RESOURCE ACCESS CONTROL FOR VIRTUAL MACHINES

US 20150350188A1
Filed: 10/08/2014
Published: 12/03/2015
Est. Priority Date: 05/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating a computing system to control access data resources by virtual machines, the method comprising:

in an interface system, receiving an access token and an instantiation command from an end user system;

responsive to the instantiation command, instantiating a virtual machine identified by the instantiation command using the access token as user data for the virtual machine during instantiation;

in the virtual machine, executing a security module responsive to instantiation that transfers the access token for delivery to an authorization system; and

in the virtual machine, receiving credentials responsive to the access token, and accessing a data resource using the credentials.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To provide enhanced operation of virtualized computing systems, various systems, apparatuses, methods, and software are provided herein. In a first example, a method of operating a computing system to control access to data resources by virtual machines is provided. The method includes receiving an access token and an instantiation command from an end user system. Responsive to the instantiation command, the method includes instantiating a virtual machine identified by the instantiation command using the access token as user data for the virtual machine during instantiation. The method also includes, in the virtual machine, executing a security module responsive to instantiation that transfers the access token for delivery to an authorization system, receiving credentials responsive to the access token, and accessing a data resource using the credentials.

24 Citations

View as Search Results

20 Claims

1. A method of operating a computing system to control access data resources by virtual machines, the method comprising:
- in an interface system, receiving an access token and an instantiation command from an end user system;
  
  responsive to the instantiation command, instantiating a virtual machine identified by the instantiation command using the access token as user data for the virtual machine during instantiation;
  
  in the virtual machine, executing a security module responsive to instantiation that transfers the access token for delivery to an authorization system; and
  
  in the virtual machine, receiving credentials responsive to the access token, and accessing a data resource using the credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the access token is passed to the virtual machine as a user parameter during instantiation of the virtual machine.
  - 3. The method of claim 1, wherein the access token is provided by the authorization system to the end user system prior to the end user issuing the instantiation command.
  - 4. The method of claim 1, wherein the security module comprises a startup script run by the virtual machine responsive to instantiation.
  - 5. The method of claim 4, further comprising:
    - providing the access token to the startup script;
      
      in the startup script, responsive to receiving the access token, requesting the credentials from the authorization system using the access token.
  - 6. The method of claim 1, wherein accessing the data resource using the credentials comprises requesting data from the data resource using the credentials.
  - 7. The method of claim 1, wherein accessing the data resource using the credentials comprises establishing a communication session between the data resource and the virtual machine using the credentials.
  - 8. The method of claim 1, further comprising:
    - in the authorization system, responsive to receiving the token, identifying the credentials and transferring the credentials for delivery to the data resource and for delivery to the virtual machine.
  - 9. The method of claim 1, wherein the virtual machine is instantiated from a shared virtual machine image;
    - and further comprising;
      
      in a second interface system, receiving a second access token and a second instantiation command from an second end user system to instantiate a second virtual machine from the shared virtual machine image, wherein the second access token is different than the access token;
      
      responsive to the second instantiation command, instantiating the second virtual machine identified by the second instantiation command using the second access token as second user data for the second virtual machine during instantiation;
      
      in the second virtual machine, executing a security module responsive to instantiation that transfers the second access token for delivery to the authorization system; and
      
      in the second virtual machine, receiving second credentials responsive to the second access token, and accessing the data resource using the second credentials, wherein the second credentials are different than the credentials.
  - 10. The method of claim 1, wherein the virtual machine is instantiated from a shared virtual machine image;
    - and further comprising;
      
      replicating the virtual machine from the shared virtual machine image to instantiate a second virtual machine from the shared virtual machine image, where the second virtual machine uses a second access token different than the access token when executing a security module of the second virtual machine;
      
      in the second virtual machine, transferring the second access token for delivery to the authorization system; and
      
      in the second virtual machine, receiving second credentials responsive to the second access token, and accessing the data resource using the second credentials, wherein the second credentials are different than the credentials.

11. A computer apparatus to operate a computing system to control access data resources by virtual machines, the apparatus comprising:
- software instructions configured, when executed by one or more computing systems, to direct the one or more computing systems to;
  
  receive, in an interface system, an access token and an instantiation command from an end user system;
  
  responsive to the instantiation command, instantiate a virtual machine identified by the instantiation command using the access token as user data for the virtual machine during instantiation;
  
  execute, in the virtual machine, a security module responsive to instantiation that transfers the access token for delivery to an authorization system; and
  
  receive, in the virtual machine, one or more credentials responsive to the access token, and accessing a data resource using the one or more credentials; and
  
  at least one non-transitory computer-readable storage medium storing the software instructions.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer apparatus of claim 11, wherein the access token is passed to the virtual machine as a user parameter during instantiation of the virtual machine.
  - 13. The computer apparatus of claim 11, wherein the access token is provided by the authorization system to the end user system prior to the end user issuing the instantiation command.
  - 14. The computer apparatus of claim 11, wherein the security module comprises a startup script run by the virtual machine responsive to instantiation.
  - 15. The computer apparatus of claim 14, with further software instructions configured, when executed by one or more computing systems, to direct the one or more computing systems to:
    - provide the access token to the startup script;
      
      in the startup script, responsive to receiving the access token, request the credentials from the authorization system using the access token.
  - 16. The computer apparatus of claim 11, wherein the software instructions are configured, when executed by one or more computing systems, to direct the one or more computing systems to:
    - access the data resource using the credentials by at least requesting data from the data resource using the credentials.
  - 17. The computer apparatus of claim 11, wherein the software instructions are configured, when executed by one or more computing systems, to direct the one or more computing systems to:
    - access the data resource using the credentials by at least establishing a communication session between the data resource and the virtual machine using the credentials.
  - 18. The computer apparatus of claim 11, with further software instructions configured, when executed by one or more computing systems, to direct the one or more computing systems to:
    - responsive to receiving the token, in the authorization system, identify the credentials and transfer the credentials for delivery to the data resource and for delivery to the virtual machine.
  - 19. The computer apparatus of claim 11, wherein the virtual machine is instantiated from a shared virtual machine image;
    - and with further software instructions configured, when executed by one or more computing systems, to direct the one or more computing systems to;
      
      in a second interface system, receive a second access token and a second instantiation command from an second end user system to instantiate a second virtual machine from the shared virtual machine image, wherein the second access token is different than the access token;
      
      responsive to the second instantiation command, instantiate the second virtual machine identified by the second instantiation command using the second access token as second user data for the second virtual machine during instantiation;
      
      in the second virtual machine, execute a security module responsive to instantiation that transfers the second access token for delivery to the authorization system; and
      
      in the second virtual machine, receive second credentials responsive to the second access token, and access the data resource using the second credentials, wherein the second credentials are different than the credentials.
  - 20. The computer apparatus of claim 11, wherein the virtual machine is instantiated from a shared virtual machine image;
    - and with further software instructions configured, when executed by one or more computing systems, to direct the one or more computing systems to;
      
      replicate the virtual machine from the shared virtual machine image to instantiate a second virtual machine from the shared virtual machine image, where the second virtual machine uses a second access token different than the access token when executing a security module of the second virtual machine;
      
      in the second virtual machine, transfer the second access token for delivery to the authorization system; and
      
      in the second virtual machine, receive second credentials responsive to the second access token, and access the data resource using the second credentials, wherein the second credentials are different than the credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Conjur, Inc. (CyberArk Software Ltd.)
Original Assignee
Conjur, Inc. (CyberArk Software Ltd.)
Inventors
Gilpin, Kevin, Lawler, Elizabeth

Granted Patent

US 9,680,821 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/33   using certificates

G06F 21/53   by executing in a restricte...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

RESOURCE ACCESS CONTROL FOR VIRTUAL MACHINES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

RESOURCE ACCESS CONTROL FOR VIRTUAL MACHINES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links