Systems and methods for optimizing security controls for virtual data centers

US 9,171,178 B1
Filed: 05/14/2012
Issued: 10/27/2015
Est. Priority Date: 05/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for optimizing security controls for virtual data centers, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a security policy that applies to at least one workload, operating within a virtual data center, that is configured to store data on a first storage appliance and to execute on a host system;

determining that the first storage appliance does not natively implement a data security requirement specified by the security policy on data stored on the first storage appliance;

identifying a second storage appliance that natively implements the data security requirement specified by the security policy on data stored on the second storage appliance;

migrating the data from the first storage appliance to the second storage appliance for access by the workload from the host system in response to determining that the first storage appliance does not natively implement the data security requirement specified by the security policy and further in response to determining that the second storage appliance natively implements the data security requirement specified by the security policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for optimizing security controls for virtual data centers may include 1) identifying a security policy that applies to at least one workload configured to store data on a first storage appliance, 2) identifying at least one storage-appliance functionality capable of implementing at least a part of the security policy, 3) identifying a second storage appliance that possesses the storage-appliance functionality, and 4) migrating the data from the first storage appliance to the second storage appliance in response to identifying the security policy and the storage-appliance functionality. Variants include methods, systems, and computer-readable media.

Citations

20 Claims

1. A computer-implemented method for optimizing security controls for virtual data centers, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a security policy that applies to at least one workload, operating within a virtual data center, that is configured to store data on a first storage appliance and to execute on a host system;
  
  determining that the first storage appliance does not natively implement a data security requirement specified by the security policy on data stored on the first storage appliance;
  
  identifying a second storage appliance that natively implements the data security requirement specified by the security policy on data stored on the second storage appliance;
  
  migrating the data from the first storage appliance to the second storage appliance for access by the workload from the host system in response to determining that the first storage appliance does not natively implement the data security requirement specified by the security policy and further in response to determining that the second storage appliance natively implements the data security requirement specified by the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein:
    - implementing the security policy comprises encrypting sensitive data stored by the workload;
      
      determining that the second storage appliance natively implements the data security requirement specified by the security policy comprises determining that the data security requirement specifies an encryption requirement for data stored by the workload and that the second storage appliance natively implements the encryption requirement.
  - 3. The computer-implemented method of claim 1, wherein:
    - implementing the security policy comprises scanning the data stored by the workload;
      
      determining that the second storage appliance natively implements the data security requirement specified by the security policy comprises determining that the data security requirement specifies a scanning requirement for data stored by the workload and that the second storage appliance natively implements the scanning requirement.
  - 4. The computer-implemented method of claim 1, wherein identifying the security policy that applies to the workload comprises:
    - identifying sensitive data that is stored by the workload;
      
      identifying, in response to identifying the sensitive data, a security policy to encrypt sensitive data stored by the workload.
  - 5. The computer-implemented method of claim 1, wherein identifying the security policy that applies to the workload comprises:
    - identifying potentially malicious data stored by the workload;
      
      identifying, in response to identifying the potentially malicious data, a security policy to scan data stored by the workload for malware.
  - 6. The computer-implemented method of claim 1, wherein migrating the data from the first storage appliance to the second storage appliance comprises performing a live migration of the data from the first storage appliance to the second storage appliance without taking the workload offline.
  - 7. The computer-implemented method of claim 1, wherein identifying the second storage appliance further comprises:
    - identifying an additional security policy that prohibits a predetermined storage location of the data;
      
      determining that the predetermined storage location does not comprise a location of the second storage appliance.

8. A system for optimizing security controls for virtual data centers, the system comprising:
- an identification module programmed to identify a security policy that applies to at least one workload, operating within a virtual data center, that is configured to store data on a first storage appliance and to execute on a host system;
  
  a matching module programmed to;
  
  determine that the first storage appliance does not natively implement a data security requirement specified by the security policy on data stored on the first storage appliance;
  
  identify a second storage appliance that natively implements the data security requirement specified by the security policy on data stored on the second storage appliance;
  
  a migration module programmed to migrate the data from the first storage appliance to the second storage appliance for access by the workload from the host system in response to determining that the first storage appliance does not natively implement the data security requirement specified by the security policy and further in response to determining that the second storage appliance natively implements the data security requirement specified by the security policy;
  
  at least one hardware processor device configured to execute the identification module, the matching module, and the migration module.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein:
    - implementing the security policy comprises encrypting sensitive data stored by the workload;
      
      determining that the second storage appliance natively implements the data security requirement specified by the security policy comprises determining that the data security requirement specifies an encryption requirement for data stored by the workload and that the second storage appliance natively implements the encryption requirement.
  - 10. The system of claim 8, wherein:
    - implementing the security policy comprises scanning the data stored by the workload;
      
      determining that the second storage appliance natively implements the data security requirement specified by the security policy comprises determining that the data security requirement specifies a scanning requirement for data stored by the workload and that the second storage appliance natively implements the scanning requirement.
  - 11. The system of claim 8, wherein identifying the security policy that applies to the workload comprises:
    - identifying sensitive data that is stored by the workload;
      
      identifying, in response to identifying the sensitive data, a security policy to encrypt sensitive data stored by the workload.
  - 12. The system of claim 8, wherein identifying the security policy that applies to the workload comprises:
    - identifying potentially malicious data stored by the workload;
      
      identifying, in response to identifying the potentially malicious data, a security policy to scan data stored by the workload for malware.
  - 13. The system of claim 8, wherein migrating the data from the first storage appliance to the second storage appliance comprises performing a live migration of the data from the first storage appliance to the second storage appliance without taking the workload offline.
  - 14. The system of claim 8, wherein identifying the second storage appliance further comprises:
    - identifying an additional security policy that prohibits a predetermined storage location of the data;
      
      determining that the predetermined storage location does not comprise a location of the second storage appliance.

15. A computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a security policy that applies to at least one workload, operating within a virtual data center, that is configured to store data on a first storage appliance and to execute on a host system;
  
  determine that the first storage appliance does not natively implement a data security requirement specified by the security policy on data stored on the first storage appliance;
  
  identify a second storage appliance that natively implements the data security requirement specified by the security policy on data stored on the second storage appliance;
  
  migrate the data from the first storage appliance to the second storage appliance for access by the workload from the host system in response to determining that the first storage appliance does not natively implement the data security requirement specified by the security policy and further in response to determining that the second storage appliance natively implements the data security requirement specified by the security policy.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable-storage medium of claim 15, wherein:
    - the one or more computer-executable instructions cause the computing device to implement the security policy by causing the computing device to encrypt sensitive data stored by the workload;
      
      the one or more computer-executable instructions cause the computing device to determine that the second storage appliance natively implements the data security requirement specified by the security policy by causing the computing device to determine that the data security requirement specifies an encryption requirement for data stored by the workload and that the second storage appliance natively implements the encryption requirement.
  - 17. The computer-readable-storage medium of claim 15, wherein:
    - the one or more computer-executable instructions cause the computing device to implement the security policy by causing the computing device to scan the data stored by the workload;
      
      the one or more computer-executable instructions cause the computing device to determine that the second storage appliance natively implements the data security requirement specified by the security policy by causing the computing device to determine that the data security requirement specifies a scanning requirement for data stored by the workload and that the second storage appliance natively implements the scanning requirement.
  - 18. The computer-readable-storage medium of claim 15, wherein the one or more computer-executable instructions cause the computing device to identify the security policy that applies to the workload by causing the computing device to:
    - identify sensitive data that is stored by the workload;
      
      identify, in response to identifying the sensitive data, a security policy to encrypt sensitive data stored by the workload.
  - 19. The computer-readable-storage medium of claim 15, wherein the one or more computer-executable instructions cause the computing device to identify the security policy that applies to the workload by causing the computing device to:
    - identify potentially malicious data stored by the workload;
      
      identify, in response to identifying the potentially malicious data, a security policy to scan data stored by the workload for malware.
  - 20. The computer-readable-storage medium of claim 15, wherein the one or more computer-executable instructions cause the computing device to migrate the data from the first storage appliance to the second storage appliance by causing the computing device to perform a live migration of the data from the first storage appliance to the second storage appliance without taking the workload offline.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Banerjee, Deb
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US13/471,166
Time in Patent Office

1,261 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

Systems and methods for optimizing security controls for virtual data centers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for optimizing security controls for virtual data centers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links