INTELLIGENT SECURITY CONTROL SYSTEM FOR VIRTUALIZED ECOSYSTEMS

US 20100169948A1
Filed: 12/31/2008
Published: 07/01/2010
Est. Priority Date: 12/31/2008
Status: Active Grant

First Claim

Patent Images

1. A method for securing resources of a virtualized ecosystem, comprising defining and analyzing object handling control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Resources of a virtualized ecosystem are intelligently secured by defining and analyzing object handling security control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.

270 Citations

82 Claims

1. A method for securing resources of a virtualized ecosystem, comprising defining and analyzing object handling control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein deriving object properties comprises defining, managing and enforcing controls for interactions amongst the logical resources and their interactions with an underlying physical, computer-based environment abstracted by the virtualized ecosystem.
  - 3. The method of claim 2, wherein the controls are derived from existing controls for like logical resources of the virtualized ecosystem.
  - 4. The method of claim 2, wherein the controls are inherited from like logical resources of the virtualized ecosystem.
  - 5. The method of claim 2, further comprising evaluating the controls in response to an attempt to manipulate one or more of the logical resources and enforcing prescribed behavior for the logical resources according to a context within which the attempted manipulation is being performed and one or more properties of the logical resources.
  - 6. The method of claim 2, further comprising enforcing learned behaviors for the logical resources, said behaviors being learned from systems external to the virtualized ecosystem.
  - 7. The method of claim 6, wherein the systems external to the virtualized ecosystem comprise instances of systems having security control systems configured to share information with a security control system for the virtualized ecosystem as part of a virtual community.
  - 8. The method of claim 2, wherein logical and physical objects of the virtualized ecosystem are categorized so that objects with similar properties are grouped together.
  - 9. The method of claim 8, wherein a taxonomy of allowed hierarchical relationships of the groupings defines higher groupings thereof.
  - 10. The method of claim 8, wherein various ones of the objects inherit similar ones of the controls according to the groupings.
  - 11. The method of claim 8, wherein the groupings are made according to similarities determined by defined metrics for the objects within the virtualized ecosystem.
  - 12. The method of claim 9, wherein the controls are defined for the groupings within the taxonomy of allowed hierarchical relationships.
  - 13. The method of claim 12, wherein the taxonomy of allowed hierarchical relationships are learned from the virtualized ecosystem.
  - 14. The method of claim 12, wherein the taxonomy of allowed hierarchical relationships are imported from existing systems and subsequently augmented.
  - 15. The method of claim 2, wherein properties of the logical resources and the underlying physical, computer-based environment, which make up the virtualized ecosystem are automatically discovered through available interfaces and management clients for the virtualized ecosystem.
  - 16. The method of claim 2, wherein the controls are literally embedded as control blocks within the logical resources, said controls dictating where, when, how and using what resources the logical resources can operate within the virtualized ecosystem.
  - 17. The method of claim 2, wherein the controls are logically embedded as control blocks within the logical resources, said controls dictating where, when, how and using what resources the logical resources can operate within the virtualized ecosystem.
  - 18. The method of claim 2, wherein logical resources at rest in the virtualized ecosystem are encrypted according to a varying level of protection that depends on an environmental context of the logical resources.
  - 19. The method of claim 2, wherein the controls are enforced after being validated.
  - 20. The method of claim 19, wherein the validation includes verifying digital signatures associated with the controls.
  - 21. The method of claim 19, wherein the enforcement is achieved by evaluating intentions specified in the controls, operations on the logical resources being performed and environments in which they are being performed.
  - 22. The method of claim 21, wherein prior to enforcement, the operations and environments are baselined to derive normal behaviors for the controls and logical resources.
  - 23. The method of claim 1, wherein the control information comprises security and compliance control information that influences or impacts security of the virtualized ecosystem.
  - 24. The method of claim 1, wherein the virtualized ecosystem comprises one or more virtualization platforms.

25. A system, comprising a virtual infrastructure and a security control system communicatively coupled to the virtual infrastructure, the security control system configured for securing resources of the virtual infrastructure by defining and analyzing object handling control information for one or more logical resources in the virtual infrastructure and deriving therefrom object properties for each of the logical resources involved in the execution of one or more virtual machines in any given context within the virtual infrastructure.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 26. The system of claim 25 wherein the one or more virtual machines execute on one or more virtualization platforms, at least some of said virtualization platforms having an associated security control system agent communicatively coupled to the security control system.
  - 27. The system of claim 26 wherein the virtual infrastructure further includes a storage system used by at least some of virtual machines, said storage system having its own associated security control system agent communicatively coupled to the security control system.
  - 28. The system of claim 25 wherein at least some of the virtual machines are communicatively coupled to the security control system through one or more management clients of a virtualization platform on which the at least some of the virtual machines execute.
  - 29. The system of claim 25 wherein the virtual infrastructure abstracts an underlying physical, computer-based environment and the security control system is configured to define, manage and enforce controls for interactions amongst the logical resources and their interactions with the computer-based environment.
  - 30. The system of claim 29, wherein the security control system is configured to evaluate the controls in response to attempts to manipulate one or more of the logical resources and to enforce prescribed behavior for the controls according to a context within which the attempted manipulation is being performed and one or more properties of the logical resources.
  - 31. The system of claim 29, wherein the security control system is configured to enforce learned behaviors for the logical resources, said behaviors being learned from systems external to the virtualized ecosystem.
  - 32. The system of claim 31, wherein the systems external to the virtualized ecosystem comprise instances of systems having security control systems configured to share information with a security control system for the virtualized ecosystem as part of a virtual community.
  - 33. The system of claim 25, wherein logical and physical objects of the virtual infrastructure are categorized so that objects with similar properties are grouped together.
  - 34. The system of claim 33, wherein a taxonomy of allowed hierarchical relationships of the groupings defines higher groupings thereof.
  - 35. The system of claim 33, wherein various ones of the objects inherit similar ones of the controls according to the groupings.
  - 36. The system of claim 33, wherein the groupings are made according to similarities determined by defined metrics for the objects within the virtualized ecosystem.
  - 37. The system of claim 34, wherein the controls are defined for the groupings within the taxonomy of allowed hierarchical relationships.
  - 38. The system of claim 34, wherein the taxonomy of allowed hierarchical relationships are learned from the virtualized ecosystem.
  - 39. The system of claim 34, wherein the taxonomy of allowed hierarchical relationships are imported from existing systems and subsequently augmented.
  - 40. The system of claim 29, wherein the virtual infrastructure has one or more interfaces and the security control system is configured to automatically discover properties of the logical resources and the underlying physical, computer-based environment through said interfaces.
  - 41. The system of claim 40, wherein the controls are logically embedded as control blocks within the logical resources, said controls dictating where, when, how and using what resources the logical resources can operate within the virtual infrastructure.
  - 42. The system of claim 40, wherein the controls are literally embedded as control blocks within the logical resources, said controls dictating where, when, how and using what resources the logical resources can operate within the virtual infrastructure.
  - 43. The system of claim 29, wherein the security control system is configured to encrypt logical resources at rest in the virtual infrastructure according to a varying level of protection that depends on an environmental context of the logical resources.
  - 44. The system of claim 29, wherein the security control system is configured to validate the controls before enforcing the controls.
  - 45. The system of claim 44, wherein the security control system is configured to validate the controls by verifying digital signatures associated with the controls.
  - 46. The system of claim 44, wherein the security control system is configured to enforce the controls by evaluating intentions specified in the controls, operations on the logical resources being performed and a environments in which they are being performed.

47. A method of protecting a virtual machine, comprising on bringing an un-protected virtual machine under control of a security control system, establishing a lock on the virtual machine and its associated virtual disk files;
- determining a required level of protection for the virtual machine and encryption tuning parameters;
  
  selecting a cipher algorithm and generating encryption keys according to the encryption tuning parameters;
  
  applying re-formatting changes, if needed;
  
  encrypting sectors of data based on the determined level of protection;
  
  encrypting a symmetric encryption key with an asymmetric public key; and
  
  adding metadata along with the encrypted symmetric key into the virtual machine.

48. A method of un-protecting a protected virtual machine, comprising retrieving metadata from a protected virtual machine disk file;
- retrieving identity and/or location information of an associated asymmetric private key;
  
  decrypting a symmetric encryption key using the asymmetric private key; and
  
  decrypting the protected virtual machine disk file with the symmetric encryption key.

49. A method, comprising, in response to an attempt to manipulate virtual objects that are in a virtualized ecosystem, evaluating and enforcing controls for the manipulation being attempted according to a context within which the attempted manipulation is being performed and the properties of the virtual objects, the controls being embedded within the virtual objects.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82)
- - 50. The method of claim 49, wherein the controls include entitlements, access policies and use policies for the virtual objects.
  - 51. The method of claim 49, further comprising taking actions according to results of the evaluation of the controls.
  - 52. The method of claim 51, wherein the actions include allow, deny, log, quarantine, lock, scan and remediate.
  - 53. The method of claim 49, wherein the controls are logically embedded within the virtual objects.
  - 54. The method of claim 49, wherein the controls are literally embedded within the virtual objects.
  - 55. The method of claim 49, wherein the virtual objects are categorized so that virtual objects with similar properties are grouped together.
  - 56. The method of claim 55, wherein groupings of the virtual objects are subject to a taxonomy of allowed hierarchical relationships of the groupings into higher classes.
  - 57. The method of claim 56, wherein the classes and taxonomies are independent of other definitions for the virtual objects.
  - 58. The method of claim 56, wherein the classes and taxonomies augment existing definitions for the virtual objects.
  - 59. The method of claim 56, wherein the controls are attached to the virtual objects at any level of the hierarchy.
  - 60. The method of claim 56, wherein if a subject control is not defined for a particular level of the hierarchy, that level inherits the subject control from one of the higher classes within the hierarchy.
  - 61. The method of claim 56, wherein precedence order for controls within the hierarchy is given to classes at deeper layers of the hierarchy.
  - 62. The method of claim 55, wherein each grouping is identified through an associated label.
  - 63. The method of claim 55, wherein groupings are defined according to a metric and controls are propagated among the virtual objects based on a distance determined according to said metric.
  - 64. The method of claim 63, wherein the distance is derived by assigning different weights to various properties of the virtual objects.
  - 65. The method of claim 63, wherein the metric comprises a weighted sum of virtual object classification characteristics.
  - 66. The method of claim 55, wherein the virtualized ecosystem comprises an abstracted representation of a physical computer environment and information regarding the physical environment on which the virtual ecosystem is instantiated is automatically obtained from external services regarding the physical environment.
  - 67. The method of claim 49, wherein the embedded controls prescribe where, when, how and/or using what resources of the virtualized ecosystem or a physical environment which it abstracts the virtual objects in which the controls are embedded can operate.
  - 68. The method of claim 49, wherein at least some of the embedded controls define intents of respective ones of the virtual objects.
  - 69. The method of claim 49, wherein at least some of the embedded controls are security- or compliance-related controls.
  - 70. The method of claim 49, wherein at least some of the controls are logically embedded within at least some of the virtual objects and comprise links to actual controls that are stored in a central repository.
  - 71. The method of claim 49, wherein at least some of the controls are active controls and comprise executable code that executes when corresponding ones of the virtual objects in which the active controls are embedded are instantiated.
  - 72. The method of claim 71, wherein at least some of the active controls are used to operationally regulate behavior of corresponding ones of the virtual objects based on environmental conditions.
  - 73. The method of claim 71, wherein at least some of the active controls are used to decrypt/unprotect an associated disk file.
  - 74. The method of claim 49, wherein the controls are assigned to virtual objects according to groupings of the virtual objects.
  - 75. The method of claim 49, wherein the controls are updated along with updates to corresponding virtual objects to which they pertain and are protected through the use of digital signatures which are verified prior to updating of the controls.
  - 76. The method of claim 49, wherein at least some of the controls concern prevention or restriction of operations that might result in unintended access of the virtualized ecosystem or data used thereby.
  - 77. The method of claim 76, wherein the prevention or restriction of operations is provided by selective, full or minimal encryption of associated virtual machine disk files.
  - 78. The method of claim 49, wherein the controls are verified prior to being enforced.
  - 79. The method of claim 78, wherein enforcement of the controls is achieved by evaluating intentions specified in the controls and,their context.
  - 80. The method of claim 79, wherein the context of the controls includes operations being performed on the virtual objects, the nature of the virtualized ecosystem in which the operations are being performed, date and time, resources available, and/or whether the attempted manipulations are customary for the virtual objects or not.
  - 81. The method of claim 79, wherein evaluation of the controls given the context comprises dynamically assembling control information to produce dynamically generated control maps.
  - 82. The method of claim 81, wherein concrete control maps are developed from the dynamically generated control maps and subsequently persisted for later reference.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
HyTrust, Inc. (Entrust Corp.)
Inventors
Strongin, Boris, Budko, Renata, Chiu, Eric Ming, Prafullchandra, Hemma

Granted Patent

US 8,336,079 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/00   Security arrangements for p...

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

G06F 9/45558   Hypervisor-specific managem...

H04L 9/088   Usage controlling of secret...

H04L 9/3247   involving digital signatures

INTELLIGENT SECURITY CONTROL SYSTEM FOR VIRTUALIZED ECOSYSTEMS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

270 Citations

82 Claims

Specification

Use Cases

Quick Links

Others

INTELLIGENT SECURITY CONTROL SYSTEM FOR VIRTUALIZED ECOSYSTEMS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

270 Citations

82 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others