with the given file, metadata comprising the particular one of the one or more data encryption keys encrypted under the tenant-specific key encryption key; and
wherein the at least one container host device comprises at least one hardware processor coupled to a memory.
Abstract
An apparatus comprises at least one container host device implementing containers for respective tenants of a multi-tenant environment. The containers are configured to utilize storage resources of at least one storage platform. A given one of the containers comprises at least one application, and an application file system security layer configured to communicate with the storage platform. The application file system security layer comprises a container storage volume supported by the storage platform, and an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key. The tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the container. The tenant key manager is illustratively controlled by the tenant for which the given container is implemented.
102 Citations
20 Claims
1. An apparatus comprising:
at least one container host device implementing containers for respective tenants of a multi-tenant environment, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;
the containers being configured to utilize storage resources of at least one storage platform;
wherein a given one of the containers comprises:
at least one application; and
an application file system security layer configured to communicate with the at least one storage platform;
the application file system security layer comprising:
a container storage volume supported by the at least one storage platform; and
an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;
wherein the tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the given container;
wherein at least a portion of a given file of the container storage volume is encrypted by the encryption engine using a particular one of the one or more data encryption keys;
wherein the encryption engine is configured to provide, in association with the given file, metadata comprising the particular one of the one or more data encryption keys encrypted under the tenant-specific key encryption key; and
wherein the at least one container host device comprises at least one hardware processor coupled to a memory.
Dependent claims: 2, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14.
6. An apparatus comprising:
at least one container host device implementing containers for respective tenants of a multi-tenant environment, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;
the containers being configured to utilize storage resources of at least one storage platform;
wherein a given one of the containers comprises:
at least one application; and
an application file system security layer configured to communicate with the at least one storage platform;
the application file system security layer comprising:
a container storage volume supported by the at least one storage platform; and
an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;
wherein the tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the given container;
wherein the given container and one or more encrypted files of the container storage volume of the given container are movable from the at least one container host device to another container host device preserving access of the application file system security layer to the tenant key manager for decrypting the one or more encrypted files of the container storage volume by the encryption engine subsequent to movement of the given container to the other container host device;
wherein movement of the given container and one or more encrypted files of the container storage volume from the at least one container host device to the other container host device is controlled responsive to one or more tenant-specified trigger conditions; and
wherein the at least one container host device comprises at least one hardware processor coupled to a memory.
Dependent claims: 7.
15. A method comprising:
implementing containers for respective tenants of a multi-tenant environment on at least one container host device, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;
configuring the containers to utilize storage resources of at least one storage platform including for each of the containers at least one container storage volume;
for a given one of the containers, encrypting and decrypting data of the at least one container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;
wherein the tenant-specific key encryption key is provided by a tenant key manager that is external to the given container and controlled by a given one of the respective tenants for which the given container is implemented;
wherein at least a portion of a given file of the at least one container storage volume is encrypted using a particular one of the one or more data encryption keys; and
providing, in association with the given file, metadata that includes the particular one of the one or more data encryption keys encrypted under the tenant-specific key encryption key;
wherein the method is implemented using at least one processing device comprising a hardware processor coupled to a memory.
Dependent claims: 16, 18.
17. A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the processing device:
to implement containers for respective tenants of a multi-tenant environment on at least one container host device, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;
to configure the containers to utilize storage resources of at least one storage platform including for each of the containers at least one container storage volume;
for a given one of the containers, to encrypt and decrypt data of the at least one container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;
wherein the tenant-specific key encryption key is provided by a tenant key manager that is external to the given container and controlled by a given one of the respective tenants for which the given container is implemented;
wherein at least a portion of a given file of the at least one container storage volume is encrypted using a particular one of the one or more data encryption keys; and
to provide, in association with the given file, metadata that includes the particular one of the one or more data encryption keys encrypted under the tenant-specific key encryption key.
Dependent claims: 19, 20.
Specification