公开(公告)号：US10356128B1

公开(公告)日：2019-07-16

申请号：US15661618

申请日：2017-07-27

Applicant: VMware, Inc.

Inventor： Jason A. Lango ,  Grant Callaghan ,  Marcel Moolenaar ,  Vinay Wagh ,  Rohan Desai ,  Matthew Page ,  Gary Menezes ,  Antoine Pourchet ,  Ramya Olichandran

IPC: H04L29/06 ,  G06F21/57 ,  H04L9/32 ,  G06F9/455

Abstract: A tag-based policy architecture enforces information technology (IT) policy in a virtualized computing environment using cryptographically-verifiable metadata to authenticate compute resources coupled to a computer network and to authorize access to protected resources of the network. The compute resources are illustratively virtual machine instances (VMIs) provided by a virtual data center (VDC) of the environment, whereas the protected resources are illustratively virtualized storage, network and/or other compute resources of the VDC. Each VMI includes an intermediary manager, e.g., metavisor. The tag-based policy architecture includes an infrastructure having a centralized policy decision end point (e.g., a control plane of the VDC) and distributed policy enforcement endpoints (e.g., metavisors of the VMIs) to provide end-to-end passing of the cryptographically-verifiable metadata to (i) authorize instantiation of the VM is at the control plane, and (ii) enforce access to the virtualized resources at the metavisors.

公开(公告)号：US10999328B2

公开(公告)日：2021-05-04

申请号：US16430344

申请日：2019-06-03

Applicant: VMware, Inc.

Inventor： Jason A. Lango ,  Grant Callaghan ,  Marcel Moolenaar ,  Vinay Wagh ,  Rohan Desai ,  Matthew Page ,  Gary Menezes ,  Antoine Pourchet ,  Ramya Olichandran

IPC: H04L29/06 ,  G06F21/57 ,  H04L9/32 ,  H04L29/08 ,  G06F9/455

Abstract: A tag-based policy architecture enforces information technology (IT) policy in a virtualized computing environment using cryptographically-verifiable metadata to authenticate compute resources coupled to a computer network and to authorize access to protected resources of the network. The compute resources are illustratively virtual machine instances (VMIs) provided by a virtual data center (VDC) of the environment, whereas the protected resources are illustratively virtualized storage, network and/or other compute resources of the VDC. Each VMI includes an intermediary manager, e.g., metavisor. The tag-based policy architecture includes an infrastructure having a centralized policy decision end point (e.g., a control plane of the VDC) and distributed policy enforcement endpoints (e.g., metavisors of the VMIs) to provide end-to-end passing of the cryptographically-verifiable metadata to (i) authorize instantiation of the VMIs at the control plane, and (ii) enforce access to the virtualized resources at the metavisors.

公开(公告)号：US10509914B1

公开(公告)日：2019-12-17

申请号：US15796264

申请日：2017-10-27

Applicant: VMware, Inc.

Inventor： Rohan Desai ,  Jason A. Lango ,  Vinay Wagh ,  Nolan Karpinski ,  Antoine Pourchet

IPC: H04L29/06 ,  G06F21/62 ,  H04L9/08 ,  H04L9/32 ,  G06F16/188 ,  G06F21/60

Abstract: A technique implements data policy deployed in a tag-based policy architecture of a virtualized computing environment. Implementation of the data policy may include applying volume tags to data stored on virtualized storage resources, such as disks organized as volumes, based on instances that generate the data, contents of the data, and/or sensitivity of the data. The volume tags may be applied in a cryptographically strong manner to prevent tampering of the tagged data. To that end, the volume tags are cryptographically associated with the data, wherein such association is effected by binding the tags to a data encryption key stored on the volumes (disks) and used to encrypt/decrypt the data stored on the volumes.