Systems, Methods and Computer Readable Medium To Implement Secured Computational Infrastructure for Cloud and Data Center Environments
Abstract
Systems, methods, and non-transitory computer-readable medium are provided to secure data centers and cloud computing. A method receives network identifiers for functions, requests a network key for each function, allocates network interfaces, requests a virtual network interface controller allocation, requests a network key for each cloud function, receives storage identifiers for functions, requests a storage key for each cloud function, allocates virtual storage disks, requests a storage interface controller allocation, requests a storage key for each cloud function. Methods secure migration of a virtual machine from a source to a target server. A server includes multiple cores where each core is dedicated to a compute function and a unique key encrypts data of each compute function. A non-transitory computer-readable medium encodes programs that execute the above methods.
25 Claims
1. A method of computer security executed on one or more servers of a cloud or data center provider, comprising:
- receiving a network identifier for a plurality of functions from a cloud or data center manager;
- requesting a network key for each function from key server(s) or from a local key generator based on one or multiple secrets;
- allocating a plurality of isolated network interfaces based on a cloud or data center provider's and/or a customer's requirements;
- requesting a virtual network interface controller allocation per function per virtual machine;
- requesting from the key server a network key for each cloud or data center function;
- receiving a storage identifier for a plurality of functions from a cloud or data center manager;
- requesting a storage key for each function from key server(s) or from a local key generator based on one or multiple secrets;
- allocating a plurality of isolated virtual storage disks based on cloud or data center provider and/or customer requirements;
- requesting a storage controller allocation per function per virtual machine;
- requesting from the key server a storage key(s) for each cloud or data center function; and
- encrypting each function with either the network key or the storage key.
8. A computer-implemented method for a secure migration of a virtual machine from a source server to a target server, comprising executing on one or more servers the steps of:
- requesting a public key from the target server;
- transmitting the target's public key to the source server;
- encrypting the virtual machine descriptor with the target's public key;
- decrypting the virtual machine descriptor using the target's private key; and
- restoring a virtual machine associated with the virtual machine descriptor on the target server.
10. A non-transitory computer-readable medium for secure migration of a virtual machine from a source server to a target server, comprising instructions stored thereon that when executed on server(s) perform the steps of:
- requesting a public key from the target server;
- transmitting the target's public key to the source server;
- encrypting the virtual machine descriptor with the target's public key;
- decrypting the virtual machine descriptor using the target's private key; and
- restoring a virtual machine associated with the virtual machine descriptor on the target server.
11. A computing system, comprising:
- a server including multiple cores dedicated to compute functions, wherein each core is dedicated to a single compute function;
- a key management server configured to generate and issue a unique secret key to each core to encrypt the data of each compute function to isolate the data from another compute function; and
- a shared memory accessed by one or more of the multiple cores configured to store the data of each function, wherein the security of the encrypted data of each compute function is isolated by a secret key obtained from the key management server.
19. A method of transferring a virtual machine descriptor and associated keys through a key management server from a first physical server to a second physical server, comprising:
- sending a storage key management server (KMS) public key to a first physical server;
- sending the storage KMS public key to a second physical server;
- encrypting the first physical server key with the KMS public key and sending the encrypted first physical server key to the storage KMS;
- encrypting the second physical server key with the KMS public key and sending the encrypted second physical server key to the storage KMS;
- sending the first physical server key to a virtual machine (VM) to encrypt the VM descriptor;
- encrypting the VM storage key(s) with the first physical server key and sending it to the VM KMS;
- sending the encrypted VM storage key(s) to the storage KMS;
- decrypting the VM storage key(s) with the first physical server key and encrypting it with the second physical server key;
- sending the VM storage key(s) encrypted with the second physical server key to the VM KMS;
- sending the VM storage key(s) encrypted with the second physical server key to the second physical server;
- sending the second physical server key to the VM at the second physical server to decrypt the VM storage key(s);
- transferring the VM descriptor from the first physical server to the second physical server; and
- decrypting VM storage key(s) using the second physical server key.
20. A non-transitory computer-readable medium for transferring a virtual machine from a first physical server to a second physical server comprising instructions stored thereon that when executed on server(s) perform the steps of:
- sending a storage key management server (KMS) public key to a first physical server;
- sending the storage KMS public key to a second physical server;
- encrypting the first physical server key with the KMS public key and sending the encrypted first physical server key to the storage KMS;
- encrypting the second physical server key with the KMS public key and sending the encrypted second physical server key to the storage KMS;
- sending the first physical server key to a virtual machine (VM) to encrypt the VM descriptor;
- encrypting the VM storage key(s) with the first physical server key and sending it to the VM KMS;
- sending the encrypted VM storage key(s) to the storage KMS;
- decrypting the VM storage key(s) with the first physical server key and encrypting it with the second physical server key;
- sending the VM storage key(s) encrypted with the second physical server key to the VM KMS;
- sending the VM storage key(s) encrypted with the second physical server key to the second physical server;
- sending the second physical server key to the VM at the second physical server to decrypt the VM storage key(s);
- transferring the VM descriptor from the first physical server to the second physical server; and
- decrypting VM storage key(s) using the second physical server key.
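Added illustration, not part of the patent text: the key re-wrapping at the centre of claims 19 and 20, where the VM storage key is sealed under the first physical server key, opened and resealed under the second physical server key, then opened on the second server. AES-GCM as the wrapping cipher, the names `Key`, `Wrap`, `Unwrap` and `Rewrap`, and the placement of the re-encryption step at the storage KMS are assumptions; the public-key transport of the server keys to the KMS is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Key builds an AES-GCM AEAD from a physical server key (AES-GCM is an assumption).
func Key(raw []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Wrap seals a VM storage key under a server key; the random nonce is prepended.
func Wrap(k cipher.AEAD, vsk []byte) []byte {
	nonce := make([]byte, k.NonceSize())
	rand.Read(nonce) // documented never to return an error since Go 1.24
	return k.Seal(nonce, nonce, vsk, nil)
}

// Unwrap fails when the blob was sealed under another server key or was altered.
func Unwrap(k cipher.AEAD, blob []byte) ([]byte, error) {
	n := k.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("unwrap: blob shorter than nonce")
	}
	return k.Open(nil, blob[:n], blob[n:], nil)
}

// Rewrap is the re-encryption step (assumed to run at the storage KMS).
func Rewrap(from, to cipher.AEAD, blob []byte) ([]byte, error) {
	vsk, err := Unwrap(from, blob)
	if err != nil {
		return nil, err
	}
	return Wrap(to, vsk), nil
}

func main() {
	k1, _ := Key([]byte("constructed-server-1-key-32bytes")) // constructed sample keys
	k2, _ := Key([]byte("constructed-server-2-key-32bytes"))
	blob, _ := Rewrap(k1, k2, Wrap(k1, []byte("constructed VM storage key")))
	vsk, err := Unwrap(k2, blob)
	fmt.Printf("server 2 recovered %q, err=%v\n", vsk, err)
}
```

Under that placement the storage KMS holds the VM storage key in the clear for the duration of `Rewrap`, so it has to be treated as a fully trusted component.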
21. A secured server suitable for a cloud or data center, comprised:
- a processor;
- a memory coupled to the processor;
- wherein the processor is adapted to execute objects of the cloud, wherein each object of the cloud has a unique identity and cloud function cryptography key(s), wherein each cloud function uses a unique key that is generated by a cloud key management system (KMS) or by a customer KMS or by a combination of cloud KMS and customer KMS.
Specification