Protection of customer data in cloud virtual machines using a central management server

US 8,826,013 B1
Filed: 09/23/2009
Issued: 09/02/2014
Est. Priority Date: 09/23/2009
Status: Active Grant

First Claim

Patent Images

1. A method to be performed by a computer programmed to protect data in a cloud computer system, the method comprising:

getting virtual machine identity information identifying a virtual machine hosted and running on a computer system providing a cloud computing service;

performing an integrity check on the virtual machine to determine a security posture of the virtual machine;

sending a key request over the Internet from a program module running under an operating system that is operating in the virtual machine to a key management server, the key request being for a key to unlock an encrypted file system in the virtual machine, the key management server being remotely located from the computer system and configured to provide keys to file systems in other computer systems providing cloud computing services;

receiving the key from the key management server when the key management server deems the key request to be valid, the key being received in the virtual machine; and

using the key to unlock the encrypted file system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud computing environment includes a key management server and a cloud computer system running several virtual machines. A virtual machine hosted by the cloud computer system includes an integrity check module for checking the integrity of the virtual machine and getting identity information of the virtual machine. The integrity check module sends a key request to a key management server, which provides key service to different cloud computer systems. The key management server validates the request and, if the request is valid, provides the key to the virtual machine. The key is used to unlock an encrypted file system in the virtual machine.

79 Citations

View as Search Results

20 Claims

1. A method to be performed by a computer programmed to protect data in a cloud computer system, the method comprising:
- getting virtual machine identity information identifying a virtual machine hosted and running on a computer system providing a cloud computing service;
  
  performing an integrity check on the virtual machine to determine a security posture of the virtual machine;
  
  sending a key request over the Internet from a program module running under an operating system that is operating in the virtual machine to a key management server, the key request being for a key to unlock an encrypted file system in the virtual machine, the key management server being remotely located from the computer system and configured to provide keys to file systems in other computer systems providing cloud computing services;
  
  receiving the key from the key management server when the key management server deems the key request to be valid, the key being received in the virtual machine; and
  
  using the key to unlock the encrypted file system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the security posture comprises a version of an antivirus on the virtual machine.
  - 3. The method of claim 1 wherein the security posture comprises a patch status of an operating system of the virtual machine.
  - 4. The method of claim 1 wherein the virtual machine identity information comprises an IP (Internet Protocol) address of the virtual machine.
  - 5. The method of claim 1 wherein using the key to unlock the encrypted file system comprises:
    - unlocking the encrypted file system for use by any application running under the operating system in the virtual machine.
  - 6. The method of claim 1 wherein using the key to unlock the encrypted file system comprises:
    - unlocking the encrypted file system for use only by particular applications running under the operating system in the virtual machine.
  - 7. The method of claim 1 further comprising:
    - receiving from the key management server particulars for mounting a storage segment on the virtual machine; and
      
      using the particulars to mount the storage segment for access in the virtual machine.

8. A system for protecting confidential data in a cloud computing environment, the system comprising:
- a cloud computer system programmed to run an integrity check module in a virtual machine in a plurality of virtual machines, the integrity check module being configured to perform an integrity check on the virtual machine and to request a key for unlocking an encrypted file system in the virtual machine after the virtual machine passes the integrity check, the integrity check module running under an operating system that operates in the virtual machine; and
  
  a key management server programmed to receive the request for the key and to provide the key to the virtual machine when the key management server validates the request for the key, the key management server being configured to receive key requests for unlocking encrypted file systems on different virtual machines hosted by different cloud computer systems.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8 wherein the integrity check module is configured to perform the integrity check by checking a version of an antivirus on the virtual machine.
  - 10. The system of claim 8 wherein the integrity check module is configured to perform the integrity check by checking patch status of an operating system of the virtual machine.
  - 11. The system of claim 8 wherein the key management server validates the request for the key by determining whether or not the virtual machine is hosted on a predetermined computer.
  - 12. The system of claim 8 wherein the key management server validates the request for the key by checking the IP address of the virtual machine.
  - 13. The system of claim 8 wherein the integrity check module is configured to use the key to unlock the encrypted file system for any application running on the virtual machine.
  - 14. The system of claim 8 wherein the integrity check module is configured to use the key to unlock the encrypted file system only for particular, authorized applications running under the operating system running in the virtual machine.

15. A method to be performed by a computer programmed to protect data in a cloud computer system, the method comprising:
- receiving over a computer network a key request from a program module running under an operating system that operates in a virtual machine hosted by a remotely located computer, the key request including identity information identifying the virtual machine and a result of an integrity check performed on the virtual machine;
  
  checking the identity information and the result of the integrity check to validate the request; and
  
  providing the virtual machine access information for accessing data in the virtual machine when the request is valid.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 wherein the access information comprises particulars for mounting a storage segment in the virtual machine.
  - 17. The method of claim 16 wherein the storage segment is mountable on a regular file system of the virtual machine.
  - 18. The method of claim 15 wherein the access information comprises a key for unlocking an encrypted file system in the virtual machine.
  - 19. The method of claim 15 wherein the identity information comprises an IP address of the virtual machine.
  - 20. The method of claim 15 wherein the result of the integrity check indicates whether an antivirus of the virtual machine is current.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Kodukula, Narasimham, Dancer, Andrew John, Chandrasekhar, Bharath Kumar
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ZAIDI, SYED A

Application Number

US12/565,561
Time in Patent Office

1,805 Days
Field of Search

713/165
US Class Current

713/165
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6209   to a single file or object,...

G06F 21/64   Protecting data integrity, ...

Protection of customer data in cloud virtual machines using a central management server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

79 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protection of customer data in cloud virtual machines using a central management server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links