Methods and systems for securely managing virtualization platform
First Claim
1. A system, comprising:
- a plurality of virtualization platforms, and one or more administration clients for said plurality of virtualization platforms, each of the plurality of virtualization platforms and the one or more administration clients being communicatively coupled to one another via a control layer logically disposed therebetween, said control layer configured to transparently control execution of virtualization administration commands from the one or more administration clients to said plurality of virtualization platforms, but only after successful authentication of system administrators issuing said virtualization administration commands and privileges of those system administrators, as defined by access control information accessible to said control layer, wherein each of the one or more administration clients is a client through which virtualization administration commands are issued to the plurality of virtualization platforms, the virtualization platforms comprise computer-based resources configured to abstract resources of a computer system or network from one or more operating systems and/or applications executing thereon or therein, and the control layer is configured to inspect and log each attempted access, including failed attempts, to perform administration operations by the one or more administration clients to determine whether or not an asserted administration command or operation is one that is valid and authorized for a respective one of the system administrators issuing the asserted command.
Abstract
Virtualization platforms and management clients therefor are communicatively coupled to one another via a control layer logically disposed therebetween. The control layer is configured to proxy virtualization management commands from the management clients to the virtualization platforms, but only after successful authentication of users (which may include automated agents and processes) issuing those commands and privileges of those users as defined by access control information accessible to the control layer. The control layer may be instantiated as an application running on a physical appliance logically interposed between the virtualization platforms and management clients, or a software package running on dedicated hardware logically interposed between the virtualization platforms and management clients, or as an application encapsulated in a virtual machine running on a compatible virtualization platform logically interposed between the virtualization platforms and management clients.
31 Claims
18. A method of securely managing one or more virtualization platforms, comprising at a control layer disposed between the one or more virtualization platforms and one or more administration clients for said one or more virtualization platforms, said virtualization platforms comprising computer-based resources configured to abstract resources of a computer system or network from one or more operating systems and/or applications executing thereon or therein and said control layer configured to transparently control execution of virtualization administration commands from the one or more administration clients to said one or more virtualization platforms, authenticating system administrators issuing said virtualization administration commands and privileges of those system administrators as defined by access control information accessible to said control layer before permitting administration access to said one or more virtualization platforms, and inspecting and logging each attempted access, including failed attempts, to perform administration operations by the one or more administration clients to determine whether or not an asserted administration command is one that is valid and authorized for a respective one of the system administrators issuing the asserted command,
wherein each of the one or more administration clients is a client through which virtualization administration commands are issued to the one or more virtualization platforms.
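The control layer the abstract and claims describe does four things in order: authenticate the administrator, check the requested command against the privileges recorded in the access control information, inspect and log every attempt (including the ones that fail), and only then forward the command to the virtualization platform. The following Python sketch is an added example written for this page; it is not code from the patent or from any product. The administrator names, platform names, the command vocabulary and the PBKDF2-based credential store are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample: the administration commands the control layer recognises.
VALID_COMMANDS = {"list_vms", "start_vm", "stop_vm", "delete_vm", "snapshot_vm"}


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 hash used by the constructed credential store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Admin:
    salt: bytes
    pw_hash: bytes
    # Access control information: platform name -> commands this admin may issue.
    privileges: dict


@dataclass
class Platform:
    """Stand-in for a virtualization platform; records what it actually received."""
    name: str
    executed: list = field(default_factory=list)

    def run(self, admin: str, command: str) -> str:
        self.executed.append((admin, command))
        return f"{self.name}: {command} ok"


@dataclass
class AuditRecord:
    admin: str
    platform: str
    command: str
    outcome: str  # auth_failed | unknown_platform | invalid_command | not_authorized | forwarded


class ControlLayer:
    """Sits between administration clients and platforms; nothing reaches a
    platform except through execute(), and every attempt is logged."""

    def __init__(self, admins: dict, platforms: list):
        self.admins = admins
        self.platforms = {p.name: p for p in platforms}
        self.audit_log: list = []

    def _authenticate(self, username: str, password: str) -> bool:
        admin = self.admins.get(username)
        if admin is None:
            # Hash anyway so unknown and known usernames take similar time.
            hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(hash_password(password, admin.salt), admin.pw_hash)

    def execute(self, username: str, password: str, platform: str, command: str):
        def record(outcome, result=None):
            # Every attempt, successful or not, produces an audit record.
            self.audit_log.append(AuditRecord(username, platform, command, outcome))
            return outcome, result

        if not self._authenticate(username, password):
            return record("auth_failed")
        if platform not in self.platforms:
            return record("unknown_platform")
        if command not in VALID_COMMANDS:
            return record("invalid_command")
        if command not in self.admins[username].privileges.get(platform, set()):
            return record("not_authorized")
        # Only a valid, authorized command from an authenticated admin is forwarded.
        return record("forwarded", self.platforms[platform].run(username, command))


def build_demo() -> ControlLayer:
    """Constructed credential store and ACL for two admins and two platforms."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    admins = {
        "alice": Admin(salt_a, hash_password("correct horse", salt_a),
                       {"esx-01": {"list_vms", "start_vm", "stop_vm"}}),
        "bob": Admin(salt_b, hash_password("battery staple", salt_b),
                     {"esx-01": {"list_vms"}, "esx-02": set(VALID_COMMANDS)}),
    }
    return ControlLayer(admins, [Platform("esx-01"), Platform("esx-02")])


def run_scenario():
    """Drive the control layer through good, failed and unauthorized attempts."""
    cl = build_demo()
    outcomes = [
        cl.execute("alice", "correct horse", "esx-01", "start_vm")[0],
        cl.execute("alice", "wrong password", "esx-01", "start_vm")[0],
        cl.execute("alice", "correct horse", "esx-01", "delete_vm")[0],
        cl.execute("alice", "correct horse", "esx-01", "format_disk")[0],
        cl.execute("mallory", "x", "esx-02", "list_vms")[0],
        cl.execute("bob", "battery staple", "esx-02", "delete_vm")[0],
    ]
    return cl, outcomes
```

The point worth noticing is in `execute`: the audit record is written on every path, so a failed login, an unknown command and a privilege miss all leave the same kind of trace as a forwarded command, and a platform's `executed` list only ever contains entries the control layer let through.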