TECHNIQUES FOR SECURE DATA EXTRACTION IN A VIRTUAL OR CLOUD ENVIRONMENT

US 20170180331A1
Filed: 12/05/2016
Published: 06/22/2017
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for secure data extraction in a virtual or cloud environment are presented. Desired data from a Virtual Machine (VM) or an entire VM is extracted and encrypted with a key. This key is sealed to a machine or a group of machines. The encrypted data is then migrated and successfully used on startup for instances of the VM by having the ability to access the sealed key (and unsealing it) to decrypt the encrypted data.

11 Citations

40 Claims

1-20. -20. (canceled)

21. A method, comprising:
- securely maintaining a delta between a running instance of a virtual environment on a first machine and a base image for the virtual environment;
  
  transferring the base image to a second machine;
  
  separately providing the delta to the second machine; and
  
  applying the delta to the base image on the second machine and initiating the base image with the integrated delta as a second running instance of the virtual environment on the second machine.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The method of claim 21, wherein securely maintaining further includes sealing a key for accessing the delta based on identifiers for the first machine and the second machine.
  - 23. The method of claim 21, wherein securely maintaining further includes maintaining the delta and the base image on a third machine.
  - 24. The method of claim 21, wherein securely maintaining further includes obtaining the delta as a confidential file accessible from the running instance.
  - 25. The method of claim 21, wherein securely maintaining further includes obtaining the delta as a change in a state while the running instance processes on the first machine.
  - 26. The method of claim 21, wherein securely maintaining further includes obtaining the delta as selective data custom defined for the base image.
  - 27. The method of claim 21, wherein separately providing further includes providing the delta in response to a request made from the second machine for the delta after the second machine receives the base image.
  - 28. The method of claim 21, wherein providing further includes providing the delta to the second machine in an encrypted format that is specific to the second machine and that can only be decrypted for use by the second machine.

29. A method, comprising:
- establishing secure keys between a group of machines;
  
  identifying delta data in a base image of a virtual environment, wherein the delta data is maintained separately from the base image in an encrypted format using the secure keys;
  
  transferring the base image to a first machine of the group of machines;
  
  providing the delta data in the encrypted format to the first machine; and
  
  initiating, by the first machine, a first running instance of the virtual environment by decrypting the delta data in the encrypted format with one of the keys available from the first machine, integrating the decrypted delta data into the base image, and initiating the first running instance.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37)
- - 30. The method of claim 29 further comprising:
    - receiving changes made to the delta data in the encrypted format from the first running instance during processing of the first running instance on the first machine.
  - 31. The method of claim 30 further comprising:
    - transferring the base image to a second machine of the group of machines;
      
      providing the changed delta data in the encrypted format to the second machine; and
      
      initiating, by the second machine, a second running instance of the virtual environment by decrypting the changed delta data in the encrypted format with another one of the keys available from the second machine, integrating the decrypted changed delta into the base image, and initiating the second running instance.
  - 32. The method of claim 29 further comprising:
    - receiving changes made to the delta data in the encrypted format from a second machine of the group of machines.
  - 33. The method of claim 32 further comprising:
    - providing the changed delta data in the encrypted format to the first machine; and
      
      decrypting, by the first machine, the changed delta data in the encrypted format using the one key available from the first machine; and
      
      updating, by the first machine, the first running instance of the virtual environment with the decrypted changed delta data.
  - 34. The method of claim 29, wherein identifying further includes maintaining the delta data as executable instructions.
  - 35. The method of claim 29, wherein identifying further includes maintaining the delta data as file data.
  - 36. The method of claim 29, wherein identifying further includes maintaining the delta data based on evaluation of a policy that selectively defines the delta data within the base image.
  - 37. The method of claim 29, wherein identifying further includes maintaining the delta data as state changes made to selective data included within the base image during processing of the first running instance on the first machine.

38. A system, comprising:
- a first machine;
  
  a delta data manager configured to;
  
  i) execute on one or more processors of the first machine, ii) extract selective data from a base image of a virtual environment, iii) maintain the selective data separately from the base image in an encrypted format for which access requires keys and each key specific to a particular machine defined in a group of machines, and iv) provide the base image separate from the selective data to machines in the group of machines, wherein each machine in the group of machines;
  
  decrypts the selective data using that machine'"'"'s specific key from the keys, integrates the decrypted selective data into the base image, and initiates a running instance of the virtual environment.
- View Dependent Claims (39, 40)
- - 39. The system of claim 38, wherein the selective data is defined by a policy.
  - 40. The system of claim 38, wherein the selective data is one of:
    - executable code and one or more data files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetIQ Corporation (Open Text Corporation)
Original Assignee
NetIQ Corporation (Open Text Corporation)
Inventors
Burch, Lloyd Leon, Angelo, Michael F.

Granted Patent

US 10,454,902 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 21/57   Certifying or maintaining t...

G06F 21/602   Providing cryptographic fac...

G06F 2221/2107   File encryption

G06F 9/45558   Hypervisor-specific managem...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 9/08   Key distribution or managem...

H04L 9/3234   involving additional secure...

TECHNIQUES FOR SECURE DATA EXTRACTION IN A VIRTUAL OR CLOUD ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR SECURE DATA EXTRACTION IN A VIRTUAL OR CLOUD ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links