Back

Implementation of Cloud Infrastructure


Drawings

Brief Description:

illustrates an example system 100 in accordance with one embodiment.

Detailed Description:

Referring now to Figure 1, an example system 100 includes a cloud infrastructure 102 that includes a scanning service 104 and virtual machines running on one or more virtual private cloud 114. Applications instantiated on virtual machines within the virtual private cloud 114 may access one or more clouddata stores 106 for storage of data. Administrators may configure the virtual private cloud in zones, and may architect applications to store in and receive data from the cloud data store 106 so as to provide fault tolerance and availability

While the cloud infrastructure 102, scanning service 104 and virtual machine instances in the virtual private cloud 114 may be described with respect to cloud-based infrastructure generally, and respect to Amazon Web Services (AWS) and AWS s3 buckets as an example implementation, it should be understood that the architecture and concept may be used with any suitable cloud service and related storage system. For example, cloud infrastructure services available from Microsoft Azure, CenturyLink Cloud, VMware, rackspace, joyent, and google may be suitable in various implementations as well as other cloud infrastructure or infrastructure-as-a-service providers with adjustments or modifications as may be needed for a particular implementation

Deployment of the scanning service 104 may be accomplished with a workflow that is intended to be relatively simple for an administrator to initiate and manage, and relieve a requirement to deploy and manage an agent on application templates or instances as they are created. This may enable, for example, in some implementations, a usage-based billing model as compared to a per-seat license for each image created, which may be desirable with cloud billing models, and particularly in an auto-scaling environment. As instances are created and shut down, instantiations of the scanning service 104 may be based on the load on the scanning service 104load, and may be managed, for example, by the security manager 116, rather than the administrator of the applications running in the virtual private cloud 114

In some implementations, installation and registration may involve setting permissions and authentication configuration, so that a cloud scanning provider handles administration of the scanning application and datasets without additional impact to customers’ workflows. This reduces complexity for the application administrator when adding data protection capability to applications

The system 100 includes a cloud infrastructure service 102 that provides computing resources for execution of software applications, data storage, and resource management, and may provide other services as well. In an example implementation, the cloud infrastructure 102 is implemented with the AWS service, although as mentioned above other suitable cloud infrastructure services may be used. 

The cloud infrastructure service 102 may include a cloud data store 106. The cloud data store 106 may be used by applications within the cloud infrastructure 102 to store data. The cloud data store 106 may be used, for example, by a web application operating within the cloud infrastructure 102 to store files uploaded to the web application by a user. The cloud data store 106 may receive one or more files directly or indirectly from applications, such as mobile apps, operating on user device 122 or a mobile device 322B. In an AWS implementation, the cloud data store 106 may be implemented with the AWS Simple Storage Service S3. Other clouddata services may be used instead or in addition

The cloud infrastructure 102 may include a scanning service 104. The scanning service 104 may be implemented with one or more scanningapplications running on one or more virtual machines within the cloud infrastructure 102. The scanning service 104 may receive policies from a security manager 116 and also may provide status information, events, and alerts to the security manager 116

The security manager 116 may be implemented within the cloud infrastructure 102 or outside the cloud infrastructure 102. The security manager 116 may provide a web-based management interface for configuration of the scanning service 104 and for an administrator to manage their use of the scanning service 104 and potentially other security applications. For example, the security manager 116 may provide management for endpoint protection, firewalls, and so forth. In some implementations, one or more firewalls under management by the security manager 116 are included in the virtual private cloud 114 and may be managed by the security manager 116

The scanning service 104 may receive data updates from a datadistributionservice (DDS 118). data from the DDS 118 may include, for example, code updates and definitions of known or potential malicious files, portions of files, code, or content, or code that may be used to identify malicious files, applications, or the like. The definition files may contain one or more commands, definitions, patterns, or instructions, to be parsed and acted upon, matched, or the like. Patterns may include, for example, identifying files or portions of files that fit a specific pattern, or that were identified in malicious files. Patterns also may include, for example, identifying code that has the same effect of code that is known to be malicious. The data updates may be used by the scanning service 104 when scanningfiles

The scanning service 104 may exchange security-related information, such as files or portions of files and resource reputation information with a security datadata lookup service 120. The security datadata lookup service 120 may be provided within the cloud infrastructure 102 or outside the cloud infrastructure 102. The security datadata lookup service 120 may be used, for example, to check patterns identified by the scanning service 104, determine reputations of resources identified or provided by the scanning service 104, and so forth. The scanning service 104 may provide files or data to the data lookup service 120 for further analysis. In some implementations, the scanning service 104 may initiate sending data to the data lookup service 120 under a variety of circumstances, for example, if the scanning service 104 is unable to determine whether a file or a portion of a file is malicious, or the relevance of code or other content, or if the reputation of a file is unknown. The data lookup service 120 may request a file or data to be provided to the data lookup service 120 for further investigation

The scanning service 104 accesses files to be scanned directly from the cloud data store 106 that is used by the virtual machine instances, which avoids overhead and performance delay. The use of virtual machine instances for the scanning that are different from the virtual machine instances of the application facilitate management and reduce complexity. In some implementations, the scanning service provides alerts to an administrator, but does not attempt to control access to files. In some implementations, the scanning service may move files or change the name of files in order to control access. For example, to prevent access to a file, the scanning service may change the name or the location (e.g., path in a file system) of a file in order to prevent access. In some implementations, the scanning service 104 may replace a file with another file that is “clean.” 

In some implementations, file permissions are used to control use of files. For example, if the scanning service 104 has been configured with an account having the appropriate permissions, the scanning service 104 may change the permission of files in the cloud data store 106 to permit or deny access to files by the applications in the virtual private cloud 114. Use of file permissions to control file access provides security for data, without a need for lengthy setup or installation. This reduces the costs to deploy and provision and takes advantage of the benefits of the cloud, which is to distribute processing and avoid the need for custom infrastructure, which in turn reduces total cost of ownership for cloud applications

In some implementations in which permissions are used, an application stores a file in the cloud data store 106 with default permissions that permit access by applications running in the virtual private cloud 114. The scanning service 104 receives notification of the storage event from the cloud data store 106, and the scanning service 104 scans the file. If access to the file needs to be restricted based on the scan, the scanning service 104 changes the permission of the file so that applications in the virtual private cloud 114 can no longer access the file

In some implementations in which permissions are used, an application stores a file in the cloud data store 106 with default permissions that do not permit access by applications running in the virtual private cloud 114. The scanning service 104 receives notification of the storage event from the cloud data store 106, and the scanning service 104 scans the file. If access to the file needs to be restricted based on the scan, the scanning service 104 does not change the permission of the file so that applications in the virtual private cloud 114 still cannot access the file. If access to the file does not need to be restricted based on the scan, the scanning service 104 changes the permission of the file so that applications in the virtual private cloud 114 may access the file

The cloud infrastructure 102 may include a virtual private cloud 114 (VPC) including one or more computing resources on which virtual machine instances are implemented. For example, the virtual private cloud 114 may include one or more applications such as a software application, a web application, a virtual desktop, a server application, etc. Applications in the virtual private cloud 114 may access and store data in the cloud data store 106, depending on the permissions assigned to the files in the cloud data store 106. In some implementations, some or all of applications may be implemented on infrastructure inside or outside of the cloud. For example, applications may be implemented in a co-location facility or in a data center not associated with a cloud infrastructure. For example, applications may be implemented on a user device, such as a mobile app or desktop computer application. Applications implemented outside of the cloud may make use of cloud resources, such as cloud storage. Use of the scanning techniques described with respect to cloud storage may be useful even if the applications are partially or entirely implemented outside of the cloud infrastructure, for example, with the exception of the cloud storage

User devices 122 may be in communication with the data store. The user devices 122 may have applications that directly store data in the data store 106. The user devices 122 may be in communication with one or more applications in the virtual private cloud 114, which in turn store data in the data store 106. 

An example is presented in which the cloud data store 106 includes three files; clean files 108, clean files 110 and malicious file 112. The clean files 108, clean files 110, malicious file 112 may be any sort of data file or collection of data files (e.g., a word processing file, an image, a video, an archive collection of files, etc.). In this example, there may be a first clean file 108 and a second clean files 110. The clean files 108, clean files 110 may be clean in the sense that they do not contain content that would be identified by the scanning service 104 to require reporting or restriction. The cloud data store 106 also includes a third malicious file 112, which contains content may be identified by the scanning service 104 to require restriction of file access. For example, the malicious file 112 may include malware or other malicious content. For example, the file may include content that should be protected from distribution under a policy

In some implementations, access to the malicious file 112 by applications running on the virtual private cloud 114 may be prevented through the use of permissions associated with the malicious file 112 within the data store 106, while the clean files 108, clean files 110 may have other permissions assigned and so applications running the on the virtual private cloud 114 would not be blocked. As a result, applications running on the VPC may access the clean files 108, clean files 110 but not access the malicious file 112. In some implementations, the file names of the clean files 108, clean files 110 are not changed, but the file name of the malicious file 112 is changed such that applications running on the virtual private cloud 114 cannot access the malicious file 112. In some implementations, the clean files 108, clean files 110 are not moved, but the malicious file 112 is moved such that applications running on the virtual private cloud 114 cannot access the malicious file 112


Parts List

100

example system

102

cloud infrastructure

104

scanning service

106

cloud data store

108

clean files

110

clean files

112

malicious file

114

virtual private cloud

116

security manager

118

DDS

120

data lookup service

122

user devices


Terms/Definitions

file name

instantiations

web-based management interface

google

infrastructure-as-a-service providers

files or portions

elements

distribution

particular embodiments

security-related information

ordinary skill

further analysis

advantage

video

implementations

functional information one

data store

diamond

application stores

circuits

same effect

three files

code

Microsoft Azure

application templates or instances

digital signal processor circuit

malicious file

desirable order

relevance

firewalls

virtual private cloud (VPC)

malicious files

instructions

cloud-based infrastructure

virtual private clouds

syntax

account

joyent

file system

reporting or restriction

sort

s3 buckets

service

scanning service

clean files

potential malicious files

AWS service

alerts

data

their use

user devices

third file

server application

benefits

functionally equivalent circuits

cloud infrastructure service

particular programming language

default permissions

policies

co-location facility

total cost

mobile app

configuration

workflow

facility

portions

Amazon Web Services

administration

security data

turn

instances

initialization

per-seat license

second clean file

many routine program elements

AWS implementation

administrator

virtual desktop

reputation

permission

various implementations

Data Distribution Service (DDS)

AWS Simple Storage Service

rackspace

software applications

patterns

circumstances

application administrator

file names

hardware implementation

management

present invention

storage

computer software instructions or groups

computer software instructions

communication

customers’ workflows

mobile device

flow diagrams

example implementation

software application

example system

files or data

presently disclosed methods

store files

loops and variables

access

virtual private cloud

invention

agent

adjustments or modifications

cloud

permissions

location

first clean file

particular implementation

data protection capability

applications

VMware

word processing file

application

scanning techniques

resource management

cloud infrastructure services

computing resources

cloud resources

deploy and provision

additional impact

cloud scanning provider

reputations

cloud storage

specific pattern

block diagram

related storage system

endpoint protection

costs

cloud billing models

auto-scaling environment

requirement

custom infrastructure

infrastructure

exception

code updates and definitions

lengthy setup or installation

complexity

mobile apps

scan

virtual machines

storage event

portion

events

web application

unordered meaning

user

data file or collection

status information

resources

cloud infrastructure

figure

definition files

particular sequence

processing

data center

administrators

policy

potentially other security applications

restriction

application facilitate management

file

appropriate permissions

implementation

cloud applications

delay

processing and decision blocks

security

processing blocks

file permissions

virtual machine instances

computer software

result

data lookup service

specific integrated circuit

example

cloud data store

archive collection

file access

need

notification

respect

zones

spirit

execution

load

content

security manager

suitable cloud service

data storage

usage-based billing model

ownership

data lookup

steps

image

architecture and concept

user device

desktop computer application

groups

temporary variables

files

rectangular elements

fault tolerance and availability

installation and registration

file or data

permissions and authentication configuration

addition

CenturyLink Cloud

files and resource reputation information

further investigation

system

variety

scanning

name

data files

scanning application and datasets

data updates

malware