MODEL BASED SECURITY FOR CLOUD SERVICES

US 20100251328A1
Filed: 03/31/2009
Published: 09/30/2010
Est. Priority Date: 03/31/2009
Status: Active Grant

First Claim

Patent Images

1. A method for applying a security scheme to a network environment within which an application is to be instantiated comprising:

creating a security scheme based upon an application service model corresponding to an application which is to be instantiated within the network environment; and

applying the security scheme to the network environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Applications, such as cloud services, may be deployed within a network environment (e.g., a cloud computing environment). Unfortunately, when the applications are instantiated within the network environment, they have the ability to compromise the security of other applications and/or the infrastructure of the network environment. Accordingly, as provided herein, a security scheme may be applied to a network environment within which an application is to be instantiated. The security scheme may comprise one or more security layers (e.g., virtual machine level security, application level security, operating system level security, etc.) derived from an application service model describing the application and/or resources allocated to the application.

115 Citations

View as Search Results

20 Claims

1. A method for applying a security scheme to a network environment within which an application is to be instantiated comprising:
- creating a security scheme based upon an application service model corresponding to an application which is to be instantiated within the network environment; and
  
  applying the security scheme to the network environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, the application service model comprising an application description and a resource allocation plan.
  - 3. The method of claim 2, the resource allocation plan comprising at least one of:
    - a CPU allocation;
      
      a disk size allocation;
      
      network endpoints; and
      
      memory allocation.
  - 4. The method of claim 2, the application description comprising a description of the application and one or more constituent applications.
  - 5. The method of claim 1, the applying the security scheme comprising:
    - enforcing one or more limitations of computing resources upon the application; and
      
      enforcing one or more restrictions of computing resources upon the application; and
      
      enforcing one or more restrictions of execution privilege upon the application.
  - 6. The method of claim 1, the creating a security scheme comprising:
    - deriving a network filter security configured to isolate resources of a virtual machine in which the application is to be instantiated.
  - 7. The method of claim 1, the creating a security scheme comprising:
    - deriving a virtual machine security configured to define resource access of a virtual machine within which the application is to be instantiated based upon the application service model; and
      
      deriving an operating system security configured to define access to system resources based upon the application service model.
  - 8. The method of claim 7, comprising:
    - deriving a file security configured to define access to files, directories, and volume resources based upon the application service model; and
      
      deriving a file resource management security configured to define file size limitations based upon the application service model.
  - 9. The method of claim 7, comprising:
    - deriving an endpoint security configured to define access to one or more network endpoints based upon the application service model.
  - 10. The method of claim 7, comprising:
    - deriving a virtual account security configured to restrict the application from accessing operating system specific operations and resources not specified in the application security model.
  - 11. The method of claim 7, comprising:
    - deriving a process security configured to define at least one of memory access, CPU limits, and global object access within the virtual machine based upon the resource allocation plan; and
      
      deriving an application security configured to;
      
      restrict access to operating system resources; and
      
      restrict execution of privileged operations specified within the application service model.

12. A system for applying a security scheme to a network environment within which an application is to be instantiated comprising:
- a security component configured to;
  
  create a security scheme based upon an application service model corresponding to an application which is to be instantiated within the network environment; and
  
  apply the security scheme to the network environment.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, the security scheme configured to:
    - enforce one or more limitations of computing resources upon the application; and
      
      enforce one or more restrictions of computing resources upon the application.
  - 14. The system of claim 12 the security scheme comprising:
    - a network filter security configured to isolate resources of a virtual machine in which the application is to be instantiated.
  - 15. The system of claim 12 the security scheme comprising:
    - a virtual machine security configured to define resource access of a virtual machine within which the application is to be instantiated based upon the application service model; and
      
      an operating system security configured to define access to system resources based upon the application service model.
  - 16. The system of claim 12 the security scheme comprising:
    - a file security configured to define access to files, directories, and volume resources based upon the application service model; and
      
      a file resource management security configured to define file size limitations based upon the application service model.
  - 17. The system of claim 12 the security scheme comprising:
    - an endpoint security configured to define access to one or more network endpoints based upon the application service model.
  - 18. The system of claim 12 the security scheme comprising:
    - a virtual account security configured to restrict the application from accessing operating system specific operations and resources not specified in the application security model.
  - 19. The system of claim 12 the security scheme comprising:
    - a process security configured to define at least one of memory access, CPU limits, and global object access within the virtual machine based upon the resource allocation plan; and
      
      an application security configured to;
      
      restrict access to operating system resources; and
      
      restrict execution of privileged operations specified within the application service model.

20. A method for applying a security scheme to a network environment within which an application is to be instantiated comprising:
- creating a security scheme based upon an application service model corresponding to an application which is to be instantiated within the network environment, wherein the security scheme comprises;
  
  a network filter security configured to isolate resources of a virtual machine in which the application is to be instantiated;
  
  a virtual machine security configured to define resource access of a virtual machine within which the application is to be instantiated based upon the application service model;
  
  an operating system security configured to define access to system resources based upon the application service model;
  
  a file security configured to define access to files, directories, and volume resources based upon the application service model;
  
  a file resource management security configured to define file size limitations based upon the application service model;
  
  an endpoint security configured to define access to one or more network endpoints based upon the application service model;
  
  a virtual account security configured to restrict the application from accessing operating system specific operations and resources not specified in the application security model;
  
  a process security configured to define at least one of memory access, CPU limits, and global object access within the virtual machine based upon the resource allocation plan; and
  
  an application security configured to;
  
  restrict access to operating system resources; and
  
  restrict execution of privileged operations specified within the application service model; and
  
  applying the security scheme to the network environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shankar, Chetan, Azad, Muhammad Umer, Rewaskar, Sushant P., Syed, Saad, Bernabeu-Auban, Jose M.

Granted Patent

US 8,621,553 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

MODEL BASED SECURITY FOR CLOUD SERVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

MODEL BASED SECURITY FOR CLOUD SERVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others