Automated security classification and propagation of virtualized and physical virtual machines

US 8,799,985 B2
Filed: 03/19/2010
Issued: 08/05/2014
Est. Priority Date: 12/09/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented systems management system having a physical storage media, comprising:

a management component that accesses one or more security policies selected from a respective plurality of security models and applies the security policies to appropriate functions of a service and associated virtual machines with appropriate functions over a service lifecycle, wherein the plurality of security model are created with the one or more security policies that define security requirements for one or more computers that comprise the service;

a propagation component that obtains and forwards security classifications associated with model characteristics and workload to the management component for inclusion in the security requirements that provide, at least, resource mappings for the service according to a security classification of the workload, for utilization in applying the one or more security policies for security of the one or more computers during the service lifecycle, which includes initial deployment, expansion, moving of servers, monitoring, and reporting; and

a microprocessor that executes computer-executable instructions associated with at least one of the management component or the propagation component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architecture that provides additional data that can be obtained and employed in security models in order to provide security to services over the service lifecycle. The architecture automatically propagates security classifications throughout the lifecycle of the service, which can include initial deployment, expansion, moving servers, monitoring, and reporting, for example, and further include classification propagation from the workload (computer), classification propagation in the model, classification propagation according to the lineage of the storage location (e.g., virtual hard drive), status propagation in the model and classification based on data stored in the machine.

Citations

20 Claims

1. A computer-implemented systems management system having a physical storage media, comprising:
- a management component that accesses one or more security policies selected from a respective plurality of security models and applies the security policies to appropriate functions of a service and associated virtual machines with appropriate functions over a service lifecycle, wherein the plurality of security model are created with the one or more security policies that define security requirements for one or more computers that comprise the service;
  
  a propagation component that obtains and forwards security classifications associated with model characteristics and workload to the management component for inclusion in the security requirements that provide, at least, resource mappings for the service according to a security classification of the workload, for utilization in applying the one or more security policies for security of the one or more computers during the service lifecycle, which includes initial deployment, expansion, moving of servers, monitoring, and reporting; and
  
  a microprocessor that executes computer-executable instructions associated with at least one of the management component or the propagation component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the propagation component obtains workload classification information of previously-tagged classification data of a workload for inclusion in the security requirements applied to the one or more computers.
  - 3. The system of claim 2, further comprising a scanning tool that scans a storage location of the workload for the previously-tagged classification data.
  - 4. The system of claim 3, wherein the storage location is a virtual hard disk of a computer that is a virtual machine.
  - 5. The system of claim 1, wherein the propagation component obtains classification information of an entity of a model and propagates the classification information to another entity of the model as part of the security requirements.
  - 6. The system of claim 1, wherein the propagation component obtains lineage information associated with a computer of the service and propagates classification information to another computer associated with the lineage information, as part of the security requirements.
  - 7. The system of claim 1, wherein the propagation component obtains status information of a service entity and propagates the status information to another entity of the service, as part of applying the security requirements.
  - 8. The system of claim 7, wherein the status information includes compromise information that defines if the one or more computers have been compromised, the compromise information propagated in the security requirements to other computers of the service.

9. A computer-implemented system management method performed by a computer system executing machine-readable instructions, the method, comprising acts of:
- accessing one or more security policies selected from a respective plurality of security models, wherein the plurality of security model are created with the one or more security policies;
  
  defining security requirements from the security policies selected from the plurality of security models to apply to appropriate functions of a service and associated virtual machines provided by one or more computers over a service lifecycle;
  
  obtaining and propagating security classifications associated with model characteristics and workload information of the service for inclusion in the security requirements that provide, at least, resource mappings for the service according to a security classification of the workload;
  
  applying the one or more security policies for security of the one or more computers during the service lifecycle, which includes initial deployment, expansion, moving of servers, monitoring, and reporting; and
  
  configuring a hardware processor to perform the acts of accessing, defining, obtaining, and applying.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, further comprising propagating workload classification information of previously-tagged classification data of a workload for inclusion in the security requirements applied to the one or more computers.
  - 11. The method of claim 9, further comprising obtaining classification data and evaluating the classification data to determine at least one of network assignment, IPSec policy, firewall policy, or auditing level.
  - 12. The method of claim 9, further comprising propagating classification information of an entity of the model to another entity of the model as part of the security requirements.
  - 13. The method of claim 9, further comprising obtaining lineage information associated with a computer of the service and propagating classification information of the computer to another computer associated with the lineage information.
  - 14. The method of claim 9, further comprising tracking a classification source as an indication of source reliability.

15. A computer-implemented system management method, performed by a computer system executing machine-readable instructions, the method comprising acts of:
- accessing one or more security policies selected from a respective plurality of security models, wherein the plurality of security model are created with the one or more security policies;
  
  defining security requirements the security policies selected from the plurality of security models to apply to appropriate functions of a service provided by one or more virtual machines over a service lifecycle;
  
  propagating security classifications associated with model characteristics and workload to the management component for inclusion in the security requirements that provide, at least, resource mappings for the service according to a security classification of the workload;
  
  applying the propagated information for inclusion in the security requirements to secure the service over a lifecycle of the service, which includes initial deployment, expansion, moving servers, monitoring, and reporting; and
  
  configuring a hardware processor to perform at least one of the acts of accessing, defining, propagating, or applying.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising scanning a virtual storage location for classification information associated with stored data and automatically deriving machine classification from the classification information.
  - 17. The method of claim 15, further comprising defining propagation rules for the security model that process based on the model characteristics of the security model.
  - 18. The method of claim 15, further comprising obtaining and propagating lineage information based on lineage metadata that defines a lineage relationship between service entities.
  - 19. The method of claim 15, further comprising obtaining compromise information from a security monitoring system and classifying one or more service entities as compromised based on the compromise information.
  - 20. The method of claim 15, further comprising propagating the model characteristics and workload information in the security requirements in combination with network security settings and computer security settings.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Vinberg, Anders B., Neystadt, John, Tor, Yair, Ananiev, Oleg
Primary Examiner(s)
Chai, Longbit

Application Number

US12/727,267
Publication Number

US 20110138442A1
Time in Patent Office

1,600 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

H04L 63/20 for managing network securi...

Automated security classification and propagation of virtualized and physical virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated security classification and propagation of virtualized and physical virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links