Individualized audit log access control for virtual machines

US 9,985,970 B2
Filed: 10/09/2014
Issued: 05/29/2018
Est. Priority Date: 05/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to audit logging resources by an instantiated virtual machine from among a plurality of instantiated virtual machines in a virtual computing environment, the method comprising:

the instantiated virtual machine receiving a user token;

the instantiated virtual machine sending a request for individualized audit credentials from an authorization system, wherein the request is based on the user token and an identity, wherein the identity identifies the instantiated virtual machine; and

the instantiated virtual machine receiving the individualized audit credentials from the authorization system based at least on the user token and the identity, the individualized audit credentials enabling authorized storage of first audit data in an audit system, wherein the first audit data pertains to the instantiated virtual machine, and the authorized storage is authorized by the audit system;

the instantiated virtual machine actively operating, with the individualized audit credentials, through a first time period;

wherein when the instantiated virtual machine experiences, after the first time period, an event selected from failing verification based on the identity or having the individualized audit credentials revoked, the event is effective to cause de-authorization of the instantiated virtual machine and reporting of information regarding the de-authorized instantiated virtual machine to the audit system, and wherein the de-authorization of the instantiated virtual machine comprises determining when the instantiated virtual machine has been de-instantiated, and responsively allowing for de-authorization of the individualized audit credentials of the de-authorized de-instantiated instantiated virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To provide enhanced operation of computing systems to control access to audit logging resources by virtual machines, various systems, apparatuses, methods, and software are provided herein. In a first example, a method of operating a computing system is provided. The method includes receiving requests for audit credentials from virtual machines, and responsively providing individualized audit credentials to the virtual machines based at least on identities of the virtual machines. The method also includes, in the audit system, authorizing storage of audit data transferred by the virtual machines based at least on the individualized audit credentials accompanying the audit data. The method also includes, in the authorization system, selectively de-authorizing one or more of the virtual machines and reporting information regarding the de-authorized one or more of the virtual machines to the one or more audit systems.

Citations

22 Claims

1. A method of controlling access to audit logging resources by an instantiated virtual machine from among a plurality of instantiated virtual machines in a virtual computing environment, the method comprising:
- the instantiated virtual machine receiving a user token;
  
  the instantiated virtual machine sending a request for individualized audit credentials from an authorization system, wherein the request is based on the user token and an identity, wherein the identity identifies the instantiated virtual machine; and
  
  the instantiated virtual machine receiving the individualized audit credentials from the authorization system based at least on the user token and the identity, the individualized audit credentials enabling authorized storage of first audit data in an audit system, wherein the first audit data pertains to the instantiated virtual machine, and the authorized storage is authorized by the audit system;
  
  the instantiated virtual machine actively operating, with the individualized audit credentials, through a first time period;
  
  wherein when the instantiated virtual machine experiences, after the first time period, an event selected from failing verification based on the identity or having the individualized audit credentials revoked, the event is effective to cause de-authorization of the instantiated virtual machine and reporting of information regarding the de-authorized instantiated virtual machine to the audit system, and wherein the de-authorization of the instantiated virtual machine comprises determining when the instantiated virtual machine has been de-instantiated, and responsively allowing for de-authorization of the individualized audit credentials of the de-authorized de-instantiated instantiated virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the identity comprises a unique number generated by the instantiated virtual machine.
  - 3. The method of claim 1, wherein the identity comprises a network address of the instantiated virtual machine.
  - 4. The method of claim 1, wherein the user token is received by the instantiated virtual machine during instantiation of the instantiated virtual machine.
  - 5. The method of claim 1, wherein the authorized storage is enabled responsive to the audit system verifying the individualized audit credentials with the authorization system and responsively receiving an authorization status transferred by the authorization system.
  - 6. The method of claim 1, wherein the information regarding the de-authorized instantiated virtual machine comprises the individualized audit credentials of the de-authorized instantiated virtual machine.
  - 7. The method of claim 1, wherein the storage of the first audit data is based at least on the individualized audit credentials accompanying the first audit data.
  - 8. The method of claim 7, wherein the instantiated virtual machine is authorized to store the first audit data based on the authorization system receiving authorization check messages transferred by the audit system and responsively providing the audit system with authorization status messages indicating that the instantiated virtual machine is authorized to store the first audit data.

9. A computing system configured to control access to audit logging resources by virtual machines, the computing system comprising software instructions stored on at least one non-transitory computer-readable storage medium, wherein the software instructions are configured, when executed by one or more processors, to enable the computing system to:
- receive a request from an instantiated virtual machine from among a plurality of instantiated virtual machines for audit credentials, wherein the request is based on at least a user token and an identity from the instantiated virtual machine;
  
  provide, in response to the request, individualized audit credentials to the instantiated virtual machine based at least on the user token and the identity;
  
  authorize storage of audit data transferred by the instantiated virtual machine over a first period of time based at least on the individualized audit credentials; and
  
  de-authorize the instantiated virtual machine, after the first period of time, and report information regarding de-authorization of the instantiated virtual machine, responsive to at least one of the following;
  
  failed verification of the instantiated virtual machine based on the identity, orrevocation of the individualized audit credentials; and
  
  wherein the de-authorization of the instantiated virtual machine comprises determining when the instantiated virtual machine has been de-instantiated, and responsively allowing for de-authorization of the individualized audit credentials of the de-authorized de-instantiated instantiated virtual machine.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The computing system of claim 9, wherein the identity comprises a unique number generated by the instantiated virtual machine.
  - 11. The computing system of claim 9, wherein the identity comprises a network address of the instantiated virtual machine.
  - 12. The computing system of claim 9, wherein the identity comprises an access token provided to the instantiated virtual machine during instantiation of the instantiated virtual machine.
  - 13. The computing system of claim 9, wherein the software instructions are configured, when executed by one or more processors, to enable the computing system to:
    - authorize storage of the audit data transferred by the instantiated virtual machine by at least checking the individualized audit credentials with an authorization system and responsively receiving an authorization status transferred by the authorization system.
  - 14. The computing system of claim 9, wherein the software instructions are configured, when executed by one or more processors, to enable the computing system to:
    - de-authorize the instantiated virtual machine by at least determining when the instantiated virtual machine has been de-instantiated, and responsively de-authorizing the individualized audit credentials of the de-authorized instantiated virtual machine.
  - 15. The computing system of claim 9, wherein the information regarding the de-authorized instantiated virtual machine comprises the individualized audit credentials of the de-authorized instantiated virtual machine.
  - 16. The computing system of claim 9, wherein the software instructions are configured, when executed by one or more processors, to enable the computing system to:
    - store the audit data transferred by the instantiated virtual machine based at least on the individualized audit credentials accompanying the audit data.
  - 17. The computing system of claim 16, wherein the software instructions are configured, when executed by one or more processors, to enable the computing system to:
    - receive authorization check messages transferred by an audit system and responsively provide authorization status messages for delivery to the audit system indicating whether the instantiated virtual machine is authorized to store the audit data.

18. A computer-implemented method for controlling access to audit logging resources by a plurality of virtual machines, the method comprising:
- receiving a request from an instantiated virtual machine for audit credentials, wherein the request is based on at least a user token and an identity received from the instantiated virtual machine;
  
  providing, in response to the request, individualized audit credentials to the instantiated virtual machine based at least on the user token and the identity;
  
  authorizing storage of audit data, in an audit system, transferred by the instantiated virtual machine based at least on the individualized audit credentials; and
  
  de-authorizing the instantiated virtual machine and reporting information regarding de-authorization of the instantiated virtual machine, responsive to at least one of the following;
  
  failed verification of the instantiated virtual machine based on the identity, orrevocation of the individualized audit credentials; and
  
  wherein the de-authorization of the instantiated virtual machine comprises determining when the instantiated virtual machine has been de-instantiated, and responsively allowing for de-authorization of the individualized audit credentials of the de-authorized de-instantiated instantiated virtual machine.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The computer-implemented method of claim 18, wherein the user token is provided to the instantiated virtual machine during instantiation of the instantiated virtual machine.
  - 20. The computer-implemented method of claim 18, wherein the authorized storage is enabled responsive to the audit system verifying the individualized audit credentials with an authorization system and responsively receiving an authorization status transferred by the authorization system.
  - 21. The computer-implemented method of claim 18, wherein the information regarding de-authorization of the instantiated virtual machine comprises the individualized audit credentials of the de-authorized instantiated virtual machine.
  - 22. The computer-implemented method of claim 18, wherein the instantiated virtual machine is authorized to store the first audit data based on an authorization system receiving authorization check messages transferred by the audit system and responsively providing the audit system with authorization status messages indicating that the instantiated virtual machine is authorized to store the first audit data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
Conjur, Inc. (CyberArk Software Ltd.)
Inventors
Gilpin, Kevin, Lawler, Elizabeth
Primary Examiner(s)
DOAN, TRANG T

Application Number

US14/510,230
Publication Number

US 20150350214A1
Time in Patent Office

1,328 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/1425   Traffic logging, e.g. anoma...

Individualized audit log access control for virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Individualized audit log access control for virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links