Policy management system for heterogeneous cloud services

US10129100B2 · US · B2

Patent metadata

Publication number: US-10129100-B2
Application number: US-201414503103-A
Country: US
Kind code: B2
Filing date: Sep 30, 2014
Priority date: Aug 22, 2014
Publication date: Nov 13, 2018
Grant date: Nov 13, 2018

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Some embodiments provide a method for a system that enforces policy for a network. The method receives (i) a first set of network state data from a first cloud management application that manages a first aspect of the network and stores its network state data in a first format and (ii) a second set of network state data from a second cloud management application that manages a second aspect of the network and stores its network state data in a second format. The method stores the first and second sets of network state data in a single, unified data format. The method monitors the stored sets of network state data to determine whether the network state violates one or more network policies that constrain the network state received from the first and second cloud management applications.

Claims

Full claim text as published. Claims 1 and 15 are the independent claims; the others depend on them.

We claim:

1. A method to enforce a policy for a network, the method comprising: storing, by executing an instruction using a processor, a first set of network state data and a second set of network state data in a single, unified data format, the first set of network state data from a first cloud management application that manages a first aspect of the network and stores its network state data in a first format, the second set of network state data from a second cloud management application that manages a second aspect of the network and stores its network state data in a second format; detecting, by executing an instruction using the processor, addition of a virtual machine to a cloud environment; in response to detecting the addition of the virtual machine, determining, by executing an instruction using the processor, whether the virtual machine violates a network policy based on a first owner of the virtual machine and the first and second sets of network state data stored in the single, unified data format; and when the virtual machine violates the network policy: creating a new membership group; adding the first owner to the membership group; and adding a second owner of the network to the membership group, wherein the first owner and the second owner being part of the same membership group removes the violation.

2. The method of claim 1, wherein the single, unified data format includes a set of relational database tables.

3. The method of claim 2, wherein the first set of network state data is stored in a first plurality of tables and the second set of network state data is stored in a second plurality of tables.

4. The method of claim 3, wherein the set of relational database tables includes a third plurality of tables that stores data from both the first and second cloud management applications.

5. The method of claim 4, wherein the third plurality of tables includes tables defined by network policies.

6. The method of claim 1, wherein the first cloud management application is a network virtualization manager that manages logical networks for the network and the second cloud management application is a compute virtualization manager that manages virtual machines in the network.

7. The method of claim 1, wherein the first and second cloud management applications include two of a compute virtualization manager, a network virtualization manager, a storage virtualization manager, a firewall manager, an antivirus manager, and a group directory.

8. The method of claim 1, wherein receiving the first and second sets of network state data includes receiving sets of network state data from a plurality of cloud management applications that manage different aspects of the network and store network state data in a plurality of different formats.

9. The method of claim 8, wherein the plurality of cloud management applications include a compute virtualization manager, a network virtualization manager, a storage virtualization manager, an antivirus manager, a firewall manager, and a group directory.

10. The method of claim 1, wherein the sets of network state data are received as updates that reflect changes made to the network state by the first and second cloud management applications.

11. The method of claim 10, wherein at least one of the updates includes a command to (A) insert a new record or (B) delete a record for a data entity in the stored network state data.

12. The method of claim 1, wherein monitoring the stored sets of network state data includes comparing the stored sets of network data to states defined by network policies as violations of policy to determine whether the stored network state violates any policies.

13. The method of claim 1, further including simulating the modification of the at least one of the first or second cloud management applications to identify how the modifying will affect the network state.

14. The method of claim 1, further including storing a violation type corresponding to the violation with modification data in short-term memory, the modification data including indicating the modification of the first or second cloud management applications were modified to remove the violation.

15. A system to enforce a policy for a network, the system comprising: a machine readable storage to store network state data from at least two cloud management applications in a single, unified data format, the network state data from at least two cloud management applications that each manage different aspects of the network and store their network state data in different formats; and a processor to: detect addition of a virtual machine to a cloud environment, in response to detecting the addition of the virtual machine, determine if the virtual machine violates a network policy based on a first owner of the virtual machine and the first and second sets of network state data stored in the single, unified data format, and, when the virtual machine violates the network policy: create a new membership group; add the first owner to the membership group; and add a second owner of the network to the membership group, wherein the first owner and the second owner being part of the same membership group removes the violation.

16. The system of claim 15, wherein the single, unified data format includes a set of relational database tables.

17. The system of claim 16, wherein the network state data from the different cloud management applications are stored in different sets of tables.

18. The system of claim 17, wherein the network state data further includes tables defined by network policies.

19. The system of claim 16, wherein the set of relational database tables includes a table for storing violations of network policies.

20. The system of claim 15, wherein the cloud management applications include at least two of a compute virtualization manager, a network virtualization manager, a storage virtualization manager, a firewall manager, an antivirus manager, and a group directory.

21. The system of claim 15, wherein the processor receives the network state data as updates that reflect changes made to the network state by the cloud management applications.

22. The system of claim 15, wherein the processor is to compare the stored sets of network data to states defined by network policies as violations of policy to determine whether the stored network state violates any policies.
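The claims spell out a pipeline: state from managers that use different native formats is normalized into one set of relational tables (claims 2 to 6), changes arrive as insert or delete commands (claims 10 and 11), a policy is a description of the states that count as violations (claims 12 and 19), a modification can be simulated to see its effect before it is applied (claim 13), and the claimed response to a VM whose owner is not grouped with the network's owner is to create a membership group containing both (claim 1). The following Python program is an added worked example written for this page; it is not VMware's code and not the embodiment described in the patent. The SQLite schema, the policy query, the three constructed feeds and their formats, the shape of the update commands and the group-naming scheme are all this example's own assumptions.

```python
import json
import sqlite3
# Unified schema (the claims' "single, unified data format"); table and column names are this example's own.
SCHEMA = """
CREATE TABLE vm (vm_id TEXT PRIMARY KEY, owner TEXT NOT NULL, logical_switch TEXT NOT NULL);
CREATE TABLE logical_network (switch_id TEXT PRIMARY KEY, owner TEXT NOT NULL);
CREATE TABLE membership (group_id TEXT, member TEXT, PRIMARY KEY (group_id, member));
CREATE TABLE violation (policy TEXT, vm_id TEXT, detail TEXT);
"""
# Allowlist of writable tables/columns: adapter output is untrusted and these names are spliced
# into SQL text, so any update naming anything else is rejected before it reaches the database.
TABLES = {"vm": {"vm_id", "owner", "logical_switch"}, "logical_network": {"switch_id", "owner"},
          "membership": {"group_id", "member"}}
# A policy is a query whose result rows are the violating states (claim 12): here, a VM whose
# owner shares no membership group with the owner of the logical network it is attached to.
POLICIES = {"owner-shares-group-with-network-owner": """
    SELECT v.vm_id, v.owner AS vm_owner, n.owner AS net_owner
    FROM vm v JOIN logical_network n ON n.switch_id = v.logical_switch
    WHERE v.owner <> n.owner AND NOT EXISTS (
        SELECT 1 FROM membership a JOIN membership b USING (group_id)
        WHERE a.member = v.owner AND b.member = n.owner)"""}

# Constructed feeds, each in the assumed native format of one manager.
COMPUTE_STATE = ('{"vms": [{"id": "vm-1", "owner": "alice", "network": "ls-red"},'
                 ' {"id": "vm-2", "owner": "alice", "network": "ls-blue"}]}')
NETWORK_STATE = "switch=ls-red owner=alice\nswitch=ls-blue owner=bob\n"
DIRECTORY_STATE = "team-x,alice\nteam-x,bob\n"

def compute_manager_updates(payload):
    """Assumed compute-manager format: JSON. Returns (op, table, record) update commands."""
    return [("insert", "vm", {"vm_id": v["id"], "owner": v["owner"], "logical_switch": v["network"]})
            for v in json.loads(payload)["vms"]]

def network_manager_updates(text):
    """Assumed network-manager format: one 'key=value ...' line per logical switch."""
    rows = (dict(tok.split("=", 1) for tok in line.split()) for line in text.splitlines())
    return [("insert", "logical_network", {"switch_id": r["switch"], "owner": r["owner"]}) for r in rows]

def directory_updates(text):
    """Assumed group-directory format: 'group,member' CSV lines."""
    return [("insert", "membership", dict(zip(("group_id", "member"), line.split(","))))
            for line in text.splitlines()]

class PolicyEngine:
    def __init__(self):
        self.db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit: savepoints are ours
        self.db.row_factory = sqlite3.Row
        self.db.executescript(SCHEMA)

    def apply(self, update):
        """Apply one insert-or-delete command (claim 11) after allowlist validation."""
        op, table, record = update
        if op not in ("insert", "delete") or table not in TABLES or not set(record) <= TABLES[table]:
            raise ValueError(f"rejected update: {update!r}")
        keys, vals = list(record), list(record.values())
        if op == "insert":
            self.db.execute(f"INSERT OR REPLACE INTO {table} ({', '.join(keys)}) "
                            f"VALUES ({', '.join('?' * len(keys))})", vals)
        else:
            self.db.execute(f"DELETE FROM {table} WHERE " + " AND ".join(f"{k} = ?" for k in keys), vals)

    def evaluate(self):
        """Recompute the violation table (claim 19) from the stored state and return its rows."""
        self.db.execute("DELETE FROM violation")
        found = [(name, row["vm_id"], f"{row['vm_owner']} not grouped with {row['net_owner']}")
                 for name, sql in POLICIES.items() for row in self.db.execute(sql)]
        self.db.executemany("INSERT INTO violation VALUES (?, ?, ?)", found)
        return found

    def simulate(self, updates):
        """Preview the violations updates would cause, then roll them back (claim 13)."""
        self.db.execute("SAVEPOINT sim")
        try:
            for u in updates:
                self.apply(u)
            return self.evaluate()
        finally:
            self.db.execute("ROLLBACK TO sim")
            self.db.execute("RELEASE sim")

    def remediate(self, vm_id):
        """Claim 1's fix: create a new group holding both the VM owner and the network owner."""
        row = self.db.execute("SELECT v.owner AS vm_owner, n.owner AS net_owner FROM vm v JOIN logical_network n"
                              " ON n.switch_id = v.logical_switch WHERE v.vm_id = ?", (vm_id,)).fetchone()
        for member in (row["vm_owner"], row["net_owner"]):
            self.apply(("insert", "membership", {"group_id": f"grp-{vm_id}", "member": member}))
        return self.evaluate()

def demo():
    eng = PolicyEngine()
    for u in (network_manager_updates(NETWORK_STATE) + compute_manager_updates(COMPUTE_STATE)
              + directory_updates(DIRECTORY_STATE)):
        eng.apply(u)
    new_vm = ("insert", "vm", {"vm_id": "vm-3", "owner": "carol", "logical_switch": "ls-blue"})
    result = {"before": eng.evaluate(), "predicted": eng.simulate([new_vm]),
              "vms_after_simulation": eng.db.execute("SELECT COUNT(*) FROM vm").fetchone()[0]}
    eng.apply(new_vm)                       # the "addition of a virtual machine" event of claim 1
    result["after"], result["remediated"] = eng.evaluate(), eng.remediate("vm-3")
    return result
```

Two things a practitioner would check in an engine of this shape. Adapter output is treated as untrusted: table and column names are validated against an allowlist before they are spliced into SQL, and values only ever travel as bound parameters. And the remediation in claim 1 clears the violation by widening group membership rather than by detaching or blocking the VM, so a deployment should gate remediate() behind an approval step or a rule stating which owners may be auto-grouped; otherwise any VM placement that trips the policy is quietly granted the grouping that makes it pass.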

Assignees

Vmware Inc

Inventors

Classifications

  • involving simulating, designing, planning or modelling of a network · CPC title

  • using an interconnection network, e.g. matrix, shuffle, pyramid, star, snowflake · CPC title

  • related to network traffic · CPC title

  • Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF] · CPC title (H04L41/5022, the primary classification)

  • Updates performed during online database operations; commit processing · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10129100B2 cover?
Some embodiments provide a method for a system that enforces policy for a network. The method receives (i) a first set of network state data from a first cloud management application that manages a first aspect of the network and stores its network state data in a first format and (ii) a second set of network state data from a second cloud management application that manages a second aspect of …
Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L41/5022 (CPC section H, Electricity).
When was this patent published?
Publication date Nov 13, 2018 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).