Systems, Methods and Computer Readable Medium To Implement Secured Computational Infrastructure for Cloud and Data Center Environments

US 20170005990A1
Filed: 07/01/2015
Published: 01/05/2017
Est. Priority Date: 07/01/2015
Status: Active Grant

First Claim

Patent Images

1. A method of computer security executed on one or more servers of a cloud or data center provider, comprising:

receiving a network identifier for a plurality of functions from a cloud or data center manager;

requesting a network key for each function from key server(s) or from a local key generator based on one or multiple secrets;

allocating a plurality of isolated network interfaces based on a cloud or data center provider'"'"'s and/or a customer'"'"'s requirements;

requesting a virtual network interface controller allocation per function per virtual machine;

requesting from the key server a network key for each cloud or data center function;

receiving a storage identifier for a plurality of functions from a cloud or data center manager;

requesting a storage key for each function from key server(s) or from a local key generator based on one or multiple secrets;

allocating a plurality of isolated virtual storage disks based on cloud or data center provider and/or customer requirements;

requesting a storage controller allocation per function per virtual machine;

requesting from the key server a storage key(s) for each cloud or data center function; and

encrypting each function with either the network key or the storage key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and non-transitory computer-readable medium are provided to secure data centers and cloud computing. A method receives network identifiers for functions, requests a network key for each function, allocates network interfaces, requests a virtual network interface controller allocation, requests a network key for each cloud function, receives storage identifiers for functions, requests a storage key for each cloud function, allocates virtual storage disks, requests a storage interface controller allocation, requests a storage key for each cloud function. Methods secure migration of a virtual machine from a source to a target server. A server includes multiple cores where each core is dedicated to a compute function and a unique key encrypts data of each compute function. A non-transitory computer-readable medium encodes programs that execute the above methods.

93 Citations

View as Search Results

25 Claims

1. A method of computer security executed on one or more servers of a cloud or data center provider, comprising:
- receiving a network identifier for a plurality of functions from a cloud or data center manager;
  
  requesting a network key for each function from key server(s) or from a local key generator based on one or multiple secrets;
  
  allocating a plurality of isolated network interfaces based on a cloud or data center provider'"'"'s and/or a customer'"'"'s requirements;
  
  requesting a virtual network interface controller allocation per function per virtual machine;
  
  requesting from the key server a network key for each cloud or data center function;
  
  receiving a storage identifier for a plurality of functions from a cloud or data center manager;
  
  requesting a storage key for each function from key server(s) or from a local key generator based on one or multiple secrets;
  
  allocating a plurality of isolated virtual storage disks based on cloud or data center provider and/or customer requirements;
  
  requesting a storage controller allocation per function per virtual machine;
  
  requesting from the key server a storage key(s) for each cloud or data center function; and
  
  encrypting each function with either the network key or the storage key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the network key(s) are obtained from key server(s) and/or from a local key generator based on one or multiple secrets from cloud or data center provider and/or customer.
  - 3. The method of claim 1, wherein the storage key(s) are obtained from key server(s) and/or from a local key generator based on one or multiple secrets from cloud or data center provider and/or customer.
  - 4. The method of claim 1, wherein each network key and each storage key is retrieved from a key management server that resides on premises only accessible to a customer of the cloud or data center provider.
  - 5. The method of claim 1, wherein each network key and each storage key is retrieved from a key management server that resides on one or more servers.
  - 6. The method of claim 1, wherein the network key is retrieved from a key management server that resides on customer premises for customer storage and connectivity.
  - 7. The method of claim 5, wherein the network key is retrieved from a key management server that resides on customer premises for customer storage and connectivity.

8. A computer-implemented method for a secure migration of a virtual machine from a source server to a target server, comprising executing on one or more servers the steps of:
- requesting a public key from the target server;
  
  transmitting the target'"'"'s public key to the source server;
  
  encrypting the virtual machine descriptor with the target'"'"'s public key;
  
  decrypting the virtual machine descriptor using the target'"'"'s private key; and
  
  restoring a virtual machine associated with the virtual machine descriptor on the target server.
- View Dependent Claims (9)
- - 9. The method of claim 8, further comprising where source server is in one data center and the destination server is in another.

10. A non-transitory computer-readable medium for secure migration of a virtual machine from a source server to a target server, comprising instructions stored thereon that when executed on server(s) perform the steps of:
- requesting a public key from the target server;
  
  transmitting the target'"'"'s public key to the source server;
  
  encrypting the virtual machine descriptor with the target'"'"'s public key;
  
  decrypting the virtual machine descriptor using the target'"'"'s private key; and
  
  restoring a virtual machine associated with the virtual machine descriptor on the target server.

11. A computing system, comprising:
- a server including multiple cores dedicated to compute functions, wherein each core is dedicated to a single compute function;
  
  a key management server configured to generate and issue a unique secret key to each core to encrypt the data of each compute function to isolate the data from another compute function; and
  
  a shared memory accessed by one or more of the multiple cores configured to store the data of each function, wherein the security of the encrypted data of each compute function is isolated by a secret key obtained from the key management server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, wherein the multiple cores include a hypervisor dedicated core, a cloud or data center management agent core, an orchestration core, a self service agent core, and a network function virtualization (NFV) core.
  - 13. The system of claim 11, further comprising virtual or physical walls between the multiple cores to isolate the function performed on each core and to prevent a security breach from propagating from one core to another core.
  - 14. The system of claim 13, wherein the physical walls prevent the sharing of cache among any two cores to provide further security.
  - 15. The system of claim 13, wherein the virtual walls are dynamic and prevent the sharing of cache among any two cores to provide further security.
  - 16. The system of claim 11, wherein the key management server is generating the keys is secure on the server or the customer premises.
  - 17. The system of claim 14, further comprising a physically shared data storage subsystem accessed by the multiple cores, wherein the encrypted data is isolated in the data storage subsystem by each secret key.
  - 18. The system of claim 11, further comprising a FPGA that implements one or more of the cores and implements the compute functions during run time.

19. A method of transferring a virtual machine descriptor and associated keys through a key management server from a first physical server to a second physical server, comprising:
- sending a storage key management server (KMS) public key to a first physical server;
  
  sending the storage KMS public key to a second physical server;
  
  encrypting the first physical server key with the KMS public key and sending the encrypted first physical server key to the storage KMS;
  
  encrypting the second physical server key with the KMS public key and sending the encrypted second physical server key to the storage KMS;
  
  sending the first physical server key to a virtual machine (VM) to encrypt the VM descriptor;
  
  encrypting the VM storage key(s) with the first physical server key and sending it to the VM KMS;
  
  sending the encrypted VM storage key(s) to the storage KMS;
  
  decrypting the VM storage key(s) with the first physical server key and encrypting it with the second physical server key;
  
  sending the VM storage key(s) encrypted with the second physical server key to the VM KMS;
  
  sending the VM storage key(s) encrypted with the second physical server key to the second physical server;
  
  sending the second physical server key to the VM at the second physical server to decrypt the VM storage key(s);
  
  transferring the VM descriptor from the first physical server to the second physical server; and
  
  decrypting VM storage key(s) using the second physical server key.

20. A non-transitory computer-readable medium for transferring a virtual machine from a first physical server to a second physical server comprising instructions stored thereon that when executed on server(s) perform the steps of:
- sending a storage key management server (KMS) public key to a first physical server;
  
  sending the storage KMS public key to a second physical server;
  
  encrypting the first physical server key with the KMS public key and sending the encrypted first physical server key to the storage KMS;
  
  encrypting the second physical server key with the KMS public key and sending the encrypted second physical server key to the storage KMS;
  
  sending the first physical server key to a virtual machine (VM) to encrypt the VM descriptor;
  
  encrypting the VM storage key(s) with the first physical server key and sending it to the VM KMS;
  
  sending the encrypted VM storage key(s) to the storage KMS;
  
  decrypting the VM storage key(s) with the first physical server key and encrypting it with the second physical server key;
  
  sending the VM storage key(s) encrypted with the second physical server key to the VM KMS;
  
  sending the VM storage key(s) encrypted with the second physical server key to the second physical server;
  
  sending the second physical server key to the VM at the second physical server to decrypt the VM storage key(s);
  
  transferring the VM descriptor from the first physical server to the second physical server; and
  
  decrypting VM storage key(s) using the second physical server key.

21. A secured server suitable for a cloud or data center, comprised:
- a processor;
  
  a memory coupled to the processor;
  
  wherein the processor is adapted to execute objects of the cloud, wherein each object of the cloud has a unique identity and cloud function cryptography key(s), wherein each cloud function uses a unique key that is generated by a cloud key management system (KMS) or by a customer KMS or by a combination of cloud KMS and customer KMS.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The server of claim 21, wherein the server is tamperproof, wherein each cloud function is signed and the signature is periodically verified for integrity, and the behavior of each cloud function is monitored by deep packet inspection for logical or behavioral changes.
  - 23. The server of claim 21, further comprising a virtual probe giving the customer the ability to monitor the behavior of the processes of the server.
  - 24. The server of claim 23, wherein the virtual probe is implemented in a field-programmable gate array.
  - 25. The server of claim 23, wherein the probe points of the virtual probe are determined by the customers of the cloud and data center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ari Birger
Original Assignee
Ari Birger
Inventors
Dror, Haim, Birger, Ari

Granted Patent

US 9,667,606 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 13/1663   Access to shared memory

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 21/57   Certifying or maintaining t...

G06F 21/6209   to a single file or object,...

G06F 21/74   operating in dual or compar...

G06F 21/78   to assure secure storage of...

G06F 3/0619   in relation to data integri...

G06F 3/0647   Migration mechanisms

G06F 3/067   Distributed or networked st...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0428   wherein the data content is...

H04L 63/045   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

H04L 9/0819   Key transport or distributi...

H04L 9/14   using a plurality of keys o...

H04L 9/30 : Public key, i.e. encryption...

View All

Systems, Methods and Computer Readable Medium To Implement Secured Computational Infrastructure for Cloud and Data Center Environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Systems, Methods and Computer Readable Medium To Implement Secured Computational Infrastructure for Cloud and Data Center Environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others