System and method for multi-layered sensitive data protection in a virtual computing environment
First Claim
1. A method to provide data protection in a virtual computing environment, the method executed by a processing device configured to perform a plurality of operations, the method comprising:
activating a guest virtual machine in the virtual computing environment, wherein the guest virtual machine is associated with a virtual appliance machine that administers sensitive data controls for the virtual computing environment, and wherein the virtual appliance machine comprises a sensitive data control monitor;
generating a certificate that uniquely identifies the guest virtual machine;
associating, at the sensitive data control monitor, an encryption key with the certificate; and
passing the encryption key and the certificate from the virtual appliance machine to the guest virtual machine, wherein sensitive data stored by the guest virtual machine is encrypted on a virtual disc associated with the guest virtual machine using the encryption key and encryption of the sensitive data is maintained when the guest virtual machine is deactivated.
Abstract
Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.
66 Citations
27 Claims
1. A method to provide data protection in a virtual computing environment, the method executed by a processing device configured to perform a plurality of operations, the method comprising:
activating a guest virtual machine in the virtual computing environment, wherein the guest virtual machine is associated with a virtual appliance machine that administers sensitive data controls for the virtual computing environment, and wherein the virtual appliance machine comprises a sensitive data control monitor;
generating a certificate that uniquely identifies the guest virtual machine;
associating, at the sensitive data control monitor, an encryption key with the certificate; and
passing the encryption key and the certificate from the virtual appliance machine to the guest virtual machine, wherein sensitive data stored by the guest virtual machine is encrypted on a virtual disc associated with the guest virtual machine using the encryption key and encryption of the sensitive data is maintained when the guest virtual machine is deactivated.
Dependent claims: 2, 3, 4, 5
6. A system to provide data protection in a virtual computing environment, the system comprising:
a hardware processor; and
computer readable code executable by the processor, the computer readable code configured to:
activate a guest virtual machine in a virtual computing environment, wherein the guest virtual machine is associated with a virtual appliance machine that administers sensitive data controls for the virtual computing environment, and wherein the virtual appliance machine comprises a sensitive data control monitor,
generate a certificate that uniquely identifies the guest virtual machine,
associate, at the sensitive data control monitor, an encryption key with the certificate, and
pass the encryption key from the virtual appliance machine to the guest virtual machine, wherein sensitive data stored by the guest virtual machine is encrypted on a virtual disc associated with the guest virtual machine using the encryption key and encryption of the sensitive data is maintained when the guest virtual machine is deactivated.
Dependent claims: 7, 8, 9, 10
11. A non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising:
computer readable program code configured to activate a guest virtual machine in a virtual computing environment, wherein the guest virtual machine is associated with a virtual appliance machine that administers sensitive data controls for the virtual computing environment, and wherein the virtual appliance machine comprises a sensitive data control monitor;
computer readable program code configured to generate a certificate that uniquely identifies the guest virtual machine;
computer readable program code configured to associate, at the sensitive data control monitor, an encryption key with the certificate; and
computer readable program code configured to pass the encryption key and the certificate from the virtual appliance machine to the guest virtual machine, wherein sensitive data stored by the guest virtual machine is encrypted on a virtual disc associated with the guest virtual machine using the encryption key and encryption of the sensitive data is maintained when the guest virtual machine is deactivated.
Dependent claims: 12, 13, 14, 15
16. A method to provide data protection in a virtual computing environment, the method executed by a processing device configured to perform a plurality of operations, the method comprising:
receiving, at a guest virtual machine in the virtual computing environment, a certificate from a virtual appliance machine associated with the guest virtual machine, wherein the virtual appliance machine administers sensitive data controls for the virtual computing environment, the certificate uniquely identifies the guest virtual machine, and the guest virtual machine comprises a local sensitive data control agent;
receiving, at the guest virtual machine, an encryption key from the virtual appliance machine, the encryption key associated, at the virtual appliance machine, with the certificate; and
encrypting, by the local sensitive data control agent, sensitive data stored by the guest virtual machine on a virtual disc associated with the guest virtual machine using the encryption key, encryption of the sensitive data being maintained when the guest virtual machine is deactivated.
Dependent claims: 17, 18, 19, 20, 21
22. A non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising:
computer readable program code configured to receive, at a guest virtual machine in a virtual computing environment, a certificate from a virtual appliance machine associated with the guest virtual machine, wherein the virtual appliance machine administers sensitive data controls for the virtual computing environment, the certificate uniquely identifies the guest virtual machine, and the guest virtual machine comprises a local sensitive data control agent;
computer readable program code configured to receive, at the guest virtual machine, an encryption key from the virtual appliance machine, the encryption key associated, at the virtual appliance machine, with the certificate; and
computer readable program code configured to encrypt, by the local sensitive data control agent, sensitive data stored by the guest virtual machine on a virtual disc associated with the guest virtual machine using the encryption key, encryption of the sensitive data being maintained when the guest virtual machine is deactivated.
Dependent claims: 23, 24, 25, 26, 27
Specification