SAFEMASHUPS CLOUD TRUST BROKER
First Claim
1. A method for enforcing security policies in a virtualized or cloud environment wherein:
- a) the infrastructure is divided into layers encompassing physical facilities, hardware, virtualization, guest operating system, applications, user desktop and browser;
b) each layer is divided into security units;
c) each security unit contains security profiles with attestations about the security of the said unit, including attestations about the floor, ceiling and wall security properties;
d) each security unit has an agent that can be used to establish communications with other security units for the transfer of data or processing; and
e) a cloud trust broker is present to mediate such communications.
0 Assignments
0 Petitions
Accused Products
Abstract
The present invention provides a new method for policy enforcement in a virtualized or cloud environment. We break down the environment into layers, which are further sub-divided into security units. Each security unit has a security profile based on its own security properties and those of the layers below. The security profile also reflects the floor, ceiling and wall security properties. Each security unit has an agent which is used to establish communications with other security units. Such communication is mediated by a cloud trust broker which determines if the communication is permitted based on access control list or else retrieves the security profiles and applies pre-defined rules. If the communications are allowed the cloud trust broker runs a mutual authentication and key distribution protocol that results in the two security units obtaining a session key which they can then use for further communications which can proceed directly.
44 Citations
3 Claims
-
1. A method for enforcing security policies in a virtualized or cloud environment wherein:
-
a) the infrastructure is divided into layers encompassing physical facilities, hardware, virtualization, guest operating system, applications, user desktop and browser; b) each layer is divided into security units; c) each security unit contains security profiles with attestations about the security of the said unit, including attestations about the floor, ceiling and wall security properties; d) each security unit has an agent that can be used to establish communications with other security units for the transfer of data or processing; and e) a cloud trust broker is present to mediate such communications. - View Dependent Claims (2, 3)
-
Specification
-
- Resources
-
Current AssigneeBoard of Regents of the University of Texas System (University of Texas System)
-
Original AssigneeBoard of Regents of the University of Texas System (University of Texas System)
-
InventorsGANESAN, Ravi, Wolff, Todd
-
Application NumberUS12/859,986Publication NumberTime in Patent OfficeDaysField of SearchUS Class Current713/169CPC Class CodesG06F 21/6218 to a system of files or obj...H04L 63/061 for key exchange, e.g. in p...H04L 63/0869 for achieving mutual authen...H04L 63/101 Access control lists [ACL]H04L 63/102 Entity profilesH04L 69/32 Architecture of open system...H04L 69/321 Interlayer communication pr...H04L 9/0819 Key transport or distributi...H04L 9/321 involving a third party or ...H04L 9/3273 for mutual authentication n...
