Systems and methods for securely provisioning the geographic location of physical infrastructure elements in cloud computing environments

US 9,621,347 B2
Filed: 09/02/2015
Issued: 04/11/2017
Est. Priority Date: 09/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method for provisioning physical geographic location of a physical infrastructure device associated with a hypervisor host, the method comprising:

performing processing to obtain initial geo location data of the device, including;

invoking one or more attestation service component(s) to issue a unique geo acquisition code that is only valid for a predefined time;

sending a request for the initial geo location data including the acquisition code to a geographic data acquisition component; and

receiving the initial geo location data from the geographic data acquisition component in response to the request, the initial geo location data comprising location, date, time data, and the acquisition code, and being signed by a key of the geo data acquisition component;

determining verified geo location data of the device by performing validation, via the attestation service component(s), of the initial geo location data to provide the verified geo location data upon successful validation;

writing, via the attestation service component(s), the verified geo location data into a Hardware Security Module of the hypervisor host.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods relating to improved security in cloud computing environments are disclosed. According to one illustrative implementation, a method for provisioning physical geographic location of a physical infrastructure device associated with a hypervisor host is provided. Further, the method may include performing processing to obtain initial geo location data of the device, determining verified geo location data of the device by performing validation, via an attestation service component, of the initial geo location data to provide verified geo location data, and writing the verified geo location data into HSM or TPM space of the hypervisor host.

22 Citations

View as Search Results

46 Claims

1. A method for provisioning physical geographic location of a physical infrastructure device associated with a hypervisor host, the method comprising:
- performing processing to obtain initial geo location data of the device, including;
  
  invoking one or more attestation service component(s) to issue a unique geo acquisition code that is only valid for a predefined time;
  
  sending a request for the initial geo location data including the acquisition code to a geographic data acquisition component; and
  
  receiving the initial geo location data from the geographic data acquisition component in response to the request, the initial geo location data comprising location, date, time data, and the acquisition code, and being signed by a key of the geo data acquisition component;
  
  determining verified geo location data of the device by performing validation, via the attestation service component(s), of the initial geo location data to provide the verified geo location data upon successful validation;
  
  writing, via the attestation service component(s), the verified geo location data into a Hardware Security Module of the hypervisor host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 39, 40, 41, 42, 43, 44)
- - 2. The method of claim 1 wherein the unique geo acquisition code includes date, Host MAC, Host BIOS SERIAL NUMBER, and verification or check information.
  - 3. The method of claim 2 wherein the verification or check information includes or involves a public key of the attestation service component(s).
  - 4. The method of claim 2 wherein the verification or check information includes or involves a RANDOM(6) code or value.
  - 5. The method of claim 1 further comprising encrypting the initial geo location data transmitted from the geographic data acquisition component with a private key of the attestation service component and/or a public key of geographic location application software or mobile application software.
  - 6. The method of claim 1 wherein the performing processing to obtain the initial geo location data of the device, further includes, at the geographic data acquisition component:
    - processing preliminary geo location data along with the acquisition code to provide a concatenated data object or sequence, the data object or sequence including latitude, longitude, date, time, and the acquisition code;
      
      signing of the data object or sequence by the geographic data acquisition component using a private key;
      
      transmitting the signed data object or sequence to a provisioning component for validation and writing of the verified geo location data into the hypervisor host.
  - 7. The method of claim 1 wherein the performing validation comprises:
    - obtaining current time from a valid time source; and
      
      utilizing the obtained present time to verify that the time data within the received initial geo location data is within an allotted threshold.
  - 8. The method of claim 7 wherein the valid time source is the attestation service component(s).
  - 9. The method of claim 7 wherein the allotted threshold is set as a fixed number of hours, minutes and/or seconds defined by a system owner based on accuracy requirements.
  - 10. The method of claim 1 wherein the performing validation comprises:
    - validating that the geographic data acquisition component which signed the initial geo location data is an approved provider of location information.
  - 11. The method of claim 1 wherein the performing validation comprises:
    - validating that the signing of the initial geo location data was performed by a public key assigned to the geographic data acquisition component.
  - 12. The method of claim 1 further comprising:
    - utilizing, via virtual data center orchestration service software, the verified geographic data values stored in the Hardware Security Module as true and attested location of virtual machines running on or associated with the hypervisor host.
  - 13. The method of claim 12 wherein the virtual data center orchestration software includes or utilizes xStream application(s).
  - 14. The method of claim 1 wherein the provisioning of the physical geographic location is performed by provisioning application software executed via the device'"'"'s pixi boot and/or physical media insertion process.
  - 15. The method of claim 1 wherein the predefined time is a current time plus a specified period of additional time.
  - 16. The method of claim 15 wherein the specified period of additional time is defined as a function of tolerance requirements for accuracy of a system owner using the verified geo location data.
  - 17. The method of claim 1 wherein characters of the unique geo acquisition code and an encryption public key are emailed to an owner of a data center operating the hypervisor host via the attestation service.
  - 18. The method of claim 1 wherein the Hardware Security Module comprises a Trusted Platform Module.
  - 19. The method of claim 18 wherein the Trusted Platform Module executes using TXT technology.
  - 20. The method of claim 1 wherein the geo location data includes GPS data and the geographic data acquisition component is a GPS acquisition component.
  - 21. The method of claim 1 further comprising:
    - managing a virtual environment associated with the hypervisor host via virtualization management software that utilizes a set of allowed geo tag locations configured according to proscribed geo fencing policy information, the proscribed policy information including location(s) where one or more associated virtual machines may launch and/or perform computing operations based on one or more computing resource requirements.
  - 22. The method of claim 21 wherein the one or more computing resource requirements include one or both of a legal requirement and/or a compliance related requirement.
  - 23. The method of claim 21 further comprising, in connection with a compute migration:
    - checking the geo fencing policy information to ensure that a computing workload can launch in a target geographic location;
      
      determining whether or not the workload is allowed; and
      
      disallowing the computing resource migration when it is determined that the workload cannot be launched in the target geographic location.
  - 24. The method of claim 1 further comprising:
    - processing information regarding enforcement of geographic execution of a virtual machine guest based on the verified geo location data.
  - 25. The method of claim 1 further comprising:
    - processing information regarding enforcement of geographic execution of a virtual machine guest based on the verified geo location data and proscribed policy information including location(s) where one or more associated virtual machines may launch and/or perform computing operations.
  - 26. The method of claim 1 further comprising securely processing the geo location and time data using one or more signatures or keys to provide confirmation of a real physical location of the device running on the hypervisor host.
  - 27. The method of claim 1 wherein, in instances where the device cannot directly receive communications or location information from GPS satellites, the performing processing to obtain initial geo location data of the device further includes a first step comprising:
    - providing an actual geographic position of the device via a mobile application device having an enabled GPS receiver and an associated mobile application software process.
  - 28. The method of claim 27 wherein the associated mobile application software process includes:
    - launching the geographic location provisioning process via the mobile application device and/or associated mobile application software upon installation of the server; and
      
      providing the administrator a set period of time to bring the mobile device into communication or GPS range to establish initial geographic information of the physical location where the server was deployed.
  - 29. The method of claim 1 wherein, as a function of analyzing time relativity based on attested times of geographic tagging provisioning activity relative to physical device time, GPS data acquisition time, acquisition system device time, and unique acquisition code data, high integrity of the verified geo location data is achieved.
  - 39. A method for establishing a physical geographic location of a data processing device associated with a hypervisor host, the method comprising:
    - receiving the data processing device at a data center;
      
      integrating the device into a physical rack of the data center; and
      
      performing a geographic location provisioning process in accordance with claim 1 to establish the physical geographic location of the device.
  - 40. The method of claim 39 further comprising performing repeated attestation of the device'"'"'s location.
  - 41. The method of claim 40 wherein the repeated attestation is performed periodically based on a system defined frequency.
  - 42. The method of claim 40 wherein the repeated attestation is performed when a trigger event is initiated or occurs.
  - 43. The method of claim 39 wherein, in instances where the device cannot directly receive communications or location information from GPS satellites, the performing processing to obtain initial geo location data of the device further includes a first step comprising:
    - providing an actual geographic position of the device via a mobile application device having an enabled GPS receiver and an associated mobile application software process.
  - 44. The method of claim 43 wherein the associated mobile application software process includes:
    - launching the geographic location provisioning process via the mobile application device and/or associated mobile application software upon installation of the server; and
      
      providing the administrator a set period of time to bring the mobile device into communication or GPS range to establish initial geographic information of the physical location where the server was deployed.

30. A method for provisioning physical geographic location of a physical infrastructure device associated with a hypervisor host, the method comprising:
- invoking one or more attestation service component(s) to issue a unique geo acquisition code that is only valid for a predefined time;
  
  sending a request for initial geo location data including the acquisition code to a geographic data acquisition component;
  
  processing the initial geo location data from the geographic data acquisition component in response to the request, the initial geo location data comprising location, date, time data, and the acquisition code, and being signed by a key of the geo data acquisition component;
  
  performing validation, via the attestation service component(s), of the initial geo location data to provide the verified geo location data upon successful validation;
  
  writing, via the attestation service component(s), the verified geo location data into the hypervisor host.
- View Dependent Claims (31, 32, 33)
- - 31. The method of claim 30 wherein the verified geo location data is written into a Hardware Security Module of the hypervisor host.
  - 32. The method of claim 31 wherein the verified geo location data is written into a Trusted Platform Module of the Hardware Security Module.
  - 33. The method of claim 32 wherein the verified geo location data is written into a PCR of the Trusted Platform Module.

34. A method for provisioning physical geographic location of a physical infrastructure device associated with a hypervisor host, the method comprising:
- invoking one or more attestation service component(s) to issue a unique geo acquisition code that is only valid for a predefined time;
  
  performing processing regarding utilization of the unique geo acquisition code and secure signature from the attestation service component(s) to obtain initial geo location data from a geographic data acquisition component;
  
  transmitting the initial geo location data and the signature to the attestation service component(s);
  
  performing validation, via the attestation service component(s), of the initial geo location data to provide the verified geo location data upon successful validation;
  
  writing, via the attestation service component(s), the verified geo location data into the hypervisor host.
- View Dependent Claims (35, 36, 37, 38)
- - 35. The method of claim 34 further comprising utilizing, via virtual data center or orchestration service software, the verified geo location data as a true and attested location of the device.
  - 36. The method of claim 34 wherein the verified geo location data is written into a Hardware Security Module of the hypervisor host.
  - 37. The method of claim 36 wherein the verified geo location data is written into a Trusted Platform Module of the Hardware Security Module.
  - 38. The method of claim 37 wherein the verified geo location data is written into a PCR of the Trusted Platform Module.

45. A system comprising:
- at least one hypervisor host with one or more physical infrastructure devices; and
  
  one or more processing devices and/or computer readable media containing computer readable instructions executable by one or more processors to provision the hypervisor host with actual geographic location information of a physical infrastructure device, the instructions executable for;
  
  performing processing to obtain initial geo location data of the device, including;
  
  invoking one or more attestation service component(s) to issue a unique geo acquisition code that is only valid for a predefined time;
  
  sending a request for the initial geo location data including the acquisition code to a geographic data acquisition component; and
  
  receiving the initial geo location data from the geographic data acquisition component in response to the request, the initial geo location data comprising location, date, time data, and the acquisition code, and being signed by a key of the geo data acquisition component;
  
  determining verified geo location data of the device by performing validation, via the attestation service component(s), of the initial geo location data to provide the verified geo location data upon successful validation;
  
  writing, via the attestation service component(s), the verified geo location data into a Hardware Security Module of the hypervisor host.

46. One or more computer readable media containing computer readable instructions executable by one or more processors to provision a hypervisor host with actual geographic location information of a physical infrastructure device associated with the hypervisor host, the instructions executable for:
- performing processing to obtain initial geo location data of the device, including;
  
  invoking one or more attestation service component(s) to issue a unique geo acquisition code that is only valid for a predefined time;
  
  sending a request for the initial geo location data including the acquisition code to a geographic data acquisition component; and
  
  receiving the initial geo location data from the geographic data acquisition component in response to the request, the initial geo location data comprising latitude, longitude, date, time data, and the acquisition code, and being signed by a key of the geo data acquisition component;
  
  determining verified geo location data of the device by performing validation, via the attestation service component(s), of the initial geo location data to provide the verified geo location data upon successful validation; and
  
  writing, via the attestation service component(s), the verified geo location data into a Hardware Security Module of the hypervisor host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIRTUSTREAM IP HOLDING COMPANY LLC (Dell Technologies Inc.)
Original Assignee
VIRTUSTREAM IP HOLDING COMPANY LLC (Dell Technologies Inc.)
Inventors
Leighton, Gregsie, Lubsey, Vincent George, Reid, Kevin
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/843,776
Publication Number

US 20160065589A1
Time in Patent Office

587 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/64   Protecting data integrity, ...

G06F 21/83   input devices, e.g. keyboar...

G06F 9/45558   Hypervisor-specific managem...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04L 9/0872   using geo-location informat...

H04L 9/0897   involving additional device...

H04L 9/3247   involving digital signatures

H04W 12/104   Location integrity, e.g. se...

H04W 4/02   Services making use of loca...

H04W 4/029   Location-based management o...

Systems and methods for securely provisioning the geographic location of physical infrastructure elements in cloud computing environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

46 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for securely provisioning the geographic location of physical infrastructure elements in cloud computing environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

46 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others