(12) Patent Application Publication    (10) Pub. No.: US 2010/0169948 A1
Budko et al.    (43) Pub. Date: Jul. 1, 2010

US 20100169948A1

(54) INTELLIGENT SECURITY CONTROL SYSTEM FOR VIRTUALIZED ECOSYSTEMS

(75) Inventors: Renata Budko, Sunnyvale, CA (US); Hemma Prafullchandra, Mountain View, CA (US); Eric Ming Chiu, Los Altos, CA (US); Boris Strongin, Redwood City, CA (US)

Correspondence Address:
SONNENSCHEIN NATH & ROSENTHAL LLP
P.O. BOX 061080, WACKER DRIVE STATION, WILLIS TOWER
CHICAGO, IL 60606-1080 (US)

(73) Assignee: HyTrust, Inc., Mountain View, CA (US)

(21) Appl. No.: 12/347,315

(22) Filed: Dec. 31, 2008

Publication Classification

(51) Int. Cl.
G06F 9/455 (2006.01)
H04L 9/30 (2006.01)
G06F 21/00 (2006.01)
G06F 21/22 (2006.01)

(52) U.S. Cl. ................... 726/1; 718/1; 713/189; 706/53; 706/12; 726/21

(57) ABSTRACT

Resources of a virtualized ecosystem are intelligently secured by defining and analyzing object handling security control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.
[Representative drawing (see FIG. 9): Security Control System 96 connected to a Management Client (e.g., VIC, SSH, Web...) 114, to Active Directory 116, an Asset Management System 118 and a Vulnerability Scanning & Remediation System 120 ("Integration or import from extreme sources of security and compliance systems"), and to the Protected Virtual Infrastructure, in which Virtual Machines run on a Virtualization Platform 102.]

WIZ, Inc. EXHIBIT - 1081
WIZ, Inc. v. Orca Security LTD.
Patent Application Publication    Jul. 1, 2010    Sheet 1 of 9    US 2010/0169948 A1

[FIG. 1: Server 16 running several Virtual Machines; application labels recovered: Application 224, Application 222 and a third application whose numeral is cut off.]
Patent Application Publication    Jul. 1, 2010    Sheet 2 of 9    US 2010/0169948 A1

[FIG. 2: Physical Computer (i.e. Host system) 24 with Memory 28, Processor 30, Disk 32 and Network 34 and an operating system; a Virtualization Layer presents virtualized objects, among them V_Processor 38 and V_Network 42, to several Virtual Machines 44.]

FIG. 2
Patent Application Publication    Jul. 1, 2010    Sheet 3 of 9    US 2010/0169948 A1

[FIG. 3: Physical Network 48 connecting several Physical Computers (i.e. Host systems), among them 46a and 46c, each with Processor, Memory, Disk and Network; on each host a Virtualization Layer provides V_Memory, V_Processor, V_Disk and V_Network objects to multiple Virtual Machines.]

FIG. 3
Patent Application Publication    Jul. 1, 2010    Sheet 4 of 9    US 2010/0169948 A1

[FIG. 4: Physical Network - Site A 48a with Physical Computers (i.e. Host systems), each with Processor, Memory, Disk and Network, a Virtualization Layer providing V_Memory, V_Processor, V_Disk and V_Network objects, and multiple Virtual Machines.]
Patent Application Publication    Jul. 1, 2010    Sheet 5 of 9    US 2010/0169948 A1

[FIG. 4 (Cont.): Physical Network - Site B 48b with Physical Computers (i.e. Host systems) of the same composition (Processor, Memory, Disk, Network, Virtualization Layer with V_Memory, V_Processor, V_Disk and V_Network), each running multiple Virtual Machines.]

FIG. 4 (Cont.)
Patent Application Publication    Jul. 1, 2010    Sheet 6 of 9    US 2010/0169948 A1

[FIG. 5: hierarchy of virtual object classifications; labels recovered: Patch_Frequency = 4, Patch_Frequency = 1.]

FIG. 5

[FIG. 6: a Virtual Object (VO) 62 before and after "Add Controls": the controls are attached to the VO as an Embedded Control Block 64.]

FIG. 6
Patent Application Publication    Jul. 1, 2010    Sheet 7 of 9    US 2010/0169948 A1

[FIG. 7, flowchart for protecting a virtual machine:]
70: Establish a new lock on the virtual machine and its associated virtual disk files.
72: Determine the level of protection required and encryption tuning parameters.
74: Select an appropriate cipher algorithm and generate encryption keys.
76: Apply any re-formatting changes, if needed.
78: Encrypt the sector(s) of data based on the specified level of protection.
80: Encrypt the symmetric encryption key with an asymmetric public key.
82: Add any necessary metadata into the protected virtual machine.

FIG. 7
Patent Application Publication    Jul. 1, 2010    Sheet 8 of 9    US 2010/0169948 A1

[FIG. 8, flowchart for un-protecting a virtual machine (the label of step 84 is not recoverable):]
86: Retrieve the metadata from the protected VM disk file.
88: Retrieve the identity/location information of the associated asymmetric private key.
90: Decrypt the symmetric encryption key using the asymmetric private key.
92: Decrypt the protected disk files with the symmetric encryption key.

FIG. 8
Patent Application Publication    Jul. 1, 2010    Sheet 9 of 9    US 2010/0169948 A1

[FIG. 9: Security Control System 96 connected to a Management Client (e.g., VIC, SSH, Web...) 114, to Active Directory 116, an Asset Management System 118 and a Vulnerability Scanning & Remediation System 120 ("Integration or import from extreme sources of security and compliance systems"), and to the Protected Virtual Infrastructure, in which Virtual Machines run on a Virtualization Platform 102.]

FIG. 9
US 2010/0169948 A1    Jul. 1, 2010

INTELLIGENT SECURITY CONTROL SYSTEM FOR VIRTUALIZED ECOSYSTEMS

FIELD OF THE INVENTION

[0001] The present invention relates to a security control system adapted to define and analyze object handling control information, for example, control information that may influence or impact security and compliance of a virtualized ecosystem, and derive from it object properties for each of a number of logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.
BACKGROUND

[0002] Virtualization is a term that has been coined to refer to the abstraction of computer resources. This includes abstraction of both hardware and software at multiple levels, from individual servers and clients to storage to complete networks. In this latter instance, the term "virtual infrastructure" has been used to refer to abstracted resources of a computer network, inclusive of all the hardware and software. Virtualization thus transforms physical hardware and software resources into virtual machines (and other virtual objects) that are capable of running their own operating systems and applications across any of a variety of platforms. Virtualization also allows the packaging of a complete operating system and applications as a portable virtual environment (also referred to as encapsulation), which can be moved from one virtualization platform to another (regardless of vendor).

[0003] Among the many benefits afforded by virtualization technology are increased flexibility and reduced cost of infrastructure management, largely driven by the encapsulation and portability inherent to virtual machines. With the benefits of virtualization, however, come several serious security risks. Because virtual infrastructures can now be managed remotely through software, controls that existed in the pre-virtualization world are now relaxed or bypassed altogether. Users with access to software management facilities can now create copies of the virtual machine disks with sensitive data, cause denial of service to an important application by starving it of resources, or accidentally connect a critical virtual machine to an insecure network. More malicious attacks are also possible. Indeed, the data of virtualization applications, both run-time and its associated data set, need to be protected, as it represents base hardware structures in relation to the executing payload of the operating system and application. Moreover, the portability of virtual machines and the fact that the application/data reader is encapsulated together with the data invalidates data protection methodologies of separation that rely on the security of physical storage devices.

[0004] Dynamic allocation of physical and logical resources for each instantiated virtual machine requires that every resource provider be defined separately with its own access and allocation rules, creating a multi-node service provider access system as compared to a legacy environment where a physical system with processor, memory, storage and network resources was a single bundled service provider. Moreover, the rate of change of the virtualized system makes it impractical to require human intervention when adjusting the access and allocation rules with every change. To be useful, the controls need to have a higher level of abstraction and generalization. Further, persistence, inheritance and tight coupling between the data set and the associated controls are important, as the data set routinely migrates and/or survives specific physical environments or virtualized environments.

[0005] These and other considerations demand that virtualized resources be placed under the control of stringent security facilities.
SUMMARY OF THE INVENTION

[0006] The present invention addresses the above-described concerns by providing, in one embodiment, a security control system adapted to define and analyze object handling control information, for example, control information that may influence or impact security and compliance of a virtualized ecosystem, and derive from it object properties for each of a number of logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.

[0007] In one embodiment of the invention, resources of a virtualized ecosystem are secured by defining and analyzing object handling control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem. Deriving object properties in such a scheme may involve defining, managing and enforcing controls for interactions amongst the logical resources and their interactions with an underlying physical, computer-based environment abstracted by the virtualized ecosystem. Further, the controls may be evaluated in response to an attempt to manipulate one or more of the logical resources, and prescribed behavior for the logical controls may be enforced according to a context within which the attempted manipulation is being performed and one or more properties of the logical resources.

[0008] In some cases, logical and physical objects of the virtualized ecosystem may be categorized so that objects with similar properties are grouped together, and a taxonomy of allowed hierarchical relationships of these groupings may define higher groupings thereof. In such instances, controls may be defined for the groupings within the taxonomy of allowed hierarchical relationships. Such taxonomies of allowed hierarchical relationships may be learned from the virtualized ecosystem and/or imported from existing systems and subsequently augmented.

[0009] The properties of the logical resources and the underlying physical, computer-based environment which make up the virtualized ecosystem may, in some cases, be automatically discovered through available interfaces and management clients for the virtualized ecosystem. Further, the controls may be embedded as control blocks within the logical resources and, as such, may dictate where, when, how and using what resources the logical resources can operate within the virtualized ecosystem. Logical resources at rest in the virtualized ecosystem may be encrypted according to a varying level of protection that depends on an environmental context of the logical resources.

[0010] The controls may be enforced after being validated, for example by verifying digital signatures associated with the controls. Such enforcement may then be achieved by evaluating the intentions specified in the controls, the operations being performed on the logical resources, and the environments in which they are being performed. In some cases, the control information will include control information that influences or impacts security of the virtualized ecosystem. For example, the control information may be security and compliance control information.
[0011] A further embodiment of the invention includes a system made up of a virtual infrastructure and a security control system communicatively coupled thereto. The security control system may be configured for securing resources of the virtual infrastructure by defining and analyzing object handling control information for one or more logical resources in the virtual infrastructure and deriving therefrom object properties for each of the logical resources involved in the execution of one or more virtual machines in any given context within the virtual infrastructure. The virtual machines may execute on one or more virtualization platforms, at least some of which have associated security control system agents for communication with the security control system. The virtual infrastructure may also include a storage system used by at least some of the virtual machines, and the storage system may have its own associated security control system agent. In other cases, some of the components of the virtual infrastructure may communicate with the security control system through one or more management clients or interfaces.

[0012] The virtual infrastructure abstracts an underlying physical, computer-based environment, and the security control system is, in some instances, configured to define, manage and enforce controls for interactions amongst the logical resources and their interactions with the computer-based environment. For example, the security control system may be configured to evaluate the controls in response to attempts to manipulate one or more of the logical resources and to enforce prescribed (or learned) behavior for the controls according to a context within which the attempted manipulation is being performed and one or more properties of the logical resources. For new virtual objects or new contexts, the present security control system dynamically generates controls based on learned controls that are enforced for similar/like objects or contexts and automatically enforces them, thus preventing any security or compliance breaches. Logical and physical objects of the virtual infrastructure may be categorized so that objects with similar properties are grouped together, a taxonomy of allowed hierarchical relationships of these groupings defines higher groupings thereof, and the controls may be defined for the groupings within the taxonomy of allowed hierarchical relationships.

[0013] Still further embodiments of the present invention provide for protecting a virtual machine by establishing a lock on the virtual machine and its associated virtual disk files; determining a required level of protection for the virtual machine and encryption tuning parameters; selecting a cipher algorithm and generating encryption keys according to the encryption tuning parameters; applying re-formatting changes, if needed; encrypting sectors of data based on the determined level of protection; encrypting a symmetric encryption key with an asymmetric public key; and adding metadata along with the encrypted symmetric key into the virtual machine.

[0014] The protected virtual machine may be un-protected by retrieving metadata from a protected virtual machine disk file; retrieving identity and/or location information of an associated protected asymmetric private key; decrypting a symmetric encryption key using the unprotected asymmetric private key; and decrypting the protected virtual machine disk file with the symmetric encryption key. The identity and/or location of the protected asymmetric private key may be codified as a uniform resource locator (URL). The protection of the asymmetric private key may be provided by a user password-based encryption scheme or a security hardware module.
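Taken together, the procedures of FIG. 7 (steps 72 to 82) and FIG. 8 (steps 86 to 92), as summarized in paragraphs [0013] and [0014], are an envelope-encryption scheme for a disk image: a fresh symmetric key seals the disk data, an asymmetric public key wraps that symmetric key, and the wrapped key travels with the image as metadata whose key URL says where the private key lives. The Go program below is an added example written for this page; it is not HyTrust's code and not code disclosed by the patent. It assumes AES-256-GCM as the disk cipher, RSA-OAEP for key wrapping, a metadata structure of this example's own design, a constructed key URL, and an in-memory key store standing in for the password-protected store or hardware module of [0014]. The lock (step 70) and re-formatting (step 76) are platform operations and are not modelled, and the image is sealed as one unit rather than sector by sector.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Metadata is added to the protected VM (FIG. 7, step 82) and read back first
// when un-protecting it (FIG. 8, step 86). The field set is this example's assumption.
type Metadata struct {
	ProtectionLevel string // level chosen at step 72 (recorded, not interpreted here)
	Cipher          string // cipher selected at step 74
	KeyURL          string // identity/location of the asymmetric private key as a URL ([0014])
	WrappedKey      []byte // symmetric key encrypted with the asymmetric public key (step 80)
	Nonce           []byte // AES-GCM nonce for the disk data (step 78)
}

// ProtectedDisk is a virtual disk file after FIG. 7: metadata plus ciphertext.
type ProtectedDisk struct {
	Meta Metadata
	Data []byte
}

// KeyStore maps a key URL to the private key it identifies; a deployment would
// resolve the URL against a password-protected store or a hardware module ([0014]).
type KeyStore map[string]*rsa.PrivateKey

const oaepLabel = "vm-disk-key" // ties the wrapped key to this purpose (assumption)

// GenerateKeyPair creates the asymmetric pair whose public half wraps disk keys.
func GenerateKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectDisk performs steps 72-82 of FIG. 7 on an in-memory disk image.
func ProtectDisk(plain []byte, level string, pub *rsa.PublicKey, keyURL string) (*ProtectedDisk, error) {
	// Step 74: select the cipher (AES-256-GCM) and generate a fresh key and nonce.
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Step 78: encrypt the disk data. GCM also authenticates it, so an altered
	// ciphertext is rejected at decryption instead of yielding garbage sectors.
	sealed := gcm.Seal(nil, nonce, plain, nil)
	// Step 80: encrypt the symmetric key with the asymmetric public key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(oaepLabel))
	if err != nil {
		return nil, err
	}
	// Step 82: attach the metadata, wrapped key included, to the protected VM.
	meta := Metadata{ProtectionLevel: level, Cipher: "AES-256-GCM", KeyURL: keyURL, WrappedKey: wrapped, Nonce: nonce}
	return &ProtectedDisk{Meta: meta, Data: sealed}, nil
}

// UnprotectDisk performs steps 86-92 of FIG. 8.
func UnprotectDisk(pd *ProtectedDisk, keys KeyStore) ([]byte, error) {
	// Steps 86 and 88: read the metadata and resolve the private key it names.
	priv, ok := keys[pd.Meta.KeyURL]
	if !ok {
		return nil, fmt.Errorf("no private key available for %s", pd.Meta.KeyURL)
	}
	// Step 90: decrypt the symmetric key with the asymmetric private key.
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, pd.Meta.WrappedKey, []byte(oaepLabel))
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	// Step 92: decrypt and verify the disk data with the symmetric key.
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, pd.Meta.Nonce, pd.Data, nil)
	if err != nil {
		return nil, fmt.Errorf("disk data rejected: %w", err)
	}
	return plain, nil
}

func main() {
	priv, _ := GenerateKeyPair()
	keyURL := "hsm://example.invalid/keys/vm-17" // constructed key location
	pd, _ := ProtectDisk([]byte("constructed disk image"), "full", &priv.PublicKey, keyURL)
	got, err := UnprotectDisk(pd, KeyStore{keyURL: priv})
	fmt.Println(string(got), err) // constructed disk image <nil>
}
```

Because GCM is an authenticated cipher, the step 92 decryption doubles as an integrity check: a disk file altered after protection is rejected rather than decrypted into garbage, which is the first point at which tampering with a VM at rest becomes detectable. A key URL that no available store resolves fails at step 88, before any decryption is attempted, so an image copied away from the environment that holds its private key yields nothing.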
[0015] Still another embodiment of the invention involves evaluating and enforcing controls for attempted manipulations of virtual objects in a virtualized ecosystem according to a context within which the attempted manipulations are being performed and the properties of the virtual objects. The controls are embedded within the virtual objects and may include entitlements and access/use policies for the virtual objects.
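Paragraphs [0009], [0010], [0012] and [0015] describe controls embedded in a virtual object that are first validated (for example by verifying a digital signature) and only then evaluated against the operation being attempted, who is attempting it, and the environment in which it would take place. The Go program below is an added example for this page, not the patent's or HyTrust's code. It assumes Ed25519 signatures over a canonical JSON encoding of the control block, a control block with this example's own fields (allowed operations, roles, hosts and networks standing in for entitlements and access/use policies), and constructed object, host and network names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ControlBlock is the control information embedded in a virtual object (FIG. 6, [0009]):
// where, with what, by whom and how it may be operated. Field names are this example's.
type ControlBlock struct {
	Intent          string   `json:"intent"`           // intention stated by the control ([0010])
	AllowedOps      []string `json:"allowed_ops"`      // how: permitted manipulations
	AllowedRoles    []string `json:"allowed_roles"`    // who: entitled actor roles ([0015])
	AllowedHosts    []string `json:"allowed_hosts"`    // where: hosts the object may run on
	AllowedNetworks []string `json:"allowed_networks"` // using what: networks it may attach to
}

// SignedControlBlock couples the controls with a signature over their canonical encoding.
type SignedControlBlock struct {
	Block     ControlBlock
	Signature []byte
}

// VirtualObject is a logical resource (e.g. a VM) carrying its own controls.
type VirtualObject struct {
	Name     string
	Controls SignedControlBlock
}

// Context is an attempted manipulation: operation, actor role and environment ([0012], [0015]).
type Context struct{ Op, ActorRole, Host, Network string }

// Decision is the enforcement result; Reason is set on denial.
type Decision struct {
	Allowed bool
	Reason  string
}

// canonical returns the bytes that are signed and verified; json.Marshal emits struct
// fields in declaration order, so the encoding is stable across sign and verify.
func canonical(cb ControlBlock) []byte {
	b, _ := json.Marshal(cb) // cannot fail for a struct of strings and string slices
	return b
}

// NewSigningKey creates the key pair of the authority that issues controls.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignControls produces the signed control block that gets embedded in an object.
func SignControls(cb ControlBlock, priv ed25519.PrivateKey) SignedControlBlock {
	return SignedControlBlock{Block: cb, Signature: ed25519.Sign(priv, canonical(cb))}
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Evaluate validates the object's controls against the trusted public key and only then
// evaluates them against the context of the attempted manipulation. Controls that fail
// validation are never enforced as written: the attempt is denied.
func Evaluate(vo VirtualObject, ctx Context, trusted ed25519.PublicKey) Decision {
	cb := vo.Controls.Block
	if !ed25519.Verify(trusted, canonical(cb), vo.Controls.Signature) {
		return Decision{Reason: "signature: controls on " + vo.Name + " failed validation"}
	}
	switch {
	case !contains(cb.AllowedOps, ctx.Op):
		return Decision{Reason: "operation: " + ctx.Op + " not permitted"}
	case !contains(cb.AllowedRoles, ctx.ActorRole):
		return Decision{Reason: "entitlement: role " + ctx.ActorRole + " not permitted"}
	case !contains(cb.AllowedHosts, ctx.Host):
		return Decision{Reason: "placement: host " + ctx.Host + " not permitted"}
	case !contains(cb.AllowedNetworks, ctx.Network):
		return Decision{Reason: "network: " + ctx.Network + " not permitted"}
	}
	return Decision{Allowed: true}
}

func main() {
	pub, priv, _ := NewSigningKey()
	// Constructed object and controls; host and network names are made up.
	vm := VirtualObject{Name: "payroll-db", Controls: SignControls(ControlBlock{
		Intent:          "production hosts and network only",
		AllowedOps:      []string{"power-on", "snapshot"},
		AllowedRoles:    []string{"vm-admin"},
		AllowedHosts:    []string{"host-46a", "host-46b"},
		AllowedNetworks: []string{"prod-net"},
	}, priv)}
	fmt.Println(Evaluate(vm, Context{"power-on", "vm-admin", "host-46a", "dmz-net"}, pub))
	// Widening the controls without the signing key is caught before any rule is read.
	vm.Controls.Block.AllowedNetworks = append(vm.Controls.Block.AllowedNetworks, "dmz-net")
	fmt.Println(Evaluate(vm, Context{"power-on", "vm-admin", "host-46a", "dmz-net"}, pub))
}
```

The order of checks is the point: the signature is verified before a single rule is read, so a control block that was widened in place (the appended network in main) counts as no valid controls at all and the attempt is denied, rather than being evaluated against the altered rules. Each denial names the dimension that failed (operation, entitlement, placement, network), which is what a security operator needs in the audit trail of the control system.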
[0016] These and other features of the present invention are described in greater detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

[0017] The present invention is illustrated by way of example, and not limitation, in the figures of the accompanying drawings in which:

[0018] FIG. 1 illustrates an example of several virtual machines executing on a server;

[0019] FIG. 2 illustrates an example of a single physical computer system with a virtualization layer and virtualized objects of the system's physical elements;

[0020] FIG. 3 illustrates an example of a virtualized ecosystem made up of groups of physical computer systems on one or more physical networks;

[0021] FIG. 4 illustrates an example of a virtualized environment spanning two physical sites;

[0022] FIG. 5 illustrates an example of a hierarchy of virtual object classifications according to a classification scheme