Methods and systems for secure storage segmentation based on security context in a virtual environment

US 9,185,114 B2
Filed: 12/05/2012
Issued: 11/10/2015
Est. Priority Date: 12/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by a processing device, a request to place a workload in a hypervisor-based host server;

identifying a security level of the workload;

scanning, by the processing device, a storage device associated with the hypervisor-based host server to detect a security level of one or more contents of the storage device;

identifying, by the processing device, a lowest security level from the detected security level of the one or more contents of the storage device;

assigning, by the processing device, a security level of the storage device at or below the lowest security level;

granting, by the processing device, the request to place the workload in the hypervisor-based host server when the security level of the workload corresponds to the security level of the storage device;

denying, by the processing device, the request to place the workload in the hypervisor-based host server when the security level of the workload does not correspond to the security level of the storage device; and

causing the workload to be placed in the hypervisor-based host server when the security level of the workload corresponds to the security level of the storage device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system identifies a request to place a workload in a hypervisor-based host. The computer system identifies a security level of the workload. The computer system identifies a security level of a storage device associated with the hypervisor-based host. If the security level of the workload corresponds to the security level of the storage device, the computer system grants the request to place the workload in the hypervisor-based host. If the security level of the workload does not correspond to the security level of the storage device, the computer system denies the request to place the workload in the hypervisor-based host.

10 Citations

View as Search Results

20 Claims

1. A method comprising:
- identifying, by a processing device, a request to place a workload in a hypervisor-based host server;
  
  identifying a security level of the workload;
  
  scanning, by the processing device, a storage device associated with the hypervisor-based host server to detect a security level of one or more contents of the storage device;
  
  identifying, by the processing device, a lowest security level from the detected security level of the one or more contents of the storage device;
  
  assigning, by the processing device, a security level of the storage device at or below the lowest security level;
  
  granting, by the processing device, the request to place the workload in the hypervisor-based host server when the security level of the workload corresponds to the security level of the storage device;
  
  denying, by the processing device, the request to place the workload in the hypervisor-based host server when the security level of the workload does not correspond to the security level of the storage device; and
  
  causing the workload to be placed in the hypervisor-based host server when the security level of the workload corresponds to the security level of the storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the workload is an instance of a virtual machine on the hypervisor-based host server.
  - 3. The method of claim 1 wherein granting the request to place the workload in the hypervisor-based host server comprises:
    - associating at least one virtual disk on the storage device with the workload.
  - 4. The method of claim 3, wherein the storage device is a physical disk comprising a plurality of virtual disks used by workloads on different hypervisor-based servers.
  - 5. The method of claim 4, wherein each of the workloads is assigned to one of:
    - a cloud tenant, a cloud sub-tenant, or an operation performed for a cloud tenant or sub-tenant.
  - 6. The method of claim 1, wherein the security level of the storage device is identified based on at least one of:
    - the security level of the workload or input provided by a system administrator.
  - 7. The method of claim 1, wherein the request to place the workload in the hypervisor-based host server is any one of an initial placement request with respect to the workload or a request to migrate the workload to the hypervisor-based host server from another hypervisor-based host server.

8. A system comprising:
- a memory; and
  
  a processing device coupled with the memory to;
  
  identify a request to place a workload in a hypervisor-based host server;
  
  identify a security level of the workload;
  
  scan a storage device associated with the hypervisor-based host server to detect a security level of one or more contents of the storage device;
  
  identify a lowest security level from the detected security level of the one or more contents of the storage device;
  
  assign a security level of the storage device at or below the lowest security level;
  
  grant the request to place the workload in the hypervisor-based host server when the security level of the workload corresponds to the security level of the storage device;
  
  deny the request to place the workload in the hypervisor-based host server when the security level of the workload does not correspond to the security level of the storage device; and
  
  cause the workload to be placed in the hypervisor-based host server when the security level of the workload corresponds to the security level of the storage device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the workload is an instance of a virtual machine on the hypervisor-based host server.
  - 10. The system of claim 8, wherein when granting the request to place the workload in the hypervisor-based host server comprises, the processing device further to:
    - associate at least one virtual disk on the storage device with the workload.
  - 11. The system of claim 10, wherein the storage device is a physical disk comprising a plurality of virtual disks used by workloads on different hypervisor-based servers.
  - 12. The system of claim 11, wherein each of the workloads is assigned to one of:
    - a cloud tenant, a cloud sub-tenant, or an operation performed for a cloud tenant or sub-tenant.
  - 13. The system of claim 8, wherein the security level of the storage device is identified based on at least one of:
    - the security level of the workload or input provided by a system administrator.
  - 14. The system of claim 8, wherein the request to place the workload in the hypervisor-based host server is any one of an initial placement request with respect to the workload or a request to migrate the workload to the hypervisor-based host server from another hypervisor-based host server.

15. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
- identifying a request to place a workload in a hypervisor-based host server;
  
  identifying a security level of the workload;
  
  scanning, by a processing device, a storage device associated with the hypervisor-based host server to detect a security level of one or more contents of the storage device;
  
  identifying, by the processing device, a lowest security level from the detected security level of the one or more contents of the storage device;
  
  assigning, by the processing device, a security level of the storage device at or below the lowest security level;
  
  granting, by the processing device, the request to place the workload in the hypervisor-based host server when the security level of the workload corresponds to the security level of the storage device;
  
  denying, by the processing device, the request to place the workload in the hypervisor-based host server when the security level of the workload does not correspond to the security level of the storage device; and
  
  causing the workload to be placed in the hypervisor-based host server when the security level of the workload corresponds to the security level of the storage device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage medium of claim 15, wherein the workload is an instance of a virtual machine on the hypervisor-based host server, and wherein the request to place the workload in the hypervisor-based host server is any one of an initial placement request with respect to the workload or a request to migrate the workload to the hypervisor-based host server from another hypervisor-based host server.
  - 17. The non-transitory computer readable storage medium of claim 15, wherein when granting the request to place the workload in the hypervisor-based host server, the processing device further to perform:
    - associating at least one virtual disk on the storage device with the workload.
  - 18. The non-transitory computer readable storage medium of claim 17, wherein the storage device is a physical disk comprising a plurality of virtual disks used by workloads on different hypervisor-based server.
  - 19. The non-transitory computer readable storage medium of claim 18, wherein each of the workloads is assigned to one of:
    - a cloud tenant, a cloud sub-tenant, or an operation performed for a cloud tenant or sub-tenant.
  - 20. The non-transitory computer readable storage medium of claim 15, wherein the security level of the storage device is identified based on at least one of:
    - the security level of the workload or input provided by a system administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Banerjee, Deb
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
STEINLE, ANDREW J

Application Number

US13/706,256
Publication Number

US 20140157363A1
Time in Patent Office

1,070 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5044   considering hardware capabi...

G06F 9/5077   Logical partitioning of res...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

Methods and systems for secure storage segmentation based on security context in a virtual environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for secure storage segmentation based on security context in a virtual environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others