Context aware microsegmentation
First Claim
Patent Images
1. A method for context aware security policy enforcement, the method comprising:
- receiving, by a first enforcement point, network traffic sent to and from a first virtual machine, the first virtual machine providing a first microservice component;
selecting, by the first enforcement point, a first contextual security policy using attributes of the first virtual machine;
receiving, by a second enforcement point, network traffic sent to and from a second virtual machine, the second virtual machine providing a second microservice component;
selecting, by the second enforcement point, a second contextual security policy using attributes of the second virtual machine;
receiving, by a third enforcement point, network traffic sent to and from a third virtual machine, the third virtual machine providing a third microservice component, the first, the second, and the third virtual machines collectively providing a microservice, the microservice comprising the first, the second, and the third microservice components;
selecting, by the third enforcement point, a third contextual security policy using attributes of the third virtual machine; and
controlling, by the first, the second, and the third enforcement points, network traffic to and from the respective first, the second, and the third virtual machines using the respective first, the second, and the third contextual security policies, such that the first, the second, and the third virtual machines are logically partitioned together into one logical subnetwork, the controlling including;
applying a first set of security rules to the network traffic into and out of the logical subnetwork, the first set of security rules determined using at least one of the first, the second, and the third contextual security policies; and
applying a second set of security rules to the network traffic within the logical subnetwork, the second set of security rules determined using one or more of the first, the second, and the third contextual security policies.
4 Assignments
0 Petitions
Accused Products
Abstract
Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.
-
Citations
14 Claims
-
1. A method for context aware security policy enforcement, the method comprising:
-
receiving, by a first enforcement point, network traffic sent to and from a first virtual machine, the first virtual machine providing a first microservice component; selecting, by the first enforcement point, a first contextual security policy using attributes of the first virtual machine; receiving, by a second enforcement point, network traffic sent to and from a second virtual machine, the second virtual machine providing a second microservice component; selecting, by the second enforcement point, a second contextual security policy using attributes of the second virtual machine; receiving, by a third enforcement point, network traffic sent to and from a third virtual machine, the third virtual machine providing a third microservice component, the first, the second, and the third virtual machines collectively providing a microservice, the microservice comprising the first, the second, and the third microservice components; selecting, by the third enforcement point, a third contextual security policy using attributes of the third virtual machine; and controlling, by the first, the second, and the third enforcement points, network traffic to and from the respective first, the second, and the third virtual machines using the respective first, the second, and the third contextual security policies, such that the first, the second, and the third virtual machines are logically partitioned together into one logical subnetwork, the controlling including; applying a first set of security rules to the network traffic into and out of the logical subnetwork, the first set of security rules determined using at least one of the first, the second, and the third contextual security policies; and applying a second set of security rules to the network traffic within the logical subnetwork, the second set of security rules determined using one or more of the first, the second, and the third contextual security policies. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneevArmour Networks Inc
-
Original AssigneevArmour Networks Inc
-
InventorsShieh, Choung-Yaw, Lian, Jia-Jyi, Sun, Yi, Xu, Meng
-
Primary Examiner(s)Gee, Jason K
-
Application NumberUS14/839,649Time in Patent Office410 DaysField of SearchUS Class Current1/1CPC Class CodesG06F 2009/45587 Isolation or security of vi...G06F 2009/45595 Network integration; Enabli...G06F 21/554 involving event detection a...G06F 9/45558 Hypervisor-specific managem...H04L 63/0254 Stateful filteringH04L 63/107 wherein the security polici...H04L 63/1408 by monitoring network traff...H04L 63/20 for managing network securi...
