SAFEMASHUPS CLOUD TRUST BROKER
First Claim
1. A method for enforcing security policies in a virtualized or cloud environment wherein:
a) the infrastructure is divided into layers encompassing physical facilities, hardware, virtualization, guest operating system, applications, user desktop and browser;
b) each layer is divided into security units;
c) each security unit contains security profiles with attestations about the security of the said unit, including attestations about the floor, ceiling and wall security properties;
d) each security unit has an agent that can be used to establish communications with other security units for the transfer of data or processing; and
e) a cloud trust broker is present to mediate such communications.
Abstract
The present invention provides a new method for policy enforcement in a virtualized or cloud environment. We break down the environment into layers, which are further sub-divided into security units. Each security unit has a security profile based on its own security properties and those of the layers below. The security profile also reflects the floor, ceiling and wall security properties. Each security unit has an agent which is used to establish communications with other security units. Such communication is mediated by a cloud trust broker, which determines whether the communication is permitted based on an access control list or, failing that, retrieves the security profiles and applies pre-defined rules. If the communication is allowed, the cloud trust broker runs a mutual authentication and key distribution protocol that results in the two security units obtaining a session key, which they can then use for further communications that proceed directly between them.
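The broker flow in the abstract (ACL check, then profile rules, then mutual authentication and session-key distribution between two agents), as an added Python model that is not the patent's own code. It assumes floor/ceiling/wall attestations are booleans, that each agent shares a long-term key with the broker, and uses a simplified HMAC-based challenge and key-wrap in place of whatever protocol the patent specifies.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

@dataclass
class SecurityUnit:
    name: str
    layer: str
    profile: dict      # attestations; floor/ceiling/wall modelled as booleans (assumption)
    broker_key: bytes  # long-term key the agent shares with the broker (assumption)
    session_keys: dict = field(default_factory=dict)

    def prove(self, nonce: bytes) -> bytes:
        # agent authenticates to the broker by MACing the broker's nonce
        return mac(self.broker_key, self.name.encode(), nonce)

    def accept(self, peer: str, nonce: bytes, wrapped: bytes, tag: bytes) -> bool:
        # agent authenticates the broker's key-distribution message, then unwraps the key
        if not hmac.compare_digest(tag, mac(self.broker_key, peer.encode(), nonce, wrapped)):
            return False
        kek = mac(self.broker_key, b"kek", nonce)
        self.session_keys[peer] = bytes(x ^ y for x, y in zip(wrapped, kek))
        return True

class CloudTrustBroker:
    def __init__(self, units, acl, rules):
        self.units = {u.name: u for u in units}
        self.acl, self.rules = set(acl), list(rules)
    def permitted(self, src: str, dst: str) -> bool:
        # access control list first; otherwise retrieve both profiles and apply every rule
        if (src, dst) in self.acl:
            return True
        return all(r(self.units[src].profile, self.units[dst].profile) for r in self.rules)
    def mediate(self, src: str, dst: str) -> bool:
        if not self.permitted(src, dst):
            return False
        a, b = self.units[src], self.units[dst]
        nonce = secrets.token_bytes(16)
        # mutual authentication: each agent must prove possession of its broker key
        for u in (a, b):
            if not hmac.compare_digest(u.prove(nonce), mac(u.broker_key, u.name.encode(), nonce)):
                return False
        # key distribution: one fresh session key, wrapped and tagged separately for each agent
        sk = secrets.token_bytes(32)
        for u, peer in ((a, b.name), (b, a.name)):
            wrapped = bytes(x ^ y for x, y in zip(sk, mac(u.broker_key, b"kek", nonce)))
            if not u.accept(peer, nonce, wrapped, mac(u.broker_key, peer.encode(), nonce, wrapped)):
                return False
        return True
```

After a successful `mediate`, both units hold the same 32-byte key under the peer's name and can continue directly without the broker.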
3 Claims
Claim 1 is reproduced above under First Claim; claims 2 and 3 are dependent on it.