Secure virtual sector erasure method and system

US 9,519,433 B2
Filed: 05/13/2015
Issued: 12/13/2016
Est. Priority Date: 05/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

presenting a virtual resource in a user interface;

receiving a selection of the virtual resource, the selection indicating that the virtual resource is to be securely erased;

isolating the selected virtual resource, wherein the isolating comprises;

exclusively locking the selected virtual resource,stopping execution of virtual machine processes associated with the selected virtual resource, anddisabling a dynamic redistribution of resources to ensure uninterrupted operation;

obtaining access to the selected virtual resource;

securely erasing the selected virtual resource by overwriting all virtual sectors of the selected virtual resource; and

confirming that all virtual sectors of the selected virtual resource have been overwritten.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for sanitizing physical storage in cloud computing and virtual environments. When logical storage is decommissioned in a virtual environment, the underlying physical storage is logically disassociated. However, the underlying physical data blocks remain intact until they are overwritten. Since there is no control over when, or even if, the physical data is ever overwritten, the remaining data is susceptible to compromise. The present disclosure provides a secure erase application that securely erases physical storage associated with to-be deleted resources, such as virtual data stores, virtual images, snapshots and raw virtual disks.

Citations

25 Claims

1. A method comprising:
- presenting a virtual resource in a user interface;
  
  receiving a selection of the virtual resource, the selection indicating that the virtual resource is to be securely erased;
  
  isolating the selected virtual resource, wherein the isolating comprises;
  
  exclusively locking the selected virtual resource,stopping execution of virtual machine processes associated with the selected virtual resource, anddisabling a dynamic redistribution of resources to ensure uninterrupted operation;
  
  obtaining access to the selected virtual resource;
  
  securely erasing the selected virtual resource by overwriting all virtual sectors of the selected virtual resource; and
  
  confirming that all virtual sectors of the selected virtual resource have been overwritten.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising mapping the overwriting to a physical layer associated with the virtual sectors of the selected virtual resource.
  - 3. The method of claim 2, wherein mapping the overwriting is contemporaneous with the overwriting of the virtual sectors.
  - 4. The method of claim 1, further comprising issuing a certificate of sanitization indicating secure erasure of the selected virtual resource.
  - 5. The method of claim 1, further comprising dereferencing a unique identifier of the selected virtual resource, thereby disassociating a logical layer having the selected virtual resource from the physical layer.
  - 6. The method of claim 5, wherein dereferencing the unique identifier is after overwriting all virtual sectors of the selected virtual resource.
  - 7. The method of claim 1, wherein overwriting all virtual sectors of the selected virtual resource includes overwriting in compliance with a NIST 800-88 standard.
  - 8. The method of claim 7, wherein overwriting all virtual sectors of the selected virtual resource includes overwriting with two passes of random bits and one pass of zero bits.
  - 9. The method of claim 1, wherein the confirming that all virtual sectors of the selected virtual resource have been overwritten uses a hash value.
  - 10. The method of claim 9, the confirming comprising comparing a first hash value determined from a similarly sized zero-byte data file as the selected virtual resource to another hash value of the selected virtual resource after the overwriting.
  - 11. The method of claim 1, further comprising receiving a target host and user credentials.
  - 12. The method of claim 11, further comprising identifying access privileges identified with the user credentials and wherein presenting the virtual resource in accordance with the access privileges.
  - 13. The method of claim 12, wherein presenting virtual resource corresponding to the access privileges includes presenting only if the user has alteration or deletion privileges.
  - 14. The method of claim 1, further comprising determining an environment processing capacity and throttling the overwriting based on the environment processing capacity.
  - 15. The method of claim 1, further comprising identifying the virtual sectors based on usage in an environment distinguishing between allocation and usage.
  - 16. The method of claim 1, further comprising installing an application for performing the method into a user environment.

17. A non-transitory computer readable storage medium programmed with computer readable code that, when executed by a computer processor, causes the processor to:
- present a virtual resource in a user interface;
  
  receive a selection of the virtual resource, the selection indicating that the virtual resource is to be securely erased;
  
  isolate the selected virtual resource, wherein to isolate the selected virtual resource, the processor;
  
  exclusively locks the selected virtual resource,stops execution of virtual machine processes associated with the selected virtual resource, anddisables a dynamic redistribution of resources to ensure uninterrupted operation;
  
  obtain access to the selected virtual resource;
  
  securely erase the selected virtual resource by overwriting all virtual sectors of the selected virtual resource; and
  
  confirm that all virtual sectors of the selected virtual resource have been overwritten.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein the computer readable code further configures the processor to:
    - map the overwriting to a physical layer associated with the virtual sectors of the selected virtual resource.
  - 19. The non-transitory computer readable storage medium of claim 17, wherein the computer readable code further configures the processor to:
    - issue a certificate of sanitization indicating secure erasure of the selected virtual resource.
  - 20. The non-transitory computer readable storage medium of claim 17, wherein the computer readable code further configures the processor to:
    - dereference a unique identifier of the selected virtual resource, to disassociate a logical layer having the selected virtual resource from the physical layer.
  - 21. The non-transitory computer readable storage medium of claim 17, wherein the computer readable code further configures the processor to:
    - overwrite all virtual sectors of the selected virtual resource in compliance with a NIST 800-88 standard.
  - 22. The non-transitory computer readable storage medium of claim 17, wherein the computer readable code further configures the processor to:
    - confirm that all virtual sectors of the selected virtual resource have been overwritten using a hash value.
  - 23. The non-transitory computer readable storage medium of claim 17, wherein the computer readable code further configures the processor to:
    - receive a target host and user credentials.
  - 24. The non-transitory computer readable storage medium of claim 17, wherein the computer readable code further configures the processor to:
    - determine an environment processing capacity and throttle the overwriting based on the environment processing capacity.
  - 25. The non-transitory computer readable storage medium of claim 17, wherein the computer readable code further configures the processor to:
    - identify the virtual sectors based on usage in an environment distinguishing between allocation and usage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vsector Security Technologies, LLC
Original Assignee
Vsector Security Technologies, LLC
Inventors
Jones, Jeffrey A., Oken, Michael Lawrence, Weber, Martin
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/711,153
Publication Number

US 20160335004A1
Time in Patent Office

580 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/1458   by checking the subject acc...

G06F 12/1475   in a virtual system, e.g. w...

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45587   Isolation or security of vi...

G06F 21/00   Security arrangements for p...

G06F 21/62   Protecting access to data v...

G06F 2212/1052   Security improvement

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 3/0608   Saving storage space on sto...

G06F 3/0619   in relation to data integri...

G06F 3/0641   De-duplication techniques

G06F 3/0665   at area level, e.g. provisi...

G06F 3/067   Distributed or networked st...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/50   Allocation of resources, e....

H04L 9/3239   involving non-keyed hash fu...

Secure virtual sector erasure method and system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure virtual sector erasure method and system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links