System and method for multi-layered sensitive data protection in a virtual computing environment

US 8,700,898 B1
Filed: 10/02/2012
Issued: 04/15/2014
Est. Priority Date: 10/02/2012
Status: Active Grant

First Claim

Patent Images

1. A method for providing sensitive data protection in a virtual computing environment, the method executed by a processing device configured to perform a plurality of operations, the method comprising:

activating a guest virtual machine in the virtual computing environment, wherein the guest virtual machine comprises a local sensitive data control agent, wherein the guest virtual machine is associated with a virtual appliance machine that administers sensitive data controls for the virtual computing environment, and wherein the virtual appliance machine comprises a sensitive data control monitor;

generating a certificate that uniquely identifies the guest virtual machine;

identifying, at the sensitive data control monitor, a sensitive data protection policy for the guest virtual machine;

associating, at the sensitive data control monitor, an encryption key with the certificate, wherein the encryption key is generated in accordance with the identified sensitive data protection policy; and

passing the generated encryption key, the sensitive data protection policy, and the certificate from the virtual appliance machine to the guest virtual machine,wherein sensitive data stored by the guest virtual machine is encrypted on a virtual disc of the guest virtual machine using the generated encryption key and the sensitive data protection policy and encryption of the sensitive data is maintained when the guest virtual machine is deactivated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.

65 Citations

View as Search Results

21 Claims

1. A method for providing sensitive data protection in a virtual computing environment, the method executed by a processing device configured to perform a plurality of operations, the method comprising:
- activating a guest virtual machine in the virtual computing environment, wherein the guest virtual machine comprises a local sensitive data control agent, wherein the guest virtual machine is associated with a virtual appliance machine that administers sensitive data controls for the virtual computing environment, and wherein the virtual appliance machine comprises a sensitive data control monitor;
  
  generating a certificate that uniquely identifies the guest virtual machine;
  
  identifying, at the sensitive data control monitor, a sensitive data protection policy for the guest virtual machine;
  
  associating, at the sensitive data control monitor, an encryption key with the certificate, wherein the encryption key is generated in accordance with the identified sensitive data protection policy; and
  
  passing the generated encryption key, the sensitive data protection policy, and the certificate from the virtual appliance machine to the guest virtual machine,wherein sensitive data stored by the guest virtual machine is encrypted on a virtual disc of the guest virtual machine using the generated encryption key and the sensitive data protection policy and encryption of the sensitive data is maintained when the guest virtual machine is deactivated.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - identifying, at the sensitive data control agent, the sensitive data stored by the guest virtual machine; and
      
      creating, by the sensitive data control agent, a sensitive data pool of the virtual disc, wherein the encrypted sensitive data is stored in the sensitive data pool.
  - 3. The method of claim 2, wherein identifying sensitive data stored by the guest virtual machine further comprises receiving parameters for classification of sensitive data from a user of the guest virtual machine.
  - 4. The method of claim 1, further comprising:
    - identifying a data access attempt;
      
      determining whether the data access attempt is directed to the sensitive data;
      
      determining whether the data access attempt complies with the sensitive data protection policy when the data access attempt is directed to the sensitive data;
      
      obtaining the generated encryption key when the data access attempt complies with the sensitive data protection policy; and
      
      decrypting the sensitive data using the generated encryption key.
  - 5. The method of claim 4, wherein obtaining the generated encryption key comprises:
    - transmitting the certificate to the sensitive data control monitor; and
      
      receiving the generated encryption key from the sensitive data control monitor in response to the transmitted certificate, wherein the transmitted certificate is used to locate the generated encryption key.
  - 6. The method of claim 4, wherein obtaining the generated encryption key includes locating the generated encryption key on the guest virtual machine.
  - 7. The method of claim 1, wherein generating the encryption key associated with the certificate includes passing the certificate from the guest virtual machine to the virtual appliance machine prior to generating the encryption key.

8. A system to provide sensitive data protection in a virtual computing environment, the system comprising:
- a processing device configured to;
  
  activate a guest virtual machine in a virtual computing environment, wherein the guest virtual machine comprises a local sensitive data control agent, wherein the guest virtual machine is associated with a virtual appliance machine that administers sensitive data controls for the virtual computing environment, and wherein the virtual appliance machine comprises a sensitive data control monitor,generate a certificate that uniquely identifies the guest virtual machine,identify, at the sensitive data control monitor, a sensitive data protection policy for the guest virtual machine,associate, at the sensitive data control monitor, an encryption key with the certificate, wherein the encryption key is generated in accordance with the identified sensitive data protection policy, andpass the generated encryption key, the sensitive data protection policy, and the certificate from the virtual appliance machine to the guest virtual machine,wherein sensitive data stored by the guest virtual machine is encrypted on a virtual disc of the guest virtual machine using the generated encryption key and the sensitive data protection policy and encryption of the sensitive data is maintained when the guest virtual machine is deactivated.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the processing device is further configured to:
    - identify, at the sensitive data control agent, the sensitive data stored by the guest virtual machine; and
      
      create, by the sensitive data control agent, a sensitive data pool of the virtual disc, wherein the encrypted sensitive data is stored in the sensitive data pool.
  - 10. The system of claim 9, wherein identification of sensitive data stored by the guest virtual machine further comprises reception of parameters for classification of sensitive data from a user of the guest virtual machine.
  - 11. The system of claim 8, wherein the processing device is further configured to:
    - identify a data access attempt,determine whether the data access attempt is directed to the sensitive data,determine whether the data access attempt complies with the sensitive data protection policy when the data access attempt is directed to the sensitive data,obtain the generated encryption key when the data access attempt complies with the sensitive data protection policy, anddecrypt the sensitive data using the generated encryption key.
  - 12. The system of claim 11, wherein the generated encryption key is obtained when the processing device transmits the certificate to the sensitive data control monitor and receives the generated encryption key from the sensitive date control monitor in response to the transmitted certificate, wherein the transmitted certificate is used to locate the generated encryption key.
  - 13. The system of claim 11, wherein the generated encryption key is obtained when the processing device locates the generated encryption key on the guest virtual machine.
  - 14. The system of claim 8, wherein generation of the encryption key associated with the certificate includes the certificate being passed from the guest virtual machine to the virtual appliance machine prior to generation of the encryption key.

15. A computer program product comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising;
  
  computer readable program code configured to activate a guest virtual machine in a virtual computing environment, wherein the guest virtual machine comprises a local sensitive data control agent, wherein the guest virtual machine is associated with a virtual appliance machine that administers sensitive data controls for the virtual computing environment, and wherein the virtual appliance machine comprises a sensitive data control monitor;
  
  computer readable program code configured to generate a certificate that uniquely identifies the guest virtual machine;
  
  computer readable program code configured to identify, at the sensitive data control monitor, a sensitive data protection policy for the guest virtual machine;
  
  computer readable program code configured to associate, at the sensitive data control monitor, an encryption key with the certificate, wherein the encryption key is generated in accordance with the identified sensitive data protection policy; and
  
  computer readable program code configured to pass the generated encryption key, the sensitive data protection policy, and the certificate from the virtual appliance machine to the guest virtual machine,wherein sensitive data stored by the guest virtual machine is encrypted on a virtual disc of the guest virtual machine using the generated encryption key and the sensitive data protection policy and encryption of the sensitive data is maintained when the guest virtual machine is deactivated.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product of claim 15, further comprising:
    - computer readable program code configured to identify, at the sensitive data control agent, the sensitive data stored by the guest virtual machine; and
      
      computer readable program code configured to create, by the sensitive data control agent, a sensitive data pool of the virtual disc, wherein the encrypted sensitive data is stored in the sensitive data pool.
  - 17. The computer program product of claim 16, wherein identification of sensitive data stored by the guest virtual machine further comprises reception of parameters for classification of sensitive data from a user of the guest virtual machine.
  - 18. The computer program product of claim 15, further comprising:
    - computer readable program code configured to identify a data access attempt;
      
      computer readable program code configured to determine whether the data access attempt is directed to the sensitive data;
      
      computer readable program code configured to determine whether the data access attempt complies with the sensitive data protection policy when the data access attempt is directed to the sensitive data;
      
      computer readable program code configured to obtain the generated encryption key when the data access attempt complies with the sensitive data protection policy; and
      
      computer readable program code configured to decrypt the sensitive data using the generated encryption key.
  - 19. The computer program product of claim 18, wherein the generated encryption key is obtained when the certificate is transmitted to the sensitive data control monitor and the generated encryption key is received from the sensitive date control monitor in response to the transmitted certificate;
    - wherein the transmitted certificate is used to locate the generated encryption key.
  - 20. The computer program product of claim 18, wherein the generated encryption key is obtained when the generated encryption key is located on the guest virtual machine.
  - 21. The computer program product of claim 15, wherein generation of the encryption key associated with the certificate includes the certificate being passed from the guest virtual machine to the virtual appliance machine prior to generation of the encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Korthny, Alex, Barak, Nir, Jerbi, Amir
Primary Examiner(s)
Zecher, Cordelia
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US13/633,454
Publication Number

US 20140095868A1
Time in Patent Office

560 Days
Field of Search

None
US Class Current

713/165
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/6218   to a system of files or obj...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2115   Third party

G06F 9/45545   Guest-host, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

System and method for multi-layered sensitive data protection in a virtual computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

65 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

System and method for multi-layered sensitive data protection in a virtual computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others