TECHNIQUES FOR SECURE DATA EXTRACTION IN A VIRTUAL OR CLOUD ENVIRONMENT

US 20140281509A1
Filed: 05/31/2013
Published: 09/18/2014
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a non-transitory machine-readable storage medium and processed by a device configured to perform the method, comprising:

acquiring, by the device, an encryption key tailored for a virtual processing environment;

identifying, by the device, selective data to extract from the virtual processing environment; and

encrypting, by the device, the selective data with the encryption key.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for secure data extraction in a virtual or cloud environment are presented. Desired data from a Virtual Machine (VM) or an entire VM is extracted and encrypted with a key. This key is sealed to a machine or a group of machines. The encrypted data is then migrated and successfully used on startup for instances of the VM by having the ability to access the sealed key (and unsealing it) to decrypt the encrypted data.

26 Citations

View as Search Results

20 Claims

1. A method implemented in a non-transitory machine-readable storage medium and processed by a device configured to perform the method, comprising:
- acquiring, by the device, an encryption key tailored for a virtual processing environment;
  
  identifying, by the device, selective data to extract from the virtual processing environment; and
  
  encrypting, by the device, the selective data with the encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising, sealing, by the device, the encryption key.
  - 3. The method of claim 2, wherein sealing further includes tying the sealed encryption key to a defined set of devices.
  - 4. The method of claim 1, wherein acquiring further includes registering the virtual processing environment to obtain the encryption key.
  - 5. The method of claim 4, wherein registering further includes registering the virtual processing environment with a local environment of the device.
  - 6. The method of claim 4, wherein registering further includes registering the virtual processing environment with a third-party credential arbiter.
  - 7. The method of claim 1, wherein acquiring further includes obtaining the encryption key from a Trusted Platform Module (TPM) of the device.
  - 8. The method of claim 1, wherein identifying further includes generating the selective data as a difference between a current state of the virtual processing environment and a base image/state for the virtual processing environment.
  - 9. The method of claim 1, wherein identifying further includes recognizing the selective data as an entire image for the virtual processing environment.
  - 10. The method of claim 1, wherein identifying further includes dynamically recognizing the selective data as the virtual processing environment processes based on one or more of:
    - a policy evaluation, a specific operation being processed within the virtual processing environment, and a type assigned to the selective data.
  - 11. The method of claim 1, wherein encrypting further includes storing the encrypted selective data in a repository.
  - 12. The method of claim 1, wherein encrypting further includes transmitting the encrypted selective data as a stream over a network to a resource.

13. A method implemented in a non-transitory machine-readable storage medium and processed by a machine configured to perform the method, comprising:
- transmitting, by the machine, a base image of a virtual processing environment to a target machine;
  
  communicating, via the machine, selective encrypted data tied to a given state for the base image to the target machine; and
  
  instructing, via the machine, a running image of the virtual processing environment to validate, decrypt, and integrate the selective encrypted data into the running image.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein transmitting further includes identifying the target machine in response to an authorized cluster of machines that includes the target machine.
  - 15. The method of claim 13, wherein transmitting further includes deciding to transmit the base image to the target machine in response to a dynamically evaluated policy.
  - 16. The method of claim 13, wherein instructing further includes directing the running image to a third-party credential arbiter to assist in validating the selective encrypted data.
  - 17. The method of claim 13, wherein instructing further includes directing the running image to use a sealed Trusted Platform Module key to validate the selective encrypted data.

18. A system, comprising:
- a machine memory configured with a virtual data extractor that processes on one or more processors of the machine;
  
  the machine or a different machine configured with a virtual machine (VM) secure data distributor;
  
  wherein the virtual data extractor is configured to selectively identify, extract, and encrypt data associated with a VM, and the VM secure data distributor is configured to deliver the encrypted data to a target machine that is to run an instance of the VM and instruct the target machine to validate, decrypt, and integrate the encrypted data within the instance.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the virtual data extractor is integrated into a base image associated with the VM.
  - 20. The system of claim 19, wherein the encrypted data is encrypted with a key that is tied to a configuration of the target machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetIQ Corporation (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Angelo, Michael F., Burch, Lloyd Leon

Granted Patent

US 9,514,313 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 21/57   Certifying or maintaining t...

G06F 21/602   Providing cryptographic fac...

G06F 2221/2107   File encryption

G06F 9/45558   Hypervisor-specific managem...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 9/08   Key distribution or managem...

H04L 9/3234   involving additional secure...

TECHNIQUES FOR SECURE DATA EXTRACTION IN A VIRTUAL OR CLOUD ENVIRONMENT

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

TECHNIQUES FOR SECURE DATA EXTRACTION IN A VIRTUAL OR CLOUD ENVIRONMENT

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others