System and method for a cloud computing abstraction layer with security zone facilities

US 9,069,599 B2
Filed: 01/19/2012
Issued: 06/30/2015
Est. Priority Date: 06/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

providing at least one processor capable of executing computing code in data communication with a nontransitory computer readable storage medium having encoded thereon computer executable instructions which, when executed on the processor, provide a virtualization environment adapted for development of a software workload to be deployed using at least one resource of a computing cloud, the software workload including a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS), the virtualization environment having a metamodel framework that allows for the association of at least one policy to the software workload, the policy to be applied to the software workload upon its deployment;

defining a security zone including at least one of the cloud resource(s), wherein one or more boundaries of the security zone are updatable, wherein one or more updated policies are applicable to the software workload when deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction;

determining at least one of a plurality of security zone policy types, each type comprising at least one security policy that may be applied to the software workload using at least one resource within the security zone;

including the at least one security zone policy type in the metamodel framework;

associating a security policy of the at least one security zone policy type(s) with the software workload upon development of the software workload; and

automatically applying the security policy to the software workload when the software workload is deployed within the security zone.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone.

228 Citations

20 Claims

1. A method, comprising:
- providing at least one processor capable of executing computing code in data communication with a nontransitory computer readable storage medium having encoded thereon computer executable instructions which, when executed on the processor, provide a virtualization environment adapted for development of a software workload to be deployed using at least one resource of a computing cloud, the software workload including a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS), the virtualization environment having a metamodel framework that allows for the association of at least one policy to the software workload, the policy to be applied to the software workload upon its deployment;
  
  defining a security zone including at least one of the cloud resource(s), wherein one or more boundaries of the security zone are updatable, wherein one or more updated policies are applicable to the software workload when deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction;
  
  determining at least one of a plurality of security zone policy types, each type comprising at least one security policy that may be applied to the software workload using at least one resource within the security zone;
  
  including the at least one security zone policy type in the metamodel framework;
  
  associating a security policy of the at least one security zone policy type(s) with the software workload upon development of the software workload; and
  
  automatically applying the security policy to the software workload when the software workload is deployed within the security zone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14)
- - 2. The method of claim 1, wherein the security zone is at least one of a geographic zone, a network zone, an enterprise zone, an operational zone, or an organizational zone.
  - 3. The method of claim 1, wherein the security policy is at least one of an access policy, a write-permission policy, a resource utilization policy, or an editing permission policy.
  - 4. The method of claim 1, wherein the security policy determines whether the software workload is allowed to operate in a specified security zone.
  - 5. The method of claim 1, further comprising automatically establishing firewall rules across multiple firewalls in multiple security zones for newly deployed applications by tagging application software workloads that are deployed within the security zones.
  - 6. The method of claim 5, wherein the firewalls are of types provided by different vendors and employ at least one of different operating system, communication protocols, and programming languages.
  - 7. The method of claim 1, further comprising automatically removing firewall rules across multiple firewalls in multiple security zones when the firewall rules do not apply to software workloads within the security zones.
  - 8. The method of claim 7, wherein the firewalls are of types provided by different vendors and employ at least one of different operating system, communication protocols, and programming languages.
  - 9. The method of claim 1, further comprising providing an alert when the software workload is planned to be deployed in a particular security zone in a manner that is inconsistent with at least one of a security zone policy applicable to the security zone and a security policy associated with the software workload.
  - 10. The method of claim 1, wherein the security policy prohibits export of data associated with the software workload executed in the security zone.
  - 11. The method of claim 1, wherein the security policy is a policy associated with a required encryption level or type.
  - 14. The system of claim 10, wherein the security policy is at least one of an access policy, a write-permission policy, a resource utilization policy, or an editing permission policy.

12. A system, comprising:
- at least one processor capable of executing computing code; and
  
  a non-transitory computer readable storage medium in data communication with the processor and having encoded thereon computer executable instructions for providing a virtualization environment adapted for development of a software workload to be deployed using at least one resource of a computing cloud, the software workload including a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS), the virtualization environment having a meta model framework that allows the association of at least one policy to the software workload, the policy to be applied to the software workload upon its deployment, and which allows for the defining of a security zone including at least one of the cloud resource(s), wherein one or more boundaries of the security zone are updatable, wherein one or more updated policies are applicable to the software workload when deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction, and the determining of at least one of a plurality of security zone policy types, each type comprising at least one security policy that may be applied to the software workload using at least one resource within the security zone, including the security zone policy type in the metamodel framework such that a security policy of the at least one security zone policy type(s) can be associated with the software workload upon development of the software workload, and allows for automatically applying the security policy to the software workload when the software workload is deployed within the security zone.
- View Dependent Claims (13, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the security zone is at least one of a geographic zone, a network zone, an enterprise zone, an operational zone, or an organizational zone.
  - 15. The system of claim 12, wherein the security policy determines whether the software workload is allowed to operate in a specified security zone.
  - 16. The system of claim 12, further comprising automatically establishing firewall rules across multiple firewalls in multiple security zones for newly deployed applications by tagging application software workloads that are deployed within the security zones.
  - 17. The system of claim 16, wherein the firewalls are of types provided by different vendors and employ at least one of different operating system, communication protocols, and programming languages.
  - 18. The system of claim 12, further comprising automatically removing firewall rules across multiple firewalls in multiple security zones when the firewall rules do not apply to software workloads within the security zones.
  - 19. The system of claim 18, wherein the firewalls are of types provided by different vendors and employ at least one of different operating system, communication protocols, and programming languages.
  - 20. The system of claim 12, further comprising providing an alert when the software workload is planned to be deployed in a particular security zone in a manner that is inconsistent with at least one of a security zone policy applicable to the security zone and a security policy associated with the software workload.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VideoLabs, Inc.
Original Assignee
Servicemesh Incorporated (DXC Technology Company)
Inventors
Martinez, Frank R., Pulier, Eric
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US13/354,275
Publication Number

US 20120185913A1
Time in Patent Office

1,258 Days
Field of Search

726/1, 726/4, 726/5, 726/7, 726/8
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5072   Grid computing

H04L 12/4633   Interconnection of networks...

H04L 12/6418   Hybrid transport

H04L 12/66   Arrangements for connecting...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/34   involving the movement of s...

H04L 67/51   Discovery or management the...

System and method for a cloud computing abstraction layer with security zone facilities

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

228 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for a cloud computing abstraction layer with security zone facilities

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

228 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others