System and Method to secure Virtual Machines in a Cloud deployment
Publication Date: 2017-Jul-26
The IP.com Prior Art Database
System and Method to Self-Secure Virtual Machines in a Cloud deployment
The Cloud Security Alliance has listed data breach as the top threat in cloud computing. This is a major concern for cloud customers, especially because:
- The cloud is a multi-tenant environment in which one's data could end up in the hands of one's competitors.
- A cloud hosting firm can borrow resources from other clouds or outsource hosting to providers that may not meet the same level of compliance as the company with which the contract was signed.
- Customers want more control over their VMs and over how they are hosted and managed, instead of entrusting everything to the cloud provider.
In this publication we take a stab at bridging this gap by introducing mechanisms to secure a virtual machine in a cloud environment so that the data it contains does not reach unintended or unauthorized parties.
The proposal revolves around the idea that a VM is responsible for its own security and should have an in-built mechanism to achieve it, rather than relying solely on a virtualization manager. The VM owns its security: it works with the host cooperatively and intelligently and takes preventive measures, instead of passively depending on the goodwill of its host, hypervisor or any other external product. Specifically:
- The VM has an in-built mechanism to achieve this.
- The VM can work cooperatively with external security products and with the hypervisor / virtualization manager to achieve its intended security goals.
- The VM has the capability and intelligence to tailor itself to its own security needs.
- The VM can take certain actions if it finds that the environment in which it is provisioned, or is about to be provisioned, is not adequate for its security needs and its request to the virtualization manager / hypervisor / external security entity is not honored.
Idea and details of the Proposal
Every VM that is part of a cloud network should be cognizant that it is one node in that network. In addition, it should have a mechanism to automatically and continuously monitor itself against the policy defined for it:
1) As a standalone VM which is part of a cloud network:
• The VM can "activate" a geo-fence for itself: every host has its date/time set, which includes its time-zone details; additionally, a customer can mandate that a postal code or PIN code be maintained for each host in the host metadata. The VM queries this on first boot and proceeds or fails based on the accepted time zones and postal codes. It can also derive these details from the time zone of incoming requests. The VM also periodically rescans and re-verifies these conditions to handle relocation / live-migration cases.
• The VM can "activate" a time-fence for itself: the VM permits traffic in and out of itself only during selected time slots (when it is supposed to be serving its clients / customers); outside t...
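One way to implement the first-boot geo-fence check, the periodic rescan that catches a live migration, and the time-fence evaluation, as an added example that is not part of the original disclosure. The JSON shape of the host metadata, the FencePolicy fields, the fixed UTC offset used to localise the time window, and all function names are assumptions made for illustration; the metadata documents and policies are constructed samples.

```python
"""Self-checks a VM can run on first boot and on a timer to enforce its own
geo-fence and time-fence against the host it is running on.

Added example, not code from the original disclosure. The host metadata
document, the policy fields and every function name are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class FencePolicy:
    """Customer-defined policy (assumed shape) that the VM enforces on itself."""
    allowed_time_zones: frozenset[str]      # IANA zone names the host may report
    allowed_postal_codes: frozenset[str]    # postal / PIN codes the host may report
    window_start: time                      # traffic permitted from this local time...
    window_end: time                        # ...up to (not including) this local time
    window_utc_offset_minutes: int          # fixed offset used to localise the clock


@dataclass
class Verdict:
    ok: bool
    reasons: list[str] = field(default_factory=list)


# Constructed sample metadata (assumed format): what a host exposes to the guest.
SAMPLE_HOST_METADATA = json.dumps(
    {"host_id": "host-0a1b", "time_zone": "Europe/Berlin", "postal_code": "10115"})
# Constructed sample after a hypothetical live migration out of the accepted region.
SAMPLE_HOST_METADATA_AFTER_MOVE = json.dumps(
    {"host_id": "host-77ff", "time_zone": "America/New_York", "postal_code": "10001"})

# Constructed sample policies: DAY_POLICY serves clients 08:00-20:00 at UTC+1;
# NIGHT_POLICY is a batch window that wraps past midnight, 22:00-06:00 UTC.
DAY_POLICY = FencePolicy(frozenset({"Europe/Berlin", "Europe/Amsterdam"}),
                         frozenset({"10115", "1012"}), time(8, 0), time(20, 0), 60)
NIGHT_POLICY = FencePolicy(frozenset({"Europe/Berlin"}), frozenset({"10115"}),
                           time(22, 0), time(6, 0), 0)


def parse_host_metadata(raw: str) -> dict[str, str]:
    """Parse the metadata document; fail closed on anything missing or malformed."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"host metadata is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("host metadata is not a JSON object")
    required = ("host_id", "time_zone", "postal_code")
    missing = [k for k in required if not isinstance(data.get(k), str) or not data[k]]
    if missing:
        raise ValueError(f"host metadata missing fields: {missing}")
    return data


def check_geo_fence(metadata: dict[str, str], policy: FencePolicy) -> Verdict:
    """Geo-fence: both the reported time zone and the postal code must be allowed."""
    verdict = Verdict(ok=True)
    if metadata["time_zone"] not in policy.allowed_time_zones:
        verdict.ok = False
        verdict.reasons.append(f"time zone {metadata['time_zone']!r} not permitted")
    if metadata["postal_code"] not in policy.allowed_postal_codes:
        verdict.ok = False
        verdict.reasons.append(f"postal code {metadata['postal_code']!r} not permitted")
    return verdict


def check_time_fence(now_utc: datetime, policy: FencePolicy) -> bool:
    """Time-fence: may traffic flow at this instant? Handles windows that wrap midnight."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    local = now_utc.astimezone(
        timezone(timedelta(minutes=policy.window_utc_offset_minutes))).time()
    if policy.window_start <= policy.window_end:
        return policy.window_start <= local < policy.window_end
    return local >= policy.window_start or local < policy.window_end


def check_time_fence_at(iso_timestamp: str, policy: FencePolicy) -> bool:
    """Convenience wrapper taking an ISO-8601 timestamp with an explicit offset."""
    return check_time_fence(datetime.fromisoformat(iso_timestamp), policy)


def first_boot_decision(raw_metadata: str, policy: FencePolicy) -> Verdict:
    """Run once on first boot: proceed only if the host passes the geo-fence."""
    try:
        metadata = parse_host_metadata(raw_metadata)
    except ValueError as exc:
        return Verdict(ok=False, reasons=[f"unusable host metadata: {exc}"])
    return check_geo_fence(metadata, policy)


def periodic_recheck(accepted_host_id: str, raw_metadata: str,
                     policy: FencePolicy) -> Verdict:
    """Run on a timer after boot. A changed host_id means the VM was relocated or
    live-migrated, so the boot-time verdict is discarded and the new host is
    evaluated from scratch. What the VM does on a failing verdict (quarantine
    itself, drop traffic, alert) is the caller's policy decision."""
    try:
        metadata = parse_host_metadata(raw_metadata)
    except ValueError as exc:
        return Verdict(ok=False, reasons=[f"unusable host metadata: {exc}"])
    verdict = check_geo_fence(metadata, policy)
    if metadata["host_id"] != accepted_host_id:
        verdict.reasons.append(f"host changed: {accepted_host_id} -> {metadata['host_id']}")
    return verdict


if __name__ == "__main__":
    boot = first_boot_decision(SAMPLE_HOST_METADATA, DAY_POLICY)
    print("first boot:", "proceed" if boot.ok else "fail", boot.reasons)
    later = periodic_recheck("host-0a1b", SAMPLE_HOST_METADATA_AFTER_MOVE, DAY_POLICY)
    print("after migration:", "ok" if later.ok else "fail", later.reasons)
    print("traffic allowed at 09:00Z:",
          check_time_fence_at("2024-01-01T09:00:00+00:00", DAY_POLICY))
```

The checks fail closed: missing or malformed metadata is treated as a fence violation rather than a pass, and a naive timestamp is rejected so that a misconfigured clock cannot silently widen the traffic window. One caveat applies to the whole scheme as described: the VM can only evaluate what the host reports, so these checks protect against misconfiguration and accidental relocation, not against a hypervisor that deliberately lies about its time zone or location.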