System and method for virtual image security in a cloud environment

US 8,839,447 B2
Filed: 02/27/2012
Issued: 09/16/2014
Est. Priority Date: 02/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method to provide secure access in a virtual computing environment, the method executed by a processor comprising hardware, the processor configured to perform a plurality of operations, the operations comprising:

assigning, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network and wherein assigning a status includes assigning a status indicating that the guest virtual machine is unavailable for use by a user;

receiving, at the virtual access control machine, information from the guest virtual machine representative of an attempted use of the guest virtual machine;

receiving, at the virtual access control machine, a request, by the guest virtual machine, for the status of the guest virtual machine; and

determining, at the virtual access control machine, an action to take based on the status.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and method enabling secure virtual image access in a virtual or cloud computing environment. The systems and methods include assigning a status to indicator to guest virtual machines (virtual images) that provide applications and other services to cloud consumers in the cloud environment. A virtual appliance machine in the cloud environment maintains the status of the guest virtual machines and makes decisions based on the status as to whether to allow access to the guest virtual machines. These decisions are transmitted to local elements on the guest virtual machines, which enforce access control on a local level. In this manner, unauthorized virtual image access is prevented providing increased security and data integrity.

51 Citations

View as Search Results

24 Claims

1. A method to provide secure access in a virtual computing environment, the method executed by a processor comprising hardware, the processor configured to perform a plurality of operations, the operations comprising:
- assigning, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network and wherein assigning a status includes assigning a status indicating that the guest virtual machine is unavailable for use by a user;
  
  receiving, at the virtual access control machine, information from the guest virtual machine representative of an attempted use of the guest virtual machine;
  
  receiving, at the virtual access control machine, a request, by the guest virtual machine, for the status of the guest virtual machine; and
  
  determining, at the virtual access control machine, an action to take based on the status.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein assigning a status includes assigning, after the guest virtual machine is created and ready for use, a status indicating that the guest virtual machine is able to be accessed by an authorized user, and wherein the action includes allowing the attempted use of the guest virtual machine to an authorized user.
  - 3. The method of claim 1, wherein assigning the status indicating that the guest virtual machine is unavailable for use by a user occurs after a deactivation trigger, and wherein the action includes preventing the attempted use of the guest virtual machine.
  - 4. The method of claim 3, further comprising recording an indication of the prevented attempted use of the guest virtual machine.
  - 5. The method of claim 3, wherein the action further comprises sending an alert regarding the unauthorized attempt to start the guest virtual machine.
  - 6. The method of claim 1, wherein assigning a status includes assigning a status indicating that an alert is to be sent upon receipt of any attempted use of the guest virtual machine, and wherein the action includes sending the alert.
  - 7. The method of claim 1, wherein assigning a status includes changing a status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine.
  - 8. The method of claim 1, further comprising providing a report regarding a plurality of guest virtual machines in the virtual machine environment, wherein the report includes information regarding one or more selected from:
    - attempted use of any of the plurality of guest virtual machines, denied use attempts of any of the plurality of guest virtual machines, or any of the plurality of guest virtual machines that have not been used in a predetermined amount of time.

9. A system to provide secure access in a virtual computing environment, the system comprising:
- a processor comprising hardware, the processor configured to;
  
  assign, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network and wherein the processor configured to assign the status is configured to assign a status indicating that the guest virtual machine is unavailable for use by a user,receive, at the virtual access control machine, information from the guest virtual machine representative of an attempted use of the guest virtual machine,receive, at the virtual access control machine, a request, by the guest virtual machine, for the status of the guest virtual machine, anddetermine, at the virtual access control machine, an action to take based on the status.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the processor configured to assign a status is further configured to assign, after the guest virtual machine is created and ready for use, a status indicating that the guest virtual machine is able to be accessed by an authorized user, and wherein the action includes allowance of the attempted use of the guest virtual machine to an authorized user.
  - 11. The system of claim 9, wherein the processor configured to assign a status is further configured to assign the status indicating that the guest virtual machine is unavailable for use by a user occurs, after a deactivation trigger, and wherein the action includes prevention of the attempted use of the guest virtual machine.
  - 12. The system of claim 11, wherein the processor is further configured to record an indication of the prevented attempted use of the guest virtual machine.
  - 13. The system of claim 11, wherein the action further comprises sending of an alert regarding the unauthorized attempt to start the guest virtual machine.
  - 14. The system of claim 9, wherein the processor configured to assign a status is further configured to assign a status indicating that an alert is to be sent upon receipt of any attempted use of the guest virtual machine, and wherein the action includes sending the alert.
  - 15. The system of claim 9, wherein the processor configured to assign a status is further configured to change a status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes prevention of the attempted use of the guest virtual machine.
  - 16. The system of claim 9, wherein the processor is further configured to provide a report regarding a plurality of guest virtual machines in the virtual machine environment, wherein the report includes information regarding one or more selected from:
    - attempted use of any of the plurality of guest virtual machines, denied use attempts of any of the plurality of guest virtual machines, or any of the plurality of guest virtual machines that have not been used in a predetermined amount of time.

17. A non-transitory computer-readable medium including computer-executable instructions thereon, the computer-executable instructions, when executed, causing a processor to:
- assign, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network and wherein the instructions to assign the status includes instructions to assign a status indicating that the guest virtual machine is unavailable for use by a user;
  
  receive, at the virtual access control machine, information from the guest virtual machine representative of an attempted use of the guest virtual machine;
  
  receive, at the virtual access control machine, a request, by the guest virtual machine, for the status of the guest virtual machine; and
  
  determine, at the virtual access control machine, an action to take based on the status.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer-readable medium of claim 17, wherein the instructions to assign a status includes instructions to assign, after the guest virtual machine is created and ready for use, a status indicating that the guest virtual machine is able to be accessed by an authorized user, and wherein the action includes allowance of the attempted use of the guest virtual machine to an authorized user.
  - 19. The computer-readable medium of claim 17, wherein the instructions to assign a status includes instructions to assign the status indicating that the guest virtual machine is unavailable for use by a user occurs after a deactivation trigger, and wherein the action includes preventing the attempted use of the guest virtual machine.
  - 20. The computer-readable medium of claim 19, wherein the instructions further cause the processor to record an indication of the prevented attempted use of the guest virtual machine.
  - 21. The computer-readable medium of claim 19, wherein the action further comprises sending of an alert regarding the unauthorized attempt to start the guest virtual machine.
  - 22. The computer-readable medium of claim 17, wherein the instructions to assign a status includes instructions to assign a status indicating that an alert is to be sent upon receipt of any attempted use of the guest virtual machine, and wherein the action includes sending the alert.
  - 23. The computer-readable medium of claim 17, wherein the instructions to assign a status includes instructions to change a status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine.
  - 24. The computer-readable medium of claim 17, wherein the instructions further cause the processor to provide a report regarding a plurality of guest virtual machines in the virtual machine environment, wherein the report includes information regarding one or more selected from:
    - attempted use of any of the plurality of guest virtual machines, denied use attempts of any of the plurality of guest virtual machines, or any of the plurality of guest virtual machines that have not been used in a predetermined amount of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Barak, Nir, Hadar, Eitan
Primary Examiner(s)
Poltorak, Peter

Application Number

US13/405,973
Publication Number

US 20130227699A1
Time in Patent Office

932 Days
Field of Search

None
US Class Current

726/26
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 21/60   Protecting data

G06F 9/45558   Hypervisor-specific managem...

G06F 9/468   Specific access rights for ...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04W 4/60   Subscription-based services...

System and method for virtual image security in a cloud environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for virtual image security in a cloud environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links