Virtual mode execution manager
US-12118376-B2 · Oct 15, 2024 · US
US9448826B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9448826-B2 |
| Application number | US-201313838929-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 15, 2013 |
| Priority date | Mar 15, 2013 |
| Publication date | Sep 20, 2016 |
| Grant date | Sep 20, 2016 |
Official abstract text for this publication.
Techniques are disclosed for data risk management in accessing an Infrastructure as a Service (IaaS) cloud network. More specifically, embodiments of the invention evaluate virtual machine images launched in cloud-based environments for compliance with a policy. After intercepting a virtual machine image launch request, an intermediary policy management engine determines whether the request conforms to a policy defined by a policy manager, e.g., an enterprise's information security officer. The policy may be based on user identities, virtual machine image attributes, data classifications, or other criteria. Upon determining whether the request conforms to policy, the policy management engine allows the request, blocks the request, or triggers a management approval workflow.
Opening claim text (preview).
What is claimed is:
1. A method for enforcing policy-based compliance in launching a virtual machine image configuration, the method comprising: receiving a request to launch a virtual machine image having a plurality of attributes, wherein the request specifies at least a first storage volume to attach to the launched virtual machine image, wherein the first storage volume stores data accessible to the launched virtual machine image once attached, and wherein the first storage volume has associated metadata indicating a measure of sensitivity of data on the first storage volume; evaluating the virtual machine image identified in the request and the metadata associated with the first storage volume to determine whether the request conforms to a policy; and upon determining that the virtual machine image identified in the request conforms to a policy, forwarding the request to a cloud management platform, wherein the cloud management platform launches the virtual machine image and attaches the launched virtual machine image to the first storage volume.
2. The method of claim 1, wherein the cloud management platform forwards the request to a policy manager for approval.
3. The method of claim 1, wherein the attributes include at least one of a user identifier, an operating system, an operating system version, and an application identifier.
4. The method of claim 1, wherein determining whether the request conforms to the policy comprises determining whether a user making the request is authorized to attach virtual machine instances to the first storage volume.
5. The method of claim 1, wherein determining whether the request conforms to the policy comprises determining whether a user making the request is authorized to launch an instance of the virtual machine image.
6. The method of claim 1, further comprising: receiving a reconfiguration request to attach the launched virtual machine image to a second storage volume, wherein the second storage volume stores data accessible to the launched virtual machine image once attached and wherein the second storage volume has associated metadata indicating a measure of sensitivity of data on the second storage volume; and upon determining that the reconfiguration request conforms to the policy, forwarding the request to the cloud management platform, wherein the cloud management platform attaches the launched virtual machine image to the second storage volume.
7. A method for enforcing policy-based compliance in a virtual machine image reconfiguration, the method comprising: receiving a request to attach a running instance of a virtual machine image having a plurality of attributes to a first storage volume, wherein the first storage volume stores data accessible to the running instance of the virtual machine image once attached and wherein the first storage volume has associated metadata indicating a measure of sensitivity of data on the first storage volume; evaluating the virtual machine image identified in the request and the metadata associated with the first storage volume to determine whether the request conforms to a policy; and upon determining that the virtual machine image identified in the request conforms to the policy, forwarding the request to a cloud management platform, wherein the cloud management platform attaches the virtual machine image to the first storage volume.
8. The method of claim 7, wherein the virtual machine image attributes include at least one of a user identifier, an operating system, an operating system version, and an application identifier.
9. The method of claim 7, wherein determining whether the request conforms to the policy comprises determining whether a user making the request is authorized to attach virtual machine instances to the first storage volume.
10. The method of claim 7, wherein determining whether the request conforms to the policy comprises determining whether the virtual machine image is authorized to attach to the first storage volume.
11. A non-transitory computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for enforcing policy-based compliance in launching a virtual machine image configuration, the operation comprising: receiving a request to launch a virtual machine image having a plurality of attributes, wherein the request specifies at least a first storage volume to attach to the launched virtual machine image, wherein the first storage volume stores data accessible to the launched virtual machine image once attached, and wherein the first storage volume has associated metadata indicating a measure of sensitivity of data on the first storage volume; evaluating the virtual machine image identified in the request and the metadata associated with the first storage volume to determine whether the request conforms to a policy; and upon determining that the virtual machine image identified in the request conforms to the policy, forwarding the request to a cloud management platform, wherein the cloud management platform launches the virtual machine image and attaches the launched virtual machine image to the first storage volume.
12. The computer-readable storage medium of claim 11, wherein the cloud management platform forwards the request to a policy manager for approval.
13. The computer-readable storage medium of claim 11, wherein the attributes include at least one of a user identifier, an operating system, an operating system version, and an application identifier.
14. The computer-readable storage medium of claim 11, wherein determining whether the request conforms to the policy comprises determining whether a user making the request is authorized to attach virtual machine instances to the first storage volume.
15. The computer-readable storage medium of claim 11, wherein determining whether the request conforms to the policy comprises determining whether a user making the request is authorized to launch an instance of the virtual machine image.
16. The computer-readable storage medium of claim 11, the operation further comprising: receiving a reconfiguration request to attach the launched virtual machine image to a second storage volume, wherein the second storage volume stores data accessible to the launched virtual machine image once attached and wherein the second storage volume has associated metadata indicating a measure of sensitivity of data on the second storage volume; and upon determining that the reconfiguration request conforms to the policy, forwarding the request to the cloud management platform, wherein the cloud management platform attaches the launched virtual machine image to the second storage volume.
17. A system, comprising: a processor and a memory hosting an application, which, when executed on the processor, performs an operation for enforcing policy-based compliance in launching a virtual machine image configuration, the operation comprising: receiving a request to launch a virtual machine image having a plurality of attributes, wherein the request specifies at least a first storage volume to attach to the launched virtual machine image, wherein the first storage volume stores data accessible to the launched virtual machine image once attached, and wherein the first storage volume has associated metadata indicating a measure of sensitivity of data on the first storage volume, evaluating the virtual machine image identified in the request and the metadata associated with the first storage volume to determine whether the request conforms to a policy, and upon determining that the virtual m
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
Isolation or security of virtual machine instances · CPC title
Starting, stopping, suspending or resuming virtual machine instances · CPC title
Hypervisors; Virtual machine monitors · CPC title