Intelligent security control system for virtualized ecosystems

US 8,336,079 B2
Filed: 12/31/2008
Issued: 12/18/2012
Est. Priority Date: 12/31/2008
Status: Active Grant

First Claim

Patent Images

1. A method for maintaining administrative control over logical assets in a virtualized ecosystem, comprising:

in response to an attempt to manipulate a subject logical asset of the virtualized ecosystem, evaluating, by a computer-based control system communicatively coupled to an underlying physical, computer-based environment abstracted by the virtualized ecosystem, control information for the subject logical asset of the virtualized ecosystem and of an entity attempting administrative manipulation of the subject local asset, wherein the control information includes contextual, behavioral and environmental attributes of the subject logical asset;

deriving from the evaluation, contextualized properties of the subject logical asset, wherein deriving the contextualized properties comprises determining whether (i) the entity attempting the administrative manipulation of the logical asset has sufficient rights to perform such manipulation, and (ii) the attempted administrative manipulation of the subject logical asset will result in a permissible communicative coupling with other logical assets of the virtualized ecosystem or permissible interaction between the subject logical asset and the underlying physical, computer-based environment, thereby determining whether the administrative manipulation is permissible; and

enforcing, by the control system and according to the determination, controls for the subject logical asset to permit or deny the attempted administrative manipulation.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Resources of a virtualized ecosystem are intelligently secured by defining and analyzing object handling security control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.

130 Citations

41 Claims

1. A method for maintaining administrative control over logical assets in a virtualized ecosystem, comprising:
- in response to an attempt to manipulate a subject logical asset of the virtualized ecosystem, evaluating, by a computer-based control system communicatively coupled to an underlying physical, computer-based environment abstracted by the virtualized ecosystem, control information for the subject logical asset of the virtualized ecosystem and of an entity attempting administrative manipulation of the subject local asset, wherein the control information includes contextual, behavioral and environmental attributes of the subject logical asset;
  
  deriving from the evaluation, contextualized properties of the subject logical asset, wherein deriving the contextualized properties comprises determining whether (i) the entity attempting the administrative manipulation of the logical asset has sufficient rights to perform such manipulation, and (ii) the attempted administrative manipulation of the subject logical asset will result in a permissible communicative coupling with other logical assets of the virtualized ecosystem or permissible interaction between the subject logical asset and the underlying physical, computer-based environment, thereby determining whether the administrative manipulation is permissible; and
  
  enforcing, by the control system and according to the determination, controls for the subject logical asset to permit or deny the attempted administrative manipulation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the controls are derived from existing controls for like logical assets of the virtualized ecosystem.
  - 3. The method of claim 1, wherein the controls are inherited from like logical assets of the virtualized ecosystem.
  - 4. The method of claim 1, further comprising enforcing learned behaviors for the subject logical asset, said behaviors being learned from systems external to the virtualized ecosystem.
  - 5. The method of claim 4, wherein the systems external to the virtualized ecosystem comprise instances of systems having control systems configured to share information with the computer-based control system for the virtualized ecosystem as part of a virtual community.
  - 6. The method of claim 1, wherein logical and physical assets of the virtualized ecosystem are categorized so that assets with similar properties are grouped together.
  - 7. The method of claim 6, wherein a taxonomy of allowed hierarchical relationships of the groupings defines higher groupings thereof
  - 8. The method of claim 6, wherein various ones of the assets inherit similar ones of the controls according to the groupings.
  - 9. The method of claim 6, wherein the groupings are made according to similarities determined by defined metrics for the assets within the virtualized ecosystem.
  - 10. The method of claim 9, wherein the controls are defined for the groupings within the taxonomy of allowed hierarchical relationships.
  - 11. The method of claim 10, wherein the taxonomy of allowed hierarchical relationships are learned from the virtualized ecosystem.
  - 12. The method of claim 10, wherein the taxonomy of allowed hierarchical relationships are imported from existing systems and subsequently augmented.
  - 13. The method of claim 1, wherein properties of the subject logical asset and the underlying physical, computer-based environment are automatically discovered through available interfaces and management clients for the virtualized ecosystem.
  - 14. The method of claim 1, wherein the controls are literally embedded as control blocks within the subject logical asset, said controls dictating where, when, how and using what resources the subject logical asset can operate within the virtualized ecosystem.
  - 15. The method of claim 1, wherein the controls are logically embedded as control blocks within subject logical asset, said controls dictating where, when, how and using what resources the asset can operate within the virtualized ecosystem.
  - 16. The method of claim 1, wherein logical assets at rest in the virtualized ecosystem are encrypted according to a varying level of protection that depends on an environmental context of the logical assets.
  - 17. The method of claim 1, wherein the controls are enforced after being validated.
  - 18. The method of claim 17, wherein the validation includes verifying digital signatures associated with the controls.
  - 19. The method of claim 17, wherein the enforcement is achieved by evaluating intentions specified in the controls, operations on the subject logical asset being performed and environments in which they are being performed.
  - 20. The method of claim 19, wherein prior to enforcement, the operations and environments are baselined to derive normal behaviors for the controls and subject logical asset.
  - 21. The method of claim 1, wherein the control information comprises security and compliance control information that influences or impacts security of the virtualized ecosystem.

22. A system, comprising one or more computer-based resources hosting a virtualized ecosystem that abstracts physical instantiations of an underlying computer-based environment and a control system communicatively coupled to the one or more computer-based resources hosting the virtualized ecosystem, the control system configured for administratively securing logical assets of the virtualized ecosystem by evaluating attempted manipulations of the logical assets in the context of control information for the subject logical assets and entities attempting administrative manipulation of the subject logical assets, and for determining, for each of the attempted manipulations and subject logical assets within the virtualized ecosystem, whether to permit or deny the attempted manipulation, thereby determining whether the administrative manipulation is permissible, wherein the control information includes, for each subject logical asset, contextual, behavioral and environmental attributes concerning controls for interactions amongst the logical assets and their interactions with the underlying computer-based environment abstracted by the virtualized ecosystem.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 23. The system of claim 22 wherein the logical assets comprise one or more virtual objects executing on one or more virtualization platforms, and the control system is architecturally split so that at least some of said virtualization platforms have associated control system functionality.
  - 24. The system of claim 23 wherein the virtualized ecosystem further includes a storage system used by at least some of the virtual objects, said storage system having its own associated control system functionality.
  - 25. The system of claim 22 wherein at least some of the logical assets comprise virtual objects communicatively coupled to the control system through one or more management clients of a virtualization platform on which the at least some of the virtual objects execute.
  - 26. The system of claim 22, wherein the control system is configured to enforce learned behaviors for the logical assets, said behaviors being learned from systems external to the virtualized ecosystem.
  - 27. The system of claim 26, wherein the systems external to the virtualized ecosystem comprise instances of systems having control systems configured to share information with the control system for the virtualized ecosystem as part of a virtual community.
  - 28. The system of claim 22, wherein logical and physical assets of the virtualized ecosystem are categorized so that assets with similar properties are grouped together.
  - 29. The system of claim 28, wherein a taxonomy of allowed relationships of the groupings defines other groupings thereof
  - 30. The system of claim 28, wherein various ones of the logical and physical assets inherit similar ones of the controls according to the groupings.
  - 31. The system of claim 28, wherein the groupings are made according to similarities determined by defined metrics for the logical and physical assets within the virtualized ecosystem.
  - 32. The system of claim 29, wherein the controls are defined for the groupings within the taxonomy of allowed relationships.
  - 33. The system of claim 29, wherein the taxonomy of allowed relationships are learned from the virtualized ecosystem.
  - 34. The system of claim 29, wherein the taxonomy of allowed relationships are imported from existing systems and subsequently augmented.
  - 35. The system of claim 22, wherein the virtualized ecosystem has one or more interfaces and the control system is configured to automatically discover properties of the logical assets and the underlying physical, computer-based environment through said interfaces.
  - 36. The system of claim 35, wherein the controls are logically embedded as control blocks within the logical assets, said controls dictating where, when, how and using what resources the logical assets can operate within the virtualized ecosystem.
  - 37. The system of claim 35, wherein the controls are literally embedded as control blocks within the logical assets, said controls dictating where, when, how and using what resources the logical assets can operate within the virtualized ecosystem.
  - 38. The system of claim 25, wherein the control system is configured to encrypt logical assets at rest in the virtualized ecosystem according to a varying level of protection that depends on an environmental context of the logical assets.
  - 39. The system of claim 22, wherein the control system is configured to validate the controls before enforcing the controls.
  - 40. The system of claim 39, wherein the control system is configured to validate the controls by verifying digital signatures associated with the controls.
  - 41. The system of claim 39, wherein the control system is configured to enforce the controls by evaluating intentions specified in the controls, operations on the logical assets being performed and environments in which they are being performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
HyTrust, Inc. (Entrust Corp.)
Inventors
Budko, Renata, Prafullchandra, Hemma, Chiu, Eric Ming, Strongin, Boris
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Getachew, Abiy

Application Number

US12/347,315
Publication Number

US 20100169948A1
Time in Patent Office

1,448 Days
Field of Search

726/1, 713/189
US Class Current

726/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/00   Security arrangements for p...

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

G06F 9/45558   Hypervisor-specific managem...

H04L 9/088   Usage controlling of secret...

H04L 9/3247   involving digital signatures

Intelligent security control system for virtualized ecosystems

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

130 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

Intelligent security control system for virtualized ecosystems

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others