Method and system for providing a virtual asset perimeter

US 9,473,481 B2
Filed: 07/31/2014
Issued: 10/18/2016
Est. Priority Date: 07/31/2014
Status: Active Grant

First Claim

Patent Images

1. A computing system implemented method for providing a virtual perimeter for assets, comprising:

maintaining, by a first instance of a virtual perimeter agent installed on a first virtual asset of a first plurality of assets, a data structure for identifying a first plurality of assets, wherein separate instances of the virtual perimeter agent reside on each virtual asset of the first plurality of assets, wherein the data structure includes identifiers for each asset of the first plurality of assets, wherein the first plurality of assets include virtual assets and computing systems configured to communicate over one or more networks, wherein the first plurality of assets is within a first virtual perimeter and a second plurality of assets is outside the first virtual perimeter but is inside a second virtual perimeter, at least one virtual asset of the second plurality of assets being assigned a first set of roles associated with the second virtual perimeter, wherein a given asset being assigned a role with respect to a given virtual perimeter enables the given asset to perform one or more virtual asset operations within the given virtual perimeter and restricts the given asset from performing other virtual asset operations within the given virtual perimeter;

providing services, by the first virtual asset to a second virtual asset of the first plurality of assets, at least partially based on the identifiers for the first plurality of assets and based on a first role assigned to the first virtual asset, wherein the first role is enforced on the first of the first plurality of assets by the first instance of the virtual perimeter agent;

qualifying, by the virtual perimeter agent of the first virtual asset by virtue of the first virtual asset being assigned a first virtual perimeter role enabling admissions operations, a third virtual asset of the second plurality of assets for admission into the first virtual perimeter by determining whether the third virtual asset satisfies criteria for admission into the first virtual perimeter, the qualification of the third virtual asset including;

requesting, by the virtual perimeter agent of the first virtual asset of the third virtual asset, communications history of the third virtual asset;

receiving, responsive to the request and from the third virtual asset at the first virtual asset, communications history data of the third virtual asset; and

analyzing, by the virtual perimeter agent of the first virtual asset, the communications history data and comparing the communications history data against admissions and exclusionary criteria to determine whether to qualify the third virtual asset;

admitting, by the virtual perimeter agent of the first virtual asset, the qualified third virtual asset into the first virtual perimeter by;

installing, by the virtual perimeter agent of the first virtual asset, an instance of the virtual perimeter agent on the admitted qualified third virtual asset;

adding, by the virtual perimeter agent of the first virtual asset, an identifier of the one of the second plurality of assets to the data structure; and

assigning, by the virtual perimeter agent of the first virtual asset, a second role to the one of the second plurality of assets to determine second access privileges of the one of the second plurality of assets within the virtual perimeter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method provides a virtual perimeter by maintaining a data structure for identifying a first plurality of assets, according to one embodiment. The system and method provides services to a second of the first plurality of assets, at least partially based on identifiers for the first plurality of assets and at least partially based on a first role assigned to a first of the first plurality of assets, according to one embodiment. The system and method include admitting one of a second plurality of assets into the virtual perimeter if characteristics of the one of the second plurality of assets satisfy criteria for admission to the virtual perimeter, according to on embodiment.

223 Citations

30 Claims

1. A computing system implemented method for providing a virtual perimeter for assets, comprising:
- maintaining, by a first instance of a virtual perimeter agent installed on a first virtual asset of a first plurality of assets, a data structure for identifying a first plurality of assets, wherein separate instances of the virtual perimeter agent reside on each virtual asset of the first plurality of assets, wherein the data structure includes identifiers for each asset of the first plurality of assets, wherein the first plurality of assets include virtual assets and computing systems configured to communicate over one or more networks, wherein the first plurality of assets is within a first virtual perimeter and a second plurality of assets is outside the first virtual perimeter but is inside a second virtual perimeter, at least one virtual asset of the second plurality of assets being assigned a first set of roles associated with the second virtual perimeter, wherein a given asset being assigned a role with respect to a given virtual perimeter enables the given asset to perform one or more virtual asset operations within the given virtual perimeter and restricts the given asset from performing other virtual asset operations within the given virtual perimeter;
  
  providing services, by the first virtual asset to a second virtual asset of the first plurality of assets, at least partially based on the identifiers for the first plurality of assets and based on a first role assigned to the first virtual asset, wherein the first role is enforced on the first of the first plurality of assets by the first instance of the virtual perimeter agent;
  
  qualifying, by the virtual perimeter agent of the first virtual asset by virtue of the first virtual asset being assigned a first virtual perimeter role enabling admissions operations, a third virtual asset of the second plurality of assets for admission into the first virtual perimeter by determining whether the third virtual asset satisfies criteria for admission into the first virtual perimeter, the qualification of the third virtual asset including;
  
  requesting, by the virtual perimeter agent of the first virtual asset of the third virtual asset, communications history of the third virtual asset;
  
  receiving, responsive to the request and from the third virtual asset at the first virtual asset, communications history data of the third virtual asset; and
  
  analyzing, by the virtual perimeter agent of the first virtual asset, the communications history data and comparing the communications history data against admissions and exclusionary criteria to determine whether to qualify the third virtual asset;
  
  admitting, by the virtual perimeter agent of the first virtual asset, the qualified third virtual asset into the first virtual perimeter by;
  
  installing, by the virtual perimeter agent of the first virtual asset, an instance of the virtual perimeter agent on the admitted qualified third virtual asset;
  
  adding, by the virtual perimeter agent of the first virtual asset, an identifier of the one of the second plurality of assets to the data structure; and
  
  assigning, by the virtual perimeter agent of the first virtual asset, a second role to the one of the second plurality of assets to determine second access privileges of the one of the second plurality of assets within the virtual perimeter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - selectively denying requests for the services, if the requests for the services are received from a computing system that is excluded from the data structure.
  - 3. The method of claim 1, further comprising:
    - expelling, by the virtual perimeter agent of the first virtual asset, a suspicious asset of the first plurality of assets from the first virtual perimeter if one or more characteristics of the suspicious asset fails to satisfy the criteria for admission to the first virtual perimeter.
  - 4. The method of claim 3, wherein the characteristics of the suspicious asset include one or more of an IP address, an availability of computing security software, exposure to a potential security threat, and types of users to which services are provided.
  - 5. The method of claim 1, wherein an instance of the data structure is included in a plurality of instances of the virtual perimeter agent.
  - 6. The method of claim 1, wherein the first plurality of assets includes one or more mobile devices, servers, and virtual machines.
  - 7. The method of claim 1, wherein the services include one or more database hosting services, information management services, and application hosting services.
  - 8. The method of claim 1, wherein the identifiers for the first plurality of assets include at least one of an IP address, a device ID, and an asset type descriptor for each of the first plurality of assets.
  - 9. The method of claim 1, wherein each of the first plurality of assets is associated with at least one of a plurality of roles that defines at least one of a plurality of access privileges within the virtual perimeter.
  - 10. The method of claim 9, wherein the plurality of roles include at least one of architect privileges, security privileges, developer privileges, user privileges, content generator privileges, editor privileges, and operator privileges.
  - 11. The method of claim 10, wherein operations associated with admitting any of the second plurality of assets to the virtual perimeter are enabled only for ones of the first plurality of assets having architect privileges or security privileges.
  - 12. The method of claim 10, wherein ones of the first plurality of assets having security privileges selectively scan the first plurality of assets for potential security threats.
  - 13. The method of claim 12, wherein selectively scanning the first plurality of assets for the potential security threats includes:
    - monitoring communications traffic for digital signatures associated with the potential security threats; and
      
      searching memory for the digital signatures associated with the potential security threats.

14. A computing system implemented method for maintaining a virtual perimeter of communicatively coupled assets, comprising:
- receiving, at a virtual perimeter agent of a first virtual asset from a second virtual asset, a request for access to a first virtual perimeter, wherein the first asset is one of a first plurality of assets and the second asset is one of a second plurality of assets different from the first plurality of assets, wherein the first plurality of assets are included within the first virtual perimeter and the second plurality of assets are outside the virtual perimeter, wherein each of the first plurality of assets and each of the second plurality of assets include one or more of a server, a computing system, a virtual machine, and a mobile device, at least one virtual asset of the second plurality of assets being granted a first set of roles associated with a second virtual perimeter, wherein a given asset being assigned a role with respect to a given virtual perimeter enables the given asset to perform one or more virtual asset operations within the given virtual perimeter and restricts the given asset from performing other virtual asset operations within the given virtual perimeter;
  
  transmitting, by the virtual perimeter agent of the first virtual asset to the second virtual asset, a request for communications history data of the second virtual asset;
  
  receiving, from the second virtual asset by the first virtual asset, communications history data of the second asset;
  
  analyzing, by the virtual perimeter agent of the first virtual asset, the communications history data and comparing the communications history data against admissions and exclusionary criteria to determine whether to qualify the second virtual asset for access to the first virtual perimeter;
  
  qualifying, responsive to completing the analysis by the first virtual asset, by virtue of the first virtual asset being assigned a first virtual perimeter role enabling admissions operations, the second virtual asset;
  
  admitting, by the virtual perimeter agent of the first virtual asset, the second virtual asset-into the first virtual perimeter by installing, by the virtual perimeter agent of the first virtual asset, an instance of the virtual perimeter agent on the qualified second virtual asset;
  
  assigning, by the virtual perimeter agent of the first virtual asset, a role to the second virtual asset and determining second access privileges of the one of the second plurality of assets within the virtual perimeter based on the assigned role;
  
  andproviding virtual perimeter admission information to the second asset to enable the second asset to share services and resources with the first plurality of assets within the first virtual perimeter.
- View Dependent Claims (15)
- - 15. The method of claim 14, wherein the installed virtual perimeter agent enables the second asset to perform secure communications within the virtual perimeter by identifying the first plurality of assets.

16. A system for providing a virtual perimeter, the system comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which, when executed by any set of the at least one processors, perform a process for providing the virtual perimeter for assets, the process including;
  
  maintaining, by a first instance of a virtual perimeter agent installed on a first virtual asset of a first plurality of assets, a data structure for identifying a first plurality of assets, wherein separate instances of the virtual perimeter agent reside on each virtual asset of the first plurality of assets, wherein the data structure includes identifiers for each asset of the first plurality of assets, wherein the first plurality of assets include virtual assets and computing systems configured to communicate over one or more networks, wherein the first plurality of assets is within a first virtual perimeter and a second plurality of assets is outside the first virtual perimeter but is inside a second virtual perimeter, at least one virtual asset of the second plurality of assets being assigned a first set of roles associated with the second virtual perimeter, wherein a given asset being assigned a role with respect to a given virtual perimeter enables the given asset to perform one or more virtual asset operations within the given virtual perimeter and restricts the given asset from performing other virtual asset operations within the given virtual perimeter;
  
  providing services, by the first virtual asset to a second virtual asset of the first plurality of assets, at least partially based on the identifiers for the first plurality of assets and based on a first role assigned to the first virtual asset, wherein the first role is enforced on the first of the first plurality of assets by the first instance of the virtual perimeter agent;
  
  qualifying, by the first virtual asset by virtue of the first virtual asset being assigned a first virtual perimeter role enabling admissions operations, a third virtual asset of the second plurality of assets for admission into the first virtual perimeter by determining whether the third virtual asset satisfies criteria for admission into the first virtual perimeter, the qualification of the third virtual asset including;
  
  requesting, by the first virtual asset of the third virtual asset, communications history of the third virtual asset;
  
  receiving, responsive to the request and from the third virtual asset at the first virtual asset, communications history data of the third virtual asset; and
  
  analyzing, by the first virtual asset, the communications history data and comparing the communications history data against admissions and exclusionary criteria to determine whether to qualify the third virtual asset;
  
  admitting, by the first virtual asset, the qualified third virtual asset into the first virtual perimeter by;
  
  installing, by the virtual perimeter agent of the first virtual asset, an instance of the virtual perimeter agent on the admitted qualified third virtual asset;
  
  adding, by the virtual perimeter agent of the first virtual asset, an identifier of the one of the second plurality of assets to the data structure; and
  
  assigning, by the virtual perimeter agent of the first virtual asset, a second role to the one of the second plurality of assets to determine second access privileges of the one of the second plurality of assets within the virtual perimeter.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. The system of claim 16, wherein the process further comprises:
    - selectively denying requests for the services, if the requests for the services are received from a computing system that is excluded from the data structure.
  - 18. The system of claim 16, wherein the process further comprises:
    - expelling a suspicious asset of the first plurality of assets from the first virtual perimeter if characteristics of the suspicious asset fail to satisfy the criteria for admission to the first virtual perimeter.
  - 19. The system of claim 18, wherein the characteristics of the suspicious asset include one or more of an IP address, an availability of computing security software, exposure to a potential security threat, and types of users to which services are provided.
  - 20. The system of claim 16, wherein an instance of the data structure is included in instances of the virtual perimeter agent.
  - 21. The system of claim 16, wherein the first plurality of assets includes one or more mobile devices, servers, and virtual machines.
  - 22. The system of claim 16, wherein the services include one or more database hosting services, information management services, and application hosting services.
  - 23. The system of claim 16, wherein the identifiers for the first plurality of assets include at least one of an IP address, a device ID, and an asset type descriptor for each of the first plurality of assets.
  - 24. The system of claim 16, wherein each of the first plurality of assets is associated with at least one of a plurality of roles that defines at least one of a plurality of access privileges within the first virtual perimeter.
  - 25. The system of claim 24, wherein the plurality of roles include at least one of architect privileges, security privileges, developer privileges, user privileges, content generator privileges, editor privileges, and operator privileges.
  - 26. The system of claim 25, wherein admitting any of the second plurality of assets to the first virtual perimeter is limited to ones of the first plurality of assets having architect privileges or security privileges.
  - 27. The system of claim 25, wherein ones of the first plurality of assets having security privileges selectively scan the first plurality of assets for potential security threats.
  - 28. The system of claim 27, wherein selectively scanning the first plurality of assets for the potential security threats includes:
    - monitoring communications traffic for digital signatures associated with the potential security threats; and
      
      searching memory for the digital signatures associated with the potential security threats.

29. A system for maintaining a virtual perimeter of communicatively coupled assets, comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by any set of the at least one processors, perform a process for maintaining the virtual perimeter of the communicatively coupled assets, the process including;
  
  receiving, at a virtual perimeter agent of a first virtual asset from a second virtual asset, a request for access to a first virtual perimeter, wherein the first asset is one of a first plurality of assets and the second asset is one of a second plurality of assets different from the first plurality of assets, wherein the first plurality of assets are included within the first virtual perimeter and the second plurality of assets are outside the virtual perimeter, wherein each of the first plurality of assets and each of the second plurality of assets include one or more of a server, a computing system, a virtual machine, and a mobile device, at least one virtual asset of the second plurality of assets being granted a first set of roles associated with a second virtual perimeter, wherein a given asset being assigned a role with respect to a given virtual perimeter enables the given asset to perform one or more virtual asset operations within the given virtual perimeter and restricts the given asset from performing other virtual asset operations within the given virtual perimeter;
  
  transmitting, by the virtual perimeter agent of the first virtual asset to the second virtual asset, a request for communications history data of the second virtual asset;
  
  receiving, from the second virtual asset by the first virtual asset, communications history data of the second asset;
  
  analyzing, by the first virtual asset, the communications history data and comparing the communications history data against admissions and exclusionary criteria to determine whether to qualify the second virtual asset for access to the first virtual perimeter;
  
  qualifying, responsive to completing the analysis by the first virtual asset, by virtue of the first virtual asset being assigned a first virtual perimeter role enabling admissions operations, the second virtual asset;
  
  admitting, by the first virtual asset, the second virtual asset-into the first virtual perimeter by installing, by the virtual perimeter agent of the first virtual asset, an instance of the virtual perimeter agent on the qualified second virtual asset;
  
  assigning, by the virtual perimeter agent of the first virtual asset, a role to the second virtual asset and determining second access privileges of the one of the second plurality of assets within the virtual perimeter based on the assigned role;
  
  andproviding virtual perimeter admission information to the second asset to enable the second asset to share services and resources with the first plurality of assets within the first virtual perimeter.
- View Dependent Claims (30)
- - 30. The system of claim 29, wherein the installed virtual perimeter agent enables the second asset to perform secure communications within the virtual perimeter by identifying the first plurality of assets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Lietz, M. Shannon, Cabrera, Luis Felipe
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/448,281
Publication Number

US 20160036795A1
Time in Patent Office

810 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Method and system for providing a virtual asset perimeter

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

223 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing a virtual asset perimeter

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

223 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links