Security within a software-defined infrastructure

US 9,652,612 B2
Filed: 03/25/2015
Issued: 05/16/2017
Est. Priority Date: 03/25/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a security container in a software-defined environment, the security container describing a workload and a set of resources, the set of resources being required by the workload;

determining a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion;

generating a plurality of sub-containers within the security container, a sub-container within the plurality of sub-containers representing only one resource-divisible portion of the workload;

determining a set of security criteria for the security container;

monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria; and

responsive to identifying a security event, adjusting one or more security mechanisms;

wherein;

the plurality of sub-containers represent an end-to-end run time environment for processing the workload;

the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers;

the set of resources are software abstractions; and

at least the steps of monitoring and adjusting are operated within the software-defined environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is a method and system that includes establishing a security container that describes a workload and a set of resources that corresponds to the workload in a software-defined environment, determining a set of security criteria for the security container, monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria, and responsive to identifying a security event, adjusting one or more security mechanisms. The steps of monitoring and adjusting are operated within the software-defined environment.

18 Citations

View as Search Results

16 Claims

1. A method comprising:
- establishing a security container in a software-defined environment, the security container describing a workload and a set of resources, the set of resources being required by the workload;
  
  determining a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion;
  
  generating a plurality of sub-containers within the security container, a sub-container within the plurality of sub-containers representing only one resource-divisible portion of the workload;
  
  determining a set of security criteria for the security container;
  
  monitoring the workload and the set of resources for security events based, at least in part, upon the set of security criteria; and
  
  responsive to identifying a security event, adjusting one or more security mechanisms;
  
  wherein;
  
  the plurality of sub-containers represent an end-to-end run time environment for processing the workload;
  
  the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers;
  
  the set of resources are software abstractions; and
  
  at least the steps of monitoring and adjusting are operated within the software-defined environment.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the set of security criteria includes a container-specific policy specification that is portable throughout the software defined environment.
  - 3. The method of claim 1, wherein the step of monitoring includes one of deep introspection, condition-based monitoring, and applying a behavior model to a resource within the set of resources.
  - 4. The method of claim 3 wherein the step of monitoring includes applying a behavior model to workload behavior, the workload behavior captured by one of a set of spatio-temporal footprints of an infrastructure element in the software-defined environment, a temporal progression of usage of the set of resources, activating a set of components within the workload, and invoking a service performed by the workload.
  - 5. The method of claim 1, wherein the step of adjusting one or more security mechanisms includes one of inserting a security mechanism, and removing a security mechanism.
  - 6. The method of claim 1, wherein the one or more security mechanisms includes isolation mechanisms provided by the plurality of sub-containers at various layers of a stack.

7. A computer program product comprising a computer readable storage medium having stored thereon program instructions programmed to:
- establish a security container in a software-defined environment, the security container describing a workload and a set of resources, the set of resources being required by the workload;
  
  determine a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion;
  
  generate a plurality of sub-containers within the security container, a sub-container within the plurality of sub-containers representing only one resource-divisible portion of the workload;
  
  determine a set of security criteria for the security container;
  
  monitor the workload and the set of resources for security events based, at least in part, upon the set of security criteria; and
  
  responsive to identifying a security event, adjust one or more security mechanisms;
  
  wherein;
  
  the plurality of sub-containers represent an end-to-end run time environment for processing the workload;
  
  the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers; and
  
  the set of resources are software abstractions.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The computer program product of claim 7, wherein the set of security criteria includes a container-specific policy specification that is portable throughout the software defined environment.
  - 9. The computer program product of claim 7, wherein the program instructions programmed to monitor are further programmed to perform one of deep introspection, condition-based monitoring, and applying a behavior model to a resource within the set of resources.
  - 10. The computer program product of claim 7, wherein adjusting one or more security mechanisms includes one of inserting a security mechanism, and removing a security mechanism.
  - 11. The computer program product of claim 7, wherein the one or more security mechanisms includes isolation mechanisms provided by the plurality of sub-containers at various layers of a stack.

12. A computer system comprising:
- a processor(s) set; and
  
  a computer readable storage medium;
  
  wherein;
  
  the processor set is structured, located, connected, and/or programmed to run program instructions stored on the computer readable storage medium; and
  
  the program instructions include program instructions programmed to;
  
  establish a security container in a software-defined environment, the security container describing a workload and a set of resources, the set of resources being required by the workload;
  
  determine a set of resource-divisible portions of the workload including a compute-resource portion, a storage resource portion, and a network resource portion;
  
  generate a plurality of sub-containers within the security container, a sub-container within the plurality of sub-containers representing only one resource-divisible portion of the workload;
  
  determine a set of security criteria for the security container;
  
  monitor the workload and the set of resources for security events based, at least in part, upon the set of security criteria; and
  
  responsive to identifying a security event, adjust one or more security mechanisms;
  
  wherein;
  
  the plurality of sub-containers represent an end-to-end run time environment for processing the workload;
  
  the end-to-end run time environment includes bare metal sub-containers and hypervisor-specific sub-containers; and
  
  the set of resources are software abstractions.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer system of claim 12, wherein the set of security criteria includes a container-specific policy specification that is portable throughout the software defined environment.
  - 14. The computer system of claim 12, wherein the program instructions programmed to monitor are further programmed to perform one of deep introspection, condition-based monitoring, and applying a behavior model to a resource within the set of resources.
  - 15. The computer system of claim 12, wherein adjusting one or more security mechanisms includes one of inserting a security mechanism, and removing a security mechanism.
  - 16. The computer system of claim 12, wherein the one or more security mechanisms includes isolation mechanisms provided by the plurality of sub-containers at various layers of a stack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Pendarakis, Dimitrios, Halim, Nagui, Rao, Josyula R., Williams, Michael D., Brech, Brad L., Franke, Hubertus, Li, Chung-Sheng, Crowder, Scott W., Hogstrom, Matt R., Pattnaik, Pratap C., Ratnaparkhi, Radha P.
Primary Examiner(s)
Korsak, Oleg

Application Number

US14/667,877
Publication Number

US 20160283713A1
Time in Patent Office

783 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5083   Techniques for rebalancing ...

Security within a software-defined infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Security within a software-defined infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links