METHODS AND SYSTEMS FOR SECURELY MANAGING VIRTUALIZATION PLATFORM

US 20100071035A1
Filed: 09/12/2008
Published: 03/18/2010
Est. Priority Date: 09/12/2008
Status: Active Grant

First Claim

Patent Images

1. A system, comprising a plurality of virtualization platforms and one or more management clients for said virtualization platforms, the virtualization platforms and the management clients being communicatively coupled to one another via a control layer logically disposed therebetween and configured to proxy virtualization management commands from the one or more management clients to said virtualization platforms, but only after successful authentication of users issuing said commands and privileges of those users as defined by access control information accessible to said control layer.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Virtualization platforms and management clients therefor are communicatively coupled to one another via a control layer logically disposed therebetween. The control layer is configured to proxy virtualization management commands from the management clients to the virtualization platforms, but only after successful authentication of users (which may include automated agents and processes) issuing those commands and privileges of those users as defined by access control information accessible to the control layer. The control layer may be instantiated as an application running on a physical appliance logically interposed between the virtualization platforms and management clients, or a software package running on dedicated hardware logically interposed between the virtualization platforms and management clients, or as an application encapsulated in a virtual machine running on a compatible virtualization platform logically interposed between the virtualization platforms and management clients.

Citations

37 Claims

1. A system, comprising a plurality of virtualization platforms and one or more management clients for said virtualization platforms, the virtualization platforms and the management clients being communicatively coupled to one another via a control layer logically disposed therebetween and configured to proxy virtualization management commands from the one or more management clients to said virtualization platforms, but only after successful authentication of users issuing said commands and privileges of those users as defined by access control information accessible to said control layer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1, wherein one or more of the users comprise automated processes or agents.
  - 3. The system of claim 1, wherein the control layer is instantiated as an application running on a physical appliance logically disposed between the virtualization platforms and management clients.
  - 4. The system of claim 1, wherein the control layer is instantiated as a software application, packaged to run on dedicated hardware logically disposed between the virtualization platforms and management clients.
  - 5. The system of claim 1, wherein the control layer is instantiated as a software application, encapsulated as a virtual machine to run on a compatible virtualization platform.
  - 6. The system of claim 1, wherein the control layer operates at the application layer to scrutinize management access and operation attempts made via the one or more management clients.
  - 7. The system of claim 1, wherein the control layer is configured to inspect each attempted access to perform management operations by the management clients to determine whether or not an asserted command or operation is one that is valid schematically and authorized for a respective one of the users issuing the asserted command.
  - 8. The system of claim 7, wherein the control layer is further configured to drop the asserted command if it is either invalid, unauthorized, or both.
  - 9. The system of claim 8, wherein the control layer is further configured to notify a network administrator of a failed attempt to access one or more of the virtualization platforms.
  - 10. The system of claim 1, wherein authentication mechanisms for the users comprise some or all of user name/passwords, two-factor authentications, authentications involving digital certificates, authentications involving presentment of a biometric indicator, and a hardware trusted platform module.
  - 11. The system of claim 1, wherein the access control information comprises restrictions based on some or all of:
    - time of day, target virtualization platform, target virtualized resource, attempted management operation or command, and location of management client.
  - 12. The system of claim 1, wherein upon successful authentication of a subject one of the users, the control layer is configured to negotiate one or more log-in sessions with one or more of the virtualization platforms on behalf of the subject user.
  - 13. The system of claim 12, wherein the control layer is further configured to log-in the subject user with the one or more of the virtualization platforms at an appropriate level of each of the one or more virtualization platforms.
  - 14. The system of claim 13, wherein the appropriate level comprises a root level.
  - 15. The system of claim 1, wherein the control layer is configured to provide desired platform configurations to one or more of the virtualization platforms from a single instance of a configuration file or template.
  - 16. The system of claim 1, wherein the control layer is further configured to monitor configuration decisions and activities of the virtualization platforms.
  - 17. The system of claim 16, wherein, in the event of an alarm condition, the control layer is further configured to alert an administrator or other designated contact.
  - 18. The system of claim 1, wherein the control layer is further configured to log attempts to access the virtualization platforms.
  - 19. The system of claim 1, wherein the control layer is further configured to log failed attempts to access the virtualization platforms.
  - 20. The system of claim 18, wherein the logs are stored by an appliance at which the control layer is instantiated prior to being transferred to a remote system.

21. A method of securely managing one or more virtualization platforms, comprising authenticating, at a control layer disposed between the one or more virtualization platforms and one or more management clients for said virtualization platforms and configured to proxy virtualization management commands from the one or more management clients to said virtualization platforms, users issuing said commands and privileges of those users as defined by access control information accessible to said control layer before permitting management access to said virtualization platforms.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 22. The method of claim 21, wherein one or more of the users comprise automated processes or agents.
  - 23. The method of claim 21, wherein the control layer operates at the application layer to scrutinize management access and operation attempts made via the one or more management clients permitting management access to said virtualization platforms.
  - 24. The method of claim 21, wherein the control layer inspects each attempted access to perform management operations by the management clients to determine whether or not an asserted command or operation is one that is valid schematically and authorized for a respective one of the users issuing the asserted command.
  - 25. The method of claim 24, wherein the control layer drops the asserted command if it is either invalid, unauthorized, or both.
  - 26. The method of claim 25, wherein the control layer notifies a network administrator of a failed attempt to access one or more of the virtualization platforms.
  - 27. The method of claim 21, wherein the control layer authenticates the users using one or more of the following authentication mechanisms:
    - user name/passwords, two-factor authentications, authentications involving digital certificates, authentications involving presentment of a biometric indicator, and authentications involving a hardware trusted platform module.
  - 28. The method of claim 21, wherein the access control information comprises restrictions based on some or all of:
    - time of day, target virtualization platform, target virtualized resource, attempted management operation or command, and location of management client.
  - 29. The method of claim 21, wherein upon successful authentication of a subject one of the users, the control layer negotiates one or more log-in sessions with one or more of the virtualization platforms on behalf of the subject user.
  - 30. The method of claim 29, wherein the control layer logs-in the subject user with the one or more of the virtualization platforms at an appropriate level of each of the one or more virtualization platforms.
  - 31. The method of claim 30, wherein the appropriate level comprises a root level.
  - 32. The method of claim 21, wherein the control layer provides desired platform configurations to one or more of the virtualization platforms from a single instance of a configuration file or template.
  - 33. The method of claim 21, wherein the control layer monitors configuration decisions and activities of the virtualization platforms.
  - 34. The method of claim 33, wherein, in the event of an alarm condition, the control layer alerts an administrator or other designated contact.
  - 35. The method of claim 21, wherein the control layer logs attempts to access the virtualization platforms.
  - 36. The method of claim 21, wherein the control layer logs failed attempts to access the virtualization platforms.
  - 37. The method of claim 35, further comprising storing the logs at an appliance at which the control layer is instantiated prior to transferring the logs to a remote system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
HyTrust, Inc. (Entrust Corp.)
Inventors
Strongin, Boris, Belov, Boris, Budko, Renata, Chiu, Eric Ming, Prafullchandra, Hemma

Granted Patent

US 8,065,714 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

METHODS AND SYSTEMS FOR SECURELY MANAGING VIRTUALIZATION PLATFORM

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR SECURELY MANAGING VIRTUALIZATION PLATFORM

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links