System and method for a cloud computing abstraction layer with security zone facilities
Abstract
In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone.
Claims
exact text as granted — not AI-modified1 . A computer-implemented method comprising:
receiving, by a computing system, a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources; identifying, by the computing system, a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS); associating, by the computing system, a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction; deploying, by the computing system, the computer workload in a virtual private cloud within the clouding-computing environment; and applying, by the computing system, the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud.
2 . The computer-implemented method of claim 1 , further comprising:
testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.
3 . The computer-implemented method of claim 2 , wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud.
4 . The computer-implemented method of claim 1 , wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone.
5 . The computer-implemented method of claim 1 , further comprising:
tagging the computer workload based on the security zone to enable the computer workload to perform at least one of: 1) operations in the security zone or 2) communications across a plurality of security zones, wherein each security zone in the plurality of security zones has a defined set of associated firewalls.
6 . The computer-implemented method of claim 1 , wherein the cloud-computing environment is associated with a virtualization environment, and wherein the virtualization environment has a metamodel framework that allows the policy to be associated with the computer workload.
7 . The computer-implemented method of claim 1 , wherein the computer workload is included in an identified plurality of computer workloads configured to perform the computing workflow.
8 . The computer-implemented method of claim 1 , wherein the security zone is associated with at least one of a geographic zone, a network zone, an enterprise zone, an operational zone, or an organizational zone.
9 . The computer-implemented method of claim 1 , wherein the policy includes a security policy, and wherein the security policy is associated with at least one of an access policy, a write-permission policy, a resource utilization policy, or an editing permission policy.
10 . The computer-implemented method of claim 9 , further comprising:
receiving, at a central policy server, a definition for the security policy, wherein the central policy server is configured to associate the security policy to at least one of the computer workload or a particular cloud-computing resource, out of the plurality of cloud-computing resources, that performs the computer workload; and pushing the security policy to the particular cloud-computing resource.
11 . A system comprising:
at least one processor; and a memory storing instructions that, when executed by the at least one processor, cause the system to perform:
receiving a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources;
identifying a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS);
associating a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction;
deploying the computer workload in a virtual private cloud within the clouding-computing environment; and
applying the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud.
12 . The system of claim 11 , wherein the instructions cause the system to further perform:
testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.
13 . The system of claim 12 , wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud.
14 . The system of claim 11 , wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone.
15 . The system of claim 11 , wherein the instructions cause the system to further perform:
tagging the computer workload based on the security zone to enable the computer workload to perform at least one of: 1) operations in the security zone or 2) communications across a plurality of security zones, wherein each security zone in the plurality of security zones has a defined set of associated firewalls.
16 . A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to perform:
receiving a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources; identifying a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS); associating a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction; deploying the computer workload in a virtual private cloud within the clouding-computing environment; and applying the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud.
17 . The non-transitory computer-readable storage medium of claim 16 , wherein the instructions cause the computing system to further perform:
testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.
18 . The non-transitory computer-readable storage medium of claim 17 , wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud.
19 . The non-transitory computer-readable storage medium of claim 16 , wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone.
20 . The non-transitory computer-readable storage medium of claim 16 , wherein the instructions cause the system to further perform:
tagging the computer workload based on the security zone to enable the computer workload to perform at least one of: 1) operations in the security zone or 2) communications across a plurality of security zones, wherein each security zone in the plurality of security zones has a defined set of associated firewalls.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.