System and method for virtual image security in a cloud environment

US 9,436,832 B2
Filed: 07/22/2014
Issued: 09/06/2016
Est. Priority Date: 02/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method to provide secure access in a virtual computing environment, the method executed by a processor comprising hardware, the processor configured to perform a plurality of operations, the operations comprising:

assigning, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network;

receiving, at the virtual access control machine, information from the guest virtual machine representative of an attempted use of the guest virtual machine;

receiving, at the virtual access control machine, a request, by the guest virtual machine, for the status of the guest virtual machine;

determining, at the virtual access control machine, an action to take based on the status; and

sending, from the virtual access control machine, information to the guest virtual machine regarding the (i) status of the guest virtual machine in response to the request, or (ii) the action, or (iii) both (i) and (ii).

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods enabling secure virtual image access in a virtual or cloud computing environment. The systems and methods include assigning a status to indicator to guest virtual machines (virtual images) that provide applications and other services to cloud consumers in the cloud environment. A virtual appliance machine in the cloud environment maintains the status of the guest virtual machines and makes decisions based on the status as to whether to allow access to the guest virtual machines. These decisions are transmitted to local elements on the guest virtual machines, which enforce access control on a local level. In this manner, unauthorized virtual image access is prevented providing increased security and data integrity.

91 Citations

20 Claims

1. A method to provide secure access in a virtual computing environment, the method executed by a processor comprising hardware, the processor configured to perform a plurality of operations, the operations comprising:
- assigning, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network;
  
  receiving, at the virtual access control machine, information from the guest virtual machine representative of an attempted use of the guest virtual machine;
  
  receiving, at the virtual access control machine, a request, by the guest virtual machine, for the status of the guest virtual machine;
  
  determining, at the virtual access control machine, an action to take based on the status; and
  
  sending, from the virtual access control machine, information to the guest virtual machine regarding the (i) status of the guest virtual machine in response to the request, or (ii) the action, or (iii) both (i) and (ii).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein assigning a status includes assigning, after the guest virtual machine is created and ready for use, a status indicating that the guest virtual machine is able to be accessed by an authorized user, and wherein the action includes allowing the attempted use of the guest virtual machine to an authorized user.
  - 3. The method of claim 1, wherein assigning a status includes assigning a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine.
  - 4. The method of claim 3, further comprising recording an indication of the prevented attempted use of the guest virtual machine.
  - 5. The method of claim 3, wherein the action further comprises sending an alert regarding the unauthorized attempt to start the guest virtual machine.
  - 6. The method of claim 1, wherein assigning a status includes assigning a status indicating that an alert is to be sent upon receipt of any attempted use of the guest virtual machine, and wherein the action includes sending the alert.
  - 7. The method of claim 1, wherein assigning a status includes changing a status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine.
  - 8. The method of claim 1, further comprising providing a report regarding a plurality of guest virtual machines in the virtual machine environment, wherein the report includes information regarding one or more selected from:
    - attempted use of any of the plurality of guest virtual machines, denied use attempts of any of the plurality of guest virtual machines, or any of the plurality of guest virtual machines that have not been used in a predetermined amount of time.

9. A system to provide secure access in a virtual computing environment, the system comprising:
- a processor comprising hardware, the processor configured to;
  
  assign, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network,receive, at the virtual access control machine, information from the guest virtual machine representative of an attempted use of the guest virtual machine,receive, at the virtual access control machine, a request, by the guest virtual machine, for the status of the guest virtual machine,determine, at the virtual access control machine, an action to take based on the status, andsend, from the virtual access control machine, information to the guest virtual machine regarding the (i) status of the guest virtual machine in response to the request, or (ii) the action, or (iii) both (i) and (ii).
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the processor configured to assign a status is further configured to assign, after the guest virtual machine is created and ready for use, a status indicating that the guest virtual machine is able to be accessed by an authorized user, and wherein the action includes allowance of the attempted use of the guest virtual machine to an authorized user.
  - 11. The system of claim 9, wherein the processor configured to assign a status is further configured to assign a status indicating that the guest virtual machine is not to be used by anyone and wherein the action includes prevention of the attempted use of the guest virtual machine.
  - 12. The system of claim 11, wherein the processor is further configured to record an indication of the prevented attempted use of the guest virtual machine.
  - 13. The system of claim 11, wherein the action further comprises sending of an alert regarding the unauthorized attempt to start the guest virtual machine.
  - 14. The system of claim 9, wherein the processor configured to assign a status is further configured to assign a status indicating that an alert is to be sent upon receipt of any attempted use of the guest virtual machine, and wherein the action includes sending the alert.
  - 15. The system of claim 9, wherein the processor configured to assign a status is further configured to change a status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes prevention of the attempted use of the guest virtual machine.
  - 16. The system of claim 9, wherein the processor is further configured to provide a report regarding a plurality of guest virtual machines in the virtual machine environment, wherein the report includes information regarding one or more selected from:
    - attempted use of any of the plurality of guest virtual machines, denied use attempts of any of the plurality of guest virtual machines, or any of the plurality of guest virtual machines that have not been used in a predetermined amount of time.

17. A non-transitory computer-readable medium including computer-executable instructions thereon, the computer-executable instructions, when executed, causing a processor to:
- assign, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network;
  
  receive, at the virtual access control machine, information from the guest virtual machine representative of an attempted use of the guest virtual machine;
  
  receive, at the virtual access control machine, a request, by the guest virtual machine, for the status of the guest virtual machine;
  
  determine, at the virtual access control machine, an action to take based on the status; and
  
  send, from the virtual access control machine, information to the guest virtual machine regarding the (i) status of the guest virtual machine in response to the request, or (ii) the action, or (iii) both (i) and (ii).
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, wherein the instructions to assign a status include instructions to assign a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine.
  - 19. The computer-readable medium of claim 17, wherein the instructions to assign a status include instructions to assign a status indicating that an alert is to be sent upon receipt of any attempted use of the guest virtual machine, and wherein the action includes sending the alert.
  - 20. The computer-readable medium of claim 17, wherein the instructions to assign a status include instructions to change a status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Barak, Nir, Hadar, Eitan
Primary Examiner(s)
Poltorak, Peter

Application Number

US14/337,771
Publication Number

US 20140373180A1
Time in Patent Office

777 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 21/60   Protecting data

G06F 9/45558   Hypervisor-specific managem...

G06F 9/468   Specific access rights for ...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04W 4/60   Subscription-based services...

System and method for virtual image security in a cloud environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for virtual image security in a cloud environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others