SECURING CUSTOMER VIRTUAL MACHINES IN A MULTI-TENANT CLOUD
First Claim
1. A method of securing virtual machines in a multi-tenant data center including a plurality of server computers and persistent data stores, comprising:
- configuring a server computer with an attestation module;
installing a software stack on the server computer;
measuring, with the attestation module, a static property of the software stack and storing the measurement;
transmitting the measurement to an external entity and, in response thereto, receiving from the external entity a key for running a virtual machine on top of the software stack; and
running the virtual machine on top of the software stack using the key.
1 Assignment
0 Petitions
Accused Products
Abstract
A trusted virtualization platform protects sensitive customer data during operation of virtual machines in a multi-tenant cloud computing center. The trusted virtualization platform limits administrator access to the data and state of the virtual machines running thereon, reports any changes made thereto, and requires keys provided by the customer or a trusted third party of the customer to perform management operations on the virtual machines. By requiring cloud computing centers to use such trusted virtualization platforms, customers uploading their virtual machines into the cloud computing center can be assured that cloud administrators will not be able to access or tamper with their private data. Furthermore, customers can directly audit all important state or configuration changes for their virtual machines as the trusted virtualization platform can be configured to report all such changes according to a security policy set by the customer.
234 Citations
23 Claims
-
1. A method of securing virtual machines in a multi-tenant data center including a plurality of server computers and persistent data stores, comprising:
-
configuring a server computer with an attestation module; installing a software stack on the server computer; measuring, with the attestation module, a static property of the software stack and storing the measurement; transmitting the measurement to an external entity and, in response thereto, receiving from the external entity a key for running a virtual machine on top of the software stack; and running the virtual machine on top of the software stack using the key. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A non-transitory machine readable storage medium for securing virtual machines in a multi-tenant data center including a plurality of server computers and persistent data stores, the machine readable storage medium having computer instructions encoded thereon causing a computer configured as a trusted virtualization platform to perform a method, the method comprising:
-
receiving a request for a key to run a virtual machine on a server computer configured with an attestation module, the key request including a customer ID associated with the virtual machine; requesting the server computer for static property measurements of a software stack on top which the virtual machine will be run and, in response thereto, receiving the static property measurements; and confirming from the static property measurements that the software stack is a trusted software stack and, after said confirming, transmitting to the server computer the key to run the virtual machine on the server computer.
-
-
11. The machine readable storage medium of 10, wherein the method further comprises:
-
receiving a public key of the attestation module from the server computer; and searching for the public key in an inventory associated with the multi-tenant data center, wherein the key to run the virtual machine on the server computer is transmitted to the server computer after it is confirmed that the public key has been found in the inventory of associated with the multi-tenant data center.
-
-
12. The machine readable storage medium of 10, wherein the method further comprises:
-
receiving a request to perform an operation on the virtual machine running on the server computer; and examining a policy associated with the virtual machine and transmitting a key for performing the operation on the virtual machine if the policy permits the operation and transmitting a message denying the request if the policy does not permit the operation.
-
-
13. The machine readable storage medium of 12, wherein each of the keys has an associated lease period, after the expiration of which the key is no longer valid.
-
14. The machine readable storage medium of 10, wherein the method further comprises:
receiving and recording a report of operations performed on the virtual machine.
-
15. The machine readable storage medium of 10, wherein the method further comprises:
after the virtual machine is running on the server computer, transmitting a key for encrypting and decrypting data stored in a virtual disk of the virtual machine.
-
16. The machine readable storage medium of 10, wherein the method further comprises:
-
receiving a request to transmit a network packet to another virtual machine running in a different server computer; confirming that the different server computer is running a trusted software stack and said another virtual machine is running on top of the trusted software stack; and upon said confirming, transmitting to the server computer a key for encrypting the network packet to be transmitted to said another virtual machine.
-
-
17. The machine readable storage medium of 10, wherein the method further comprises:
-
receiving a public portion of an attestation identification key (AIK) from the server computer, wherein the static property measurements are encrypted with a private portion of the AIK and decrypted using the public portion of the AIK.
-
-
18. The machine readable storage medium of 10, wherein the method further comprises:
-
transmitting a random nonce to the server computer; and confirming that the static property measurements were actually transmitted by the server computer when the random nonce is also received from the server computer.
-
-
19. A multi-tenant data center comprising:
-
a plurality of server computers, each of which is configured with a trusted platform module and a trusted virtualization platform having one or more software layers on top of which a customer application is to be executed; and a persistent storage system coupled to the server computers, in which files for launching the customer application are stored, the files including an encrypted portion and a plain text portion that identifies the customer and a network location associated with the customer, wherein the trusted virtualization platform is programmed to;
(i) report any changes to the trusted virtualization platform to the network location associated with the customer;
(ii) obtain keys from the network location associated with the customer to decrypt the encrypted portion of the files for launching the customer application; and
(iii) prohibit direct inspection of memory of the virtual machine. - View Dependent Claims (20, 21, 22, 23)
-
Specification