Security and resiliency for cloud to edge deployments
Abstract
Various systems and methods are described for implementing cloud-to-edge (C2E) security are disclosed, including systems and methods for the execution of various workloads that are distributed among multiple edge computing nodes. An example technique for managing distributed workloads includes: identifying characteristics of a distributed workload from an execution of the distributed workload, for a distributed workload that is partitioned among multiple computing nodes; evaluating a trust status of the distributed workload in response to a change in the execution of the distributed workload, including verifying resources to execute the distributed workload and verifying security policies associated with the resources; and controlling the execution of the distributed workload among the multiple computing nodes, based on the characteristics and the evaluated trust status.
Claims
exact text as granted — not AI-modified1 . A computing system configured to manage distributed workloads, comprising:
processing circuitry; and a memory device including instructions embodied thereon, wherein the instructions, which when executed by the processing circuitry, configure the processing circuitry to cause operations that:
identify characteristics of a distributed workload from an ongoing execution of the distributed workload, the distributed workload being partitioned among multiple computing nodes;
evaluate a trust status of the distributed workload in response to a change in the execution of the distributed workload, including verifying resources to execute the distributed workload and verifying security policies associated with the resources; and
control the execution of the distributed workload among the multiple computing nodes, based on the characteristics and the evaluated trust status.
2 . The computing system of claim 1 , wherein the characteristics of the distributed workload include expected trust properties to exist between a workload execution environment and respective infrastructure resources, and
wherein the control of the execution of the distributed workload is based on use of a token that includes security intents metadata to describe the expected trust properties.
3 . The computing system of claim 1 , wherein the operations to evaluate the trust status are performed by a trust coordination framework service, and wherein the instructions further configure the processing circuitry to cause operations that:
evaluate data provenance of data associated with the distributed workload, attestation properties of the resources to execute the distributed workload, and workload provenance of respective portions of the distributed workload, using the trust coordination framework service.
4 . The computing system of claim 1 , wherein the distributed workload is associated with an attestation workload, and wherein the instructions further configure the processing circuitry to cause operations that:
distribute the attestation workload by co-locating execution of portions of the attestation workload onto the resources that are to execute portions of the distributed workload.
5 . The computing system of claim 1 , wherein the change in the execution of the distributed workload is provided from a software or firmware update to at least one of the multiple computing nodes.
6 . The computing system of claim 5 , wherein the software or firmware update includes moving a provisioned workload to a migration target workload, and moving a provisioned resource to a migration target resource.
7 . The computing system of claim 5 , wherein the software or firmware update is coordinated by a workload update manager, and wherein the workload update manager is to coordinate distribution of the software or firmware update.
8 . The computing system of claim 1 , wherein the multiple computing nodes are provided by a cloud repository infrastructure, and wherein the cloud repository infrastructure operates a trusted repository cloud agent service to verify operations that execute the distributed workload.
9 . The computing system of claim 1 , wherein the characteristics of the distributed workload are based on results from a resource simulation performed on the distributed workload, and wherein the resource simulation includes testing of resource bindings to be used by the distributed workload.
10 . The computing system of claim 1 , wherein the multiple computing nodes are provided by a platform-as-a-service (PaaS) configuration, wherein the operations of the computing system are coordinated by an infrastructure-as-a-service (IaaS) configuration to execute the distributed workload.
11 . At least one non-transitory machine-readable storage medium comprising instructions stored thereupon, which when executed by processing circuitry of a computing machine, cause the processing circuitry to:
identify characteristics of a distributed workload from an ongoing execution of the distributed workload, the distributed workload being partitioned among multiple computing nodes; evaluate a trust status of the distributed workload in response to a change in the execution of the distributed workload, including verifying resources to execute the distributed workload and verifying security policies associated with the resources; and control the execution of the distributed workload among the multiple computing nodes, based on the characteristics and the evaluated trust status.
12 . The machine-readable storage medium of claim 11 , wherein the characteristics of the distributed workload include expected trust properties to exist between a workload execution environment and respective infrastructure resources, and
wherein the control of the execution of the distributed workload is based on use of a token that includes security intents metadata to describe the expected trust properties.
13 . The machine-readable storage medium of claim 11 , wherein operations to evaluate the trust status are performed by a trust coordination framework service, and wherein the instructions cause the processing circuitry to:
evaluate data provenance of data associated with the distributed workload, attestation properties of the resources to execute the distributed workload, and workload provenance of respective portions of the distributed workload, using the trust coordination framework service.
14 . The machine-readable storage medium of claim 11 , wherein the distributed workload is associated with an attestation workload, and wherein the instructions further cause the processing circuitry to:
distribute the attestation workload by co-locating execution of portions of the attestation workload onto the resources that are to execute portions of the distributed workload.
15 . The machine-readable storage medium of claim 11 , wherein the change in the execution of the distributed workload is provided from a software or firmware update to at least one of the multiple computing nodes.
16 . The machine-readable storage medium of claim 15 , wherein the software or firmware update includes moving a provisioned workload to a migration target workload, and moving a provisioned resource to a migration target resource.
17 . The machine-readable storage medium of claim 15 , wherein the software or firmware update is coordinated by a workload update manager, and wherein the workload update manager is to coordinate distribution of the software or firmware update.
18 . The machine-readable storage medium of claim 11 , wherein the multiple computing nodes are provided by a cloud repository infrastructure, and wherein the cloud repository infrastructure operates a trusted repository cloud agent service to verify operations that execute the distributed workload.
19 . The machine-readable storage medium of claim 11 , wherein the characteristics of the distributed workload are based on results from a resource simulation performed on the distributed workload, and wherein the resource simulation includes testing of resource bindings to be used by the distributed workload.
20 . The machine-readable storage medium of claim 11 , wherein the multiple computing nodes are provided by a platform-as-a-service (PaaS) configuration, wherein operations of the computing machine are coordinated by an infrastructure-as-a-service (IaaS) configuration to execute the distributed workload.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.