Systems and methods for providing container security
First Claim
1. A security system comprising a first server computer system, the first server computer system comprising:
one or more first processing units; and
a first memory, coupled to at least one of the one or more first processing units, the first memory storing a security module and an agent executive, the agent executive runs concurrently with the security module, and the agent executive executed by one or more of the one or more first processing units, the agent executive comprising instructions for:
(A) obtaining an agent API key from a user or by an automated process when the agent executive is executed for a first time;
(B) communicating the API key to a remote grid computer system;
(C) receiving an agent identity token from the remote grid computer system, wherein the remote grid computer system generates the agent identity token through a cryptographic token generation protocol when the API key is deemed valid by the remote grid computer system;
(D) storing the agent identity token in a secure data store associated with the agent executive;
(E) collecting information on the first server computer system for an evaluation of integrity of the agent executive using a plurality of agent self-verification factors;
(F) encrypting the information collected by the collecting (E) thereby creating encrypted information;
(G) signing the encrypted information using the agent identity token thereby creating signed encrypted information; and
(H) communicating the signed encrypted information to the remote grid computer system, wherein no network connection between the remote grid computer system and the agent executive is established, wherein the security module maintains a plurality of containers and comprises a container engine that instances a container image as a container in the plurality of containers, and wherein the container engine comprises a container manager that manages the plurality of containers.
Abstract
Computer systems and methods are provided in which an agent executive running concurrently with a security module, when initially executed, obtains an agent API key from a user. This key is communicated to a grid computer system. An agent identity token, generated by a cryptographic token generation protocol when the API key is valid, is received from the grid and stored in a secure data store associated with the agent executive. Information that evaluates the integrity of the agent executive is collected using agent self-verification factors. The information, encrypted and signed with a cryptographic signature, is communicated to the grid. Commands are obtained from the grid by the agent executive to check the security, compliance, and integrity of the computer system. Based on these check results, additional commands are obtained from the grid by the agent executive to correct security, compliance, and integrity problems and/or to prevent security compromises.
33 Claims
31. A grid computer system comprising:
one or more processing units; and
a memory, coupled to at least one of the one or more processing units, the memory storing a grid node, the grid node executed by at least one of the one or more processing units, the grid node comprising instructions for:
(A) receiving an API key from an agent executive running concurrently with a security module that maintains a plurality of containers, which, in turn, is running on a computer that is remote to the grid computer system;
(B) determining whether the API key is a valid API key;
(C) generating a unique agent identity token through a cryptographic token generation protocol when the instructions for determining (B) deem the API key to be valid;
(D) communicating the agent identity token to the security module running on the remote computer;
(E) receiving encrypted information, signed with a cryptographic digital signature, from the security module from an evaluation of the integrity of the agent executive based upon a plurality of agent self-verification factors, wherein the receiving comprises decrypting the information using the agent identity token to form decrypted information and verifying the signature thereby obtaining decrypted, authenticated and integrity-verified information; and
(F) verifying the integrity of the agent executive based on the decrypted, authenticated and integrity-verified information.
32. A grid computer system comprising:
one or more processing units; and
a memory, coupled to at least one of the one or more processing units, the memory storing a grid node, the grid node executed by at least one of the one or more processing units, the grid node comprising instructions for:
(A) receiving an alert from a first agent executive running concurrently with a first security module that maintains a plurality of containers on a computer that is remote to the grid computer system, the alert (i) indicating that the first agent executive has started running concurrently with the first security module and (ii) indicating a first agent identity token associated with the first agent executive;
(B) determining whether the first agent identity token is valid;
(C) determining whether the first agent identity token is being used by a second agent executive running concurrently with a second security module;
(D) generating a second agent identity token through a cryptographic token generation protocol when (i) the first agent identity token is deemed valid by the determining (B) and (ii) the determining (C) determines that the first agent identity token is being used by the second agent running concurrently with the second security module;
(E) communicating the second agent identity token to the first security module;
(F) receiving encrypted information signed by a digital signature from the first security module from an evaluation of integrity of the first agent executive based upon a plurality of agent self-verification factors, wherein the receiving comprises decrypting the information using the second agent identity token in order to form decrypted information and validating the signature; and
(G) verifying the integrity of the first agent executive based on the decrypted information when the signature has been validated.
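The agent/grid exchange that claims 1, 31 and 32 and the abstract describe, carried through end to end as an added Go example. This is illustrative code written for this page, not code from the patent or from any product that implements it, and it fills in choices the claims leave open: a 32-byte random value as the output of the "cryptographic token generation protocol", HMAC-SHA256 with fixed labels to derive a separate AES-256-GCM encryption key and an HMAC signing key from the shared agent identity token, SHA-256 digests of the agent binary and its configuration as the self-verification factors, and a host name carried in each report so the grid can find the right token. The names `Report`, `Grid`, `Register`, `StartAlert`, `Seal`, `Open` and `CollectFactors`, and every key, host and input value, are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is the signed, encrypted self-verification message of claim 1 (F)-(H).
type Report struct {
	Host   string // assumed field: names the sending agent so the grid can look up its token
	Nonce  []byte // AES-GCM nonce
	Cipher []byte // AES-GCM ciphertext of the collected factors
	Sig    []byte // HMAC-SHA256 over Host||Nonce||Cipher under a key derived from the token
}

// Grid models the grid node of claims 31 and 32: it issues tokens and checks reports.
type Grid struct {
	ValidAPIKeys map[string]bool
	Tokens       map[string][]byte // host -> identity token issued to that host
}

// newToken stands in for the "cryptographic token generation protocol": 32 random bytes.
func (g *Grid) newToken(host string) ([]byte, error) {
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil { return nil, err }
	g.Tokens[host] = tok
	return tok, nil
}

// Register is claim 31 (A)-(D): validate the API key, then mint a token for the host.
func (g *Grid) Register(host, apiKey string) ([]byte, error) {
	if !g.ValidAPIKeys[apiKey] { return nil, errors.New("invalid API key") }
	return g.newToken(host)
}

// StartAlert is claim 32 (A)-(E): a token that was issued to a different host (a cloned image, say) is replaced.
func (g *Grid) StartAlert(host string, token []byte) ([]byte, error) {
	for holder, t := range g.Tokens {
		if !hmac.Equal(t, token) { continue }
		if holder == host { return token, nil }
		return g.newToken(host)
	}
	return nil, errors.New("unknown identity token")
}

// deriveKey splits the shared token into an encryption key and a MAC key (assumed; the patent only says the token decrypts and verifies).
func deriveKey(token []byte, label string) []byte {
	h := hmac.New(sha256.New, token)
	h.Write([]byte(label))
	return h.Sum(nil)
}

// signature is the claims' "cryptographic signature", realised here as an HMAC over the ciphertext (encrypt-then-MAC).
func signature(token []byte, host string, nonce, ct []byte) []byte {
	m := hmac.New(sha256.New, deriveKey(token, "mac"))
	m.Write([]byte(host)); m.Write(nonce); m.Write(ct)
	return m.Sum(nil)
}

// CollectFactors stands in for claim 1 (E): digests of the agent binary and its configuration.
func CollectFactors(binary, config []byte) []byte {
	b, c := sha256.Sum256(binary), sha256.Sum256(config)
	return []byte(fmt.Sprintf(`{"binary":"%x","config":"%x"}`, b, c))
}

// Seal is the agent side of claim 1 (F)-(G): encrypt the factors, then sign the ciphertext.
func Seal(host string, token, factors []byte) (*Report, error) {
	block, _ := aes.NewCipher(deriveKey(token, "enc")) // 32-byte key, so no error is possible
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, factors, []byte(host))
	return &Report{host, nonce, ct, signature(token, host, nonce, ct)}, nil
}

// Open is claim 31 (E)-(F): verify the signature before decrypting, then compare with the host's baseline.
func (g *Grid) Open(r *Report, expected []byte) (bool, error) {
	token, ok := g.Tokens[r.Host]
	if !ok { return false, errors.New("no token issued to host") }
	if !hmac.Equal(r.Sig, signature(token, r.Host, r.Nonce, r.Cipher)) { return false, errors.New("bad signature") }
	block, _ := aes.NewCipher(deriveKey(token, "enc"))
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, r.Nonce, r.Cipher, []byte(r.Host))
	if err != nil { return false, err }
	return hmac.Equal(plain, expected), nil
}

func main() { // constructed API key, host name and factor inputs
	grid := &Grid{map[string]bool{"tenant-A-api-key": true}, map[string][]byte{}}
	tok, _ := grid.Register("host-1", "tenant-A-api-key")
	factors := CollectFactors([]byte("agent v1 bytes"), []byte("policy=strict"))
	rep, _ := Seal("host-1", tok, factors)
	fmt.Println(grid.Open(rep, factors)) // true <nil>
}
```

Two points worth taking from this. Because the grid decrypts and verifies with the same agent identity token (claim 31 (E)), the "cryptographic signature" is a MAC: it shows the report came from a holder of the token, which includes the grid itself, so it gives no non-repudiation; a public-key signature would be needed for that. `StartAlert` is the claim 32 case: when a cloned image boots with a token another host already holds, the clone is issued its own token and the original keeps its, so the two agents' reports can no longer be confused. The grid-issued check and remediation commands of the abstract, and the transport between agent and grid, are not modelled.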