US 20100169948A1

(19) United States
(12) Patent Application Publication        (10) Pub. No.: US 2010/0169948 A1
     Budko et al.                          (43) Pub. Date: Jul. 1, 2010

(54) INTELLIGENT SECURITY CONTROL SYSTEM FOR VIRTUALIZED ECOSYSTEMS

(75) Inventors: Renata Budko, Sunnyvale, CA (US); Hemma Prafullchandra, Mountain View, CA (US); Eric Ming Chiu, Los Altos, CA (US); Boris Strongin, Redwood City, CA (US)

Correspondence Address:
SONNENSCHEIN NATH & ROSENTHAL LLP
P.O. BOX 061080, WACKER DRIVE STATION, WILLIS TOWER
CHICAGO, IL 60606-1080 (US)

(73) Assignee: HyTrust, Inc., Mountain View, CA (US)

(21) Appl. No.: 12/347,315

(22) Filed: Dec. 31, 2008

Publication Classification

(51) Int. Cl.
     G06F 9/455 (2006.01)
     H04L 9/30 (2006.01)
     G06F 21/00 (2006.01)
     G06F 21/22 (2006.01)

(52) U.S. Cl. ........ 726/1; 718/1; 713/189; 706/53; 706/12; 726/21

(57) ABSTRACT

Resources of a virtualized ecosystem are intelligently secured by defining and analyzing object handling security control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.

[Front-page drawing: the system of FIG. 9, i.e. Security Control System 96 with its external integrations (Active Directory 116, Asset Management System 118, Vulnerability Scanning & Remediation System 120, Management Client 114, import from external security and compliance systems 94) and the Protected Virtual Infrastructure 100.]

WIZ, Inc. EXHIBIT - 1081
WIZ, Inc. v. Orca Security LTD.

[Sheet 1 of 9, FIG. 1: Server 16 running Hypervisor 18 and Virtual Machines VM 10, VM 12 and VM 14, each with its own OS (20₁, 20₂, 20₃) and Applications (22₁, 22₂, 22₃).]

[Sheet 2 of 9, FIG. 2: Physical Computer (i.e. Host system) 24 with Memory 28, Processor 30, Disk 32 and Network 34; Virtualization Layer 26 exposing V_Memory 36, V_Processor 38, V_Disk 40 and V_Network 42 to Virtual Machines 44₁, 44₂, 44₃ and 44₄.]

[Sheet 3 of 9, FIG. 3: Physical Computers (i.e. Host systems) 46a, 46b and 46c, each with Memory, Processor, Disk and Network and a Virtualization Layer exposing V_Memory+, V_Processor+, V_Disk+ and V_Network+ to several Virtual Machines; the hosts are joined by Physical Network 48.]

[Sheet 4 of 9, FIG. 4: Virtual Network 50 spanning virtualized hosts (Physical Computers, i.e. Host systems, each with Memory, Processor, Disk, Network and a Virtualization Layer exposing V_Memory+, V_Processor+, V_Disk+ and V_Network+ to Virtual Machines) on Physical Network - Site A 48a.]

[Sheet 5 of 9, FIG. 4 (Cont.): the same virtualized environment continued across further virtualized hosts on Physical Network - Site B 48b.]

[Sheet 6 of 9, FIG. 5: classification hierarchy with OS 52 (Patch_Frequency = 4) at the root, children Windows 54 (Patch_Frequency = 1) and Unix 56, and Windows 54 in turn classified into Win2003Std32 58 and Win2003Std64 60.]

[FIG. 6: Virtual Object (VO) 62 → Add Controls 64 → Embedded Control Block VO 66 → Protect → protected Embedded Control Block VO.]

[Sheet 7 of 9, FIG. 7: process 68 for protecting a virtual machine]
70: Establish a new lock on the virtual machine and its associated virtual disk files.
72: Determine the level of protection required and encryption tuning parameters.
74: Select an appropriate cipher algorithm and generate encryption keys.
76: Apply any re-formatting changes, if needed.
78: Encrypt the sector(s) of data based on the specified level of protection.
80: Encrypt the symmetric encryption key with an asymmetric public key.
82: Add any necessary metadata into the protected virtual machine.

[Sheet 8 of 9, FIG. 8: process 84 for un-protecting a virtual machine]
86: Retrieve the metadata from the protected VM disk file.
88: Retrieve the identity/location information of the associated asymmetric private key.
90: Decrypt the symmetric encryption key using the asymmetric private key.
92: Decrypt the protected disk files with the symmetric encryption key.

[Sheet 9 of 9, FIG. 9: Security Control System 96 connected to Active Directory 116, Asset Management System 118, Vulnerability Scanning & Remediation System 120, a Management Client (e.g., VIC, SSH, Web...) 114 and to integration or import from external sources of security and compliance systems 94; Protected Virtual Infrastructure 100 comprising Virtualization Platform 102 hosting Virtual Machines 104₁, 104₂, 104₃ and an ISCS VM or Agent 106, and Storage System 112 holding vmdk files 108 with an ISCS Agent 110.]

US 2010/0169948 A1
Jul. 1, 2010

INTELLIGENT SECURITY CONTROL SYSTEM FOR VIRTUALIZED ECOSYSTEMS

FIELD OF THE INVENTION

[0001] The present invention relates to a security control system adapted to define and analyze object handling control information, for example, control information that may influence or impact security and compliance of a virtualized ecosystem, and derive from it object properties for each of a number of logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.

BACKGROUND

[0002] Virtualization is a term that has been coined to refer to the abstraction of computer resources. This includes abstraction of both hardware and software at multiple levels, from individual servers and clients to storage to complete networks. In this latter instance, the term "virtual infrastructure" has been used to refer to abstracted resources of a computer network, inclusive of all the hardware and software. Virtualization thus transforms physical hardware and software resources into virtual machines (and other virtual objects) that are capable of running their own operating systems and applications across any of a variety of platforms. Virtualization also allows the packaging of a complete operating system and applications as a portable virtual environment (also referred to as encapsulation), which can be moved from one virtualization platform to another (regardless of vendor).

[0003] Among the many benefits afforded by virtualization technology are increased flexibility and reduced cost of infrastructure management, largely driven by the encapsulation and portability inherent to virtual machines. With the benefits of virtualization, however, come several serious security risks. Because virtual infrastructures can now be managed remotely through software, controls that existed in the pre-virtualization world are now relaxed or bypassed altogether. Users with access to software management facilities can now create copies of virtual machine disks holding sensitive data, cause denial of service to an important application by starving it of resources, or accidentally connect a critical virtual machine to an insecure network. More malicious attacks are also possible. Indeed, the data of virtualization applications, both the run-time state and the associated data set, needs to be protected, as it represents base hardware structures in relation to the executing payload of the operating system and application. Moreover, the portability of virtual machines, and the fact that the application/data reader is encapsulated together with the data, invalidates data protection methodologies of separation that rely on the security of physical storage devices.

[0004] Dynamic allocation of physical and logical resources for each instantiated virtual machine requires that every resource provider be defined separately with its own access and allocation rules, creating a multi-node service provider access system, as compared to the legacy environment where a physical system with processor, memory, storage and network resources was a single bundled service provider. Moreover, the rate of change of the virtualized system makes it impractical to require human intervention when adjusting the access and allocation rules with every change. To be useful, the controls need a higher level of abstraction and generalization. Further, persistence, inheritance and tight coupling between the data set and the associated controls are important, as the data set routinely migrates and/or survives specific physical environments or virtualized environments.

[0005] These and other considerations demand that virtualized resources be placed under the control of stringent security facilities.

SUMMARY OF THE INVENTION

[0006] The present invention addresses the above-described concerns by providing, in one embodiment, a security control system adapted to define and analyze object handling control information, for example, control information that may influence or impact security and compliance of a virtualized ecosystem, and derive from it object properties for each of a number of logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.

[0007] In one embodiment of the invention, resources of a virtualized ecosystem are secured by defining and analyzing object handling control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem. Deriving object properties in such a scheme may involve defining, managing and enforcing controls for interactions amongst the logical resources and their interactions with an underlying physical, computer-based environment abstracted by the virtualized ecosystem. Further, the controls may be evaluated in response to an attempt to manipulate one or more of the logical resources, and the prescribed behavior for the logical controls may be enforced according to the context within which the attempted manipulation is being performed and one or more properties of the logical resources.

[0008] In some cases, logical and physical objects of the virtualized ecosystem may be categorized so that objects with similar properties are grouped together, and a taxonomy of allowed hierarchical relationships of these groupings may define higher groupings thereof. In such instances, controls may be defined for the groupings within the taxonomy of allowed hierarchical relationships. Such taxonomies of allowed hierarchical relationships may be learned from the virtualized ecosystem and/or imported from existing systems and subsequently augmented.

[0009] The properties of the logical resources and the underlying physical, computer-based environment which make up the virtualized ecosystem may, in some cases, be automatically discovered through available interfaces and management clients for the virtualized ecosystem. Further, the controls may be embedded as control blocks within the logical resources and, as such, may dictate where, when, how and using what resources the logical resources can operate within the virtualized ecosystem. Logical resources at rest in the virtualized ecosystem may be encrypted according to a varying level of protection that depends on an environmental context of the logical resources.

[0010] The controls may be enforced after being validated, for example by verifying digital signatures associated with the controls. Such enforcement may then be achieved by evaluating the intentions specified in the controls, the operations on the logical resources being performed and the environments in which they are being performed. In some cases, the control information will include control information that influences or impacts security of the virtualized ecosystem. For example, the control information may be security and compliance control information.

[0011] A further embodiment of the invention includes a system made up of a virtual infrastructure and a security control system communicatively coupled thereto. The security control system may be configured for securing resources of the virtual infrastructure by defining and analyzing object handling control information for one or more logical resources in the virtual infrastructure and deriving therefrom object properties for each of the logical resources involved in the execution of one or more virtual machines in any given context within the virtual infrastructure. The virtual machines may execute on one or more virtualization platforms, at least some of which have associated security control system agents for communication with the security control system. The virtual infrastructure may also include a storage system used by at least some of the virtual machines, and the storage system may have its own associated security control system agent. In other cases, some of the components of the virtual infrastructure may communicate with the security control system through one or more management clients or interfaces.

[0012] The virtual infrastructure abstracts an underlying physical, computer-based environment, and the security control system is, in some instances, configured to define, manage and enforce controls for interactions amongst the logical resources and their interactions with the computer-based environment. For example, the security control system may be configured to evaluate the controls in response to attempts to manipulate one or more of the logical resources and to enforce prescribed (or learned) behavior for the controls according to the context within which the attempted manipulation is being performed and one or more properties of the logical resources. For new virtual objects or new contexts, the present security control system dynamically generates controls based on learned controls that are enforced for similar/like objects or contexts and automatically enforces them, thus preventing any security or compliance breaches. Logical and physical objects of the virtual infrastructure may be categorized so that objects with similar properties are grouped together, a taxonomy of allowed hierarchical relationships of these groupings defines higher groupings thereof, and the controls may be defined for the groupings within the taxonomy of allowed hierarchical relationships.

[0013] Still further embodiments of the present invention provide for protecting a virtual machine by establishing a lock on the virtual machine and its associated virtual disk files; determining a required level of protection for the virtual machine and encryption tuning parameters; selecting a cipher algorithm and generating encryption keys according to the encryption tuning parameters; applying re-formatting changes, if needed; encrypting sectors of data based on the determined level of protection; encrypting a symmetric encryption key with an asymmetric public key; and adding metadata, along with the encrypted symmetric key, into the virtual machine.

[0014] The protected virtual machine may be un-protected by retrieving metadata from a protected virtual machine disk file; retrieving identity and/or location information of an associated protected asymmetric private key; decrypting a symmetric encryption key using the unprotected asymmetric private key; and decrypting the protected virtual machine disk file with the symmetric encryption key. The identity and/or location of the protected asymmetric private key may be codified as a uniform resource locator (URL). The protection of the asymmetric private key may be provided by a user password-based encryption scheme or a security hardware module.
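The protect and un-protect processes of FIG. 7, FIG. 8 and paragraphs [0013]-[0014], written out as an added Go example. This is illustration code, not HyTrust's implementation and not code from the application. It assumes AES-GCM applied sector by sector (each 512-byte sector is stored together with its 16-byte tag, which plays the part of the re-formatting step 76), takes the encryption tuning parameter of step 72 to be the AES key size, wraps the symmetric key with RSA-OAEP (step 80), and leaves resolving the key-location URL of the metadata to a caller-supplied function that stands in for the password- or hardware-module-protected private key of [0014]. The key-location URL and the disk contents are constructed for the example, and the file lock of step 70 is left to the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Each 512-byte sector is stored with its 16-byte GCM tag: the re-formatting of step 76.
const sectorSize, tagSize, recSize = 512, 16, 528

// ProtectedVM is a VM at rest after FIG. 7: the re-formatted, encrypted disk file plus the
// metadata of step 82 (cipher, location of the private key as a URL per [0014], wrapped key).
type ProtectedVM struct {
	Disk        []byte
	Cipher      string
	KeyLocation string // where the asymmetric private key lives (a constructed URL in main)
	WrappedKey  []byte // symmetric key encrypted with the asymmetric public key (step 80)
}

// sectorNonce derives the 96-bit nonce from the sector index; Protect draws a fresh key on
// every call, so a (key, nonce) pair is never reused.
func sectorNonce(i int) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], uint64(i))
	return n
}

// Protect follows FIG. 7 (the file lock of step 70 is left to the caller). keyBits, 128 or
// 256, is the tuning parameter of step 72; step 74 maps it to AES-GCM and a fresh random key.
func Protect(disk []byte, keyBits int, pub *rsa.PublicKey, keyLocation string) (*ProtectedVM, error) {
	if (keyBits != 128 && keyBits != 256) || len(disk)%sectorSize != 0 {
		return nil, fmt.Errorf("unsupported key size or disk not sector aligned")
	}
	name, key := fmt.Sprintf("AES-%d-GCM", keyBits), make([]byte, keyBits/8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail: the key length was validated above
	gcm, _ := cipher.NewGCM(block)
	out := make([]byte, 0, len(disk)/sectorSize*recSize)
	for i := 0; i*sectorSize < len(disk); i++ { // step 78; the cipher name is authenticated data
		out = gcm.Seal(out, sectorNonce(i), disk[i*sectorSize:(i+1)*sectorSize], []byte(name))
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte("vm-disk-key"))
	if err != nil {
		return nil, err
	}
	return &ProtectedVM{Disk: out, Cipher: name, KeyLocation: keyLocation, WrappedKey: wrapped}, nil
}

// Unprotect follows FIG. 8: read the metadata (86), resolve the private key from its location
// (88), unwrap the symmetric key (90), decrypt the sectors (92). resolve stands in for the
// password- or hardware-module-protected private key store described in [0014].
func Unprotect(p *ProtectedVM, resolve func(keyURL string) (*rsa.PrivateKey, error)) ([]byte, error) {
	priv, err := resolve(p.KeyLocation)
	if err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, p.WrappedKey, []byte("vm-disk-key"))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // fails if a substituted wrapped key has a bad length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(p.Disk)%recSize != 0 {
		return nil, fmt.Errorf("protected disk is not a whole number of records")
	}
	out := make([]byte, 0, len(p.Disk)/recSize*sectorSize)
	for i := 0; i*recSize < len(p.Disk); i++ {
		if out, err = gcm.Open(out, sectorNonce(i), p.Disk[i*recSize:(i+1)*recSize], []byte(p.Cipher)); err != nil {
			return nil, fmt.Errorf("sector %d: %w", i, err) // tampering, wrong key or cipher downgrade
		}
	}
	return out, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	disk := bytes.Repeat([]byte("vmdk-sector-data"), 8*sectorSize/16) // constructed sample image
	p, err := Protect(disk, 256, &priv.PublicKey, "https://kms.example/keys/vm-42")
	if err != nil {
		panic(err)
	}
	plain, err := Unprotect(p, func(string) (*rsa.PrivateKey, error) { return priv, nil })
	fmt.Println(p.Cipher, len(p.Disk), "bytes on disk; restored:", err == nil && bytes.Equal(plain, disk))
}
```

Two points are worth noticing. The sector index is a safe nonce only because every Protect call generates a new symmetric key; re-encrypting a modified disk in place under the same key would reuse nonces, so a change must go through Unprotect and a fresh Protect. The cipher name is bound as associated data, so editing the metadata to claim a different cipher is caught, but nothing here authenticates the record count: dropping whole trailing records goes unnoticed, and a production scheme would sign the metadata the way [0010] signs controls.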
[0015] Still another embodiment of the invention involves evaluating and enforcing controls for attempted manipulations of virtual objects in a virtualized ecosystem according to the context within which the attempted manipulations are being performed and the properties of the virtual objects. The controls are embedded within the virtual objects and may include entitlements and access/use policies for the virtual objects.

[0016] These and other features of the present invention are described in greater detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

[0017] The present invention is illustrated by way of example, and not limitation, in the figures of the accompanying drawings, in which:

[0018] FIG. 1 illustrates an example of several virtual machines executing on a server;

[0019] FIG. 2 illustrates an example of a single physical computer system with a virtualization layer and virtualized objects of the system's physical elements;

[0020] FIG. 3 illustrates an example of a virtualized ecosystem made up of groups of physical computer systems on one or more physical networks;

[0021] FIG. 4 illustrates an example of a virtualized environment spanning two physical sites;

[0022] FIG. 5 illustrates an example of a hierarchy of virtual object classifications according to a classification scheme in accordance with the present invention;

[0023] FIG. 6 illustrates an example of a procedure for protecting a virtual object including an embedded control block in accordance with an embodiment of the present invention;

[0024] FIG. 7 illustrates one exemplary process for protecting a virtual machine in accordance with an embodiment of the present invention;

[0025] FIG. 8 illustrates one exemplary process for un-protecting a virtual machine in accordance with an embodiment of the present invention; and

[0026] FIG. 9 illustrates an exemplary system which includes a security control system configured in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

[0027] Described herein is a security control system adapted to define and analyze object handling control information, for example, control information that may influence or impact security and compliance of a virtualized ecosystem, and derive from it object properties for each of a number of logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem. Before discussing this system in detail, however, some introduction to virtualized ecosystems is appropriate.

[0028] FIG. 1 illustrates an example of three virtual machines (VM) 10, 12, 14, executing on a single physical server 16. The server hardware is abstracted by a hypervisor 18, such as a VMware™ ESX Server™. Of course, any other form of hypervisor, such as the open source Xen™ Hypervisor, could be used, and reference to an ESX Server is intended only as an example. Indeed, the present security control system is hypervisor vendor neutral, and design and implementation to support each are possible. Each VM includes its own operating system (OS) 20 (e.g., Microsoft Windows™, Linux™, Unix™, etc.) and one or more application programs 22.

[0029] A VM at rest is fully represented by a set of files. These files can be stored on local, direct attached storage (e.g., a hard disk), on networked storage, such as a storage area network (SAN), or on off-line or near-line storage, such as digital tape. To run/instantiate a VM these files are interpreted by the virtualization layer (i.e., the hypervisor), which then dynamically allocates a fraction of the pool of distributed physical resources available to it to each of the VMs being executed. Running VMs have additional state information stored in run-time memory, cache and registers of various physical devices, and also in state-specific files.

[0030] A VM can thus be thought of simply as a virtualization application. The state of the VM can be treated as run-time data of the virtualization application, while the configuration of the VM, as well as the virtual disk file(s) with OS, application and data, are the data set of the same application. For example, in the VMware Virtual Infrastructure 3, a virtual machine at rest (powered off) is represented minimally by two files:

[0031] <vm_name>.vmx and <vm_name>.vmdk.

[0032] The VMs are examples of a broader category of constructs called virtual objects (VOs). VOs exist at almost every level of a system, and the present inventors will use the term Virtualized Ecosystem to refer to a community of VOs and their physical environment. Logically related collections of VOs (which may include virtual environments) may themselves be regarded as VOs.

[0033] FIG. 2 illustrates an example of a single physical computer system 24 with a virtualization layer 26, and the resulting virtualized objects of the physical elements such as memory 28, processor 30, disk 32, network 34 and machine 24. The diagram is representative only and is not intended to be an exhaustive representation of all the physical elements and their virtual counterparts (if any). In this illustration the VOs are indicated as V_Memory 36, V_Processor 38, V_Disk 40, V_Network 42 and, collectively as a logical unit, V_Machine 44. Other examples of VOs or logical collections of VOs include a virtual switch, a load-balanced cluster, a named data center, a physical or virtual resource pool, and so on.

[0034] Of course, each of these VOs may be further decomposed. In terms of the present security control system, the level of granularity is that supported by the virtualization technology in use, and its support for exposing the virtualized objects and interfaces for external/third-party manipulation. However, a custom virtualization platform driver/module may be implemented to extend the ability to access and manipulate otherwise unexposed virtualized objects, or even to indirectly manipulate all the virtualized objects, perhaps removing the need to add specific controls for those objects.

[0035] Groups of physical computer systems 46a, 46b, ..., 46n on one or more physical networks 48 represent a virtualized ecosystem, as shown in FIG. 3. VMs on one physical server running a virtualization layer can move to another via user input through a management interface or through management automation technologies such as VMware's Distributed Resource Scheduler (DRS) and VMotion™. If the same virtualization technology is used, then a virtual network 50 can be formed across the virtualization layer such that the virtual network has a more complex mapping to the underlying physical networks 48a, 48b, and is much harder to control and manage. For example, as shown in FIG. 4, a virtualized environment may span two physical sites, and a virtual machine running on a virtualized physical server in one site can just as easily run on a virtualized physical server in the other site.

[0036] Because the virtualization technologies facilitate such a range of capabilities, the present security control system is needed in order to achieve a satisfactory level of robustness, balance and containment within virtualized ecosystems. If we assume that a VO, when it is created, is fully isolated, then the present security system defines, manages and enforces the controls for interactions amongst the VOs and their interactions with the underlying physical environment. As a user or automated agent attempts to manipulate the VOs in the virtualized ecosystem (which is equivalent to executing commands within a virtualization platform), the controls (including entitlements and access/use policies) for the operation are evaluated and enforced at run time, depending on the context within which the operation is being performed (i.e., the virtual and physical environment) and the properties of the VOs. The properties of the VOs include controls specifically defined by the present security control system, which may, in one embodiment, execute on the same platform as the security control layer described in co-pending U.S. patent application Ser. No. 12/210,084, filed 12 Sep. 2008, assigned to the assignee of the present invention and incorporated herein by reference (or a complementary platform thereto).
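How the classification taxonomy of FIG. 5, the embedded control block of FIG. 6 and the context-dependent evaluation of [0008], [0010], [0015] and [0036] fit together, as an added Go example; it is not code from the application or from HyTrust's product. Assumptions made here: an Ed25519 signature over a JSON encoding of the policy stands in for whatever digital signature the security control system uses to validate a control; the policy fields (entitlements by role, allowed sites, denied networks), the context fields and the sample control placed on the Windows grouping in main are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Class is one node of the FIG. 5 taxonomy; a property set on a grouping is inherited below it unless overridden.
type Class struct {
	Name   string
	Parent *Class
	Props  map[string]string
}

// BuildTaxonomy reproduces FIG. 5: OS sets Patch_Frequency=4, Windows overrides it to 1, the others inherit.
func BuildTaxonomy() map[string]*Class {
	os := &Class{Name: "OS", Props: map[string]string{"Patch_Frequency": "4"}}
	win := &Class{Name: "Windows", Parent: os, Props: map[string]string{"Patch_Frequency": "1"}}
	return map[string]*Class{"OS": os, "Windows": win, "Unix": {Name: "Unix", Parent: os},
		"Win2003Std32": {Name: "Win2003Std32", Parent: win}, "Win2003Std64": {Name: "Win2003Std64", Parent: win}}
}

// EffectiveProps derives an object's properties from its classification: ancestors are
// resolved first, so the nearest definition on the path to the root wins.
func EffectiveProps(c *Class) map[string]string {
	if c == nil {
		return map[string]string{}
	}
	out := EffectiveProps(c.Parent)
	for k, v := range c.Props {
		out[k] = v
	}
	return out
}

// Policy is the content of an embedded control block: entitlements (operation -> roles) and access/use restrictions.
type Policy struct {
	Entitlements map[string][]string `json:"entitlements"`
	AllowedSites []string            `json:"allowed_sites"`
	DeniedNets   []string            `json:"denied_nets"`
}

// ControlBlock is a policy as embedded in a virtual object, plus the signature placed over its encoding ([0010]).
type ControlBlock struct{ Encoded, Signature []byte }

// Context is the virtual/physical environment in which a manipulation is attempted.
type Context struct{ ActorRole, Site, Network string }

// Embed encodes and signs a policy: the "Add Controls" step of FIG. 6.
func Embed(p Policy, signer ed25519.PrivateKey) (ControlBlock, error) {
	enc, err := json.Marshal(p)
	if err != nil {
		return ControlBlock{}, err
	}
	return ControlBlock{Encoded: enc, Signature: ed25519.Sign(signer, enc)}, nil
}

// Evaluate decides whether op on an object of class c is permitted in ctx ([0036]). The control is the one
// defined on the class or its nearest ancestor grouping; no control means fully isolated (deny), and a
// control whose signature fails validation is never enforced (deny and report).
func Evaluate(c *Class, controls map[string]ControlBlock, op string, ctx Context, verifier ed25519.PublicKey) (bool, error) {
	var cb ControlBlock
	found := false
	for n := c; n != nil && !found; n = n.Parent {
		cb, found = controls[n.Name]
	}
	if !found {
		return false, nil
	}
	if !ed25519.Verify(verifier, cb.Encoded, cb.Signature) {
		return false, errors.New("embedded control failed signature validation")
	}
	var p Policy
	if err := json.Unmarshal(cb.Encoded, &p); err != nil {
		return false, err
	}
	return contains(p.Entitlements[op], ctx.ActorRole) && contains(p.AllowedSites, ctx.Site) &&
		!contains(p.DeniedNets, ctx.Network), nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tax := BuildTaxonomy()
	// Constructed control on the Windows grouping: operators may power on at site-a, but never onto "dmz".
	win, _ := Embed(Policy{Entitlements: map[string][]string{"power_on": {"operator"}}, AllowedSites: []string{"site-a"}, DeniedNets: []string{"dmz"}}, priv)
	controls := map[string]ControlBlock{"Windows": win}
	fmt.Println(EffectiveProps(tax["Win2003Std32"])) // inherits Patch_Frequency=1 from Windows
	fmt.Println(Evaluate(tax["Win2003Std32"], controls, "power_on", Context{"operator", "site-a", "dmz"}, pub))
}
```

The default-deny for an object without a control is the "fully isolated when created" assumption of [0036] made concrete, and the signature check before any rule is read is what keeps a tampered or foreign control block from ever being enforced.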
[0037] The present security control system has a number of attributes and features, including: means for collecting an inventory and classifying virtual objects and environments; means for automated discovery of a virtual infrastructure to identify VOs and physical and virtual environments already available; means for automated definition of supported controls and the ability to develop actionable ontologies; embedded controls for securely executing VOs within virtual and physical environment contexts; means for providing variable protection of VOs at rest; means for efficiently checking/enforcing controls before a VO can be operated on, instantiated/activated, or moved, etc.; means for cryptographic key management; means for monitoring, logging, and reporting; means for importing and integrating with externally-defined security controls; and means for determining baselines for operations performed
