US20160366143A1 - System and method for virtual image security in a cloud environment


Info

Publication number: US20160366143A1
Authority: US (United States)
Legal status: Pending
Application number: US15/246,034
Inventors: Nir Barak, Eitan Hadar
Current assignee: CA Inc
Original assignee: CA Inc
Priority: US13/405,973 (now US8839447B2); US14/337,771 (now US9436832B2)
Application filed by CA Inc
Assigned to COMPUTER ASSOCIATES THINK, INC. (assignment of assignors' interest). Assignors: BARAK, NIR; HADAR, EITAN
Assigned to CA, INC. (merger). Assignor: COMPUTER ASSOCIATES THINK, INC.
Publication of US20160366143A1
Application status: Pending

Classifications

    • H04L63/101 Access control lists [ACL] (under H04L63/10, network architectures or network communication protocols for network security for controlling access to network resources)
    • G06F21/60 Protecting data (under G06F21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/45533, hypervisors; virtual machine monitors)
    • G06F9/468 Specific access rights for resources, e.g. using capability register (under G06F9/46, multiprogramming arrangements)
    • H04L63/0823 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using certificates
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to network resources
    • H04W4/60 Subscription-based services using application servers or record carriers, e.g. SIM application toolkits
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; enabling network access in virtual machine instances

Abstract

Systems and methods enabling secure virtual image access in a virtual or cloud computing environment. The systems and methods include assigning a status indicator to guest virtual machines (virtual images) that provide applications and other services to cloud consumers in the cloud environment. A virtual appliance machine in the cloud environment maintains the status of the guest virtual machines and makes decisions based on the status as to whether to allow access to the guest virtual machines. These decisions are transmitted to local elements on the guest virtual machines, which enforce access control on a local level. In this manner, unauthorized virtual image access is prevented, providing increased security and data integrity.

Description

  • CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation of U.S. patent application Ser. No. 14/337,771, filed Jul. 22, 2014, now allowed, which is a continuation of U.S. patent application Ser. No. 13/405,973, filed Feb. 27, 2012, now U.S. Pat. No. 8,839,447, each of which is incorporated herein in its entirety by reference.
  • This application is related to the following applications filed Feb. 27, 2012, the disclosures of each of which are hereby incorporated by reference herein in their entirety: U.S. patent application Ser. No. 13/406,036 (Attorney Docket No. 072962-0396103), entitled “System and Method for Securing Leased Images in a Cloud Environment;” and U.S. patent application Ser. No. 13/406,088 (Attorney Docket No. 072962-0397234), entitled “System and Method for Isolated Virtual Image and Appliance Communication within a Cloud Environment.”
  • FIELD
  • The invention relates generally to access control of images in a cloud computing environment, and more particularly to access control of images in a cloud computing environment using a distributed image reservation system.
  • BACKGROUND
  • Cloud computing environments have turned around the manner in which business organizations examine the requirements and capacity to implement their data processing needs. A cloud computing environment may include capabilities where a cloud provider hosts hardware and related items and provides systems and computational power as a service to a customer or other user (e.g., individual consumers, business organizations, or other entities). When implementing data processing needs via a cloud vendor, a user does not need to bear the cost of space, energy, and maintenance in order to acquire the required computational resources at a reasonable cost.
  • In some instances, the cloud provider provides images and/or image bundles to the customer. In some instances, the cloud provider hosts images provided by the customer. As used herein, an “image” may refer to a virtual machine in a cloud environment. Certain virtual machines/images in a cloud environment may provide a specific service or set of specific services for use by a customer. These may be referred to herein as “guest virtual machines.” The services provided by the guest virtual machines may be, for example, applications, data, or other services. For example, a customer may require use of an application that can be provided by a cloud vendor. However, the customer may not require a complete version of the application with all features, and may only need to use some features of the application. In such a scenario, the cloud vendor may customize the application for the customer and form a guest virtual machine supporting the application for use by the customer. Similarly, a snapshot of a database that has data for testing may be supported by a guest virtual machine and provided to a customer for use. Generally, any resource or application can be provided to or supported for a customer for a limited period of time in the cloud environment via a guest virtual machine. Once provided to the customer for a period of time, a guest virtual machine is deemed as leased for that period of time.
  • When a user is finished using a guest virtual machine, they may simply abandon use or may provide an indication that use has been temporarily or permanently terminated. Furthermore, other indicators that use is temporarily or permanently terminated may also occur (e.g., the expiration of a service contract). In some instances, a cloud environment provider may delete the environment or clean up the content of guest virtual machines upon such termination. However, formal de-provisioning and clearance processes are not widely relied upon. While some clearing processes exist, they rely on the cloud provider to operate properly. Accordingly, the cloud consumer has no control over the process. Often, versions of a guest virtual machine may remain on the cloud provider environment after cleanup and may expose the machines to misuse. Furthermore, current systems do not include de-provisioning compliance reports or assurances that backup machines or other duplicates were destroyed. Consequently, there is a potential risk of data left over on machines that are not deleted or re-instantiated to the basic state. Because data can be exposed in unused, dormant machines, there is a need to lock and prevent the use of guest virtual machines.
  • Protection is relevant not only against unauthorized users outside of an organization; for internal cloud implementations, internal security is also a relevant consideration, such that segregation of information between departments within the same organization (e.g., finance, HR, sales, R&D, etc.) is desirable.
  • Accordingly, a solution is needed for verification of returned/checked-in/end-of-service images, so that such guest virtual machines cannot be used again and data left on such machines will not be exposed. Further, such attempted unauthorized activity should be exposed to validate regulation and compliance needs.
  • SUMMARY
  • The invention addressing these and other problems relates to systems and methods enabling secure virtual image access in a virtual or cloud computing environment. The systems and methods include assigning a status indicator to guest virtual machines (virtual images) that provide applications and other services to cloud consumers in the cloud environment. A virtual appliance machine in the cloud environment maintains the status of the guest virtual machines and makes decisions based on the status as to whether to allow access to the guest virtual machines. These decisions are transmitted to local elements on the guest virtual machines, which enforce access control on a local level. In this manner, unauthorized virtual image access is prevented, providing increased security and data integrity.
  • A system for providing secure virtual image access may reside in a virtual or cloud computing environment. The system may include a virtual appliance machine (also referred to herein as a “virtual access control machine”) and/or the components thereof, which interact with one or more guest virtual machines (also referred to as “images” or “virtual images”) and/or various components thereof. As the guest virtual machines described herein are virtual in nature, the ability to control and/or limit their use is different from that of physical machines. Accordingly, the virtual appliance machine provides access control features for the one or more guest virtual machines.
  • A guest virtual machine provides one or more applications, media, data access, data manipulation, and/or other “services” to consumers in the cloud environment. The services provided by an individual guest virtual machine may be customized according to the needs of a given user such that a bundle or suite of services may be provided to a user by a given guest virtual machine or several guest virtual machines. Furthermore, a guest virtual machine may provide applications, media, data, or other services that a user has loaded onto the guest virtual machine themselves. Accordingly, a guest virtual machine may provide storage and/or processing services to a user. A user may interact with a guest virtual machine on the cloud computing environment where it resides using one or more user devices. For example, a user device may connect to the cloud environment via a network (e.g., the Internet, a private network, and/or other network).
  • As described herein, access and misuse protections may be provided by proper disposal of guest virtual machines. As a guest virtual machine may include a specific instantiated representation of one or more applications or other services, once it is no longer needed or available to a user the specific guest virtual machine may be segregated from access by user machines and therefore from access by users. Accordingly, the systems and methods provided herein associate guest virtual machines with specific status indicators that may be used to provide access control.
  • Methods for providing secure image access may include assigning an image status (e.g., “active” or “inactive”) that indicates whether the image is able to be used or is not to be used. The image status may be assigned and stored by a virtual appliance machine, which thereby enables administration of image access control for a portion of or the entirety of a cloud environment.
  • In some instances, a guest virtual machine may need to be installed and subsequently initialized to be ready for use by users. For example, a guest virtual machine may be created and installed on a cloud environment by a cloud environment provider and may initially have a status of “null.” When the guest virtual machine is ready for use by a user, an indication may be sent changing the status of the guest virtual machine to “active” (initialized).
  • In some instances, a guest virtual machine may no longer be appropriate for use. Any number of circumstances may exist that create or instantiate a deactivation trigger for the guest virtual machine. Accordingly, when one or more deactivation triggers occurs, the virtual appliance machine may mark the image status of the guest virtual machine as “inactive.”
  • When an attempted use of the guest virtual machine is detected or received at the guest virtual machine, the virtual appliance machine that controls access to the guest virtual machine is contacted and informed of the access attempt. The virtual appliance machine then identifies its stored image status of the guest virtual machine on which an access attempt has been made. The virtual appliance machine then determines whether the attempted use of the guest virtual machine is permitted (e.g., whether the image status is “active” or “inactive”). If the image status is “active,” the virtual appliance machine determines that access may be granted and communicates with the guest virtual machine to provide access. If the image status is “inactive,” the virtual appliance machine communicates with the guest virtual machine to deny access. Furthermore, if access is denied, an alert may be generated, stored, and sent to one or more entities.
  • Stored image status indicators for guest virtual machines and stored alerts (including access attempts) may be used to generate reports to cloud providers, users, and/or other entities.
  • Various other objects, features, and advantages of the invention will be apparent through the detailed description and the drawings attached hereto. It is also to be understood that both the foregoing general description and the following detailed description are exemplary and not restrictive of the scope of the invention.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is an illustration of an example system for providing access control of images in a cloud computing environment, according to various implementations of the invention.
  • FIG. 2 is an illustration of an example of a method for providing access control of images in a cloud computing environment, according to an implementation of the invention.
  • FIG. 3 is an illustration of an example system for providing access control of images in a cloud computing environment, according to various implementations of the invention.
  • FIG. 4 is an illustration of an example method providing access control of images in a cloud computing environment.
  • DETAILED DESCRIPTION
  • Prevention of unauthorized repeatable usage of virtual images is important to maintain security and business integrity for cloud environment providers and their customers. Images that are no longer in use (e.g., checked back into a cloud image pool or requested to be de-commissioned and presumably un-provisioned) must be protected from unauthorized use. Typical systems may leave images in cloud computing environments vulnerable. Accordingly, provided herein are systems and methods for cataloguing and maintaining the status of virtual images so as to provide protection of data and prevention against unauthorized use. As used herein, “unauthorized use” may include both intentional unauthorized use (e.g., piracy or malicious use) and unintentional unauthorized use (e.g., a previously authorized user attempting to use an expired image).
  • The virtual image access control provided herein increases transparency and trust in cloud environments through increased control over the fulfillment of de-provisioning of virtual images and containment for cloud providers having multiple consumers (e.g., so that one consumer is not able to access images used by another consumer).
  • In some implementations, the systems and methods described herein also provide active monitoring so as to prevent unauthorized use of virtual images and activation interception (which prevents unauthorized initialization). In some implementations, process and labor efficiency for access control are also provided, as the systems and methods herein may include no need to rely on reactive procedures for virtual image disposal (as image disposal is based on rapid real time interceptions, rather than validating for every case). For example, in some instances, a cloud environment enables consumers to “return” a virtual image after he or she is finished using it (or otherwise indicate that use is no longer needed). In current systems, the returned image needs to be manually deleted. If this is not done, or if backup or other copies are not deleted, the image remains vulnerable to misuse. The systems and methods provided herein may provide protection against such misuse. This may be done by ensuring that any undeleted images that should not be available for use are not able to be initialized.
  • Furthermore, in some implementations, the systems and methods herein provide compliance and governance transparency, because virtual image activation is reported and known, therefore increasing trust and transparency, as well as enabling reporting of use patterns according to any number of regulations. These benefits utilize the misuse alerting features, as the alerts enabled herein can notify a cloud environment provider and/or an authorized user regarding potential theft/misuse of an image, therefore detecting areas in the cloud computing infrastructure that are susceptible to attack.
  • Enhanced de-provisioning transaction integrity is also provided by the systems and methods herein as de-provisioning is validated and stable on an image-specific basis. Additionally, the systems and methods provided herein enable self-service quality selection in that they enable selection of the type of protection needed from a vendor on subscription to the cloud environment. For example, a consumer may ask for specific security policies on a per machine basis (e.g., no protection at all, simple warnings that allow access but alert certain personnel of use or attempted use, or prevention of all unauthorized access) so as to enable customized protection plans for consumers.
  • Insider threat detection is also enabled because the systems and methods herein support the detection of potential insider threat on image probing without consent from the cloud environment provider, as well as the prevention of the potential damage. The systems and methods described herein may support the segregation of departments by enforcement of strong separations of access permits within an organization. Therefore, consumer entities having sensitive departments (such as, for example, M&A machines, R&D machines, and Sales and Finance machines, etc.) can guard against misuse by blocking unauthorized use. For example, if an image used by a finance department is returned back to an internal cloud, the R&D department cannot access the image by accident.
  • Given the advantages discussed herein, the systems and methods described herein may be useful for access control of one-time use disposable virtual images as well as longer term or repeated use of images in a cloud environment. Potential misuse of virtual images and their information may be guarded against in a shared image supplier environment (e.g., a shared image pool of a cloud provider), thus enforcing image usage segregation.
  • FIG. 1 illustrates an environment 100, which is an example of an environment wherein a system resides for secure virtual image access in a virtual computing environment. Environment 100 may include a cloud environment 101, one or more user devices 103, a computer network 105, and/or other elements.
  • In some implementations, cloud environment 101 may be or include a virtualized computing environment wherein one or more services are provided to one or more users at one or more user devices 103 over a network. In some implementations, cloud environment 101 may provide images out of a shared pool. The images may be used by consumers as virtual machines and “returned” to the pool when no longer needed. In some implementations, cloud environment 101 may include a virtual appliance machine 107 and one or more guest virtual machines 109. As an “image” or “virtual image” refers to a virtual machine in a cloud or other virtualized computing environment that provides a specific service or set of specific services for use by a customer, the term “guest virtual machine” is used herein to refer to an “image” or a “virtual image.” Other virtual machines in a cloud environment may also be considered “images.”
  • Virtual appliance machine 107 may be or include a virtual machine that serves as an access controller for one or more guest virtual machines 109 in cloud environment 101. Accordingly, virtual appliance machine 107 may also be referred to as a “virtual access control machine” 107.
  • In some implementations, one or more applications, media, data access, data manipulation, and/or other services 111 are provided to consumers (operating one or more user devices 103) via guest virtual machines 109. Services 111 provided by an individual guest virtual machine 109 may be customized according to the needs of a given user, such that a bundle or suite of applications or other services 111 may be provided to a user by a given guest virtual machine 109, and/or such that a given customized instance of an application 111 may be provided to a user by a given guest virtual machine 109 or by several guest virtual machines. Furthermore, guest virtual machine 109 may provide applications, media, data, or other services 111 that a user has loaded onto guest virtual machine 109 themselves. Accordingly, guest virtual machine 109 may provide storage and/or processing services to a user.
  • As used herein, the term “virtual machine” (e.g., guest virtual machine 109, virtual appliance machine 107) refers to a logically defined computing machine (as opposed to a physically defined computing machine) that may be identified by one or more logical characteristics but which in reality is composed of or supported by a static or dynamic set of one or more physical computing devices providing memory, processing power, or other computing features. A virtual machine is essentially an emulation of computing hardware (physical computing devices), wherein software is used to provide a computing environment that looks to users like a physical machine that the user can run applications on. Accordingly, the actions performed by virtual machines described herein, including virtual appliance machine 107 and guest virtual machine 109, may be performed using one or more processing devices (e.g., microprocessors) of one or more physical computing machines supporting the virtual computing environment. Similarly, any data storage needs or actions relating thereto may be provided or facilitated by the memory devices (e.g., RAM, hard disk, EEPROM, flash memory, etc.) of one or more physical computing machines supporting the virtual computing environment. Furthermore, the term “cloud computing” or “cloud computing environment” may refer to a virtual computing environment supporting one or more virtual machines.
  • As described herein, applications/services 111 are provided to users via guest virtual machines 109. As guest virtual machines 109 are virtual in nature, the ability to control and/or limit their use is different from that of physical machines. Accordingly, as described herein, virtual appliance machine 107 provides for control of guest virtual machines within cloud environment 101.
  • In some implementations, guest virtual machine 109 may be provided for the specific use of a user, or group of users. Through guest virtual machine 109, a user may utilize or interact with the one or more services 111 hosted thereon. As discussed above, in some implementations, guest virtual machine 109 may be provided with one or more applications or services 111 installed thereon. In some implementations, a user may install one or more applications/services 111 onto a guest virtual machine 109 provided by a provider of cloud environment 101.
  • In some implementations, a user may interact with guest virtual machine 109 via one or more of user devices 103. For example, a user device 103 may connect to cloud environment 101 via network 105 and therefore be provided with access to a specific guest virtual machine 109 that provides one or more services 111. In some implementations, user devices 103 may be or include one or more servers, desktop computers, laptop computers, tablet computers, hand-held computers, smart phones, cellular phones, personal digital assistants (PDAs), and/or other computing devices.
  • Network 105 may be or include the Internet or the World Wide Web (“www”). In some implementations, network 105 may be or include a switching fabric that is part of a Wide Area Network (WAN), a Local Area Network (LAN), or other types of networks known to those of ordinary skill in the art (e.g., a TCP/IP network). In some implementations, network 105 routes requests and/or other communication between cloud environment 101 and user devices 103. In some implementations, network 105 may use or include wired, wireless, optical, or other types of communication links.
  • As described herein, access and misuse protections may be provided by proper segregation and/or disposal of guest virtual machines. As a guest virtual machine (e.g., guest virtual machine 109) may include a specific instantiated representation of one or more services 111, once it is no longer needed or available to a user (e.g., because a user's agreement for use has expired or been terminated) the specific guest virtual machine may be segregated from access by user devices and therefore from access by users. Furthermore, specific guest virtual machines that are no longer to be used may be destroyed/erased (i.e., removed from the “disk” or memory of cloud environment 101). This functionality is provided by maintenance of specific status indicators for specific guest virtual machines.
  • In some implementations, the invention provides methods for providing secure virtual image access. FIG. 2 illustrates a process 200, which is an example of a process for providing secure virtual image access. Process 200 may include an operation 201, wherein a guest virtual machine of a cloud computing environment (e.g., a guest virtual machine 109 in environment 101) that provides one or more applications or services (e.g., applications/services 111) to users across a network (e.g., user devices 103 across network 105) is assigned an image status. In some implementations, the image status may be or include indicators such as, for example, “active” or “inactive” that indicate whether the image is able to be used (active) or not to be used (inactive). Other indicators may also be used. For example, “inactive” may indicate that an image has been disposed of and can never be reactivated, while the status of “disabled” may simply indicate that it cannot be used, but that it may be switched to “active” upon occurrence of a certain trigger. Some statuses may indicate that use is to be permitted but that an alert is to be sent to appropriate personnel according to an alert policy. Furthermore, a null status for new machines that have not yet been activated may be used. Any number of statuses providing different information regarding a machine's state may be used.
  • The image status may be assigned by and stored in virtual appliance machine (e.g., virtual appliance machine 107), which may serve to control status indicators for multiple guest virtual machines (e.g., guest virtual machines 109) and thereby enable administration of image access control for a substantial portion of or an entire cloud environment (e.g., cloud environment 101).
  • In some instances, a guest virtual machine may need to be created (instantiated), set up, and subsequently initialized to be ready for use by users. For example, in some implementations, a guest virtual machine (guest virtual machine 109 of FIG. 1) may be instantiated from a template or otherwise instantiated on a cloud environment (e.g., cloud environment 101) by a cloud environment provider. The created/instantiated guest virtual machine may then be set up according to its intended use. For example, the guest virtual machine may be customized and/or loaded with software (that provides applications/services, e.g., applications/services 111) and otherwise programmed to be used by its intended user. After setup, the guest virtual machine may initially have a null status. When the guest virtual machine is ready for use by a user, an indication (or “activation trigger”) may be sent changing the status of the guest virtual machine to “active” (initialization). This indication may be sent by the cloud environment provider, may be sent by the user, or may be accomplished by a combination of the two (e.g., the user tells the cloud provider that they want to use the guest virtual machine, and the provider subsequently sends the indication to initialize it). Once a guest virtual machine is assigned an “active” status, authorized users can then use it.
  • In some instances, a guest virtual machine may no longer be appropriate for use. For example, a user may have an agreement/contract with a provider of a cloud environment that allows the user to access a guest virtual machine for a certain period of time in exchange for a fee. Expiration of the contract or failure of the user to make a payment may be deactivation triggers (or may lead to a deactivation trigger being generated) indicating that the user (or any other user) should no longer be authorized to access the image. Accordingly, a virtual appliance machine (e.g., virtual appliance machine 107) may mark the image status of the guest virtual machine as “inactive” or “disabled.” In some instances, the provider may provide a user with the ability to use one or more services (e.g., services 111), but a given guest virtual machine to which the user has access may provide an out of date version of the service (e.g., an out of date application). Accordingly, a new guest virtual machine that provides an updated version of the service/application may be created and assigned an “active” image status, while the superseded guest virtual machine is deactivated.
  • As is apparent from (but not limited to) these examples, many different circumstances may serve as a deactivation trigger (or may lead to generation of a deactivation trigger) for a guest virtual machine. When a given guest virtual machine is no longer needed or of use, such that it is desirable to effectively decommission it, a deactivation trigger occurs or is produced and the image status of the guest virtual machine may be marked as “inactive” or “disabled.” Accordingly, as discussed herein, the user (or any other user) can no longer access the guest virtual machine or any data, applications, or other services provided thereon.
  • In an operation 203, an attempted use of the guest virtual machine is detected or received. In some implementations, the attempted use is detected or received at the guest virtual machine. An attempted use may include a user of a user device 103 attempting to start the guest virtual machine, establish a connection with or otherwise login to the guest virtual machine, and/or otherwise attempt to use the applications/services provided thereby. In some instances, the user may be, for example, an authorized user who is trying to start the guest virtual machine that a cloud provider is contractually obligated to provide to the user. In some instances, the user may be, for example, a user who at one time was authorized to access the guest virtual machine, but whose contract has lapsed such that the user should no longer be able to start the guest virtual machine. In some instances, the user may be, for example, a user who has never been authorized to access the guest virtual machine (e.g., a user trying to start the guest virtual machine without contracting with the cloud environment provider to do so; e.g., a malicious or mistaken user). Other attempted use scenarios may also exist.
  • As the user attempts to start or connect with the guest virtual machine, in an operation 205, the guest virtual machine may forward the access attempt (or otherwise communicate that the access attempt has occurred) to a virtual appliance machine that is assigned to control access to the guest virtual machine (e.g., virtual appliance machine 107 that controls access to guest virtual machine 109). In some implementations, a certificate indicating the identity of the particular guest virtual machine on which the access attempt has been made may be forwarded from the guest virtual machine to the virtual appliance machine along with the access attempt (or the indication thereof). In an operation 207, the virtual appliance machine determines whether the attempted use of the image is permitted. This determination is based, at least in part, on ascertaining the stored image status associated with the guest virtual machine on which the access attempt has been made. For example, if the image status is “inactive” or “disabled,” the virtual appliance machine may determine that no users are to be given access to the image. If the image status is “active,” the virtual appliance machine may determine that access may be granted. In this instance, whether access is actually granted to the user attempting to use the image in operation 203 may be further based on other authentication or credentialing operations (e.g., login/password operations); an “active” status is necessary but not by itself sufficient for access.
  • In an operation 209, the virtual appliance machine may take an action based on the decision in operation 207 regarding whether to permit the attempted use of the image. For example, if the image status is “active,” the virtual appliance machine may send an indication to the guest virtual machine to permit the attempted use. As discussed herein, additional authentication or credentialing operations may be used before a user is actually granted access to an active guest virtual machine. If the image status is “inactive” or “disabled,” the virtual appliance machine may send an indication to the guest virtual machine that access to the image is to be denied, or may send an indication that the use is to be allowed while simultaneously sending an alert regarding the attempted use. As discussed herein, statuses other than “active,” “inactive,” or “disabled” may be used.
  • In some implementations, in an operation 211, the guest virtual machine may allow the attempted use or deny the attempted use based on the indication from the virtual appliance machine. As discussed herein, both denial or allowance of the attempted use may be accompanied by generation of an alert regarding the attempted access, deletion of the guest virtual machine, and/or other actions. Process 200 may proceed from operation 211 back to operation 203 wherein an additional indication of attempted use is received. Process 200 may also proceed from operation 211 back to operation 201, wherein a new image status is assigned to the guest virtual machine.
  • FIG. 3 illustrates an example of the detailed constituent components of cloud environment 101 that may be used in the systems and methods provided herein (including virtual appliance machine 107 and guest virtual machine 109) to provide virtual image segregation and access control.
  • In some implementations, guest virtual machine 109 may include one or more agents and/or modules that assist in management of access control procedures. For example, in some implementations, guest virtual machine 109 may include a use control agent 301. Use control agent 301 may perform multiple functions relating to access control of its associated guest virtual machine 109. In some implementations, use control agent may include multiple sub-modules that assist in performing these functions.
  • For example, in some implementations, use control agent 301 may include an image activation/deactivation module 303. Image activation/deactivation module 303 may be a local utility of guest virtual machine 109 that provides indications/triggers to virtual appliance machine 107 so as to update the image status of guest virtual machine 109. For example, activation or deactivation triggers may be received by guest virtual machine 109 and subsequently forwarded by image activation/deactivation module 303 to virtual appliance machine 107 to update the image status of guest virtual machine 109 (see e.g., operations 403 and 407 of process 400). In some implementations, any such triggers may be forwarded to virtual appliance machine 107 with a certificate identifying guest virtual machine 109 so that the appropriate image status stored by virtual appliance machine 107 may be located and updated. While in some instances activation/deactivation triggers may be forwarded via the guest virtual machine, they may also be provided to virtual appliance machine 107 via other avenues.
  • Image activation/deactivation module 303 may be the primary avenue by which cloud consumers/customers provide an indication that a guest virtual machine that they have been or will be granted access to is to be activated or deactivated. For example, image activation/deactivation module 303 may receive an indication from a cloud customer's user machine (e.g., user device 103) that a guest virtual machine is to be activated (e.g., because the customer is ready to use it). Image activation/deactivation module 303 may further receive an indication from a cloud customer's user machine (e.g., user device 103) that a guest virtual machine is to be deactivated (e.g., because the customer is done using it).
  • Furthermore, image activation/deactivation module 303 may send requests to and receive responses from virtual appliance machine 107 to determine a current image status and/or to allow or deny access to guest virtual machine 109 (see e.g., operations 205 and 211 of process 200). As with the communication regarding updating image status, communications by image activation/deactivation module 303 to virtual appliance machine 107 regarding the determination of a current image status may include a certificate identifying guest virtual machine 109.
  • In some implementations, use control agent 301 may also include an image use control module 305. In some implementations, image use control module 305 may communicate with virtual appliance machine 107 to determine the current image status of its associated guest virtual machine 109 and whether access to guest virtual machine 109 can be provided in response to an access request. For example, image use control module 305 may send requests to and receive responses from virtual appliance machine 107 to determine a current image status and/or to allow or deny access to guest virtual machine 109 (see e.g., operations 205 and 211 of process 200). As with the communication regarding updating image status, communications by image use control module 305 to virtual appliance machine 107 regarding the determination of a current image status may include a certificate identifying guest virtual machine 109.
  • In some implementations, image use control module 305 may also check the status (e.g., via sending requests and receiving indications thereof) of the connection between use control agent 301 and various components of virtual appliance machine 107 (e.g., an agent monitor control 311). In some implementations, image use control module 305 further performs shutdowns of and prevents access to guest virtual machine 109 when virtual appliance machine 107 returns an indication that the status of the image is “inactive” (or another status that indicates a shutdown is needed to protect the integrity of guest virtual machine 109). Accordingly, image use control module 305 may actively monitor (i.e., perform periodic status checks of) image statuses stored on virtual appliance machine 107 and prevent the use of inactive/dormant guest virtual machines.
  • In some implementations, use control agent 301 may also include a local store module 307 that stores the certificate associated with one or more authorized users of guest virtual machine 109. The certificate may be or include a set of information relating to the specific user or users associated with a given guest virtual machine 109, including the parameters of the users' relationship with the provider of cloud environment 101. The certificate may be maintained and/or updated at guest virtual machine 109 by local store module 307. The certificate may be used in communications with virtual appliance machine 107 to identify guest virtual machine. For example, the certificate may accompany communications by image activation/deactivation module 303 when providing status update triggers to virtual appliance machine. Furthermore, the certificate may also be used in communications by image use control module 305 for validation of an image status. The certificate is used by virtual appliance machine 107 to determine the identity of guest virtual machine 109 and therefore search for and return the proper image status of guest virtual machine 109. Accordingly, if a malicious user were to make a copy of guest virtual machine 109, rename it, and attempt to use it, the certificate on the copy would indicate to virtual appliance machine 107 that the copy was derived from guest virtual machine 109. Accordingly, the copy would be disabled and an alert regarding the attempted misuse would be sent to the operator of the cloud environment and/or the proper user of guest virtual machine 109.
  • In some implementations, virtual appliance machine 107 may include one or more agents or modules that enable the image access control provided herein. For example, virtual appliance machine 107 may include a use control monitor 309 which may be installed on and/or executed by a virtualization host (such as, for example, VMware ESXi, Microsoft Hyper-V, or a host from another vendor). A virtualization host is the physical machine that hosts a set of virtual machines (in many cases it is also called a “hypervisor”). Virtual appliances in a virtual computing environment run on the virtualization host (or on multiple virtualization hosts). In some implementations, use control monitor 309 may include one or more sub-modules that provide access control functions. For example, in some implementations, use control monitor 309 may include an agent monitor control 311 that receives requests from image use control module 305 of guest virtual machine 109 (or of another guest virtual machine) for the image status of guest virtual machine 109 (see e.g., operation 205 of process 200) and provides the image status and/or access determinations to image use control module 305 for enforcement of image access control (see e.g., operation 209 of process 200) as discussed herein.
  • In some implementations, agent monitor control 311 may also set/change image statuses. For example, image statuses for guest virtual machines stored on virtual appliance machine 107 may be altered per requests from use control agents 301 (e.g., image activation/deactivation module 303) that stem from activation/deactivation triggers received at guest virtual machines. Image statuses may also be changed by agent monitor control 311 as a result of activation/deactivation triggers received from other avenues.
  • In some implementations, agent monitor control 311 may also manage the creation of certificates identifying guest virtual machines, the verification/identification of particular guest virtual machines and associated user parameters using certificates, and may manage alert or report policies regarding specific guest virtual machines.
  • In some implementations, use control monitor 309 may include an image use control monitor store 313 that may store image status information and user certificates for the guest virtual machines for which virtual appliance machine 107 provides access control. Use control monitor store 313 may also store the one or more policies discussed herein that dictate what to do in case of an access attempt on a deactivated image (e.g., warn of unauthorized use, disable an image, whether to send an alert, where to send alerts, how to send alerts, notification of the attempting user, etc.).
  • In some implementations, use control monitor 309 may also include an image use alert module 315, which may monitor use attempts and generate alerts. If a use attempt is made on a deactivated guest virtual machine, image use alert module 315 may access the guest virtual machine's associated policy on control monitor store 313 and send alerts accordingly. For example, a policy may indicate whether or not an alert is to be generated when a use attempt on a guest virtual machine having an image status of “inactive” (or similar status) is detected. Policies may be stored for each guest virtual machine whose access is controlled by virtual appliance machine 107. In addition to including an indication of whether or not to send an alert if a deactivated image is attempted to be accessed, policies may include an indication of who an alert should be sent to (e.g., users, cloud environment operators or specific individuals related thereto), how to send the alert (e.g., email, SMS text, etc.), whether the guest virtual machine should be deleted after an unauthorized access attempt, whether the user attempting to access the inactive image should be notified of the image status, and/or other parameters. Any generated alarms and any details associated therewith may be stored in control monitor store 313.
  • In some implementations, use control monitor 309 may also include an image use report module 317 which may monitor image statuses and alarms from use control monitor store 313 and generate reports thereon. In some instances, reports on alerts generated may include timing of an alert, who tried to use a deactivated guest virtual machine, where alerts were sent, how they were sent, and/or other information. Reports on image status may also be generated. For example, queries on image statuses can be run and the resultant reports may be used to find dormant images that were not yet disposed of and therefore need to be deleted.
  • In some implementations, cloud environment 101 may include an image reservation system 319 that is used by users (i.e., cloud consumers) for reserving protected or unprotected guest virtual machines. Image reservation system 319 may include an image reservation module 321 which users interact with to reserve a guest virtual machine. In some instances, if a user wants to reserve a guest virtual machine that is protected using the systems and methods described herein, a new guest virtual machine will be set up with a use control agent 301 and corresponding modules as described herein that is controlled by a virtual appliance machine 107 having a use control monitor 309 and corresponding modules. If automatic activation has been requested in the process, the image will automatically be activated and have an image status of “active” using an image activation/deactivation module 303.
  • In some implementations, the image reservation system 319 may include an image release module 323, which is used by users to release a guest virtual machine (i.e., indicate that use is no longer needed). If the access protection systems and/or methods described herein are used and an image status has not been marked as “inactive” or “disabled” prior to the release, the image will be automatically deactivated so it can no longer be used after the release.
  • In an instance wherein someone attempts to use a guest virtual machine (e.g., guest virtual machine 109) when it has no connectivity to its controlling virtual appliance machine (e.g., virtual appliance machine 107), the guest virtual machine will not start, as it has to be able to connect to the virtual appliance machine to obtain its current status; the agent fails closed rather than open. Accordingly, an additional control is provided for the instance wherein a user attempts to circumvent security measures by starting the guest virtual machine in a different place that may not be controlled by the security measures described herein (e.g., by copying the image to another host). The use control agent 301 of the guest virtual machine will be moved along with the guest virtual machine and will block the startup (as it does in the case of trying to start a disposed virtual machine) because no connectivity to the virtual appliance machine exists (the use control agent may also send any applicable alerts, etc.).
  • As discussed herein, the systems and methods provided herein provide for activation and deactivation of virtual images/guest virtual machines. FIG. 4 illustrates a process 400, which is an example of a process for providing secure virtual image access. Process 400 may include an operation 401, wherein a guest virtual machine (e.g., guest virtual machine 109) is created. As discussed herein, creation of a guest virtual machine may involve instantiating a template in cloud environment 101 and adding any specific software, interfaces, and/or other customizations thereto. In an operation 403, guest virtual machine 109 may be activated (e.g., by image activation/deactivation module 303). In some implementations, guest virtual machine 109 may have its image status marked as “active” automatically when guest virtual machine 109 is created and being set up (i.e., loaded with software, etc.). In some instances, users/customers may request this automatic activation when guest virtual machine 109 is ordered from the cloud provider. In some implementations, guest virtual machine 109 may be created and not automatically activated (it may have an initial image status of null), but may require an indication (e.g., from a user, that they are ready to use it; from the cloud provider, that the user is permitted access) to activate guest virtual machine 109. Upon activation, the image status for guest virtual machine 109 may be marked as “active” by image activation/deactivation module 303. A certificate for guest virtual machine 109 may be created by agent monitor control 311 of virtual appliance machine 107 and sent to image use control module 305 of the guest virtual machine upon activation. This certificate may then be sent back to agent monitor control 311 on virtual appliance machine 107 when use attempts are made.
  • In an operation 405, a deactivation trigger may occur, which indicates that the guest virtual machine is to be deactivated (e.g., using image activation/deactivation module 303). For example, a user may send an indication that guest virtual machine 109 is to be deactivated. Other actions may also serve as deactivation triggers such as, for example, the expiry or breach of a contract; an upgrade to a more recent application version; the image remaining dormant for a predetermined amount of time; or other occurrences. Accordingly, in an operation 407, image use control module 305 may send a deactivation signal to agent monitor control 311. In an operation 409, agent monitor control 311 may change the image status of guest virtual machine 109 to “inactive” or “disabled.” From this point on guest virtual machine 109 can no longer be used, and attempts to use it will be unsuccessful and may generate alerts as discussed herein.
  • In some instances, a user may attempt to start or use a guest virtual machine after it has been deactivated (e.g., in operation 201). As discussed above with respect to process 200, the attempted use may be detected (e.g., in operation 203) at guest virtual machine 109 by image use control module 305. Image use control module 305 may then connect to agent monitor control 311 of virtual appliance machine 107 (e.g., in operation 205) and forward an indication of the use attempt (along with the local certificate for the guest virtual machine) to virtual appliance machine 107. Agent monitor control 311 then uses the certificate to identify guest virtual machine 109 and look up the image status of guest virtual machine 109 in use control monitor store 313 (e.g., in operation 207). If the image status of guest virtual machine 109 is “inactive,” virtual appliance machine 107 determines that the access attempt should be denied (e.g., in operation 209) and/or that an alert of the use should be sent. In some instances, if an image status cannot be found (e.g., because the guest virtual machine was deleted), the attempt can likewise be denied and/or an alert can be sent.
  • In some implementations, an alert instance may be generated by agent monitor control 311 in image use control monitor store 313 when the access attempt is denied. Image use alert module 315 may be used to send the alert according to a profile associated with guest virtual machine 109. Furthermore, agent monitor control 311 may send an indication that the status is “inactive” to image use control module 305 of guest virtual machine 109 (e.g., in operation 211) such that image use control module 305 may prevent the attempted mounting or use (e.g., in operation 213). Agent monitor control 311 may then take steps to close guest virtual machine 109, which may include deleting it from cloud environment 101 (optionally, the policy may be set up just to warn and not to close).
  • As described herein, in some implementations, the systems and methods for image access control provided herein may include report generation features. For example, image use report module 317 may use image status information, generated and issued alert information, and/or other information from use control monitor store 313 to generate one or more reports. For example, the one or more reports may include information relating to image use timing and statistics, alerts (including logs regarding who tried to improperly access an image and the timing of such attempts), and/or other information.
  • As described herein, in some implementations, a guest virtual machine (e.g., guest virtual machine 109) may be set up and installed in a cloud environment (e.g., cloud environment 101) for use by user devices (e.g., user devices 103). When guest virtual machine 109 is ready for use, its image status may be marked as “active” (e.g., in operation 201) on both the use control monitor store 313 of virtual appliance machine and local store 307 of guest virtual machine. After the guest virtual machine is activated, then, use control agent 301 begins monitoring attempted uses of the image. Attempts to use the guest virtual machine may be received by use control agent 301 (e.g., in operation 203), the image status of the guest virtual machine may be checked (e.g., in operations 205, 207) and use may be permitted (e.g., in operations 209, 211). When authorized use of the image is terminated (e.g., a user marks the image for deactivation, a contract for use of the image expires or is otherwise terminated, and/or other deactivation trigger) the certificate associated with the guest virtual machine is provided to the controlling virtual appliance machine (to properly identify the particular guest virtual machine) along with an indication that the image status should be changed to “inactive” or “disabled” (e.g., in operation 201) both on local store 307 and use control monitor store 313.
  • In some instances, a number of users may be provided with access to a single guest virtual machine. Accordingly, these guest virtual machines may be activated by or for those who may use them and subsequently deactivated. In some instances, guest virtual machines may be left dormant if a deactivation trigger is not timely provided. This could lead to security exposure, as such guest virtual images should no longer be available for use. Accordingly, a cloud environment provider may run a search for dormant images (e.g., those that have not been in use for a predetermined period of time). After these dormant images are discovered, they may be verified as no longer needed and assigned an inactive image status. Reports can also be sent to appropriate personnel to identify dormant images.
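  • The following is an added example, not code from the patent or from CA: the dormant-image sweep described above and the status query that image use report module 317 would run over the monitor store. Records, field names, the idle threshold and the sample data are constructed for this example; the patent does not define a record format. The one edge case handled is an image that was activated but never used, which is treated as idle since its activation rather than silently skipped.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class ImageRecord:
    image_id: str
    status: str                       # "null", "active", "disabled" or "inactive"
    activated_at: Optional[datetime]  # None if never activated
    last_use_at: Optional[datetime]   # None if never used since activation


def find_dormant(records: List[ImageRecord], now: datetime, max_idle_days: int) -> List[str]:
    """Ids of active images that have not been used for longer than max_idle_days."""
    limit = timedelta(days=max_idle_days)
    dormant = []
    for r in records:
        if r.status != "active":
            continue  # null/disabled/inactive images are already blocked by the appliance
        # Never used since activation: count idle time from activation (assumption).
        reference = r.last_use_at or r.activated_at
        if reference is not None and now - reference > limit:
            dormant.append(r.image_id)
    return dormant


def deactivate_verified(records: List[ImageRecord], verified_ids: List[str]) -> int:
    """Mark dormant images confirmed as no longer needed 'inactive'; returns how many changed."""
    changed = 0
    for r in records:
        if r.image_id in verified_ids and r.status == "active":
            r.status = "inactive"
            changed += 1
    return changed


def status_report(records: List[ImageRecord]) -> Dict[str, int]:
    """Per-status counts, the kind of image-status query a report module would run."""
    return dict(Counter(r.status for r in records))


SAMPLE_NOW = datetime(2016, 8, 24, 12, 0)  # fixed clock for the constructed sample


def sample_records(now: datetime = SAMPLE_NOW) -> List[ImageRecord]:
    """Constructed sample data for this example; not from any real environment."""
    day = timedelta(days=1)
    return [
        ImageRecord("guest-a", "active", now - 90 * day, now - 3 * day),
        ImageRecord("guest-b", "active", now - 90 * day, now - 45 * day),
        ImageRecord("guest-c", "active", now - 60 * day, None),        # never used
        ImageRecord("guest-d", "disabled", now - 300 * day, now - 200 * day),
        ImageRecord("guest-e", "inactive", now - 300 * day, now - 250 * day),
        ImageRecord("guest-f", "active", now - 1 * day, None),         # freshly activated
    ]


if __name__ == "__main__":
    records = sample_records()
    candidates = find_dormant(records, SAMPLE_NOW, 30)
    print("dormant candidates:", candidates)
    # In practice an operator verifies the candidates before this step.
    deactivate_verified(records, candidates)
    print("status report:", status_report(records))
```

  The sweep only proposes candidates; the transition to “inactive” is a separate, deliberate step because the text treats that status as final, and a freshly activated image that has not been used yet should not be swept just because its last-use field is empty.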
  • In some instances, guest virtual machines may be used in parallel. For example, a user may obtain and activate a guest virtual machine such that it is available for use. In some instances, a “clone” may be taken from the image for backup purposes or other regular use. Accordingly, the clone may be assigned an image status of “disabled.” In this manner, if an attempt to use the clone is made under certain circumstances (e.g., when another user is conducting authorized use of the primary guest virtual machine; when no disruption necessitating use of the clone has occurred; after a contract for use of the primary image has expired, etc.) the use may be denied (because the clone remains in a “disabled” state until it is needed to back up the primary image) and an alert may be generated. If the clone is needed (e.g., the primary guest virtual machine is corrupted/damaged), the image status of the clone may be changed to “active,” enabling its use.
  • In an embodiment, there is provided a method to provide secure access in a virtual computing environment, the method executed by a processor comprising hardware, the processor configured to perform a plurality of operations, the operations comprising: assigning, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network; receiving, at the guest virtual machine, an indication of an attempted use of the guest virtual machine; sending, by the guest virtual machine, a request to the virtual access control machine for the status of the guest virtual machine; and determining, at the virtual access control machine, an action to take based on the status.
  • In an embodiment, assigning a status includes assigning, after the guest virtual machine is created and ready for use, a status indicating that the guest virtual machine is able to be accessed by an authorized user, and wherein the action includes allowing the attempted use of the guest virtual machine to an authorized user. In an embodiment, assigning a status includes assigning, after occurrence of a deactivation trigger, a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine. In an embodiment, the method further comprises recording an indication of the prevented attempted use of the guest virtual machine. In an embodiment, the action further comprises sending an alert regarding the unauthorized attempt to start the guest virtual machine. In an embodiment, assigning a status includes assigning a status indicating that an alert is to be sent upon receipt of any attempted use of the guest virtual machine, and wherein the action includes sending the alert. In an embodiment, assigning a status includes changing a status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine. In an embodiment, the method further comprises providing a report regarding a plurality of guest virtual machines in the virtual machine environment, wherein the report includes information regarding one or more selected from: attempted use of any of the plurality of guest virtual machines, denied use attempts of any of the plurality of guest virtual machines, or any of the plurality of guest virtual machines that have not been used in a predetermined amount of time.
  • In an embodiment, there is provided a system to provide secure access in a virtual computing environment, the system comprising: a processor comprising hardware, the processor configured to: assign, by a virtual access control machine of a virtual computing environment, an image status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network, receive, at the guest virtual machine, an indication of an attempted use of the guest virtual machine, send, by the guest virtual machine, a request to the virtual access control machine for the image status of the guest virtual machine, and determine, at the virtual access control machine, an action to take based on the status.
  • In an embodiment, the processor configured to assign a status is further configured to assign, after the guest virtual machine is created and ready for use, a status indicating that the guest virtual machine is able to be accessed by an authorized user, and wherein the action includes allowance of the attempted use of the guest virtual machine to an authorized user. In an embodiment, the processor configured to assign a status is further configured to assign, after occurrence of a deactivation trigger, a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes prevention of the attempted use of the guest virtual machine. In an embodiment, the processor is further configured to record an indication of the prevented attempted use of the guest virtual machine. In an embodiment, the action further comprises sending of an alert regarding the unauthorized attempt to start the guest virtual machine. In an embodiment, the processor configured to assign a status is further configured to assign a status indicating that an alert is to be sent upon receipt of any attempted use of the guest virtual machine, and wherein the action includes sending the alert. In an embodiment, the processor configured to assign a status is further configured to change a status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes prevention of the attempted use of the guest virtual machine. In an embodiment, the processor is further configured to provide a report regarding a plurality of guest virtual machines in the virtual machine environment, wherein the report includes information regarding one or more selected from: attempted use of any of the plurality of guest virtual machines, denied use attempts of any of the plurality of guest virtual machines, or any of the plurality of guest virtual machines that have not been used in a predetermined amount of time.
  • In an embodiment, there is provided a non-transitory computer-readable medium including computer-executable instructions thereon, the computer-executable instructions, when executed, causing a processor to: assign, by a virtual access control machine of a virtual computing environment, a status to a guest virtual machine supporting a service, wherein the guest virtual machine is accessible to a user through a network; receive, at the guest virtual machine, an indication of an attempted use of the guest virtual machine; send, by the guest virtual machine, a request to the virtual access control machine for the image status of the guest virtual machine; and determine, at the virtual access control machine, an action to take based on the status.
  • In an embodiment, the instructions to assign a status include instructions to assign, after occurrence of a deactivation trigger, a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine. In an embodiment, the instructions to assign a status include instructions to assign a status indicating that an alert is to be sent upon receipt of any attempted use of the guest virtual machine, and wherein the action includes sending the alert. In an embodiment, the instructions to assign a status include instructions to change a status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and wherein the action includes preventing the attempted use of the guest virtual machine.
  • Implementations described in this disclosure may be made in hardware, firmware, middleware, software, or various combinations thereof. The technology disclosed herein may also be implemented as computer-readable instructions stored on a tangible computer-readable storage medium which may be read and executed by one or more processors. A computer-readable storage medium may include various mechanisms for storing information in a form readable by a computing device. For example, a tangible computer-readable storage medium may include optical storage media, flash memory devices, and/or other storage mediums. Further, firmware, software, routines, or instructions may be described in the above disclosure in terms of specific exemplary aspects and implementations of the technology, and performing certain actions. However, it will be apparent that such descriptions are merely for convenience, and that such actions may in fact result from computing devices, processors, controllers, or other devices executing firmware, software, routines or instructions.
  • The systems described herein are exemplary system configurations. Other configurations may exist. Those having skill in the art will appreciate that the invention described herein may work with various configurations. Accordingly, more or less of the aforementioned system components may be used and/or combined in various embodiments. Furthermore, various operations of the methods described herein, while described in a particular order, may be performed in different orders as would be appreciated by those having skill in the art. In some embodiments, more or less of the described operations may be used.
  • Other implementations, uses, and advantages of the disclosed technology will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The specification should be considered exemplary only, and the scope of the technology disclosed herein is accordingly intended to be limited only by any associated claims.

Claims (21)

1-20. (canceled)
21. A method to provide secure access in a virtual computing environment, the method executed by a processor comprising hardware, the processor configured to perform a plurality of operations, the operations comprising:
sending, from a guest virtual machine to a virtual access control machine of a virtual computing environment, information representative of an attempted use of the guest virtual machine, wherein the guest virtual machine supports a service and is accessible to a user through a network and the virtual access control machine assigns a status to the guest virtual machine;
sending, from the guest virtual machine to the virtual access control machine, a request for the status of the guest virtual machine; and
receiving, at the guest virtual machine from the virtual access control machine, information regarding the (i) status of the guest virtual machine in response to the request, or (ii) an action to take based on the status, or (iii) both (i) and (ii).
22. The method of claim 21, wherein the status indicates that the guest virtual machine, after the guest virtual machine is created and ready for use, is able to be accessed by an authorized user, and further comprising allowing the attempted use of the guest virtual machine to an authorized user.
23. The method of claim 21, wherein the status indicates that the guest virtual machine is not to be used by anyone, and further comprising preventing the attempted use of the guest virtual machine.
24. The method of claim 21, further comprising changing the status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and comprising preventing the attempted use of the guest virtual machine.
25. The method of claim 21, wherein the request includes a certificate identifying the guest virtual machine or an authorized user of the guest virtual machine.
26. The method of claim 21, further comprising sending a signal from the guest virtual machine to the virtual access control machine to set or update the status of the guest virtual machine at the virtual access control machine.
27. The method of claim 21, further comprising sending a certificate associated with an authorized user of the guest virtual machine to the virtual access control machine.
28. The method of claim 21, further comprising causing deactivation of the guest virtual machine responsive to the status or action.
29. A system to provide secure access in a virtual computing environment, the system comprising:
a processor comprising hardware, the processor configured to:
send, from a guest virtual machine to a virtual access control machine of a virtual computing environment, information representative of an attempted use of the guest virtual machine, wherein the guest virtual machine supports a service and is accessible to a user through a network and the virtual access control machine assigns a status to the guest virtual machine;
send, from the guest virtual machine to the virtual access control machine, a request for the status of the guest virtual machine; and
receive, at the guest virtual machine from the virtual access control machine, information regarding the (i) status of the guest virtual machine in response to the request, or (ii) an action to take based on the status, or (iii) both (i) and (ii).
30. The system of claim 29, wherein the status indicates that the guest virtual machine, after the guest virtual machine is created and ready for use, is able to be accessed by an authorized user, and the processor is further configured to allow the attempted use of the guest virtual machine to an authorized user.
31. The system of claim 29, wherein the status indicates that the guest virtual machine is not to be used by anyone, and the processor is further configured to prevent the attempted use of the guest virtual machine.
32. The system of claim 29, wherein the processor is further configured to change the status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed-by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and the processor is further configured to prevent the attempted use of the guest virtual machine.
33. The system of claim 29, wherein the request includes a certificate identifying the guest virtual machine or an authorized user of the guest virtual machine.
32. The system of claim 29, wherein the processor is further configured to change the status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and the processor is further configured to prevent the attempted use of the guest virtual machine.
35. The system of claim 29, wherein the processor is further configured to send a certificate associated with an authorized user of the guest virtual machine to the virtual access control machine.
36. The system of claim 29, wherein the processor is further configured to cause the guest virtual machine to be deactivated responsive to the status or action.
37. A non-transitory computer-readable medium including computer-executable instructions thereon, the computer-executable instructions, when executed, causing a processor to:
send, from a guest virtual machine to a virtual access control machine of a virtual computing environment, information representative of an attempted use of the guest virtual machine, wherein the guest virtual machine supports a service and is accessible to a user through a network and the virtual access control machine assigns a status to the guest virtual machine;
send, from the guest virtual machine to the virtual access control machine, a request for the status of the guest virtual machine; and
receive, at the guest virtual machine from the virtual access control machine, information regarding the (i) status of the guest virtual machine in response to the request, or (ii) an action to take based on the status, or (iii) both (i) and (ii).
38. The system of claim 37, wherein the status indicates that the guest virtual machine, after the guest virtual machine is created and ready for use, is able to be accessed by an authorized user, and the instructions further include instructions to allow the attempted use of the guest virtual machine to an authorized user.
39. The system of claim 37, wherein the status indicates that the guest virtual machine is not to be used by anyone, and the instructions further include instructions to prevent the attempted use of the guest virtual machine.
40. The system of claim 37, wherein the instructions further include instructions to change the status of the guest virtual machine from a status indicating that the guest virtual machine is able to be accessed by an authorized user to a status indicating that the guest virtual machine is not to be used by anyone, and the instructions further include instructions to prevent the attempted use of the guest virtual machine.
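As an added illustration of the exchange between a guest virtual machine and the virtual access control machine described in the embodiments above and in claims 21 to 28 (example code written for this page, not the patent's or the assignee's implementation; every class, status, field and identifier name is an assumption), the following Python models status assignment, the allow/prevent decision and alerting on a reported use attempt, the deactivation trigger, and the report of attempted, denied and idle images:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class ImageStatus(Enum):
    ACTIVE = "active"            # created and ready; authorized users may use it
    DEACTIVATED = "deactivated"  # set after a deactivation trigger; nobody may use it
    ALERT = "alert"              # any attempted use must raise an alert


class Action(Enum):
    ALLOW = "allow"
    PREVENT = "prevent"


@dataclass
class GuestRecord:
    status: ImageStatus
    authorized: Set[str]  # certificate subjects allowed to use the guest (assumed)
    last_used: Optional[datetime] = None
    attempts: int = 0
    denied: int = 0


class VirtualAccessControlMachine:
    """Assigns image statuses, decides actions and keeps the audit trail."""

    def __init__(self) -> None:
        self.guests: Dict[str, GuestRecord] = {}
        self.audit: List[str] = []
        self.alerts: List[str] = []

    def assign_status(self, guest_id: str, status: ImageStatus,
                      authorized: Set[str] = frozenset()) -> None:
        """Create or update a guest's status (e.g. ACTIVE -> DEACTIVATED on a trigger)."""
        rec = self.guests.setdefault(guest_id, GuestRecord(status, set()))
        rec.status = status
        rec.authorized |= set(authorized)

    def decide(self, guest_id: str, cert_subject: str,
               at: datetime) -> Tuple[ImageStatus, Action]:
        """Handle a guest's use-attempt report and status request; cert_subject
        identifies the requesting user (claim 25); returns status and action."""
        rec = self.guests.get(guest_id)
        if rec is None:
            # Unknown image: treat as not to be used and alert on the attempt.
            self.alerts.append(f"{at.isoformat()} unknown guest {guest_id}")
            return ImageStatus.DEACTIVATED, Action.PREVENT
        rec.attempts += 1
        if rec.status is ImageStatus.ALERT:
            # Alert status: every attempt is alerted on, whoever makes it.
            self.alerts.append(f"{at.isoformat()} use attempt on {guest_id} by {cert_subject}")
        if rec.status is ImageStatus.DEACTIVATED or cert_subject not in rec.authorized:
            rec.denied += 1
            # Record the prevented attempt and alert on the unauthorized start.
            self.audit.append(f"{at.isoformat()} DENIED {guest_id} {cert_subject} {rec.status.value}")
            self.alerts.append(f"{at.isoformat()} unauthorized start of {guest_id} by {cert_subject}")
            return rec.status, Action.PREVENT
        rec.last_used = at
        self.audit.append(f"{at.isoformat()} ALLOWED {guest_id} {cert_subject}")
        return rec.status, Action.ALLOW

    def report(self, now: datetime, idle_after: timedelta) -> dict:
        """Attempted uses, denied attempts and images unused for longer than idle_after."""
        return {
            "attempted": {g: r.attempts for g, r in self.guests.items()},
            "denied": {g: r.denied for g, r in self.guests.items()},
            "idle": sorted(g for g, r in self.guests.items()
                           if r.last_used is None or now - r.last_used > idle_after),
        }


class GuestVirtualMachine:
    """Guest side: on an attempted use, ask the control machine what to do."""

    def __init__(self, guest_id: str, control: VirtualAccessControlMachine) -> None:
        self.guest_id, self.control, self.running = guest_id, control, False

    def on_use_attempt(self, cert_subject: str, at: datetime) -> Action:
        _status, action = self.control.decide(self.guest_id, cert_subject, at)
        self.running = action is Action.ALLOW  # PREVENT deactivates the guest (claim 28)
        return action


def demo() -> dict:
    """Constructed scenario: one image goes active -> deactivated."""
    control = VirtualAccessControlMachine()
    control.assign_status("vm-web-01", ImageStatus.ACTIVE, {"CN=alice"})
    control.assign_status("vm-db-02", ImageStatus.ACTIVE, {"CN=bob"})
    guest, t0 = GuestVirtualMachine("vm-web-01", control), datetime(2016, 8, 24, 9, 0)
    first = guest.on_use_attempt("CN=alice", t0)                            # ALLOW
    second = guest.on_use_attempt("CN=mallory", t0 + timedelta(minutes=1))  # PREVENT
    control.assign_status("vm-web-01", ImageStatus.DEACTIVATED)             # trigger fired
    third = guest.on_use_attempt("CN=alice", t0 + timedelta(hours=1))       # PREVENT
    report = control.report(t0 + timedelta(days=8), idle_after=timedelta(days=7))
    return {"actions": [first, second, third], "report": report,
            "alerts": len(control.alerts), "running": guest.running}
```

The audit list holds the recorded denied attempts and the alerts list the alerts the embodiments describe; the report's idle entry corresponds to images not used within the predetermined amount of time.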
US15/246,034 2012-02-27 2016-08-24 System and method for virtual image security in a cloud environment Pending US20160366143A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US13/405,973 US8839447B2 (en) 2012-02-27 2012-02-27 System and method for virtual image security in a cloud environment
US14/337,771 US9436832B2 (en) 2012-02-27 2014-07-22 System and method for virtual image security in a cloud environment
US15/246,034 US20160366143A1 (en) 2012-02-27 2016-08-24 System and method for virtual image security in a cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15/246,034 US20160366143A1 (en) 2012-02-27 2016-08-24 System and method for virtual image security in a cloud environment

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/337,771 Continuation US9436832B2 (en) 2012-02-27 2014-07-22 System and method for virtual image security in a cloud environment

Publications (1)

Publication Number Publication Date
US20160366143A1 true US20160366143A1 (en) 2016-12-15

Family

ID=49004813

Family Applications (3)

Application Number Title Priority Date Filing Date
US13/405,973 Active US8839447B2 (en) 2012-02-27 2012-02-27 System and method for virtual image security in a cloud environment
US14/337,771 Active 2032-07-19 US9436832B2 (en) 2012-02-27 2014-07-22 System and method for virtual image security in a cloud environment
US15/246,034 Pending US20160366143A1 (en) 2012-02-27 2016-08-24 System and method for virtual image security in a cloud environment

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US13/405,973 Active US8839447B2 (en) 2012-02-27 2012-02-27 System and method for virtual image security in a cloud environment
US14/337,771 Active 2032-07-19 US9436832B2 (en) 2012-02-27 2014-07-22 System and method for virtual image security in a cloud environment

Country Status (1)

Country Link
US (3) US8839447B2 (en)

US20140019960A1 (en) * 2012-07-12 2014-01-16 Microsoft Corporation Systems and methods of creating custom virtual machines
US9065854B2 (en) * 2013-10-28 2015-06-23 Citrix Systems, Inc. Systems and methods for managing a guest virtual machine executing within a virtualized environment

Also Published As

Publication number Publication date
US20140373180A1 (en) 2014-12-18
US8839447B2 (en) 2014-09-16
US20130227699A1 (en) 2013-08-29
US9436832B2 (en) 2016-09-06

Similar Documents

Publication Publication Date Title
Berger et al. TVDc: managing security in the trusted virtual datacenter
Jansen et al. Guidelines on security and privacy in public cloud computing
US8909928B2 (en) Securing customer virtual machines in a multi-tenant cloud
Wei et al. Managing security of virtual machine images in a cloud environment
US20070266433A1 (en) System and Method for Securing Information in a Virtual Computing Environment
US9177145B2 (en) Modified file tracking on virtual machines
US8566571B2 (en) Pre-boot securing of operating system (OS) for endpoint evaluation
EP2507736B1 (en) Approaches for a location aware client
US20100082991A1 (en) Trusted key management for virtualized platforms
Hashizume et al. An analysis of security issues for cloud computing
US20080244747A1 (en) Network context triggers for activating virtualized computer applications
KR101691853B1 (en) Automated asset criticality assessment
Lee et al. Multi-level intrusion detection system and log management in cloud computing
US8060924B2 (en) On-line centralized and local authorization of executable files
JP4629332B2 (en) State the reference monitor
AU2009279431B2 (en) Secure computing environment using a client heartbeat to address theft and unauthorized access
US8769605B2 (en) System and method for dynamically enforcing security policies on electronic files
Lombardi et al. Secure virtualization for cloud computing
Luo et al. Virtualization security for cloud computing service
US9092616B2 (en) Systems and methods for threat identification and remediation
US8578374B2 (en) System and method for managing virtual machines
US8028172B2 (en) Systems and methods for updating a secure boot process on a computer with a hardware security module
US8588422B2 (en) Key management to protect encrypted data of an endpoint computing device
Rabai et al. A cybersecurity model in cloud computing environments
US20120060030A1 (en) System and method of providing trusted, secure, and verifiable operating environment

Legal Events

Date Code Title Description
AS Assignment

Owner name: CA, INC., NEW YORK

Free format text: MERGER;ASSIGNOR:COMPUTER ASSOCIATES THINK, INC.;REEL/FRAME:039529/0798

Effective date: 20120327

Owner name: COMPUTER ASSOCIATES THINK, INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BARAK, NIR;HADAR, EITAN;REEL/FRAME:039529/0672

Effective date: 20120226