US2016112453A1PendingUtilityA1

System and method for a cloud computing abstraction layer with security zone facilities

49
Assignee: SERVICEMESH INCPriority: Jun 19, 2008Filed: May 22, 2015Published: Apr 21, 2016
Est. expiryJun 19, 2028(~1.9 yrs left)· nominal 20-yr term from priority
G06F 9/455H04L 63/20H04L 63/0209H04L 67/02H04L 63/105H04L 67/51H04L 67/34H04L 63/0272H04L 12/66H04L 12/6418G06F 2009/45587H04L 63/102H04L 12/4633H04L 67/10G06F 9/45558G06F 9/5072
49
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone.

Claims

exact text as granted — not AI-modified
1 . A computer-implemented method comprising:
 receiving, by a computing system, a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources;   identifying, by the computing system, a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS);   associating, by the computing system, a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction;   deploying, by the computing system, the computer workload in a virtual private cloud within the clouding-computing environment; and   applying, by the computing system, the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud.   
     
     
         2 . The computer-implemented method of  claim 1 , further comprising:
 testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.   
     
     
         3 . The computer-implemented method of  claim 2 , wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud. 
     
     
         4 . The computer-implemented method of  claim 1 , wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone. 
     
     
         5 . The computer-implemented method of  claim 1 , further comprising:
 tagging the computer workload based on the security zone to enable the computer workload to perform at least one of: 1) operations in the security zone or 2) communications across a plurality of security zones, wherein each security zone in the plurality of security zones has a defined set of associated firewalls.   
     
     
         6 . The computer-implemented method of  claim 1 , wherein the cloud-computing environment is associated with a virtualization environment, and wherein the virtualization environment has a metamodel framework that allows the policy to be associated with the computer workload. 
     
     
         7 . The computer-implemented method of  claim 1 , wherein the computer workload is included in an identified plurality of computer workloads configured to perform the computing workflow. 
     
     
         8 . The computer-implemented method of  claim 1 , wherein the security zone is associated with at least one of a geographic zone, a network zone, an enterprise zone, an operational zone, or an organizational zone. 
     
     
         9 . The computer-implemented method of  claim 1 , wherein the policy includes a security policy, and wherein the security policy is associated with at least one of an access policy, a write-permission policy, a resource utilization policy, or an editing permission policy. 
     
     
         10 . The computer-implemented method of  claim 9 , further comprising:
 receiving, at a central policy server, a definition for the security policy, wherein the central policy server is configured to associate the security policy to at least one of the computer workload or a particular cloud-computing resource, out of the plurality of cloud-computing resources, that performs the computer workload; and   pushing the security policy to the particular cloud-computing resource.   
     
     
         11 . A system comprising:
 at least one processor; and   a memory storing instructions that, when executed by the at least one processor, cause the system to perform:
 receiving a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources; 
 identifying a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS); 
 associating a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction; 
 deploying the computer workload in a virtual private cloud within the clouding-computing environment; and 
 applying the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud. 
   
     
     
         12 . The system of  claim 11 , wherein the instructions cause the system to further perform:
 testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.   
     
     
         13 . The system of  claim 12 , wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud. 
     
     
         14 . The system of  claim 11 , wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone. 
     
     
         15 . The system of  claim 11 , wherein the instructions cause the system to further perform:
 tagging the computer workload based on the security zone to enable the computer workload to perform at least one of: 1) operations in the security zone or 2) communications across a plurality of security zones, wherein each security zone in the plurality of security zones has a defined set of associated firewalls.   
     
     
         16 . A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to perform:
 receiving a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources;   identifying a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS);   associating a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction;   deploying the computer workload in a virtual private cloud within the clouding-computing environment; and   applying the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud.   
     
     
         17 . The non-transitory computer-readable storage medium of  claim 16 , wherein the instructions cause the computing system to further perform:
 testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.   
     
     
         18 . The non-transitory computer-readable storage medium of  claim 17 , wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud. 
     
     
         19 . The non-transitory computer-readable storage medium of  claim 16 , wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone. 
     
     
         20 . The non-transitory computer-readable storage medium of  claim 16 , wherein the instructions cause the system to further perform:
 tagging the computer workload based on the security zone to enable the computer workload to perform at least one of: 1) operations in the security zone or 2) communications across a plurality of security zones, wherein each security zone in the plurality of security zones has a defined set of associated firewalls.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.