Systems and methods for securely provisioning the geographic location of physical infrastructure elements in cloud computing environments

US 9,960,921 B2
Filed: 02/24/2017
Issued: 05/01/2018
Est. Priority Date: 09/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining a geographic acquisition code, the geographic acquisition code being valid for a predefined period of time;

sending a request for initial geographic location data of a physical infrastructure device to a geographic data acquisition component, the request comprising the geographic acquisition code;

receiving initial geographic location data of the physical infrastructure device from the geographic data acquisition component, the initial geographic location data being signed utilizing a key of the geographic data acquisition component;

verifying geographic location data of the physical infrastructure device by validating the signature of the initial geographic location data;

writing the verified geographic location data to a hardware security module of a hypervisor host implemented by the physical infrastructure device; and

managing a virtual environment associated with the hypervisor host in accordance with a geofencing policy utilizing the verified geographic location data written to the hardware security module of the hypervisor host, the geofencing policy specifying one or more approved geographic locations where different virtual machines are permitted to at least one of launch and perform computing operations.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods relating to improved security in cloud computing environments are disclosed. According to one illustrative implementation, a method for provisioning physical geographic location of a physical infrastructure device associated with a hypervisor host is provided. Further, the method may include performing processing to obtain initial geo location data of the device, determining verified geo location data of the device by performing validation, via an attestation service component, of the initial geo location data to provide verified geo location data, and writing the verified geo location data into HSM or TPM space of the hypervisor host.

Citations

20 Claims

1. A method comprising:
- obtaining a geographic acquisition code, the geographic acquisition code being valid for a predefined period of time;
  
  sending a request for initial geographic location data of a physical infrastructure device to a geographic data acquisition component, the request comprising the geographic acquisition code;
  
  receiving initial geographic location data of the physical infrastructure device from the geographic data acquisition component, the initial geographic location data being signed utilizing a key of the geographic data acquisition component;
  
  verifying geographic location data of the physical infrastructure device by validating the signature of the initial geographic location data;
  
  writing the verified geographic location data to a hardware security module of a hypervisor host implemented by the physical infrastructure device; and
  
  managing a virtual environment associated with the hypervisor host in accordance with a geofencing policy utilizing the verified geographic location data written to the hardware security module of the hypervisor host, the geofencing policy specifying one or more approved geographic locations where different virtual machines are permitted to at least one of launch and perform computing operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the geographic data acquisition component comprises a mobile device separate from the physical infrastructure device.
  - 3. The method of claim 2 wherein the physical infrastructure device provides the geographic acquisition code to the mobile device in conjunction with the request for the initial geographic location data.
  - 4. The method of claim 1 wherein verifying the geographic location data of the physical infrastructure device comprises:
    - obtaining a current time from a time source; and
      
      verifying that time data in the initial geographic location data is within a designated threshold of the current time.
  - 5. The method of claim 4 wherein the time source comprises one or more attestation service components implemented using the physical infrastructure device.
  - 6. The method of claim 1 wherein the hardware security module comprises a trusted platform module.
  - 7. The method of claim 6 wherein the verified geographic location data is written to a platform configuration register (PCR) of the trusted platform module.
  - 8. The method of claim 1 wherein managing the virtual environment comprises, in connection with a migration of a computing workload associated with a given virtual machine to a target geographic location comprising the physical infrastructure device:
    - checking whether the verified geographic location data written to the hardware security module of the hypervisor host for the physical infrastructure device matches at least one of the approved geographic locations for the given virtual machine.

9. A system comprising:
- a physical infrastructure device implementing a hypervisor host;
  
  the physical infrastructure device being configured;
  
  to obtain a geographic acquisition code, the geographic acquisition code being valid for a predefined period of time;
  
  to send a request for initial geographic location data of the physical infrastructure device to a geographic data acquisition component, the request comprising the geographic acquisition code;
  
  to receive initial geographic location data of the physical infrastructure device from the geographic data acquisition component, the initial geographic location data being signed utilizing a key of the geographic data acquisition component;
  
  to verify geographic location data of the physical infrastructure device by validating the signature of the initial geographic location data;
  
  to write the verified geographic location data to a hardware security module of the hypervisor host; and
  
  to manage a virtual environment associated with the hypervisor host in accordance with a geofencing policy utilizing the verified geographic location data written to the hardware security module of the hypervisor host, the geofencing policy specifying one or more approved geographic locations where different virtual machines are permitted to at least one of launch and perform computing operations.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 20)
- - 10. The system of claim 9 further comprising a mobile device, the mobile device implementing the geographic data acquisition component.
  - 11. The system of claim 10 wherein the physical infrastructure device is further configured to provide the geographic acquisition code to the mobile device in conjunction with the request for the initial geographic location data.
  - 12. The system of claim 9 wherein verifying the geographic location data of the physical infrastructure device comprises:
    - obtaining a current time from a time source; and
      
      verifying that time data in the initial geographic location data is within a designated threshold of the current time.
  - 13. The system of claim 12 wherein the time source comprises one or more attestation service components implemented using the physical infrastructure device.
  - 14. The system of claim 9 wherein the hardware security module comprises a trusted platform module.
  - 15. The system of claim 14 wherein the trusted platform module comprises one or more platform configuration registers (PCRs), and wherein the physical infrastructure device is configured to write the verified geographic location data to one or more of the PCRs of the trusted platform module.
  - 20. The system of claim 9 wherein managing the virtual environment comprises, in connection with a migration of a computing workload associated with a given virtual machine to a target geographic location comprising the physical infrastructure device:
    - checking whether the verified geographic location data written to the hardware security module of the hypervisor host for the physical infrastructure device matches at least one of the approved geographic locations for the given virtual machine.

16. A computer program product comprises a non-transitory computer readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed causes a physical infrastructure device:
- to obtain a geographic acquisition code, the geographic acquisition code being valid for a predefined period of time;
  
  to send a request for initial geographic location data of the physical infrastructure device to a geographic data acquisition component, the request comprising the geographic acquisition code;
  
  to receive initial geographic location data of the physical infrastructure device from the geographic data acquisition component, the initial geographic location data being signed utilizing a key of the geographic data acquisition component;
  
  to verify geographic location data of the physical infrastructure device by validating the signature of the initial geographic location data;
  
  to write the verified geographic location data to a hardware security module of a hypervisor host implemented by the physical infrastructure device; and
  
  to manage a virtual environment associated with the hypervisor host in accordance with a geofencing policy utilizing the verified geographic location data written to the hardware security module of the hypervisor host, the geofencing policy specifying one or more approved geographic locations where different virtual machines are permitted to at least one of launch and perform computing operations.
- View Dependent Claims (17, 18, 19)
- - 17. The computer program product of claim 16 wherein managing the virtual environment comprises, in connection with a migration of a computing workload associated with a given virtual machine to a target geographic location comprising the physical infrastructure device:
    - checking whether the verified geographic location data written to the hardware security module of the hypervisor host for the physical infrastructure device matches at least one of the approved geographic locations for the given virtual machine.
  - 18. The computer program product of claim 16 wherein the geographic data acquisition component comprises a mobile device separate from the physical infrastructure device.
  - 19. The computer program product of claim 18 wherein the physical infrastructure device provides the geographic acquisition code to the mobile device in conjunction with the request for the initial geographic location data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIRTUSTREAM IP HOLDING COMPANY LLC (Dell Technologies Inc.)
Original Assignee
VIRTUSTREAM IP HOLDING COMPANY LLC (Dell Technologies Inc.)
Inventors
Leighton, Gregsie, Lubsey, Vincent George, Reid, Kevin
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US15/441,841
Publication Number

US 20170170970A1
Time in Patent Office

431 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/64   Protecting data integrity, ...

G06F 21/83   input devices, e.g. keyboar...

G06F 9/45558   Hypervisor-specific managem...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04L 9/0872   using geo-location informat...

H04L 9/0897   involving additional device...

H04L 9/3247   involving digital signatures

H04W 12/104   Location integrity, e.g. se...

H04W 4/02   Services making use of loca...

H04W 4/029   Location-based management o...

Systems and methods for securely provisioning the geographic location of physical infrastructure elements in cloud computing environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securely provisioning the geographic location of physical infrastructure elements in cloud computing environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links