Systems and methods for implementing security in a cloud computing environment

US 9,065,804 B2
Filed: 04/01/2013
Issued: 06/23/2015
Est. Priority Date: 08/09/2011
Status: Active Grant

First Claim

Patent Images

1. A server computer system comprising:

one or more processing units;

a memory, coupled to at least one of the one or more processing units, the memory storing a virtual machine, wherein an agent executive runs within the virtual machine, the agent executive executed by at least one of the one or more processing units, the agent executive comprising instructions for;

receiving an agent identity token from a grid computer system, wherein the agent identity token includes a unique cryptographic key assigned to the agent executive;

collecting information about the server computer system for an evaluation of integrity of the agent executive, according to a plurality of agent self-verification factors;

encrypting the collected information using the cryptographic key;

transmitting the encrypted information to the grid computer system;

retrieving an encrypted first set of commands from the grid computer system;

decrypting the encrypted first set of commands using the cryptographic key; and

executing, at the server computer system, each command in the first set of commands.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer systems and methods are provided in which an agent executive, when initially executed in a virtual machine, obtains an agent API key from a user. This key is communicated to a grid computer system. An agent identity token, generated by a cryptographic token generation protocol when the key is valid, is received from the grid and stored in a secure data store associated with the agent executive. Information that evaluates the integrity of the agent executive is collected using agent self-verification factors. The information, encrypted and signed with a cryptographic signature, is communicated to the grid. Commands are sent from the grid to the agent executive to check the security, compliance, and integrity of the virtual machine processes and data structures. Based on these check results, additional commands are sent by the grid to the agent executive to correct security, compliance or integrity problems and/or to prevent security compromises.

92 Citations

View as Search Results

40 Claims

1. A server computer system comprising:
- one or more processing units;
  
  a memory, coupled to at least one of the one or more processing units, the memory storing a virtual machine, wherein an agent executive runs within the virtual machine, the agent executive executed by at least one of the one or more processing units, the agent executive comprising instructions for;
  
  receiving an agent identity token from a grid computer system, wherein the agent identity token includes a unique cryptographic key assigned to the agent executive;
  
  collecting information about the server computer system for an evaluation of integrity of the agent executive, according to a plurality of agent self-verification factors;
  
  encrypting the collected information using the cryptographic key;
  
  transmitting the encrypted information to the grid computer system;
  
  retrieving an encrypted first set of commands from the grid computer system;
  
  decrypting the encrypted first set of commands using the cryptographic key; and
  
  executing, at the server computer system, each command in the first set of commands.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The server computer system of claim 1, wherein a command in the first set of commands updates a firewall policy for the virtual machine.
  - 3. The server computer system of claim 1, wherein a command in the first set of commands is a corrective or proactively protective action.
  - 4. The server computer system of claim 1, wherein a command in the first set of commands repeats the collecting, encrypting, and transmitting at a predetermined time.
  - 5. The server computer system of claim 1, wherein a command in the first set of commands repeats the collecting, encrypting, and transmitting at a predetermined time interval.
  - 6. The server computer system of claim 1, wherein the first set of commands includes a plurality of commands and wherein:
    - a first command in the plurality of commands updates the plurality of agent self-verification factors; and
      
      a second command in the plurality of commands repeats the collecting, encrypting, and transmitting at a predetermined time using the update to the plurality of agent self-verification factors.
  - 7. The server computer system of claim 1, wherein the first set of commands includes a plurality of commands and wherein:
    - a first command in the plurality of commands updates the plurality of agent self-verification factors; and
      
      a second command in the plurality of commands repeats the collecting, encrypting, and transmitting at predetermined time intervals using the update to the plurality of agent self-verification factors.
  - 8. The server computer system of claim 1, wherein a command in the first set of commands reinitializes the agent executive and repeats the receiving, collecting, encrypting, and transmitting after re-initialization of the agent executive is complete.
  - 9. The server computer system of claim 1, wherein a command in the first set of commands terminates execution of the virtual machine.
  - 10. The server computer system of claim 1, wherein the first set of commands checks a status of a data structure accessible to the virtual machine.
  - 11. The server computer system of claim 1, wherein the first set of commands checks a status of a setting associated with a file stored in a memory accessible to the virtual machine, checks a setting of a directory stored in a memory accessible to the virtual machine, or checks an existence or a status of a process running on the virtual machine.
  - 12. The server computer system of claim 1, wherein the first set of commands checks a password associated with a user of the virtual machine or a password associated with a group of users of the virtual machine.
  - 13. The server computer system of claim 1, wherein the first set of commands validates a name-value pair in a file in a memory accessible by the virtual machine.
  - 14. The server computer system of claim 1, wherein the first set of commands checks a status of a network communication port that is associated with the virtual machine.
  - 15. The server computer system of claim 1, wherein the retrieving, decrypting, and executing are repeated at a predetermined time.
  - 16. The server computer system of claim 1, wherein the retrieving, decrypting, and executing are repeated at predetermined time intervals.
  - 17. The server computer system of claim 1, wherein the encrypting further uses data shared with the grid computer system to digitally sign and encrypt the collected information prior to transmitting the encrypted information.
  - 18. The server computer system of claim 1, wherein the first set of commands checks a status of a process running on the virtual machine.

19. A grid computer system comprising:
- one or more processing units;
  
  a memory, coupled to at least one of the one or more processing units, the memory storing a grid node, the grid node executed by at least one of the one or more processing units, the grid node comprising instructions for;
  
  receiving a request from an agent executive running on a virtual machine that is running on a computer other than the grid computer system;
  
  generating a unique agent identity token, which includes a cryptographic key;
  
  transmitting the agent identity token to the agent executive running on the virtual machine;
  
  receiving encrypted information, signed with a cryptographic digital signature, from the virtual machine for an evaluation of the integrity of the agent executive based upon a plurality of agent self-verification factors;
  
  decrypting the received encrypted information using the cryptographic key to form decrypted information; and
  
  verifying the integrity of the agent executive based on the decrypted information.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 20. The grid computer system of claim 19, the grid node further comprising instructions for:
    - creating, using the agent identity token, a command queue on the grid computer system, wherein the command queue is unique to the agent executive; and
      
      posting to the command queue one or more commands to be executed by the agent executive.
  - 21. The grid computer system of claim 20, wherein a command in the one or more commands updates a firewall policy for the virtual machine.
  - 22. The grid computer system of claim 20, wherein a command in the one or more commands is a corrective or proactively protective action to be executed by the agent executive running on the virtual machine.
  - 23. The grid computer system of claim 20, wherein the one or more commands instruct the agent executive running on the virtual machine to:
    - collect data for an evaluation of integrity of the agent executive using a plurality of agent self-verification factors; and
      
      communicate the data to the grid node.
  - 24. The grid computer system of claim 23, wherein the one or more commands further specify that the collection and communication be repeated at a predetermined time.
  - 25. The grid computer system of claim 23, wherein the one or more commands further specify that the collection and communication be repeated at predetermined time intervals.
  - 26. The grid computer system of claim 20, wherein the one or more commands is a plurality of commands and whereina first command in the plurality of commands updates the plurality of agent self-verification factors;
    - a second command in the plurality of commands instructs the agent executive to collect data for an evaluation of integrity of the agent executive using the update to the plurality of agent self-verification factors; and
      
      a third command in the plurality of commands instructs the agent executive to communicate the data to the grid node as part of a process in which no network connection may be initiated from the grid computer system to the agent executive, but may only be initiated from the agent executive to the grid computer system.
  - 27. The grid computer system of claim 20, wherein the one or more commands reinitialize the agent executive and repeat:
    - receiving a request from the agent executive;
      
      generating a unique agent identity token;
      
      transmitting the agent identity token;
      
      receiving encrypted information;
      
      decrypting the received encrypted information; and
      
      verifying the integrity of the agent executive.
  - 28. The grid computer system of claim 20, wherein a command in the one or more commands terminates execution of the virtual machine.
  - 29. The grid computer system of claim 20, wherein the one or more commands check a status of a data structure accessible to the virtual machine.
  - 30. The grid computer system of claim 20, wherein the one or more commands check a status of a setting associated with a file stored in a memory accessible to the virtual machine, check a setting of a directory stored in a memory accessible to the virtual machine, or check an existence or a status of a process running on the virtual machine.
  - 31. The grid computer system of claim 20, wherein the one or more commands check a password associated with a user of the virtual machine or check a password associated with a group of users of the virtual machine.
  - 32. The grid computer system of claim 20, wherein the one or more commands validates a name-value pair in a file in a memory accessible by the virtual machine.
  - 33. The grid computer system of claim 20, wherein the one or more commands check a status of a network communication port that is associated with the virtual machine.
  - 34. The grid computer system of claim 19, wherein decrypting the encrypted information further uses data shared with the agent executive running on the virtual machine.
  - 35. The grid computer system of claim 20, wherein the one or more commands check a status of a process running on the virtual machine.
  - 36. The grid computer system of claim 19, wherein the verifying comprises applying to the decrypted information one or more rules stored on the grid computer system;
    - wherein, when a rule of the one or more rules fails, the verifying further comprises posting a corrective or proactively protective action to a command queue on the grid computer system that is uniquely associated with the virtual machine.
  - 37. The grid computer system of claim 19, wherein the grid computer system comprises a plurality of computers networked to each other by a network connection.
  - 38. The grid computer system of claim 19, wherein the grid node further comprises instructions for verifying the digital signature, thereby obtaining decrypted, authenticated and integrity-verified information.

39. A computer program product for use in conjunction with a computer system, the computer program product comprising a non-transitory computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising a virtual machine running an agent executive, the agent executive comprising the instructions for:
- receiving an agent identity token from a grid computer system, wherein the agent identity token includes a unique cryptographic key assigned to the agent executive;
  
  collecting information for an evaluation of integrity of the agent executive according to a plurality of agent self-verification factors;
  
  encrypting the collected information using the cryptographic key;
  
  transmitting the encrypted information to the grid computer system;
  
  retrieving an encrypted first set of commands from the grid computer system;
  
  decrypting the encrypted first set of commands using the cryptographic key; and
  
  executing, at the server computer system, each command in the first set of commands.

40. A computer program product for use in conjunction with a first computer system, the computer program product comprising a non-transitory computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising instructions for:
- (A) receiving a request from an agent executive running on a virtual machine that is running on a second computer system, wherein the request includes a unique identifier of the agent executive;
  
  generating an agent identity token, which includes a cryptographic key;
  
  transmitting the agent identity token to the agent executive running on the virtual machine;
  
  receiving encrypted information from the virtual machine for an evaluation of integrity of the agent executive based upon a plurality of agent self-verification factors;
  
  decrypting the received encrypted information using the cryptographic key to form decrypted information; and
  
  verifying the integrity of the agent executive based on the decrypted information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Runway Growth Finance Corporation
Original Assignee
CloudPassage Inc.
Inventors
Sweet, Carson, Geraymovych, Vitaliy
Primary Examiner(s)
Lewis, Lisa
Assistant Examiner(s)
LWIN, MAUNG T

Application Number

US13/854,513
Publication Number

US 20130268763A1
Time in Patent Office

813 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/126   the source of the received ...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Systems and methods for implementing security in a cloud computing environment

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for implementing security in a cloud computing environment

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links