-
公开(公告)号:US10572672B2
公开(公告)日:2020-02-25
申请号:US15573101
申请日:2015-08-14
摘要: An apparatus comprises a memory to store data and a processor coupled to the memory. The processor may modify a plurality of data elements using a semantic relationship between the plurality of data elements and a pre-selected data security policy and to store data representing the modified plurality of data elements in the memory.
-
公开(公告)号:US08544002B2
公开(公告)日:2013-09-24
申请号:US11718196
申请日:2005-10-28
IPC分类号: G06F9/50
CPC分类号: G06F9/5077 , G06F9/45558 , G06F2009/45562 , G06F2009/45575
摘要: A system has a virtual overlay infrastructure mapped onto physical resources for processing, storage and network communications, the virtual infrastructure having virtual entities for processing, storage and network communications. Each virtual infrastructure can be passivated by suspending applications, stopping operating systems, and storing state, to enable later reactivation. This is simpler for a complete virtual infrastructure than for groups of virtual entities and physical entities. It enables cloned virtual infrastructure to be created for testing, upgrading or sharing without risk to the parent. On failure, reversion to a previous working clone is feasible.
摘要翻译: 系统具有映射到用于处理,存储和网络通信的物理资源的虚拟覆盖基础设施,虚拟基础设施具有用于处理,存储和网络通信的虚拟实体。 每个虚拟基础设施可以通过挂起应用程序,停止操作系统和存储状态来钝化,以便稍后重新启动。 与虚拟实体和物理实体的组相比,这对于完整的虚拟基础设施来说更简单。 它可以创建克隆的虚拟基础架构,用于测试,升级或共享,而不会对父级造成风险。 失败后,回复到以前的工作克隆是可行的。
-
公开(公告)号:US20100082991A1
公开(公告)日:2010-04-01
申请号:US12242104
申请日:2008-09-30
CPC分类号: H04L9/083 , H04L2209/805
摘要: To provide a secure service to an application virtual machine running in a first domain of a virtualized computing platform, a second domain is arranged to run a corresponding service driver exclusively for the application virtual machine. As part of the secure service, the service driver effects a key-based cryptographic operation; to do so, the service driver has to obtain the appropriate key from a key manager. The key manager is arranged to store the key and to release it to the service driver only upon receiving evidence of its identity and being satisfied of compliance with release policies associated with the key. These policies include receipt of valid integrity metrics, signed by trusted-device functionality of the virtualized computing platform, for the service driver and the code on which it depends.
摘要翻译: 为了向在虚拟化计算平台的第一域中运行的应用虚拟机提供安全服务,第二域被安排为专用于应用虚拟机运行相应的服务驱动器。 作为安全服务的一部分,服务驱动程序实现了基于密钥的加密操作; 要这样做,服务驱动程序必须从密钥管理器获取适当的密钥。 密钥管理器被安排为存储密钥,并且仅在接收到其身份的证据并且满足与密钥相关的释放策略的满足时将其释放给服务驱动器。 这些策略包括为服务驱动程序及其所依赖的代码接收由虚拟化计算平台的可信设备功能签名的有效完整性度量。
-
公开(公告)号:US20080270198A1
公开(公告)日:2008-10-30
申请号:US11739839
申请日:2007-04-25
申请人: David Graves , Adrian John Baldwin , Yolanta Beresnevichiene , Philippe Lamy , Simon Kai-Ying Shiu
发明人: David Graves , Adrian John Baldwin , Yolanta Beresnevichiene , Philippe Lamy , Simon Kai-Ying Shiu
IPC分类号: G06Q99/00
CPC分类号: G06Q10/06 , G06Q10/0631
摘要: In one embodiment, a system and method pertain to receiving audit exceptions indicative of instances of noncompliance of an information system under evaluation relative to a policy or standard, identifying remediation recommendations that are relevant to the audit exceptions and that indicate how to correct conditions that caused the noncompliance, and providing the remediation recommendations to an entity responsible for correcting the conditions so as to provide information as to how the information system can be brought into compliance with the policy or standard.
摘要翻译: 在一个实施例中,系统和方法涉及接收关于相对于策略或标准进行评估的信息系统不符合实例的审计异常,识别与审计异常相关的补救建议,并且指示如何纠正引起的条件 不合规,并向负责纠正条件的实体提供补救建议,以提供信息系统如何符合政策或标准的信息。
-
公开(公告)号:US06978379B1
公开(公告)日:2005-12-20
申请号:US09578503
申请日:2000-05-26
CPC分类号: G06F21/604 , G06F21/6218
摘要: An apparatus (22,44) is described for use in generating configuration information for a computer system (12) employing hierarchical entities.A policy template (24) is employed which contains a definition of an abstract high-level policy, for the configuration of the system, and permitted refinements to that policy, the definition referring to a plurality of the entities. An information and system model (16) contains information about the computer system and its environment including the entities referred to in the high-level policy definition, the hierarchy thereof and non-hierarchical relations between the entities. A policy authoring engine (26) refines the high-level policy definition with reference to the permitted refinements thereto and the stored information about the entities to which the high-level policy definition relates in order to produce a refined policy definition. In doing this, the engine presents refinement options to a user (10) via a user interface (28) and refines the high-level policy definition in dependence upon options selected by the user via the user interface. Some of the entities stored in the model (16) may be abstract entities, but with pointers to data in the computer system representing an instance of that abstract entity. The refined policy may be in terms of a policy context, referring to unbound entities, and a policy statement. A policy deployer (20) stores rules for interpreting the policy statement as instructions executable by the computer system and is operable, with reference to the information and system model (16), to bind the unbound entities in the policy context to instances of those entities, and, with reference to the stored rules, to interpret the policy statement into a series of instructions to the computer system referring to the bound instances or derivatives of them.The apparatus facilitates the refinement of abstract policies and implementation of the refined policies.
-
公开(公告)号:US09596239B2
公开(公告)日:2017-03-14
申请号:US11718122
申请日:2005-10-28
CPC分类号: H04L63/10 , G06F9/45533 , G06F9/45558 , G06F21/604
摘要: A system has a virtual overlay infrastructure mapped onto physical resources for processing, storage and network communications, the virtual infrastructure having virtual entities for processing, storage and network communications. Virtual infrastructures of different users share physical resources but are isolated. Each infrastructure has its own infrastructure controller to create and configure the infrastructure. It has a user accessible part (CFC) for configuration of that user's infrastructure, and a user inaccessible part (UFC) able to access the mapping and the physical resources. This increases user control to ease system administration, while maintaining security by limiting access to the mapping.
摘要翻译: 系统具有映射到用于处理,存储和网络通信的物理资源的虚拟覆盖基础设施,虚拟基础设施具有用于处理,存储和网络通信的虚拟实体。 不同用户的虚拟基础架构共享物理资源,但是是孤立的。 每个基础设施都有自己的基础设施控制器来创建和配置基础架构。 它具有用于配置该用户基础设施的用户可访问部分(CFC),以及能够访问映射和物理资源的用户无法访问的部分(UFC)。 这增加了用户控制以简化系统管理,同时通过限制对映射的访问来保持安全性。
-
公开(公告)号:US20120110669A1
公开(公告)日:2012-05-03
申请号:US12916197
申请日:2010-10-29
申请人: Yolanta Beresnevichiene , Adrian John Baldwin , Jonathan F. Griffin , Simon K.Y. Shiu , Marco Casassa Mont , Brian Quentin Monahan , David J. Pym
发明人: Yolanta Beresnevichiene , Adrian John Baldwin , Jonathan F. Griffin , Simon K.Y. Shiu , Marco Casassa Mont , Brian Quentin Monahan , David J. Pym
IPC分类号: G06F12/00
CPC分类号: G06F21/577
摘要: A system for analyzing an environment to identify a security risk, comprising a model engine to generate a model of the environment using multiple components defining adjustable elements of the model and a risk analyzer to calculate multiple randomized instances of an outcome for the environment using multiple values for parameters of the elements of the model selected from within respective predefined ranges for the parameters.
摘要翻译: 一种用于分析环境以识别安全风险的系统,包括使用定义所述模型的可调节元素的多个组件来生成环境模型的模型引擎和风险分析器,以使用多个值来计算所述环境的结果的多个随机化实例 对于参数的相应预定义范围内选择的模型元素的参数。
-
公开(公告)号:US09559842B2
公开(公告)日:2017-01-31
申请号:US12242104
申请日:2008-09-30
CPC分类号: H04L9/083 , H04L2209/805
摘要: To provide a secure service to an application virtual machine running in a first domain of a virtualized computing platform, a second domain is arranged to run a corresponding service driver exclusively for the application virtual machine. As part of the secure service, the service driver effects a key-based cryptographic operation; to do so, the service driver has to obtain the appropriate key from a key manager. The key manager is arranged to store the key and to release it to the service driver only upon receiving evidence of its identity and being satisfied of compliance with release policies associated with the key. These policies include receipt of valid integrity metrics, signed by trusted-device functionality of the virtualized computing platform, for the service driver and the code on which it depends.
摘要翻译: 为了向在虚拟化计算平台的第一域中运行的应用虚拟机提供安全服务,第二域被安排为专用于应用虚拟机运行相应的服务驱动器。 作为安全服务的一部分,服务驱动程序实现了基于密钥的加密操作; 要这样做,服务驱动程序必须从密钥管理器获取适当的密钥。 密钥管理器被安排为存储密钥,并且仅在接收到其身份的证据并且满足与密钥相关的释放策略的满足时将其释放给服务驱动器。 这些策略包括为服务驱动程序及其所依赖的代码接收由虚拟化计算平台的可信设备功能签名的有效完整性度量。
-
公开(公告)号:US20090199177A1
公开(公告)日:2009-08-06
申请号:US11718194
申请日:2005-10-28
IPC分类号: G06F9/455
CPC分类号: H04L67/1097 , G06F9/5077
摘要: A system has a virtual overlay infrastructure mapped onto physical resources for processing, storage and network communications, the virtual infrastructure having virtual entities for processing, storage and network communications. The system has a mapping manager to dynamically alter the mapping for balancing, performance, and redundancy. There can be more independence from the underlying physical configuration, compared to known methods of virtualizing only some of the entities. The mapping manager can be distributed across a number of entities on different physical servers arranged to cooperate with each other.
摘要翻译: 系统具有映射到用于处理,存储和网络通信的物理资源的虚拟覆盖基础设施,虚拟基础设施具有用于处理,存储和网络通信的虚拟实体。 系统具有映射管理器,用于动态更改映射以实现平衡,性能和冗余。 与已知的仅虚拟化一些实体的方法相比,底层物理配置可以有更多的独立性。 映射管理器可以分布在布置为彼此协作的不同物理服务器上的多个实体上。
-
公开(公告)号:US20180165459A1
公开(公告)日:2018-06-14
申请号:US15573101
申请日:2015-08-14
CPC分类号: G06F21/60 , G06F12/023 , G06F21/64 , H04L63/1491
摘要: An apparatus comprises a memory to store data and a processor coupled to the memory. The processor may modify a plurality of data elements using a semantic relationship between the plurality of data elements and a pre-selected data security policy and to store data representing the modified plurality of data elements in the memory.
-
-
-
-
-
-
-
-
-