Model based systems management in virtualized and non-virtualized environments

US 8,726,334 B2
Filed: 12/09/2009
Issued: 05/13/2014
Est. Priority Date: 12/09/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented systems management system, comprising:

a security component configured to access security policies included in security models, wherein the security models define security requirements for one or more computers that comprise logical services and provide, at least, mappings for the logical services according to a classification of workloads to provide a secured virtualized environment;

a management component configured to associate functional models to the security models to assign the one or more security models to an appropriate function of a service of the logical services and to submit calls to the security component to obtain the security policies, and apply the security policies from one or more of the security models to the service over a lifecycle of the service; and

a microprocessor configured to execute computer-executable instructions associated with at least one of the security component or the management component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architecture that provides model-based systems management in virtualized and non-virtualized environments. A security component provides security models which define security requirements for services. A management component applies one or more of the security models during the lifecycle of virtual machines and services. The lifecycle can include initial deployment, expansion, moving servers, monitoring, and reporting. The architecture creates a formal description model of how a virtual machine or a service (composition of multiple virtual machines) is secured. The security requirements information can also be fed back to the general management system which uses this information in its own activities such as to guide the placement of workloads on servers can be security related.

Citations

22 Claims

1. A computer-implemented systems management system, comprising:
- a security component configured to access security policies included in security models, wherein the security models define security requirements for one or more computers that comprise logical services and provide, at least, mappings for the logical services according to a classification of workloads to provide a secured virtualized environment;
  
  a management component configured to associate functional models to the security models to assign the one or more security models to an appropriate function of a service of the logical services and to submit calls to the security component to obtain the security policies, and apply the security policies from one or more of the security models to the service over a lifecycle of the service; and
  
  a microprocessor configured to execute computer-executable instructions associated with at least one of the security component or the management component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the services are associated with one or more virtual machines to which policies of the security models are applied to provide a secure virtualized environment.
  - 3. The system of claim 1, wherein the services are mapped to physical machines according to classification of workloads.
  - 4. The system of claim 1, wherein the management component associates functional models to the security models to assign the one or more of the security models to an appropriate function of the service.
  - 5. The system of claim 1, further comprising at least one of:
    - an authoring component configured to author the security models;
      
      an auditing component configured to validate and detect discrepancies between a deployed service and the applied one or more security models;
      
      ormonitoring and reporting components configured to maintain compliance with security practices.
  - 6. The system of claim 1, wherein a security model includes firewall settings that secure communications between virtual machines.
  - 7. The system of claim 1, wherein a security model includes intrusion detection and/or intrusion prevention configuration properties specific to a virtual machine.
  - 8. The system of claim 1, wherein the management component is configured to apply the one or more security models to facilitate deployment of the service, add or remove servers to/from the service, perform configuration update of the service, start/stop of the service, and relocation of the service across physical hosts or networks.
  - 9. The system of claim 1, wherein the one or more of the security models include mapping of the service to physical machines, host configuration lockdown for the service, and configuration of firewall, intrusion detection, and intrusion prevention to secure the service.

10. A computer-implemented systems management system, comprising:
- a security component configured to access security policies included in security models, wherein the security models define security requirements for services and provide, at least, mappings for the services according to a classification of workloads to provide a secured virtualized environment;
  
  a management component configured to associate functional models to the security models to assign the one or more security models to an appropriate function of a service of the logical services and to submit calls to the security component to obtain the security policies, and apply the security policies from one or more of the security models to a service over a lifecycle of the service; and
  
  a microprocessor configured to execute computer-executable instructions associated with at least one of the security component or the management component.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein the services include virtual machines to which the security models are applied, the virtual machines mapped to physical machines according to classification of workloads.
  - 12. The system of claim 10, further comprising at least one of:
    - an authoring component for authoring the security models;
      
      an auditing component that validates and detects discrepancies between a deployed system and the security model;
      
      ora reporting component for producing reports of compliance to the one or more of the security models applied.
  - 13. The system of claim 10, wherein the one or more of the security models include mapping of the servers the service is comprised of physical machines, networks to which virtual machines are connected, host configuration lockdown for the service and configuration of firewall, intrusion detection, and intrusion prevention subsystems to secure the service.
  - 14. The system of claim 10, wherein the management component provides secure deployment of newly-added services according to a security model, and configuration of a network environment according to the security model.

15. A computer-implemented systems management method, performed by a computer system executing machine-readable instructions, the method comprising acts of:
- accessing security policies included in security models, wherein the security models define security requirements for services and provides, at least, mappings for the services according to a classification of workloads to provide a secured virtualized environment;
  
  receiving calls from a management system component for managing services in the virtualized environment according to functional service models;
  
  associating the functional service models to the security models including security policies with the functional service models to assign the one or more security models to an appropriate function of a service of the logical services;
  
  applying the security policies from the security models to the services through a lifecycle of the services to secure the computing environment; and
  
  configuring a network environment according to one of the security models.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The method of claim 15, further comprising:
    - mapping the services to virtual machines; and
      
      mapping the virtual machine to physical machines according to classification of machine workloads.
  - 17. The method of claim 15, further comprising monitoring and reporting compliance of the management system component to security practices.
  - 18. The method of claim 15, further comprising auditing a deployed service to validate and detect a discrepancy between the deployed service and an associated security model.
  - 19. The method of claim 15, further comprising defining the security models to secure network isolation and connectivity, to deploy firewalls for different zones, to configure the firewalls, and configure intrusion detection and prevention systems.
  - 20. The method of claim 15, further comprising managing relocation of a service to a different physical host according to a security model that re-assigns a virtual network to the different physical host.
  - 21. The method of claim 15, further comprising:
    - adding a new virtual machine to a service according to a security model;
      
      deploying the virtual machine to a specific host and network;
      
      locking down the virtual machine; and
      
      configuring firewall, intrusion detection, and intrusion prevention according to the security model.
  - 22. The method of claim 15, further comprising:
    - removing a virtual machine from a service according to a security model; and
      
      configuring firewall, intrusion detection, and intrusion prevention according to the security model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Neystadt, John, Edery, Yigal, Belinky, Yan, Batchelder, Dennis Scott, Yannay, Shimon, Vinberg, Anders B
Primary Examiner(s)
Chai, Longbit

Application Number

US12/633,805
Publication Number

US 20110138441A1
Time in Patent Office

1,616 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 9/5077   Logical partitioning of res...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Model based systems management in virtualized and non-virtualized environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Model based systems management in virtualized and non-virtualized environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links