Systems and methods for workload security in virtual data centers

US 9,021,546 B1
Filed: 11/08/2011
Issued: 04/28/2015
Est. Priority Date: 11/08/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for workload security in virtual data centers, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a virtual data center that hosts a plurality of workloads sharing a common computing infrastructure;

identifying a workload within the plurality of workloads that is subject to a sensitivity assessment, the sensitivity assessment pertaining to an application of at least one security policy to at least one computing resource used by the identified workload;

performing the sensitivity assessment for the identified workload by determining that a first resource that provides computing infrastructure within the common computing infrastructure and that is provisioned to the identified workload shares a portion of the common computing infrastructure with a second resource that provides computing infrastructure within the common computing infrastructure and that handles sensitive data and determining that the identified workload is sensitive because the first resource is provisioned to the identified workload; and

applying the security policy to the at least one computing resource based at least in part on the sensitivity assessment for the identified workload.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for workload security in virtual data centers may include (1) identifying a virtual data center that hosts a plurality of workloads sharing a common computing infrastructure, (2) identifying a workload within the plurality of workloads that is subject to a sensitivity assessment that pertains to an application of at least one security policy to at least one computing resource used by the workload, (3) performing the sensitivity assessment for the workload based at least in part on an attribute of an allocated resource within the common computing infrastructure provisioned to the workload, and (4) applying the security policy to the computing resource based at least in part on the sensitivity assessment for the workload. Various other methods, systems, and encoded computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for workload security in virtual data centers, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a virtual data center that hosts a plurality of workloads sharing a common computing infrastructure;
  
  identifying a workload within the plurality of workloads that is subject to a sensitivity assessment, the sensitivity assessment pertaining to an application of at least one security policy to at least one computing resource used by the identified workload;
  
  performing the sensitivity assessment for the identified workload by determining that a first resource that provides computing infrastructure within the common computing infrastructure and that is provisioned to the identified workload shares a portion of the common computing infrastructure with a second resource that provides computing infrastructure within the common computing infrastructure and that handles sensitive data and determining that the identified workload is sensitive because the first resource is provisioned to the identified workload; and
  
  applying the security policy to the at least one computing resource based at least in part on the sensitivity assessment for the identified workload.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein performing the sensitivity assessment comprises:
    - identifying sensitive content in a data store used by the identified workload for storage; and
      
      determining that the identified workload is sensitive based on the sensitive content.
  - 3. The computer-implemented method of claim 2, wherein identifying the sensitive content in the data store comprises:
    - identifying a virtual disk exposed to a virtual machine allocated for the identified workload; and
      
      identifying the sensitive content on the virtual disk.
  - 4. The computer-implemented method of claim 1, wherein performing the sensitivity assessment comprises:
    - identifying sensitive content in a data store provisioned on a hypervisor host system that is used for the identified workload;
      
      determining that the hypervisor host system is sensitive based on the sensitive content; and
      
      determining that the identified workload is sensitive based on the determination that the hypervisor host system is sensitive.
  - 5. The computer-implemented method of claim 1, wherein performing the sensitivity assessment comprises:
    - identifying a first virtual machine within the virtual data center, the first virtual machine being allocated for the identified workload;
      
      identifying a second virtual machine within the virtual data center, the second virtual machine being identified as handling sensitive content;
      
      identifying a virtual network connecting a first guest operating system of the first virtual machine to a second guest operating system of the second virtual machine;
      
      determining, based at least in part on the identification of the second virtual machine as handling sensitive content and based at least in part on the virtual network connecting the first guest operating system and the second guest operating system, that the first virtual machine is sensitive; and
      
      determining that the identified workload is sensitive based on the determination that the first virtual machine is sensitive.
  - 6. The computer-implemented method of claim 1, wherein performing the sensitivity assessment comprises:
    - identifying a first hypervisor host within the virtual data center, the first hypervisor host being used for the identified workload;
      
      identifying a second hypervisor host within the virtual data center, the second hypervisor host being identified as handling sensitive content;
      
      determining, based at least in part on a firewall rule on at least one of the first and second hypervisor hosts, that the second hypervisor host is configured to communicate with the first hypervisor host;
      
      determining, based at least in part on the determination that the second hypervisor host is configured to communicate with the first hypervisor host and based at least in part on the second hypervisor host being identified as handling sensitive content, that the first hypervisor host is sensitive; and
      
      determining that the identified workload is sensitive based on the determination that the first hypervisor host is sensitive.
  - 7. The computer-implemented method of claim 1, further comprising:
    - identifying a new computing resource used by the identified workload within the common computing infrastructure; and
      
      applying the security policy to the new computing resource based at least in part on the sensitivity assessment for the identified workload.
  - 8. The computer-implemented method of claim 1, further comprising:
    - identifying an additional workload using the at least one computing resource;
      
      identifying an additional sensitivity assessment for the additional workload; and
      
      applying an additional security policy to the at least one computing resource based on the additional sensitivity assessment.
  - 9. The computer-implemented method of claim 1, wherein applying the security policy to the at least one computing resource comprises at least one of:
    - allocating the at least one computing resource for use by the identified workload based at least in part on a security feature, required by the security policy, of the at least one computing resource;
      
      orallocating the at least one computing resource for use by the identified workload based at least in part on a data preservation feature, required by the security policy, of the at least one computing resource.

10. A system for workload security in virtual data centers, the system comprising:
- an identification module programmed to;
  
  identify a virtual data center that hosts a plurality of workloads sharing a common computing infrastructure;
  
  identify a workload within the plurality of workloads that is subject to a sensitivity assessment, the sensitivity assessment pertaining to an application of at least one security policy to at least one computing resource used by the identified workload;
  
  an assessment module programmed to perform the sensitivity assessment for the identified workload by determining that a first resource that provides computing infrastructure within the common computing infrastructure and that is provisioned to the identified workload shares a portion of the common computing infrastructure with a second resource that provides computing infrastructure within the common computing infrastructure and that handles sensitive data and determining that the identified workload is sensitive because the first resource is provisioned to the identified workload;
  
  an application module programmed to apply the security policy to the at least one computing resource based at least in part on the sensitivity assessment for the identified workload; and
  
  at least one processor configured to execute the identification module, the assessment module, and the application module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the assessment module is programmed to perform the sensitivity assessment by:
    - identifying sensitive content in a data store used by the identified workload for storage; and
      
      determining that the identified workload is sensitive based on the sensitive content.
  - 12. The system of claim 11, wherein the identification module is programmed to identify the sensitive content in the data store by:
    - identifying a virtual disk exposed to a virtual machine allocated for the identified workload; and
      
      identifying the sensitive content on the virtual disk.
  - 13. The system of claim 10, wherein the assessment module is programmed to perform the sensitivity assessment by:
    - identifying sensitive content in a data store provisioned on a hypervisor host system that is used for the identified workload;
      
      determining that the hypervisor host system is sensitive based on the sensitive content; and
      
      determining that the identified workload is sensitive based on the determination that the hypervisor host system is sensitive.
  - 14. The system of claim 10, wherein the assessment module is programmed to perform the sensitivity assessment by:
    - identifying a first virtual machine within the virtual data center, the first virtual machine being allocated for the identified workload;
      
      identifying a second virtual machine within the virtual data center, the second virtual machine being identified as handling sensitive content;
      
      identifying a virtual network connecting a first guest operating system of the first virtual machine to a second guest operating system of the second virtual machine;
      
      determining, based at least in part on the identification of the second virtual machine as handling sensitive content and based at least in part on the virtual network connecting the first guest operating system and the second guest operating system, that the first virtual machine is sensitive; and
      
      determining that the identified workload is sensitive based on the determination that the first virtual machine is sensitive.
  - 15. The system of claim 10, wherein the assessment module is programmed to perform the sensitivity assessment by:
    - identifying a first hypervisor host within the virtual data center, the first hypervisor host being used for the identified workload;
      
      identifying a second hypervisor host within the virtual data center, the second hypervisor host being identified as handling sensitive content;
      
      determining, based at least in part on a firewall rule on at least one of the first and second hypervisor hosts, that the second hypervisor host is configured to communicate with the first hypervisor host;
      
      determining, based at least in part on the determination that the second hypervisor host is configured to communicate with the first hypervisor host and based at least in part on the second hypervisor host being identified as handling sensitive content, that the first hypervisor host is sensitive; and
      
      determining that the identified workload is sensitive based on the determination that the first hypervisor host is sensitive.
  - 16. The system of claim 10, wherein the application module is further programmed to:
    - identify a new computing resource used by the identified workload within the common computing infrastructure; and
      
      apply the security policy to the new computing resource based at least in part on the sensitivity assessment for the identified workload.
  - 17. The system of claim 10, wherein the application module is further programmed to:
    - identify an additional workload using the at least one computing resource;
      
      identify an additional sensitivity assessment for the additional workload; and
      
      apply an additional security policy to the at least one computing resource based on the additional sensitivity assessment.
  - 18. The system of claim 10, wherein the application module is programmed to apply the security policy to the at least one computing resource by at least one of:
    - allocating the at least one computing resource for use by the identified workload based at least in part on a security feature, required by the security policy, of the at least one computing resource;
      
      orallocating the at least one computing resource for use by the identified workload based at least in part on a data preservation feature, required by the security policy, of the at least one computing resource.

19. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a virtual data center that hosts a plurality of workloads sharing a common computing infrastructure;
  
  identify a workload within the plurality of workloads that is subject to a sensitivity assessment, the sensitivity assessment pertaining to an application of at least one security policy to at least one computing resource used by the identified workload;
  
  perform the sensitivity assessment for the identified workload by determining that a first resource that provides computing infrastructure within the common computing infrastructure and that is provisioned to the identified workload shares a portion of the common computing infrastructure with a second resource that provides computing infrastructure within the common computing infrastructure and that handles sensitive data and determining that the identified workload is sensitive because the first resource is provisioned to the identified workload; and
  
  apply the security policy to the at least one computing resource based at least in part on the sensitivity assessment for the identified workload.
- View Dependent Claims (20)
- - 20. The computer-readable-storage medium of claim 19, wherein the one or more computer-executable instructions cause the computing device to perform the sensitivity assessment by causing the computing device to:
    - identify sensitive content in a data store used by the identified workload for storage; and
      
      determine that the identified workload is sensitive based on the sensitive content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Banerjee, Deb
Primary Examiner(s)
Davis, Zachary A

Application Number

US13/291,716
Time in Patent Office

1,267 Days
Field of Search

726/1, 726/26, 726/27, 726/29, 726/30, 713/164, 713/166, 718/1
US Class Current

726/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Systems and methods for workload security in virtual data centers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for workload security in virtual data centers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links