Multiple single levels of security (MSLS) in a multi-tenant cloud

US 10,713,077 B2
Filed: 01/26/2018
Issued: 07/14/2020
Est. Priority Date: 01/26/2017
Status: Active Grant

First Claim

Patent Images

1. A security system for Multiple Single Level Security (MSLS) domains, comprising one or more processors and one or more memory devices configured to implement:

a Secure Kernel Hypervisor (SKH), wherein the SKH configures a single multi-tenant cloud to host the MSLS domains;

a Cloud Orchestration System (COS), wherein the COS configures the single multi-tenant cloud to set up a plurality of separate Virtual Work Packages (VWPs) for the MSLS domains, each of the plurality of separate VWPs is generated using at least the SKH; and

a Key Management System (KMS), wherein the KMS is configured to manage security objects associated with the MSLS domains, the security objects comprise encryption keys, wherein each of the plurality of separate VWPs comprises;

one or more virtual machines;

a disk encryption driver that encrypts first content that is being stored to a disk; and

a network encryption driver that encrypts second content that is being sent over a network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are described herein for multiple single level security (MSLS) domains including, but not limited to, a secure kernel hypervisor (SKH). The SKH configures a single multi-tenant cloud to host the MSLS domains. A cloud orchestration system (COS) configures the single multi-tenant cloud to set up a plurality of separate virtual work packages (VWPs) for the MSLS domains. A key management system (KMS) is configured to manage security objects associated with the MSLS domains.

39 Citations

View as Search Results

19 Claims

1. A security system for Multiple Single Level Security (MSLS) domains, comprising one or more processors and one or more memory devices configured to implement:
- a Secure Kernel Hypervisor (SKH), wherein the SKH configures a single multi-tenant cloud to host the MSLS domains;
  
  a Cloud Orchestration System (COS), wherein the COS configures the single multi-tenant cloud to set up a plurality of separate Virtual Work Packages (VWPs) for the MSLS domains, each of the plurality of separate VWPs is generated using at least the SKH; and
  
  a Key Management System (KMS), wherein the KMS is configured to manage security objects associated with the MSLS domains, the security objects comprise encryption keys, wherein each of the plurality of separate VWPs comprises;
  
  one or more virtual machines;
  
  a disk encryption driver that encrypts first content that is being stored to a disk; and
  
  a network encryption driver that encrypts second content that is being sent over a network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The security system of claim 1, wherein the SKH comprises a separation kernel and a hypervisor.
  - 3. The security system of claim 2, wherein the separation kernel is a kernel that has no API, no interrupts, and no input/output ports.
  - 4. The security system of claim 2, wherein the separation kernel is configured at installation without capabilities to change installed configurations after installation.
  - 5. The security system of claim 2, wherein the hypervisor configures the single multi-tenant cloud to host the MSLS domains by virtualizing the hardware of the single multi-tenant cloud to execute a plurality of different operating systems or applications, where each of the plurality of different operating systems or applications corresponds to one of the MSLS domains.
  - 6. The security system of claim 1, wherein the COS dynamically allocates or de-allocates resources for the MSLS domains, wherein the resources comprise one or more of processing resources, network resources, storage resources, peripherals of the single multi-tenant cloud.
  - 7. The security system of claim 1, wherein the COS assigns VWP slots, the VWP slots correspond to the plurality of separate VWPs.
  - 8. The security system of claim 7, wherein each of the VWP slots supports one or more virtual machines or specialty applications.
  - 9. The security system of claim 1, wherein the KMS manages the security objects associated with the MSLS domains by determining the security objects in response to a VWP being created.
  - 10. The security system of claim 1, wherein the COS is further configured to destroy a VWP by revoking resources assigned to the VWP and security objects associated with the VWP.
  - 11. The security system of claim 1, wherein the KMS encrypts each intra-domain network traffic with a unique security object.

12. A method, comprising:
- configuring a single multi-tenant cloud to host Multiple Single Level Security (MSLS) domains using a Secure Kernel Hypervisor (SKH);
  
  configuring the single multi-tenant cloud to set up a plurality of separate Virtual Work Packages (VWPs) for the MSLS domains, each of the plurality of separate VWPs is generated using at least the SKH; and
  
  managing security objects associated with the MSLS domains, the security objects comprise encryption keys, wherein each of the plurality of separate VWPs comprises;
  
  one or more virtual machines;
  
  a disk encryption driver that encrypts first content that is being stored to a disk; and
  
  a network encryption driver that encrypts second content that is being sent over a network.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, wherein configuring the single multi-tenant cloud to set up the plurality of separate VWPs for the MSLS domains comprises dynamically allocating or de-allocating resources for the MSLS domains, wherein the resources comprise one or more of processing resources, network resources, storage resources, peripherals of the single multi-tenant cloud.
  - 14. The method of claim 12, wherein configuring the single multi-tenant cloud to set up the plurality of separate VWPs for the MSLS domains comprises assigning VWP slots, the VWP slots correspond to the plurality of separate VWPs.
  - 15. The method of claim 14, wherein each of the VWP slots supports one or more virtual machines or specialty applications.
  - 16. The method of claim 12, wherein managing the security objects associated with the MSLS domains comprises determining the security objects in response to a VWP being created.
  - 17. The method of claim 12, wherein configuring the single multi-tenant cloud to set up the plurality of separate VWPs for the MSLS domains comprises destroying a VWP by revoking resources assigned to the VWP and security objects associated with the VWP.

18. A security system for Multiple Single Level Security (MSLS) domains, comprising:
- one or more processors and one or more memory devices;
  
  means for configuring a single multi-tenant cloud to host the MSLS domains using a Secure Kernel Hypervisor (SKH);
  
  means for configuring the single multi-tenant cloud to set up a plurality of separate Virtual Work Packages (VWPs) for the MSLS domains, each of the plurality of separate VWPs is generated using at least the SKH; and
  
  means for managing security objects associated with the MSLS domains, the security objects comprise encryption keys, wherein each of the plurality of separate VWPs comprises;
  
  one or more virtual machines;
  
  a disk encryption driver that encrypts first content that is being stored to a disk; and
  
  a network encryption driver that encrypts second content that is being sent over a network.

19. A non-transitory processor-readable medium comprising processor-readable instructions such that, when executed, causes one or more processors to:
- configure a single multi-tenant cloud to host Multiple Single Level Security (MSLS) domains using a Secure Kernel Hypervisor (SKH);
  
  configure the single multi-tenant cloud to set up a plurality of separate Virtual Work Packages (VWPs) for the MSLS domains, each of the plurality of separate VWPs is generated using at least the SKH; and
  
  manage security objects associated with the MSLS domains, the security objects comprise encryption keys, wherein each of the plurality of separate VWPs comprises;
  
  one or more virtual machines;
  
  a disk encryption driver that encrypts first content that is being stored to a disk; and
  
  a network encryption driver that encrypts second content that is being sent over a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Semper Fortis Solutions, LLC
Original Assignee
Semper Fortis Solutions, LLC
Inventors
Pepus, Gregory B., O'Connell, Todd
Primary Examiner(s)
Ghaffari, Abu Zar

Application Number

US15/880,794
Publication Number

US 20180210751A1
Time in Patent Office

900 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/62   Protecting access to data v...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0209   Architectural arrangements,...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 67/10   in which an application is ...

H04L 9/083   involving central third par...

Multiple single levels of security (MSLS) in a multi-tenant cloud

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple single levels of security (MSLS) in a multi-tenant cloud

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links