Security policy enforcement framework for cloud-based information processing systems

US 8,689,282 B1
Filed: 12/23/2011
Issued: 04/01/2014
Est. Priority Date: 12/23/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying at least one security policy associated with a given tenant of a cloud service provider;

analyzing the security policy against configuration information characterizing cloud infrastructure of the cloud service provider, the cloud infrastructure comprising physical infrastructure and associated virtualization infrastructure running on the physical infrastructure; and

controlling execution of one or more applications of the given tenant within the cloud infrastructure of the cloud service provider in accordance with the security policy based at least in part on one or more results of the analyzing step;

wherein the identifying, analyzing and controlling steps are implemented in a security policy enforcement framework of a processing platform of the cloud infrastructure; and

wherein the security policy associated with the given tenant comprises one or more tenant-specified rules related to isolation of the given tenant with respect to one or more other tenants of the cloud service provider.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cloud infrastructure of a cloud service provider comprises a processing platform implementing a security policy enforcement framework. The security policy enforcement framework comprises a policy analyzer that is configured to identify at least one security policy associated with at least one tenant of the cloud service provider, to analyze the security policy against configuration information characterizing the cloud infrastructure of the cloud service provider, and to control execution of one or more applications of said at least one tenant within the cloud infrastructure in accordance with the security policy, based at least in part on one or more results of the analysis of the security policy. The security policy enforcement framework may be implemented in a platform-as-a-service (PaaS) layer of the cloud infrastructure, and may comprise a runtime controller, an operating system controller, a hypervisor controller and a PaaS controller.

Citations

22 Claims

1. A method comprising:
- identifying at least one security policy associated with a given tenant of a cloud service provider;
  
  analyzing the security policy against configuration information characterizing cloud infrastructure of the cloud service provider, the cloud infrastructure comprising physical infrastructure and associated virtualization infrastructure running on the physical infrastructure; and
  
  controlling execution of one or more applications of the given tenant within the cloud infrastructure of the cloud service provider in accordance with the security policy based at least in part on one or more results of the analyzing step;
  
  wherein the identifying, analyzing and controlling steps are implemented in a security policy enforcement framework of a processing platform of the cloud infrastructure; and
  
  wherein the security policy associated with the given tenant comprises one or more tenant-specified rules related to isolation of the given tenant with respect to one or more other tenants of the cloud service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 21, 22)
- - 2. The method of claim 1 wherein said at least one security policy incorporates at least one of tenant requirement information and service provider enforcement information.
  - 3. The method of claim 1 wherein the analyzing step is implemented in a policy analyzer of the security policy enforcement framework and further comprises determining if the security policy is enforceable based on the configuration information characterizing the cloud infrastructure, and if the security policy is enforceable determining control information to be provided by the policy analyzer to one or more controllers of the security policy enforcement framework to carry out the security policy.
  - 4. The method of claim 3 wherein said one or more controllers comprise at least a runtime controller configured to interface with runtime environments of said one or more applications.
  - 5. The method of claim 4 wherein the runtime environments comprise a virtual machine runtime environment and at least one other runtime environment.
  - 6. The method of claim 3 wherein said one or more controllers comprise at least an operating system controller associated with an operating system utilized by runtime environments of said one or more applications.
  - 7. The method of claim 3 wherein said one or more controllers comprise at least a hypervisor controller configured to interface with a hypervisor that implements a virtual machine utilized by said one or more applications.
  - 8. The method of claim 3 wherein said security policy enforcement framework is implemented in a platform-as-a-service (PaaS) layer of the cloud infrastructure and said one or more controllers comprise at least a PaaS controller configured to interface with a PaaS fabric of the PaaS layer.
  - 9. The method of claim 3 further comprising the step of providing a report from the policy analyzer to the given tenant regarding enforcement of said at least one security policy, wherein the report is provided under the control of a management component of the security policy enforcement framework.
  - 10. The method of claim 3 further comprising the step of determining the configuration information in the policy analyzer based on information received from said one or more controllers.
  - 11. The method of claim 1 wherein the security policy specifies that applications associated with the given tenant are restricted from reading files associated with other tenants.
  - 12. The method of claim 1 wherein the security policy specifies that applications associated with the given tenant only communicate with applications that belong to the given tenant.
  - 13. The method of claim 1 wherein the security policy specifies that an application associated with the given tenant only be scheduled on a physical machine on which no other instances of the same application are running.
  - 14. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by the processing platform cause the processing platform to perform the steps of the method of claim 1.
  - 21. The method of claim 1 wherein the configuration information comprises information characterizing at least one of an application layer, a platform-as-a-service (PaaS) layer and an infrastructure-as-a-service (IaaS) layer of the virtualization infrastructure.
  - 22. The method of claim 4 wherein the runtime environments comprise a first runtime environment utilizing a first programming language and at least a second runtime environment utilizing a second programming language different than the first programming language.

15. An apparatus comprising:
- a processing platform comprising at least one processing device having a processor coupled to a memory, said processing platform implementing a security policy enforcement framework for cloud infrastructure of a cloud service provider;
  
  wherein the security policy enforcement framework comprises a policy analyzer configured to identify at least one security policy associated with a given tenant of the cloud service provider, to analyze the security policy against configuration information characterizing cloud infrastructure of the cloud service provider, and to control execution of one or more applications of the given tenant within the cloud infrastructure of the cloud service provider in accordance with the security policy based at least in part on one or more results of the analysis of the security policy;
  
  wherein the cloud infrastructure comprises physical infrastructure and associated virtualization infrastructure running on the physical infrastructure; and
  
  wherein the security policy associated with the given tenant comprises one or more tenant-specified rules related to isolation of the given tenant with respect to one or more other tenants of the cloud service provider.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15 wherein the policy analyzer is configured to determine if the security policy is enforceable based on the configuration information characterizing the cloud infrastructure, and if the security policy is enforceable, to determine control information to be provided by the policy analyzer to one or more controllers of the security policy enforcement framework to carry out the security policy.
  - 17. The apparatus of claim 16 wherein said one or more controllers comprise one or more of:
    - a runtime controller configured to interface with runtime environments of said one or more applications;
      
      an operating system controller associated with an operating system utilized by the runtime environments of said one or more applications; and
      
      a hypervisor controller configured to interface with a hypervisor that implements a virtual machine utilized by said one or more applications.
  - 18. The apparatus of claim 16 wherein said security policy enforcement framework is implemented in a platform-as-a-service (PaaS) layer of the cloud infrastructure and said one or more controllers comprise at least a PaaS controller configured to interface with a PaaS fabric of the PaaS layer.
  - 19. The apparatus of claim 16 wherein the policy analyzer is configured to determine the configuration information based on information received from said one or more controllers.
  - 20. A cloud-based information processing system comprising the apparatus of claim 15.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.), University of North Carolina At Chapel Hill (University of North Carolina System)
Original Assignee
EMC Corporation (Dell Technologies Inc.), University of North Carolina At Chapel Hill (University of North Carolina System)
Inventors
Oprea, Alina M., Juels, Ari, Zhang, Yinqian, Ganti, Vijay, Field, John P., Reiter, Michael Kendrick
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US13/336,692
Time in Patent Office

830 Days
Field of Search

726/1, 726/30
US Class Current

726/1
CPC Class Codes

H04L 63/20 for managing network securi...

Security policy enforcement framework for cloud-based information processing systems

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Security policy enforcement framework for cloud-based information processing systems

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links