Context aware microsegmentation
First Claim
1. A method for context aware security policy enforcement, the method comprising:
- receiving, by a first enforcement point, network traffic sent to and from a first virtual machine, the first virtual machine providing a first microservice component;
- selecting, by the first enforcement point, a first contextual security policy using attributes of the first virtual machine;
- receiving, by a second enforcement point, network traffic sent to and from a second virtual machine, the second virtual machine providing a second microservice component;
- selecting, by the second enforcement point, a second contextual security policy using attributes of the second virtual machine;
- receiving, by a third enforcement point, network traffic sent to and from a third virtual machine, the third virtual machine providing a third microservice component, the first, the second, and the third virtual machines collectively providing a microservice, the microservice comprising the first, the second, and the third microservice components;
- selecting, by the third enforcement point, a third contextual security policy using attributes of the third virtual machine; and
- controlling, by the first, the second, and the third enforcement points, network traffic to and from the respective first, the second, and the third virtual machines using the respective first, the second, and the third contextual security policies, such that the first, the second, and the third virtual machines are logically partitioned together into one logical subnetwork, the controlling including:
  - applying a first set of security rules to the network traffic into and out of the logical subnetwork, the first set of security rules determined using at least one of the first, the second, and the third contextual security policies; and
  - applying a second set of security rules to the network traffic within the logical subnetwork, the second set of security rules determined using one or more of the first, the second, and the third contextual security policies.
Abstract
Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
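The claim and the abstract describe one architecture: an enforcement point sits beside each virtual machine, selects a contextual security policy from that VM's attributes rather than from its address, and the VMs whose policies belong to the same microservice form one logical subnetwork with a boundary rule set for traffic crossing it and a second rule set for traffic inside it. The model below is an added example written for this page, not code from the patent or its assignee; the policy catalogue, VM inventory, roles, ports and sample flows are all constructed, and keying policy selection on a single `microservice` attribute is a simplification of the "attributes of the virtual machine" the claim leaves open.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class VM:
    name: str
    microservice: str  # attribute the enforcement point uses to select its policy
    role: str          # component role within that microservice (web, app, db)

@dataclass(frozen=True)
class Rule:
    src_role: Optional[str]  # None matches any source, including hosts outside the boundary
    dst_role: Optional[str]  # None matches any destination
    port: Optional[int]      # None matches any port

@dataclass(frozen=True)
class ContextualPolicy:
    microservice: str
    boundary_rules: List[Rule]  # first rule set: traffic into and out of the logical subnetwork
    intra_rules: List[Rule]     # second rule set: traffic between components inside it

@dataclass(frozen=True)
class Flow:
    src: str  # VM name, or "external" for a host outside the data center
    dst: str
    port: int

EXTERNAL = VM(name="external", microservice="", role="external")  # any unmanaged endpoint

class EnforcementPoint:
    """One enforcement point per VM; it sees that VM's traffic in both directions."""
    def __init__(self, vm, catalogue, inventory):
        self.vm, self.inventory = vm, inventory
        # Policy selection is keyed on the VM's attributes, not its IP address,
        # so the policy follows the workload if it migrates or is re-addressed.
        self.policy = catalogue[vm.microservice]

    def decide(self, flow: Flow) -> str:
        src = self.inventory.get(flow.src, EXTERNAL)
        dst = self.inventory.get(flow.dst, EXTERNAL)
        # Both endpoints inside this VM's microservice: the flow stays within the
        # logical subnetwork and the intra rules apply; otherwise it crosses the
        # boundary and the boundary rules apply.
        inside = src.microservice == dst.microservice == self.policy.microservice
        rules = self.policy.intra_rules if inside else self.policy.boundary_rules
        for r in rules:
            if (r.src_role in (None, src.role) and r.dst_role in (None, dst.role)
                    and r.port in (None, flow.port)):
                return "allow"
        return "deny"  # default deny: anything not explicitly allowed is dropped

class Fabric:
    """All enforcement points for a set of VMs. A flow is allowed only when every
    enforcement point that sees it (source side and destination side) allows it."""
    def __init__(self, vms, catalogue):
        self.inventory = {vm.name: vm for vm in vms}
        self.eps = {vm.name: EnforcementPoint(vm, catalogue, self.inventory) for vm in vms}

    def evaluate(self, flow: Flow) -> str:
        verdicts = [self.eps[n].decide(flow) for n in (flow.src, flow.dst) if n in self.eps]
        return "allow" if verdicts and all(v == "allow" for v in verdicts) else "deny"

    def logical_subnetworks(self) -> Dict[str, List[str]]:
        """VM names grouped by the microservice their selected policies bound."""
        groups: Dict[str, List[str]] = {}
        for ep in self.eps.values():
            groups.setdefault(ep.policy.microservice, []).append(ep.vm.name)
        return groups

# Constructed policy catalogue and inventory (illustrative names, not from the patent).
CATALOGUE = {
    "orders": ContextualPolicy("orders",
        boundary_rules=[Rule(None, "web", 443),    # anything may reach the web tier on 443
                        Rule("app", None, 443)],   # the app tier may call out on 443
        intra_rules=[Rule("web", "app", 8080), Rule("app", "db", 5432)]),
    "billing": ContextualPolicy("billing",
        boundary_rules=[Rule(None, "web", 443)],
        intra_rules=[Rule("web", "app", 8080), Rule("app", "db", 5432)]),
}
VMS = [VM("orders-web", "orders", "web"), VM("orders-app", "orders", "app"),
       VM("orders-db", "orders", "db"), VM("billing-web", "billing", "web"),
       VM("billing-app", "billing", "app"), VM("billing-db", "billing", "db")]
FABRIC = Fabric(VMS, CATALOGUE)

SAMPLE_FLOWS = [  # constructed traffic samples
    Flow("external", "orders-web", 443), Flow("external", "orders-db", 5432),
    Flow("orders-web", "orders-app", 8080), Flow("orders-web", "orders-db", 5432),
    Flow("orders-app", "billing-web", 443), Flow("orders-app", "billing-db", 5432),
    Flow("orders-app", "external", 443), Flow("orders-db", "external", 443),
]

def evaluate_samples() -> Dict[tuple, str]:
    """Verdict for each sample flow, keyed by (src, dst, port)."""
    return {(f.src, f.dst, f.port): FABRIC.evaluate(f) for f in SAMPLE_FLOWS}
```

Calling `evaluate_samples()` shows the two rule sets doing different jobs: the boundary set lets external clients reach only the web tier and lets only the app tier call out, while the intra set stops the web tier from reaching the database directly even though both VMs sit in the same logical subnetwork. Two points matter in practice. Every enforcement point defaults to deny, so a component that gains a new dependency fails closed until its policy is updated rather than silently widening the boundary. And because each policy is chosen from VM attributes, the attribute source (inventory, orchestrator labels, tags) is part of the trust boundary: a wrong or stale attribute selects the wrong policy, so attribute assignment should be as tightly controlled and audited as the rules themselves.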
14 Claims (independent claim 1 is reproduced above under First Claim; dependent claims 2 to 14 are not reproduced on this page)