Methods and systems for securely managing virtualization platform

US 8,065,714 B2
Filed: 09/12/2008
Issued: 11/22/2011
Est. Priority Date: 09/12/2008
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a plurality of virtualization platforms, andone or more administration clients for said plurality of virtualization platforms,each of the plurality of virtualization platforms and the one or more administration clients being communicatively coupled to one another via a control layer logically disposed therebetween, said control layer configured to transparently control execution of virtualization administration commands from the one or more administration clients to said plurality of virtualization platforms, but only after successful authentication of system administrators issuing said virtualization administration commands and privileges of those system administrators, as defined by access control information accessible to said control layer,wherein each of the one or more administration clients is a client through which virtualization administration commands are issued to the plurality of virtualization platforms,the virtualization platforms comprise computer-based resources configured to abstract resources of a computer system or network from one or more operating systems and/or applications executing thereon or therein, andthe control layer is configured to inspect and log each attempted access, including failed attempts, to perform administration operations by the one or more administration clients to determine whether or not an asserted administration command or operation is one that is valid and authorized for a respective one of the system administrators issuing the asserted command.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Virtualization platforms and management clients therefor are communicatively coupled to one another via a control layer logically disposed therebetween. The control layer is configured to proxy virtualization management commands from the management clients to the virtualization platforms, but only after successful authentication of users (which may include automated agents and processes) issuing those commands and privileges of those users as defined by access control information accessible to the control layer. The control layer may be instantiated as an application running on a physical appliance logically interposed between the virtualization platforms and management clients, or a software package running on dedicated hardware logically interposed between the virtualization platforms and management clients, or as an application encapsulated in a virtual machine running on a compatible virtualization platform logically interposed between the virtualization platforms and management clients.

Citations

31 Claims

1. A system, comprising:
- a plurality of virtualization platforms, andone or more administration clients for said plurality of virtualization platforms,each of the plurality of virtualization platforms and the one or more administration clients being communicatively coupled to one another via a control layer logically disposed therebetween, said control layer configured to transparently control execution of virtualization administration commands from the one or more administration clients to said plurality of virtualization platforms, but only after successful authentication of system administrators issuing said virtualization administration commands and privileges of those system administrators, as defined by access control information accessible to said control layer,wherein each of the one or more administration clients is a client through which virtualization administration commands are issued to the plurality of virtualization platforms,the virtualization platforms comprise computer-based resources configured to abstract resources of a computer system or network from one or more operating systems and/or applications executing thereon or therein, andthe control layer is configured to inspect and log each attempted access, including failed attempts, to perform administration operations by the one or more administration clients to determine whether or not an asserted administration command or operation is one that is valid and authorized for a respective one of the system administrators issuing the asserted command.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein one or more of the system administrators comprise automated processes or agents.
  - 3. The system of claim 1, wherein the control layer is instantiated as software application running on a physical appliance logically disposed between the plurality of virtualization platforms and the one or more administration clients.
  - 4. The system of claim 1, wherein the control layer is instantiated as a software application, packaged to run on dedicated hardware logically disposed between the plurality of virtualization platforms and the one or more administration clients.
  - 5. The system of claim 1, wherein the control layer is instantiated as a software application, encapsulated as a virtual machine to run on a compatible virtualization platform.
  - 6. The system of claim 1, wherein the control layer operates at an application layer to scrutinize administration access and operation attempts made via the one or more administration clients.
  - 7. The system of claim 1, wherein the control layer is further configured to drop the asserted command if it is either invalid, unauthorized, or both.
  - 8. The system of claim 7, wherein the control layer is further configured to notify a designated contact of a failed attempt to access one or more of the plurality of virtualization platforms.
  - 9. The system of claim 1, wherein authentication mechanisms for the system administrators comprise some or all of:
    - user name/passwords, two-factor authentications, authentications involving digital certificates, authentications involving presentment of a biometric indicator, and a hardware trusted platform module.
  - 10. The system of claim 1, wherein the access control information comprises restrictions based on some or all of:
    - time of day, target virtualization platform, target virtualized resource, attempted management operation or command, and location of administration client.
  - 11. The system of claim 1, wherein upon successful authentication of a subject one of the system administrators, the control layer is configured to enable one or more log-in sessions with one or more of the plurality of virtualization platforms on behalf of the subject system administrator.
  - 12. The system of claim 11, wherein the control layer is further configured to log-in the subject system administrator with the one or more of the plurality of virtualization platforms at an appropriate level of each of the one or more plurality of virtualization platforms.
  - 13. The system of claim 12, wherein the appropriate level comprises a root level.
  - 14. The system of claim 1, wherein the control layer is configured to provide desired platform configurations to one or more of the plurality of virtualization platforms from a single instance of a configuration file or template.
  - 15. The system of claim 1, wherein the control layer is further configured to monitor configuration decisions and activities of the plurality of virtualization platforms.
  - 16. The system of claim 15, wherein, in an event of an alarm condition, the control layer is further configured to alert a designated contact.
  - 17. The system of claim 1, wherein logs of the attempted accesses are stored by an appliance at which the control layer is instantiated prior to being transferred to a remote system.

18. A method of securely managing one or more virtualization platforms, comprising at a control layer disposed between the one or more virtualization platforms and one or more administration clients for said one or more virtualization platforms, said virtualization platforms comprising computer-based resources configured to abstract resources of a computer system or network from one or more operating systems and/or applications executing thereon or therein and said control layer configured to transparently control execution of virtualization administration commands from the one or more administration clients to said one or more virtualization platforms, authenticating system administrators issuing said virtualization administration commands and privileges of those system administrators as defined by access control information accessible to said control layer before permitting administration access to said one or more virtualization platforms, and inspecting and logging each attempted access, including failed attempts, to perform administration operations by the one or more administration clients to determine whether or not an asserted administration command is one that is valid and authorized for a respective one of the system administrators issuing the asserted command,wherein each of the one or more administration clients is a client through which virtualization administration commands are issued to the one or more virtualization platforms.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 19. The method of claim 18, wherein one or more of the system administrators comprise automated processes or agents.
  - 20. The method of claim 18, wherein the control layer operates at an application layer to scrutinize administration access and operation attempts made via the one or more administration clients.
  - 21. The method of claim 18, wherein the control layer drops the asserted command if it is either invalid, unauthorized, or both.
  - 22. The method of claim 21, wherein the control layer notifies a designated contact of a failed attempt to access the one or more virtualization platforms.
  - 23. The method of claim 18, wherein the control layer authenticates the system administrators using one or more of the following authentication mechanisms:
    - user name/passwords, two-factor authentications, authentications involving digital certificates, authentications involving presentment of a biometric indicator, and authentications involving a hardware trusted platform module.
  - 24. The method of claim 18, wherein the access control information comprises restrictions based on some or all of:
    - time of day, target virtualization platform, target virtualized resource, attempted administration operation or command, and location of administration client.
  - 25. The method of claim 18, wherein upon successful authentication of a subject one of the system administrators, the control layer enables one or more log-in sessions with the one or more virtualization platforms on behalf of the subject system administrator.
  - 26. The method of claim 25, wherein the control layer logs-in the subject system administrator with the one or more virtualization platforms at an appropriate level of each of the one or more virtualization platforms.
  - 27. The method of claim 26, wherein the appropriate level comprises a root level.
  - 28. The method of claim 18, wherein the control layer provides desired platform configurations to the one or more virtualization platforms from a single instance of a configuration file or template.
  - 29. The method of claim 21, wherein the control layer monitors configuration decisions and activities of the one or more virtualization platforms.
  - 30. The method of claim 29, wherein, in an event of an alarm condition, the control layer alerts a designated contact.
  - 31. The method of claim 21, further comprising storing logs of the attempted accesses at an appliance at which the control layer is instantiated prior to transferring the logs to a remote system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
HyTrust, Inc. (Entrust Corp.)
Inventors
Strongin, Boris, Belov, Boris, Budko, Renata, Chiu, Eric Ming, Prafullchandra, Hemma
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Paliwal; Yogesh

Application Number

US12/210,084
Publication Number

US 20100071035A1
Time in Patent Office

1,166 Days
Field of Search

726/4, 726/2
US Class Current

726/4
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Methods and systems for securely managing virtualization platform

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for securely managing virtualization platform

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links