METHODS AND SYSTEMS FOR PROVIDING SECURITY TO DISTRIBUTED MICROSERVICES

US 20160269425A1
Filed: 03/13/2015
Published: 09/15/2016
Est. Priority Date: 03/13/2015
Status: Active Grant

First Claim

Patent Images

1. A system providing secure virtual boundaries for microservices, the system comprising:

at least one microservice, the at least one microservice comprising a plurality of distributed microservice components communicating with one another so as to provide a service;

a plurality of enforcement points positioned in association with the plurality of distributed microservice components to define a secure virtual boundary around the plurality of distributed microservice components; and

a director module that manages sessions and settings of the plurality of distributed microservice components within the secure virtual boundary.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems for providing security to distributed microservices are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.

52 Citations

View as Search Results

23 Claims

1. A system providing secure virtual boundaries for microservices, the system comprising:
- at least one microservice, the at least one microservice comprising a plurality of distributed microservice components communicating with one another so as to provide a service;
  
  a plurality of enforcement points positioned in association with the plurality of distributed microservice components to define a secure virtual boundary around the plurality of distributed microservice components; and
  
  a director module that manages sessions and settings of the plurality of distributed microservice components within the secure virtual boundary.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, wherein each of the plurality of enforcement points is configured to control communication of an associated distributed microservice component using stateful inspection.
  - 3. The system according to claim 1, wherein the plurality of distributed microservice components are provided by a plurality of servers in a cloud, each of the servers providing a microservice component type.
  - 4. The system according to claim 1, wherein the plurality of enforcement points are positioned within the secure virtual boundary in such a way that the plurality of enforcement points can intercept data packets entering or exiting the plurality of distributed microservice components.
  - 5. The system according to claim 1, wherein the director module implements a security profile for the at least one microservice.
  - 6. The system according to claim 5, wherein the director module detects malicious acts occurring within the secure virtual boundary by comparing network traffic measured by the plurality of enforcement points with the security profile.

7. A system, comprising:
- a plurality of microservices, each of the plurality of microservices comprising a plurality of distributed microservice components, wherein at least a portion of the distributed microservice components execute on different physical servers or virtual machines in a data center or cloud; and
  
  a plurality of logical security boundaries, wherein each of the plurality of logical security boundaries is created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components, wherein each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system according to claim 7, further comprising a director module that manages sessions and settings of the plurality of distributed microservice components within a logical security boundary.
  - 9. The system according to claim 8, wherein the director module implements a security profile for the at least one microservice by distributing a firewall policy to each of the plurality of enforcement points.
  - 10. The system according to claim 7, wherein the plurality of distributed microservice components are distributed within a cloud.
  - 11. The system according to claim 9, wherein each of the plurality of enforcement points is configured to inspect and control communication of an associated distributed microservice component using stateful inspection.
  - 12. The system according to claim 11, wherein the plurality of distributed microservice components are provided by a plurality of virtual machines in a cloud, each of the virtual machines providing a microservice component type.
  - 13. The system according to claim 7, wherein the plurality of enforcement points are positioned within a logical security boundary in such a way that they can intercept data packets entering or exiting the plurality of distributed microservice components.

14. A method for providing a logical security boundary for microservices, the method comprising:
- locating a plurality of distributed microservice components that belong to a microservice, at least a portion of the plurality of distributed microservice components being located on different physical servers or virtual machines in a data center or cloud;
  
  distributing a plurality of logical enforcement points around the plurality of distributed microservice components that belong to the microservice; and
  
  forming a logical security boundary from the plurality of logical enforcement points.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The method according to claim 14, further comprising:
    - intercepting, by the plurality of logical enforcement points, traffic entering or exiting each of the plurality of distributed microservice components; and
      
      detecting malicious behavior by inspection of the traffic.
  - 16. The method according to claim 14, further comprising implementing a security profile for the microservice.
  - 17. The method according to claim 16, wherein implementing the security profile for the microservice comprises:
    - monitoring traffic within the logical security boundary using the plurality of logical enforcement points;
      
      comparing the traffic to traffic rules included in the security profile; and
      
      providing an alert if the traffic within the logical security boundary is indicative of a malicious attack.
  - 18. The method according to claim 17, further comprising quarantining one or more of the plurality of distributed microservice components when the malicious attack is detected.
  - 19. The method according to claim 17, further comprising utilizing stateful inspection to analyze the traffic.
  - 20. The method according to claim 17, further comprising generating a visual representation of the traffic within the logical security boundary.
  - 21. The method according to claim 14, further comprising coordinating the plurality of distributed microservice components together to provide a service.
  - 22. The method according to claim 14, further comprising migrating a logical enforcement point when a distributed microservice component is migrated within the cloud.
  - 23. The method according to claim 14, further comprising deploying one or more additional logical enforcement points if one or more additional distributed microservice components are added for the microservice.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Shieh, Choung-Yaw Michael, Woolward, Marc

Granted Patent

US 10,178,070 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

METHODS AND SYSTEMS FOR PROVIDING SECURITY TO DISTRIBUTED MICROSERVICES

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR PROVIDING SECURITY TO DISTRIBUTED MICROSERVICES

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links