Method and system for ensuring an application conforms with security and regulatory controls prior to deployment

US 9,374,389 B2
Filed: 04/25/2014
Issued: 06/21/2016
Est. Priority Date: 04/25/2014
Status: Active Grant

First Claim

Patent Images

1. A system for ensuring an application conforms with security and regulatory controls prior to deployment comprising:

at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for ensuring an application conforms with security and regulatory controls prior to deployment, the process for ensuring an application conforms with security and regulatory controls prior to deployment including;

defining one or more virtual asset security policies to be applied to the creation and instantiation of virtual assets to be used in a cloud computing environment;

generating virtual asset security compliance data representing instructions for ensuring compliance with the one or more virtual asset security policies;

applying the generated virtual asset security data to a virtual asset template configured to determine one or more operational parameters of a virtual asset during instantiation of that virtual asset;

instantiating, using the generated virtual asset security data of the virtual asset template, at least one virtual asset complying with the virtual asset security policies;

defining one or more application deployment security policies associated with the deployment and operational coupling and interconnectivity of virtual assets used to implement an application in the cloud computing environment, the application deployment security policies including at least an application deployment security policy requiring that all virtual assets used to implement an application are deployed within a network container that isolates them from other applications;

generating application deployment security compliance data representing instructions for ensuring compliance with the one or more application deployment security policies, the generated application deployment security compliance data representing codified machine readable instructions and data for scanning and otherwise ensuring implementation of the application deployment security policies;

providing the generated application deployment security compliance data to the virtual asset; and

implementing and deploying, using at least one virtual asset including the virtual asset, an application that complies with the one or more application deployment security policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Asset security compliance data ensuring defined asset security policies are applied to the creation and/or operation of assets to be used to implement an application and application deployment security compliance data for ensuring compliance with one or more application deployment security policies associated with the deployment of assets used to implement the application is generated. The asset security compliance data is then used to ensure each asset used to implement the application is created and used in compliance with asset security policies and the application deployment security compliance data is used to ensure that each asset used to implement the application is deployed in compliance with the application deployment security policies.

168 Citations

18 Claims

1. A system for ensuring an application conforms with security and regulatory controls prior to deployment comprising:
- at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for ensuring an application conforms with security and regulatory controls prior to deployment, the process for ensuring an application conforms with security and regulatory controls prior to deployment including;
  
  defining one or more virtual asset security policies to be applied to the creation and instantiation of virtual assets to be used in a cloud computing environment;
  
  generating virtual asset security compliance data representing instructions for ensuring compliance with the one or more virtual asset security policies;
  
  applying the generated virtual asset security data to a virtual asset template configured to determine one or more operational parameters of a virtual asset during instantiation of that virtual asset;
  
  instantiating, using the generated virtual asset security data of the virtual asset template, at least one virtual asset complying with the virtual asset security policies;
  
  defining one or more application deployment security policies associated with the deployment and operational coupling and interconnectivity of virtual assets used to implement an application in the cloud computing environment, the application deployment security policies including at least an application deployment security policy requiring that all virtual assets used to implement an application are deployed within a network container that isolates them from other applications;
  
  generating application deployment security compliance data representing instructions for ensuring compliance with the one or more application deployment security policies, the generated application deployment security compliance data representing codified machine readable instructions and data for scanning and otherwise ensuring implementation of the application deployment security policies;
  
  providing the generated application deployment security compliance data to the virtual asset; and
  
  implementing and deploying, using at least one virtual asset including the virtual asset, an application that complies with the one or more application deployment security policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 1 wherein at least one virtual asset used to implement the application is selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a server computing system; and
      
      part of a desktop computing system.
  - 3. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 1 wherein at least one of the defined virtual asset security policies is selected from the group of virtual asset security policies consisting of:
    - a virtual asset security policy indicating required connectivity and communication features for the virtual assets;
      
      a virtual asset security policy indicating specific storage capability to be allocated to the virtual assets;
      
      a virtual asset security policy indicating a specific processing capability to be allocated to the virtual assets;
      
      a virtual asset security policy requiring specific hardware be allocated to the virtual assets;
      
      a virtual asset security policy requiring specific software be allocated to virtual assets;
      
      a virtual asset security policy requiring specific operational parameters be used with the virtual assets;
      
      a virtual asset security policy prohibiting a known weakness pattern in the virtual assets;
      
      a virtual asset security policy prohibiting a non-existent or incorrect buffer length;
      
      a virtual asset security policy prohibiting the inability of a virtual asset vulnerability to be successfully remediated;
      
      a virtual asset security policy requiring specific security requirements, or security level requirement, be associated with the virtual assets;
      
      a virtual asset security policy prohibiting the use or existence of a known vulnerable version of software or code in the virtual assets;
      
      a virtual asset security policy prohibiting the use or existence of code written in a language, or version of a language, known to be vulnerable to attack in the virtual assets;
      
      a virtual asset security policy requiring specific encryption, or a proper level of encryption, for data associated with the virtual assets;
      
      a virtual asset security policy requiring checks of buffer lengths; and
      
      a virtual asset security policy requiring checks of the integrity of arguments.
  - 4. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 1 wherein at least one of the application deployment security policies is selected from the group of application deployment security policies consisting of:
    - the application deployment security policy that all virtual assets used to implement an application are deployed within a Virtual Public Cloud (VPC);
      
      the application deployment security policy that all virtual assets must be deployed using a sanctioned secure baseline;
      
      the application deployment security policy that all virtual assets in a compute tier are network-isolated from other virtual assets of the application;
      
      the application deployment security policy that all virtual assets in a web tier or in a compute tier are accessed exclusively through the use of a virtualized load balancer;
      
      the application deployment security policy that only applications that are to have Internet access must have an IP address that is Internet accessible;
      
      the application deployment security policy that the application deploys its different virtual assets in a network manner, separating the web and/or compute tiers from data via network isolation;
      
      the application deployment security policy that all virtual asset deployments must have multi-factor authentication enabled to operate the console of the virtual assets;
      
      the application deployment security policy that all virtual asset deployments must have multi-factor authentication enabled to modify the data tier;
      
      the application deployment security policy that all virtual assets must produce log records that track all modifications to the configurations of the virtual assets;
      
      the application deployment security policy that all accesses to virtual assets must be authenticated;
      
      the application deployment security policy that all accesses to the virtual assets must be for roles authorized; and
      
      the application deployment security policy that for each of the controls in a regulatory compliance regime, the virtual asset must produce log records supporting the controls.
  - 5. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 1 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided by providing a security policy library to the application, and/or one or more virtual assets used to implement the application.
  - 6. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 1 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided through a virtual asset creation template used to instantiate at least one virtual asset used to implement the application.
  - 7. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 1 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided to the application, and/or one or more virtual assets used to implement the application, by the owner of the application.
  - 8. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 1 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided by a provider of at least part of the cloud computing environment.
  - 9. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 1 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided by a third party service provider.

10. A system for ensuring an application conforms with security and regulatory controls prior to deployment comprising:
- an application;
  
  a cloud computing environment in which at least part of the application is deployed;
  
  a data store including virtual asset security compliance data representing instructions for implementing one or more virtual asset security policies and/or ensuring compliance with the one or more virtual asset security policies;
  
  a data store including application deployment security compliance data representing codified machine readable instructions for scanning and otherwise ensuring implementation one or more application deployment security policies and/or ensuring compliance with the one or more application deployment security policies, the application deployment security policies including at least an application deployment security policy requiring that all virtual assets used to implement an application are deployed within a network container that isolates them from other applications;
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the one or more processors, perform a process for ensuring an application conforms with security and regulatory controls prior to deployment, the process for ensuring an application conforms with security and regulatory controls prior to deployment including;
  
  applying the generated virtual asset security data to a virtual asset template configured to determine one or more operational parameters of a virtual asset during instantiation of that virtual asset;
  
  instantiating, using the generated virtual asset security data of the virtual asset template, at least one virtual asset complying with the virtual asset security policies;
  
  providing the generated application deployment security compliance data to the virtual asset; and
  
  implementing and deploying, using at least one virtual asset including the instantiated virtual asset, an application that complies with the one or more application deployment security policies.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 10 wherein at least one virtual asset used to implement the application is selected from the group of the virtual assets consisting of:
    - a virtual machine;
      
      a virtual server;
      
      a database or data store;
      
      an instance in a cloud environment;
      
      a cloud environment access system;
      
      part of a mobile device;
      
      part of a remote sensor;
      
      part of a server computing system; and
      
      part of a desktop computing system.
  - 12. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 10 wherein at least one of the defined virtual asset security policies is selected from the group of virtual asset security policies consisting of:
    - a virtual asset security policy indicating required connectivity and communication features for the virtual assets;
      
      a virtual asset security policy indicating specific storage capability to be allocated to the virtual assets;
      
      a virtual asset security policy indicating a specific processing capability to be allocated to the virtual assets;
      
      a virtual asset security policy requiring specific hardware be allocated to the virtual assets;
      
      a virtual asset security policy requiring specific software be allocated to virtual assets;
      
      a virtual asset security policy requiring specific operational parameters be used with the virtual assets;
      
      a virtual asset security policy prohibiting a known weakness pattern in the virtual assets;
      
      a virtual asset security policy prohibiting a non-existent or incorrect buffer length;
      
      a virtual asset security policy prohibiting the inability of a virtual asset vulnerability to be successfully remediated;
      
      a virtual asset security policy requiring specific security requirements, or security level requirement, be associated with the virtual assets;
      
      a virtual asset security policy prohibiting the use or existence of a known vulnerable version of software or code in the virtual assets;
      
      a virtual asset security policy prohibiting the use or existence of code written in a language, or version of a language, known to be vulnerable to attack in the virtual assets;
      
      a virtual asset security policy requiring specific encryption, or a proper level of encryption, for data associated with the virtual assets;
      
      a virtual asset security policy requiring checks of buffer lengths; and
      
      a virtual asset security policy requiring checks of the integrity of arguments.
  - 13. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 10 wherein at least one of the application deployment security policies is selected from the group of application deployment security policies consisting of:
    - the application deployment security policy that all virtual assets used to implement an application are deployed within a Virtual Public Cloud (VPC);
      
      the application deployment security policy that all virtual assets must be deployed using a sanctioned secure baseline;
      
      the application deployment security policy that all virtual assets in a compute tier are network-isolated from other virtual assets of the application;
      
      the application deployment security policy that all virtual assets in a web tier or in a compute tier are accessed exclusively through the use of a virtualized load balancer;
      
      the application deployment security policy that only applications that are to have Internet access must have an IP address that is Internet accessible;
      
      the application deployment security policy that the application deploys its different virtual assets in a network manner, separating the web and/or compute tiers from data via network isolation;
      
      the application deployment security policy that all virtual asset deployments must have multi-factor authentication enabled to operate the console of the virtual assets;
      
      the application deployment security policy that all virtual asset deployments must have multi-factor authentication enabled to modify the data tier;
      
      the application deployment security policy that all virtual assets must produce log records that track all modifications to the configurations of the virtual assets;
      
      the application deployment security policy that all accesses to virtual assets must be authenticated;
      
      the application deployment security policy that all accesses to the virtual assets must be for roles authorized; and
      
      the application deployment security policy that for each of the controls in a regulatory compliance regime, the virtual asset must produce log records supporting the controls.
  - 14. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 10 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided by providing a security policy library to the application, and/or one or more virtual assets used to implement the application.
  - 15. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 10 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided through a virtual asset creation template used to instantiate at least one virtual asset used to implement the application.
  - 16. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 10 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided to the application, and/or one or more virtual assets used to implement the application, by the owner of the application.
  - 17. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 10 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided by a provider of at least part of the cloud computing environment.
  - 18. The system for ensuring an application conforms with security and regulatory controls prior to deployment of claim 10 wherein the virtual asset security compliance data and/or the application deployment security compliance data is provided by a third party service provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Bishop, Thomas, Weaver, Brett, Price, Christian, Godinez, Javier, Brinkley, Capen, Lietz, M. Shannon, Cabrera, Luis Felipe
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/261,621
Publication Number

US 20150312274A1
Time in Patent Office

788 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 41/5009   Determining service level p...

H04L 41/5096   wherein the managed service...

H04L 63/20   for managing network securi...

Method and system for ensuring an application conforms with security and regulatory controls prior to deployment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

168 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for ensuring an application conforms with security and regulatory controls prior to deployment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links