Virtual Securty Zones for Data Processing Environments

US 20120222084A1
Filed: 01/25/2012
Published: 08/30/2012
Est. Priority Date: 02/25/2011
Status: Active Grant

First Claim

Patent Images

1. A computer program product for selectively providing security and network isolation of data processing environments, comprising:

a computer readable storage medium;

first program instructions to define a number of security zones, wherein each of the number of security zones comprises a security policy defining access of each service instance that is a member of a security zone in the number of security zones;

second program instructions to associate a service instance as a member of a security zone, wherein the service instance comprises a data processing resource provided as a service by a provider of data processing resources, wherein the data processing resource is selected from data processing resources that are part of a data center, data processing resources that are part of a private cloud, data processing resources that are part of a public cloud, or data processing resources that are part of a hybrid cloud comprising a number of public clouds and a number of private clouds; and

wherein the first program instructions and the second program instructions are stored on the computer readable storage medium.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and computer program product for providing security and network isolation for service instances comprising data processing resources provided as a service by a provider of data processing resources. Individual service instances may be associated as members of one or more security zones. The security zones comprise security policies that define access of each service instance that is a member of a security zone.

99 Citations

View as Search Results

20 Claims

1. A computer program product for selectively providing security and network isolation of data processing environments, comprising:
- a computer readable storage medium;
  
  first program instructions to define a number of security zones, wherein each of the number of security zones comprises a security policy defining access of each service instance that is a member of a security zone in the number of security zones;
  
  second program instructions to associate a service instance as a member of a security zone, wherein the service instance comprises a data processing resource provided as a service by a provider of data processing resources, wherein the data processing resource is selected from data processing resources that are part of a data center, data processing resources that are part of a private cloud, data processing resources that are part of a public cloud, or data processing resources that are part of a hybrid cloud comprising a number of public clouds and a number of private clouds; and
  
  wherein the first program instructions and the second program instructions are stored on the computer readable storage medium.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer program product of claim 1, wherein the service instance is a member of a plurality of security zones and wherein the security policy for each of the plurality of security zones is different.
  - 3. The computer program product of claim 1, wherein the security policy allows for access between each service instance that is a member of the security zone and prevents access from entities that are not members of the security zone to any member of the security zone.
  - 4. The computer program product of claim 1, further comprising:
    - third program instructions to receive a request to add an other service instance to the security zone;
      
      fourth program instructions to associate the other service instance to the security zone responsive to receiving the request;
      
      fifth program instructions to apply automatically the security policy to the other service instance; and
      
      wherein the third program instructions, the fourth program instructions, and the fifth program instructions are stored on the computer readable storage medium.
  - 5. The computer program product of claim 1, further comprising:
    - third program instructions to receive a change to the security policy;
      
      fourth program instructions to change the security policy responsive to receiving the change to the security policy;
      
      fifth program instructions to apply automatically the change to the security policy to each service instance that is a member of the security zone; and
      
      wherein the third program instructions, the fourth program instructions, and the fifth program instructions are stored on the computer readable storage medium.
  - 6. The computer program product of claim 1, wherein the first program instructions are provided as a plug-in to a software framework.

7. A method for providing security and network isolation for data processing environments, comprising:
- associating, by a processor unit, a service instance as a member of a security zone, wherein the service instance comprises a data processing resource provided as a service by a provider of data processing resources and wherein the security zone comprises a security policy defining access of each service instance that is a member of the security zone.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the service instance is a member of a plurality of security zones and wherein the security policy for each of the plurality of security zones is different.
  - 9. The method of claim 7, wherein the security policy provides for access between each service instance that is a member of the security zone.
  - 10. The method of claim 7, further comprising:
    - receiving, by the processor unit, a request to add an other service instance to the security zone;
      
      responsive to receiving the request, associating, by the processor unit, the other service instance to the security zone; and
      
      applying, by the processor unit, the security policy to the other service instance.
  - 11. The method of claim 7, further comprising:
    - receiving, by the processor unit, a change to the security policy;
      
      responsive to receiving the change to the security policy, changing, by the processor unit, the security policy to include the change to the security policy; and
      
      applying, by the processor unit, the change to the security policy to each service instance that is a member of the security zone.
  - 12. The method of claim 7, further comprising invoking a security service configured to associate the service instance as a member of the security zone, wherein the security manager is provided as a plug-in to a software framework.

13. An apparatus, comprising:
- a processor unit configured to associate a service instance as a member of a security zone, wherein the service instance comprises a data processing resource provided as a service by a provider of data processing resources and wherein the security zone comprises a security policy defining access of each service instance that is a member of the security zone.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus of claim 13, wherein the service instance is a member of a plurality of security zones and wherein the security policy for each of the plurality of security zones is different.
  - 15. The apparatus of claim 13, wherein the security policy provides for access between each service instance that is a member of the security zone.
  - 16. The apparatus of claim 13, wherein the processor unit is further configured to:
    - receive a request to add an other service instance to the security zone;
      
      associate the other service instance to the security zone responsive to receiving the request; and
      
      apply automatically the security policy to the other service instance.
  - 17. The apparatus of claim 13, wherein the processor unit is further configured to:
    - receive a change to the security policy;
      
      change the security policy responsive to receiving the change to the security policy; and
      
      apply the change to the security policy to each service instance that is a member of the security zone.
  - 18. The apparatus of claim 13, wherein the processor unit comprises:
    - a software framework; and
      
      a plug-in to the software framework configured to associate the service instance as the member of the security zone.

19. A method for selectively providing security and network isolation for data processing environments, comprising:
- defining, by a processor unit, a service instance as a member of a number of security zones, wherein the service instance comprises a data processing resource provided as a service by a provider of data processing resources and wherein each of the number of security zones comprises a security policy; and
  
  applying, by the processor unit, the security policy of the number of security zones, wherein the service instance is defined as a member of the number of security zones.
- View Dependent Claims (20)
- - 20. The method of claim 19, wherein the data processing resource is selected from data processing resources that are part of a data center, data processing resources that are part of a private cloud, data processing resources that are part of a public cloud, or data processing resources that are part of a hybrid cloud comprising a number of public clouds and a number of private clouds.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Beaty, Kirk A., Naik, Vijay K.

Granted Patent

US 9,104,672 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/302   where the computing system ...

G06F 11/3089   Monitoring arrangements det...

G06F 11/3409   for performance assessment

G06F 11/3476   Data logging G06F11/14, G06...

G06F 11/3495   for systems

G06F 2201/86   Event-based monitoring

H04L 43/0817   by checking functioning

H04L 63/20   for managing network securi...

Virtual Securty Zones for Data Processing Environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

99 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual Securty Zones for Data Processing Environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links