Security layer for containers in multi-tenant environments

US 10,326,744 B1
Filed: 03/21/2016
Issued: 06/18/2019
Est. Priority Date: 03/21/2016
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one container host device implementing containers for respective tenants of a multi-tenant environment, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;

the containers being configured to utilize storage resources of at least one storage platform;

wherein a given one of the containers comprises;

at least one application; and

an application file system security layer configured to communicate with the at least one storage platform;

the application file system security layer comprising;

a container storage volume supported by the at least one storage platform; and

an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;

wherein the tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the given container;

wherein at least a portion of a given file of the container storage volume is encrypted by the encryption engine using a particular one of the one or more data encryption keys;

wherein the encryption engine is configured to provide, in association with the given file, metadata comprising the particular one of the one or more data encryption keys encrypted under the tenant-specific key encryption key; and

wherein the at least one container host device comprises at least one hardware processor coupled to a memory.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus comprises at least one container host device implementing containers for respective tenants of a multi-tenant environment. The containers are configured to utilize storage resources of at least one storage platform. A given one of the containers comprises at least one application, and an application file system security layer configured to communicate with the storage platform. The application file system security layer comprises a container storage volume supported by the storage platform, and an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key. The tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the container. The tenant key manager is illustratively controlled by the tenant for which the given container is implemented.

102 Citations

View as Search Results

20 Claims

1. An apparatus comprising:
- at least one container host device implementing containers for respective tenants of a multi-tenant environment, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;
  
  the containers being configured to utilize storage resources of at least one storage platform;
  
  wherein a given one of the containers comprises;
  
  at least one application; and
  
  an application file system security layer configured to communicate with the at least one storage platform;
  
  the application file system security layer comprising;
  
  a container storage volume supported by the at least one storage platform; and
  
  an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;
  
  wherein the tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the given container;
  
  wherein at least a portion of a given file of the container storage volume is encrypted by the encryption engine using a particular one of the one or more data encryption keys;
  
  wherein the encryption engine is configured to provide, in association with the given file, metadata comprising the particular one of the one or more data encryption keys encrypted under the tenant-specific key encryption key; and
  
  wherein the at least one container host device comprises at least one hardware processor coupled to a memory.
- View Dependent Claims (2, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14)
- - 2. The apparatus of claim 1, wherein the tenant key manager is controlled by a given one of the respective tenants for which the given container is implemented but is outside the control of the at least one container host device and one or more associated administrative entities.
  - 3. The apparatus of claim 1, wherein the tenant key manager stores a plurality of tenant-specific key encryption keys for at least one of the respective tenants associated with the tenant key manager.
  - 4. The apparatus of claim 1, wherein each of the respective tenants of the multi-tenant environment is associated with a separate tenant key manager that is external to the containers implemented for the respective tenants.
  - 5. The apparatus of claim 1, wherein the given container and one or more encrypted files of the container storage volume of the given container are movable from the at least one container host device to another container host device preserving access of the application file system security layer to the tenant key manager for decrypting the one or more encrypted files of the container storage volume by the encryption engine subsequent to movement of the given container to the other container host device.
  - 8. The apparatus of claim 1, wherein the application file system security layer is configured to communicate with an application programming interface of a file system of the at least one storage platform.
  - 9. The apparatus of claim 1, wherein the at least one storage platform comprises at least one of:
    - a local file share controlled by the at least one container host device;
      
      at least one of a network file share, network object storage and network block storage controlled by a given one of the respective tenants.
  - 10. The apparatus of claim 1, wherein the application file system security layer provides secure file folders to the one or more applications of the given container with the secure file folders being inaccessible to one or more containers of the multi-tenant environment other than the given container and to an administrative entity of the at least one container host device.
  - 11. The apparatus of claim 1, wherein the application file system security layer is configured to directly access a file system of the at least one storage platform while bypassing a union file system of the at least one container host device.
  - 12. The apparatus of claim 1, wherein configuration and operation of the application file system security layer is in accordance with one or more policies specified by a given one of the respective tenants for which the given container is implemented.
  - 13. The apparatus of claim 1, wherein the application file system security layer is implemented at least in part within the at least one application of the given container.
  - 14. The apparatus of claim 1, wherein one or more encrypted files of the container storage volume are movable from a first storage platform to a second storage platform preserving access of the application file system security layer to the tenant key manager for decryption of the one or more encrypted files of the container storage volume by the encryption engine subsequent to movement of the one or more encrypted files from the first storage platform to the second storage platform, and wherein movement of the one or more encrypted files is controlled responsive to one or more tenant-specified trigger conditions.

6. An apparatus comprising:
- at least one container host device implementing containers for respective tenants of a multi-tenant environment, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;
  
  the containers being configured to utilize storage resources of at least one storage platform;
  
  wherein a given one of the containers comprises;
  
  at least one application; and
  
  an application file system security layer configured to communicate with the at least one storage platform;
  
  the application file system security layer comprising;
  
  a container storage volume supported by the at least one storage platform; and
  
  an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;
  
  wherein the tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the given container;
  
  wherein the given container and one or more encrypted files of the container storage volume of the given container are movable from the at least one container host device to another container host device preserving access of the application file system security layer to the tenant key manager for decrypting the one or more encrypted files of the container storage volume by the encryption engine subsequent to movement of the given container to the other container host device;
  
  wherein movement of the given container and one or more encrypted files of the container storage volume from the at least one container host device to the other container host device is controlled responsive to one or more tenant-specified trigger conditions; and
  
  wherein the at least one container host device comprises at least one hardware processor coupled to a memory.
- View Dependent Claims (7)
- - 7. The apparatus of claim 6, wherein the one or more tenant-specified trigger conditions include at least one trigger condition based at least in part on detection of a current location of a corresponding tenant device.

15. A method comprising:
- implementing containers for respective tenants of a multi-tenant environment on at least one container host device, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;
  
  configuring the containers to utilize storage resources of at least one storage platform including for each of the containers at least one container storage volume;
  
  for a given one of the containers, encrypting and decrypting data of the at least one container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;
  
  wherein the tenant-specific key encryption key is provided by a tenant key manager that is external to the given container and controlled by a given one of the respective tenants for which the given container is implemented;
  
  wherein at least a portion of a given file of the at least one container storage volume is encrypted using a particular one of the one or more data encryption keys; and
  
  providing, in association with the given file, metadata that includes the particular one of the one or more data encryption keys encrypted under the tenant-specific key encryption key;
  
  wherein the method is implemented using at least one processing device comprising a hardware processor coupled to a memory.
- View Dependent Claims (16, 18)
- - 16. The method of claim 15, wherein the given container and one or more encrypted files of the at least one container storage volume of the given container are movable from the at least one container host device to another container host device preserving access of an application file system security layer to the tenant key manager for decryption of the one or more encrypted files of the at least one container storage volume by the encryption engine subsequent to movement of the given container to the other container host device.
  - 18. The method of claim 16, wherein movement of the given container and one or more encrypted files of the at least one container storage volume from the at least one container host device to the other container host device is controlled responsive to one or more tenant-specified trigger conditions.

17. A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the processing device:
- to implement containers for respective tenants of a multi-tenant environment on at least one container host device, wherein the containers comprise reconfigurable virtual resources of at least one processing platform comprising the at least one container host device;
  
  to configure the containers to utilize storage resources of at least one storage platform including for each of the containers at least one container storage volume;
  
  for a given one of the containers, to encrypt and decrypt data of the at least one container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key;
  
  wherein the tenant-specific key encryption key is provided by a tenant key manager that is external to the given container and controlled by a given one of the respective tenants for which the given container is implemented;
  
  wherein at least a portion of a given file of the at least one container storage volume is encrypted using a particular one of the one or more data encryption keys; and
  
  to provide, in association with the given file, metadata that includes the particular one of the one or more data encryption keys encrypted under the tenant-specific key encryption key.
- View Dependent Claims (19, 20)
- - 19. The non-transitory processor-readable storage medium of claim 17, wherein the given container and one or more encrypted files of the at least one container storage volume of the given container are movable from the at least one container host device to another container host device preserving access of an application file system security layer to the tenant key manager for decryption of the one or more encrypted files of the at least one container storage volume by the encryption engine subsequent to movement of the given container to the other container host device.
  - 20. The non-transitory processor-readable storage medium of claim 19, wherein movement of the given container and one or more encrypted files of the container storage volume from the at least one container host device to the other container host device is controlled responsive to one or more tenant-specified trigger conditions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Nossik, Misha, Du, Lejin, Lincourt, Jr., Robert Anthony, Wallner, Ryan
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Beheshti Shirazi, Sayed Aresh

Application Number

US15/075,858
Time in Patent Office

1,184 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0822   using key encryption key

H04L 9/14   using a plurality of keys o...

Security layer for containers in multi-tenant environments

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Security layer for containers in multi-tenant environments

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others