Systems and methods for implementing security in a cloud computing environment
4 Assignments
0 Petitions
Abstract
Computer systems and methods are provided in which an agent executive, when initially executed in a virtual machine, obtains an agent API key from a user. This key is communicated to a grid computer system. An agent identity token, generated by a cryptographic token generation protocol when the key is valid, is received from the grid and stored in a secure data store associated with the agent executive. Information that evaluates the integrity of the agent executive is collected using agent self-verification factors. The information, encrypted and signed with a cryptographic signature, is communicated to the grid. Commands are sent from the grid to the agent executive to check the security, compliance, and integrity of the virtual machine processes and data structures. Based on these check results, additional commands are sent by the grid to the agent executive to correct security, compliance or integrity problems and/or to prevent security compromises.
65 Claims
1. A server computer system comprising:
one or more processing units;
a memory, coupled to at least one of the one or more processing units, the memory storing a virtual machine, wherein an agent executive runs within the virtual machine, the agent executive executed by at least one of the one or more processing units, the agent executive comprising instructions for:
(A) obtaining an agent API key from a user or by an automated process when the agent executive is executed a first time;
(B) communicating the API key to a remote grid computer system in a first part of a synchronous process;
(C) receiving, in a second part of the synchronous process and responsive to the first part of the synchronous process, an agent identity token from the remote grid computer system, wherein the remote grid computer system generates the agent identity token through a cryptographic token generation protocol when the API key is deemed valid;
(D) storing the agent identity token in a secure data store associated with the agent executive;
(E) collecting information on the server computer system for an evaluation of integrity of the agent executive using a plurality of agent self-verification factors; and
(F) encrypting the information collected by the collecting (E) thereby creating encrypted information;
(G) signing the encrypted information using the agent identity token thereby creating signed encrypted information; and
(H) communicating the signed encrypted information to the remote grid computer system as part of an asynchronous process in which no network connection between the remote grid computer system and the agent executive is established.
Dependent claims: 2-21.
22. A grid computer system comprising:
one or more processing units;
a memory, coupled to at least one of the one or more processing units, the memory storing a grid node, the grid node executed by at least one of the one or more processing units, the grid node comprising instructions for:
(A) receiving, in a first part of a synchronous process, an API key from an agent executive running on a virtual machine which, in turn, is running on a computer that is remote to the grid computer system;
(B) determining, in a second part of the synchronous process, whether the API key is a valid API key;
(C) generating, in a third part of the synchronous process, a unique agent identity token through a cryptographic token generation protocol when the instructions for determining (B) deem the API key to be valid;
(D) communicating, in a fourth part of the synchronous process and responsive to the first part of the synchronous process, the agent identity token to the virtual machine running on the remote computer;
(E) receiving encrypted information, signed with a cryptographic digital signature, from the virtual machine from an evaluation of the integrity of the agent executive based upon a plurality of agent self-verification factors, wherein the receiving comprises decrypting the information using the agent identity token to form decrypted information and verifying the signature thereby obtaining decrypted, authenticated and integrity-verified information; and
(F) verifying the integrity of the agent executive based on the decrypted, authenticated and integrity-verified information.
Dependent claims: 23-42.
43. A grid computer system comprising:
one or more processing units;
a memory, coupled to at least one of the one or more processing units, the memory storing a grid node, the grid node executed by at least one of the one or more processing units, the grid node comprising instructions for:
(A) receiving an alert from a first agent executive running on a first virtual machine running on a computer that is remote to the grid computer system, the alert (i) indicating that the first agent executive has started running on the first virtual machine and (ii) including a first agent identity token associated with the first agent executive;
(B) determining whether the first agent identity token is valid;
(C) determining whether the first agent identity token is being used by a second agent executive running on a second virtual machine;
(D) generating a second agent identity token through a cryptographic token generation protocol when (i) the first agent identity token is deemed valid by the determining (B) and (ii) the determining (C) determines that the first agent identity token is being used by a second agent executive running on a second virtual machine;
(E) communicating the second agent identity token to the first virtual machine;
(F) receiving encrypted information signed by a digital signature from the first virtual machine from an evaluation of the integrity of the first agent executive based upon a plurality of agent self-verification factors, wherein the receiving comprises decrypting the information using the second agent identity token in order to form decrypted information and validating the signature; and
(G) verifying the integrity of the first agent executive based on the decrypted information when the signature has been validated.
Dependent claims: 44-63.
64. A computer program product for use in conjunction with a computer system, the computer program product comprising a non-transitory computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising a virtual machine running an agent executive, the agent executive comprising the instructions for:
(A) obtaining an agent API key from a user or by an automated process when the agent executive is executed a first time;
(B) communicating the API key over the Internet to a remote grid computer system in a first part of a synchronous process;
(C) receiving, over the Internet in a second part of the synchronous process and responsive to the first part of the synchronous process, an agent identity token from the remote grid computer system, wherein the remote grid computer system generates the agent identity token through a cryptographic token generation protocol when the API key is deemed valid;
(D) storing the agent identity token in a secure data store associated with the agent executive;
(E) collecting information for an evaluation of integrity of the agent executive using a plurality of agent self-verification factors; and
(F) encrypting the information collected by the collecting (E) thereby creating encrypted information;
(G) signing the encrypted information using the agent identity token thereby creating signed encrypted information; and
(H) communicating the signed encrypted information to the remote grid computer system as part of an asynchronous process in which no network connection between the remote grid computer system and the agent executive is established.
65. A computer program product for use in conjunction with a computer system, the computer program product comprising a non-transitory computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising instructions for:
(A) receiving over the Internet, in a first part of a synchronous process, an API key from an agent executive running on a virtual machine which, in turn, is running on a remote computer system;
(B) determining, in a second part of the synchronous process, whether the API key is a valid API key;
(C) generating, in a third part of the synchronous process, an agent identity token through a cryptographic token generation protocol when the instructions for determining (B) deem the API key to be valid;
(D) communicating over the Internet, in a fourth part of the synchronous process and responsive to the first part of the synchronous process, the agent identity token to the virtual machine running on the remote computer system;
(E) receiving over the Internet encrypted information from the virtual machine from an evaluation of the integrity of the agent executive based upon a plurality of agent self-verification factors, wherein the receiving comprises decrypting the information to form decrypted information and verifying a digital signature associated with the information; and
(F) verifying the integrity of the agent executive based on the decrypted information.
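The enrolment, start-up alert and report flow that claims 1, 22 and 43 describe, modelled end to end in Python as an added example (not code from the patent or from any product): the agent enrols with an API key and receives an identity token, a second VM checking in with the same token is issued a fresh one (claim 43), and each integrity report is encrypted and then signed with the token, with the grid rejecting any report whose signature does not verify before it decrypts anything. The HMAC-based keystream, the EXPECTED factor values, the agent ids and the API key are assumptions made for the example; a real deployment would use an authenticated cipher.

```python
import hashlib, hmac, json, secrets

def keystream(token, nonce, n):
    # HMAC-SHA256 in counter mode stands in for a real cipher (assumption; use an AEAD in practice)
    blocks = (hmac.new(token, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def agent_report(agent_id, token, factors):
    # claim 1 (E)-(H), agent side: encrypt the collected factors, then sign with the identity token
    plaintext = json.dumps({"factors": factors}).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(token, nonce, len(plaintext))))
    return agent_id, nonce, ct, hmac.new(token, nonce + ct, hashlib.sha256).digest()

# constructed self-verification factors the grid expects from a healthy agent
EXPECTED = {"agent_sha256": "a1b2c3", "config_sha256": "d4e5f6"}

class Grid:
    def __init__(self, valid_api_keys):
        self.valid_api_keys = set(valid_api_keys)
        self.agents = {}  # agent_id -> {"token": identity token, "vm": VM that last checked in}
    def enroll(self, api_key):  # synchronous exchange, claim 22 (A)-(D)
        if api_key not in self.valid_api_keys:
            return None
        agent_id, token = secrets.token_hex(8), secrets.token_bytes(32)
        self.agents[agent_id] = {"token": token, "vm": None}
        return agent_id, token
    def alert(self, agent_id, token, vm_id):  # start-up alert, claim 43 (A)-(E)
        rec = self.agents.get(agent_id)
        if rec is None or not hmac.compare_digest(rec["token"], token):
            return None
        if rec["vm"] in (None, vm_id):
            rec["vm"] = vm_id
            return agent_id, token
        # the same token is in use on another VM (e.g. a cloned image): issue a fresh identity
        new_id, new_token = secrets.token_hex(8), secrets.token_bytes(32)
        self.agents[new_id] = {"token": new_token, "vm": vm_id}
        return new_id, new_token
    def receive_report(self, agent_id, nonce, ct, sig):  # asynchronous, claim 22 (E)-(F)
        rec = self.agents.get(agent_id)
        if rec is None:
            return None
        token = rec["token"]
        if not hmac.compare_digest(hmac.new(token, nonce + ct, hashlib.sha256).digest(), sig):
            return None  # bad signature: reject before decrypting or acting on the report
        plain = bytes(a ^ b for a, b in zip(ct, keystream(token, nonce, len(ct))))
        return all(v == EXPECTED.get(k) for k, v in json.loads(plain)["factors"].items())
```

receive_report returns True for a report whose factors all match, False for a mismatch, and None when the agent id is unknown or the signature fails.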
Specification