US20160112453A1 - System and method for a cloud computing abstraction layer with security zone facilities - Google Patents

System and method for a cloud computing abstraction layer with security zone facilities Download PDF

Info

Publication number
US20160112453A1
US20160112453A1 US14/720,681 US201514720681A US2016112453A1 US 20160112453 A1 US20160112453 A1 US 20160112453A1 US 201514720681 A US201514720681 A US 201514720681A US 2016112453 A1 US2016112453 A1 US 2016112453A1
Authority
US
United States
Prior art keywords
cloud
computing
computer
policy
workload
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/720,681
Inventor
Frank R. Martinez
Eric Pulier
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CSC Agility Platform Inc
Original Assignee
CSC Agility Platform Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US12/488,424 external-priority patent/US8514868B2/en
Priority claimed from US13/009,774 external-priority patent/US8931038B2/en
Application filed by CSC Agility Platform Inc filed Critical CSC Agility Platform Inc
Priority to US14/720,681 priority Critical patent/US20160112453A1/en
Publication of US20160112453A1 publication Critical patent/US20160112453A1/en
Assigned to CSC AGILITY PLATFORM, INC. reassignment CSC AGILITY PLATFORM, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: SERVICEMESH, INC.
Assigned to SERVICEMESH, INC. reassignment SERVICEMESH, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MARTINEZ, FRANK R., PULIER, ERIC
Priority to US15/621,443 priority patent/US20180131724A1/en
Priority to US16/058,688 priority patent/US20190245888A1/en
Priority to US16/907,005 priority patent/US20210014275A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5061Partitioning or combining of resources
    • G06F9/5072Grid computing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4633Interconnection of networks using encapsulation techniques, e.g. tunneling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/64Hybrid switching systems
    • H04L12/6418Hybrid transport
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/66Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/34Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters 
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/51Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Definitions

  • the present invention relates to the field of cloud computing, and more particularly, the invention relates to systems and methods for securing, controlling and managing cloud services, applications, platforms and infrastructure.
  • systems and methods are provided for one or more cloud computing abstraction layers.
  • a user can plan cloud-computing services, build a cloud-computing service, publish the cloud-computing service for consumption by users, or run the cloud-computing service.
  • Some embodiments of the present invention provide access to disparate public or private cloud-computing resources through a common interface. Additionally, some embodiments can apply governance uniformly over disparate public or private cloud-computing resources.
  • Some systems may, for example, enable: self-service access to cloud-computing resources by end-users, developers, and admins; automated services with respect to cloud-computing services comprising of one or more cloud-computing resources (e.g., management, building, configuration, publication, validation, and development and deployment of cloud-computing services); rapid provisioning (e.g., deployment, release, scheduling, control etc.) of cloud-computing resources within a cloud-computing service; governance control of cloud-computing resources within a cloud-computing service (e.g., application of security and non-security policies to cloud-computing resources), audit control of cloud-computing services; or secure access to cloud-computing services.
  • cloud-computing resources e.g., management, building, configuration, publication, validation, and development and deployment of cloud-computing services
  • rapid provisioning e.g., deployment, release, scheduling, control etc.
  • embodiments of the present invention provide on-demand access by internal users, external users (e.g. customers, service partners), and developers to cloud-computing services, such as infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS), provided from a governed federation of internal (private cloud) and external cloud (commercial cloud) service providers.
  • cloud-computing services such as infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS)
  • IaaS infrastructure-as-a-service
  • PaaS platform-as-a-service
  • SaaS software-as-a-service
  • a private cloud may comprise, for example, Eucalyptus Systems, VMWare vSphere®, or Microsoft® HyperV; and a public cloud may comprise, for example, Amazon EC2®, Amazon Web Services®, Terremark®, Savvis®, or GoGrid®.
  • the system provides a cloud-computing service from a cloud-computing environment comprising a plurality of cloud-computing resources, the system comprising: a management module configured to manage a cloud-computing resource of the plurality of cloud-computing resources as a cloud-computing service, wherein the cloud-computing service performs a computer workload and the cloud-computing service comprises the cloud-computing resource; an adapter configured to connect to the cloud-computing resource to the system and translate a management instruction received from the management module (e.g., intermediate representation of a command from a client) into a cloud application program interface call for the cloud-computing resource (e.g.
  • the system provides a user interface configured to provide access to the system as a virtual private cloud.
  • the system may further comprise a cloud model utilized by the adapter to translate the management instruction to the (target) cloud API call.
  • the virtual private cloud is utilized for operation of a cloud-computing service in accordance with the present invention.
  • a computer workload e.g., application, server software, software development environment, software test environment
  • IaaS IaaS
  • PaaS PaaS
  • SaaS SaaS
  • IaaS may comprise instances of Microsoft® Windows or Linux running on a virtual computer, or a Desktop-as-a-service (DaaS) provided by Citrix® or VMWare®;
  • a PaaS may comprise a database server (e.g., MySQL® server), Samba server, Apache® server, Microsoft® IIS.NET server, Java® runtime, or Microsoft® .NET® runtime, Linux-Apache-MySQL-PHP (LAMP) server, Microsoft® Azure, or Google® AppsEngine;
  • a SaaS may comprise SalesForce®, Google® Apps, or other software application that can be deployed as a cloud service, such as in a web services model.
  • a cloud-computing resource may be a physical or virtual computing resource (e.g., virtual machine).
  • the cloud-computing resource is a storage resource (e.g., Storage Area Network (SAN), Network File System (NFS), or Amazon S3®), a network resource (e.g., firewall, load-balancer, or proxy server), an internal private resource, an external private resource, a secure public resource, an infrastructure-as-a-service (IaaS) resource, a platform-as-a-service (PaaS) resource, or a software-as-a-service (SaaS) resource.
  • SAN Storage Area Network
  • NFS Network File System
  • Amazon S3® Amazon S3®
  • a network resource e.g., firewall, load-balancer, or proxy server
  • IaaS infrastructure-as-a-service
  • PaaS platform-as-a-service
  • SaaS software-as-a-service
  • a cloud-computing service provided may comprise a IaaS, PaaS, or SaaS provided by private or commercial (e.g., public) cloud service provider, such as Amazon Web Services®, Amazon EC2®, GoGrid®, Joyent®, Mosso®, or the like.
  • private or commercial cloud service provider such as Amazon Web Services®, Amazon EC2®, GoGrid®, Joyent®, Mosso®, or the like.
  • the management module that manages the cloud-computing service comprises provisioning the cloud-computing service for a virtual private cloud, releasing the cloud-computing service for the virtual private cloud, accounting for usage of the cloud-computing service in the virtual private cloud, or monitoring the cloud-computing service.
  • the management module manages cloud-computing resources for a cloud-computing service being offered by the system by provisioning a cloud-computing resource for the cloud-computing service, deploying a cloud-computing resource for the cloud-computing service, or releasing a cloud-computing resource being used by the cloud-computing service.
  • the provisioning involves starting, stopping, or generally controlling an instance of a cloud-computing resource (e.g., IaaS providing an instance of Linux) on behalf of a cloud-computing service.
  • a cloud-computing resource e.g., IaaS providing an instance of Linux
  • an embodiment may launch scripts to start an instance of a cloud-computing resource, launch scripts to securely (e.g., via encryption) attach a file system (e.g., a storage volume) to the instantiation of the cloud-computing resource (e.g., so that the cloud-computing resource can access local or remote client data securely), and then connect a client to the instantiation through a virtual private network (VPN) connection between the client's local network and the cloud providers network.
  • VPN virtual private network
  • the management module is further configured to perform collection and maintenance of cost and consumption of various cloud-computing resources such as CPU-time, storage volume consumption, network I/O and other configurable cloud-computing cost and consumption factors.
  • cloud-computing resources such as CPU-time, storage volume consumption, network I/O and other configurable cloud-computing cost and consumption factors.
  • the management module accounts for usage of one more cloud-computing services by a client collecting, aggregating and providing this information through a API to customer billing systems while also presenting reporting through the consumption module demonstrating cost and consumption comparisons, projections and usage.
  • Some embodiments may utilize Ariba®, SAP®, or the like to facilitate accounting and billing of usage of cloud-computing service.
  • the build module allows a developer to create a cloud-computing service (e.g., IaaS, PaaS, and SaaS) comprising one or more cloud-computing resources.
  • the build module may utilize build scripts to build a cloud-computing service from one or more cloud-computing resources, configure a cloud-computing service, or publish a cloud-computing service for consumption.
  • a cloud-computing service may be published to a consumption module that allows an end-user to subscribe to the cloud-computing service and utilize the service.
  • the end-user may access and subscribe to the cloud-computing service through a user interface that lists published and available cloud-computing services.
  • the user interface may be a storefront through which an end-user may preview and select a cloud-computing service for use.
  • an organization can determine the most suitable deployment of a computer workload to a cloud-computing environment, or determine the value/benefit of deploying a computer workload to a cloud-computing environment.
  • the planning module analyzes a computer workload or workflow that may have previously been on a physical or virtual computing resource and assists in migrating or importing the computer workload or workflow to the clouding-computing environment.
  • the planning module assesses difficulty in migrating or importing the computer workload or workflow, and the efficiency or value of using the cloud-computing environment.
  • the planning module determines the correct placement of a computer workload or workflow to an appropriate cloud-computing service based on the profile or characteristics of the computer workload (e.g., determine that the computer workload or workflow needs to be performed within secure cloud/public cloud/private cloud). For example, for a trading platform, which needs a low latency-computing environment that is secure, an embodiment may recommend placement of trading platform in a cloud-computing service comprising a be used for long-term storage of non-sensitive data, an embodiment may recommend configuration of the platform to use cloud-computing services comprising a public cloud resource, or a combination of cloud and physical resources, such as archival tape storage resources. Further, the placement decision is guided by policy that ensures the cloud-computing resource is placed in the appropriate cloud-computing service.
  • the system further comprises a policy engine module configured to enforce a policy on the cloud-computing service through the management module.
  • the management module monitors a cloud-computing resource of the cloud-computing service through the adapter and provisions the cloud-computing resource according to the policy engine module. Additionally, for some embodiments, the management module monitors a cloud-computing resource's performance using Ganglia Monitoring System or collectd (an open source daemon that collects system performance statistics periodically).
  • the system further comprises an identity management module configured to connect to an authentication system and authenticate the user for the cloud-computing service.
  • the identity management connects to disparate authentication systems (e.g., Netegrity®, Oracle OAM®, Microsoft® Active Directory, RSA® Cleartrust, or Lightweight Directory Access Protocol (LDAP), Kerberos) to create a federated authentication system that allows unified authentication to a cloud-computing service.
  • disparate authentication systems e.g., Netegrity®, Oracle OAM®, Microsoft® Active Directory, RSA® Cleartrust, or Lightweight Directory Access Protocol (LDAP), Kerberos
  • the system further comprises an encryption module configured to perform encryption services for the cloud-computing service.
  • the encryption services can include encryption of data on a storage device or data communicated over a network connection.
  • the system further comprises a connection module configure to securely connect the cloud-computing service to a client network or a cloud provider network.
  • a connection module may be deployed on a client network or a cloud provider network to facilitate a secure network connection between cloud-computing service and a client network.
  • a method for a cloud-computing environment comprising a plurality of cloud-computing resources, the method comprising: providing a virtual private cloud configured to utilize a cloud-computing resource from the plurality of cloud-computing resources to perform a computer workload; receiving a request to perform the computer workload within the virtual private cloud, provisioning the cloud-computing resource from the plurality of cloud-computing resources; deploying the cloud-computing resource within the virtual private cloud; and using the cloud-computing resource to perform the computer workload.
  • the cloud-computing resource may be a virtual (e.g., virtual machine) or physical cloud-computing resource (e.g., dedicated server).
  • the cloud-computing resource may be a virtual computing resource where the virtual computing resource is deployed under control of a virtual machine manager.
  • the cloud-computing resource may be a storage resource, a network resource, an internal private resource, an external private resource, a secure public resource, a platform-as-a-service (PaaS), a software-as-a-service (SaaS), or an infrastructure-as-a-service (IaaS).
  • the cloud-computing resource may be a hybrid cloud-computing resource comprising at least two of a physical resource, a virtualized resource, a private resource, a public resource, an internal resource, or an external resource.
  • the method further comprises receiving a constraint for the cloud-computing resource or for a computer workload that may be deployed on the cloud-computing resource, wherein the cloud-computing resource is a cloud-computing resource; and applying the constraint on the cloud-computing resource such that, when the cloud-computing resource is used to perform the computer workload, the cloud-computing resource's operation is limited according to the constraint.
  • the method further comprises declaring a static network address for the computer workload.
  • the method further comprises: defining a security zone such that the security zone comprises the virtual private cloud; and applying a security policy to the security zone such that, when the cloud-computing resource deployed in the virtual private cloud that is used to perform the computer workload, the cloud-computing resource's operation or the performance or operation of the computer workload is subject to, the security policy.
  • the security zone may be defined according to a physical location of the virtual private cloud's usage, a network location of the virtual private cloud's usage, or an attribute of an organization associated with the virtual private cloud.
  • the security policy may be an access policy, a read-permission policy, a write-permission policy, an edit-permission policy, a privacy-based policy, a policy regarding a required level or type of encryption, a cloud-computing resource utilization policy, or other policy.
  • the security policy can be configured to only allow software packages that comply with the security zone's policies to be deployed with the security zone.
  • a security zone may be defined as a specified virtual private network (VPN) or a specified physical network of a business enterprise, such that computer workloads being performed by a cloud-computing resource operating in that zone may be modified only by users who have specified authorization credentials issued by that enterprise.
  • VPN virtual private network
  • a security zone may be defined as cloud-computing resources (public or private) that are physically located in a geographical area, such as the United States, allowing a security policy to be applied that prohibits export of data that is to be associated with computer workloads executed in that security zone.
  • the policies are defined and implemented on the firewalls through a central policy server.
  • the method further comprises: receiving at a central policy server a definition for a security policy, wherein the central policy server is configured to associate the security policy to the computer workload or to the cloud-computing computing resource performing the computer workload; and pushing the security policy to the cloud-computing resource.
  • provisioning the cloud-computing resource comprises: locating an unreserved cloud-computing resource within the plurality of cloud-computing resources; and reserving for the virtual private cloud the unreserved cloud-computing resource.
  • the method further comprises: providing a user interface that allows a user to deploy or configure the infrastructure element; setting, through the user interface, a policy to the infrastructure element or to a computer workload that may be deployed on the infrastructure element; and applying the policy to the infrastructure element when the infrastructure element or computer workload is deployed within the virtual private cloud.
  • the method further comprises: determining a reference design for the infrastructure element; and deploying the infrastructure element in the virtual private cloud according to the reference design.
  • the method further comprises: associating a policy with the computer workload to be performed within the virtual private cloud; and applying the policy to the cloud-computing resource performing the computer workload during the computer workload's performance.
  • receiving the request to perform the computer workload or the application of the policy to the computer workload comprises: receiving an application to be migrated to cloud-computing environment for execution; and identifying the computer workload as necessary for executing the application.
  • the method further comprises: using an adapter to connect the virtual private cloud to one or more other cloud-computing resources, such as of the types described herein; using a metamodel data structure to store an association between a computer workload and a policy; and pushing the metamodel data structure to the adapter such that, when the cloud-computing resource is deployed to perform the computer workload, the adapter applies the policy to the computer workload or to the cloud-computing resource performing the computer workload.
  • the method may further comprise pushing the metamodel data structure to a second adapter that connects the second cloud-computing resource to the virtual private cloud such that when the second cloud-computing resource is deployed, such as within the virtual private cloud to perform the computer workload, the second adapter applies the policy to the second cloud-computing resource performing the cloud computer workload.
  • the method comprises identifying the cloud-computing resource for performing the computer workload. Identifying the cloud-computing resource may be based on a computer workload score determined by a scoring logic.
  • the scoring logic may be, for example, based on a business attribute of the computer workload, a technical attribute of the computer workload, or an operational attribute of the computer workload. In further embodiments, the scoring logic uses a mix of at least two of a business attribute, an operational attribute and a technical attribute. In various embodiments, the scoring logic may be editable or may be dynamically updated at or near real-time.
  • the computer workload may be scalable.
  • the computer workload may be scaled down to decrease the computer workload's use of memory and processing time during performance within a virtual private cloud or actually increase or decrease the number of cloud-computing resources which execute the computer workload.
  • the scaling is based on a policy, which may be associated with the computer workload, stored in a metamodel, and pushed via an adaptor to or among various cloud computing resources.
  • deploying the cloud-computing resource comprises deploying a pre-determined set of cloud-computing resources to optimize the computer workloads' performance.
  • the method further comprises setting a condition for the computer workload, wherein the condition determines if or when the cloud-computing resource can be deployed within the virtual private cloud to perform the computer workload.
  • a method for a cloud-computing environment comprising a plurality of cloud-computing resources, the method comprising: receiving a computing workflow to be performed in the cloud-computing environment; identifying a computer workload to perform the computing workflow; associating a policy with the computer workload; testing the computer workload in a pre-production virtual private cloud (e.g., computing environment) within the cloud-computing environment; deploying the computer workload in a production virtual private cloud (e.g., computing environment) within the clouding-computing environment; and applying the policy to the computer workload during the computer workload's performance within the production virtual private cloud for consumption.
  • identifying the computer workload to perform the computing workflow involves identifying a plurality of computer workloads to perform the computing workflow.
  • the present invention may provide a method and system for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload.
  • the system and method may allow a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone.
  • the security zone may be a geographic zone, a network zone, an enterprise zone, an operational zone, an organizational zone, and the like.
  • the security policy may be an access policy, a write-permission policy, a resource utilization policy, an editing permission policy, and the like.
  • the security policy may determine whether a software workload is allowed to operate in a specified security zone.
  • the method and system may automatically establish firewall rules across multiple firewalls in multiple security zones for newly deployed applications by tagging application software workloads that are deployed within the security zones.
  • the firewalls may be of types provided by different vendors and employ at least one of different operating system, communication protocols, and programming languages.
  • the method and system may automatically remove firewall rules across multiple firewalls in multiple security zones when the firewall rules do not apply to software workloads within the security zones.
  • the firewalls may be of types provided by different vendors and employ at least one of different operating system, communication protocols, and programming languages.
  • the method and system may provide an alert when a software workload is planned to be deployed in a security zone in a manner that is inconsistent with at least one of a security zone policy applicable to the security zone and a security policy associated with the workload.
  • various operations described above are implemented using a computer.
  • some embodiments provide for a computer program product comprising a computer useable medium having program instructions embodied therein for performing operations similar to those performed by methods according to the present invention.
  • FIG. 1 is a diagram illustrating an example system in accordance with an embodiment of the present invention.
  • FIG. 2A is a diagram illustrating an example management module in accordance with an embodiment of the present invention.
  • FIG. 2B is a diagram illustrating an example management module in accordance with an embodiment of the present invention.
  • FIG. 3 is a diagram illustrating an example of provisioning in accordance with an embodiment of the present invention.
  • FIG. 4 is a diagram illustrating an example use of a connection module in accordance with an embodiment of the present invention.
  • FIG. 5 is a diagram illustrating an example use of an identity module in accordance with an embodiment of the present invention.
  • FIG. 6 is a diagram illustrating an example use of a monitor module in accordance with an embodiment of the present invention.
  • FIG. 7 is a diagram illustrating an example governor module in accordance with an embodiment of the present invention.
  • FIG. 8 is a flowchart illustrating an example method in accordance with an embodiment of the present invention.
  • FIGS. 9A-9D are screenshots of an example user interface in accordance with some embodiments of the present invention.
  • FIG. 10 is a diagram illustrating an example system in accordance with an embodiment of the present invention.
  • FIG. 11 is a diagram illustrating an example of an enterprise cloud ecosystem in an embodiment of the present invention.
  • FIG. 12 is a diagram illustrating an example of a policy-driven governance and control scenario in an embodiment of the present invention.
  • FIG. 13 is a diagram illustrating an embodiment for a self-service enterprise application store.
  • FIG. 14 is a diagram illustrating an example of a computing module for implementing various embodiments of the invention.
  • the present invention is directed toward a system and method for a cloud computing abstraction layer.
  • a user can plan cloud-computing services, build a cloud-computing service, publish the cloud-computing service for consumption by users, or run the cloud-computing service.
  • Some embodiments of the present invention provide access to disparate public or private cloud-computing resources through a standard interface. Additionally, some embodiments can apply governance uniformly over disparate public or private cloud computing resources.
  • Some systems may, for example, enable: self-service access to cloud-computing resources by end-users, developers, and admins; automated services with respect to cloud-computing services comprising of one or more cloud-computing resources (e.g., management, building, configuration, publication, validation, and building of cloud-computing services); rapid provisioning (e.g., deployment, release, scheduling, control etc.) of cloud-computing resources within a cloud-computing service; governance control of cloud-computing resources within a cloud-computing service (e.g., application of security and non-security policies to cloud-computing resources), audit control of cloud-computing services; or secure access to cloud-computing services.
  • cloud-computing resources e.g., management, building, configuration, publication, validation, and building of cloud-computing services
  • rapid provisioning e.g., deployment, release, scheduling, control etc.
  • governance control of cloud-computing resources within a cloud-computing service e.
  • Advantages to the present invention's model include enabling a federated constituency of internal and external service providers that can be selected (and switched as needed) to provide best fit and value, such as between different internal and external cloud providers.
  • development projects which may be subjected to waiting times or interruptions, but which contain highly confidential information, may be deployed on a cloud that has low cost, but that has very specific security requirements
  • commercial services some of which are non-confidential in nature, might preferably be deployed on very fast, highly scalable cloud infrastructure to ensure high quality of service, but security requirements might be different than for a development project.
  • a range of factors may be relevant to deployment of a particular project or service (or to a particular workload element related to it), including technical factors (the processing, storage, bandwidth, and other capabilities required to execute a workload), operational factors (such as when and where a workload needs to be available to meet the operational requirements of a business), and business factors (such as anticipated revenues, costs, quality of service requirements, and the like).
  • technical factors the processing, storage, bandwidth, and other capabilities required to execute a workload
  • operational factors such as when and where a workload needs to be available to meet the operational requirements of a business
  • business factors such as anticipated revenues, costs, quality of service requirements, and the like.
  • Benefits to the federated structure may include greater agility, vendor contestability, and innovation by transitioning an enterprise from a fixed to a variable cost infrastructure (thus avoiding enormous waste currently associated with fixed cost resources acquired by enterprises to meet peak needs but unused in off-peak periods), increased transparency (including the capability to compare the cost, functional benefits, and value of each sub-element of a service, platform, application, or infrastructure component), more direct revenue-to-cost operating models, right-place right size workload placement, minimal vendor lock-in and dependencies, improved standardization, lower risk operating environments, metered cost savings through ‘pay-as-you-go’ economics and demand-driven consumption, faster time-to-market through on-demand provisioning, a compressed systems development life cycle (SDLC), lower costs by arbitrating market price between providers, elastic-dynamic capacity to meet peak demand, and the like.
  • SDLC compressed systems development life cycle
  • the present disclosure also may provide security, governance, and policy enforcement to harness the power and agility of the operating model, a strategy and transition plan to move from a traditional operating model to an everything-as-a-service model, and the like.
  • FIG. 1 is a diagram illustrating an example system 10 in accordance with an embodiment of the present invention.
  • FIG. 1 illustrates a cloud-computing environment 35 comprising one or more cloud-computing resources, a client network 31 comprising client computing devices 14 (e.g., desktops, laptops, smart mobile devices), and a cloud-computing platform 20 in accordance with one embodiment of the invention.
  • cloud-computing platform 20 provides a system through which computing devices residing on client network 31 (e.g., enterprise network) can access one or more cloud-computing services.
  • a cloud-computing service comprises a cloud-computing resource residing within the cloud-computing environment 35 and managed by the cloud-computing platform to provide the cloud-computing service.
  • cloud-computing environment 35 may comprise one or more cloud providing networks that include cloud-computing resources (e.g., cloud services provided by public or private clouds, which may be external or internal to the enterprise that uses them) that can be utilized by users.
  • cloud-computing resources e.g., cloud services provided by public or private clouds, which may be external or internal to the enterprise that uses them
  • platform 20 may reside on a client network 31 or separate from a client network 31 .
  • Cloud-computing environment 35 may comprise an internal cloud, an external cloud, a private cloud, or a public cloud (e.g., commercial cloud).
  • cloud-computing environment 35 comprises internal private cloud resource 38 , external private cloud resource 41 , and secure public cloud resource 44 .
  • a private cloud may be implemented using a variety of cloud systems including, for example, Eucalyptus Systems, VMWare vSphere®, or Microsoft® HyperV.
  • Cloud-computing resources provided by these clouds may include, for example, storage resources (e.g., Storage Area Network (SAN), Network File System (NFS), and Amazon S3®), network resources (e.g., firewall, load-balancer, and proxy server), internal private resources, external private resources, secure public resources, infrastructure-as-a-services (IaaSs), platform-as-a-services (PaaSs), or software-as-a-services (SaaSs).
  • storage resources e.g., Storage Area Network (SAN), Network File System (NFS), and Amazon S3®
  • network resources e.g., firewall, load-balancer, and proxy server
  • IaaSs infrastructure-as-a-services
  • PaaSs platform-as-a-services
  • SaaSs software-as-a-services
  • cloud-computing platform 20 By using cloud-computing platform 20 to plan, build, manage, or use cloud-computing resources within a cloud-computing environment, users of platform 20 are provided with standardized access to a variety of cloud-computing resources from disparate cloud-computing systems and providers without concerning themselves with the proprietary details of accessing or interfacing with such cloud-computing systems and providers.
  • the platform 20 is configured to take the workloads that are developed with the platform 20 (as more particularly described throughout this disclosure) and automatically provide the interfaces and access steps necessary to operate the workload on any particular platform or infrastructure element within a federation of cloud computing resources, such that the user is able to interact with the platform to develop such workloads at a level of abstraction that allows the user to configure the logic of the workload (including conditional logic that allows interrelation of different workloads) and to embody the technical, operational, and business requirements of the workload in policies that are associated with the workload, without the user being required to access or understand the details of (or in some cases even know about the existence of) such particular platform or infrastructure elements.
  • users of platform 20 can access cloud-computing services through platform 20 on-demand and on a self-service basis through the standardized access.
  • Users of cloud computing services offered by platform 20 may include end-users, developers, partners, or administrators that reside on the client network 31 .
  • Platform 20 may comprise planner module 23 , manager module 26 , builder module 29 , and consumption module 32 .
  • Planner module 23 is configured to plan cloud-computing service provided by platform 20 by inventorying, profiling, characterizing and prioritizing computer workloads, such as programs, applets, calculations, applications, servers, or services.
  • planner module 23 may model current applications and associated software-development life cycle (SDLC) phases to determine what infrastructure environments would be required or preferred. This may include defining security, privacy, management or other profiles for each SDLC phase of each application. The profiles, in turn, will identify existing infrastructure and systems that support the SDLC phases, and manage relationships between the infrastructure, systems and the applications.
  • SDLC software-development life cycle
  • Profiles may also contain characteristics regarding the SDLC phases or attributes relevant to development, deployment or performance of infrastructure, systems, or workloads, such as latency, geography, responsiveness, bandwidth, storage capacity, processing speed, processing type, platforms involved (including operating system, file types, communication protocols, and the like), data involved, protocols used, and specific institutional requirements.
  • planner 23 may first identify which SDLC computing environments and systems would be suitable for cloud computing or migration to cloud computing, and then prioritize the enablement and operability of newly developed or migrated computer workloads according to the SDLC phases.
  • the characterizations determined by planner module 23 can be used by builder module 29 to build a cloud-computing service or to deploy a computer workload to a cloud-computing resource.
  • the user may have access to, or may create or modify, policy information relevant to the computer workloads with which the user can interact in the planner module 23 .
  • the policy information may be stored in or associated with a meta model, which may enable the identification, characterization, and storage of a wide range of information, including policy information, that can be associated with a given workload.
  • the metamodel data can be associated with the workload such that throughout the various components of the platform 20 , from planning through deployment to a cloud, the workflow can be handled in a manner that is consistent with the metamodel data, and in particular consistent with the policies that are applicable to that workload.
  • the planner/user may thus plan the use of workloads in a manner that is consistent with technical, operational, and business requirements that are appropriate with such workload, as seen by association of the same with the workload, and the planner/user may modify or populate the policies associated with the workload, such that the metamodel data for that workload embodies and is consistent with the plans of the planner/user.
  • policies and other metamodel data are stored by the platform 20 and may be used throughout the development and deployment cycle.
  • Builder module 29 may be configured to assemble, validate, and publish a cloud-computing service or computer workload for consumption (i.e., use) by a user.
  • Builder module 29 may be configured to receive characterization information from planner module 23 and build a cloud-computing service or computer workload based on the information.
  • builder module 29 may be configured to assemble a cloud computing service based on the prioritized list of computer workloads provided by planner module 23 .
  • Builder module 29 may be configured to create and edit scripts for loading computer workloads during installation, startup, runtime, and shutdown of cloud-computing services assembled by builder 29 . The scripts for the cloud-computing services may be verified and validated before the cloud-computing services are published for consumption (i.e., use).
  • the script may have access to metamodel and policy information which may alter how the script uses the metamodel and policy information to make a decision.
  • builder module 29 may be configured to associate the computer workload with the appropriate cloud-computing service or resource (e.g., associate an application with an appropriate underlying virtual machine image or associate a computer workload with a specific network).
  • the user/builder may have access to, or may create or modify, policy information relevant to the computer workloads with which the user can interact in the builder module 29 , such as the policy information stored in or associated with the above-referenced meta model, which may enable the identification, characterization, and storage of a wide range of information, including policy information, that can be associated with a given workload.
  • the builder/user may thus build of workloads in a manner that is consistent with technical, operational, and business requirements that are appropriate with such workload, as seen by association of the same with the workload, and the builder/user may modify or populate the policies associated with the workload, such that the metamodel data for that workload embodies and is consistent with the plans of the planner/user.
  • the builder module 29 may present options to the builder pre-filtered, such as in pre-populated scripts, filtered drop-down menus, that are dictated by or consistent with the policies and other metamodel data associated with a workload, omitting, blocking or hiding options that are inconsistent with such policies.
  • a workload that stores customer data could omit the option to store a social security number if a data privacy regulation prohibits storing such data in the business process to which the workload relates.
  • Such automatic pre-filtering, pre-configuration, and blocking ensure consistency with the policies associated with the workload at the planning stage (or other stages) while also improving efficiency by removing development paths that might be pursued despite being prohibited.
  • the metamodel provides a flexible structure to organize metadata and apply the same policies using a combination of system and user supplied metadata that may indicate use of the same policy, however may define the same policy in different ways.
  • the system may consider a Tier 5 datacenter to be the most fault tolerant type of data center and a user may consider a Tier 1 data center to be the most tolerant.
  • the metamodel allows a policy that requires provisioning in the most fault tolerant data center to be assigned Tier 5 or Tier 1 metadata, depending on the definition of the most fault tolerant data center in that specific operating environment.
  • builder module 29 can publish a cloud-computing service for consumption by users.
  • the build module 29 will publish the cloud-computing service to a consumption module 32 (e.g., store or storefront such as an application store, a service store, or a software stack store) where users can preview, select, and subscribe to a cloud-computing service for use.
  • the builder module 29 will enter the cloud-computing service in repository 30 when it is ready and available for consumption by users.
  • Embodiments may also be configured the builder module 30 such that the development community can approve or disapprove of the cloud-computing service before publication.
  • Consumption module 32 is configured to allow a user to subscribe to, collaborate on, and assess a cloud-computing service published for consumption. For example, a user can preview cloud-computing services available for deployment to the virtual private cloud and consumption. Then, when a user wants to subscribe and invoke a cloud-computing service for usage, the user can invoke the cloud-computing service on a self-service, on-demand basis through the consumption module 32 .
  • Consumption module 32 may list published available cloud-computing service at or near real-time, and allow a user to request updates and information on a listed cloud-computing service.
  • the consumption module 32 may allow users to collaborate on where, what, and how many cloud-computing services are deployed for consumption.
  • consumption module 32 may allow a user to comment on and rate cloud-computing services, or assess the cost associated with deploying and using a cloud-computing service.
  • the consumption module 32 has access to policy information and other metamodel data that is associated with each workload, such that the workload may be consumed only in a manner that is consistent with such policy information.
  • policy information and other metamodel data that is associated with each workload, such that the workload may be consumed only in a manner that is consistent with such policy information.
  • consumption policies related to permitted time, permitted sets of users, security, pricing, resource consumption rules, and a wide variety of other policies may be maintained by the consumption module based on the policies associated with the workload in the platform 20 .
  • Manager module 26 is configured to provision one or more cloud-computing resources for a cloud-computing service or computer workload, manage one or more cloud-computing resources for the cloud-computing service or computer workload, and monitor one or more cloud-computing resources for the cloud-computing service or computer workload. For example, manager module 26 may provision one or more cloud-computing resources (e.g., provision one or more virtual machine instances) for a published cloud-computing service that is invoked from the consumption module 32 . Upon invoking the cloud-computing service, the manager module 26 may deploy and start the one or more cloud-computing resources to the virtual private cloud for the cloud-computing service.
  • cloud-computing resources e.g., provision one or more virtual machine instances
  • manager module 26 may control the start, stop, or run-time of one or more cloud-computing resources (e.g., control start, stop, or run-time of virtual machine instance) for a cloud-computing service. Manager module 26 may further schedule the start and stop time windows for the one or more cloud-computing resources, or govern a service level, such as per a service level agreement (SLA), or a threshold associated with the one or more cloud-computing resources. Through its control, manager module 26 can govern the cloud-computing resource according to conditions, constraints, security policies, or non-security policies.
  • SLA service level agreement
  • Manager module 26 may also monitor the one or more cloud-computing resources, detect security intrusions, and monitor the consumption of cloud-computing services their associated cloud-computing resources in order to determine the costs accrued by a user. Aspects of cloud-computing resources monitored by manager module 26 include, for example, central processing unit (CPU) usage, memory usage, data storage usage, data input/output usage, application usage, workload usage, service usage, and other attributes of usage of a service or a computer workload.
  • CPU central processing unit
  • manager module 26 is configured such that a user can request a planner using the planner module 23 to change the design of a cloud-computing service. For example, a user may request that the cloud-computing service change or computer workload with respect to the cloud-computing resources utilized (e.g., change to a platform stack). As in the other components of the platform 20 , in the manager module 26 the user may have access to, or may create or modify, policy information or metamodel data relevant to the computer workloads with which the user can interact in the manager module 26 . The manager/user of the manager module 26 may thus manage the provisioning of infrastructure and platform elements such that usage will be consistent with the policies of the enterprise, including operational and business policies, as well as technical requirements.
  • provisioning to expensive infrastructure elements may be confined to workloads that satisfy business rules that distinguish between mission critical elements and other elements.
  • the manager/user of the manager module 26 may be provided with access to the policies consistent with the metamodel framework, and in embodiments may be provided with pre-filtered options, such as in menu choices, decision trees, or the like, that are consistent with such policies.
  • a workload designated as non-critical in its metamodel data could automatically appear in the manager module with deployment options confined to relatively low cost clouds, while a mission-critical workload might appear with all different cloud options (or ones that are filtered to satisfy certain requirements as to low latency, bandwidth, storage capacity, guaranteed quality of service, or the like).
  • the manager module 26 may thus enforce policy while streamlining workflow, improving both effectiveness and efficiency.
  • FIG. 2A is a diagram illustrating example management module 26 in further detail.
  • management module 26 comprises governor module 103 configured to govern operation of a cloud-computing services and its associated cloud-computing resources, provisioning module 106 configured to provision cloud-computing resources for a cloud-computing service, and monitoring module 112 configured to facilitate the various monitoring functions of management module 26 .
  • the present invention may provide for a policy-driven infrastructure as a service (IaaS) event bus, which is comprised of a policy engine, metamodel, reporting system, and workflow engine; and allows for the creation of business policies, such that said business policies can be reflected into a dynamic information technology environment and expressed across internal and external information technology infrastructure, regardless of operating system, programming language, middleware solution, application platform, or cloud provider, by making use of abstraction layers.
  • the workflow engine provides an integration point between the IaaS event bus and workflow management, as described elsewhere in this specification.
  • the abstraction layers allow for integration with application programming interfaces made available by different vendors, business models, technical models, eventing and altering channels and monitoring systems in a vendor agnostic manner.
  • the abstraction layer could be a cloud-computing provider.
  • a cloud computing provider may be VMWare, Baremetal, Amazon Ec2, Savis, TerraMark, Microsoft HyperV, and the like.
  • the policy engine allows policies to be created through an easy to use visual interface that allows users that do not necessarily have information technology skills or other programming skills to author and assign policies to workloads.
  • the policies can be expressed via languages such as XML, and the like.
  • a policy could be an event policy.
  • An event policy supports matching one or more events that are temporally related and generate a notification action when matches occur.
  • An event can be defined as either a threshold condition or matching constraints specified as rules.
  • a rule is comprised of one or more match constraints and each match constraint must be satisfied, by a logical “and” operation, within a specified sliding time window in order for the notification actions to be invoked.
  • a match specifies the set of conditions that must be satisfied to match an event.
  • Each condition specifies a property of an event or object contained by the event, which is matched against a set of one or more values using the supplied comparison operation If multiple values are supplied for a condition then the result is a logical “or” operation of the property being compared and against each value individually.
  • Any of the event properties or properties of objects contained within the event structure may be used to refine the match criteria.
  • an auto-scaling policy may be be created to add more web and database servers according to a ration if a business application becomes heavily loaded, in order to reduce the load on that application.
  • an auto-scaling policy with business awareness may be created that deploys additional business topologies according to an algorithm if revenue per hour exceeds a threshold.
  • the metamodel allows the system to abstract business user definition from technical definition and allows an enterprise to track information about information technology resources that were unknown when the system was created.
  • the metamodel allows business users to define data classes consistent with their enterprise nomenclature, while still being able to map them consistently to the internal system.
  • a Tier 4 data center is common technical classification of a data center that generally has the highest uptime, however some enterprises refer to Tier 4 data centers as Tier 1 and the metamodel would allow Tier 1 and Tier 4 to be used interchangeably, depending on the definition used by a specific enterprise. This provides a benefit to the enterprise by eliminating the need to write specific policies for each instance or the need to customized each abstraction layer for individual instances.
  • the metamodel By tracking information about IT resources that were unknown when the system was created, the metamodel allows business users to arbitrarily define elements of data to track and create policy after the system was built, also allowing the users to track a specific piece of information that is defined for any resources that are managed by the system.
  • Resources could be networks, storage, servers, workloads, topologies, applications, business units, and the like.
  • the policy-driven infrastructure as a service may also include additional components. Additional components may be reporting, auditing, and federated identify management systems.
  • the present invention may provide for a visual policy editor, which provides an easy-to-use graphical user interface to a feature-rich and extensible policy engine, using a visual programming language and policies, eliminating the need for the user to write complex code to define, assign, and enforce policies.
  • the graphical user interface allows the user to author policies using a visual drag-and-drop interface or an XML editor.
  • the visual programming language functions could be loops, variables, branching, switching, pulling of attributes, code execution within a policy, and the like.
  • the visual programming language could access an external pricing engine that contains live pricing information, then make a decision on the next step of the execution process, based on the information it receives from the pricing engine.
  • policies can be enforced at an object level.
  • Objects could be organizational groups, individual projects, different deployment environments, and the like.
  • Policies could be access control policies, firewall policies, event-based policies and the like.
  • Access control policies could include packages, scripts, and the like.
  • Access control policies could be defined by cloud or other service providers, network attributes, network geographic location, security policies, and the like.
  • Firewall policies may include port and network ACL lists that are applied as policies and applied at container level to ensure conformance to corporate standards for port opening/closing.
  • Event based policies relate to service level management and could include compound threshold rules that trigger an action, lifecycle event management, compound event sequences, signature detection, and policy stacking, and the like. For example, a policy could be defined to restrict deployment of a computing workload to private internal clouds in a specific country.
  • the present invention may provide for automated processes to support a continuous integration cycle to migrate a computing workload from a development environment to an operational environment.
  • the continuous integration cycle may include maintaining a code repository, automating the build process, self-testing the build process, automatically deploying the build, and the like.
  • the policies and metamodels defined and assigned to the computing workload environment follow the build from its creation using the Builder Module through to its publication into the Consumption module. This capability allows the enterprise to greatly reduce the time required to develop, test, deploy and update a computing workload.
  • Continuous integration may also include ensuring the modernization, patch management, conforming configuration of deployed cloud-computing services.
  • the embodiments may provide this service as DevToOps policy allowing centrally defined service definition that deployed cloud-compute services can compare against and either update themselves when their configuration no longer matches, warn administrators of non-conformance, rewrite themselves back to conformance when configurations of the cloud-compute services are made arbitrarily, and the like.
  • various embodiments of the present invention provide standardized access, management, or control to different types of cloud-computing resources on a self-service, on-demand basis without the user needing to know the specific instructions or details for accessing, managing, or controlling those different target cloud-computing resources.
  • some management modules may comprise a cloud model data store 109 that maps the management action to the appropriate cloud-computing resources. Subsequently, the management action is translated to one or more instructions for a target cloud-computing resource and/or a computer workload operating thereon.
  • a topology is an example of a cloud service, where a topology is comprised of a number of individual virtual machines orchestrated together. A common management action to perform on a topology is to start it.
  • This simple topology start action within the management layer gets turned into a number of individual instructions that get passed down into the cloud service bus, such as (1) calculate the Start Up order for topology, (2) initiate ordered startup one VM at a time, (3) as VM's come up, attach volumes that are associated with the VM, (4) install any packages and software onto the VM's, and (5) once all machines are up and running the topology status changes to running
  • Cloud service bus 115 may be utilized to parse management instructions received from the manager module 26 , transform the management instructions to instructions compatible with the target cloud-computing resource, and route the management instruction to the targeted cloud-computing resource. In some embodiments, the cloud service bus 115 then routes the instructions to the application program interface (API) for a target cloud-computing resource from external commercial cloud resource 127 , or to the virtual machine manager (VMM) (e.g., hypervisor) for a target cloud-computing resource from internal private cloud resources 130 .
  • API application program interface
  • VMM virtual machine manager
  • FIG. 2B illustrates an example flow of management instructions from manager module 26 to a commercial cloud API.
  • provisioning module 106 of management module 26 transmits a management action for a cloud-computing service currently deployed within a virtual private cloud (VPC) or a cloud-computing resource to be deployed in the virtual private cloud.
  • Cloud service bus 115 receives the management action, parses ( 215 ) the action, and utilizes cloud model data store 109 to resolve ( 218 ) the action to the appropriate one or more cloud-computing resources associated with the cloud-computing service.
  • target-specific instructions e.g., commercial hypervisor API calls
  • target-specific adapter that connects one or more cloud-computing resources to one or more other cloud-computing resources or to the cloud-computing platform.
  • some embodiments utilize a target-specific adapter 209 , 212 in order to connect to and interface with cloud-computing resources provided by those different cloud providers and systems.
  • cloud service bus 115 routes the instructions to Amazon EC2® adapter 209 , which transforms ( 221 ) (or translates) the management action to one or more target-specific instructions that are routed to the Amazon EC2® API 203 for execution on the Amazon EC2®cloud-computing environment 206 .
  • Other adapters 212 illustrated include Microsoft® System Center Virtual Machine Manager, a VMWare® adapter, a Rackspace® Adapter, and a Sun® VMOpsCenter Adapter.
  • APIs illustrated include the Citrix® XenCenter® API 122 used to interface with a XenCenter cloud-computing environment 128 , or a Sun® xVMOpsCenter API 123 used to interface with the xVMOpsCenter cloud-computing environment 129 .
  • connection module 118 which implements a secure (i.e., encrypted) connection between the platform and the cloud-computing environment, the platform and client network, or the cloud-computing environment and the client network to ensure secure communication between the platform and environment.
  • Connection module 118 may be utilized, for example, when a cloud-computing environment does not provide a secure connection between a client and its cloud-provider network (e.g., a commercial cloud provider does not provide a secure connection as feature of their cloud services). Additionally, connection module 118 may be deployed and utilized on the client-side network when the client lacks a secure connection with the platform.
  • FIG. 3 provides a diagram illustrating an example of provisioning in accordance with an embodiment of the present invention.
  • (asset) repository 262 is queried to extract all relevant metamodel information for the deployable assets (e.g., cloud-computing resource), such as a cloud-computing service have a specific topology.
  • a simple topology may comprise a single cloud-computing resource (e.g., operating system running on a virtual machine) or a single tier of cloud-computing resource instances (e.g., LAMP server), combined to provide a cloud-computing service such as a web front-end.
  • a more complex topology may comprise more than one tier of related cloud-computing resource instances such as a back-end database service tier, middleware tier, and web front-end tier, each tier performing a related service as part of delivery of an application to a set of users.
  • the cloud model 109 is queried 280 to match the type(s) of cloud-computing resource instance with an appropriate provisioning request.
  • Topology interpreter 271 examines the request for the relationships of the cloud-computing resource instance(s) being requested and the access list (network port) assignments for the instance(s), and then passes the information to provisioning agent 274 .
  • Provisioning agent 274 queues the startup requests for the cloud-computing resource instances based on the defined startup order of the topology and provisions the instances and access list requests 289 through the virtual machine manager (VMM) API.
  • VMM virtual machine manager
  • FIG. 4 is a diagram illustrating an example use of a connection module in accordance with an embodiment of the present invention. Specifically, illustrated are two cloud-computing environments 306 and 309 each running instances of either Microsoft® Windows ( 333 ) or a distribution of Linux ( 339 ). Each cloud-computing environment is configured with a cloud firewall ( 315 , 318 ) that blocks specified network traffic and defends the environments against malicious network traffic.
  • a cloud firewall 315 , 318
  • client network 303 e.g., enterprise network
  • client network 303 e.g., enterprise network
  • enterprise firewall 312 In order for the cloud-computing environments ( 306 , 309 ) to communicate with client network 303 over external network 321 (e.g., the Internet), connection modules ( 324 , 327 , 330 ) are deployed on the three entities in order to establish and maintain encrypted communication tunnels ( 348 , 351 ) between the cloud-computing environments ( 306 , 309 ) and the client network 303 .
  • connection modules ( 324 , 327 , 330 ) establishes these encrypted communication tunnels ( 348 , 351 ) through allowed ports on the firewalls ( 312 , 315 , 318 ).
  • the connection modules ( 324 , 327 , 330 ) establish one encrypted tunnel for management ( 351 ) and another encrypted tunnel for data ( 348 ).
  • the Platform 20 may support this concept in a plurality of ways.
  • the platform 20 may have the capability to deploy what is commonly referred to as a VPN Overlay network. This network creates secure communication channels between two endpoints. In this instance, the network is setup by deploying ‘connection modules’ into each of the different environments. The connection modules create secure connections between each other.
  • connection broker may rely on creating IPSec tunnels between individual cloud providers and an on-premise environment. This allows for traffic to traverse from one cloud environment to another via your own internal networks.
  • the solution may be configured to combine a set of firewall configurations to enable a security zone model.
  • a new virtual machine is brought online the system can reach out to all the relevant firewalls and set up the appropriate communication.
  • This can mean that the system will configure a host based firewall on the VM, a hypervisor firewall the VM is running in, physical firewall devices, and other firewalls such as the host or hypervisor firewalls running on any of the machines in the communication channel.
  • the platform 20 may provide for end-to-end security across internal and external clouds, such as including secure data in transit from the platform to external clouds, secure access for users, secure encryption keys, secure logs for auditing, secure instances from breaches, secure data in storage, and the like.
  • the platform may provide for comprehensive security capabilities designed for agile IT operating models, such as for network security, instance security, data security, access security, and the like.
  • network security may include an encrypted overlay network across multiple clouds and enterprise data centers, firewall integration with support for multicast, static IP management, point-to-point routing, and the like.
  • Instance security may include images with pluggable host-based intrusion detection systems and virus scanning, and the like.
  • Data security may include images that utilize configurable encrypted block storage as well as SDKs for non-block storage requirements, and the like.
  • access security may include federated identity management and granular role-based access control to instances and stores. For example, there may be need to store credentials in a third-party encrypted key-store.
  • the platform 20 may allow for storing of all credentials in its own encrypted key-store or the ability to store in third-party FIPS compliant key-store for added security and compliance.
  • the present invention may provide for a secure federation of internal and external cloud providers to operate as a trusted extension of an enterprise, establishing security policy and governance earlier in the lifecycle, combined with automated policy enforcement, to provide a more secure computing environment than previously available.
  • Comprehensive security may include host intrusion detection systems and anti-virus protection, virtual firewalls, encryption of persistent data, secure connectivity, federated identity management, and the like.
  • Network isolation may be provided to include a redundant customer-controlled encrypted overlay network service that provides security in a cloud across multiple clouds and between enterprise data centers and commercial clouds; support multicast, static IP management, point-to-point routing, firewall integration; and the like.
  • Instance isolation may be proved through stacks including active host based intrusion detection and prevention packages; pluggable virus scanning integrated into each stack, and the like.
  • Data isolation may be provided, such as including a configurable encrypted block storage system as well as SDKs for non-block storage requirements; backups of block storage devices inheriting encryption; configurations for encryption of data to be transferred or stored in non-block storage, a cloud manager providing granular role-based access control to instances and stores; certificate and key-pair access control of instance log-in, such as connections only over strong-encryption SSL; and the like.
  • an overlay network may extend the client's network into the cloud provider, such as through bridges to corporate network (e.g.
  • VPN virtual private network
  • enhanced failover, load balancing, and peering support extension of corporate IP assignments (e.g. both DHCP and static); support for point-to-point connections (e.g. servers that can talk directly to each other without having to go back to corporate data highway; ability to bridge multiple clouds; support for multicast; deployment of nodes in both the external cloud provider and the corporate data high; and the like.
  • corporate IP assignments e.g. both DHCP and static
  • point-to-point connections e.g. servers that can talk directly to each other without having to go back to corporate data highway; ability to bridge multiple clouds; support for multicast; deployment of nodes in both the external cloud provider and the corporate data high; and the like.
  • Each of the security capabilities described herein may be provided for a particular platform or infrastructure network, as applicable, or may be applied across a security zone, as noted above, such that the security zone, which may reside across multiple clouds or networks, is maintained as a defined layer of security for all elements with the zone.
  • security policies applicable to the zone may, by being associated with all workloads in zone in accordance with the metamodel and policy framework described throughout this disclosure, be enforced to ensure that all such workloads are deployed, executed and consumed in a manner consistent with the current security policies for the zone.
  • the boundaries of each security zone and policies can be rapidly and conveniently updated, such as in the manager module 26 , with assurance that all workloads within the zone will be provided with updated policies, as applicable, and that they will be handled consistent with such policies.
  • multiple security zones may be defined at differing levels of abstraction, such as geographic, business unit, user type, physical network, cloud, cloud type, or the like. Workloads in each zone will be required to satisfy the security policies of the zone, such that if a workload is deployed within overlapping zones, it will be subject to all policies for all such zones.
  • a transactional workload might have a security policy defining anti-virus requirements based on its presence in a security zone defined by the business unit that handles that transaction, but it might also be subject to data encryption requirements defined for a security zone defined by the legal department for all business units of an enterprise.
  • the platform 20 may include the capability to view, manage, and edit security policies for security zones, including to highlight and resolve any potential conflicts among policies in the case of overlapping zones that apply to a workload.
  • the ability in the platform 20 to plan, design, rapidly deploy, and manage workloads and related policies that comply with varying and overlapping security zones allows efficient satisfaction of constantly changing technical requirements (e.g., based on the latest anti-virus, firewall, and similar capabilities for a particular type of cloud or other infrastructure resource), shifting regulatory requirements (such as satisfying legal requirements for security of private user data), and shifting business requirements (such as providing security features that satisfy customer preferences as to security and convenience of use).
  • the definition of security policies in the platform 20 at a level of abstraction that is independent of the infrastructure and platform elements on which a workload is deployed allows an enterprise to establish security zones that are vendor independent.
  • a single security zone can have a defined policy, such as to satisfy a legal requirement, that is associated with a workload, and that is applied within a security zone that contains firewalls, routers, storage systems, and other elements that come from disparate vendors.
  • the platform 20 automatically parses the policy and metamodel data associated with the workload and ensures that the infrastructure elements, regardless of type, are provisioned, updated and operated in accordance with the policy. This capability allows the enterprise to avoid a great deal of effort, often unsuccessful due to the time required and the rapidly shifting requirements, that has previously been spent analyzing, discussing, and updating security policies, then configuring a host of disparate devices in an effort to comply with the changing policies.
  • the method further comprises: deploying an application, where the application is associated with one or more computer workloads; and where each application and/or computer workload is assigned a security zone; and tagging each application or computer workload based on its security zone such that firewall rules to permit the application to perform the computer workload are automatically and simultaneously applied to multiple firewalls within and outside the security zone assigned to the application.
  • the application may have complex security policies integrated within it during the development process of the application.
  • Each application or computer workload may be tagged to operate in a specific security zone and communicate across security zones and each security zone may have a defined set of firewalls associated with it.
  • the firewalls may be virtual firewalls or physical firewalls.
  • the firewalls may be provided by multiple vendors such as Cisco, Juniper, and the like.
  • the firewalls may be cloud-based firewalls provided by vendors such as Amazon, VMWare, and the like.
  • a database application that is tagged to operate in a highly secured security zone may require connectivity through a built-in firewall on the database server, a firewall upstream of the server between the highly secured security zone and a less secure corporate network security zone, and a firewall between the less secure corporate network security zone and a security zone that connects to the public Internet.
  • An adaptor automatically determines the IP addresses assigned to each of the firewalls required to permit the application to perform the computer workload; and simultaneously on each firewall establishes rules required by the application, without restarting the system in which the firewall(s) operate.
  • the method further comprises removing the firewall rules when the application or computer workload is removed or stopped.
  • connection modules such as those illustrated may be utilized when a secure connection is not readily available between a cloud-computing platform of an embodiment and a cloud-computing environment, between the cloud-computing platform of the embodiment and the client network, or between the cloud-computing environment and client the client network.
  • FIG. 5 is a diagram illustrating an example use of an identity module in accordance with an embodiment of the present invention.
  • enterprise network 406 is illustrated comprising identity module 29 in accordance with an embodiment, and identity store 415 .
  • cloud provider network 403 Illustrated opposite the enterprise network is a cloud provider network 403 that is providing commercial cloud 409 (e.g., cloud-computing resource for a cloud-computing service) to enterprise network 406 .
  • commercial cloud 409 e.g., cloud-computing resource for a cloud-computing service
  • Identity module 29 facilitates identity provisioning and de-provisioning 418 (e.g., sign-on and sign-off) of a user to a service provided on a public (e.g., commercial) or private cloud.
  • identity module 29 performs this service by authenticating the user using the client's authentication system (i.e., identity store 415 ).
  • identity module 29 may authenticate a user using a locally deployed service, such as Netegrity®, Oracle OAM®, Microsoft® Active Directory, RSA® Cleartrust, Lightweight Directory Access Protocol (LDAP), and Kerberos.
  • a locally deployed service such as Netegrity®, Oracle OAM®, Microsoft® Active Directory, RSA® Cleartrust, Lightweight Directory Access Protocol (LDAP), and Kerberos.
  • the platform 20 could be configured to use Active Directory (AD) as its user store.
  • AD Active Directory
  • a user When a user wishes to console or desktop into a Virtual Machine that exists within a cloud environment, they may be prompted for credentials. The user supplies their credentials and the platform authenticates against AD. If there is a match, the platform 20 may log into the VM as Admin and create a new local account for the user based on the AD credentials. The user can now login to the VM.
  • Another use case may deal with Software as a Service Integration, where a store, as described herein, may include the concept of purchasing user seats with cloud-based services, such as the commercially available service Salesforce. When a user, backed by the user's AD identity, orders a Salesforce user seat, the platform may provision an account for the user within Salesforce.
  • the platform may de-provision the useraccount within Salesforce. Users may also have the option to ‘consume’ Salesforce, which redirects the user to Salesforce and performs SSO.
  • a user logs into the platform to access a Salesforce service, where first the user is authenticated (e.g. via AD, Netegirty), then based on his identity the platform 20 checks to see if the user has an account in Salesforce. If not, the system may create one in Salesforce by calling the Salesforce account management APIS. The system may also look up addition information about this user by doing database queries or other types of lookups against internal systems.
  • the platform 20 will initiate a process to delete the account and clean up all relevant data. This detection and cleanup process could also be initiated by a periodic job that gets run automatically by the platform 20 according to a schedule, by detection of events (such as changes made to AD), and the like.
  • identity module 29 redirects that user's credentials to the cloud-computing service for authentication. Once the cloud-computing service successfully authenticates the user based on the forwarded user credentials, the user is redirected to the logged in cloud-computing service. It should be noted that identity capabilities may be applied to a cloud-computing resource as well as to a user, such that a specific cloud-computing resource may be authorized (based on its identity) to be used in connection with execution of a computer workload.
  • FIG. 6 is a diagram illustrating an example use of a monitor module in accordance with an embodiment of the present invention.
  • governor module 103 monitor module 112 and private internal clouds 530 reside on enterprise network 503 .
  • Commercial clouds 512 and 515 are providing cloud-computing resources to the enterprise network 503 .
  • Monitor module 112 is responsible for monitoring the status and utilization of commercial clouds 512 and 515 , and deploy a monitor collector 506 and 509 to the commercial clouds 512 and 515 to collect and transmit such information to monitor module 112 .
  • the collectors may provide a plurality of functions. For instance, the first thing a collector may do is collect information coming from the guests. The collectors may also persist this data and respond to queries about the data from the main Monitor Module.
  • a deployed VM e.g. to a VM of an Amazon cloud
  • the monitoring system may be able to monitor events above and at the hypervisor. That is, the monitoring system may receive data not only from VMs, but that it may also be extended to call the low level APIs and metric systems of the hypervisors and cloud computing services and aggregate data from both locations to provide a holistic picture of the performance and status of the system.
  • Aggregator 518 receives the information from individual monitor collectors ( 506 , 509 ) and monitor collectors (not shown) deployed to private internal cloud 530 , and records the (received) monitor information for governance purpose, provisioning purposes, or administrative purposes (e.g., event reporting).
  • Monitor module 112 uses translator 521 to interpret the monitor information from the commercial clouds ( 512 , 515 ) and relays ( 524 ) the interpreted monitor information to event console 527 .
  • Aggregator 518 also forwards monitor information to governor module 103 to enable the module to govern the operations of cloud-computing resources and cloud-computing services being managed by a cloud-computing platform in accordance with an embodiment.
  • the monitor and collector modules may all reside inside the Enterprise Network 503 as virtual appliances running within the internal virtualized Enterprise Network 503 compute environment.
  • FIG. 7 is a diagram illustrating example governor module 103 in accordance with an embodiment of the present invention.
  • Governor module 103 applies constraints, conditions, non-security policies, and security policies on cloud-computing resources and cloud-computing services being managed by a cloud-computing platform in accordance with an embodiment.
  • governor module 103 governs the cloud-computing resources and services by using monitoring information (from cloud-computing resources) provided by monitor module 112 , and then issuing management actions (e.g. VPC actions) to cloud-computing resources based on monitoring information and the constraints, conditions, and policies the governor is applying to the cloud-computing resources.
  • management actions e.g. VPC actions
  • governor module 103 uses analytics engine 609 to analyze monitoring information from monitor module 112 and, then, uses the analysis information to apply the constraints, conditions, and policies through policy engine 603 .
  • policy engine 603 instructs action engine 606 to issue management actions to provisioning module 106 (e.g., issue management actions to increase or decrease the number of cloud-computing resources based on CPU utilization of the existing resources). For instance, when a new threshold policy gets created the threshold may be pushed down into the analytics engine.
  • the analytics may be continuously evaluating the flow coming in from the monitor modules and evaluating the flow against its threshold definitions. When a threshold is violated an event may be created and sent to the policy engine.
  • the policy engine may then determine which action to take and pass the instruction off to the action engine. In the case of auto-scaling the action engine may pass a provisioning or de-provisioning request to the provisioning module.
  • the flow amongst the monitor and provisioning modules and the analytics and policy engines may be as follows.
  • the Monitor Agent may collect data in a variety of ways including polling the system for status, or alternatively it may receive information sent to it by some even or periodic sending of data by the application or service being monitoring.
  • the Monitor Agent rolls up the data, where the roll up may include aggregating and summing data, and it may also include filtering data out that is not required or within thresholds that don't need to be reported on. The data may be collected so it may be sent in bulk efficiently rather than parceled out and causing many interrupts.
  • the Monitor Agent may transmit data to the Analytics Engine.
  • the analytics engine may then parse the data and again may perform aggregations, summation, filtering, or other correlation.
  • Step 4 the analytics engine may then evaluate data against a set of configured thresholds that are configured by the policy engine. If a threshold is found to have been exceeded, then the event system may kick in and take action based on the configured policy.
  • Step 5 is executing the configured policy action, which could include notification of some set of individuals or other system by phone, email, pager, txt message, event bus, programmed call out, shell script, or other configured mechanism.
  • governor module 103 utilizes instance placement 627 to make decisions on where to place an instance of a cloud-computing resource. For example, when an image is built for a cloud-computing service using a builder module, it can be tagged (e.g., using a metamodel) to prevent deployment to certain zones (e.g., security zone) as part of a security policy, cost control policy, performance or availability management policy. Instance placement 627 may cause the governor module 103 to place an instance of a cloud-computing resource based on availability of client-computing resources, or (real-time) performance of particular clouds.
  • instance placement 627 may cause the governor module 103 to place an instance of a cloud-computing resource based on availability of client-computing resources, or (real-time) performance of particular clouds.
  • Virtual Machine (VM) lifecycle management 624 may be utilized by governor module 103 to determine and enforce expiration of virtual machines
  • Auto-scale 621 may be utilized by governor module 103 to scale computer workloads being performed on one or more a cloud-computing resources. Auto-scale 621 can add or remove instances of cloud-computing resources to increase or decrease the performance of computer workloads based on monitored resource consumption, a schedule, or a set of rules.
  • Availability & disaster recovery 618 may be utilized when operation of a cloud-computing resource has failed and the failed cloud-computing resource must be recovered according to the constraints, conditions, or policies governed by governor module 103 .
  • FIG. 8 is a flowchart illustrating an example method 700 in accordance with an embodiment of the present invention.
  • Method 700 begins at operation 703 by providing a user a virtual private cloud (VPC) configured to utilize a cloud-computing resource from the plurality of cloud-computing resources to perform a computer workload.
  • VPC virtual private cloud
  • method 700 then receives a request to perform the computer workload within the virtual private cloud.
  • the computer workload may be an application, a server, a platform (e.g., LAMP server), or an infrastructure element (e.g., load-balancing unit).
  • receiving the request to perform the computer workload comprises: receiving an application to be migrated to cloud-computing environment for execution; and identifying the computer workload as necessary for executing the application.
  • method 700 receives a computing workflow to be performed in the cloud-computing environment; and then identifies a computer workload to perform the computing workflow.
  • method 700 identifies a cloud-computing resource to perform the computer workload.
  • identifying the cloud-computing resource may be based on a workload score determined by a scoring logic.
  • the scoring logic may be based on a business attribute of the computer workload (e.g., whether it is mission-critical, required to satisfy a legal obligation, required for an SLA, or the like), a technical attribute of the computer workload (e.g., storage required, bandwidth required, processing speed required, or the like), an operational attribute of the computer workload (time of day for availability, seasonality, or the like), or any combination thereof.
  • the scoring logic may further be editable or grouped into collections of logic to provide scoring plans for examining multiple types of computer workloads different ways (e.g., a grid computing scoring plan scoring workloads for an application destined to a cloud-computing service hosting grid workloads).
  • the scoring logic may be editable to allow enterprises to store business, technical, and operational attributes of a computing workload, using enterprise-specific nomenclature or to allow for an enterprise to adjust attributes to a preferred score, consistent with business, technical, or operational metrics.
  • the scoring algorithm could be configurable, to weight the different attributes of the scoring algorithm based on business, technical, and operational metrics.
  • the scoring algorithms are configurable in multiple ways and the scores are created by a set of rules.
  • the rules may be cloud readiness rules, cloud value rules, or the like.
  • the rule logic may be expressed as javascript, java, or the like.
  • the rules make it possible to call any programming language system, configuration management data system, or the like.
  • the information retrieved by the rules can be added to the metamodel for the specified information technology resource.
  • Rules are evaluated according to a plan.
  • a plan is a set of rules the weighting value assigned to each rule. For example, when a rule is a business criticality rule based on a set of metrics, and a plan is a “business contingency” plan, where the goal is to move infrastructure into a cloud that has disaster recovery and high availability built into it, the a system with the highest business criticality weight, may be moved first.
  • the weighting values assigned to that item will be added to the metamodel associated with that item.
  • Items could be systems, servers, databases, applications, workloads, and the like. Filters are used to decide where items should be placed. The filter first identifies the places where an item can be placed and then places the item in the place that is determined to be the best fit for the item. If data assigned to score an item is complete, it will be marked as scored and appear in relevant reports. If data assigned to score an item is incomplete, the items will be identified as requiring remediation. Different data attributes can be tagged as requiring different classes of individuals to complete the required information and preventing other classes of individuals from doing the same. Classes of individuals could be business users, technical users, and the like.
  • the present invention may provide for the categorization of workflows into workloads.
  • Each computing workflow can be separated into a set of distinct workloads, each workload having requirements such as input, storage, processing, output, and the like.
  • Each computing workload may have policy and metadata information stored by the system that includes what computing workload it is, how the computing workload is used, how quickly the computing workload needs to be performed, and the like.
  • Each computing workload is instantiated through a customizable workflow. For example, a computing workload may require approval by a business unit, development team, quality assurance team, and an operations team. The workflow in this example would then be instantiated to solicit approval of requirements defined by each workload from each team.
  • method 700 provisions the cloud-computing resource from the plurality of cloud-computing resources for the virtual private cloud (VPC). For example, method 700 may provision by locating an unreserved cloud-computing resource within the plurality of cloud-computing resources; and reserving for the virtual private cloud the unreserved cloud-computing resource.
  • VPC virtual private cloud
  • Method 700 deploys the cloud-computing resource within the virtual private cloud at operation 715 .
  • the cloud-computing resource is a virtual computing resource
  • the virtual computing resource may be deployed under control of a virtual machine manager.
  • method 700 may deploy the cloud-computing resource according to a condition for the computer workload, where the condition determines if or when the cloud-computing resource can be deployed within the virtual private cloud to perform the computer workload. For example, the condition may require that the computer workload for backup servers only operate during evening periods.
  • some embodiments may deploy a pre-determined set of cloud-computing resources to optimize the computer workloads' performance.
  • method 700 uses the cloud-computing resource to perform the computer workload at operation 718 . Then, at operation 721 , method 700 applies a policy or constraint on the cloud-computing resource. For example, where a policy is associated with a computer workload, method 700 may govern operation of the cloud-computing resource performing the computer workload in accordance with the policy.
  • FIGS. 9A-9D are screenshots of an example user interface in accordance with some embodiments of the present invention.
  • FIG. 9A depicts a screenshot of a user interface to a planner module, which can plan a cloud-computing service comprising one or more cloud-computing resources.
  • a corporate blog application and a logistics application are shown being planned for creation.
  • FIG. 9B depicts a screenshot of a user interface to a builder module, which can build a cloud-computing service comprising one or more cloud-computing resources.
  • the illustrated screenshot shows a stack being built on a Linux base stack.
  • FIG. 9A depicts a screenshot of a user interface to a planner module, which can plan a cloud-computing service comprising one or more cloud-computing resources.
  • a corporate blog application and a logistics application are shown being planned for creation.
  • FIG. 9B depicts a screenshot of a user interface to a builder module, which can build a cloud-computing service compris
  • FIG. 9C depicts a screenshot of a user interface to a consumption module, which can be utilized by a user to subscribe to and use a cloud-computing service comprising one or more cloud-computing resources.
  • the screenshot for the consumption module user interface allows a user to subscribe to and use such instances as Linux, Windows® 2003 IIS server, and Flatpress Blog Engine
  • FIG. 9D depicts a screenshot of a user interface to a manager module, which can be utilized by a user to manage cloud-computing service and its one or more cloud-computing resources.
  • the screenshot shows the user interface of the manager module allowing a user to issue commands to cloud-computing services, such as stopping, running scripts, creating storage volumes, and attaching storage volumes to the cloud-computing services.
  • the interface may be a web page, command line, development tool, and the like, such as eclipse or visual studio, and apps such as iphone/ipad applications.
  • an API may be called that will allow a user to make changes and consume services in a way that is consistent with the company policy.
  • an API may be implemented as a REST and SOAP interface, which are standard formats for services that may be exposed over different protocols in a standard way.
  • each user interface module may be designed to support one or more of the functional roles encountered in the Systems Development Life Cycle (SDLC).
  • SDLC Systems Development Life Cycle
  • the user interface Modules represented in FIGS. 9A-9D may be accessed and used by project team members and presented for the functions those team members may have in the systems development life cycle of the project for which the cloud-computing services are being designed, built, provisioned, and consumed.
  • the interface to each module may be designed to best service the type of function that will be performed as part of the SDLC phase being addressed.
  • the user interface components of each module may access the Policy Engine in order to represent the controls, access, and assets available to the functionally specific users in order to preserve the integrity, security and compliance of the cloud-computing services each aspect of the SDLC phase.
  • the present invention may provide a comprehensive enterprise-grade facility based on federation of IaaS, PaaS, SaaS, and the like, delivered by a plurality of internal and external cloud providers enabling advantages including the ability to intelligently govern, secure, and manage a user's critical applications for cloud environments; automate planning, building, sharing, and running lifecycle for optimal speed and efficiency, providing policy driven, end-to-end identity management across the plurality of cloud environments; deliver comprehensive cost, performance, and consumption visibility; integrate with a client's existing IT infrastructure including asset management, authentication and authorization, audit and governance, performance monitoring, and chargeback billing systems; and the like.
  • the present invention may provide for a layer that allows the input of chargeback billing data to be imported from reporting tools or integrated monitoring systems and the ability to “over recover” or “under recover” charges from the service provider's specified rates, providing a comprehensive audit trail. For example, if an enterprise is providing its internal users value-added services based on the Amazon EC2 service, the enterprise can add its own costs to the rate charged by Amazon, to recover the costs the enterprise incurs when providing the service to the internal users.
  • an alternate module structure is depicted for the platform 20 for providing capabilities to specific roles across the lifecycle, including a planner module 1002 (which may have any of the capabilities described for the planner module 23 ), a designer module 1004 (which may have any of the capabilities of the design module 29 ), a centerpoint module 1008 , a manager module 1010 (which may have any of the capabilities of the manager module 26 ), and an access module 1012 , which may collectively provide the platform with management, security, policy, governance, and the like functionality as described herein.
  • the platform 20 as in the example depicted in FIG. 1 and detailed herein, is able to provide virtual private cloud facilities to users through the cloud provider environment, including external private clouds 1014 (e.g.
  • FIG. 1 of the Cloud-Computing Platform 20 map directly to the modules depicted in FIG. 10 , Platform 20 as follows; Planner Module 23 maps directly to the Planner Module 1002 , the Builder Module 29 maps directly to the Designer Module 1004 , the Consumption Module 32 maps directly to the CenterPoint Module 1008 , and the Manager Module 26 maps directly to the Manager Module 1010 .
  • the Access Module 1012 provides a single sign-on function for the platform 20 allowing connectivity to enterprise identity systems such as LDAP/AD, which is shown in FIG. 5 and maps to the Identity Module 29 .
  • the planner module 1002 may help analysts and architects streamline application migration activities by analyzing and scoring application workloads to evaluate their suitability, generate recommendations right-sizing and right-placement across multiple internal as well as external service provider options.
  • the planner module 1002 may also allow analysts and architects the ability to construct new rules and rule-sets for evaluating new and different types of application workloads in evaluating cloud readiness, cloud value, and right placement recommendations.
  • the designer module 1004 may provide technical users with a graphical workbench to rapidly assemble policy-compliant stacks, workloads, and applications for any number of deployment environments. It may include a library of pre-built, reusable assets with the ability to create and publish new ones.
  • the centerpoint module may facilitate the sharing and collaboration of cloud assets with fine-grain access controls, search capabilities, automated notifications, rating and commenting of assets, and access to detailed consumption reports.
  • the manager module 1010 may provide a unified interface to streamline deployment and runtime management for any number of cloud providers, including monitoring of running instances and detailed performance and costing information.
  • the access manager 1012 may deliver federated identity management to the full range of highly dynamic services managed (e.g.
  • modules represented may reside on a common Policy Engine that ensures the integrity and security of the system by enforcing policy and access rights for the users accessing each module are only accessing those assets and functions that are allowed for their functional role.
  • the platform 20 may exist in an IT ecosystem and utilize a plurality of both cloud-based and dedicated resources to integrate with the platform, where these integration points may take place both within an enterprise's existing IT infrastructure, and also extend out to a plurality of external providers and services, such as in applying to both pre-production and production cloud environments.
  • FIG. 11 provides an example illustration of the IT ecosystem as a plurality of these both dedicated and cloud-based resources, including security 1102 (e.g. proxy integration, host firewalls, hypervisor-based firewalls, host intrusion detection, external key store, VLAN management, VPN, file system encryption), IaaS 1104 , external clouds 1108 (e.g.
  • security 1102 e.g. proxy integration, host firewalls, hypervisor-based firewalls, host intrusion detection, external key store, VLAN management, VPN, file system encryption
  • IaaS 1104 e.g.
  • storage 1110 e.g. NFS, VMFS, SAN, Amazon S3, EMC, Oracle, Netapp
  • internal clouds 1112 e.g. vSphere, Cloud.com, Eucalyptus, OpenStack, HyperV, Xen, KVM
  • PaaS 1114 e.g. Hadoop, Azure, EnterPaaS, Vmware CloudFoundry, IBM WebSpheree, Oracle WebLogic
  • orchestration 1118 e.g. Autoscaling, Scripting framework, File management
  • SaaS 1120 e.g.
  • Salesforce.com, Intuit, Google Apps desktop as-a-service 1122 (e.g. Citrix, VMware, Cicero, Framehawk), accounting and chargeback 1124 (e.g. Ariba, SAP), continuous integration 1128 (e.g. Collabnet, Apache Maven, Subversion, Jenkins CI), disaster recovery 1130 (e.g. Double Take), network services 1132 (e.g. DNS, DHCP, Load Balancer, NTP), governance 1134 (e.g. Axway, SOA Software), performance monitoring 1138 (e.g. Ganglia, Collectd), identity management 1140 (e.g. Oracle OAM, Netegrity, LDAP Kerberos SAML, RSA ClearTrust, Active Directory), and the like.
  • network services 1132 e.g. DNS, DHCP, Load Balancer, NTP
  • governance 1134 e.g. Axway, SOA Software
  • performance monitoring 1138 e.g. Ganglia, Collectd
  • the platform 20 may deliver unified governance for IaaS, PaaS, and DaaS workloads across a federation of internal and external cloud providers 1202 , 1204 , 1208 , to leverage scheduling and placement policies to optimize the placement and type of workloads that are being run on a temporal or scheduled basis.
  • scheduling policies may devote much of the cloud compute capacity to running virtualized desktops, however, as the evening approaches and workers go home, the demand for DaaS drops, and the cloud compute capacity can be utilized for compute intensive applications such as financial trade simulation models running on grid-compute nodes.
  • This policy approach also allows cloud-compute services to be shifted to lower cost Cloud Provider environments.
  • the inherent policies provided by the platform 20 lower costs by maximizing the utility of the cloud infrastructure while also having the same effect of lowering costs by aligning workload placement to provider environments best fit to run those types of workloads.
  • policy-driven governance may be integral to the platform 20 and to the end-to-end lifecycle to create and enforce policies in a closed-loop governance lifecycle, such as extensible policy framework to support unique needs, customizable approval workflow, integration with corporate audit and governance systems, establishing a foundation for audits and policy reviews, and the like.
  • the planner module 1002 may contribute to the creation of design-time policies, such as access rights, right-placement parameters, regulatory restrictions, and the like.
  • the designer module 1004 may contribute to the creation of run-time policies, such as auto-scaling parameters, maximum instances allowed, and the like.
  • the centerpoint module 1008 may enforce access policies, ensuring that the right users are accessing the right assets and deploying those assets in the right places, and the like.
  • the manager module 1010 may enforce run and design-time policies, such as allowing cloud-compute services to scale up or down in response to load or other conditions in the environment as well as prevent users from consuming arbitrary amounts of compute resources, and the like.
  • the access module 1012 may enforce access policies across internal and external service providers, and the like. In this way, policy creation is an integrated process across the platform.
  • the present invention may provide many advantages, including a unified interface to deploy and monitor workloads across internal and external service providers; rapid creation of new workloads and re-architect existing ones for cloud portability and on-demand provisioning; automated right-sizing, right-placement, and user access decisions via enforceable policies; deployable and dynamically configurable complex application topologies in real-time; meter usage with integrated chargeback and billing; real-time monitoring and support for auto-scaling and bursting across multiple clouds; federated identity management across internal and external providers; pre-built library of re-usable stacks to accelerate assembly and deployment; incorporated end-to-end security that spans network, access rights, instances, and data; complete visibility and transparency via role-based reports, policy reviews, and audit trails; creation and enforcement of policies in a closed loop governance and management lifecycle; score and prioritization of workloads for migration; consolidated monitoring, reporting and metering including integrated chargeback/billing; platform deployment flexibility to locate securely on premises or as a SaaS offering; and the like
  • Automated governance through the present invention may enable new capacity optimization strategies to maximize the utilization of hardware and server resources through the dynamic placement of different sized workloads, where the platform may manage placement of workloads from large (e.g. production applications, load test environments) to small (e.g. virtual desktops), perform monitoring and manage application auto-scaling, roll-overs seamlessly to external cloud providers when internal capacity limits are reached, and the like.
  • Use of the platform across a plurality of cloud workloads may allow the user to create new capacity optimization strategies to make the most from a user's internal resources, such as though dynamic placement of different sized workloads, and combining these workloads to achieve high capacity and/or utilization of a given computing facility.
  • the platform may perform application monitoring, workload placement, workload scheduling as well as workload and application auto-scaling, and the like, as appropriate.
  • the present invention may provide for a self-service enterprise application store, which provides access to a global, cross-platform, software distribution network for multiple service offerings, accessible through any web browser such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and the like.
  • a self-service enterprise application store can be used to drive virtual desktop installations, provision enterprise server systems, connect to SaaS solutions, and integrate with custom, third-party software and services and the like.
  • such an enterprise application store can provide a full range of services to manage and monitor the provisioning of services.
  • the services could be a wide range of service required by enterprises, such as software publishing and ordering, order approval, license management, chargeback and invoicing, integration with a global marketplace, and the like.
  • the service offerings could be infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) offerings, and the like.
  • the service offerings could be internal services, open source services, third party services, and the like.
  • the present invention may provide for a single sign-on capability for each of the service offerings.
  • the application store software publishing capability can include tools to package and publish software and services to the application store, such as to allow a customer of services from the application store to develop its own software and publish its own service, which in turn can be made available through the application store.
  • a service builder could obtain from the enterprise application store a set of services that provide storage capability and that retrieve a given set of input data, such as from various sources.
  • the service builder can then build its own service by adding a processing service that processes the inputs into outputs that are stored in the data storage and made available for other users who wish to have those outputs, such as for their own services.
  • the new service can be stored in the enterprise application store for further use by others.
  • a user of the enterprise application store may organize software services into manageable “catalogs” to control user access and experience, apply rich security, usage, and billing policies to entire catalogs, catalogs of catalogs, individual offerings, configure workflows for publishing approvals, and the like.
  • the application store software ordering capability can include an intuitive interface for browsing and purchasing published software and services, allow a user to purchase software and services for itself or on behalf of an entire group of users, schedule deployments upon purchase or for a date in the future, and the like.
  • the software ordering capability can include a customizable user interface, which allows a user to build browsing and ordering interface widgets customized to the needs of the user and then make those widgets available to the user's users through the application store.
  • the software application store order approval capability can include an integrated purchase approval system that follows a flexible workflow that is consistent with industry standards and best practices, a pluggable service model to allow for transparent integration with third-party approval systems, and the like.
  • the order approval capability includes a highly customizable workflow that can be built from individual approval systems that can be chained-together in various and selectable sequences. These various and selectable sequences can be varied by catalog, catalog item, user, user group, and the like.
  • the ordering and approval capabilities may be filtered or otherwise limited by the user who is placing the order and/or the application on whose behalf the order is being placed.
  • Results made available to a user and/or an application may be pre-filtered to only show those services that are available to that user and/or application.
  • the user can be categorized by its role in the organization, or the like.
  • the application can be categorized by its role, function, assigned policies, and the like.
  • the license management capability can include the creation of detailed licensing polices for individual software modules and services, a component model to allow for integration with a wide range of vendor licensing servers, runtime license checking when used with virtual machine instances managed by the present invention, and the like.
  • the chargeback and invoicing capability can include an integrated change management service with a configurable workflow, an adapter model allowing for integration with existing financial and asset management systems, flexible pricing policies to allow for the establishment of one-time charges or variable, usage based models, detailed organization modeling to allow for the distribution of cost across multiple cost centers, a flexible API that allows for the customization of the billing workflow, and the like.
  • invoices could be posted directly to the enterprise's enterprise resource planning (ERP) or payables system.
  • ERP enterprise resource planning
  • the present invention provides for the ability to report chargeback and invoicing information to both the user of the service and the provider of the service from the software application store.
  • the capability to be integrated with a global marketplace can include publish and subscribe access to an open market of verified software, an integrated and stringent approval process of all submissions, access to a free catalog of packaged and open-source solutions, the ability of a user to package and upload its custom solutions for exposure to a global market, the ability of a user to offer its software free or through a licensing/pricing model with automated chargeback, defined by the user, and the like.
  • the software application store supports the recursive publishing of applications.
  • the recursive publishing could include multiple iterations of an application published by multiple users, groups of users, enterprises, departments within enterprises, and the like. For example, a first department of a first enterprise could publish a first IaaS application back into the software application store, a second department of the first enterprise could then publish a PaaS application on top of the IaaS application published by the first department, and a third department of the first enterprise could purchase the PaaS built on top of the IaaS application and the license fees paid by the third department would be split between the first and second departments.
  • the data may be associated with the content available in the software application store is and SKU, policy, SKU-Policy, catalog, and the like.
  • An SKU is the primary entity describing content available through the software application store and is a pure virtual entity describing a potentially addressable software component or interaction.
  • An interaction can be a module, service, or the like.
  • An SKU can be defined as a software module or a service binding.
  • a software model represents and offering comprised of one or more physical software components, which can include source code, binaries, and the like, and the software module encapsulates the information needed to resolve binaries to locations on the shared filesystem, resolve binary dependencies, locate and provision associated software packages, and the like.
  • a service binding models a software-as-a-service (SaaS) type offering and encapsulates the information needed to configure user-access to services, authenticate, bind to services, and the like.
  • SaaS software-as-a-service
  • a policy will be applied as defined by standard policy types, resolved, and applied by modules as described elsewhere in this disclosure. In other embodiments, additional policy types and definitions, with possible extensions to existing models, may be added to support the software application store.
  • An SKU-Policy is the collection of policies associated with a given SKU and is an extensible set of required or optional policies, which may be conditionally applied.
  • a catalog is a collection of SKU's, filtered through access control, which can be applied at any level and made available to a group of users.
  • access control can be used to introduce further groupings below the root level.
  • a given catalog instance is a rule-based expression of the root catalog.
  • the root catalog is defined as the base set of SKU data available to all subscribers. All SKU's published in the root catalog are ‘inherited’ by all derived catalogs.
  • the basic catalog hierarchy can be root catalog->customer catalog->user catalog.
  • FIG. 13 depicts an embodiment of a software application store and marketplace interaction structure, such as with software application store services, including policy management, object models, process handlers, repository providers, filesystem services and workflow services, interfacing with marketplace services, such as with software application store workflow connectors, a shared filesystem, a software application store repository, and the like.
  • the components could be a marketplace, shared filesystem, filesystem client, server components, repository, user interface, and the like.
  • the marketplace is the central ‘public’ repository that hosts the components listed in the root catalog, consists of a cluster of servers hosting a portion of the shared filesystem and a subset of the software application workflow components to manage publishing, approvals, and browsing.
  • the marketplace may have its own basic user interface consisting of a few simple web pages, which provide access to the functionality of the software application interface.
  • the shared filesystem may be a clustered, parallel filesystem housing all the physical components needed by the software application store and its offerings.
  • the filesystem may be self-contained and may be used outside of the software application store or the system of the present invention.
  • marketplace catalog items can be hosted on the shared filesystem.
  • the software application store may offer service components that simplify filesystem administration tasks and serve to isolate other components from the physical filesystem implementation.
  • the filesystem client may be a client that accesses the software application store shared filesystem namespace using local filesystem semantics. For example, the namespace root may appear to the user as a local mount point or network mapped drive.
  • a number of client-side components may be installed to provide access to the software application store shared filesystem through the filesystem client.
  • the present invention requires at least one client package for each target operating system and/or distribution.
  • the filesystem client components are distributed through standard packages of the present invention that contain the scripts and attachment necessary to establish connectivity to the software application store shared filesystem through the filesystem client.
  • the server components may be the core applications of the software application store and include the base object model, workflow processing components, catalog and metamodel access providers, unique policy definitions, and the like.
  • the repository may be the collection of data structures housing the software application store metamodel, configuration, and catalog data, and the like; and are internal to the software application store.
  • the user interface may be the collection of interface elements used to access software application store functionality and is implemented as a completely separate application that integrates with the main user interface of the present invention, describe elsewhere in this disclosure.
  • the software application store may make available shareable widgets that are an extension of the software application store user interface.
  • the software application store includes the capabilities to display lists of applications, application ratings, application reviews, other social features, and the like.
  • tool can be used to refer to any apparatus configured to perform a recited function.
  • tools can include a collection of one or more modules and can also be comprised of hardware, software or a combination thereof.
  • a tool can be a collection of one or more software modules, hardware modules, software/hardware modules or any combination or permutation thereof.
  • a tool can be a computing device or other appliance on which software runs or in which hardware is implemented.
  • module might describe a given unit of functionality that can be performed in accordance with one or more embodiments of the present invention.
  • a module might be implemented utilizing any form of hardware, software, or a combination thereof.
  • processors, controllers, ASICs, PLAs, PALs, CPLDs, FPGAs, logical components, software routines or other mechanisms might be implemented to make up a module.
  • the various modules described herein might be implemented as discrete modules or the functions and features described can be shared in part or in total among one or more modules.
  • computing module 900 may represent, for example, computing or processing capabilities found within desktop, laptop and notebook computers; hand-held computing devices (PDA's, smart phones, cell phones, palmtops, etc.); mainframes, supercomputers, workstations or servers; or any other type of special-purpose or general-purpose computing devices as may be desirable or appropriate for a given application or environment.
  • Computing module 900 might also represent computing capabilities embedded within or otherwise available to a given device.
  • a computing module might be found in other electronic devices such as, for example, digital cameras, navigation systems, cellular telephones, portable computing devices, modems, routers, WAPs, terminals and other electronic devices that might include some form of processing capability.
  • Computing module 900 might include, for example, one or more processors, controllers, control modules, or other processing devices, such as a processor 904 .
  • Processor 904 might be implemented using a general-purpose or special-purpose processing engine such as, for example, a microprocessor, controller, or other control logic.
  • processor 904 is connected to a bus 902 , although any communication medium can be used to facilitate interaction with other components of computing module 900 or to communicate externally.
  • Computing module 900 might also include one or more memory modules, simply referred to herein as main memory 908 .
  • main memory 908 preferably random access memory (RAM) or other dynamic memory, might be used for storing information and instructions to be executed by processor 904 .
  • Main memory 908 might also be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 904 .
  • Computing module 900 might likewise include a read only memory (“ROM”) or other static storage device coupled to bus 902 for storing static information and instructions for processor 904 .
  • ROM read only memory
  • the computing module 900 might also include one or more various forms of information storage mechanism 910 , which might include, for example, a media drive 912 and a storage unit interface 920 .
  • the media drive 912 might include a drive or other mechanism to support fixed or removable storage media 914 .
  • a hard disk drive, a floppy disk drive, a magnetic tape drive, an optical disk drive, a CD or DVD drive (R or RW), or other removable or fixed media drive might be provided.
  • storage media 914 might include, for example, a hard disk, a floppy disk, magnetic tape, cartridge, optical disk, a CD or DVD, or other fixed or removable medium that is read by, written to or accessed by media drive 912 .
  • the storage media 914 can include a computer usable storage medium having stored therein computer software or data.
  • information storage mechanism 910 might include other similar instrumentalities for allowing computer programs or other instructions or data to be loaded into computing module 900 .
  • Such instrumentalities might include, for example, a fixed or removable storage unit 922 and an interface 920 .
  • Examples of such storage units 922 and interfaces 920 can include a program cartridge and cartridge interface, a removable memory (for example, a flash memory or other removable memory module) and memory slot, a PCMCIA slot and card, and other fixed or removable storage units 922 and interfaces 920 that allow software and data to be transferred from the storage unit 922 to computing module 900 .
  • Computing module 900 might also include a communications interface 924 .
  • Communications interface 924 might be used to allow software and data to be transferred between computing module 900 and external devices.
  • Examples of communications interface 924 might include a modem or softmodem, a network interface (such as an Ethernet, network interface card, WiMedia, IEEE 802.XX or other interface), a communications port (such as for example, a USB port, IR port, RS232 port Bluetooth® interface, or other port), or other communications interface.
  • Software and data transferred via communications interface 924 might typically be carried on signals, which can be electronic, electromagnetic (which includes optical) or other signals capable of being exchanged by a given communications interface 924 . These signals might be provided to communications interface 924 via a channel 928 .
  • This channel 928 might carry signals and might be implemented using a wired or wireless communication medium.
  • Some examples of a channel might include a phone line, a cellular link, an RF link, an optical link, a network interface, a local or wide area network, and other wired or wireless communications channels.
  • computer program medium and “computer usable medium” are used to generally refer to media such as, for example, memory 908 , storage unit 920 , media 914 , and channel 928 .
  • These and other various forms of computer program media or computer usable media may be involved in carrying one or more sequences of one or more instructions to a processing device for execution.
  • Such instructions embodied on the medium are generally referred to as “computer program code” or a “computer program product” (which may be grouped in the form of computer programs or other groupings). When executed, such instructions might enable the computing module 900 to perform features or functions of the present invention as discussed herein.
  • module does not imply that the components or functionality described or claimed as part of the module are all configured in a common package. Indeed, any or all of the various components of a module, whether control logic or other components, can be combined in a single package or separately maintained and can further be distributed in multiple groupings or packages or across multiple locations.
  • the methods and systems described herein may be deployed in part or in whole through a machine that executes computer software, program codes, and/or instructions on a processor.
  • the present invention may be implemented as a method on the machine, as a system or apparatus as part of or in relation to the machine, or as a computer program product embodied in a computer readable medium executing on one or more of the machines.
  • the processor may be part of a server, client, network infrastructure, mobile computing platform, stationary computing platform, or other computing platform.
  • a processor may be any kind of computational or processing device capable of executing program instructions, codes, binary instructions and the like.
  • the processor may be or include a signal processor, digital processor, embedded processor, microprocessor or any variant such as a co-processor (math co-processor, graphic co-processor, communication co-processor and the like) and the like that may directly or indirectly facilitate execution of program code or program instructions stored thereon.
  • the processor may enable execution of multiple programs, threads, and codes. The threads may be executed simultaneously to enhance the performance of the processor and to facilitate simultaneous operations of the application.
  • methods, program codes, program instructions and the like described herein may be implemented in one or more thread.
  • the thread may spawn other threads that may have assigned priorities associated with them; the processor may execute these threads based on priority or any other order based on instructions provided in the program code.
  • the processor may include memory that stores methods, codes, instructions and programs as described herein and elsewhere.
  • the processor may access a storage medium through an interface that may store methods, codes, and instructions as described herein and elsewhere.
  • the storage medium associated with the processor for storing methods, programs, codes, program instructions or other type of instructions capable of being executed by the computing or processing device may include but may not be limited to one or more of a CD-ROM, DVD, memory, hard disk, flash drive, RAM, ROM, cache and the like.
  • a processor may include one or more cores that may enhance speed and performance of a multiprocessor.
  • the process may be a dual core processor, quad core processors, other chip-level multiprocessor and the like that combine two or more independent cores (called a die).
  • the methods and systems described herein may be deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware.
  • the software program may be associated with a server that may include a file server, print server, domain server, internet server, intranet server and other variants such as secondary server, host server, distributed server and the like.
  • the server may include one or more of memories, processors, computer readable media, storage media, ports (physical and virtual), communication devices, and interfaces capable of accessing other servers, clients, machines, and devices through a wired or a wireless medium, and the like.
  • the methods, programs or codes as described herein and elsewhere may be executed by the server.
  • other devices required for execution of methods as described in this application may be considered as a part of the infrastructure associated with the server.
  • the server may provide an interface to other devices including, without limitation, clients, other servers, printers, database servers, print servers, file servers, communication servers, distributed servers and the like. Additionally, this coupling and/or connection may facilitate remote execution of program across the network. The networking of some or all of these devices may facilitate parallel processing of a program or method at one or more location without deviating from the scope of the invention.
  • any of the devices attached to the server through an interface may include at least one storage medium capable of storing methods, programs, code and/or instructions.
  • a central repository may provide program instructions to be executed on different devices.
  • the remote repository may act as a storage medium for program code, instructions, and programs.
  • the software program may be associated with a client that may include a file client, print client, domain client, internet client, intranet client and other variants such as secondary client, host client, distributed client and the like.
  • the client may include one or more of memories, processors, computer readable media, storage media, ports (physical and virtual), communication devices, and interfaces capable of accessing other clients, servers, machines, and devices through a wired or a wireless medium, and the like.
  • the methods, programs or codes as described herein and elsewhere may be executed by the client.
  • other devices required for execution of methods as described in this application may be considered as a part of the infrastructure associated with the client.
  • the client may provide an interface to other devices including, without limitation, servers, other clients, printers, database servers, print servers, file servers, communication servers, distributed servers and the like. Additionally, this coupling and/or connection may facilitate remote execution of program across the network. The networking of some or all of these devices may facilitate parallel processing of a program or method at one or more location without deviating from the scope of the invention.
  • any of the devices attached to the client through an interface may include at least one storage medium capable of storing methods, programs, applications, code and/or instructions.
  • a central repository may provide program instructions to be executed on different devices.
  • the remote repository may act as a storage medium for program code, instructions, and programs.
  • the methods and systems described herein may be deployed in part or in whole through network infrastructures.
  • the network infrastructure may include elements such as computing devices, servers, routers, hubs, firewalls, clients, personal computers, communication devices, routing devices and other active and passive devices, modules and/or components as known in the art.
  • the computing and/or non-computing device(s) associated with the network infrastructure may include, apart from other components, a storage medium such as flash memory, buffer, stack, RAM, ROM and the like.
  • the processes, methods, program codes, instructions described herein and elsewhere may be executed by one or more of the network infrastructural elements.
  • the methods, program codes, and instructions described herein and elsewhere may be implemented on a cellular network having multiple cells.
  • the cellular network may either be frequency division multiple access (FDMA) network or code division multiple access (CDMA) network.
  • FDMA frequency division multiple access
  • CDMA code division multiple access
  • the cellular network may include mobile devices, cell sites, base stations, repeaters, antennas, towers, and the like.
  • the cell network may be a GSM, GPRS, 3G, EVDO, mesh, or other networks types.
  • the mobile devices may include navigation devices, cell phones, mobile phones, mobile personal digital assistants, laptops, palmtops, netbooks, pagers, electronic books readers, music players and the like. These devices may include, apart from other components, a storage medium such as a flash memory, buffer, RAM, ROM and one or more computing devices.
  • the computing devices associated with mobile devices may be enabled to execute program codes, methods, and instructions stored thereon. Alternatively, the mobile devices may be configured to execute instructions in collaboration with other devices.
  • the mobile devices may communicate with base stations interfaced with servers and configured to execute program codes.
  • the mobile devices may communicate on a peer to peer network, mesh network, or other communications network.
  • the program code may be stored on the storage medium associated with the server and executed by a computing device embedded within the server.
  • the base station may include a computing device and a storage medium.
  • the storage device may store program codes and instructions executed by the computing devices associated with the base station.
  • the computer software, program codes, and/or instructions may be stored and/or accessed on machine readable media that may include: computer components, devices, and recording media that retain digital data used for computing for some interval of time; semiconductor storage known as random access memory (RAM); mass storage typically for more permanent storage, such as optical discs, forms of magnetic storage like hard disks, tapes, drums, cards and other types; processor registers, cache memory, volatile memory, non-volatile memory; optical storage such as CD, DVD; removable media such as flash memory (e.g.
  • RAM random access memory
  • mass storage typically for more permanent storage, such as optical discs, forms of magnetic storage like hard disks, tapes, drums, cards and other types
  • processor registers cache memory, volatile memory, non-volatile memory
  • optical storage such as CD, DVD
  • removable media such as flash memory (e.g.
  • USB sticks or keys floppy disks, magnetic tape, paper tape, punch cards, standalone RAM disks, Zip drives, removable mass storage, off-line, and the like; other computer memory such as dynamic memory, static memory, read/write storage, mutable storage, read only, random access, sequential access, location addressable, file addressable, content addressable, network attached storage, storage area network, bar codes, magnetic ink, and the like.
  • the methods and systems described herein may transform physical and/or or intangible items from one state to another.
  • the methods and systems described herein may also transform data representing physical and/or intangible items from one state to another.
  • machines may include, but may not be limited to, personal digital assistants, laptops, personal computers, mobile phones, other handheld computing devices, medical equipment, wired or wireless communication devices, transducers, chips, calculators, satellites, tablet PCs, electronic books, gadgets, electronic devices, devices having artificial intelligence, computing devices, networking equipments, servers, routers and the like.
  • the elements depicted in the flow chart and block diagrams or any other logical component may be implemented on a machine capable of executing program instructions.
  • the methods and/or processes described above, and steps thereof, may be realized in hardware, software or any combination of hardware and software suitable for a particular application.
  • the hardware may include a general-purpose computer and/or dedicated computing device or specific computing device or particular aspect or component of a specific computing device.
  • the processes may be realized in one or more microprocessors, microcontrollers, embedded microcontrollers, programmable digital signal processors or other programmable device, along with internal and/or external memory.
  • the processes may also, or instead, be embodied in an application specific integrated circuit, a programmable gate array, programmable array logic, or any other device or combination of devices that may be configured to process electronic signals. It will further be appreciated that one or more of the processes may be realized as a computer executable code capable of being executed on a machine-readable medium.
  • the computer executable code may be created using a structured programming language such as C, an object oriented programming language such as C++, or any other high-level or low-level programming language (including assembly languages, hardware description languages, and database programming languages and technologies) that may be stored, compiled or interpreted to run on one of the above devices, as well as heterogeneous combinations of processors, processor architectures, or combinations of different hardware and software, or any other machine capable of executing program instructions.
  • a structured programming language such as C
  • an object oriented programming language such as C++
  • any other high-level or low-level programming language including assembly languages, hardware description languages, and database programming languages and technologies
  • each method described above and combinations thereof may be embodied in computer executable code that, when executing on one or more computing devices, performs the steps thereof.
  • the methods may be embodied in systems that perform the steps thereof, and may be distributed across devices in a number of ways, or all of the functionality may be integrated into a dedicated, standalone device or other hardware.
  • the means for performing the steps associated with the processes described above may include any of the hardware and/or software described above. All such permutations and combinations are intended to fall within the scope of the present disclosure.

Abstract

In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is a Continuation application of U.S. patent application Ser. No. 13/354,275 filed Jan. 19, 2012, entitled “SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES”, which claims the benefit of U.S. Provisional Patent Application No. 61/434,396 filed Jan. 19, 2011, entitled “SYSTEM AND METHOD FOR CLOUD COMPUTING” which is hereby incorporated herein by reference in its entirety.
  • U.S. patent application Ser. No. 13/354,275 filed Jan. 19, 2012, entitled “SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES”, is a continuation-in-part of U.S. patent application Ser. No. 13/009,774 filed Jan. 19, 2011 entitled “SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER”, issued as U.S. Pat. No. 8,931,038 on Jan. 6, 2015, which claims priority to U.S. Provisional Patent App. No. 61/296,405 filed on Jan. 19, 2010, entitled “ENTERPRISE CLOUD SYSTEM AND METHOD”, each of which is hereby incorporated herein by reference in its entirety. Related U.S. patent application Ser. No. 12/488,424 entitled “CLOUD COMPUTING GATEWAY, CLOUD COMPUTING HYPERVISOR, AND METHODS FOR IMPLEMENTING SAME” filed Jun. 19, 2009, issued as U.S. Pat. No. 8,514,868 on Aug. 20, 2013 and claims priority to U.S. Provisional Patent Application No. 61/074,027 filed Jun. 19, 2008 entitled “CLOUD COMPUTING GATEWAY AND CLOUD COMPUTING HYPERVISOR”, each of which is hereby incorporated herein by reference in its entirety.
  • BACKGROUND
  • 1. Field of the Invention
  • The present invention relates to the field of cloud computing, and more particularly, the invention relates to systems and methods for securing, controlling and managing cloud services, applications, platforms and infrastructure.
  • 2. Description of the Related Art
  • Companies have begun offering businesses a new cloud computing outsourcing option that promises reduced costs, improved availability, improved scalability, and reduced time to deploy new applications. These companies act as managed service providers that rent virtual computer, storage, and Internet connectivity services for variable periods on a pay-per-use basis from large pools of re-purposable. multi-tenant computing resources. Such cloud infrastructure providers include Amazon Web Services®, Amazon EC2®, GoGrid®, Joyent®, and Mosso®.
  • Many businesses, however, are currently unable to use cloud infrastructure because of a lack of security, control, and manageability of the computing capacity rented from the cloud infrastructure providers. These problems prevent such businesses from maximizing their use of cloud infrastructure, which includes virtual server instances, storage, and Internet bandwidth. Enterprises also have difficulty identifying what cloud resources they should use, and how they should use them, such that usage is consistent with the technical, operational, and business needs of the enterprise.
  • SUMMARY
  • According to various embodiments of the invention, systems and methods are provided for one or more cloud computing abstraction layers. Through various embodiments of the present invention, a user can plan cloud-computing services, build a cloud-computing service, publish the cloud-computing service for consumption by users, or run the cloud-computing service. Some embodiments of the present invention provide access to disparate public or private cloud-computing resources through a common interface. Additionally, some embodiments can apply governance uniformly over disparate public or private cloud-computing resources.
  • Some systems may, for example, enable: self-service access to cloud-computing resources by end-users, developers, and admins; automated services with respect to cloud-computing services comprising of one or more cloud-computing resources (e.g., management, building, configuration, publication, validation, and development and deployment of cloud-computing services); rapid provisioning (e.g., deployment, release, scheduling, control etc.) of cloud-computing resources within a cloud-computing service; governance control of cloud-computing resources within a cloud-computing service (e.g., application of security and non-security policies to cloud-computing resources), audit control of cloud-computing services; or secure access to cloud-computing services. Accordingly, embodiments of the present invention provide on-demand access by internal users, external users (e.g. customers, service partners), and developers to cloud-computing services, such as infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS), provided from a governed federation of internal (private cloud) and external cloud (commercial cloud) service providers. Some such embodiments allow for rapid and dynamic deployment and scaling of cloud-computing services. A private cloud may comprise, for example, Eucalyptus Systems, VMWare vSphere®, or Microsoft® HyperV; and a public cloud may comprise, for example, Amazon EC2®, Amazon Web Services®, Terremark®, Savvis®, or GoGrid®.
  • According to one system of the invention, the system provides a cloud-computing service from a cloud-computing environment comprising a plurality of cloud-computing resources, the system comprising: a management module configured to manage a cloud-computing resource of the plurality of cloud-computing resources as a cloud-computing service, wherein the cloud-computing service performs a computer workload and the cloud-computing service comprises the cloud-computing resource; an adapter configured to connect to the cloud-computing resource to the system and translate a management instruction received from the management module (e.g., intermediate representation of a command from a client) into a cloud application program interface call for the cloud-computing resource (e.g. proprietary API call for Amazon EC2®); a cloud service bus configured to route the management instruction from the management module to the adapter; a consumption module configured to allow a user to subscribe the cloud-computing service; a planning module configured to plan the cloud-computing service; and a build module configured to build the cloud-computing service from the cloud-computing resource and publish the cloud-computing service to the consumption module. In some such embodiments, the system provides a user interface configured to provide access to the system as a virtual private cloud. The system may further comprise a cloud model utilized by the adapter to translate the management instruction to the (target) cloud API call.
  • In certain embodiments, the virtual private cloud is utilized for operation of a cloud-computing service in accordance with the present invention. In particular embodiments, a computer workload (e.g., application, server software, software development environment, software test environment) is a unit of computing processing that is performed via an IaaS, PaaS, or SaaS. For example, IaaS may comprise instances of Microsoft® Windows or Linux running on a virtual computer, or a Desktop-as-a-service (DaaS) provided by Citrix® or VMWare®; a PaaS may comprise a database server (e.g., MySQL® server), Samba server, Apache® server, Microsoft® IIS.NET server, Java® runtime, or Microsoft® .NET® runtime, Linux-Apache-MySQL-PHP (LAMP) server, Microsoft® Azure, or Google® AppsEngine; a SaaS may comprise SalesForce®, Google® Apps, or other software application that can be deployed as a cloud service, such as in a web services model. A cloud-computing resource may be a physical or virtual computing resource (e.g., virtual machine). In some embodiments, the cloud-computing resource is a storage resource (e.g., Storage Area Network (SAN), Network File System (NFS), or Amazon S3®), a network resource (e.g., firewall, load-balancer, or proxy server), an internal private resource, an external private resource, a secure public resource, an infrastructure-as-a-service (IaaS) resource, a platform-as-a-service (PaaS) resource, or a software-as-a-service (SaaS) resource. Hence, in some embodiments, a cloud-computing service provided may comprise a IaaS, PaaS, or SaaS provided by private or commercial (e.g., public) cloud service provider, such as Amazon Web Services®, Amazon EC2®, GoGrid®, Joyent®, Mosso®, or the like.
  • In various embodiments, the management module that manages the cloud-computing service comprises provisioning the cloud-computing service for a virtual private cloud, releasing the cloud-computing service for the virtual private cloud, accounting for usage of the cloud-computing service in the virtual private cloud, or monitoring the cloud-computing service. For example, in some embodiments, the management module manages cloud-computing resources for a cloud-computing service being offered by the system by provisioning a cloud-computing resource for the cloud-computing service, deploying a cloud-computing resource for the cloud-computing service, or releasing a cloud-computing resource being used by the cloud-computing service. In some embodiments, the provisioning involves starting, stopping, or generally controlling an instance of a cloud-computing resource (e.g., IaaS providing an instance of Linux) on behalf of a cloud-computing service. For example, an embodiment may launch scripts to start an instance of a cloud-computing resource, launch scripts to securely (e.g., via encryption) attach a file system (e.g., a storage volume) to the instantiation of the cloud-computing resource (e.g., so that the cloud-computing resource can access local or remote client data securely), and then connect a client to the instantiation through a virtual private network (VPN) connection between the client's local network and the cloud providers network.
  • In further embodiments, the management module is further configured to perform collection and maintenance of cost and consumption of various cloud-computing resources such as CPU-time, storage volume consumption, network I/O and other configurable cloud-computing cost and consumption factors. For example, in some embodiments where the management module accounts for usage of one more cloud-computing services by a client collecting, aggregating and providing this information through a API to customer billing systems while also presenting reporting through the consumption module demonstrating cost and consumption comparisons, projections and usage. Some embodiments may utilize Ariba®, SAP®, or the like to facilitate accounting and billing of usage of cloud-computing service.
  • In some embodiments, the build module allows a developer to create a cloud-computing service (e.g., IaaS, PaaS, and SaaS) comprising one or more cloud-computing resources. The build module may utilize build scripts to build a cloud-computing service from one or more cloud-computing resources, configure a cloud-computing service, or publish a cloud-computing service for consumption.
  • In various embodiments, a cloud-computing service may be published to a consumption module that allows an end-user to subscribe to the cloud-computing service and utilize the service. In some embodiment, the end-user may access and subscribe to the cloud-computing service through a user interface that lists published and available cloud-computing services. For example, the user interface may be a storefront through which an end-user may preview and select a cloud-computing service for use.
  • With some embodiments, an organization can determine the most suitable deployment of a computer workload to a cloud-computing environment, or determine the value/benefit of deploying a computer workload to a cloud-computing environment. For some embodiments, the planning module analyzes a computer workload or workflow that may have previously been on a physical or virtual computing resource and assists in migrating or importing the computer workload or workflow to the clouding-computing environment. In further embodiments, the planning module assesses difficulty in migrating or importing the computer workload or workflow, and the efficiency or value of using the cloud-computing environment. In other embodiments, the planning module determines the correct placement of a computer workload or workflow to an appropriate cloud-computing service based on the profile or characteristics of the computer workload (e.g., determine that the computer workload or workflow needs to be performed within secure cloud/public cloud/private cloud). For example, for a trading platform, which needs a low latency-computing environment that is secure, an embodiment may recommend placement of trading platform in a cloud-computing service comprising a be used for long-term storage of non-sensitive data, an embodiment may recommend configuration of the platform to use cloud-computing services comprising a public cloud resource, or a combination of cloud and physical resources, such as archival tape storage resources. Further, the placement decision is guided by policy that ensures the cloud-computing resource is placed in the appropriate cloud-computing service.
  • In particular embodiments, the system further comprises a policy engine module configured to enforce a policy on the cloud-computing service through the management module. For example, in some embodiments, the management module monitors a cloud-computing resource of the cloud-computing service through the adapter and provisions the cloud-computing resource according to the policy engine module. Additionally, for some embodiments, the management module monitors a cloud-computing resource's performance using Ganglia Monitoring System or collectd (an open source daemon that collects system performance statistics periodically).
  • In some embodiments, the system further comprises an identity management module configured to connect to an authentication system and authenticate the user for the cloud-computing service. For example, in some embodiments, the identity management connects to disparate authentication systems (e.g., Netegrity®, Oracle OAM®, Microsoft® Active Directory, RSA® Cleartrust, or Lightweight Directory Access Protocol (LDAP), Kerberos) to create a federated authentication system that allows unified authentication to a cloud-computing service.
  • In various embodiments, the system further comprises an encryption module configured to perform encryption services for the cloud-computing service. For example, the encryption services can include encryption of data on a storage device or data communicated over a network connection. In other embodiments, the system further comprises a connection module configure to securely connect the cloud-computing service to a client network or a cloud provider network. For example, a connection module may be deployed on a client network or a cloud provider network to facilitate a secure network connection between cloud-computing service and a client network.
  • According to some embodiments, a method is provided for a cloud-computing environment comprising a plurality of cloud-computing resources, the method comprising: providing a virtual private cloud configured to utilize a cloud-computing resource from the plurality of cloud-computing resources to perform a computer workload; receiving a request to perform the computer workload within the virtual private cloud, provisioning the cloud-computing resource from the plurality of cloud-computing resources; deploying the cloud-computing resource within the virtual private cloud; and using the cloud-computing resource to perform the computer workload.
  • As noted before, the cloud-computing resource may be a virtual (e.g., virtual machine) or physical cloud-computing resource (e.g., dedicated server). For example, the cloud-computing resource may be a virtual computing resource where the virtual computing resource is deployed under control of a virtual machine manager. The cloud-computing resource may be a storage resource, a network resource, an internal private resource, an external private resource, a secure public resource, a platform-as-a-service (PaaS), a software-as-a-service (SaaS), or an infrastructure-as-a-service (IaaS). The cloud-computing resource may be a hybrid cloud-computing resource comprising at least two of a physical resource, a virtualized resource, a private resource, a public resource, an internal resource, or an external resource.
  • In some embodiments, the method further comprises receiving a constraint for the cloud-computing resource or for a computer workload that may be deployed on the cloud-computing resource, wherein the cloud-computing resource is a cloud-computing resource; and applying the constraint on the cloud-computing resource such that, when the cloud-computing resource is used to perform the computer workload, the cloud-computing resource's operation is limited according to the constraint. In other embodiments, the method further comprises declaring a static network address for the computer workload.
  • In some embodiments, the method further comprises: defining a security zone such that the security zone comprises the virtual private cloud; and applying a security policy to the security zone such that, when the cloud-computing resource deployed in the virtual private cloud that is used to perform the computer workload, the cloud-computing resource's operation or the performance or operation of the computer workload is subject to, the security policy. The security zone may be defined according to a physical location of the virtual private cloud's usage, a network location of the virtual private cloud's usage, or an attribute of an organization associated with the virtual private cloud. The security policy may be an access policy, a read-permission policy, a write-permission policy, an edit-permission policy, a privacy-based policy, a policy regarding a required level or type of encryption, a cloud-computing resource utilization policy, or other policy. The security policy can be configured to only allow software packages that comply with the security zone's policies to be deployed with the security zone. For example, a security zone may be defined as a specified virtual private network (VPN) or a specified physical network of a business enterprise, such that computer workloads being performed by a cloud-computing resource operating in that zone may be modified only by users who have specified authorization credentials issued by that enterprise. Among some embodiments, a security zone may be defined as cloud-computing resources (public or private) that are physically located in a geographical area, such as the United States, allowing a security policy to be applied that prohibits export of data that is to be associated with computer workloads executed in that security zone. In other embodiments, the policies are defined and implemented on the firewalls through a central policy server.
  • In additional embodiments, the method further comprises: receiving at a central policy server a definition for a security policy, wherein the central policy server is configured to associate the security policy to the computer workload or to the cloud-computing computing resource performing the computer workload; and pushing the security policy to the cloud-computing resource.
  • For some embodiments, provisioning the cloud-computing resource comprises: locating an unreserved cloud-computing resource within the plurality of cloud-computing resources; and reserving for the virtual private cloud the unreserved cloud-computing resource.
  • In embodiments where the cloud-computing resource is an infrastructure element, and the method further comprises: providing a user interface that allows a user to deploy or configure the infrastructure element; setting, through the user interface, a policy to the infrastructure element or to a computer workload that may be deployed on the infrastructure element; and applying the policy to the infrastructure element when the infrastructure element or computer workload is deployed within the virtual private cloud. The method further comprises: determining a reference design for the infrastructure element; and deploying the infrastructure element in the virtual private cloud according to the reference design.
  • In other embodiments, the method further comprises: associating a policy with the computer workload to be performed within the virtual private cloud; and applying the policy to the cloud-computing resource performing the computer workload during the computer workload's performance.
  • In additional embodiments, receiving the request to perform the computer workload or the application of the policy to the computer workload comprises: receiving an application to be migrated to cloud-computing environment for execution; and identifying the computer workload as necessary for executing the application.
  • In further embodiments, the method further comprises: using an adapter to connect the virtual private cloud to one or more other cloud-computing resources, such as of the types described herein; using a metamodel data structure to store an association between a computer workload and a policy; and pushing the metamodel data structure to the adapter such that, when the cloud-computing resource is deployed to perform the computer workload, the adapter applies the policy to the computer workload or to the cloud-computing resource performing the computer workload. In some such embodiments, when a computer workload is moved from using one cloud-computing resource to a second cloud-computing resource, the method may further comprise pushing the metamodel data structure to a second adapter that connects the second cloud-computing resource to the virtual private cloud such that when the second cloud-computing resource is deployed, such as within the virtual private cloud to perform the computer workload, the second adapter applies the policy to the second cloud-computing resource performing the cloud computer workload.
  • In other embodiments, the method comprises identifying the cloud-computing resource for performing the computer workload. Identifying the cloud-computing resource may be based on a computer workload score determined by a scoring logic. The scoring logic may be, for example, based on a business attribute of the computer workload, a technical attribute of the computer workload, or an operational attribute of the computer workload. In further embodiments, the scoring logic uses a mix of at least two of a business attribute, an operational attribute and a technical attribute. In various embodiments, the scoring logic may be editable or may be dynamically updated at or near real-time.
  • In some embodiments, the computer workload may be scalable. For example, the computer workload may be scaled down to decrease the computer workload's use of memory and processing time during performance within a virtual private cloud or actually increase or decrease the number of cloud-computing resources which execute the computer workload. In further embodiments, the scaling is based on a policy, which may be associated with the computer workload, stored in a metamodel, and pushed via an adaptor to or among various cloud computing resources.
  • In some embodiments, deploying the cloud-computing resource comprises deploying a pre-determined set of cloud-computing resources to optimize the computer workloads' performance.
  • In further embodiments, the method further comprises setting a condition for the computer workload, wherein the condition determines if or when the cloud-computing resource can be deployed within the virtual private cloud to perform the computer workload.
  • According to other embodiments, a method is provided for a cloud-computing environment comprising a plurality of cloud-computing resources, the method comprising: receiving a computing workflow to be performed in the cloud-computing environment; identifying a computer workload to perform the computing workflow; associating a policy with the computer workload; testing the computer workload in a pre-production virtual private cloud (e.g., computing environment) within the cloud-computing environment; deploying the computer workload in a production virtual private cloud (e.g., computing environment) within the clouding-computing environment; and applying the policy to the computer workload during the computer workload's performance within the production virtual private cloud for consumption. In some such embodiments, identifying the computer workload to perform the computing workflow involves identifying a plurality of computer workloads to perform the computing workflow.
  • According to other embodiments, the present invention may provide a method and system for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. The system and method may allow a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone. In embodiments, the security zone may be a geographic zone, a network zone, an enterprise zone, an operational zone, an organizational zone, and the like. The security policy may be an access policy, a write-permission policy, a resource utilization policy, an editing permission policy, and the like. The security policy may determine whether a software workload is allowed to operate in a specified security zone. The method and system may automatically establish firewall rules across multiple firewalls in multiple security zones for newly deployed applications by tagging application software workloads that are deployed within the security zones. The firewalls may be of types provided by different vendors and employ at least one of different operating system, communication protocols, and programming languages. The method and system may automatically remove firewall rules across multiple firewalls in multiple security zones when the firewall rules do not apply to software workloads within the security zones. The firewalls may be of types provided by different vendors and employ at least one of different operating system, communication protocols, and programming languages. The method and system may provide an alert when a software workload is planned to be deployed in a security zone in a manner that is inconsistent with at least one of a security zone policy applicable to the security zone and a security policy associated with the workload.
  • According to further embodiments, various operations described above are implemented using a computer. For example, some embodiments provide for a computer program product comprising a computer useable medium having program instructions embodied therein for performing operations similar to those performed by methods according to the present invention.
  • Other features and aspects of the invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, which illustrate, by way of example, the features in accordance with embodiments of the invention. The summary is not intended to limit the scope of the invention, which is defined solely by the claims attached hereto.
  • These and other systems, methods, objects, features, and advantages of the present invention will be apparent to those skilled in the art from the following detailed description of the preferred embodiment and the drawings. All documents mentioned herein are hereby incorporated in their entirety by reference.
  • BRIEF DESCRIPTION OF THE FIGURES
  • The present invention, in accordance with one or more various embodiments, is described in detail with reference to the following figures. The drawings are provided for purposes of illustration only and merely depict typical or example embodiments of the invention. These drawings are provided to facilitate the reader's understanding of the invention and shall not be considered limiting of the breadth, scope, or applicability of the invention. It should be noted that for clarity and ease of illustration these drawings are not necessarily made to scale.
  • FIG. 1 is a diagram illustrating an example system in accordance with an embodiment of the present invention.
  • FIG. 2A is a diagram illustrating an example management module in accordance with an embodiment of the present invention.
  • FIG. 2B is a diagram illustrating an example management module in accordance with an embodiment of the present invention.
  • FIG. 3 is a diagram illustrating an example of provisioning in accordance with an embodiment of the present invention.
  • FIG. 4 is a diagram illustrating an example use of a connection module in accordance with an embodiment of the present invention.
  • FIG. 5 is a diagram illustrating an example use of an identity module in accordance with an embodiment of the present invention.
  • FIG. 6 is a diagram illustrating an example use of a monitor module in accordance with an embodiment of the present invention.
  • FIG. 7 is a diagram illustrating an example governor module in accordance with an embodiment of the present invention.
  • FIG. 8 is a flowchart illustrating an example method in accordance with an embodiment of the present invention.
  • FIGS. 9A-9D are screenshots of an example user interface in accordance with some embodiments of the present invention.
  • FIG. 10 is a diagram illustrating an example system in accordance with an embodiment of the present invention.
  • FIG. 11 is a diagram illustrating an example of an enterprise cloud ecosystem in an embodiment of the present invention.
  • FIG. 12 is a diagram illustrating an example of a policy-driven governance and control scenario in an embodiment of the present invention.
  • FIG. 13 is a diagram illustrating an embodiment for a self-service enterprise application store.
  • FIG. 14 is a diagram illustrating an example of a computing module for implementing various embodiments of the invention.
  • The figures are not intended to be exhaustive or to limit the invention to the precise form disclosed. It should be understood that the invention can be practiced with modification and alteration, and that the invention be limited only by the claims and the equivalents thereof.
  • While the invention has been described in connection with certain preferred embodiments, other embodiments would be understood by one of ordinary skill in the art and are encompassed herein.
  • All documents referenced herein are hereby incorporated by reference.
  • DETAILED DESCRIPTION
  • The present invention is directed toward a system and method for a cloud computing abstraction layer. Through various embodiments of the present invention, a user can plan cloud-computing services, build a cloud-computing service, publish the cloud-computing service for consumption by users, or run the cloud-computing service. Some embodiments of the present invention provide access to disparate public or private cloud-computing resources through a standard interface. Additionally, some embodiments can apply governance uniformly over disparate public or private cloud computing resources.
  • Some systems may, for example, enable: self-service access to cloud-computing resources by end-users, developers, and admins; automated services with respect to cloud-computing services comprising of one or more cloud-computing resources (e.g., management, building, configuration, publication, validation, and building of cloud-computing services); rapid provisioning (e.g., deployment, release, scheduling, control etc.) of cloud-computing resources within a cloud-computing service; governance control of cloud-computing resources within a cloud-computing service (e.g., application of security and non-security policies to cloud-computing resources), audit control of cloud-computing services; or secure access to cloud-computing services.
  • Advantages to the present invention's model include enabling a federated constituency of internal and external service providers that can be selected (and switched as needed) to provide best fit and value, such as between different internal and external cloud providers. For example, development projects, which may be subjected to waiting times or interruptions, but which contain highly confidential information, may be deployed on a cloud that has low cost, but that has very specific security requirements, while commercial services, some of which are non-confidential in nature, might preferably be deployed on very fast, highly scalable cloud infrastructure to ensure high quality of service, but security requirements might be different than for a development project. A range of factors may be relevant to deployment of a particular project or service (or to a particular workload element related to it), including technical factors (the processing, storage, bandwidth, and other capabilities required to execute a workload), operational factors (such as when and where a workload needs to be available to meet the operational requirements of a business), and business factors (such as anticipated revenues, costs, quality of service requirements, and the like). By enabling federation of services, applications, platform elements, infrastructure elements and the like across multiple types of clouds (including internal and external clouds from varying vendors), while providing a single, unified interface for developing workloads and associating policies relating technical, operational, business and other requirements, the embodiments described herein allow an enterprise to satisfy such requirements much more effectively and efficiently than was possible with prior offerings.
  • On top of infrastructure elements provided for a cloud there may be platforms, stacks, software applications, and the like. There may be many different use cases and variations possible in an ‘everything as-a-service’ world, such as development and test environments as-a-service, databases as-a-service, platforms as a service, infrastructure as a service, software as a service, and many flavors of each offering different types of services, and the like. Benefits to the federated structure may include greater agility, vendor contestability, and innovation by transitioning an enterprise from a fixed to a variable cost infrastructure (thus avoiding enormous waste currently associated with fixed cost resources acquired by enterprises to meet peak needs but unused in off-peak periods), increased transparency (including the capability to compare the cost, functional benefits, and value of each sub-element of a service, platform, application, or infrastructure component), more direct revenue-to-cost operating models, right-place right size workload placement, minimal vendor lock-in and dependencies, improved standardization, lower risk operating environments, metered cost savings through ‘pay-as-you-go’ economics and demand-driven consumption, faster time-to-market through on-demand provisioning, a compressed systems development life cycle (SDLC), lower costs by arbitrating market price between providers, elastic-dynamic capacity to meet peak demand, and the like.
  • The present disclosure also may provide security, governance, and policy enforcement to harness the power and agility of the operating model, a strategy and transition plan to move from a traditional operating model to an everything-as-a-service model, and the like.
  • FIG. 1 is a diagram illustrating an example system 10 in accordance with an embodiment of the present invention. FIG. 1 illustrates a cloud-computing environment 35 comprising one or more cloud-computing resources, a client network 31 comprising client computing devices 14 (e.g., desktops, laptops, smart mobile devices), and a cloud-computing platform 20 in accordance with one embodiment of the invention. In illustrated system 10, cloud-computing platform 20 provides a system through which computing devices residing on client network 31 (e.g., enterprise network) can access one or more cloud-computing services. A cloud-computing service comprises a cloud-computing resource residing within the cloud-computing environment 35 and managed by the cloud-computing platform to provide the cloud-computing service. Depending on the embodiment, cloud-computing environment 35 may comprise one or more cloud providing networks that include cloud-computing resources (e.g., cloud services provided by public or private clouds, which may be external or internal to the enterprise that uses them) that can be utilized by users. Additionally, depending on the embodiment, platform 20 may reside on a client network 31 or separate from a client network 31.
  • Cloud-computing environment 35 may comprise an internal cloud, an external cloud, a private cloud, or a public cloud (e.g., commercial cloud). In the embodiment of FIG. 1, cloud-computing environment 35 comprises internal private cloud resource 38, external private cloud resource 41, and secure public cloud resource 44. A private cloud may be implemented using a variety of cloud systems including, for example, Eucalyptus Systems, VMWare vSphere®, or Microsoft® HyperV. Providers of public clouds may include, for example, Amazon EC2®, Amazon Web Services®, Terremark®, Savvis®, or GoGrid® Cloud-computing resources provided by these clouds may include, for example, storage resources (e.g., Storage Area Network (SAN), Network File System (NFS), and Amazon S3®), network resources (e.g., firewall, load-balancer, and proxy server), internal private resources, external private resources, secure public resources, infrastructure-as-a-services (IaaSs), platform-as-a-services (PaaSs), or software-as-a-services (SaaSs).
  • By using cloud-computing platform 20 to plan, build, manage, or use cloud-computing resources within a cloud-computing environment, users of platform 20 are provided with standardized access to a variety of cloud-computing resources from disparate cloud-computing systems and providers without concerning themselves with the proprietary details of accessing or interfacing with such cloud-computing systems and providers. The platform 20 is configured to take the workloads that are developed with the platform 20 (as more particularly described throughout this disclosure) and automatically provide the interfaces and access steps necessary to operate the workload on any particular platform or infrastructure element within a federation of cloud computing resources, such that the user is able to interact with the platform to develop such workloads at a level of abstraction that allows the user to configure the logic of the workload (including conditional logic that allows interrelation of different workloads) and to embody the technical, operational, and business requirements of the workload in policies that are associated with the workload, without the user being required to access or understand the details of (or in some cases even know about the existence of) such particular platform or infrastructure elements. Additionally, users of platform 20 can access cloud-computing services through platform 20 on-demand and on a self-service basis through the standardized access. Users of cloud computing services offered by platform 20 may include end-users, developers, partners, or administrators that reside on the client network 31.
  • Platform 20 may comprise planner module 23, manager module 26, builder module 29, and consumption module 32. Planner module 23 is configured to plan cloud-computing service provided by platform 20 by inventorying, profiling, characterizing and prioritizing computer workloads, such as programs, applets, calculations, applications, servers, or services. For example, with respect to software/application development, planner module 23 may model current applications and associated software-development life cycle (SDLC) phases to determine what infrastructure environments would be required or preferred. This may include defining security, privacy, management or other profiles for each SDLC phase of each application. The profiles, in turn, will identify existing infrastructure and systems that support the SDLC phases, and manage relationships between the infrastructure, systems and the applications. Profiles may also contain characteristics regarding the SDLC phases or attributes relevant to development, deployment or performance of infrastructure, systems, or workloads, such as latency, geography, responsiveness, bandwidth, storage capacity, processing speed, processing type, platforms involved (including operating system, file types, communication protocols, and the like), data involved, protocols used, and specific institutional requirements. In terms of prioritizing the cloud-computing services needed for the SDLC phases, planner 23 may first identify which SDLC computing environments and systems would be suitable for cloud computing or migration to cloud computing, and then prioritize the enablement and operability of newly developed or migrated computer workloads according to the SDLC phases. Subsequently, the characterizations determined by planner module 23 can be used by builder module 29 to build a cloud-computing service or to deploy a computer workload to a cloud-computing resource. In the planner module 23 or in other components of the platform 20 associated with the planner module 23 the user may have access to, or may create or modify, policy information relevant to the computer workloads with which the user can interact in the planner module 23. The policy information may be stored in or associated with a meta model, which may enable the identification, characterization, and storage of a wide range of information, including policy information, that can be associated with a given workload. The metamodel data, including policy information, can be associated with the workload such that throughout the various components of the platform 20, from planning through deployment to a cloud, the workflow can be handled in a manner that is consistent with the metamodel data, and in particular consistent with the policies that are applicable to that workload. In the planner module 23 the planner/user may thus plan the use of workloads in a manner that is consistent with technical, operational, and business requirements that are appropriate with such workload, as seen by association of the same with the workload, and the planner/user may modify or populate the policies associated with the workload, such that the metamodel data for that workload embodies and is consistent with the plans of the planner/user. Once associated with the workload, such policies and other metamodel data are stored by the platform 20 and may be used throughout the development and deployment cycle.
  • Builder module 29 may be configured to assemble, validate, and publish a cloud-computing service or computer workload for consumption (i.e., use) by a user. Builder module 29 may be configured to receive characterization information from planner module 23 and build a cloud-computing service or computer workload based on the information. For example, builder module 29 may be configured to assemble a cloud computing service based on the prioritized list of computer workloads provided by planner module 23. Builder module 29 may be configured to create and edit scripts for loading computer workloads during installation, startup, runtime, and shutdown of cloud-computing services assembled by builder 29. The scripts for the cloud-computing services may be verified and validated before the cloud-computing services are published for consumption (i.e., use). The script may have access to metamodel and policy information which may alter how the script uses the metamodel and policy information to make a decision. Additionally, builder module 29 may be configured to associate the computer workload with the appropriate cloud-computing service or resource (e.g., associate an application with an appropriate underlying virtual machine image or associate a computer workload with a specific network). As with the planner module 23, in the builder module 29 the user/builder may have access to, or may create or modify, policy information relevant to the computer workloads with which the user can interact in the builder module 29, such as the policy information stored in or associated with the above-referenced meta model, which may enable the identification, characterization, and storage of a wide range of information, including policy information, that can be associated with a given workload. In the builder module 29 the builder/user may thus build of workloads in a manner that is consistent with technical, operational, and business requirements that are appropriate with such workload, as seen by association of the same with the workload, and the builder/user may modify or populate the policies associated with the workload, such that the metamodel data for that workload embodies and is consistent with the plans of the planner/user. In embodiments, the builder module 29 may present options to the builder pre-filtered, such as in pre-populated scripts, filtered drop-down menus, that are dictated by or consistent with the policies and other metamodel data associated with a workload, omitting, blocking or hiding options that are inconsistent with such policies. For example, a workload that stores customer data could omit the option to store a social security number if a data privacy regulation prohibits storing such data in the business process to which the workload relates. Such automatic pre-filtering, pre-configuration, and blocking ensure consistency with the policies associated with the workload at the planning stage (or other stages) while also improving efficiency by removing development paths that might be pursued despite being prohibited. In embodiments, the metamodel provides a flexible structure to organize metadata and apply the same policies using a combination of system and user supplied metadata that may indicate use of the same policy, however may define the same policy in different ways. For example, in some embodiments, the system may consider a Tier 5 datacenter to be the most fault tolerant type of data center and a user may consider a Tier 1 data center to be the most tolerant. The metamodel allows a policy that requires provisioning in the most fault tolerant data center to be assigned Tier 5 or Tier 1 metadata, depending on the definition of the most fault tolerant data center in that specific operating environment.
  • Eventually, builder module 29 can publish a cloud-computing service for consumption by users. In some embodiments, the build module 29 will publish the cloud-computing service to a consumption module 32 (e.g., store or storefront such as an application store, a service store, or a software stack store) where users can preview, select, and subscribe to a cloud-computing service for use. Further, in some embodiments, the builder module 29 will enter the cloud-computing service in repository 30 when it is ready and available for consumption by users. Embodiments may also be configured the builder module 30 such that the development community can approve or disapprove of the cloud-computing service before publication.
  • Consumption module 32 is configured to allow a user to subscribe to, collaborate on, and assess a cloud-computing service published for consumption. For example, a user can preview cloud-computing services available for deployment to the virtual private cloud and consumption. Then, when a user wants to subscribe and invoke a cloud-computing service for usage, the user can invoke the cloud-computing service on a self-service, on-demand basis through the consumption module 32. Consumption module 32 may list published available cloud-computing service at or near real-time, and allow a user to request updates and information on a listed cloud-computing service. In some embodiments, the consumption module 32 may allow users to collaborate on where, what, and how many cloud-computing services are deployed for consumption. In further embodiments, consumption module 32 may allow a user to comment on and rate cloud-computing services, or assess the cost associated with deploying and using a cloud-computing service. As noted above, as with the planning module 23 and the builder module 29, the consumption module 32 has access to policy information and other metamodel data that is associated with each workload, such that the workload may be consumed only in a manner that is consistent with such policy information. Thus consumption policies related to permitted time, permitted sets of users, security, pricing, resource consumption rules, and a wide variety of other policies may be maintained by the consumption module based on the policies associated with the workload in the platform 20.
  • Manager module 26 is configured to provision one or more cloud-computing resources for a cloud-computing service or computer workload, manage one or more cloud-computing resources for the cloud-computing service or computer workload, and monitor one or more cloud-computing resources for the cloud-computing service or computer workload. For example, manager module 26 may provision one or more cloud-computing resources (e.g., provision one or more virtual machine instances) for a published cloud-computing service that is invoked from the consumption module 32. Upon invoking the cloud-computing service, the manager module 26 may deploy and start the one or more cloud-computing resources to the virtual private cloud for the cloud-computing service.
  • With respect to control, manager module 26 may control the start, stop, or run-time of one or more cloud-computing resources (e.g., control start, stop, or run-time of virtual machine instance) for a cloud-computing service. Manager module 26 may further schedule the start and stop time windows for the one or more cloud-computing resources, or govern a service level, such as per a service level agreement (SLA), or a threshold associated with the one or more cloud-computing resources. Through its control, manager module 26 can govern the cloud-computing resource according to conditions, constraints, security policies, or non-security policies. Manager module 26 may also monitor the one or more cloud-computing resources, detect security intrusions, and monitor the consumption of cloud-computing services their associated cloud-computing resources in order to determine the costs accrued by a user. Aspects of cloud-computing resources monitored by manager module 26 include, for example, central processing unit (CPU) usage, memory usage, data storage usage, data input/output usage, application usage, workload usage, service usage, and other attributes of usage of a service or a computer workload.
  • In some embodiments, manager module 26 is configured such that a user can request a planner using the planner module 23 to change the design of a cloud-computing service. For example, a user may request that the cloud-computing service change or computer workload with respect to the cloud-computing resources utilized (e.g., change to a platform stack). As in the other components of the platform 20, in the manager module 26 the user may have access to, or may create or modify, policy information or metamodel data relevant to the computer workloads with which the user can interact in the manager module 26. The manager/user of the manager module 26 may thus manage the provisioning of infrastructure and platform elements such that usage will be consistent with the policies of the enterprise, including operational and business policies, as well as technical requirements. For example, provisioning to expensive infrastructure elements may be confined to workloads that satisfy business rules that distinguish between mission critical elements and other elements. The manager/user of the manager module 26 may be provided with access to the policies consistent with the metamodel framework, and in embodiments may be provided with pre-filtered options, such as in menu choices, decision trees, or the like, that are consistent with such policies. For example, a workload designated as non-critical in its metamodel data could automatically appear in the manager module with deployment options confined to relatively low cost clouds, while a mission-critical workload might appear with all different cloud options (or ones that are filtered to satisfy certain requirements as to low latency, bandwidth, storage capacity, guaranteed quality of service, or the like). As with other modules, the manager module 26 may thus enforce policy while streamlining workflow, improving both effectiveness and efficiency.
  • FIG. 2A is a diagram illustrating example management module 26 in further detail. As illustrated, management module 26 comprises governor module 103 configured to govern operation of a cloud-computing services and its associated cloud-computing resources, provisioning module 106 configured to provision cloud-computing resources for a cloud-computing service, and monitoring module 112 configured to facilitate the various monitoring functions of management module 26.
  • In embodiments, the present invention may provide for a policy-driven infrastructure as a service (IaaS) event bus, which is comprised of a policy engine, metamodel, reporting system, and workflow engine; and allows for the creation of business policies, such that said business policies can be reflected into a dynamic information technology environment and expressed across internal and external information technology infrastructure, regardless of operating system, programming language, middleware solution, application platform, or cloud provider, by making use of abstraction layers. The workflow engine provides an integration point between the IaaS event bus and workflow management, as described elsewhere in this specification. The abstraction layers allow for integration with application programming interfaces made available by different vendors, business models, technical models, eventing and altering channels and monitoring systems in a vendor agnostic manner. In embodiments the abstraction layer could be a cloud-computing provider. A cloud computing provider may be VMWare, Baremetal, Amazon Ec2, Savis, TerraMark, Microsoft HyperV, and the like. In other embodiments, there may be multiple layers of abstraction in an abstraction layer.
  • The policy engine allows policies to be created through an easy to use visual interface that allows users that do not necessarily have information technology skills or other programming skills to author and assign policies to workloads. The policies can be expressed via languages such as XML, and the like. In some embodiments of the present invention a policy could be an event policy. An event policy supports matching one or more events that are temporally related and generate a notification action when matches occur. An event can be defined as either a threshold condition or matching constraints specified as rules. A rule is comprised of one or more match constraints and each match constraint must be satisfied, by a logical “and” operation, within a specified sliding time window in order for the notification actions to be invoked. A match specifies the set of conditions that must be satisfied to match an event. Each condition specifies a property of an event or object contained by the event, which is matched against a set of one or more values using the supplied comparison operation If multiple values are supplied for a condition then the result is a logical “or” operation of the property being compared and against each value individually. Any of the event properties or properties of objects contained within the event structure may be used to refine the match criteria. For example, an auto-scaling policy may be be created to add more web and database servers according to a ration if a business application becomes heavily loaded, in order to reduce the load on that application. In another example, an auto-scaling policy with business awareness may be created that deploys additional business topologies according to an algorithm if revenue per hour exceeds a threshold.
  • The metamodel allows the system to abstract business user definition from technical definition and allows an enterprise to track information about information technology resources that were unknown when the system was created. By abstracting the business user definition from the technical definition, the metamodel allows business users to define data classes consistent with their enterprise nomenclature, while still being able to map them consistently to the internal system. For example a Tier 4 data center is common technical classification of a data center that generally has the highest uptime, however some enterprises refer to Tier 4 data centers as Tier 1 and the metamodel would allow Tier 1 and Tier 4 to be used interchangeably, depending on the definition used by a specific enterprise. This provides a benefit to the enterprise by eliminating the need to write specific policies for each instance or the need to customized each abstraction layer for individual instances. By tracking information about IT resources that were unknown when the system was created, the metamodel allows business users to arbitrarily define elements of data to track and create policy after the system was built, also allowing the users to track a specific piece of information that is defined for any resources that are managed by the system. Resources could be networks, storage, servers, workloads, topologies, applications, business units, and the like.
  • In other further embodiments, the policy-driven infrastructure as a service may also include additional components. Additional components may be reporting, auditing, and federated identify management systems.
  • In embodiments, the present invention may provide for a visual policy editor, which provides an easy-to-use graphical user interface to a feature-rich and extensible policy engine, using a visual programming language and policies, eliminating the need for the user to write complex code to define, assign, and enforce policies. The graphical user interface allows the user to author policies using a visual drag-and-drop interface or an XML editor. The visual programming language functions could be loops, variables, branching, switching, pulling of attributes, code execution within a policy, and the like. For example the visual programming language could access an external pricing engine that contains live pricing information, then make a decision on the next step of the execution process, based on the information it receives from the pricing engine. In some embodiments, policies can be enforced at an object level. Objects could be organizational groups, individual projects, different deployment environments, and the like. Policies could be access control policies, firewall policies, event-based policies and the like. Access control policies could include packages, scripts, and the like. Access control policies could be defined by cloud or other service providers, network attributes, network geographic location, security policies, and the like. Firewall policies may include port and network ACL lists that are applied as policies and applied at container level to ensure conformance to corporate standards for port opening/closing. Event based policies relate to service level management and could include compound threshold rules that trigger an action, lifecycle event management, compound event sequences, signature detection, and policy stacking, and the like. For example, a policy could be defined to restrict deployment of a computing workload to private internal clouds in a specific country.
  • In embodiments, the present invention may provide for automated processes to support a continuous integration cycle to migrate a computing workload from a development environment to an operational environment. The continuous integration cycle may include maintaining a code repository, automating the build process, self-testing the build process, automatically deploying the build, and the like. The policies and metamodels defined and assigned to the computing workload environment follow the build from its creation using the Builder Module through to its publication into the Consumption module. This capability allows the enterprise to greatly reduce the time required to develop, test, deploy and update a computing workload. Continuous integration may also include ensuring the modernization, patch management, conforming configuration of deployed cloud-computing services. The embodiments may provide this service as DevToOps policy allowing centrally defined service definition that deployed cloud-compute services can compare against and either update themselves when their configuration no longer matches, warn administrators of non-conformance, rewrite themselves back to conformance when configurations of the cloud-compute services are made arbitrarily, and the like.
  • As noted before, various embodiments of the present invention provide standardized access, management, or control to different types of cloud-computing resources on a self-service, on-demand basis without the user needing to know the specific instructions or details for accessing, managing, or controlling those different target cloud-computing resources.
  • In order to translate a standard management action for a cloud-computing service to instructions for its cloud-computing resource and/or instructions for a computer workload to be executed on a cloud-computing resource, some management modules may comprise a cloud model data store 109 that maps the management action to the appropriate cloud-computing resources. Subsequently, the management action is translated to one or more instructions for a target cloud-computing resource and/or a computer workload operating thereon. For example, a topology is an example of a cloud service, where a topology is comprised of a number of individual virtual machines orchestrated together. A common management action to perform on a topology is to start it. This simple topology start action within the management layer gets turned into a number of individual instructions that get passed down into the cloud service bus, such as (1) calculate the Start Up order for topology, (2) initiate ordered startup one VM at a time, (3) as VM's come up, attach volumes that are associated with the VM, (4) install any packages and software onto the VM's, and (5) once all machines are up and running the topology status changes to running
  • Cloud service bus 115 may be utilized to parse management instructions received from the manager module 26, transform the management instructions to instructions compatible with the target cloud-computing resource, and route the management instruction to the targeted cloud-computing resource. In some embodiments, the cloud service bus 115 then routes the instructions to the application program interface (API) for a target cloud-computing resource from external commercial cloud resource 127, or to the virtual machine manager (VMM) (e.g., hypervisor) for a target cloud-computing resource from internal private cloud resources 130.
  • FIG. 2B illustrates an example flow of management instructions from manager module 26 to a commercial cloud API. As illustrated in FIG. 2B, provisioning module 106 of management module 26 transmits a management action for a cloud-computing service currently deployed within a virtual private cloud (VPC) or a cloud-computing resource to be deployed in the virtual private cloud. Cloud service bus 115 receives the management action, parses (215) the action, and utilizes cloud model data store 109 to resolve (218) the action to the appropriate one or more cloud-computing resources associated with the cloud-computing service.
  • These management actions are then translated to target-specific instructions (e.g., commercial hypervisor API calls) by a target-specific adapter that connects one or more cloud-computing resources to one or more other cloud-computing resources or to the cloud-computing platform. Given the disparate types of cloud providers and systems that exist, each having a proprietary interface for access, management, and control, some embodiments utilize a target-specific adapter 209, 212 in order to connect to and interface with cloud-computing resources provided by those different cloud providers and systems.
  • In the illustrated embodiment, once target-specific instructions have been determined, cloud service bus 115 routes the instructions to Amazon EC2® adapter 209, which transforms (221) (or translates) the management action to one or more target-specific instructions that are routed to the Amazon EC2® API 203 for execution on the Amazon EC2®cloud-computing environment 206. Other adapters 212 illustrated include Microsoft® System Center Virtual Machine Manager, a VMWare® adapter, a Rackspace® Adapter, and a Sun® VMOpsCenter Adapter. Other APIs illustrated include the Citrix® XenCenter® API 122 used to interface with a XenCenter cloud-computing environment 128, or a Sun® xVMOpsCenter API 123 used to interface with the xVMOpsCenter cloud-computing environment 129.
  • In some embodiments, the instruction is transmitted to the Amazon EC2® API 203 through connection module 118, which implements a secure (i.e., encrypted) connection between the platform and the cloud-computing environment, the platform and client network, or the cloud-computing environment and the client network to ensure secure communication between the platform and environment. Connection module 118 may be utilized, for example, when a cloud-computing environment does not provide a secure connection between a client and its cloud-provider network (e.g., a commercial cloud provider does not provide a secure connection as feature of their cloud services). Additionally, connection module 118 may be deployed and utilized on the client-side network when the client lacks a secure connection with the platform.
  • FIG. 3 provides a diagram illustrating an example of provisioning in accordance with an embodiment of the present invention. As illustrated in FIG. 3, upon receipt of a provisioning request from virtual private cloud (VPC) user interface 256, (asset) repository 262 is queried to extract all relevant metamodel information for the deployable assets (e.g., cloud-computing resource), such as a cloud-computing service have a specific topology. A simple topology may comprise a single cloud-computing resource (e.g., operating system running on a virtual machine) or a single tier of cloud-computing resource instances (e.g., LAMP server), combined to provide a cloud-computing service such as a web front-end. A more complex topology may comprise more than one tier of related cloud-computing resource instances such as a back-end database service tier, middleware tier, and web front-end tier, each tier performing a related service as part of delivery of an application to a set of users. The cloud model 109 is queried 280 to match the type(s) of cloud-computing resource instance with an appropriate provisioning request.
  • Upon a successful match, a policy management engine within governor module 103 is queried to ensure current policies allow for provisioning the cloud-computing resource from a cloud-computing environment, thereby providing “valid” or “right” placement 283, consistent with the handling of policy and the metamodel framework described above and throughout this disclosure. Topology interpreter 271 examines the request for the relationships of the cloud-computing resource instance(s) being requested and the access list (network port) assignments for the instance(s), and then passes the information to provisioning agent 274. Provisioning agent 274, in turn, queues the startup requests for the cloud-computing resource instances based on the defined startup order of the topology and provisions the instances and access list requests 289 through the virtual machine manager (VMM) API.
  • FIG. 4 is a diagram illustrating an example use of a connection module in accordance with an embodiment of the present invention. Specifically, illustrated are two cloud-computing environments 306 and 309 each running instances of either Microsoft® Windows (333) or a distribution of Linux (339). Each cloud-computing environment is configured with a cloud firewall (315, 318) that blocks specified network traffic and defends the environments against malicious network traffic.
  • Illustrated opposite the cloud-computing environments is client network 303 (e.g., enterprise network) that has an instance of Linux 342 and Solaris (.times.86) operating and is equipped with it is an enterprise firewall 312. In order for the cloud-computing environments (306, 309) to communicate with client network 303 over external network 321 (e.g., the Internet), connection modules (324, 327, 330) are deployed on the three entities in order to establish and maintain encrypted communication tunnels (348, 351) between the cloud-computing environments (306, 309) and the client network 303. In addition, connection modules (324, 327, 330) establishes these encrypted communication tunnels (348, 351) through allowed ports on the firewalls (312, 315, 318). In FIG. 4, the connection modules (324, 327, 330) establish one encrypted tunnel for management (351) and another encrypted tunnel for data (348). The Platform 20 may support this concept in a plurality of ways. For instance, the platform 20 may have the capability to deploy what is commonly referred to as a VPN Overlay network. This network creates secure communication channels between two endpoints. In this instance, the network is setup by deploying ‘connection modules’ into each of the different environments. The connection modules create secure connections between each other. Now when guest machines are created, they are configured to VPN into their appropriate connection module. From that point on all traffic is tunneled through these secure endpoints and traffic can be routed across network segments (i.e. in and between cloud providers and on premise). In another instance, a connection broker may rely on creating IPSec tunnels between individual cloud providers and an on-premise environment. This allows for traffic to traverse from one cloud environment to another via your own internal networks.
  • Further, the solution may be configured to combine a set of firewall configurations to enable a security zone model. Specifically as a new virtual machine is brought online the system can reach out to all the relevant firewalls and set up the appropriate communication. This can mean that the system will configure a host based firewall on the VM, a hypervisor firewall the VM is running in, physical firewall devices, and other firewalls such as the host or hypervisor firewalls running on any of the machines in the communication channel. This could mean that starting a VM will result in hundreds of firewall changes across the spectrum of all firewall devices and services that might be in the communication path.
  • In embodiments, the platform 20 may provide for end-to-end security across internal and external clouds, such as including secure data in transit from the platform to external clouds, secure access for users, secure encryption keys, secure logs for auditing, secure instances from breaches, secure data in storage, and the like. The platform may provide for comprehensive security capabilities designed for agile IT operating models, such as for network security, instance security, data security, access security, and the like. For instance, network security may include an encrypted overlay network across multiple clouds and enterprise data centers, firewall integration with support for multicast, static IP management, point-to-point routing, and the like. Instance security may include images with pluggable host-based intrusion detection systems and virus scanning, and the like. Data security may include images that utilize configurable encrypted block storage as well as SDKs for non-block storage requirements, and the like. In embodiments, access security may include federated identity management and granular role-based access control to instances and stores. For example, there may be need to store credentials in a third-party encrypted key-store. The platform 20 may allow for storing of all credentials in its own encrypted key-store or the ability to store in third-party FIPS compliant key-store for added security and compliance.
  • In embodiments, the present invention may provide for a secure federation of internal and external cloud providers to operate as a trusted extension of an enterprise, establishing security policy and governance earlier in the lifecycle, combined with automated policy enforcement, to provide a more secure computing environment than previously available. Comprehensive security may include host intrusion detection systems and anti-virus protection, virtual firewalls, encryption of persistent data, secure connectivity, federated identity management, and the like. Network isolation may be provided to include a redundant customer-controlled encrypted overlay network service that provides security in a cloud across multiple clouds and between enterprise data centers and commercial clouds; support multicast, static IP management, point-to-point routing, firewall integration; and the like. Instance isolation may be proved through stacks including active host based intrusion detection and prevention packages; pluggable virus scanning integrated into each stack, and the like. Data isolation may be provided, such as including a configurable encrypted block storage system as well as SDKs for non-block storage requirements; backups of block storage devices inheriting encryption; configurations for encryption of data to be transferred or stored in non-block storage, a cloud manager providing granular role-based access control to instances and stores; certificate and key-pair access control of instance log-in, such as connections only over strong-encryption SSL; and the like. In an embodiment, an overlay network may extend the client's network into the cloud provider, such as through bridges to corporate network (e.g. like VPN); enhanced failover, load balancing, and peering; support extension of corporate IP assignments (e.g. both DHCP and static); support for point-to-point connections (e.g. servers that can talk directly to each other without having to go back to corporate data highway; ability to bridge multiple clouds; support for multicast; deployment of nodes in both the external cloud provider and the corporate data high; and the like.
  • Each of the security capabilities described herein may be provided for a particular platform or infrastructure network, as applicable, or may be applied across a security zone, as noted above, such that the security zone, which may reside across multiple clouds or networks, is maintained as a defined layer of security for all elements with the zone. Thus, security policies applicable to the zone may, by being associated with all workloads in zone in accordance with the metamodel and policy framework described throughout this disclosure, be enforced to ensure that all such workloads are deployed, executed and consumed in a manner consistent with the current security policies for the zone. The boundaries of each security zone and policies can be rapidly and conveniently updated, such as in the manager module 26, with assurance that all workloads within the zone will be provided with updated policies, as applicable, and that they will be handled consistent with such policies. As noted above, multiple security zones may be defined at differing levels of abstraction, such as geographic, business unit, user type, physical network, cloud, cloud type, or the like. Workloads in each zone will be required to satisfy the security policies of the zone, such that if a workload is deployed within overlapping zones, it will be subject to all policies for all such zones. For example, a transactional workload might have a security policy defining anti-virus requirements based on its presence in a security zone defined by the business unit that handles that transaction, but it might also be subject to data encryption requirements defined for a security zone defined by the legal department for all business units of an enterprise. The platform 20 may include the capability to view, manage, and edit security policies for security zones, including to highlight and resolve any potential conflicts among policies in the case of overlapping zones that apply to a workload. The ability in the platform 20 to plan, design, rapidly deploy, and manage workloads and related policies that comply with varying and overlapping security zones allows efficient satisfaction of constantly changing technical requirements (e.g., based on the latest anti-virus, firewall, and similar capabilities for a particular type of cloud or other infrastructure resource), shifting regulatory requirements (such as satisfying legal requirements for security of private user data), and shifting business requirements (such as providing security features that satisfy customer preferences as to security and convenience of use). Among other capabilities, the definition of security policies in the platform 20 at a level of abstraction that is independent of the infrastructure and platform elements on which a workload is deployed allows an enterprise to establish security zones that are vendor independent. A single security zone can have a defined policy, such as to satisfy a legal requirement, that is associated with a workload, and that is applied within a security zone that contains firewalls, routers, storage systems, and other elements that come from disparate vendors. The platform 20 automatically parses the policy and metamodel data associated with the workload and ensures that the infrastructure elements, regardless of type, are provisioned, updated and operated in accordance with the policy. This capability allows the enterprise to avoid a great deal of effort, often unsuccessful due to the time required and the rapidly shifting requirements, that has previously been spent analyzing, discussing, and updating security policies, then configuring a host of disparate devices in an effort to comply with the changing policies.
  • In some embodiments, the method further comprises: deploying an application, where the application is associated with one or more computer workloads; and where each application and/or computer workload is assigned a security zone; and tagging each application or computer workload based on its security zone such that firewall rules to permit the application to perform the computer workload are automatically and simultaneously applied to multiple firewalls within and outside the security zone assigned to the application. In some embodiments, the application may have complex security policies integrated within it during the development process of the application. Each application or computer workload may be tagged to operate in a specific security zone and communicate across security zones and each security zone may have a defined set of firewalls associated with it. In some embodiments the firewalls may be virtual firewalls or physical firewalls. In some embodiments the firewalls may be provided by multiple vendors such as Cisco, Juniper, and the like. In some embodiments the firewalls may be cloud-based firewalls provided by vendors such as Amazon, VMWare, and the like. For example, a database application that is tagged to operate in a highly secured security zone may require connectivity through a built-in firewall on the database server, a firewall upstream of the server between the highly secured security zone and a less secure corporate network security zone, and a firewall between the less secure corporate network security zone and a security zone that connects to the public Internet. An adaptor automatically determines the IP addresses assigned to each of the firewalls required to permit the application to perform the computer workload; and simultaneously on each firewall establishes rules required by the application, without restarting the system in which the firewall(s) operate. In other embodiments, the method further comprises removing the firewall rules when the application or computer workload is removed or stopped.
  • As noted before, connection modules such as those illustrated may be utilized when a secure connection is not readily available between a cloud-computing platform of an embodiment and a cloud-computing environment, between the cloud-computing platform of the embodiment and the client network, or between the cloud-computing environment and client the client network.
  • FIG. 5 is a diagram illustrating an example use of an identity module in accordance with an embodiment of the present invention. In FIG. 5, enterprise network 406 is illustrated comprising identity module 29 in accordance with an embodiment, and identity store 415. Illustrated opposite the enterprise network is a cloud provider network 403 that is providing commercial cloud 409 (e.g., cloud-computing resource for a cloud-computing service) to enterprise network 406.
  • Identity module 29 facilitates identity provisioning and de-provisioning 418 (e.g., sign-on and sign-off) of a user to a service provided on a public (e.g., commercial) or private cloud. In some embodiments, identity module 29 performs this service by authenticating the user using the client's authentication system (i.e., identity store 415). For example, identity module 29 may authenticate a user using a locally deployed service, such as Netegrity®, Oracle OAM®, Microsoft® Active Directory, RSA® Cleartrust, Lightweight Directory Access Protocol (LDAP), and Kerberos. For instance, in one use case the platform 20 could be configured to use Active Directory (AD) as its user store. When a user wishes to console or desktop into a Virtual Machine that exists within a cloud environment, they may be prompted for credentials. The user supplies their credentials and the platform authenticates against AD. If there is a match, the platform 20 may log into the VM as Admin and create a new local account for the user based on the AD credentials. The user can now login to the VM. Another use case may deal with Software as a Service Integration, where a store, as described herein, may include the concept of purchasing user seats with cloud-based services, such as the commercially available service Salesforce. When a user, backed by the user's AD identity, orders a Salesforce user seat, the platform may provision an account for the user within Salesforce. When the employee is terminated via AD, or removes the user seat from the portfolio of an enterprise, the platform may de-provision the useraccount within Salesforce. Users may also have the option to ‘consume’ Salesforce, which redirects the user to Salesforce and performs SSO. In another example, a user logs into the platform to access a Salesforce service, where first the user is authenticated (e.g. via AD, Netegirty), then based on his identity the platform 20 checks to see if the user has an account in Salesforce. If not, the system may create one in Salesforce by calling the Salesforce account management APIS. The system may also look up addition information about this user by doing database queries or other types of lookups against internal systems. If a user tries to access the service and the system detects the user should no longer have access (e.g. because the user has been terminated for example), then the platform 20 will initiate a process to delete the account and clean up all relevant data. This detection and cleanup process could also be initiated by a periodic job that gets run automatically by the platform 20 according to a schedule, by detection of events (such as changes made to AD), and the like.
  • In some embodiments, once a user is successfully authenticated using identity store 415, identity module 29 redirects that user's credentials to the cloud-computing service for authentication. Once the cloud-computing service successfully authenticates the user based on the forwarded user credentials, the user is redirected to the logged in cloud-computing service. It should be noted that identity capabilities may be applied to a cloud-computing resource as well as to a user, such that a specific cloud-computing resource may be authorized (based on its identity) to be used in connection with execution of a computer workload.
  • FIG. 6 is a diagram illustrating an example use of a monitor module in accordance with an embodiment of the present invention. As illustrated, governor module 103, monitor module 112 and private internal clouds 530 reside on enterprise network 503. Commercial clouds 512 and 515 are providing cloud-computing resources to the enterprise network 503. Monitor module 112 is responsible for monitoring the status and utilization of commercial clouds 512 and 515, and deploy a monitor collector 506 and 509 to the commercial clouds 512 and 515 to collect and transmit such information to monitor module 112. The collectors may provide a plurality of functions. For instance, the first thing a collector may do is collect information coming from the guests. The collectors may also persist this data and respond to queries about the data from the main Monitor Module. Being able to deploy these remote monitors provides many benefits, such as lowering bandwidth costs due to all of this data not having to be sent across WAN links (e.g., the data stays on the collectors, and is only retrieved when a specific query needs it), increasing scalability where each collector node can handle a large number of guests and as the number of guests increases additional collectors may be deployed to handle the load, and the like. In another instance, a deployed VM (e.g. to a VM of an Amazon cloud) may periodically report back its status as well as a set of performance metrics it was seeing. Based on this, the platform could detect if there was an outage at that VM. It could detect this as soon as a machine reported, or if a machine fails to make a schedule report. The monitoring system may be able to monitor events above and at the hypervisor. That is, the monitoring system may receive data not only from VMs, but that it may also be extended to call the low level APIs and metric systems of the hypervisors and cloud computing services and aggregate data from both locations to provide a holistic picture of the performance and status of the system.
  • Aggregator 518 receives the information from individual monitor collectors (506, 509) and monitor collectors (not shown) deployed to private internal cloud 530, and records the (received) monitor information for governance purpose, provisioning purposes, or administrative purposes (e.g., event reporting). Monitor module 112 uses translator 521 to interpret the monitor information from the commercial clouds (512, 515) and relays (524) the interpreted monitor information to event console 527. Aggregator 518 also forwards monitor information to governor module 103 to enable the module to govern the operations of cloud-computing resources and cloud-computing services being managed by a cloud-computing platform in accordance with an embodiment. The monitor and collector modules may all reside inside the Enterprise Network 503 as virtual appliances running within the internal virtualized Enterprise Network 503 compute environment.
  • FIG. 7 is a diagram illustrating example governor module 103 in accordance with an embodiment of the present invention. Governor module 103 applies constraints, conditions, non-security policies, and security policies on cloud-computing resources and cloud-computing services being managed by a cloud-computing platform in accordance with an embodiment. In the illustrated embodiment, governor module 103 governs the cloud-computing resources and services by using monitoring information (from cloud-computing resources) provided by monitor module 112, and then issuing management actions (e.g. VPC actions) to cloud-computing resources based on monitoring information and the constraints, conditions, and policies the governor is applying to the cloud-computing resources.
  • In order to apply the constraints, conditions, and policies, governor module 103 uses analytics engine 609 to analyze monitoring information from monitor module 112 and, then, uses the analysis information to apply the constraints, conditions, and policies through policy engine 603. Based on the application of the constraints, conditions, and policies, policy engine 603 instructs action engine 606 to issue management actions to provisioning module 106 (e.g., issue management actions to increase or decrease the number of cloud-computing resources based on CPU utilization of the existing resources). For instance, when a new threshold policy gets created the threshold may be pushed down into the analytics engine. The analytics may be continuously evaluating the flow coming in from the monitor modules and evaluating the flow against its threshold definitions. When a threshold is violated an event may be created and sent to the policy engine. The policy engine may then determine which action to take and pass the instruction off to the action engine. In the case of auto-scaling the action engine may pass a provisioning or de-provisioning request to the provisioning module.
  • In embodiments, the flow amongst the monitor and provisioning modules and the analytics and policy engines may be as follows. In a step 1, the Monitor Agent may collect data in a variety of ways including polling the system for status, or alternatively it may receive information sent to it by some even or periodic sending of data by the application or service being monitoring. Step 2, the Monitor Agent rolls up the data, where the roll up may include aggregating and summing data, and it may also include filtering data out that is not required or within thresholds that don't need to be reported on. The data may be collected so it may be sent in bulk efficiently rather than parceled out and causing many interrupts. Step 3, the Monitor Agent may transmit data to the Analytics Engine. The analytics engine may then parse the data and again may perform aggregations, summation, filtering, or other correlation. Step 4, the analytics engine may then evaluate data against a set of configured thresholds that are configured by the policy engine. If a threshold is found to have been exceeded, then the event system may kick in and take action based on the configured policy. Step 5 is executing the configured policy action, which could include notification of some set of individuals or other system by phone, email, pager, txt message, event bus, programmed call out, shell script, or other configured mechanism.
  • In the illustrated embodiment, governor module 103 utilizes instance placement 627 to make decisions on where to place an instance of a cloud-computing resource. For example, when an image is built for a cloud-computing service using a builder module, it can be tagged (e.g., using a metamodel) to prevent deployment to certain zones (e.g., security zone) as part of a security policy, cost control policy, performance or availability management policy. Instance placement 627 may cause the governor module 103 to place an instance of a cloud-computing resource based on availability of client-computing resources, or (real-time) performance of particular clouds. Virtual Machine (VM) lifecycle management 624 may be utilized by governor module 103 to determine and enforce expiration of virtual machines Auto-scale 621 may be utilized by governor module 103 to scale computer workloads being performed on one or more a cloud-computing resources. Auto-scale 621 can add or remove instances of cloud-computing resources to increase or decrease the performance of computer workloads based on monitored resource consumption, a schedule, or a set of rules. Availability & disaster recovery 618 may be utilized when operation of a cloud-computing resource has failed and the failed cloud-computing resource must be recovered according to the constraints, conditions, or policies governed by governor module 103.
  • FIG. 8 is a flowchart illustrating an example method 700 in accordance with an embodiment of the present invention. Method 700 begins at operation 703 by providing a user a virtual private cloud (VPC) configured to utilize a cloud-computing resource from the plurality of cloud-computing resources to perform a computer workload. At operation 706, method 700 then receives a request to perform the computer workload within the virtual private cloud. For example, in some embodiments, the computer workload may be an application, a server, a platform (e.g., LAMP server), or an infrastructure element (e.g., load-balancing unit). In another example, receiving the request to perform the computer workload comprises: receiving an application to be migrated to cloud-computing environment for execution; and identifying the computer workload as necessary for executing the application. In yet another example, method 700 receives a computing workflow to be performed in the cloud-computing environment; and then identifies a computer workload to perform the computing workflow.
  • Then, at operation 709, method 700 identifies a cloud-computing resource to perform the computer workload. For example, identifying the cloud-computing resource may be based on a workload score determined by a scoring logic. For instance, the scoring logic may be based on a business attribute of the computer workload (e.g., whether it is mission-critical, required to satisfy a legal obligation, required for an SLA, or the like), a technical attribute of the computer workload (e.g., storage required, bandwidth required, processing speed required, or the like), an operational attribute of the computer workload (time of day for availability, seasonality, or the like), or any combination thereof. In some embodiments, the scoring logic may further be editable or grouped into collections of logic to provide scoring plans for examining multiple types of computer workloads different ways (e.g., a grid computing scoring plan scoring workloads for an application destined to a cloud-computing service hosting grid workloads). In other embodiments, the scoring logic may be editable to allow enterprises to store business, technical, and operational attributes of a computing workload, using enterprise-specific nomenclature or to allow for an enterprise to adjust attributes to a preferred score, consistent with business, technical, or operational metrics. In other embodiments, the scoring algorithm could be configurable, to weight the different attributes of the scoring algorithm based on business, technical, and operational metrics. The scoring algorithms are configurable in multiple ways and the scores are created by a set of rules. The rules may be cloud readiness rules, cloud value rules, or the like. The rule logic may be expressed as javascript, java, or the like. The rules make it possible to call any programming language system, configuration management data system, or the like. In embodiments, the information retrieved by the rules can be added to the metamodel for the specified information technology resource. Rules are evaluated according to a plan. A plan is a set of rules the weighting value assigned to each rule. For example, when a rule is a business criticality rule based on a set of metrics, and a plan is a “business contingency” plan, where the goal is to move infrastructure into a cloud that has disaster recovery and high availability built into it, the a system with the highest business criticality weight, may be moved first. When an item has been evaluated, the weighting values assigned to that item will be added to the metamodel associated with that item. Items could be systems, servers, databases, applications, workloads, and the like. Filters are used to decide where items should be placed. The filter first identifies the places where an item can be placed and then places the item in the place that is determined to be the best fit for the item. If data assigned to score an item is complete, it will be marked as scored and appear in relevant reports. If data assigned to score an item is incomplete, the items will be identified as requiring remediation. Different data attributes can be tagged as requiring different classes of individuals to complete the required information and preventing other classes of individuals from doing the same. Classes of individuals could be business users, technical users, and the like.
  • In embodiments, the present invention may provide for the categorization of workflows into workloads. Each computing workflow can be separated into a set of distinct workloads, each workload having requirements such as input, storage, processing, output, and the like. Each computing workload may have policy and metadata information stored by the system that includes what computing workload it is, how the computing workload is used, how quickly the computing workload needs to be performed, and the like. Each computing workload is instantiated through a customizable workflow. For example, a computing workload may require approval by a business unit, development team, quality assurance team, and an operations team. The workflow in this example would then be instantiated to solicit approval of requirements defined by each workload from each team.
  • At operation 712, method 700 provisions the cloud-computing resource from the plurality of cloud-computing resources for the virtual private cloud (VPC). For example, method 700 may provision by locating an unreserved cloud-computing resource within the plurality of cloud-computing resources; and reserving for the virtual private cloud the unreserved cloud-computing resource.
  • Method 700 deploys the cloud-computing resource within the virtual private cloud at operation 715. Where the cloud-computing resource is a virtual computing resource, the virtual computing resource may be deployed under control of a virtual machine manager. In other embodiments, method 700 may deploy the cloud-computing resource according to a condition for the computer workload, where the condition determines if or when the cloud-computing resource can be deployed within the virtual private cloud to perform the computer workload. For example, the condition may require that the computer workload for backup servers only operate during evening periods. To optimize performance of a computer workload, some embodiments may deploy a pre-determined set of cloud-computing resources to optimize the computer workloads' performance.
  • Once the cloud-computing resource is deployed to the virtual private cloud, method 700 uses the cloud-computing resource to perform the computer workload at operation 718. Then, at operation 721, method 700 applies a policy or constraint on the cloud-computing resource. For example, where a policy is associated with a computer workload, method 700 may govern operation of the cloud-computing resource performing the computer workload in accordance with the policy.
  • FIGS. 9A-9D are screenshots of an example user interface in accordance with some embodiments of the present invention. FIG. 9A depicts a screenshot of a user interface to a planner module, which can plan a cloud-computing service comprising one or more cloud-computing resources. In the screenshot shown, a corporate blog application and a logistics application are shown being planned for creation. FIG. 9B depicts a screenshot of a user interface to a builder module, which can build a cloud-computing service comprising one or more cloud-computing resources. The illustrated screenshot shows a stack being built on a Linux base stack. FIG. 9C depicts a screenshot of a user interface to a consumption module, which can be utilized by a user to subscribe to and use a cloud-computing service comprising one or more cloud-computing resources. The screenshot for the consumption module user interface allows a user to subscribe to and use such instances as Linux, Windows® 2003 IIS server, and Flatpress Blog Engine, and more FIG. 9D depicts a screenshot of a user interface to a manager module, which can be utilized by a user to manage cloud-computing service and its one or more cloud-computing resources. The screenshot shows the user interface of the manager module allowing a user to issue commands to cloud-computing services, such as stopping, running scripts, creating storage volumes, and attaching storage volumes to the cloud-computing services. The interface may be a web page, command line, development tool, and the like, such as eclipse or visual studio, and apps such as iphone/ipad applications. In embodiments, an API may be called that will allow a user to make changes and consume services in a way that is consistent with the company policy. For instance, an API may be implemented as a REST and SOAP interface, which are standard formats for services that may be exposed over different protocols in a standard way.
  • Project team members may have substantially different functional roles, and as-such, each user interface module may be designed to support one or more of the functional roles encountered in the Systems Development Life Cycle (SDLC). The user interface Modules represented in FIGS. 9A-9D may be accessed and used by project team members and presented for the functions those team members may have in the systems development life cycle of the project for which the cloud-computing services are being designed, built, provisioned, and consumed. As well, the interface to each module may be designed to best service the type of function that will be performed as part of the SDLC phase being addressed. The user interface components of each module may access the Policy Engine in order to represent the controls, access, and assets available to the functionally specific users in order to preserve the integrity, security and compliance of the cloud-computing services each aspect of the SDLC phase.
  • The present invention may provide a comprehensive enterprise-grade facility based on federation of IaaS, PaaS, SaaS, and the like, delivered by a plurality of internal and external cloud providers enabling advantages including the ability to intelligently govern, secure, and manage a user's critical applications for cloud environments; automate planning, building, sharing, and running lifecycle for optimal speed and efficiency, providing policy driven, end-to-end identity management across the plurality of cloud environments; deliver comprehensive cost, performance, and consumption visibility; integrate with a client's existing IT infrastructure including asset management, authentication and authorization, audit and governance, performance monitoring, and chargeback billing systems; and the like. In other embodiments, the present invention may provide for a layer that allows the input of chargeback billing data to be imported from reporting tools or integrated monitoring systems and the ability to “over recover” or “under recover” charges from the service provider's specified rates, providing a comprehensive audit trail. For example, if an enterprise is providing its internal users value-added services based on the Amazon EC2 service, the enterprise can add its own costs to the rate charged by Amazon, to recover the costs the enterprise incurs when providing the service to the internal users.
  • Referring to FIG. 10, an alternate module structure is depicted for the platform 20 for providing capabilities to specific roles across the lifecycle, including a planner module 1002 (which may have any of the capabilities described for the planner module 23), a designer module 1004 (which may have any of the capabilities of the design module 29), a centerpoint module 1008, a manager module 1010 (which may have any of the capabilities of the manager module 26), and an access module 1012, which may collectively provide the platform with management, security, policy, governance, and the like functionality as described herein. The platform 20, as in the example depicted in FIG. 1 and detailed herein, is able to provide virtual private cloud facilities to users through the cloud provider environment, including external private clouds 1014 (e.g. external companies, such as Savvis, with dedicated connectivity and instances), internal private clouds 1018 (e.g. current data centers that support virtualization and cloud), secure public clouds 1020 (e.g. multi-tenant architectures, such as Amazon), PaaS providers 1022, SaaS providers 1024, and the like. The functions depicted in FIG. 1 of the Cloud-Computing Platform 20 map directly to the modules depicted in FIG. 10, Platform 20 as follows; Planner Module 23 maps directly to the Planner Module 1002, the Builder Module 29 maps directly to the Designer Module 1004, the Consumption Module 32 maps directly to the CenterPoint Module 1008, and the Manager Module 26 maps directly to the Manager Module 1010. The Repository Module 30 of FIG. 1 is encompassed in the platform database and functions provided and depicted as Governance, Policy, Security and Management for the Platform 20. The Access Module 1012 provides a single sign-on function for the platform 20 allowing connectivity to enterprise identity systems such as LDAP/AD, which is shown in FIG. 5 and maps to the Identity Module 29. The planner module 1002 may help analysts and architects streamline application migration activities by analyzing and scoring application workloads to evaluate their suitability, generate recommendations right-sizing and right-placement across multiple internal as well as external service provider options. The planner module 1002 may also allow analysts and architects the ability to construct new rules and rule-sets for evaluating new and different types of application workloads in evaluating cloud readiness, cloud value, and right placement recommendations. The designer module 1004 may provide technical users with a graphical workbench to rapidly assemble policy-compliant stacks, workloads, and applications for any number of deployment environments. It may include a library of pre-built, reusable assets with the ability to create and publish new ones. The centerpoint module may facilitate the sharing and collaboration of cloud assets with fine-grain access controls, search capabilities, automated notifications, rating and commenting of assets, and access to detailed consumption reports. The manager module 1010 may provide a unified interface to streamline deployment and runtime management for any number of cloud providers, including monitoring of running instances and detailed performance and costing information. The access manager 1012 may deliver federated identity management to the full range of highly dynamic services managed (e.g. including IaaS, PaaS, and SaaS providers) along with the platform 20. It may also integrate with and support a plurality of protocols, such as LDAP, Active Directory, X.500, and the like. In each case the modules represented may reside on a common Policy Engine that ensures the integrity and security of the system by enforcing policy and access rights for the users accessing each module are only accessing those assets and functions that are allowed for their functional role.
  • The platform 20 may exist in an IT ecosystem and utilize a plurality of both cloud-based and dedicated resources to integrate with the platform, where these integration points may take place both within an enterprise's existing IT infrastructure, and also extend out to a plurality of external providers and services, such as in applying to both pre-production and production cloud environments. FIG. 11 provides an example illustration of the IT ecosystem as a plurality of these both dedicated and cloud-based resources, including security 1102 (e.g. proxy integration, host firewalls, hypervisor-based firewalls, host intrusion detection, external key store, VLAN management, VPN, file system encryption), IaaS 1104, external clouds 1108 (e.g. GoGrid, Amazon, Terremark, Fujitsu, Savvis, vCloud Director based Cloud offerings (Dell and others), Joyant, vCloud Express offerings), storage 1110 (e.g. NFS, VMFS, SAN, Amazon S3, EMC, Oracle, Netapp), internal clouds 1112 (e.g. vSphere, Cloud.com, Eucalyptus, OpenStack, HyperV, Xen, KVM), PaaS 1114 (e.g. Hadoop, Azure, EnterPaaS, Vmware CloudFoundry, IBM WebSpheree, Oracle WebLogic), orchestration 1118 (e.g. Autoscaling, Scripting framework, File management), SaaS 1120 (e.g. Salesforce.com, Intuit, Google Apps), desktop as-a-service 1122 (e.g. Citrix, VMware, Cicero, Framehawk), accounting and chargeback 1124 (e.g. Ariba, SAP), continuous integration 1128 (e.g. Collabnet, Apache Maven, Subversion, Jenkins CI), disaster recovery 1130 (e.g. Double Take), network services 1132 (e.g. DNS, DHCP, Load Balancer, NTP), governance 1134 (e.g. Axway, SOA Software), performance monitoring 1138 (e.g. Ganglia, Collectd), identity management 1140 (e.g. Oracle OAM, Netegrity, LDAP Kerberos SAML, RSA ClearTrust, Active Directory), and the like.
  • Referring to FIG. 12, the platform 20 may deliver unified governance for IaaS, PaaS, and DaaS workloads across a federation of internal and external cloud providers 1202, 1204, 1208, to leverage scheduling and placement policies to optimize the placement and type of workloads that are being run on a temporal or scheduled basis. As an example, during the day, scheduling policies may devote much of the cloud compute capacity to running virtualized desktops, however, as the evening approaches and workers go home, the demand for DaaS drops, and the cloud compute capacity can be utilized for compute intensive applications such as financial trade simulation models running on grid-compute nodes. This policy approach also allows cloud-compute services to be shifted to lower cost Cloud Provider environments. As such, the inherent policies provided by the platform 20 lower costs by maximizing the utility of the cloud infrastructure while also having the same effect of lowering costs by aligning workload placement to provider environments best fit to run those types of workloads.
  • In embodiments, policy-driven governance may be integral to the platform 20 and to the end-to-end lifecycle to create and enforce policies in a closed-loop governance lifecycle, such as extensible policy framework to support unique needs, customizable approval workflow, integration with corporate audit and governance systems, establishing a foundation for audits and policy reviews, and the like. Referring again to FIG. 10, the planner module 1002 may contribute to the creation of design-time policies, such as access rights, right-placement parameters, regulatory restrictions, and the like. The designer module 1004 may contribute to the creation of run-time policies, such as auto-scaling parameters, maximum instances allowed, and the like. The centerpoint module 1008 may enforce access policies, ensuring that the right users are accessing the right assets and deploying those assets in the right places, and the like. The manager module 1010 may enforce run and design-time policies, such as allowing cloud-compute services to scale up or down in response to load or other conditions in the environment as well as prevent users from consuming arbitrary amounts of compute resources, and the like. The access module 1012 may enforce access policies across internal and external service providers, and the like. In this way, policy creation is an integrated process across the platform.
  • In embodiments, the present invention may provide many advantages, including a unified interface to deploy and monitor workloads across internal and external service providers; rapid creation of new workloads and re-architect existing ones for cloud portability and on-demand provisioning; automated right-sizing, right-placement, and user access decisions via enforceable policies; deployable and dynamically configurable complex application topologies in real-time; meter usage with integrated chargeback and billing; real-time monitoring and support for auto-scaling and bursting across multiple clouds; federated identity management across internal and external providers; pre-built library of re-usable stacks to accelerate assembly and deployment; incorporated end-to-end security that spans network, access rights, instances, and data; complete visibility and transparency via role-based reports, policy reviews, and audit trails; creation and enforcement of policies in a closed loop governance and management lifecycle; score and prioritization of workloads for migration; consolidated monitoring, reporting and metering including integrated chargeback/billing; platform deployment flexibility to locate securely on premises or as a SaaS offering; and the like.
  • Automated governance through the present invention may enable new capacity optimization strategies to maximize the utilization of hardware and server resources through the dynamic placement of different sized workloads, where the platform may manage placement of workloads from large (e.g. production applications, load test environments) to small (e.g. virtual desktops), perform monitoring and manage application auto-scaling, roll-overs seamlessly to external cloud providers when internal capacity limits are reached, and the like. Use of the platform across a plurality of cloud workloads, may allow the user to create new capacity optimization strategies to make the most from a user's internal resources, such as though dynamic placement of different sized workloads, and combining these workloads to achieve high capacity and/or utilization of a given computing facility. To enable this, the platform may perform application monitoring, workload placement, workload scheduling as well as workload and application auto-scaling, and the like, as appropriate.
  • In embodiments, the present invention may provide for a self-service enterprise application store, which provides access to a global, cross-platform, software distribution network for multiple service offerings, accessible through any web browser such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and the like. In embodiments such an enterprise application store can be used to drive virtual desktop installations, provision enterprise server systems, connect to SaaS solutions, and integrate with custom, third-party software and services and the like. In embodiments such an enterprise application store can provide a full range of services to manage and monitor the provisioning of services. The services could be a wide range of service required by enterprises, such as software publishing and ordering, order approval, license management, chargeback and invoicing, integration with a global marketplace, and the like. The service offerings could be infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) offerings, and the like. In further embodiments, the service offerings could be internal services, open source services, third party services, and the like. In other further embodiments, the present invention may provide for a single sign-on capability for each of the service offerings.
  • The application store software publishing capability can include tools to package and publish software and services to the application store, such as to allow a customer of services from the application store to develop its own software and publish its own service, which in turn can be made available through the application store. For example, a service builder could obtain from the enterprise application store a set of services that provide storage capability and that retrieve a given set of input data, such as from various sources. The service builder can then build its own service by adding a processing service that processes the inputs into outputs that are stored in the data storage and made available for other users who wish to have those outputs, such as for their own services. The new service can be stored in the enterprise application store for further use by others. A user of the enterprise application store may organize software services into manageable “catalogs” to control user access and experience, apply rich security, usage, and billing policies to entire catalogs, catalogs of catalogs, individual offerings, configure workflows for publishing approvals, and the like.
  • The application store software ordering capability can include an intuitive interface for browsing and purchasing published software and services, allow a user to purchase software and services for itself or on behalf of an entire group of users, schedule deployments upon purchase or for a date in the future, and the like. In other embodiments, the software ordering capability can include a customizable user interface, which allows a user to build browsing and ordering interface widgets customized to the needs of the user and then make those widgets available to the user's users through the application store.
  • The software application store order approval capability can include an integrated purchase approval system that follows a flexible workflow that is consistent with industry standards and best practices, a pluggable service model to allow for transparent integration with third-party approval systems, and the like. In other embodiments the order approval capability includes a highly customizable workflow that can be built from individual approval systems that can be chained-together in various and selectable sequences. These various and selectable sequences can be varied by catalog, catalog item, user, user group, and the like.
  • In embodiments, the ordering and approval capabilities may be filtered or otherwise limited by the user who is placing the order and/or the application on whose behalf the order is being placed. Results made available to a user and/or an application may be pre-filtered to only show those services that are available to that user and/or application. The user can be categorized by its role in the organization, or the like. The application can be categorized by its role, function, assigned policies, and the like.
  • The license management capability can include the creation of detailed licensing polices for individual software modules and services, a component model to allow for integration with a wide range of vendor licensing servers, runtime license checking when used with virtual machine instances managed by the present invention, and the like.
  • The chargeback and invoicing capability can include an integrated change management service with a configurable workflow, an adapter model allowing for integration with existing financial and asset management systems, flexible pricing policies to allow for the establishment of one-time charges or variable, usage based models, detailed organization modeling to allow for the distribution of cost across multiple cost centers, a flexible API that allows for the customization of the billing workflow, and the like. For example, invoices could be posted directly to the enterprise's enterprise resource planning (ERP) or payables system. In other embodiments, the present invention provides for the ability to report chargeback and invoicing information to both the user of the service and the provider of the service from the software application store.
  • The capability to be integrated with a global marketplace can include publish and subscribe access to an open market of verified software, an integrated and stringent approval process of all submissions, access to a free catalog of packaged and open-source solutions, the ability of a user to package and upload its custom solutions for exposure to a global market, the ability of a user to offer its software free or through a licensing/pricing model with automated chargeback, defined by the user, and the like.
  • In embodiments of the present invention, the software application store supports the recursive publishing of applications. The recursive publishing could include multiple iterations of an application published by multiple users, groups of users, enterprises, departments within enterprises, and the like. For example, a first department of a first enterprise could publish a first IaaS application back into the software application store, a second department of the first enterprise could then publish a PaaS application on top of the IaaS application published by the first department, and a third department of the first enterprise could purchase the PaaS built on top of the IaaS application and the license fees paid by the third department would be split between the first and second departments.
  • In embodiments of the present invention, the data may be associated with the content available in the software application store is and SKU, policy, SKU-Policy, catalog, and the like. An SKU is the primary entity describing content available through the software application store and is a pure virtual entity describing a potentially addressable software component or interaction. An interaction can be a module, service, or the like. An SKU can be defined as a software module or a service binding. A software model represents and offering comprised of one or more physical software components, which can include source code, binaries, and the like, and the software module encapsulates the information needed to resolve binaries to locations on the shared filesystem, resolve binary dependencies, locate and provision associated software packages, and the like. A service binding models a software-as-a-service (SaaS) type offering and encapsulates the information needed to configure user-access to services, authenticate, bind to services, and the like. A policy will be applied as defined by standard policy types, resolved, and applied by modules as described elsewhere in this disclosure. In other embodiments, additional policy types and definitions, with possible extensions to existing models, may be added to support the software application store. An SKU-Policy is the collection of policies associated with a given SKU and is an extensible set of required or optional policies, which may be conditionally applied. A catalog is a collection of SKU's, filtered through access control, which can be applied at any level and made available to a group of users. In further embodiments access control can be used to introduce further groupings below the root level. A given catalog instance is a rule-based expression of the root catalog. The root catalog is defined as the base set of SKU data available to all subscribers. All SKU's published in the root catalog are ‘inherited’ by all derived catalogs. For example, the basic catalog hierarchy can be root catalog->customer catalog->user catalog.
  • FIG. 13 depicts an embodiment of a software application store and marketplace interaction structure, such as with software application store services, including policy management, object models, process handlers, repository providers, filesystem services and workflow services, interfacing with marketplace services, such as with software application store workflow connectors, a shared filesystem, a software application store repository, and the like. The components could be a marketplace, shared filesystem, filesystem client, server components, repository, user interface, and the like. The marketplace is the central ‘public’ repository that hosts the components listed in the root catalog, consists of a cluster of servers hosting a portion of the shared filesystem and a subset of the software application workflow components to manage publishing, approvals, and browsing. The marketplace may have its own basic user interface consisting of a few simple web pages, which provide access to the functionality of the software application interface. The shared filesystem may be a clustered, parallel filesystem housing all the physical components needed by the software application store and its offerings. The filesystem may be self-contained and may be used outside of the software application store or the system of the present invention. For example, marketplace catalog items can be hosted on the shared filesystem. The software application store may offer service components that simplify filesystem administration tasks and serve to isolate other components from the physical filesystem implementation. The filesystem client may be a client that accesses the software application store shared filesystem namespace using local filesystem semantics. For example, the namespace root may appear to the user as a local mount point or network mapped drive. In other embodiments, a number of client-side components may be installed to provide access to the software application store shared filesystem through the filesystem client. The present invention requires at least one client package for each target operating system and/or distribution. The filesystem client components are distributed through standard packages of the present invention that contain the scripts and attachment necessary to establish connectivity to the software application store shared filesystem through the filesystem client. The server components may be the core applications of the software application store and include the base object model, workflow processing components, catalog and metamodel access providers, unique policy definitions, and the like. The repository may be the collection of data structures housing the software application store metamodel, configuration, and catalog data, and the like; and are internal to the software application store. The user interface may be the collection of interface elements used to access software application store functionality and is implemented as a completely separate application that integrates with the main user interface of the present invention, describe elsewhere in this disclosure. In further embodiments, the software application store may make available shareable widgets that are an extension of the software application store user interface.
  • In other further embodiments, the software application store includes the capabilities to display lists of applications, application ratings, application reviews, other social features, and the like.
  • The term tool can be used to refer to any apparatus configured to perform a recited function. For example, tools can include a collection of one or more modules and can also be comprised of hardware, software or a combination thereof. Thus, for example, a tool can be a collection of one or more software modules, hardware modules, software/hardware modules or any combination or permutation thereof. As another example, a tool can be a computing device or other appliance on which software runs or in which hardware is implemented.
  • As used herein, the term module might describe a given unit of functionality that can be performed in accordance with one or more embodiments of the present invention. As used herein, a module might be implemented utilizing any form of hardware, software, or a combination thereof. For example, one or more processors, controllers, ASICs, PLAs, PALs, CPLDs, FPGAs, logical components, software routines or other mechanisms might be implemented to make up a module. In implementation, the various modules described herein might be implemented as discrete modules or the functions and features described can be shared in part or in total among one or more modules. In other words, as would be apparent to one of ordinary skill in the art after reading this description, the various features and functionality described herein may be implemented in any given application and can be implemented in one or more separate or shared modules in various combinations and permutations. Even though various features or elements of functionality may be individually described or claimed as separate modules, one of ordinary skill in the art will understand that these features and functionality can be shared among one or more common software and hardware elements, and such description shall not require or imply that separate hardware or software components are used to implement such features or functionality.
  • Where components or modules of the invention are implemented in whole or in part using software, in one embodiment, these software elements can be implemented to operate with a computing or processing module capable of carrying out the functionality described with respect thereto. One such example computing module is shown in FIG. 10. Various embodiments are described in terms of this example-computing module 900. After reading this description, it will become apparent to a person skilled in the relevant art how to implement the invention using other computing modules or architectures.
  • Referring now to FIG. 10, computing module 900 may represent, for example, computing or processing capabilities found within desktop, laptop and notebook computers; hand-held computing devices (PDA's, smart phones, cell phones, palmtops, etc.); mainframes, supercomputers, workstations or servers; or any other type of special-purpose or general-purpose computing devices as may be desirable or appropriate for a given application or environment. Computing module 900 might also represent computing capabilities embedded within or otherwise available to a given device. For example, a computing module might be found in other electronic devices such as, for example, digital cameras, navigation systems, cellular telephones, portable computing devices, modems, routers, WAPs, terminals and other electronic devices that might include some form of processing capability.
  • Computing module 900 might include, for example, one or more processors, controllers, control modules, or other processing devices, such as a processor 904. Processor 904 might be implemented using a general-purpose or special-purpose processing engine such as, for example, a microprocessor, controller, or other control logic. In the illustrated example, processor 904 is connected to a bus 902, although any communication medium can be used to facilitate interaction with other components of computing module 900 or to communicate externally.
  • Computing module 900 might also include one or more memory modules, simply referred to herein as main memory 908. For example, preferably random access memory (RAM) or other dynamic memory, might be used for storing information and instructions to be executed by processor 904. Main memory 908 might also be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 904. Computing module 900 might likewise include a read only memory (“ROM”) or other static storage device coupled to bus 902 for storing static information and instructions for processor 904.
  • The computing module 900 might also include one or more various forms of information storage mechanism 910, which might include, for example, a media drive 912 and a storage unit interface 920. The media drive 912 might include a drive or other mechanism to support fixed or removable storage media 914. For example, a hard disk drive, a floppy disk drive, a magnetic tape drive, an optical disk drive, a CD or DVD drive (R or RW), or other removable or fixed media drive might be provided. Accordingly, storage media 914 might include, for example, a hard disk, a floppy disk, magnetic tape, cartridge, optical disk, a CD or DVD, or other fixed or removable medium that is read by, written to or accessed by media drive 912. As these examples illustrate, the storage media 914 can include a computer usable storage medium having stored therein computer software or data.
  • In alternative embodiments, information storage mechanism 910 might include other similar instrumentalities for allowing computer programs or other instructions or data to be loaded into computing module 900. Such instrumentalities might include, for example, a fixed or removable storage unit 922 and an interface 920. Examples of such storage units 922 and interfaces 920 can include a program cartridge and cartridge interface, a removable memory (for example, a flash memory or other removable memory module) and memory slot, a PCMCIA slot and card, and other fixed or removable storage units 922 and interfaces 920 that allow software and data to be transferred from the storage unit 922 to computing module 900.
  • Computing module 900 might also include a communications interface 924. Communications interface 924 might be used to allow software and data to be transferred between computing module 900 and external devices. Examples of communications interface 924 might include a modem or softmodem, a network interface (such as an Ethernet, network interface card, WiMedia, IEEE 802.XX or other interface), a communications port (such as for example, a USB port, IR port, RS232 port Bluetooth® interface, or other port), or other communications interface. Software and data transferred via communications interface 924 might typically be carried on signals, which can be electronic, electromagnetic (which includes optical) or other signals capable of being exchanged by a given communications interface 924. These signals might be provided to communications interface 924 via a channel 928. This channel 928 might carry signals and might be implemented using a wired or wireless communication medium. Some examples of a channel might include a phone line, a cellular link, an RF link, an optical link, a network interface, a local or wide area network, and other wired or wireless communications channels.
  • In this document, the terms “computer program medium” and “computer usable medium” are used to generally refer to media such as, for example, memory 908, storage unit 920, media 914, and channel 928. These and other various forms of computer program media or computer usable media may be involved in carrying one or more sequences of one or more instructions to a processing device for execution. Such instructions embodied on the medium, are generally referred to as “computer program code” or a “computer program product” (which may be grouped in the form of computer programs or other groupings). When executed, such instructions might enable the computing module 900 to perform features or functions of the present invention as discussed herein.
  • While various embodiments of the present invention have been described above, it should be understood that they have been presented by way of example only, and not of limitation. Likewise, the various diagrams may depict an example architectural or other configuration for the invention, which is done to aid in understanding the features and functionality that can be included in the invention. The invention is not restricted to the illustrated example architectures or configurations, but the desired features can be implemented using a variety of alternative architectures and configurations. Indeed, it will be apparent to one of skill in the art how alternative functional, logical or physical partitioning and configurations can be implemented to implement the desired features of the present invention. Also, a multitude of different constituent module names other than those depicted herein can be applied to the various partitions. Additionally, with regard to flow diagrams, operational descriptions and method claims, the order in which the steps are presented herein shall not mandate that various embodiments be implemented to perform the recited functionality in the same order unless the context dictates otherwise.
  • Although the invention is described above in terms of various exemplary embodiments and implementations, it should be understood that the various features, aspects and functionality described in one or more of the individual embodiments are not limited in their applicability to the particular embodiment with which they are described, but instead can be applied, alone or in various combinations, to one or more of the other embodiments of the invention, whether or not such embodiments are described and whether or not such features are presented as being a part of a described embodiment. Thus, the breadth and scope of the present invention should not be limited by any of the above-described exemplary embodiments.
  • Terms and phrases used in this document, and variations thereof, unless otherwise expressly stated, should be construed as open ended as opposed to limiting. As examples of the foregoing: the term “including” should be read as meaning “including, without limitation” or the like; the term “example” is used to provide exemplary instances of the item in discussion, not an exhaustive or limiting list thereof; the terms “a” or “an” should be read as meaning at least one, one or more or the like; and adjectives such as “conventional,” “traditional,” “normal,” “standard,” “known” and terms of similar meaning should not be construed as limiting the item described to a given time period or to an item available as of a given time, but instead should be read to encompass conventional, traditional, normal, or standard technologies that may be available or known now or at any time in the future. Likewise, where this document refers to technologies that would be apparent or known to one of ordinary skill in the art, such technologies encompass those apparent or known to the skilled artisan now or at any time in the future.
  • The presence of broadening words and phrases such as “one or more,” “at least,” “but not limited to” or other like phrases in some instances shall not be read to mean that the narrower case is intended or required in instances where such broadening phrases may be absent. The use of the term “module” does not imply that the components or functionality described or claimed as part of the module are all configured in a common package. Indeed, any or all of the various components of a module, whether control logic or other components, can be combined in a single package or separately maintained and can further be distributed in multiple groupings or packages or across multiple locations.
  • Additionally, the various embodiments set forth herein are described in terms of exemplary block diagrams, flow charts and other illustrations. As will become apparent to one of ordinary skill in the art after reading this document, the illustrated embodiments and their various alternatives can be implemented without confinement to the illustrated examples. For example, block diagrams and their accompanying description should not be construed as mandating a particular architecture or configuration.
  • While the invention has been described in connection with certain preferred embodiments, other embodiments would be understood by one of ordinary skill in the art and are encompassed herein.
  • The methods and systems described herein may be deployed in part or in whole through a machine that executes computer software, program codes, and/or instructions on a processor. The present invention may be implemented as a method on the machine, as a system or apparatus as part of or in relation to the machine, or as a computer program product embodied in a computer readable medium executing on one or more of the machines. The processor may be part of a server, client, network infrastructure, mobile computing platform, stationary computing platform, or other computing platform. A processor may be any kind of computational or processing device capable of executing program instructions, codes, binary instructions and the like. The processor may be or include a signal processor, digital processor, embedded processor, microprocessor or any variant such as a co-processor (math co-processor, graphic co-processor, communication co-processor and the like) and the like that may directly or indirectly facilitate execution of program code or program instructions stored thereon. In addition, the processor may enable execution of multiple programs, threads, and codes. The threads may be executed simultaneously to enhance the performance of the processor and to facilitate simultaneous operations of the application. By way of implementation, methods, program codes, program instructions and the like described herein may be implemented in one or more thread. The thread may spawn other threads that may have assigned priorities associated with them; the processor may execute these threads based on priority or any other order based on instructions provided in the program code. The processor may include memory that stores methods, codes, instructions and programs as described herein and elsewhere. The processor may access a storage medium through an interface that may store methods, codes, and instructions as described herein and elsewhere. The storage medium associated with the processor for storing methods, programs, codes, program instructions or other type of instructions capable of being executed by the computing or processing device may include but may not be limited to one or more of a CD-ROM, DVD, memory, hard disk, flash drive, RAM, ROM, cache and the like.
  • A processor may include one or more cores that may enhance speed and performance of a multiprocessor. In embodiments, the process may be a dual core processor, quad core processors, other chip-level multiprocessor and the like that combine two or more independent cores (called a die).
  • The methods and systems described herein may be deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware. The software program may be associated with a server that may include a file server, print server, domain server, internet server, intranet server and other variants such as secondary server, host server, distributed server and the like. The server may include one or more of memories, processors, computer readable media, storage media, ports (physical and virtual), communication devices, and interfaces capable of accessing other servers, clients, machines, and devices through a wired or a wireless medium, and the like. The methods, programs or codes as described herein and elsewhere may be executed by the server. In addition, other devices required for execution of methods as described in this application may be considered as a part of the infrastructure associated with the server.
  • The server may provide an interface to other devices including, without limitation, clients, other servers, printers, database servers, print servers, file servers, communication servers, distributed servers and the like. Additionally, this coupling and/or connection may facilitate remote execution of program across the network. The networking of some or all of these devices may facilitate parallel processing of a program or method at one or more location without deviating from the scope of the invention. In addition, any of the devices attached to the server through an interface may include at least one storage medium capable of storing methods, programs, code and/or instructions. A central repository may provide program instructions to be executed on different devices. In this implementation, the remote repository may act as a storage medium for program code, instructions, and programs.
  • The software program may be associated with a client that may include a file client, print client, domain client, internet client, intranet client and other variants such as secondary client, host client, distributed client and the like. The client may include one or more of memories, processors, computer readable media, storage media, ports (physical and virtual), communication devices, and interfaces capable of accessing other clients, servers, machines, and devices through a wired or a wireless medium, and the like. The methods, programs or codes as described herein and elsewhere may be executed by the client. In addition, other devices required for execution of methods as described in this application may be considered as a part of the infrastructure associated with the client.
  • The client may provide an interface to other devices including, without limitation, servers, other clients, printers, database servers, print servers, file servers, communication servers, distributed servers and the like. Additionally, this coupling and/or connection may facilitate remote execution of program across the network. The networking of some or all of these devices may facilitate parallel processing of a program or method at one or more location without deviating from the scope of the invention. In addition, any of the devices attached to the client through an interface may include at least one storage medium capable of storing methods, programs, applications, code and/or instructions. A central repository may provide program instructions to be executed on different devices. In this implementation, the remote repository may act as a storage medium for program code, instructions, and programs.
  • The methods and systems described herein may be deployed in part or in whole through network infrastructures. The network infrastructure may include elements such as computing devices, servers, routers, hubs, firewalls, clients, personal computers, communication devices, routing devices and other active and passive devices, modules and/or components as known in the art. The computing and/or non-computing device(s) associated with the network infrastructure may include, apart from other components, a storage medium such as flash memory, buffer, stack, RAM, ROM and the like. The processes, methods, program codes, instructions described herein and elsewhere may be executed by one or more of the network infrastructural elements.
  • The methods, program codes, and instructions described herein and elsewhere may be implemented on a cellular network having multiple cells. The cellular network may either be frequency division multiple access (FDMA) network or code division multiple access (CDMA) network. The cellular network may include mobile devices, cell sites, base stations, repeaters, antennas, towers, and the like. The cell network may be a GSM, GPRS, 3G, EVDO, mesh, or other networks types.
  • The methods, programs codes, and instructions described herein and elsewhere may be implemented on or through mobile devices. The mobile devices may include navigation devices, cell phones, mobile phones, mobile personal digital assistants, laptops, palmtops, netbooks, pagers, electronic books readers, music players and the like. These devices may include, apart from other components, a storage medium such as a flash memory, buffer, RAM, ROM and one or more computing devices. The computing devices associated with mobile devices may be enabled to execute program codes, methods, and instructions stored thereon. Alternatively, the mobile devices may be configured to execute instructions in collaboration with other devices. The mobile devices may communicate with base stations interfaced with servers and configured to execute program codes. The mobile devices may communicate on a peer to peer network, mesh network, or other communications network. The program code may be stored on the storage medium associated with the server and executed by a computing device embedded within the server. The base station may include a computing device and a storage medium. The storage device may store program codes and instructions executed by the computing devices associated with the base station.
  • The computer software, program codes, and/or instructions may be stored and/or accessed on machine readable media that may include: computer components, devices, and recording media that retain digital data used for computing for some interval of time; semiconductor storage known as random access memory (RAM); mass storage typically for more permanent storage, such as optical discs, forms of magnetic storage like hard disks, tapes, drums, cards and other types; processor registers, cache memory, volatile memory, non-volatile memory; optical storage such as CD, DVD; removable media such as flash memory (e.g. USB sticks or keys), floppy disks, magnetic tape, paper tape, punch cards, standalone RAM disks, Zip drives, removable mass storage, off-line, and the like; other computer memory such as dynamic memory, static memory, read/write storage, mutable storage, read only, random access, sequential access, location addressable, file addressable, content addressable, network attached storage, storage area network, bar codes, magnetic ink, and the like.
  • The methods and systems described herein may transform physical and/or or intangible items from one state to another. The methods and systems described herein may also transform data representing physical and/or intangible items from one state to another.
  • The elements described and depicted herein, including in flow charts and block diagrams throughout the figures, imply logical boundaries between the elements. However, according to software or hardware engineering practices, the depicted elements and the functions thereof may be implemented on machines through computer executable media having a processor capable of executing program instructions stored thereon as a monolithic software structure, as standalone software modules, or as modules that employ external routines, code, services, and so forth, or any combination of these, and all such implementations may be within the scope of the present disclosure. Examples of such machines may include, but may not be limited to, personal digital assistants, laptops, personal computers, mobile phones, other handheld computing devices, medical equipment, wired or wireless communication devices, transducers, chips, calculators, satellites, tablet PCs, electronic books, gadgets, electronic devices, devices having artificial intelligence, computing devices, networking equipments, servers, routers and the like. Furthermore, the elements depicted in the flow chart and block diagrams or any other logical component may be implemented on a machine capable of executing program instructions. Thus, while the foregoing drawings and descriptions set forth functional aspects of the disclosed systems, no particular arrangement of software for implementing these functional aspects should be inferred from these descriptions unless explicitly stated or otherwise clear from the context. Similarly, it will be appreciated that the various steps identified and described above may be varied, and that the order of steps may be adapted to particular applications of the techniques disclosed herein. All such variations and modifications are intended to fall within the scope of this disclosure. As such, the depiction and/or description of an order for various steps should not be understood to require a particular order of execution for those steps, unless required by a particular application, or explicitly stated or otherwise clear from the context.
  • The methods and/or processes described above, and steps thereof, may be realized in hardware, software or any combination of hardware and software suitable for a particular application. The hardware may include a general-purpose computer and/or dedicated computing device or specific computing device or particular aspect or component of a specific computing device. The processes may be realized in one or more microprocessors, microcontrollers, embedded microcontrollers, programmable digital signal processors or other programmable device, along with internal and/or external memory. The processes may also, or instead, be embodied in an application specific integrated circuit, a programmable gate array, programmable array logic, or any other device or combination of devices that may be configured to process electronic signals. It will further be appreciated that one or more of the processes may be realized as a computer executable code capable of being executed on a machine-readable medium.
  • The computer executable code may be created using a structured programming language such as C, an object oriented programming language such as C++, or any other high-level or low-level programming language (including assembly languages, hardware description languages, and database programming languages and technologies) that may be stored, compiled or interpreted to run on one of the above devices, as well as heterogeneous combinations of processors, processor architectures, or combinations of different hardware and software, or any other machine capable of executing program instructions.
  • Thus, in one aspect, each method described above and combinations thereof may be embodied in computer executable code that, when executing on one or more computing devices, performs the steps thereof. In another aspect, the methods may be embodied in systems that perform the steps thereof, and may be distributed across devices in a number of ways, or all of the functionality may be integrated into a dedicated, standalone device or other hardware. In another aspect, the means for performing the steps associated with the processes described above may include any of the hardware and/or software described above. All such permutations and combinations are intended to fall within the scope of the present disclosure.
  • While the invention has been disclosed in connection with the preferred embodiments shown and described in detail, various modifications and improvements thereon will become readily apparent to those skilled in the art. Accordingly, the spirit and scope of the present invention is not to be limited by the foregoing examples, but is to be understood in the broadest sense allowable by law.
  • All documents referenced herein are hereby incorporated by reference.

Claims (20)

1. A computer-implemented method comprising:
receiving, by a computing system, a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources;
identifying, by the computing system, a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS);
associating, by the computing system, a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction;
deploying, by the computing system, the computer workload in a virtual private cloud within the clouding-computing environment; and
applying, by the computing system, the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud.
2. The computer-implemented method of claim 1, further comprising:
testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.
3. The computer-implemented method of claim 2, wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud.
4. The computer-implemented method of claim 1, wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone.
5. The computer-implemented method of claim 1, further comprising:
tagging the computer workload based on the security zone to enable the computer workload to perform at least one of: 1) operations in the security zone or 2) communications across a plurality of security zones, wherein each security zone in the plurality of security zones has a defined set of associated firewalls.
6. The computer-implemented method of claim 1, wherein the cloud-computing environment is associated with a virtualization environment, and wherein the virtualization environment has a metamodel framework that allows the policy to be associated with the computer workload.
7. The computer-implemented method of claim 1, wherein the computer workload is included in an identified plurality of computer workloads configured to perform the computing workflow.
8. The computer-implemented method of claim 1, wherein the security zone is associated with at least one of a geographic zone, a network zone, an enterprise zone, an operational zone, or an organizational zone.
9. The computer-implemented method of claim 1, wherein the policy includes a security policy, and wherein the security policy is associated with at least one of an access policy, a write-permission policy, a resource utilization policy, or an editing permission policy.
10. The computer-implemented method of claim 9, further comprising:
receiving, at a central policy server, a definition for the security policy, wherein the central policy server is configured to associate the security policy to at least one of the computer workload or a particular cloud-computing resource, out of the plurality of cloud-computing resources, that performs the computer workload; and
pushing the security policy to the particular cloud-computing resource.
11. A system comprising:
at least one processor; and
a memory storing instructions that, when executed by the at least one processor, cause the system to perform:
receiving a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources;
identifying a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS);
associating a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction;
deploying the computer workload in a virtual private cloud within the clouding-computing environment; and
applying the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud.
12. The system of claim 11, wherein the instructions cause the system to further perform:
testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.
13. The system of claim 12, wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud.
14. The system of claim 11, wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone.
15. The system of claim 11, wherein the instructions cause the system to further perform:
tagging the computer workload based on the security zone to enable the computer workload to perform at least one of: 1) operations in the security zone or 2) communications across a plurality of security zones, wherein each security zone in the plurality of security zones has a defined set of associated firewalls.
16. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to perform:
receiving a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources;
identifying a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS);
associating a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction;
deploying the computer workload in a virtual private cloud within the clouding-computing environment; and
applying the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud.
17. The non-transitory computer-readable storage medium of claim 16, wherein the instructions cause the computing system to further perform:
testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.
18. The non-transitory computer-readable storage medium of claim 17, wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud.
19. The non-transitory computer-readable storage medium of claim 16, wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone.
20. The non-transitory computer-readable storage medium of claim 16, wherein the instructions cause the system to further perform:
tagging the computer workload based on the security zone to enable the computer workload to perform at least one of: 1) operations in the security zone or 2) communications across a plurality of security zones, wherein each security zone in the plurality of security zones has a defined set of associated firewalls.
US14/720,681 2008-06-19 2015-05-22 System and method for a cloud computing abstraction layer with security zone facilities Abandoned US20160112453A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US14/720,681 US20160112453A1 (en) 2008-06-19 2015-05-22 System and method for a cloud computing abstraction layer with security zone facilities
US15/621,443 US20180131724A1 (en) 2008-06-19 2017-06-13 System and method for a cloud computing abstraction layer with security zone facilities
US16/058,688 US20190245888A1 (en) 2008-06-19 2018-08-08 System and method for a cloud computing abstraction layer with security zone facilities
US16/907,005 US20210014275A1 (en) 2008-06-19 2020-06-19 System and method for a cloud computing abstraction layer with security zone facilities

Applications Claiming Priority (7)

Application Number Priority Date Filing Date Title
US7402708P 2008-06-19 2008-06-19
US12/488,424 US8514868B2 (en) 2008-06-19 2009-06-19 Cloud computing gateway, cloud computing hypervisor, and methods for implementing same
US29640510P 2010-01-19 2010-01-19
US201161434396P 2011-01-19 2011-01-19
US13/009,774 US8931038B2 (en) 2009-06-19 2011-01-19 System and method for a cloud computing abstraction layer
US13/354,275 US9069599B2 (en) 2008-06-19 2012-01-19 System and method for a cloud computing abstraction layer with security zone facilities
US14/720,681 US20160112453A1 (en) 2008-06-19 2015-05-22 System and method for a cloud computing abstraction layer with security zone facilities

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/354,275 Continuation US9069599B2 (en) 2008-06-19 2012-01-19 System and method for a cloud computing abstraction layer with security zone facilities

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/621,443 Continuation US20180131724A1 (en) 2008-06-19 2017-06-13 System and method for a cloud computing abstraction layer with security zone facilities

Publications (1)

Publication Number Publication Date
US20160112453A1 true US20160112453A1 (en) 2016-04-21

Family

ID=46491761

Family Applications (5)

Application Number Title Priority Date Filing Date
US13/354,275 Active 2029-08-15 US9069599B2 (en) 2008-06-19 2012-01-19 System and method for a cloud computing abstraction layer with security zone facilities
US14/720,681 Abandoned US20160112453A1 (en) 2008-06-19 2015-05-22 System and method for a cloud computing abstraction layer with security zone facilities
US15/621,443 Abandoned US20180131724A1 (en) 2008-06-19 2017-06-13 System and method for a cloud computing abstraction layer with security zone facilities
US16/058,688 Abandoned US20190245888A1 (en) 2008-06-19 2018-08-08 System and method for a cloud computing abstraction layer with security zone facilities
US16/907,005 Pending US20210014275A1 (en) 2008-06-19 2020-06-19 System and method for a cloud computing abstraction layer with security zone facilities

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/354,275 Active 2029-08-15 US9069599B2 (en) 2008-06-19 2012-01-19 System and method for a cloud computing abstraction layer with security zone facilities

Family Applications After (3)

Application Number Title Priority Date Filing Date
US15/621,443 Abandoned US20180131724A1 (en) 2008-06-19 2017-06-13 System and method for a cloud computing abstraction layer with security zone facilities
US16/058,688 Abandoned US20190245888A1 (en) 2008-06-19 2018-08-08 System and method for a cloud computing abstraction layer with security zone facilities
US16/907,005 Pending US20210014275A1 (en) 2008-06-19 2020-06-19 System and method for a cloud computing abstraction layer with security zone facilities

Country Status (1)

Country Link
US (5) US9069599B2 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130185434A1 (en) * 2012-01-18 2013-07-18 International Business Machines Corporation Cloud-based Content Management System
US20150121244A1 (en) * 2013-10-31 2015-04-30 Hewlett-Packard Development Company, L.P. Building a Realized Topology with a Binding Document
US20170289169A1 (en) * 2016-03-30 2017-10-05 Oracle International Corporation Establishing a cleanroom data processing environment
US10158629B2 (en) 2016-06-20 2018-12-18 Bank Of America Corporation Preventing unauthorized access to secured information systems using multi-device authentication techniques
US10579821B2 (en) 2016-12-30 2020-03-03 Microsoft Technology Licensing, Llc Intelligence and analysis driven security and compliance recommendations
US10650621B1 (en) 2016-09-13 2020-05-12 Iocurrents, Inc. Interfacing with a vehicular controller area network
US10701100B2 (en) 2016-12-30 2020-06-30 Microsoft Technology Licensing, Llc Threat intelligence management in security and compliance environment
US10827006B2 (en) 2018-05-22 2020-11-03 At&T Intellectual Property I, L.P. Policy-driven homing service system
US10848501B2 (en) 2016-12-30 2020-11-24 Microsoft Technology Licensing, Llc Real time pivoting on data to model governance properties
US10917478B2 (en) * 2016-04-16 2021-02-09 International Business Machines Corporation Cloud enabling resources as a service
US20210117517A1 (en) * 2019-10-18 2021-04-22 ASG Technologies Group, Inc. dba ASG Technologies Systems for Secure Enterprise-Wide Fine-Grained Role-Based Access Control of Organizational Assets
US20210185007A1 (en) * 2019-12-17 2021-06-17 Atos Uk It Limited Integration of an orchestration services with a cloud automation services

Families Citing this family (602)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9418040B2 (en) * 2005-07-07 2016-08-16 Sciencelogic, Inc. Dynamically deployable self configuring distributed network management system
US9678803B2 (en) 2007-06-22 2017-06-13 Red Hat, Inc. Migration of network entities to a cloud infrastructure
US9727440B2 (en) 2007-06-22 2017-08-08 Red Hat, Inc. Automatic simulation of virtual machine performance
US9426024B2 (en) * 2007-06-22 2016-08-23 Red Hat, Inc. Establishing communication between enterprise nodes migrated to a public cloud and private enterprise infrastructure
US9477572B2 (en) 2007-06-22 2016-10-25 Red Hat, Inc. Performing predictive modeling of virtual machine relationships
US9569330B2 (en) 2007-06-22 2017-02-14 Red Hat, Inc. Performing dependency analysis on nodes of a business application service group
US9354960B2 (en) 2010-12-27 2016-05-31 Red Hat, Inc. Assigning virtual machines to business application service groups based on ranking of the virtual machines
US9069599B2 (en) * 2008-06-19 2015-06-30 Servicemesh, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US8514868B2 (en) 2008-06-19 2013-08-20 Servicemesh, Inc. Cloud computing gateway, cloud computing hypervisor, and methods for implementing same
US9489647B2 (en) 2008-06-19 2016-11-08 Csc Agility Platform, Inc. System and method for a cloud computing abstraction with self-service portal for publishing resources
US8763071B2 (en) * 2008-07-24 2014-06-24 Zscaler, Inc. Systems and methods for mobile application security classification and enforcement
US20100064033A1 (en) * 2008-09-08 2010-03-11 Franco Travostino Integration of an internal cloud infrastructure with existing enterprise services and systems
EP2184681A1 (en) * 2008-10-31 2010-05-12 HSBC Holdings plc Capacity control
US20190288956A1 (en) * 2009-06-19 2019-09-19 Servicemesh, Inc. System and method for a cloud computing abstraction layer
US8250213B2 (en) 2009-11-16 2012-08-21 At&T Intellectual Property I, L.P. Methods and apparatus to allocate resources associated with a distributive computing network
US8959217B2 (en) * 2010-01-15 2015-02-17 Joyent, Inc. Managing workloads and hardware resources in a cloud resource
US20120005675A1 (en) * 2010-01-22 2012-01-05 Brutesoft, Inc. Applying peer-to-peer networking protocols to virtual machine (vm) image management
US9442748B2 (en) 2010-03-17 2016-09-13 Zerto, Ltd. Multi-RPO data protection
US10649799B2 (en) 2010-03-17 2020-05-12 Zerto Ltd. Hypervisor virtual server system, and method for providing data services within a hypervisor virtual server system
US11256529B2 (en) 2010-03-17 2022-02-22 Zerto Ltd. Methods and apparatus for providing hypervisor level data services for server virtualization
US9710294B2 (en) 2010-03-17 2017-07-18 Zerto Ltd. Methods and apparatus for providing hypervisor level data services for server virtualization
US9389892B2 (en) 2010-03-17 2016-07-12 Zerto Ltd. Multiple points in time disk images for disaster recovery
US10114678B2 (en) * 2010-03-19 2018-10-30 Micro Focus Software Inc. Techniques for managing service definitions in an intelligent workload management system
US8965860B2 (en) * 2010-04-01 2015-02-24 Salesforce.Com, Inc. Methods and systems for bulk uploading of data in an on-demand service environment
US8627426B2 (en) * 2010-04-26 2014-01-07 Vmware, Inc. Cloud platform architecture
US8856300B2 (en) 2010-05-18 2014-10-07 At&T Intellectual Property I, L.P. End-to-end secure cloud computing
US10715457B2 (en) 2010-06-15 2020-07-14 Oracle International Corporation Coordination of processes in cloud computing environments
WO2011159842A2 (en) 2010-06-15 2011-12-22 Nimbula, Inc. Virtual computing infrastructure
US20120054731A1 (en) * 2010-08-24 2012-03-01 International Business Machines Corporation Method, System and Computer Programs to Assist Migration to a Cloud Computing Environment
US8612577B2 (en) * 2010-11-23 2013-12-17 Red Hat, Inc. Systems and methods for migrating software modules into one or more clouds
US8699499B2 (en) * 2010-12-08 2014-04-15 At&T Intellectual Property I, L.P. Methods and apparatus to provision cloud computing network elements
US20120159634A1 (en) * 2010-12-15 2012-06-21 International Business Machines Corporation Virtual machine migration
US10176018B2 (en) * 2010-12-21 2019-01-08 Intel Corporation Virtual core abstraction for cloud computing
US8863138B2 (en) * 2010-12-22 2014-10-14 Intel Corporation Application service performance in cloud computing
US9396040B2 (en) * 2010-12-27 2016-07-19 Nokia Technologies Oy Method and apparatus for providing multi-level distributed computations
US8683560B1 (en) * 2010-12-29 2014-03-25 Amazon Technologies, Inc. Techniques for credential generation
US20120173717A1 (en) * 2010-12-31 2012-07-05 Vince Kohli Cloud*Innovator
US9172766B2 (en) 2011-01-10 2015-10-27 Fiberlink Communications Corporation System and method for extending cloud services into the customer premise
US9191327B2 (en) 2011-02-10 2015-11-17 Varmour Networks, Inc. Distributed service processing of network gateways using virtual machines
US9104672B2 (en) 2011-02-25 2015-08-11 International Business Machines Corporation Virtual security zones for data processing environments
US9128773B2 (en) * 2011-02-25 2015-09-08 International Business Machines Corporation Data processing environment event correlation
US8555276B2 (en) 2011-03-11 2013-10-08 Joyent, Inc. Systems and methods for transparently optimizing workloads
US9935836B2 (en) * 2011-04-07 2018-04-03 Veritas Technologies Llc Exclusive IP zone support systems and method
US9015710B2 (en) 2011-04-12 2015-04-21 Pivotal Software, Inc. Deployment system for multi-node applications
BR112013032366B1 (en) 2011-06-17 2022-11-01 Huawei Technologies Co.,Ltd CLOUD SERVICE MANAGEMENT AND CONTROL EXPANDED ARCHITECTURE APPLIANCE FOR INTERFACE WITH A NETWORK STRATUM
US9015601B2 (en) 2011-06-21 2015-04-21 Box, Inc. Batch uploading of content to a web-based collaboration environment
US9542566B2 (en) * 2011-06-24 2017-01-10 Alibaba.Com Limited Develop and deploy software in multiple environments
US9736065B2 (en) 2011-06-24 2017-08-15 Cisco Technology, Inc. Level of hierarchy in MST for traffic localization and load balancing
US9978040B2 (en) 2011-07-08 2018-05-22 Box, Inc. Collaboration sessions in a workspace on a cloud-based content management system
EP2729877A4 (en) 2011-07-08 2015-06-17 Box Inc Desktop application for access and interaction with workspaces in a cloud-based content management system and synchronization mechanisms thereof
US8407323B2 (en) 2011-07-12 2013-03-26 At&T Intellectual Property I, L.P. Network connectivity wizard to support automated creation of customized configurations for virtual private cloud computing networks
US9170798B2 (en) 2012-03-02 2015-10-27 Vmware, Inc. System and method for customizing a deployment plan for a multi-tier application in a cloud infrastructure
US20130019246A1 (en) * 2011-07-14 2013-01-17 International Business Machines Corporation Managing A Collection Of Assemblies In An Enterprise Intelligence ('EI') Framework
US9646278B2 (en) 2011-07-14 2017-05-09 International Business Machines Corporation Decomposing a process model in an enterprise intelligence (‘EI’) framework
US9659266B2 (en) * 2011-07-14 2017-05-23 International Business Machines Corporation Enterprise intelligence (‘EI’) management in an EI framework
US8706852B2 (en) * 2011-08-23 2014-04-22 Red Hat, Inc. Automated scaling of an application and its support components
US9781205B2 (en) * 2011-09-12 2017-10-03 Microsoft Technology Licensing, Llc Coordination engine for cloud selection
US9197718B2 (en) 2011-09-23 2015-11-24 Box, Inc. Central management and control of user-contributed content in a web-based collaboration environment and management console thereof
US8881229B2 (en) 2011-10-11 2014-11-04 Citrix Systems, Inc. Policy-based application management
US9215225B2 (en) 2013-03-29 2015-12-15 Citrix Systems, Inc. Mobile device locking with context
US9143529B2 (en) 2011-10-11 2015-09-22 Citrix Systems, Inc. Modifying pre-existing mobile applications to implement enterprise security policies
US20140053234A1 (en) 2011-10-11 2014-02-20 Citrix Systems, Inc. Policy-Based Application Management
US20140032733A1 (en) 2011-10-11 2014-01-30 Citrix Systems, Inc. Policy-Based Application Management
US9280377B2 (en) 2013-03-29 2016-03-08 Citrix Systems, Inc. Application with multiple operation modes
US8515902B2 (en) 2011-10-14 2013-08-20 Box, Inc. Automatic and semi-automatic tagging features of work items in a shared workspace for metadata tracking in a cloud-based content management system with selective or optional user contribution
US9116893B2 (en) 2011-10-21 2015-08-25 Qualcomm Incorporated Network connected media gateway for communication networks
US9148381B2 (en) 2011-10-21 2015-09-29 Qualcomm Incorporated Cloud computing enhanced gateway for communication networks
CN103067344B (en) * 2011-10-24 2016-03-30 国际商业机器公司 The noninvasive method of automatic distributing safety regulation and equipment in cloud environment
US8447851B1 (en) * 2011-11-10 2013-05-21 CopperEgg Corporation System for monitoring elastic cloud-based computing systems as a service
US8990307B2 (en) 2011-11-16 2015-03-24 Box, Inc. Resource effective incremental updating of a remote client with events which occurred via a cloud-enabled platform
US8868710B2 (en) * 2011-11-18 2014-10-21 Amazon Technologies, Inc. Virtual network interface objects
GB2500152A (en) 2011-11-29 2013-09-11 Box Inc Mobile platform file and folder selection functionalities for offline access and synchronization
US9019123B2 (en) 2011-12-22 2015-04-28 Box, Inc. Health check services for web-based collaboration environments
US8782224B2 (en) 2011-12-29 2014-07-15 Joyent, Inc. Systems and methods for time-based dynamic allocation of resource management
US9904435B2 (en) 2012-01-06 2018-02-27 Box, Inc. System and method for actionable event generation for task delegation and management via a discussion forum in a web-based collaboration environment
US20130179593A1 (en) * 2012-01-09 2013-07-11 Qualcomm Incorporated Cloud computing controlled gateway for communication networks
US8908698B2 (en) 2012-01-13 2014-12-09 Cisco Technology, Inc. System and method for managing site-to-site VPNs of a cloud managed network
US9336061B2 (en) 2012-01-14 2016-05-10 International Business Machines Corporation Integrated metering of service usage for hybrid clouds
US9772830B2 (en) * 2012-01-19 2017-09-26 Syntel, Inc. System and method for modeling cloud rules for migration to the cloud
US8930542B2 (en) * 2012-01-23 2015-01-06 International Business Machines Corporation Dynamically building a set of compute nodes to host the user's workload
WO2013111532A1 (en) * 2012-01-25 2013-08-01 日本電気株式会社 Administration system, administration method, and program
US9489243B2 (en) * 2012-01-26 2016-11-08 Computenext Inc. Federating computing resources across the web
WO2013119841A1 (en) * 2012-02-10 2013-08-15 Nimbula, Inc. Cloud computing services framework
US9471777B1 (en) * 2012-02-24 2016-10-18 Emc Corporation Scheduling of defensive security actions in information processing systems
US9965745B2 (en) 2012-02-24 2018-05-08 Box, Inc. System and method for promoting enterprise adoption of a web-based collaboration environment
US9058198B2 (en) 2012-02-29 2015-06-16 Red Hat Inc. System resource sharing in a multi-tenant platform-as-a-service environment in a cloud computing system
US9047107B2 (en) * 2012-02-29 2015-06-02 Red Hat, Inc. Applying a custom security type label to multi-tenant applications of a node in a platform-as-a-service environment
US9720668B2 (en) 2012-02-29 2017-08-01 Red Hat, Inc. Creating and maintaining multi-tenant applications in a platform-as-a-service (PaaS) environment of a cloud computing system
US9038128B2 (en) * 2012-02-29 2015-05-19 Red Hat, Inc. Applying security category labels to multi-tenant applications of a node in a platform-as-a-service environment
US9047133B2 (en) 2012-03-02 2015-06-02 Vmware, Inc. Single, logical, multi-tier application blueprint used for deployment and management of multiple physical applications in a cloud environment
US9052961B2 (en) 2012-03-02 2015-06-09 Vmware, Inc. System to generate a deployment plan for a cloud infrastructure according to logical, multi-tier application blueprint
US9544324B2 (en) * 2012-03-02 2017-01-10 Trustwave Holdings, Inc. System and method for managed security assessment and mitigation
US10031783B2 (en) 2012-03-02 2018-07-24 Vmware, Inc. Execution of a distributed deployment plan for a multi-tier application in a cloud infrastructure
US9195636B2 (en) 2012-03-07 2015-11-24 Box, Inc. Universal file type preview for mobile devices
US9088570B2 (en) 2012-03-26 2015-07-21 International Business Machines Corporation Policy implementation in a networked computing environment
JP5804192B2 (en) * 2012-03-28 2015-11-04 富士通株式会社 Information processing apparatus, information processing method, and information processing system
US8751620B2 (en) * 2012-03-30 2014-06-10 International Business Machines Corporation Validating deployment patterns in a networked computing environment
US8782795B1 (en) * 2012-03-30 2014-07-15 Emc Corporation Secure tenant assessment of information technology infrastructure
US9054919B2 (en) 2012-04-05 2015-06-09 Box, Inc. Device pinning capability for enterprise cloud service and storage accounts
US9575981B2 (en) 2012-04-11 2017-02-21 Box, Inc. Cloud service enabled to handle a set of files depicted to a user as a single file in a native operating system
US20150046507A1 (en) * 2012-04-16 2015-02-12 Hewlett-Packard Development Company, L.P. Secure Network Data
US9507748B2 (en) * 2012-04-26 2016-11-29 Hewlett Packard Enterprise Development Lp Platform runtime abstraction
US9626526B2 (en) * 2012-04-30 2017-04-18 Ca, Inc. Trusted public infrastructure grid cloud
WO2013165369A1 (en) * 2012-04-30 2013-11-07 Hewlett-Packard Development Company, L.P. Automated event management
US9665411B2 (en) 2012-05-01 2017-05-30 Red Hat, Inc. Communication between a server orchestration system and a messaging system
US9450967B1 (en) 2012-05-01 2016-09-20 Amazon Technologies, Inc. Intelligent network service provisioning and maintenance
US9438556B1 (en) 2012-05-01 2016-09-06 Amazon Technologies, Inc Flexibly configurable remote network identities
US8850514B2 (en) 2012-05-01 2014-09-30 Red Hat, Inc. Cartridges in a multi-tenant platforms-as-a-service (PaaS) system implemented in a cloud computing environment
US9294437B1 (en) * 2012-05-01 2016-03-22 Amazon Technologies, Inc. Remotely configured network appliances and services
US9288182B1 (en) * 2012-05-01 2016-03-15 Amazon Technologies, Inc. Network gateway services and extensions
US9245111B2 (en) 2012-05-01 2016-01-26 Red Hat, Inc. Owner command execution in a multi-tenant cloud hosting environment
US9413587B2 (en) 2012-05-02 2016-08-09 Box, Inc. System and method for a third-party application to access content within a cloud-based platform
US9396216B2 (en) 2012-05-04 2016-07-19 Box, Inc. Repository redundancy implementation of a system which incrementally updates clients with events that occurred via a cloud-enabled platform
US9548962B2 (en) * 2012-05-11 2017-01-17 Alcatel Lucent Apparatus and method for providing a fluid security layer
US9691051B2 (en) 2012-05-21 2017-06-27 Box, Inc. Security enhancement through application access control
US9027108B2 (en) 2012-05-23 2015-05-05 Box, Inc. Systems and methods for secure file portability between mobile applications on a mobile device
US8914900B2 (en) * 2012-05-23 2014-12-16 Box, Inc. Methods, architectures and security mechanisms for a third-party application to access content in a cloud-based platform
WO2013179383A1 (en) * 2012-05-29 2013-12-05 株式会社日立システムズ Cloud security management system
US9342328B2 (en) * 2012-05-31 2016-05-17 International Business Machines Corporation Model for simulation within infrastructure management software
US9286491B2 (en) 2012-06-07 2016-03-15 Amazon Technologies, Inc. Virtual service provider zones
US10084818B1 (en) 2012-06-07 2018-09-25 Amazon Technologies, Inc. Flexibly configurable data modification services
US10075471B2 (en) 2012-06-07 2018-09-11 Amazon Technologies, Inc. Data loss prevention techniques
US20150100684A1 (en) * 2012-06-08 2015-04-09 Stephane Maes Test and management for cloud applications
EP2859441B1 (en) * 2012-06-08 2019-09-04 Hewlett-Packard Enterprise Development LP Cloud application deployment portability
US9304801B2 (en) * 2012-06-12 2016-04-05 TELEFONAKTIEBOLAGET L M ERRICSSON (publ) Elastic enforcement layer for cloud security using SDN
US9081610B2 (en) * 2012-06-18 2015-07-14 Hitachi, Ltd. Method and apparatus to maximize return on investment in hybrid cloud environment
US9952909B2 (en) * 2012-06-20 2018-04-24 Paypal, Inc. Multiple service classes in a shared cloud
EP3364297B1 (en) 2012-06-26 2022-05-04 Lynx Software Technologies Inc. Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection prevention, and/or other features
GB2503463A (en) * 2012-06-27 2014-01-01 Ibm Overriding abstract resource manager methods to provide resources to implement nodes in a service definition
US9032399B1 (en) * 2012-06-28 2015-05-12 Emc Corporation Measurement of input/output scheduling characteristics in distributed virtual infrastructure
US9348652B2 (en) 2012-07-02 2016-05-24 Vmware, Inc. Multi-tenant-cloud-aggregation and application-support system
US9021099B2 (en) 2012-07-03 2015-04-28 Box, Inc. Load balancing secure FTP connections among multiple FTP servers
GB2505072A (en) 2012-07-06 2014-02-19 Box Inc Identifying users and collaborators as search results in a cloud-based system
US9712510B2 (en) 2012-07-06 2017-07-18 Box, Inc. Systems and methods for securely submitting comments among users via external messaging applications in a cloud-based platform
US9792320B2 (en) 2012-07-06 2017-10-17 Box, Inc. System and method for performing shard migration to support functions of a cloud-based service
US9237170B2 (en) 2012-07-19 2016-01-12 Box, Inc. Data loss prevention (DLP) methods and architectures by a cloud service
US8949839B2 (en) * 2012-07-26 2015-02-03 Centurylink Intellectual Property Llc Method and system for controlling work request queue in a multi-tenant cloud computing environment
US9794256B2 (en) 2012-07-30 2017-10-17 Box, Inc. System and method for advanced control tools for administrators in a cloud-based service
US8868574B2 (en) 2012-07-30 2014-10-21 Box, Inc. System and method for advanced search and filtering mechanisms for enterprise administrators in a cloud-based environment
US10963420B2 (en) * 2012-08-10 2021-03-30 Adobe Inc. Systems and methods for providing hot spare nodes
US9292352B2 (en) 2012-08-10 2016-03-22 Adobe Systems Incorporated Systems and methods for cloud management
US9167050B2 (en) * 2012-08-16 2015-10-20 Futurewei Technologies, Inc. Control pool based enterprise policy enabler for controlled cloud access
US8745267B2 (en) 2012-08-19 2014-06-03 Box, Inc. Enhancement of upload and/or download performance based on client and/or server feedback information
US9369520B2 (en) 2012-08-19 2016-06-14 Box, Inc. Enhancement of upload and/or download performance based on client and/or server feedback information
US8805921B2 (en) * 2012-08-20 2014-08-12 International Business Machines Corporation System and method supporting application solution composition on cloud
US9306946B1 (en) * 2012-08-21 2016-04-05 Dj Inventions, Llc Intelligent electronic cryptographic cloud computing system
US9558202B2 (en) 2012-08-27 2017-01-31 Box, Inc. Server side techniques for reducing database workload in implementing selective subfolder synchronization in a cloud-based environment
US9135462B2 (en) 2012-08-29 2015-09-15 Box, Inc. Upload and download streaming encryption to/from a cloud-based platform
US9117087B2 (en) 2012-09-06 2015-08-25 Box, Inc. System and method for creating a secure channel for inter-application communication based on intents
US9311071B2 (en) 2012-09-06 2016-04-12 Box, Inc. Force upgrade of a mobile application via a server side configuration file
US9195519B2 (en) 2012-09-06 2015-11-24 Box, Inc. Disabling the self-referential appearance of a mobile application in an intent via a background registration
US10419524B2 (en) * 2012-09-07 2019-09-17 Oracle International Corporation System and method for workflow orchestration for use with a cloud computing environment
US9292833B2 (en) 2012-09-14 2016-03-22 Box, Inc. Batching notifications of activities that occur in a web-based collaboration environment
US8438654B1 (en) 2012-09-14 2013-05-07 Rightscale, Inc. Systems and methods for associating a virtual machine with an access control right
US10200256B2 (en) 2012-09-17 2019-02-05 Box, Inc. System and method of a manipulative handle in an interactive mobile user interface
US9553758B2 (en) 2012-09-18 2017-01-24 Box, Inc. Sandboxing individual applications to specific user folders in a cloud-based service
US10915492B2 (en) 2012-09-19 2021-02-09 Box, Inc. Cloud-based platform enabled with media content indexed for text-based searches and/or metadata extraction
US9363154B2 (en) * 2012-09-26 2016-06-07 International Business Machines Corporaion Prediction-based provisioning planning for cloud environments
US9959420B2 (en) 2012-10-02 2018-05-01 Box, Inc. System and method for enhanced security and management mechanisms for enterprise administrators in a cloud-based environment
US9495364B2 (en) 2012-10-04 2016-11-15 Box, Inc. Enhanced quick search features, low-barrier commenting/interactive features in a collaboration platform
US9705967B2 (en) 2012-10-04 2017-07-11 Box, Inc. Corporate user discovery and identification of recommended collaborators in a cloud platform
US9665349B2 (en) 2012-10-05 2017-05-30 Box, Inc. System and method for generating embeddable widgets which enable access to a cloud-based collaboration platform
TWI459210B (en) * 2012-10-09 2014-11-01 Univ Nat Cheng Kung Multi-cloud communication system
US9424437B1 (en) 2012-10-12 2016-08-23 Egnyte, Inc. Systems and methods for providing file access in a hybrid cloud storage system
US8726343B1 (en) 2012-10-12 2014-05-13 Citrix Systems, Inc. Managing dynamic policies and settings in an orchestration framework for connected devices
US9516022B2 (en) 2012-10-14 2016-12-06 Getgo, Inc. Automated meeting room
US8910239B2 (en) 2012-10-15 2014-12-09 Citrix Systems, Inc. Providing virtualized private network tunnels
US20140109176A1 (en) 2012-10-15 2014-04-17 Citrix Systems, Inc. Configuring and providing profiles that manage execution of mobile applications
US20140109171A1 (en) 2012-10-15 2014-04-17 Citrix Systems, Inc. Providing Virtualized Private Network tunnels
US20140108793A1 (en) 2012-10-16 2014-04-17 Citrix Systems, Inc. Controlling mobile device access to secure data
US9606774B2 (en) 2012-10-16 2017-03-28 Citrix Systems, Inc. Wrapping an application with field-programmable business logic
US9971585B2 (en) 2012-10-16 2018-05-15 Citrix Systems, Inc. Wrapping unmanaged applications on a mobile device
CN104854561B (en) 2012-10-16 2018-05-11 思杰系统有限公司 Application program for application management framework encapsulates
US9756022B2 (en) 2014-08-29 2017-09-05 Box, Inc. Enhanced remote key management for an enterprise in a cloud-based environment
US9628268B2 (en) 2012-10-17 2017-04-18 Box, Inc. Remote key management in a cloud-based environment
US10379910B2 (en) 2012-10-26 2019-08-13 Syntel, Inc. System and method for evaluation of migration of applications to the cloud
WO2014088541A1 (en) * 2012-12-03 2014-06-12 Hewlett-Packard Development Company, L.P. Asynchronous framework for management of iaas
US20150304231A1 (en) * 2012-12-03 2015-10-22 Hewlett-Packard Development Company, L.P. Generic resource provider for cloud service
US9049115B2 (en) 2012-12-13 2015-06-02 Cisco Technology, Inc. Enabling virtual workloads using overlay technologies to interoperate with physical network services
US9361595B2 (en) * 2012-12-14 2016-06-07 International Business Machines Corporation On-demand cloud service management
US10235383B2 (en) 2012-12-19 2019-03-19 Box, Inc. Method and apparatus for synchronization of items with read-only permissions in a cloud-based environment
US9100345B2 (en) 2012-12-21 2015-08-04 Software Ag Usa, Inc. Systems and/or methods for supporting a generic framework for integration of on-premises and SaaS applications with security, service mediation, administrative, and/or monitoring capabilities
US9992306B2 (en) * 2012-12-21 2018-06-05 E*Trade Financial Corporation Dynamic execution
US10097989B2 (en) 2012-12-21 2018-10-09 E*Trade Financial Corporation Dynamic communication
US9396245B2 (en) 2013-01-02 2016-07-19 Box, Inc. Race condition handling in a system which incrementally updates clients with events that occurred in a cloud-based collaboration platform
US9130920B2 (en) 2013-01-07 2015-09-08 Zettaset, Inc. Monitoring of authorization-exceeding activity in distributed networks
US9953036B2 (en) 2013-01-09 2018-04-24 Box, Inc. File system monitoring in a system which incrementally updates clients with events that occurred in a cloud-based collaboration platform
EP2755151A3 (en) 2013-01-11 2014-09-24 Box, Inc. Functionalities, features and user interface of a synchronization client to a cloud-based environment
EP2757491A1 (en) 2013-01-17 2014-07-23 Box, Inc. Conflict resolution, retry condition management, and handling of problem files for the synchronization client to a cloud-based platform
US9384025B2 (en) 2013-01-28 2016-07-05 Intel Corporation Traffic and/or workload processing
US9935841B2 (en) 2013-01-28 2018-04-03 Intel Corporation Traffic forwarding for processing in network environment
WO2014120222A1 (en) * 2013-01-31 2014-08-07 Empire Technology Development, Llc Pausing virtual machines using api signaling
JP2014171211A (en) * 2013-02-06 2014-09-18 Ricoh Co Ltd Information processing system
US9733917B2 (en) * 2013-02-20 2017-08-15 Crimson Corporation Predicting whether a party will purchase a product
US20140236745A1 (en) * 2013-02-20 2014-08-21 Airvm Inc. Virtualized distribution system offering virtual products or services
US10120900B1 (en) 2013-02-25 2018-11-06 EMC IP Holding Company LLC Processing a database query using a shared metadata store
US9984083B1 (en) * 2013-02-25 2018-05-29 EMC IP Holding Company LLC Pluggable storage system for parallel query engines across non-native file systems
US9584544B2 (en) * 2013-03-12 2017-02-28 Red Hat Israel, Ltd. Secured logical component for security in a virtual environment
US9912521B2 (en) * 2013-03-13 2018-03-06 Dell Products L.P. Systems and methods for managing connections in an orchestrated network
US20140280912A1 (en) * 2013-03-13 2014-09-18 Joyent, Inc. System and method for determination and visualization of cloud processes and network relationships
US8943284B2 (en) 2013-03-14 2015-01-27 Joyent, Inc. Systems and methods for integrating compute resources in a storage area network
US20140280796A1 (en) * 2013-03-14 2014-09-18 Joyent, Inc. Systems and methods for providing a distributed service configuration framework
US9104456B2 (en) 2013-03-14 2015-08-11 Joyent, Inc. Zone management of compute-centric object stores
US8826279B1 (en) 2013-03-14 2014-09-02 Joyent, Inc. Instruction set architecture for compute-based object stores
US9342341B2 (en) * 2013-03-14 2016-05-17 Alcatel Lucent Systems and methods for deploying an application and an agent on a customer server in a selected network
US8677359B1 (en) 2013-03-14 2014-03-18 Joyent, Inc. Compute-centric object stores and methods of use
US8881279B2 (en) * 2013-03-14 2014-11-04 Joyent, Inc. Systems and methods for zone-based intrusion detection
US9043439B2 (en) 2013-03-14 2015-05-26 Cisco Technology, Inc. Method for streaming packet captures from network access devices to a cloud server over HTTP
US8819241B1 (en) * 2013-03-14 2014-08-26 State Farm Mutual Automobile Insurance Company System and method for a self service portal and automation for internally hosted virtual server resources
US8775485B1 (en) 2013-03-15 2014-07-08 Joyent, Inc. Object store management operations within compute-centric object stores
US9454294B2 (en) * 2013-03-15 2016-09-27 International Business Machines Corporation Creating, provisioning and managing virtual data centers
US8769644B1 (en) 2013-03-15 2014-07-01 Rightscale, Inc. Systems and methods for establishing cloud-based instances with independent permissions
US9092238B2 (en) 2013-03-15 2015-07-28 Joyent, Inc. Versioning schemes for compute-centric object stores
US8793688B1 (en) 2013-03-15 2014-07-29 Joyent, Inc. Systems and methods for double hulled virtualization operations
EP2972975A4 (en) * 2013-03-15 2016-11-16 Servicemesh Inc Systems and methods for providing repeated use of computing resources
WO2014147438A1 (en) * 2013-03-19 2014-09-25 Emc Corporation Managing provisioning of storage resources
US8849979B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing mobile device management functionalities
US20140297840A1 (en) 2013-03-29 2014-10-02 Citrix Systems, Inc. Providing mobile device management functionalities
US9355223B2 (en) 2013-03-29 2016-05-31 Citrix Systems, Inc. Providing a managed browser
US9369449B2 (en) 2013-03-29 2016-06-14 Citrix Systems, Inc. Providing an enterprise application store
US10284627B2 (en) * 2013-03-29 2019-05-07 Citrix Systems, Inc. Data management for an application with multiple operation modes
US8813179B1 (en) * 2013-03-29 2014-08-19 Citrix Systems, Inc. Providing mobile device management functionalities
US9729465B2 (en) 2013-05-01 2017-08-08 Red Hat, Inc. Policy based application elasticity across heterogeneous computing infrastructure
US10725968B2 (en) 2013-05-10 2020-07-28 Box, Inc. Top down delete or unsynchronization on delete of and depiction of item synchronization with a synchronization client to a cloud-based platform
US10846074B2 (en) 2013-05-10 2020-11-24 Box, Inc. Identification and handling of items to be ignored for synchronization with a cloud-based platform by a synchronization client
TWI578836B (en) * 2013-05-10 2017-04-11 瑞雷2股份有限公司 Multi-tenant virtual access point-network resources virtualization
US9602598B2 (en) 2013-05-29 2017-03-21 International Business Machines Corporation Coordinating application migration processes
GB2515192B (en) 2013-06-13 2016-12-14 Box Inc Systems and methods for synchronization event building and/or collapsing by a synchronization component of a cloud-based platform
US9805050B2 (en) 2013-06-21 2017-10-31 Box, Inc. Maintaining and updating file system shadows on a local device by a synchronization client of a cloud-based platform
US10229134B2 (en) 2013-06-25 2019-03-12 Box, Inc. Systems and methods for managing upgrades, migration of user data and improving performance of a cloud-based platform
US10110656B2 (en) 2013-06-25 2018-10-23 Box, Inc. Systems and methods for providing shell communication in a cloud-based platform
US9619545B2 (en) 2013-06-28 2017-04-11 Oracle International Corporation Naïve, client-side sharding with online addition of shards
US9413854B1 (en) * 2013-07-15 2016-08-09 Amazon Technologies, Inc. Network-accessible signal processing service
US9300691B1 (en) * 2013-07-18 2016-03-29 Symantec Corporation Systems and methods for enforcing secure network segmentation for sensitive workloads
US9288231B2 (en) * 2013-07-22 2016-03-15 Cisco Technology, Inc. Web caching with security as a service
US9456003B2 (en) * 2013-07-24 2016-09-27 At&T Intellectual Property I, L.P. Decoupling hardware and software components of network security devices to provide security software as a service in a distributed computing environment
US9535924B2 (en) 2013-07-30 2017-01-03 Box, Inc. Scalability improvement in a system which incrementally updates clients with events that occurred in a cloud-based collaboration platform
US9710292B2 (en) * 2013-08-02 2017-07-18 International Business Machines Corporation Allowing management of a virtual machine by multiple cloud providers
US20150067126A1 (en) * 2013-08-27 2015-03-05 Connectloud, Inc. Method and apparatus for multi-tenant service catalog for a software defined cloud
US20150067761A1 (en) * 2013-08-29 2015-03-05 International Business Machines Corporation Managing security and compliance of volatile systems
CN105518648B (en) 2013-09-04 2018-10-09 安提特软件有限责任公司 Via node-relational model resource is provided to client
US10212050B2 (en) 2013-09-04 2019-02-19 Entit Software Llc Providing recursively-generated instantiated computing resource in a multi-tenant environment
CN105518651B (en) 2013-09-04 2018-10-16 慧与发展有限责任合伙企业 Resource selection method, system and the storage medium based on strategy for cloud service
CN105531688B (en) 2013-09-04 2018-05-29 慧与发展有限责任合伙企业 The service of resource as other services is provided
US8892679B1 (en) 2013-09-13 2014-11-18 Box, Inc. Mobile device, methods and user interfaces thereof in a mobile device platform featuring multifunctional access and engagement in a collaborative environment provided by a cloud-based platform
GB2518298A (en) 2013-09-13 2015-03-18 Box Inc High-availability architecture for a cloud-based concurrent-access collaboration platform
US9704137B2 (en) 2013-09-13 2017-07-11 Box, Inc. Simultaneous editing/accessing of content by collaborator invitation through a web-based or mobile application to a cloud-based collaboration platform
US9535909B2 (en) 2013-09-13 2017-01-03 Box, Inc. Configurable event-based automation architecture for cloud-based collaboration platforms
US10509527B2 (en) 2013-09-13 2019-12-17 Box, Inc. Systems and methods for configuring event-based automation in cloud-based collaboration platforms
US9213684B2 (en) 2013-09-13 2015-12-15 Box, Inc. System and method for rendering document in web browser or mobile device regardless of third-party plug-in software
US9197709B2 (en) * 2013-09-27 2015-11-24 Level 3 Communications, Llc Provisioning dedicated network resources with API services
FR3011422B1 (en) * 2013-09-30 2016-12-09 Rizze DEVICE FOR THE DUPLICATION OF A SCALABLE NUMBER OF VIRTUAL MACHINES ON PHYSICAL MACHINES FOR THE DEPLOYMENT OF A RESOURCE MANAGEMENT SOFTWARE
WO2015050549A1 (en) 2013-10-03 2015-04-09 Hewlett-Packard Development Company, L.P. Managing a number of secondary clouds by a master cloud service manager
US9396338B2 (en) 2013-10-15 2016-07-19 Intuit Inc. Method and system for providing a secure secrets proxy
US9246935B2 (en) 2013-10-14 2016-01-26 Intuit Inc. Method and system for dynamic and comprehensive vulnerability management
US9384362B2 (en) 2013-10-14 2016-07-05 Intuit Inc. Method and system for distributing secrets
US10866931B2 (en) 2013-10-22 2020-12-15 Box, Inc. Desktop application for accessing a cloud collaboration platform
CN103607426B (en) * 2013-10-25 2019-04-09 中兴通讯股份有限公司 Security service customization method and device
US10284427B2 (en) * 2013-10-30 2019-05-07 Hewlett Packard Enterprise Development Lp Managing the lifecycle of a cloud service modeled as topology decorated by a number of policies
WO2015065374A1 (en) 2013-10-30 2015-05-07 Hewlett-Packard Development Company, L.P. Management of the lifecycle of a cloud service modeled as a topology
WO2015065359A1 (en) 2013-10-30 2015-05-07 Hewlett-Packard Development Company, L.P. Modifying realized topologies
EP3063657B1 (en) 2013-10-30 2021-12-01 Hewlett Packard Enterprise Development LP Monitoring a cloud service modeled as a topology
US10476760B2 (en) * 2013-10-30 2019-11-12 Oracle International Corporation System and method for placement logic in a cloud platform environment
WO2015065355A1 (en) 2013-10-30 2015-05-07 Hewlett-Packard Development Company, L. P. Stitching an application model to an infrastructure template
WO2015065389A1 (en) 2013-10-30 2015-05-07 Hewlett-Packard Development Company, L.P. Execution of a topology
EP3063658A4 (en) 2013-10-30 2017-05-24 Hewlett-Packard Enterprise Development LP Realized topology system management database
US9544188B2 (en) * 2013-10-30 2017-01-10 Oracle International Corporation System and method for webtier providers in a cloud platform environment
WO2015065356A1 (en) 2013-10-30 2015-05-07 Hewlett-Packard Development Company, L.P. Topology remediation
EP3063662A4 (en) 2013-10-30 2017-06-21 Hewlett-Packard Enterprise Development LP Facilitating autonomous computing within a cloud service
US10367702B2 (en) 2013-10-31 2019-07-30 Hewlett Packard Enterprise Development Lp Network database hosting
US9894069B2 (en) 2013-11-01 2018-02-13 Intuit Inc. Method and system for automatically managing secret application and maintenance
US9467477B2 (en) 2013-11-06 2016-10-11 Intuit Inc. Method and system for automatically managing secrets in multiple data security jurisdiction zones
US9444818B2 (en) * 2013-11-01 2016-09-13 Intuit Inc. Method and system for automatically managing secure communications in multiple communications jurisdiction zones
US9282122B2 (en) 2014-04-30 2016-03-08 Intuit Inc. Method and apparatus for multi-tenancy secrets management
TWI528187B (en) * 2013-11-12 2016-04-01 財團法人資訊工業策進會 Cloud auto-test system, method and non-transitory computer readable storage medium of the same
WO2015073719A1 (en) * 2013-11-13 2015-05-21 Evident.io, Inc. Automated sdk ingestion
US9313281B1 (en) 2013-11-13 2016-04-12 Intuit Inc. Method and system for creating and dynamically deploying resource specific discovery agents for determining the state of a cloud computing environment
US20150134424A1 (en) * 2013-11-14 2015-05-14 Vmware, Inc. Systems and methods for assessing hybridization of cloud computing services based on data mining of historical decisions
US9753784B2 (en) 2013-11-27 2017-09-05 At&T Intellectual Property I, L.P. Cloud delivery platform
US11126481B2 (en) 2013-12-09 2021-09-21 Micro Focus Llc Fulfilling a request based on catalog aggregation and orchestrated execution of an end-to-end process
US9692789B2 (en) * 2013-12-13 2017-06-27 Oracle International Corporation Techniques for cloud security monitoring and threat intelligence
WO2015092130A1 (en) * 2013-12-20 2015-06-25 Nokia Technologies Oy Push-based trust model for public cloud applications
WO2015089821A1 (en) * 2013-12-20 2015-06-25 Hewlett-Packard Development Company, L.P. Policy rules for network resource
US9501345B1 (en) 2013-12-23 2016-11-22 Intuit Inc. Method and system for creating enriched log data
US9323926B2 (en) 2013-12-30 2016-04-26 Intuit Inc. Method and system for intrusion and extrusion detection
US9819547B2 (en) * 2013-12-31 2017-11-14 Bmc Software, Inc. Server provisioning based on job history analysis
US9712376B2 (en) * 2014-01-02 2017-07-18 Red Hat Israel, Ltd. Connector configuration for external service provider
US9325726B2 (en) 2014-02-03 2016-04-26 Intuit Inc. Method and system for virtual asset assisted extrusion and intrusion detection in a cloud computing environment
US20150304343A1 (en) 2014-04-18 2015-10-22 Intuit Inc. Method and system for providing self-monitoring, self-reporting, and self-repairing virtual assets in a cloud computing environment
US10264025B2 (en) 2016-06-24 2019-04-16 Varmour Networks, Inc. Security policy generation for virtualization, bare-metal server, and cloud computing environments
US9973472B2 (en) 2015-04-02 2018-05-15 Varmour Networks, Inc. Methods and systems for orchestrating physical and virtual switches to enforce security boundaries
US10091238B2 (en) 2014-02-11 2018-10-02 Varmour Networks, Inc. Deception using distributed threat detection
WO2015123458A1 (en) * 2014-02-12 2015-08-20 Applango Systems Ltd Management of information-technology services
US9558226B2 (en) 2014-02-17 2017-01-31 International Business Machines Corporation Storage quota management
US9420035B2 (en) * 2014-02-20 2016-08-16 International Business Machines Corporation Transaction isolation during multi-tenant transaction requests
US9866581B2 (en) 2014-06-30 2018-01-09 Intuit Inc. Method and system for secure delivery of information to computing environments
US10757133B2 (en) 2014-02-21 2020-08-25 Intuit Inc. Method and system for creating and deploying virtual assets
US9276945B2 (en) 2014-04-07 2016-03-01 Intuit Inc. Method and system for providing security aware applications
WO2015136308A1 (en) * 2014-03-13 2015-09-17 Vodafone Ip Licensing Limited Management of resource allocation in a mobile telecommunication network
GB2524951A (en) * 2014-03-13 2015-10-14 Vodafone Ip Licensing Ltd Management of resource allocation in a mobile telecommunication network
US10176005B2 (en) * 2014-03-31 2019-01-08 Cypherpath, Inc. Environment virtualization
US9245117B2 (en) 2014-03-31 2016-01-26 Intuit Inc. Method and system for comparing different versions of a cloud based application in a production environment using segregated backend systems
US9755858B2 (en) 2014-04-15 2017-09-05 Cisco Technology, Inc. Programmable infrastructure gateway for enabling hybrid cloud services in a network environment
US9660933B2 (en) * 2014-04-17 2017-05-23 Go Daddy Operating Company, LLC Allocating and accessing hosting server resources via continuous resource availability updates
US11294700B2 (en) 2014-04-18 2022-04-05 Intuit Inc. Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets
KR101535502B1 (en) * 2014-04-22 2015-07-09 한국인터넷진흥원 System and method for controlling virtual network including security function
US9374389B2 (en) 2014-04-25 2016-06-21 Intuit Inc. Method and system for ensuring an application conforms with security and regulatory controls prior to deployment
US9900322B2 (en) 2014-04-30 2018-02-20 Intuit Inc. Method and system for providing permissions management
US9319415B2 (en) * 2014-04-30 2016-04-19 Intuit Inc. Method and system for providing reference architecture pattern-based permissions management
US9473365B2 (en) 2014-05-08 2016-10-18 Cisco Technology, Inc. Collaborative inter-service scheduling of logical resources in cloud platforms
KR101534566B1 (en) * 2014-05-09 2015-07-24 한국전자통신연구원 Apparatus and method for security control of cloud virtual desktop
WO2016004263A1 (en) 2014-07-01 2016-01-07 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, anti-fingerprinting, and/or other features
US9203855B1 (en) 2014-05-15 2015-12-01 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as hypervisor, detection and interception of code or instruction execution including API calls, and/or other features
US9390267B2 (en) 2014-05-15 2016-07-12 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, pages of interest, and/or other features
CA2969422A1 (en) 2014-05-15 2015-11-19 Lynx Software Technologies Inc. Systems and methods involving features of hardware virtualization, hypervisor, apis of interest, and/or other features
US10922112B2 (en) * 2014-05-21 2021-02-16 Vmware, Inc. Application aware storage resource management
US10089128B2 (en) 2014-05-21 2018-10-02 Vmware, Inc. Application aware service policy enforcement and autonomous feedback-based remediation
US10659523B1 (en) 2014-05-23 2020-05-19 Amazon Technologies, Inc. Isolating compute clusters created for a customer
US9330263B2 (en) 2014-05-27 2016-05-03 Intuit Inc. Method and apparatus for automating the building of threat models for the public cloud
US10530854B2 (en) 2014-05-30 2020-01-07 Box, Inc. Synchronization of permissioned content in cloud-based environments
US9602514B2 (en) 2014-06-16 2017-03-21 Box, Inc. Enterprise mobility management and verification of a managed application by a content provider
US10616180B2 (en) 2014-06-20 2020-04-07 Zscaler, Inc. Clientless connection setup for cloud-based virtual private access systems and methods
US10375024B2 (en) 2014-06-20 2019-08-06 Zscaler, Inc. Cloud-based virtual private access systems and methods
US11782745B2 (en) 2014-07-01 2023-10-10 Lynx Software Technologies, Inc. Systems and methods involving aspects of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, anti-fingerprinting and/or other features
US10122605B2 (en) 2014-07-09 2018-11-06 Cisco Technology, Inc Annotation of network activity through different phases of execution
US9509718B1 (en) * 2014-07-17 2016-11-29 Sprint Communications Company L.P. Network-attached storage solution for application servers
US9780963B2 (en) * 2014-07-17 2017-10-03 Futurewei Technologies, Inc. System and method for a federated evolved packet core service bus
US9836332B2 (en) * 2014-07-31 2017-12-05 Corent Technology, Inc. Software defined SaaS platform
US10102082B2 (en) 2014-07-31 2018-10-16 Intuit Inc. Method and system for providing automated self-healing virtual assets
US9473481B2 (en) 2014-07-31 2016-10-18 Intuit Inc. Method and system for providing a virtual asset perimeter
EP2990932B1 (en) * 2014-08-27 2019-04-17 Deutsche Telekom AG Method for provisioning a customized cloud stack
US10574442B2 (en) 2014-08-29 2020-02-25 Box, Inc. Enhanced remote key management for an enterprise in a cloud-based environment
US10038731B2 (en) 2014-08-29 2018-07-31 Box, Inc. Managing flow-based interactions with cloud-based shared content
US9894119B2 (en) 2014-08-29 2018-02-13 Box, Inc. Configurable metadata-based automation and content classification architecture for cloud-based collaboration platforms
US9705923B2 (en) 2014-09-02 2017-07-11 Symantec Corporation Method and apparatus for automating security provisioning of workloads
US10469448B2 (en) * 2014-09-05 2019-11-05 Hewlett Packard Enterprise Development Lp Firewall port access rule generation
US10581756B2 (en) * 2014-09-09 2020-03-03 Microsoft Technology Licensing, Llc Nonintrusive dynamically-scalable network load generation
US9516700B1 (en) 2014-09-25 2016-12-06 Google Inc. Cloud-based controller for managing access points
US10671508B2 (en) 2014-09-25 2020-06-02 Hewlett Packard Enterprise Development Lp Testing a cloud service
US9825878B2 (en) 2014-09-26 2017-11-21 Cisco Technology, Inc. Distributed application framework for prioritizing network traffic using application priority awareness
US9513935B2 (en) 2014-10-28 2016-12-06 International Business Machines Corporation Auto-scaling thresholds in elastic computing environments
CN110086681A (en) * 2014-11-27 2019-08-02 华为技术有限公司 Configuration method, system and its Virtual NE and network management system of virtual network strategy
EP3032453B1 (en) * 2014-12-08 2019-11-13 eperi GmbH Storing data in a server computer with deployable encryption/decryption infrastructure
US9923954B2 (en) * 2014-12-16 2018-03-20 International Business Machines Corporation Virtual fencing gradient to incrementally validate deployed applications directly in production cloud computing environment
US10552796B1 (en) * 2014-12-19 2020-02-04 Amazon Technologies, Inc. Approval service in a catalog service platform
US9894100B2 (en) * 2014-12-30 2018-02-13 Fortinet, Inc. Dynamically optimized security policy management
US9577884B2 (en) * 2015-01-01 2017-02-21 Bank Of America Corporation Enterprise quality assurance and lab management tool
US9774682B2 (en) * 2015-01-08 2017-09-26 International Business Machines Corporation Parallel data streaming between cloud-based applications and massively parallel systems
US10050862B2 (en) 2015-02-09 2018-08-14 Cisco Technology, Inc. Distributed application framework that uses network and application awareness for placing data
US9639706B2 (en) * 2015-02-19 2017-05-02 International Business Machines Corporation Inter-virtual machine communication
US10708342B2 (en) 2015-02-27 2020-07-07 Cisco Technology, Inc. Dynamic troubleshooting workspaces for cloud and network management systems
US10037617B2 (en) 2015-02-27 2018-07-31 Cisco Technology, Inc. Enhanced user interface systems including dynamic context selection for cloud-based networks
US10191860B2 (en) * 2015-03-04 2019-01-29 Schneider Electric Software, Llc Securing sensitive historian configuration information
US9467476B1 (en) 2015-03-13 2016-10-11 Varmour Networks, Inc. Context aware microsegmentation
US10193929B2 (en) 2015-03-13 2019-01-29 Varmour Networks, Inc. Methods and systems for improving analytics in distributed networks
US9438634B1 (en) 2015-03-13 2016-09-06 Varmour Networks, Inc. Microsegmented networks that implement vulnerability scanning
US10178070B2 (en) 2015-03-13 2019-01-08 Varmour Networks, Inc. Methods and systems for providing security to distributed microservices
US9294442B1 (en) 2015-03-30 2016-03-22 Varmour Networks, Inc. System and method for threat-driven security policy controls
US10009381B2 (en) 2015-03-30 2018-06-26 Varmour Networks, Inc. System and method for threat-driven security policy controls
US9380027B1 (en) * 2015-03-30 2016-06-28 Varmour Networks, Inc. Conditional declarative policies
US10129157B2 (en) * 2015-03-31 2018-11-13 At&T Intellectual Property I, L.P. Multiple feedback instance inter-coordination to determine optimal actions
US10277666B2 (en) * 2015-03-31 2019-04-30 At&T Intellectual Property I, L.P. Escalation of feedback instances
US9524200B2 (en) 2015-03-31 2016-12-20 At&T Intellectual Property I, L.P. Consultation among feedback instances
US10129156B2 (en) 2015-03-31 2018-11-13 At&T Intellectual Property I, L.P. Dynamic creation and management of ephemeral coordinated feedback instances
US9992277B2 (en) 2015-03-31 2018-06-05 At&T Intellectual Property I, L.P. Ephemeral feedback instances
US9769206B2 (en) 2015-03-31 2017-09-19 At&T Intellectual Property I, L.P. Modes of policy participation for feedback instances
US9525697B2 (en) 2015-04-02 2016-12-20 Varmour Networks, Inc. Delivering security functions to distributed networks
US10581755B2 (en) 2015-04-03 2020-03-03 Nicira, Inc. Provisioning network services in a software defined data center
US10382534B1 (en) 2015-04-04 2019-08-13 Cisco Technology, Inc. Selective load balancing of network traffic
US9645842B2 (en) * 2015-04-28 2017-05-09 United States Of America As Represented By Secretary Of The Navy Cybernaut: a cloud-oriented energy-efficient intrusion-tolerant hypervisor
US10476982B2 (en) 2015-05-15 2019-11-12 Cisco Technology, Inc. Multi-datacenter message queue
US10135871B2 (en) 2015-06-12 2018-11-20 Accenture Global Solutions Limited Service oriented software-defined security framework
US9912759B2 (en) * 2015-06-24 2018-03-06 International Business Machines Corporation Dynamically generating solution stacks
US10243848B2 (en) 2015-06-27 2019-03-26 Nicira, Inc. Provisioning logical entities in a multi-datacenter environment
US10853141B2 (en) * 2015-06-29 2020-12-01 British Telecommunications Public Limited Company Resource provisioning in distributed computing environments
US10034201B2 (en) 2015-07-09 2018-07-24 Cisco Technology, Inc. Stateless load-balancing across multiple tunnels
US10635779B2 (en) * 2015-07-29 2020-04-28 Siemens Healthcare Gmbh Devices, methods and computer readable mediums for flexible delivery and deployment of medical applications
WO2017019098A1 (en) * 2015-07-30 2017-02-02 Hewlett Packard Enterprise Development Lp Regulating compliance with a billing workflow
WO2017023276A1 (en) * 2015-07-31 2017-02-09 Hewlett Packard Enterprise Development Lp Discovering and publishing api information
US11195216B2 (en) * 2015-07-31 2021-12-07 Ent. Services Development Corporation Lp Federated marketplace portal
US9762616B2 (en) * 2015-08-08 2017-09-12 International Business Machines Corporation Application-based security rights in cloud environments
US9483317B1 (en) 2015-08-17 2016-11-01 Varmour Networks, Inc. Using multiple central processing unit cores for packet forwarding in virtualized networks
US10389754B2 (en) * 2015-09-04 2019-08-20 Quest Software Governance policy framework for cloud resources
US10341194B2 (en) 2015-10-05 2019-07-02 Fugue, Inc. System and method for building, optimizing, and enforcing infrastructure on a cloud based computing environment
US10067780B2 (en) 2015-10-06 2018-09-04 Cisco Technology, Inc. Performance-based public cloud selection for a hybrid cloud environment
US11005682B2 (en) 2015-10-06 2021-05-11 Cisco Technology, Inc. Policy-driven switch overlay bypass in a hybrid cloud network environment
US10462136B2 (en) * 2015-10-13 2019-10-29 Cisco Technology, Inc. Hybrid cloud security groups
US10044758B2 (en) 2015-10-15 2018-08-07 International Business Machines Corporation Secure policy audit in shared enforcement environment
US9841986B2 (en) * 2015-10-27 2017-12-12 Vmware, Inc. Policy based application monitoring in virtualized environment
US10795775B2 (en) * 2015-10-29 2020-10-06 Datto, Inc. Apparatuses, methods, and systems for storage and analysis of SaaS data and non-SaaS data for businesses and other organizations
US10771391B2 (en) 2015-11-05 2020-09-08 Hewlett Packard Enterprise Development Lp Policy enforcement based on host value classification
US10523657B2 (en) 2015-11-16 2019-12-31 Cisco Technology, Inc. Endpoint privacy preservation with cloud conferencing
US10205677B2 (en) 2015-11-24 2019-02-12 Cisco Technology, Inc. Cloud resource placement optimization and migration execution in federated clouds
US10313479B2 (en) 2015-11-24 2019-06-04 Vmware, Inc. Methods and apparatus to manage workload domains in virtual server racks
US11263006B2 (en) * 2015-11-24 2022-03-01 Vmware, Inc. Methods and apparatus to deploy workload domains in virtual server racks
US10084703B2 (en) 2015-12-04 2018-09-25 Cisco Technology, Inc. Infrastructure-exclusive service forwarding
US10191758B2 (en) 2015-12-09 2019-01-29 Varmour Networks, Inc. Directing data traffic between intra-server virtual machines
US20170171020A1 (en) * 2015-12-14 2017-06-15 Microsoft Technology Licensing, Llc Using declarative configuration data to manage cloud lifecycle
US11175910B2 (en) 2015-12-22 2021-11-16 Opera Solutions Usa, Llc System and method for code and data versioning in computerized data modeling and analysis
CA3009641A1 (en) 2015-12-22 2017-06-29 Opera Solutions U.S.A., Llc System and method for rapid development and deployment of reusable analytic code for use in computerized data modeling and analysis
US10275502B2 (en) 2015-12-22 2019-04-30 Opera Solutions Usa, Llc System and method for interactive reporting in computerized data modeling and analysis
US10268753B2 (en) 2015-12-22 2019-04-23 Opera Solutions Usa, Llc System and method for optimized query execution in computerized data modeling and analysis
US10367914B2 (en) 2016-01-12 2019-07-30 Cisco Technology, Inc. Attaching service level agreements to application containers and enabling service assurance
US9680852B1 (en) 2016-01-29 2017-06-13 Varmour Networks, Inc. Recursive multi-layer examination for computer network security remediation
US9762599B2 (en) 2016-01-29 2017-09-12 Varmour Networks, Inc. Multi-node affinity-based examination for computer network security remediation
US10412048B2 (en) * 2016-02-08 2019-09-10 Cryptzone North America, Inc. Protecting network devices by a firewall
US10162682B2 (en) 2016-02-16 2018-12-25 Red Hat, Inc. Automatically scaling up physical resources in a computing infrastructure
US20170255455A1 (en) * 2016-03-03 2017-09-07 International Business Machines Corporation Automated customization of software feature availability based on usage patterns and history
US9521115B1 (en) 2016-03-24 2016-12-13 Varmour Networks, Inc. Security policy generation using container metadata
US10135712B2 (en) 2016-04-07 2018-11-20 At&T Intellectual Property I, L.P. Auto-scaling software-defined monitoring platform for software-defined networking service assurance
US10243926B2 (en) * 2016-04-08 2019-03-26 Cisco Technology, Inc. Configuring firewalls for an industrial automation network
US9560015B1 (en) 2016-04-12 2017-01-31 Cryptzone North America, Inc. Systems and methods for protecting network devices by a firewall
US10255054B2 (en) * 2016-04-13 2019-04-09 International Business Machines Corporation Enforcing security policies for software containers
US11838271B2 (en) 2016-05-18 2023-12-05 Zscaler, Inc. Providing users secure access to business-to-business (B2B) applications
US9923765B2 (en) * 2016-05-20 2018-03-20 CloudCoreo, Inc. Deploying and monitoring multiplatform cloud-based infrastructures
US10129177B2 (en) 2016-05-23 2018-11-13 Cisco Technology, Inc. Inter-cloud broker for hybrid cloud networks
CN105915393A (en) * 2016-06-16 2016-08-31 南京国通智能科技有限公司 System applicable to BbCO service architecture
US10755334B2 (en) 2016-06-30 2020-08-25 Varmour Networks, Inc. Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors
US10659283B2 (en) 2016-07-08 2020-05-19 Cisco Technology, Inc. Reducing ARP/ND flooding in cloud environment
US10432532B2 (en) 2016-07-12 2019-10-01 Cisco Technology, Inc. Dynamically pinning micro-service to uplink port
US10382597B2 (en) 2016-07-20 2019-08-13 Cisco Technology, Inc. System and method for transport-layer level identification and isolation of container traffic
US10263898B2 (en) 2016-07-20 2019-04-16 Cisco Technology, Inc. System and method for implementing universal cloud classification (UCC) as a service (UCCaaS)
US10142346B2 (en) 2016-07-28 2018-11-27 Cisco Technology, Inc. Extension of a private cloud end-point group to a public cloud
US10567344B2 (en) 2016-08-23 2020-02-18 Cisco Technology, Inc. Automatic firewall configuration based on aggregated cloud managed information
US9697144B1 (en) 2016-08-23 2017-07-04 Red Hat, Inc. Quality of service enforcement and data security for containers accessing storage
US10484382B2 (en) 2016-08-31 2019-11-19 Oracle International Corporation Data management for a multi-tenant identity cloud service
US10846390B2 (en) 2016-09-14 2020-11-24 Oracle International Corporation Single sign-on functionality for a multi-tenant identity and data security management cloud service
US10594684B2 (en) 2016-09-14 2020-03-17 Oracle International Corporation Generating derived credentials for a multi-tenant identity cloud service
US10445395B2 (en) 2016-09-16 2019-10-15 Oracle International Corporation Cookie based state propagation for a multi-tenant identity cloud service
WO2018053258A1 (en) 2016-09-16 2018-03-22 Oracle International Corporation Tenant and service management for a multi-tenant identity and data security management cloud service
US10904074B2 (en) 2016-09-17 2021-01-26 Oracle International Corporation Composite event handler for a multi-tenant identity cloud service
US10171431B2 (en) 2016-09-21 2019-01-01 International Business Machines Corporation Secure message handling of an application across deployment locations
US10387670B2 (en) 2016-09-21 2019-08-20 International Business Machines Corporation Handling sensitive data in an application using external processing
US10397189B1 (en) * 2016-09-27 2019-08-27 Amazon Technologies, Inc. Peered virtual private network endpoint nodes
US10523592B2 (en) 2016-10-10 2019-12-31 Cisco Technology, Inc. Orchestration system for migrating user data and services based on user information
US10372520B2 (en) 2016-11-22 2019-08-06 Cisco Technology, Inc. Graphical user interface for visualizing a plurality of issues with an infrastructure
US10749856B2 (en) * 2016-11-23 2020-08-18 Ingram Micro, Inc. System and method for multi-tenant SSO with dynamic attribute retrieval
US10841337B2 (en) 2016-11-28 2020-11-17 Secureworks Corp. Computer implemented system and method, and computer program product for reversibly remediating a security risk
US11044162B2 (en) 2016-12-06 2021-06-22 Cisco Technology, Inc. Orchestration of cloud and fog interactions
US10528993B2 (en) * 2016-12-07 2020-01-07 Intuit Inc. Payment and invoice systems integration
US10739943B2 (en) * 2016-12-13 2020-08-11 Cisco Technology, Inc. Ordered list user interface
US10171425B2 (en) 2016-12-15 2019-01-01 Keysight Technologies Singapore (Holdings) Pte Ltd Active firewall control for network traffic sessions within virtual processing platforms
US11075886B2 (en) 2016-12-15 2021-07-27 Keysight Technologies Singapore (Sales) Pte. Ltd. In-session splitting of network traffic sessions for server traffic monitoring
US10326817B2 (en) 2016-12-20 2019-06-18 Cisco Technology, Inc. System and method for quality-aware recording in large scale collaborate clouds
US10877797B2 (en) * 2016-12-22 2020-12-29 Vmware, Inc. Remote operation authorization between pairs of sites with pre-established trust
US10334029B2 (en) 2017-01-10 2019-06-25 Cisco Technology, Inc. Forming neighborhood groups from disperse cloud providers
US10601871B2 (en) * 2017-01-18 2020-03-24 International Business Machines Corporation Reconfiguration of security requirements for deployed components of applications
US10931744B1 (en) * 2017-01-19 2021-02-23 Tigera, Inc. Policy controlled service routing
US10409988B2 (en) * 2017-01-20 2019-09-10 Hewlett Packard Enterprise Development Lp Escalated remediation
US10552191B2 (en) 2017-01-26 2020-02-04 Cisco Technology, Inc. Distributed hybrid cloud orchestration model
US10320683B2 (en) 2017-01-30 2019-06-11 Cisco Technology, Inc. Reliable load-balancer using segment routing and real-time application monitoring
US10671571B2 (en) 2017-01-31 2020-06-02 Cisco Technology, Inc. Fast network performance in containerized environments for network function virtualization
US10587459B2 (en) * 2017-02-13 2020-03-10 Citrix Systems, Inc. Computer system providing cloud-based health monitoring features and related methods
US10331528B2 (en) 2017-03-02 2019-06-25 Hewlett Packard Enterprise Development Lp Recovery services for computing systems
US10467071B2 (en) 2017-03-17 2019-11-05 Accenture Global Solutions Limited Extensible key management system for application program interfaces
US10678579B2 (en) * 2017-03-17 2020-06-09 Vmware, Inc. Policy based cross-cloud migration
US10860545B2 (en) 2017-03-24 2020-12-08 Microsoft Technology Licensing, Llc Measuring usage of computing resources
US10725979B2 (en) 2017-03-24 2020-07-28 Microsoft Technology Licensing, Llc Measuring usage of computing resources by storing usage events in a distributed file system
US11005731B2 (en) 2017-04-05 2021-05-11 Cisco Technology, Inc. Estimating model parameters for automatic deployment of scalable micro services
US10262127B2 (en) * 2017-04-05 2019-04-16 General Electric Company Systems and method for securely sharing and executing data and models
US10803411B1 (en) * 2017-04-17 2020-10-13 Microstrategy Incorporated Enterprise platform deployment
US10936711B2 (en) * 2017-04-18 2021-03-02 Intuit Inc. Systems and mechanism to control the lifetime of an access token dynamically based on access token use
US10579511B2 (en) * 2017-05-10 2020-03-03 Bank Of America Corporation Flexible testing environment using a cloud infrastructure—cloud technology
US10645087B2 (en) * 2017-06-06 2020-05-05 Amgen Inc. Centralized authenticating abstraction layer with adaptive assembly line pathways
US11210133B1 (en) * 2017-06-12 2021-12-28 Pure Storage, Inc. Workload mobility between disparate execution environments
US10938855B1 (en) * 2017-06-23 2021-03-02 Digi International Inc. Systems and methods for automatically and securely provisioning remote computer network infrastructure
US10382274B2 (en) 2017-06-26 2019-08-13 Cisco Technology, Inc. System and method for wide area zero-configuration network auto configuration
US10439877B2 (en) 2017-06-26 2019-10-08 Cisco Technology, Inc. Systems and methods for enabling wide area multicast domain name system
US10191731B2 (en) * 2017-06-27 2019-01-29 Microsoft Technology Licensing, Llc Safe and agile rollouts in a network-accessible server infrastructure using slices
US10892940B2 (en) 2017-07-21 2021-01-12 Cisco Technology, Inc. Scalable statistics and analytics mechanisms in cloud networking
US10425288B2 (en) 2017-07-21 2019-09-24 Cisco Technology, Inc. Container telemetry in data center environments with blade servers and switches
US10601693B2 (en) 2017-07-24 2020-03-24 Cisco Technology, Inc. System and method for providing scalable flow monitoring in a data center fabric
US10541866B2 (en) 2017-07-25 2020-01-21 Cisco Technology, Inc. Detecting and resolving multicast traffic performance issues
US11477280B1 (en) * 2017-07-26 2022-10-18 Pure Storage, Inc. Integrating cloud storage services
CN112087493B (en) 2017-09-05 2022-02-22 华为技术有限公司 Request processing method, system on chip and public cloud management component
US10838840B2 (en) 2017-09-15 2020-11-17 Hewlett Packard Enterprise Development Lp Generating different workload types for cloud service testing
US10541901B2 (en) 2017-09-19 2020-01-21 Keysight Technologies Singapore (Sales) Pte. Ltd. Methods, systems and computer readable media for optimizing placement of virtual network visibility components
US11308132B2 (en) 2017-09-27 2022-04-19 Oracle International Corporation Reference attributes for related stored objects in a multi-tenant cloud service
US10594735B2 (en) * 2017-09-28 2020-03-17 At&T Intellectual Property I, L.P. Tag-based security policy creation in a distributed computing environment
US20190102156A1 (en) * 2017-09-29 2019-04-04 Compuware Corporation Streamlined Technique For Deploying Application In Cloud Computing Environment
US10705823B2 (en) * 2017-09-29 2020-07-07 Oracle International Corporation Application templates and upgrade framework for a multi-tenant identity cloud service
US10764169B2 (en) 2017-10-09 2020-09-01 Keysight Technologies, Inc. Methods, systems, and computer readable media for testing virtual network components deployed in virtual private clouds (VPCs)
US10467424B2 (en) 2017-10-12 2019-11-05 International Business Machines Corporation File system content based security
US10353800B2 (en) 2017-10-18 2019-07-16 Cisco Technology, Inc. System and method for graph based monitoring and management of distributed systems
US10735470B2 (en) 2017-11-06 2020-08-04 Secureworks Corp. Systems and methods for sharing, distributing, or accessing security data and/or security applications, models, or analytics
US10594713B2 (en) 2017-11-10 2020-03-17 Secureworks Corp. Systems and methods for secure propagation of statistical models within threat intelligence communities
US11481362B2 (en) 2017-11-13 2022-10-25 Cisco Technology, Inc. Using persistent memory to enable restartability of bulk load transactions in cloud databases
US10671442B2 (en) * 2017-11-15 2020-06-02 Red Hat, Inc. Dynamic preparation of a new network environment, and subsequent monitoring thereof
US10733015B2 (en) 2017-11-21 2020-08-04 International Business Machines Corporation Prioritizing applications for diagonal scaling in a distributed computing environment
US10812407B2 (en) * 2017-11-21 2020-10-20 International Business Machines Corporation Automatic diagonal scaling of workloads in a distributed computing environment
US10635501B2 (en) 2017-11-21 2020-04-28 International Business Machines Corporation Adaptive scaling of workloads in a distributed computing environment
US10893000B2 (en) 2017-11-21 2021-01-12 International Business Machines Corporation Diagonal scaling of resource allocations and application instances in a distributed computing environment
US10721179B2 (en) 2017-11-21 2020-07-21 International Business Machines Corporation Adaptive resource allocation operations based on historical data in a distributed computing environment
US10887250B2 (en) 2017-11-21 2021-01-05 International Business Machines Corporation Reducing resource allocations and application instances in diagonal scaling in a distributed computing environment
US10635829B1 (en) 2017-11-28 2020-04-28 Intuit Inc. Method and system for granting permissions to parties within an organization
US10585656B1 (en) 2017-12-18 2020-03-10 Cerner Innovation, Inc. Event manager for software deployment
US10705882B2 (en) 2017-12-21 2020-07-07 Cisco Technology, Inc. System and method for resource placement across clouds for data intensive workloads
US11595474B2 (en) 2017-12-28 2023-02-28 Cisco Technology, Inc. Accelerating data replication using multicast and non-volatile memory enabled nodes
US10402178B2 (en) 2018-01-26 2019-09-03 Accenture Global Solutions Limited Cross platform content management and distribution system
US10671495B2 (en) * 2018-01-29 2020-06-02 Hewlett Packard Enterprise Development Lp Disaster recovery rehearsal of a workload
US10715564B2 (en) 2018-01-29 2020-07-14 Oracle International Corporation Dynamic client registration for an identity cloud service
US10620991B1 (en) * 2018-01-31 2020-04-14 VirtuStream IP Holding Company Workload migration in multi-cloud environments
US11038770B2 (en) 2018-02-01 2021-06-15 Keysight Technologies, Inc. Methods, systems, and computer readable media for managing deployment and maintenance of network tools
US10812349B2 (en) 2018-02-17 2020-10-20 Keysight Technologies, Inc. Methods, systems and computer readable media for triggering on-demand dynamic activation of cloud-based network visibility tools
US10862867B2 (en) 2018-04-01 2020-12-08 Cisco Technology, Inc. Intelligent graphical user interface
US10511534B2 (en) 2018-04-06 2019-12-17 Cisco Technology, Inc. Stateless distributed load-balancing
US11055417B2 (en) 2018-04-17 2021-07-06 Oracle International Corporation High granularity application and data security in cloud environments
US10824751B1 (en) 2018-04-25 2020-11-03 Bank Of America Corporation Zoned data storage and control security system
US10929556B1 (en) 2018-04-25 2021-02-23 Bank Of America Corporation Discrete data masking security system
WO2019213427A1 (en) 2018-05-04 2019-11-07 Laibson Benjamin William Emulation of cloud computing service regions
US10728361B2 (en) 2018-05-29 2020-07-28 Cisco Technology, Inc. System for association of customer information across subscribers
US10867044B2 (en) 2018-05-30 2020-12-15 AppOmni, Inc. Automatic computer system change monitoring and security gap detection system
US10785238B2 (en) 2018-06-12 2020-09-22 Secureworks Corp. Systems and methods for threat discovery across distinct organizations
US11003718B2 (en) 2018-06-12 2021-05-11 Secureworks Corp. Systems and methods for enabling a global aggregated search, while allowing configurable client anonymity
US10904322B2 (en) 2018-06-15 2021-01-26 Cisco Technology, Inc. Systems and methods for scaling down cloud-based servers handling secure connections
US10764266B2 (en) 2018-06-19 2020-09-01 Cisco Technology, Inc. Distributed authentication and authorization for rapid scaling of containerized services
US11019083B2 (en) 2018-06-20 2021-05-25 Cisco Technology, Inc. System for coordinating distributed website analysis
US11159389B1 (en) 2018-06-28 2021-10-26 Juniper Networks, Inc. Inter-application workload network traffic monitoring and visualization
US10819571B2 (en) 2018-06-29 2020-10-27 Cisco Technology, Inc. Network traffic optimization using in-situ notification system
US10846070B2 (en) 2018-07-05 2020-11-24 At&T Intellectual Property I, L.P. Facilitating cloud native edge computing via behavioral intelligence
US10635825B2 (en) 2018-07-11 2020-04-28 International Business Machines Corporation Data privacy awareness in workload provisioning
US10904342B2 (en) 2018-07-30 2021-01-26 Cisco Technology, Inc. Container networking using communication tunnels
US11615061B1 (en) * 2018-08-03 2023-03-28 Amazon Technologies, Inc. Evaluating workload for database migration recommendations
US11146560B1 (en) * 2018-08-30 2021-10-12 Amazon Technologies, Inc. Distributed governance of computing resources
US11310276B2 (en) * 2018-09-17 2022-04-19 International Business Machines Corporation Adjusting resiliency policies for cloud services based on a resiliency score
US11055078B2 (en) * 2018-09-28 2021-07-06 Atlassian Pty Ltd. Systems and methods for deploying software products to environments
US11546296B2 (en) * 2018-10-18 2023-01-03 Bank Of America Corporation Cloud computing architecture with secure multi-cloud integration
US10884815B2 (en) 2018-10-29 2021-01-05 Pivotal Software, Inc. Independent services platform
US10824483B2 (en) 2018-11-20 2020-11-03 R Software Inc. Application programming interface scoring, ranking and selection
WO2020106973A1 (en) * 2018-11-21 2020-05-28 Araali Networks, Inc. Systems and methods for securing a workload
US11538091B2 (en) * 2018-12-28 2022-12-27 Cloudblue Llc Method of digital product onboarding and distribution using the cloud service brokerage infrastructure
US11184375B2 (en) * 2019-01-17 2021-11-23 Vmware, Inc. Threat detection and security for edge devices
US11637864B2 (en) * 2019-02-13 2023-04-25 Radware Ltd. Hardening of cloud security policies
US11792226B2 (en) 2019-02-25 2023-10-17 Oracle International Corporation Automatic api document generation from scim metadata
US11423111B2 (en) 2019-02-25 2022-08-23 Oracle International Corporation Client API for rest based endpoints for a multi-tenant identify cloud service
US11537423B2 (en) * 2019-03-19 2022-12-27 Hewlett Packard Enterprise Development Lp Virtual resource selection for a virtual resource creation request
US11159488B2 (en) * 2019-03-29 2021-10-26 Jpmorgan Chase Bank, N.A. Dynamic application firewalling in cloud systems
US11283896B2 (en) * 2019-04-10 2022-03-22 Jpmorgan Chase Bank, N.A. Methods for implementing a framework for consumption of services for enterprise cloud platforms
US11102227B2 (en) * 2019-04-12 2021-08-24 EMC IP Holding Company LLC Ecosystem-aware smart arrays for unified analytics and troubleshooting
US11310268B2 (en) 2019-05-06 2022-04-19 Secureworks Corp. Systems and methods using computer vision and machine learning for detection of malicious actions
US11418524B2 (en) 2019-05-07 2022-08-16 SecureworksCorp. Systems and methods of hierarchical behavior activity modeling and detection for systems-level security
US11329930B2 (en) * 2019-05-29 2022-05-10 Red Hat, Inc. Generating scenarios for automated execution of resources in a cloud computing environment
US11290494B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Reliability prediction for cloud security policies
US11863580B2 (en) 2019-05-31 2024-01-02 Varmour Networks, Inc. Modeling application dependencies to identify operational risk
US11290493B2 (en) 2019-05-31 2022-03-29 Varmour Networks, Inc. Template-driven intent-based security
US11310284B2 (en) 2019-05-31 2022-04-19 Varmour Networks, Inc. Validation of cloud security policies
US11711374B2 (en) 2019-05-31 2023-07-25 Varmour Networks, Inc. Systems and methods for understanding identity and organizational access to applications within an enterprise environment
US11575563B2 (en) * 2019-05-31 2023-02-07 Varmour Networks, Inc. Cloud security management
US10951509B1 (en) 2019-06-07 2021-03-16 Keysight Technologies, Inc. Methods, systems, and computer readable media for providing intent-driven microapps for execution on communications network testing devices
US11025732B2 (en) * 2019-06-17 2021-06-01 Vmware, Inc. Method and apparatus to perform user authentication during cloud provider sessions
US11184505B2 (en) * 2019-06-25 2021-11-23 Kyocera Document Solutions, Inc. Methods and system for policy-based printing and scanning
CN110557431A (en) * 2019-07-23 2019-12-10 大唐陕西发电有限公司 Fan data uploading system and method based on JAVA language
US11336694B2 (en) * 2019-08-05 2022-05-17 Cisco Technology, Inc. Scalable security policy architecture with segregated forwarding and security plane and hierarchical classes
US11330006B2 (en) 2019-08-29 2022-05-10 Bank Of America Corporation Detecting and identifying devices at enterprise locations to protect enterprise-managed information and resources
US11356462B2 (en) 2019-08-29 2022-06-07 Bank Of America Corporation Detecting and identifying devices at enterprise locations to protect enterprise-managed information and resources
US11755372B2 (en) 2019-08-30 2023-09-12 Microstrategy Incorporated Environment monitoring and management
EP3786826A1 (en) 2019-08-30 2021-03-03 Barclays Execution Services Limited Secure validation pipeline in a third party cloud environment
US11714658B2 (en) 2019-08-30 2023-08-01 Microstrategy Incorporated Automated idle environment shutdown
EP3786829A1 (en) * 2019-08-30 2021-03-03 Barclays Execution Services Limited Secure data processing in a third-party cloud environment
US11528194B2 (en) * 2019-09-06 2022-12-13 Jpmorgan Chase Bank, N.A. Enterprise control plane for data streaming service
US11687378B2 (en) 2019-09-13 2023-06-27 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration and bridge high availability
US11870770B2 (en) 2019-09-13 2024-01-09 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration
US11108920B2 (en) 2019-10-03 2021-08-31 Starfish Technologies LLC Cloud-based scanning systems and remote image processing methods
US10951779B1 (en) 2019-10-03 2021-03-16 Starfish Technologies LLC Cloud-based scanning systems and remote image processing methods
US10827082B1 (en) 2019-10-03 2020-11-03 Starfish Technologies LLC Cloud-based scanning systems and remote image processing methods
US10848628B1 (en) 2019-10-03 2020-11-24 Starfish Technologies LLC Cloud-based scanning systems and remote image processing methods
US10924615B1 (en) 2019-10-03 2021-02-16 Starfish Technologies LLC Cloud-based scanning systems and remote image processing methods
US10708358B1 (en) 2019-10-03 2020-07-07 Starfish Technologies LLC Cloud-based scanning systems and remote image processing methods
US11128765B2 (en) 2019-10-03 2021-09-21 Starfish Technologies LLC Cloud-based scanning systems and remote image processing methods
US10812667B1 (en) * 2019-10-03 2020-10-20 Starfish Technologies LLC Cloud-based scanning systems and remote image processing methods
US11381589B2 (en) 2019-10-11 2022-07-05 Secureworks Corp. Systems and methods for distributed extended common vulnerabilities and exposures data management
US11489745B2 (en) 2019-10-15 2022-11-01 Keysight Technologies, Inc. Methods, systems and computer readable media for providing a declarative network monitoring environment
US10880232B1 (en) * 2019-11-29 2020-12-29 Amazon Technologies, Inc. Availability groups of cloud provider edge locations
US11522877B2 (en) 2019-12-16 2022-12-06 Secureworks Corp. Systems and methods for identifying malicious actors or activities
US11733986B2 (en) * 2020-01-07 2023-08-22 Chaitanya Kapadia System for managing multiple clouds and method thereof
US11615330B2 (en) * 2020-03-18 2023-03-28 Kyndryl, Inc. Virtual subject matter expert provisioning
US11153170B1 (en) 2020-04-06 2021-10-19 Vmware, Inc. Migration of data compute node across sites
US11088919B1 (en) 2020-04-06 2021-08-10 Vmware, Inc. Data structure for defining multi-site logical network
US11870679B2 (en) 2020-04-06 2024-01-09 VMware LLC Primary datacenter for logical router
US11088902B1 (en) 2020-04-06 2021-08-10 Vmware, Inc. Synchronization of logical network state between global and local managers
US11777793B2 (en) 2020-04-06 2023-10-03 Vmware, Inc. Location criteria for security groups
US10999413B1 (en) * 2020-05-21 2021-05-04 R Software Inc. Public and private API hub synchronization
US11687379B2 (en) 2020-05-27 2023-06-27 Red Hat, Inc. Management of containerized clusters by virtualization systems
US11496443B2 (en) 2020-06-30 2022-11-08 Sap Se Middleware to enable end-to-end processes with limited network communication
US11588834B2 (en) 2020-09-03 2023-02-21 Secureworks Corp. Systems and methods for identifying attack patterns or suspicious activity in client networks
US11736527B1 (en) * 2020-09-04 2023-08-22 Anvilogic, Inc. Multi-system security monitoring configuration distribution
US11102280B1 (en) * 2020-09-08 2021-08-24 HashiCorp Infrastructure imports for an information technology platform
US11343283B2 (en) * 2020-09-28 2022-05-24 Vmware, Inc. Multi-tenant network virtualization infrastructure
US11356382B1 (en) 2020-09-30 2022-06-07 Amazon Technologies, Inc. Protecting integration between resources of different services using service-generated dependency tags
US11316741B1 (en) * 2020-11-23 2022-04-26 Netskope, Inc. Multi-environment networking management system
US11593180B2 (en) 2020-12-15 2023-02-28 Kyndryl, Inc. Cluster selection for workload deployment
US11876817B2 (en) 2020-12-23 2024-01-16 Varmour Networks, Inc. Modeling queue-based message-oriented middleware relationships in a security system
US11818152B2 (en) 2020-12-23 2023-11-14 Varmour Networks, Inc. Modeling topic-based message-oriented middleware within a security system
US11159419B1 (en) 2021-01-29 2021-10-26 Netskope, Inc. Policy-driven data locality and residency
US11777978B2 (en) 2021-01-29 2023-10-03 Varmour Networks, Inc. Methods and systems for accurately assessing application access risk
US11363095B1 (en) * 2021-01-29 2022-06-14 Netskope, Inc. Policy-driven client and destination priority
US11528294B2 (en) 2021-02-18 2022-12-13 SecureworksCorp. Systems and methods for automated threat detection
US20220414577A1 (en) * 2021-06-28 2022-12-29 Dell Products L.P. System and method for performance-centric workload placement in a hybrid cloud environment
US11734316B2 (en) 2021-07-08 2023-08-22 Varmour Networks, Inc. Relationship-based search in a computing environment
US11595324B1 (en) 2021-10-01 2023-02-28 Bank Of America Corporation System for automated cross-network monitoring of computing hardware and software resources
WO2023247038A1 (en) * 2022-06-23 2023-12-28 Telefonaktiebolaget Lm Ericsson (Publ) Secure utilization of external hardware
WO2024039388A1 (en) * 2022-08-19 2024-02-22 Rakuten Symphony Singapore Pte. Ltd. Systems and methods for handling abnormal activity in o-ran near real time ric platform

Citations (93)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6321334B1 (en) * 1998-07-15 2001-11-20 Microsoft Corporation Administering permissions associated with a security zone in a computer system security model
US20020010572A1 (en) * 2000-04-14 2002-01-24 Lyman Orton Integrated system for and method of supporting spatial decision making and land-use scenario analysis
US6345361B1 (en) * 1998-04-06 2002-02-05 Microsoft Corporation Directional set operations for permission based security in a computer system
US20020099823A1 (en) * 2000-05-15 2002-07-25 Brian Jemes System and method for implementing a bubble policy to achieve host and network security
US20020129128A1 (en) * 2001-03-07 2002-09-12 Stephen Gold Aggregation of multiple headless computer entities into a single computer entity group
US6473800B1 (en) * 1998-07-15 2002-10-29 Microsoft Corporation Declarative permission requests in a computer system
US20020178246A1 (en) * 2001-03-27 2002-11-28 Mayer Alain Jules Method and apparatus for network wide policy-based analysis of configurations of devices
US20020184525A1 (en) * 2001-03-29 2002-12-05 Lebin Cheng Style sheet transformation driven firewall access list generation
US20030112182A1 (en) * 2001-12-19 2003-06-19 Bajikar Sundeep M. Method and apparatus for controlling access to mobile devices
US20030229808A1 (en) * 2001-07-30 2003-12-11 Axcelerant, Inc. Method and apparatus for monitoring computer network security enforcement
US20040083295A1 (en) * 2002-10-24 2004-04-29 3Com Corporation System and method for using virtual local area network tags with a virtual private network
US20040111643A1 (en) * 2002-12-02 2004-06-10 Farmer Daniel G. System and method for providing an enterprise-based computer security policy
US20050091353A1 (en) * 2003-09-30 2005-04-28 Gopisetty Sandeep K. System and method for autonomically zoning storage area networks based on policy requirements
US20050193196A1 (en) * 2004-02-26 2005-09-01 Ming-Yuh Huang Cryptographically enforced, multiple-role, policy-enabled object dissemination control mechanism
US20050198299A1 (en) * 2004-01-26 2005-09-08 Beck Christopher Clemmett M. Methods and apparatus for identifying and facilitating a social interaction structure over a data packet network
US20050198125A1 (en) * 2004-01-26 2005-09-08 Macleod Beck Christopher C. Methods and system for creating and managing identity oriented networked communication
US20050257244A1 (en) * 2004-05-13 2005-11-17 Hewlett-Packard Development Company, L.P. Method and apparatus for role-based security policy management
US20050283823A1 (en) * 2004-06-21 2005-12-22 Nec Corporation Method and apparatus for security policy management
US20050289538A1 (en) * 2004-06-23 2005-12-29 International Business Machines Corporation Deploying an application software on a virtual deployment target
US6996716B1 (en) * 1999-04-15 2006-02-07 Avaya Technology Corp. Dual-tier security architecture for inter-domain environments
US20060059548A1 (en) * 2004-09-01 2006-03-16 Hildre Eric A System and method for policy enforcement and token state monitoring
US20060056297A1 (en) * 2004-09-14 2006-03-16 3Com Corporation Method and apparatus for controlling traffic between different entities on a network
US20060100912A1 (en) * 2002-12-16 2006-05-11 Questerra Llc. Real-time insurance policy underwriting and risk management
US20060129670A1 (en) * 2001-03-27 2006-06-15 Redseal Systems, Inc. Method and apparatus for network wide policy-based analysis of configurations of devices
US20060133338A1 (en) * 2004-11-23 2006-06-22 Interdigital Technology Corporation Method and system for securing wireless communications
US20060253443A1 (en) * 2005-05-04 2006-11-09 Microsoft Corporation Region-based security
US7143439B2 (en) * 2000-01-07 2006-11-28 Security, Inc. Efficient evaluation of rules
US20060282294A1 (en) * 2005-06-09 2006-12-14 Mccomb Shawn J Supplemental crop insurance and method for providing risk protection to a grower
US20060282295A1 (en) * 2005-06-09 2006-12-14 Mccomb Shawn J Method for providing enhanced risk protection to a grower
US20070011723A1 (en) * 2005-07-07 2007-01-11 Ching-Yun Chao Method for maintaining application compatibility within an application isolation policy
US20070022479A1 (en) * 2005-07-21 2007-01-25 Somsubhra Sikdar Network interface and firewall device
US20070022474A1 (en) * 2005-07-21 2007-01-25 Mistletoe Technologies, Inc. Portable firewall
US20070061870A1 (en) * 2005-09-15 2007-03-15 Annsheng Ting Method and system to provide secure data connection between creation points and use points
US20070157286A1 (en) * 2005-08-20 2007-07-05 Opnet Technologies, Inc. Analyzing security compliance within a network
US7272646B2 (en) * 2000-06-16 2007-09-18 Securify, Inc. Network monitor internals description
US7284267B1 (en) * 2001-03-08 2007-10-16 Mcafee, Inc. Automatically configuring a computer firewall based on network connection
US20080072284A1 (en) * 2006-08-29 2008-03-20 Microsoft Corporation Zone Policy Administration For Entity Tracking And Privacy Assurance
US7428754B2 (en) * 2004-08-17 2008-09-23 The Mitre Corporation System for secure computing using defense-in-depth architecture
US20080253322A1 (en) * 2007-03-02 2008-10-16 Zte (Usa) Inc. WiMAX Multicast Broadcast Network System Architecture
US20080306798A1 (en) * 2007-06-05 2008-12-11 Juergen Anke Deployment planning of components in heterogeneous environments
US20090063665A1 (en) * 2007-08-28 2009-03-05 Rohati Systems, Inc. Highly scalable architecture for application network appliances
US20090089078A1 (en) * 2007-09-28 2009-04-02 Great-Circle Technologies, Inc. Bundling of automated work flow
US20090085743A1 (en) * 2007-09-28 2009-04-02 Symbol Technologies, Inc. Methods and systems for controlling operations of a mobile radio frequency reader based on its location
US20090138938A1 (en) * 2007-01-31 2009-05-28 Tufin Software Technologies Ltd. System and Method for Auditing a Security Policy
US20090138795A1 (en) * 2007-11-28 2009-05-28 International Business Machines Corporation Enforcing context model based policies with forward chaining
US7584301B1 (en) * 2004-05-06 2009-09-01 Foundry Networks, Inc. Host-level policies for global server load balancing
US20090265755A1 (en) * 2008-04-18 2009-10-22 International Business Machines Corporation Firewall methodologies for use within virtual environments
US7613826B2 (en) * 2006-02-09 2009-11-03 Cisco Technology, Inc. Methods and apparatus for providing multiple policies for a virtual private network
US7620613B1 (en) * 2006-07-28 2009-11-17 Hewlett-Packard Development Company, L.P. Thermal management of data centers
US20090307685A1 (en) * 2008-06-06 2009-12-10 International Business Machines Corporation Method, Arrangement, Computer Program Product and Data Processing Program for Deploying a Software Service
US20100050239A1 (en) * 2008-08-25 2010-02-25 Carter Stephen R Automated service platform prospecting
US20100058435A1 (en) * 2008-08-29 2010-03-04 Novell, Inc. System and method for virtual information cards
US7685261B1 (en) * 2001-06-29 2010-03-23 Symantec Operating Corporation Extensible architecture for the centralized discovery and management of heterogeneous SAN components
US7698230B1 (en) * 2002-02-15 2010-04-13 ContractPal, Inc. Transaction architecture utilizing transaction policy statements
US7698430B2 (en) * 2005-03-16 2010-04-13 Adaptive Computing Enterprises, Inc. On-demand compute environment
US20100169497A1 (en) * 2008-12-31 2010-07-01 Sap Ag Systems and methods for integrating local systems with cloud computing resources
US20100198972A1 (en) * 2009-02-04 2010-08-05 Steven Michael Umbehocker Methods and Systems for Automated Management of Virtual Resources In A Cloud Computing Environment
US7774444B1 (en) * 2002-10-16 2010-08-10 Symantec Operating Corporation SAN simulator
US20100212010A1 (en) * 2009-02-18 2010-08-19 Stringer John D Systems and methods that detect sensitive data leakages from applications
US20100275241A1 (en) * 2009-04-23 2010-10-28 Srinivasan Kattiganehalli Y Securely hosting workloads in virtual computing environments
US20100319004A1 (en) * 2009-06-16 2010-12-16 Microsoft Corporation Policy Management for the Cloud
US20110004916A1 (en) * 2009-07-02 2011-01-06 Samsung Electronics Co., Ltd. Securely using service providers in elastic computing systems and environments
US20110016473A1 (en) * 2009-07-20 2011-01-20 Srinivasan Kattiganehalli Y Managing services for workloads in virtual computing environments
US20110016214A1 (en) * 2009-07-15 2011-01-20 Cluster Resources, Inc. System and method of brokering cloud computing resources
US7886031B1 (en) * 2002-06-04 2011-02-08 Symantec Operating Corporation SAN configuration utility
US20110099126A1 (en) * 2005-08-30 2011-04-28 Sensact Applications, Inc. Automated Parking Policy Enforcement System
US20110126275A1 (en) * 2009-11-25 2011-05-26 Novell, Inc. System and method for discovery enrichment in an intelligent workload management system
US20110214157A1 (en) * 2000-09-25 2011-09-01 Yevgeny Korsunsky Securing a network with data flow processing
US20110213869A1 (en) * 2000-09-25 2011-09-01 Yevgeny Korsunsky Processing data flows with a data flow processor
US20110219035A1 (en) * 2000-09-25 2011-09-08 Yevgeny Korsunsky Database security via data flow processing
US8019849B1 (en) * 2002-09-13 2011-09-13 Symantec Operating Corporation Server-side storage area network management interface
US20110231564A1 (en) * 2000-09-25 2011-09-22 Yevgeny Korsunsky Processing data flows with a data flow processor
US20110231899A1 (en) * 2009-06-19 2011-09-22 ServiceMesh Corporation System and method for a cloud computing abstraction layer
US20110231510A1 (en) * 2000-09-25 2011-09-22 Yevgeny Korsunsky Processing data flows with a data flow processor
US20110238855A1 (en) * 2000-09-25 2011-09-29 Yevgeny Korsunsky Processing data flows with a data flow processor
US8060630B1 (en) * 2002-11-27 2011-11-15 Symantec Operating Corporation Creating and configuring virtual fabrics in storage area networks
US8082262B2 (en) * 1995-04-11 2011-12-20 Personalweb Technologies, LLC Methods, systems, and devices supporting data access in a data processing system
US20120005724A1 (en) * 2009-02-09 2012-01-05 Imera Systems, Inc. Method and system for protecting private enterprise resources in a cloud computing environment
US20120173709A1 (en) * 2011-01-05 2012-07-05 Li Li Seamless scaling of enterprise applications
US20120179824A1 (en) * 2005-03-16 2012-07-12 Adaptive Computing Enterprises, Inc. System and method of brokering cloud computing resources
US20120185821A1 (en) * 2010-09-17 2012-07-19 Oracle International Corporation Pattern-based construction and extension of enterprise applications in a cloud computing environment
US20120185913A1 (en) * 2008-06-19 2012-07-19 Servicemesh, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US8230050B1 (en) * 2008-12-10 2012-07-24 Amazon Technologies, Inc. Providing access to configurable private computer networks
US8261295B1 (en) * 2011-03-16 2012-09-04 Google Inc. High-level language for specifying configurations of cloud-based deployments
US20120240185A1 (en) * 2000-09-25 2012-09-20 Harsh Kapoor Systems and methods for processing data flows
US20120324069A1 (en) * 2011-06-17 2012-12-20 Microsoft Corporation Middleware Services Framework for On-Premises and Cloud Deployment
US8369333B2 (en) * 2009-10-21 2013-02-05 Alcatel Lucent Method and apparatus for transparent cloud computing with a virtualized network infrastructure
US20130066940A1 (en) * 2010-05-20 2013-03-14 Weixiang Shao Cloud service broker, cloud computing method and cloud system
US20130067225A1 (en) * 2008-09-08 2013-03-14 Ofer Shochet Appliance, system, method and corresponding software components for encrypting and processing data
US8473557B2 (en) * 2010-08-24 2013-06-25 At&T Intellectual Property I, L.P. Methods and apparatus to migrate virtual machines between distributive computing networks across a wide area network
US8510835B1 (en) * 2009-09-18 2013-08-13 Trend Micro Incorporated Techniques for protecting data in cloud computing environments
US8543810B1 (en) * 2006-08-07 2013-09-24 Oracle America, Inc. Deployment tool and method for managing security lifecycle of a federated web service
US8782637B2 (en) * 2007-11-03 2014-07-15 ATM Shafiqul Khalid Mini-cloud system for enabling user subscription to cloud service in residential environment

Family Cites Families (120)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU8256998A (en) 1997-06-16 1999-01-04 Badieh Z. II Keilani System and method for processing multiple financial applications using a three-tier value network
US7184428B1 (en) 1997-12-31 2007-02-27 At&T Corp. Facility management platform for a hybrid coaxial/twisted pair local loop network service architecture
US6523166B1 (en) * 1998-09-21 2003-02-18 Microsoft Corporation Method and system for on-demand installation of software implementations
US6158010A (en) 1998-10-28 2000-12-05 Crosslogix, Inc. System and method for maintaining security in a distributed computer network
US6880089B1 (en) * 2000-03-31 2005-04-12 Avaya Technology Corp. Firewall clustering for multiple network servers
US20020016926A1 (en) 2000-04-27 2002-02-07 Nguyen Thomas T. Method and apparatus for integrating tunneling protocols with standard routing protocols
US7546629B2 (en) * 2002-03-06 2009-06-09 Check Point Software Technologies, Inc. System and methodology for security policy arbitration
US6880002B2 (en) 2001-09-05 2005-04-12 Surgient, Inc. Virtualized logical server cloud providing non-deterministic allocation of logical attributes of logical servers to physical resources
US20030093465A1 (en) * 2001-10-31 2003-05-15 International Business Machines Corporation Management strategies for internationalization in a distributed computer environment
US7574496B2 (en) 2001-11-30 2009-08-11 Surgient, Inc. Virtual server cloud interfacing
US20030177390A1 (en) * 2002-03-15 2003-09-18 Rakesh Radhakrishnan Securing applications based on application infrastructure security techniques
US6990666B2 (en) 2002-03-18 2006-01-24 Surgient Inc. Near on-line server
US6895413B2 (en) 2002-03-22 2005-05-17 Network Appliance, Inc. System and method for performing an on-line check of a file system
WO2003098490A1 (en) 2002-05-16 2003-11-27 Agency For Science, Technology And Research A computing system deployment planning method
US6847970B2 (en) 2002-09-11 2005-01-25 International Business Machines Corporation Methods and apparatus for managing dependencies in distributed systems
WO2004071038A1 (en) * 2003-02-05 2004-08-19 Nippon Telegraph And Telephone Corporation Firewall device
US20040210623A1 (en) * 2003-03-06 2004-10-21 Aamer Hydrie Virtual network topology generation
US7076393B2 (en) * 2003-10-03 2006-07-11 Verizon Services Corp. Methods and apparatus for testing dynamic network firewalls
JP2007508623A (en) * 2003-10-08 2007-04-05 ユニシス コーポレーション Virtual data center that allocates and manages system resources across multiple nodes
US20070061441A1 (en) * 2003-10-08 2007-03-15 Landis John A Para-virtualized computer system with I/0 server partitions that map physical host hardware for access by guest partitions
US7610621B2 (en) * 2004-03-10 2009-10-27 Eric White System and method for behavior-based firewall modeling
US7501385B2 (en) 2004-06-15 2009-03-10 Halliburton Energy Services, Inc. Compositions and methods for water control and strengthening unconsolidated formations
US20060041936A1 (en) * 2004-08-19 2006-02-23 International Business Machines Corporation Method and apparatus for graphical presentation of firewall security policy
US9083748B2 (en) * 2004-12-16 2015-07-14 Hewlett-Packard Development Company, L.P. Modelling network to assess security properties
US7954090B1 (en) * 2004-12-21 2011-05-31 Zenprise, Inc. Systems and methods for detecting behavioral features of software application deployments for automated deployment management
CN101088256B (en) * 2004-12-21 2010-12-08 艾利森电话股份有限公司 Arrangement and method relating to flow of packets in communication systems
US7937755B1 (en) * 2005-01-27 2011-05-03 Juniper Networks, Inc. Identification of network policy violations
US8577761B1 (en) * 2005-06-30 2013-11-05 Oracle America, Inc. System and method for dynamic offering topologies
US8429630B2 (en) 2005-09-15 2013-04-23 Ca, Inc. Globally distributed utility computing cloud
EP1932079A1 (en) * 2005-09-30 2008-06-18 Telecom Italia S.p.A. A method and system for automatically testing performance of applications run in a distributed processing structure and corresponding computer program product
US9374342B2 (en) * 2005-11-08 2016-06-21 Verizon Patent And Licensing Inc. System and method for testing network firewall using fine granularity measurements
US8027251B2 (en) * 2005-11-08 2011-09-27 Verizon Services Corp. Systems and methods for implementing protocol-aware network firewall
US7805757B2 (en) * 2005-12-30 2010-09-28 Alcatel-Lucent Usa Inc. Control of communication session attributes in network employing firewall protection
US20070174429A1 (en) 2006-01-24 2007-07-26 Citrix Systems, Inc. Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment
US8078728B1 (en) 2006-03-31 2011-12-13 Quest Software, Inc. Capacity pooling for application reservation and delivery
US7697441B2 (en) 2006-04-27 2010-04-13 Microsoft Corporation Computer system with black hole management
US20080215681A1 (en) 2006-05-01 2008-09-04 Thomas Darcie Network architecture for multi-user collaboration and data-stream mixing and method thereof
US8619771B2 (en) 2009-09-30 2013-12-31 Vmware, Inc. Private allocated networks over shared communications infrastructure
EP2057543A4 (en) 2006-08-07 2012-07-04 Oracle Int Corp System and method for providing hardware virtualization in a virtual machine environment
US20100306773A1 (en) 2006-11-06 2010-12-02 Lee Mark M Instant on Platform
US7937353B2 (en) * 2007-01-15 2011-05-03 International Business Machines Corporation Method and system for determining whether to alter a firewall configuration
US8380880B2 (en) 2007-02-02 2013-02-19 The Mathworks, Inc. Scalable architecture
US7853687B2 (en) * 2007-03-05 2010-12-14 Alcatel Lucent Access control list generation and validation tool
US8621552B1 (en) * 2007-05-22 2013-12-31 Skybox Security Inc. Method, a system, and a computer program product for managing access change assurance
US20090178131A1 (en) 2008-01-08 2009-07-09 Microsoft Corporation Globally distributed infrastructure for secure content management
US8800002B2 (en) 2008-02-18 2014-08-05 Microsoft Corporation Inter-process networking for many-core operating systems
US8479209B2 (en) 2008-02-27 2013-07-02 Sap Ag Automated execution of virtual appliances
US8418222B2 (en) 2008-03-05 2013-04-09 Microsoft Corporation Flexible scalable application authorization for cloud computing environments
US8196175B2 (en) 2008-03-05 2012-06-05 Microsoft Corporation Self-describing authorization policy for accessing cloud-based resources
US7836198B2 (en) 2008-03-20 2010-11-16 International Business Machines Corporation Ethernet virtualization using hardware control flow override
US8056119B2 (en) * 2008-04-25 2011-11-08 Oracle America, Inc. Method and system for controlling inter-zone communication
US8849971B2 (en) 2008-05-28 2014-09-30 Red Hat, Inc. Load balancing in cloud-based networks
US8543998B2 (en) 2008-05-30 2013-09-24 Oracle International Corporation System and method for building virtual appliances using a repository metadata server and a dependency resolution service
US10372490B2 (en) 2008-05-30 2019-08-06 Red Hat, Inc. Migration of a virtual machine from a first cloud computing environment to a second cloud computing environment in response to a resource or services in the second cloud computing environment becoming available
US20090300169A1 (en) 2008-06-03 2009-12-03 Microsoft Corporation Synchronization throttling based on user activity
US8924469B2 (en) 2008-06-05 2014-12-30 Headwater Partners I Llc Enterprise access control and accounting allocation for access networks
US8336052B2 (en) * 2008-06-16 2012-12-18 International Business Machines Corporation Management, control, and monitoring of workload including unrelated processes of different containers
US9489647B2 (en) * 2008-06-19 2016-11-08 Csc Agility Platform, Inc. System and method for a cloud computing abstraction with self-service portal for publishing resources
US8514868B2 (en) 2008-06-19 2013-08-20 Servicemesh, Inc. Cloud computing gateway, cloud computing hypervisor, and methods for implementing same
US8291378B2 (en) 2008-07-29 2012-10-16 International Business Machines Corporation Simplified deployment modeling
US8713627B2 (en) * 2008-08-14 2014-04-29 Juniper Networks, Inc. Scalable security services for multicast in a router having integrated zone-based firewall
US8316435B1 (en) * 2008-08-14 2012-11-20 Juniper Networks, Inc. Routing device having integrated MPLS-aware firewall with virtual security system support
US8307422B2 (en) * 2008-08-14 2012-11-06 Juniper Networks, Inc. Routing device having integrated MPLS-aware firewall
US8955107B2 (en) 2008-09-12 2015-02-10 Juniper Networks, Inc. Hierarchical application of security services within a computer network
US7987262B2 (en) * 2008-11-19 2011-07-26 Accenture Global Services Limited Cloud computing assessment tool
US10057775B2 (en) * 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US8856783B2 (en) * 2010-10-12 2014-10-07 Citrix Systems, Inc. Allocating virtual machines according to user-specific virtual machine metrics
WO2010127266A1 (en) * 2009-05-01 2010-11-04 Citrix Systems, Inc. Systems and methods for providing a virtual appliance in an application delivery fabric
US20100287280A1 (en) 2009-05-08 2010-11-11 Gal Sivan System and method for cloud computing based on multiple providers
US8397215B2 (en) 2009-05-18 2013-03-12 National Instruments Corporation Executing a physical model with multiple physical domains in a web browser
US20100318609A1 (en) 2009-06-15 2010-12-16 Microsoft Corporation Bridging enterprise networks into cloud
US20190288956A1 (en) * 2009-06-19 2019-09-19 Servicemesh, Inc. System and method for a cloud computing abstraction layer
US8924559B2 (en) 2009-12-03 2014-12-30 International Business Machines Corporation Provisioning services using a cloud services catalog
US7937438B1 (en) 2009-12-07 2011-05-03 Amazon Technologies, Inc. Using virtual networking devices to manage external connections
US8799985B2 (en) * 2009-12-09 2014-08-05 Microsoft Corporation Automated security classification and propagation of virtualized and physical virtual machines
US8726334B2 (en) * 2009-12-09 2014-05-13 Microsoft Corporation Model based systems management in virtualized and non-virtualized environments
US8924569B2 (en) 2009-12-17 2014-12-30 Intel Corporation Cloud federation as a service
US9395965B2 (en) 2009-12-29 2016-07-19 Oracle International Corporation Techniques for automated generation of service artifacts
US8650299B1 (en) * 2010-02-03 2014-02-11 Citrix Systems, Inc. Scalable cloud computing
US8806014B2 (en) 2010-03-19 2014-08-12 Novell, Inc. Techniques for intelligent service deployment
US8259571B1 (en) 2010-03-26 2012-09-04 Zscaler, Inc. Handling overlapping IP addresses in multi-tenant architecture
CA2737631C (en) 2010-04-18 2014-07-15 Layer 7 Technologies Inc. Protected application stack and method and system of utilizing
US8345692B2 (en) 2010-04-27 2013-01-01 Cisco Technology, Inc. Virtual switching overlay for cloud computing
US9461996B2 (en) * 2010-05-07 2016-10-04 Citrix Systems, Inc. Systems and methods for providing a single click access to enterprise, SAAS and cloud hosted application
US9282097B2 (en) * 2010-05-07 2016-03-08 Citrix Systems, Inc. Systems and methods for providing single sign on access to enterprise SAAS and cloud hosted applications
US8880558B2 (en) 2010-07-01 2014-11-04 International Business Machines Corporation Cloud services creation based on graph mapping
US20120066487A1 (en) * 2010-09-09 2012-03-15 Novell, Inc. System and method for providing load balancer visibility in an intelligent workload management system
US9253016B2 (en) * 2010-11-02 2016-02-02 International Business Machines Corporation Management of a data network of a computing environment
US9081613B2 (en) * 2010-11-02 2015-07-14 International Business Machines Corporation Unified resource manager providing a single point of control
EP2643758A1 (en) 2010-11-22 2013-10-02 Telefonaktiebolaget L M Ericsson (PUBL) Technique for resource creation in a cloud computing system
WO2012092262A1 (en) * 2010-12-28 2012-07-05 Citrix Systems, Inc. Systems and methods for vlan tagging via cloud bridge
US8788669B2 (en) * 2011-01-03 2014-07-22 Novell, Inc. Policy and identity based workload provisioning
US10678602B2 (en) 2011-02-09 2020-06-09 Cisco Technology, Inc. Apparatus, systems and methods for dynamic adaptive metrics based application deployment on distributed infrastructures
US9104672B2 (en) * 2011-02-25 2015-08-11 International Business Machines Corporation Virtual security zones for data processing environments
US9880796B2 (en) 2011-03-08 2018-01-30 Georgia Tech Research Corporation Rapid view mobilization for enterprise applications
US8984610B2 (en) * 2011-04-18 2015-03-17 Bank Of America Corporation Secure network cloud architecture
CN103650426B (en) * 2011-05-06 2016-10-05 思杰系统有限公司 For carrying out the system and method that cloud bridge connects between public cloud and privately owned cloud
US9253252B2 (en) * 2011-05-06 2016-02-02 Citrix Systems, Inc. Systems and methods for cloud bridging between intranet resources and cloud resources
US8516241B2 (en) * 2011-07-12 2013-08-20 Cisco Technology, Inc. Zone-based firewall policy model for a virtualized data center
US9170798B2 (en) 2012-03-02 2015-10-27 Vmware, Inc. System and method for customizing a deployment plan for a multi-tier application in a cloud infrastructure
US9647835B2 (en) 2011-12-16 2017-05-09 Akamai Technologies, Inc. Terminating SSL connections without locally-accessible private keys
US8434080B2 (en) 2011-12-22 2013-04-30 Software Ag Usa, Inc. Distributed cloud application deployment systems and/or associated methods
US9319286B2 (en) 2012-03-30 2016-04-19 Cognizant Business Services Limited Apparatus and methods for managing applications in multi-cloud environments
GB2504487A (en) * 2012-07-30 2014-02-05 Ibm Automated network deployment of cloud services into a network by matching security requirements
US20140052877A1 (en) * 2012-08-16 2014-02-20 Wenbo Mao Method and apparatus for tenant programmable logical network for multi-tenancy cloud datacenters
US8856386B2 (en) * 2012-08-21 2014-10-07 Cisco Technology, Inc. Cloud resource placement using placement pivot in physical topology
US9690920B2 (en) 2012-08-30 2017-06-27 International Business Machines Corporation Secure configuration catalog of trusted identity providers
EP2909716B1 (en) * 2012-10-16 2021-02-17 Citrix Systems, Inc. Systems and methods for bridging between public and private clouds through multi-level api integration
US20140236745A1 (en) 2013-02-20 2014-08-21 Airvm Inc. Virtualized distribution system offering virtual products or services
US9130901B2 (en) * 2013-02-26 2015-09-08 Zentera Systems, Inc. Peripheral firewall system for application protection in cloud computing environments
US20150067677A1 (en) * 2013-08-27 2015-03-05 Connectloud, Inc. Method and apparatus for defining virtual machine placement logic that is configurable and restricts virtual machine provisioning within a software defined cloud
US11675837B2 (en) * 2014-03-17 2023-06-13 Modelizeit Inc. Analysis of data flows in complex enterprise IT environments
US10873501B2 (en) * 2016-12-09 2020-12-22 Vmware, Inc. Methods, systems and apparatus to propagate node configuration changes to services in a distributed environment
US10721275B2 (en) * 2017-01-23 2020-07-21 Fireeye, Inc. Automated enforcement of security policies in cloud and hybrid infrastructure environments
US10678579B2 (en) * 2017-03-17 2020-06-09 Vmware, Inc. Policy based cross-cloud migration
US10261836B2 (en) * 2017-03-21 2019-04-16 Oracle International Corporation Dynamic dispatching of workloads spanning heterogeneous services
US10855705B2 (en) * 2017-09-29 2020-12-01 Cisco Technology, Inc. Enhanced flow-based computer network threat detection
US10931656B2 (en) * 2018-03-27 2021-02-23 Oracle International Corporation Cross-region trust for a multi-tenant identity cloud service
US11165634B2 (en) * 2018-04-02 2021-11-02 Oracle International Corporation Data replication conflict detection and resolution for a multi-tenant identity cloud service
US11032381B2 (en) * 2019-06-19 2021-06-08 Servicenow, Inc. Discovery and storage of resource tags

Patent Citations (111)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8082262B2 (en) * 1995-04-11 2011-12-20 Personalweb Technologies, LLC Methods, systems, and devices supporting data access in a data processing system
US6345361B1 (en) * 1998-04-06 2002-02-05 Microsoft Corporation Directional set operations for permission based security in a computer system
US6321334B1 (en) * 1998-07-15 2001-11-20 Microsoft Corporation Administering permissions associated with a security zone in a computer system security model
US6473800B1 (en) * 1998-07-15 2002-10-29 Microsoft Corporation Declarative permission requests in a computer system
US6996716B1 (en) * 1999-04-15 2006-02-07 Avaya Technology Corp. Dual-tier security architecture for inter-domain environments
US7143439B2 (en) * 2000-01-07 2006-11-28 Security, Inc. Efficient evaluation of rules
US20020010572A1 (en) * 2000-04-14 2002-01-24 Lyman Orton Integrated system for and method of supporting spatial decision making and land-use scenario analysis
US7376965B2 (en) * 2000-05-15 2008-05-20 Hewlett-Packard Development Company, L.P. System and method for implementing a bubble policy to achieve host and network security
US20020099823A1 (en) * 2000-05-15 2002-07-25 Brian Jemes System and method for implementing a bubble policy to achieve host and network security
US7272646B2 (en) * 2000-06-16 2007-09-18 Securify, Inc. Network monitor internals description
US20120240185A1 (en) * 2000-09-25 2012-09-20 Harsh Kapoor Systems and methods for processing data flows
US20110238855A1 (en) * 2000-09-25 2011-09-29 Yevgeny Korsunsky Processing data flows with a data flow processor
US20110231510A1 (en) * 2000-09-25 2011-09-22 Yevgeny Korsunsky Processing data flows with a data flow processor
US20110231564A1 (en) * 2000-09-25 2011-09-22 Yevgeny Korsunsky Processing data flows with a data flow processor
US20110219035A1 (en) * 2000-09-25 2011-09-08 Yevgeny Korsunsky Database security via data flow processing
US20110213869A1 (en) * 2000-09-25 2011-09-01 Yevgeny Korsunsky Processing data flows with a data flow processor
US20110214157A1 (en) * 2000-09-25 2011-09-01 Yevgeny Korsunsky Securing a network with data flow processing
US20020129128A1 (en) * 2001-03-07 2002-09-12 Stephen Gold Aggregation of multiple headless computer entities into a single computer entity group
US8468256B1 (en) * 2001-03-08 2013-06-18 Mcafee, Inc. Automatically configuring a computer firewall based on network connection
US7284267B1 (en) * 2001-03-08 2007-10-16 Mcafee, Inc. Automatically configuring a computer firewall based on network connection
US20060129672A1 (en) * 2001-03-27 2006-06-15 Redseal Systems, Inc., A Corporation Of Delaware Method and apparatus for network wide policy-based analysis of configurations of devices
US8135815B2 (en) * 2001-03-27 2012-03-13 Redseal Systems, Inc. Method and apparatus for network wide policy-based analysis of configurations of devices
US7003562B2 (en) * 2001-03-27 2006-02-21 Redseal Systems, Inc. Method and apparatus for network wide policy-based analysis of configurations of devices
US20020178246A1 (en) * 2001-03-27 2002-11-28 Mayer Alain Jules Method and apparatus for network wide policy-based analysis of configurations of devices
US20060129670A1 (en) * 2001-03-27 2006-06-15 Redseal Systems, Inc. Method and apparatus for network wide policy-based analysis of configurations of devices
US20020184525A1 (en) * 2001-03-29 2002-12-05 Lebin Cheng Style sheet transformation driven firewall access list generation
US7685261B1 (en) * 2001-06-29 2010-03-23 Symantec Operating Corporation Extensible architecture for the centralized discovery and management of heterogeneous SAN components
US20060010492A9 (en) * 2001-07-30 2006-01-12 Axcelerant, Inc. Method and apparatus for monitoring computer network security enforcement
US20030229808A1 (en) * 2001-07-30 2003-12-11 Axcelerant, Inc. Method and apparatus for monitoring computer network security enforcement
US20030184474A1 (en) * 2001-12-19 2003-10-02 Bajikar Sundeep M. Method and apparatus for controlling access to mobile devices
US20030112182A1 (en) * 2001-12-19 2003-06-19 Bajikar Sundeep M. Method and apparatus for controlling access to mobile devices
US6747598B2 (en) * 2001-12-19 2004-06-08 Intel Corporation Method and apparatus for controlling access to mobile devices
US7698230B1 (en) * 2002-02-15 2010-04-13 ContractPal, Inc. Transaction architecture utilizing transaction policy statements
US7886031B1 (en) * 2002-06-04 2011-02-08 Symantec Operating Corporation SAN configuration utility
US8019849B1 (en) * 2002-09-13 2011-09-13 Symantec Operating Corporation Server-side storage area network management interface
US7774444B1 (en) * 2002-10-16 2010-08-10 Symantec Operating Corporation SAN simulator
US20040083295A1 (en) * 2002-10-24 2004-04-29 3Com Corporation System and method for using virtual local area network tags with a virtual private network
US8060630B1 (en) * 2002-11-27 2011-11-15 Symantec Operating Corporation Creating and configuring virtual fabrics in storage area networks
US20040111643A1 (en) * 2002-12-02 2004-06-10 Farmer Daniel G. System and method for providing an enterprise-based computer security policy
US20060100912A1 (en) * 2002-12-16 2006-05-11 Questerra Llc. Real-time insurance policy underwriting and risk management
US20050091353A1 (en) * 2003-09-30 2005-04-28 Gopisetty Sandeep K. System and method for autonomically zoning storage area networks based on policy requirements
US20050198125A1 (en) * 2004-01-26 2005-09-08 Macleod Beck Christopher C. Methods and system for creating and managing identity oriented networked communication
US20050198299A1 (en) * 2004-01-26 2005-09-08 Beck Christopher Clemmett M. Methods and apparatus for identifying and facilitating a social interaction structure over a data packet network
US20050193196A1 (en) * 2004-02-26 2005-09-01 Ming-Yuh Huang Cryptographically enforced, multiple-role, policy-enabled object dissemination control mechanism
US7584301B1 (en) * 2004-05-06 2009-09-01 Foundry Networks, Inc. Host-level policies for global server load balancing
US20050257244A1 (en) * 2004-05-13 2005-11-17 Hewlett-Packard Development Company, L.P. Method and apparatus for role-based security policy management
US20050283823A1 (en) * 2004-06-21 2005-12-22 Nec Corporation Method and apparatus for security policy management
US20050289538A1 (en) * 2004-06-23 2005-12-29 International Business Machines Corporation Deploying an application software on a virtual deployment target
US7428754B2 (en) * 2004-08-17 2008-09-23 The Mitre Corporation System for secure computing using defense-in-depth architecture
US20060059548A1 (en) * 2004-09-01 2006-03-16 Hildre Eric A System and method for policy enforcement and token state monitoring
US20060056297A1 (en) * 2004-09-14 2006-03-16 3Com Corporation Method and apparatus for controlling traffic between different entities on a network
US20060133338A1 (en) * 2004-11-23 2006-06-22 Interdigital Technology Corporation Method and system for securing wireless communications
US9015324B2 (en) * 2005-03-16 2015-04-21 Adaptive Computing Enterprises, Inc. System and method of brokering cloud computing resources
US7698430B2 (en) * 2005-03-16 2010-04-13 Adaptive Computing Enterprises, Inc. On-demand compute environment
US20120179824A1 (en) * 2005-03-16 2012-07-12 Adaptive Computing Enterprises, Inc. System and method of brokering cloud computing resources
US20060253443A1 (en) * 2005-05-04 2006-11-09 Microsoft Corporation Region-based security
US20060282294A1 (en) * 2005-06-09 2006-12-14 Mccomb Shawn J Supplemental crop insurance and method for providing risk protection to a grower
US20060282295A1 (en) * 2005-06-09 2006-12-14 Mccomb Shawn J Method for providing enhanced risk protection to a grower
US20070011723A1 (en) * 2005-07-07 2007-01-11 Ching-Yun Chao Method for maintaining application compatibility within an application isolation policy
US20070022479A1 (en) * 2005-07-21 2007-01-25 Somsubhra Sikdar Network interface and firewall device
US20070022474A1 (en) * 2005-07-21 2007-01-25 Mistletoe Technologies, Inc. Portable firewall
US20070157286A1 (en) * 2005-08-20 2007-07-05 Opnet Technologies, Inc. Analyzing security compliance within a network
US20110099126A1 (en) * 2005-08-30 2011-04-28 Sensact Applications, Inc. Automated Parking Policy Enforcement System
US20070061870A1 (en) * 2005-09-15 2007-03-15 Annsheng Ting Method and system to provide secure data connection between creation points and use points
US7613826B2 (en) * 2006-02-09 2009-11-03 Cisco Technology, Inc. Methods and apparatus for providing multiple policies for a virtual private network
US7620613B1 (en) * 2006-07-28 2009-11-17 Hewlett-Packard Development Company, L.P. Thermal management of data centers
US8543810B1 (en) * 2006-08-07 2013-09-24 Oracle America, Inc. Deployment tool and method for managing security lifecycle of a federated web service
US20080072284A1 (en) * 2006-08-29 2008-03-20 Microsoft Corporation Zone Policy Administration For Entity Tracking And Privacy Assurance
US20090138938A1 (en) * 2007-01-31 2009-05-28 Tufin Software Technologies Ltd. System and Method for Auditing a Security Policy
US20080253322A1 (en) * 2007-03-02 2008-10-16 Zte (Usa) Inc. WiMAX Multicast Broadcast Network System Architecture
US20080306798A1 (en) * 2007-06-05 2008-12-11 Juergen Anke Deployment planning of components in heterogeneous environments
US8443069B2 (en) * 2007-08-28 2013-05-14 Cisco Technology, Inc. Highly scalable architecture for application network appliances
US20130318341A1 (en) * 2007-08-28 2013-11-28 Cisco Technology, Inc. Highly Scalable Architecture for Application Network Appliances
US20090063665A1 (en) * 2007-08-28 2009-03-05 Rohati Systems, Inc. Highly scalable architecture for application network appliances
US20090089078A1 (en) * 2007-09-28 2009-04-02 Great-Circle Technologies, Inc. Bundling of automated work flow
US20090085743A1 (en) * 2007-09-28 2009-04-02 Symbol Technologies, Inc. Methods and systems for controlling operations of a mobile radio frequency reader based on its location
US8782637B2 (en) * 2007-11-03 2014-07-15 ATM Shafiqul Khalid Mini-cloud system for enabling user subscription to cloud service in residential environment
US20090138795A1 (en) * 2007-11-28 2009-05-28 International Business Machines Corporation Enforcing context model based policies with forward chaining
US20090265755A1 (en) * 2008-04-18 2009-10-22 International Business Machines Corporation Firewall methodologies for use within virtual environments
US20090307685A1 (en) * 2008-06-06 2009-12-10 International Business Machines Corporation Method, Arrangement, Computer Program Product and Data Processing Program for Deploying a Software Service
US20120185913A1 (en) * 2008-06-19 2012-07-19 Servicemesh, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US20100050239A1 (en) * 2008-08-25 2010-02-25 Carter Stephen R Automated service platform prospecting
US20100058435A1 (en) * 2008-08-29 2010-03-04 Novell, Inc. System and method for virtual information cards
US20130067225A1 (en) * 2008-09-08 2013-03-14 Ofer Shochet Appliance, system, method and corresponding software components for encrypting and processing data
US8230050B1 (en) * 2008-12-10 2012-07-24 Amazon Technologies, Inc. Providing access to configurable private computer networks
US20100169497A1 (en) * 2008-12-31 2010-07-01 Sap Ag Systems and methods for integrating local systems with cloud computing resources
US20100198972A1 (en) * 2009-02-04 2010-08-05 Steven Michael Umbehocker Methods and Systems for Automated Management of Virtual Resources In A Cloud Computing Environment
US20120005724A1 (en) * 2009-02-09 2012-01-05 Imera Systems, Inc. Method and system for protecting private enterprise resources in a cloud computing environment
US20100212010A1 (en) * 2009-02-18 2010-08-19 Stringer John D Systems and methods that detect sensitive data leakages from applications
US20100275241A1 (en) * 2009-04-23 2010-10-28 Srinivasan Kattiganehalli Y Securely hosting workloads in virtual computing environments
US20100319004A1 (en) * 2009-06-16 2010-12-16 Microsoft Corporation Policy Management for the Cloud
US20110231899A1 (en) * 2009-06-19 2011-09-22 ServiceMesh Corporation System and method for a cloud computing abstraction layer
US20110004916A1 (en) * 2009-07-02 2011-01-06 Samsung Electronics Co., Ltd. Securely using service providers in elastic computing systems and environments
US20110016214A1 (en) * 2009-07-15 2011-01-20 Cluster Resources, Inc. System and method of brokering cloud computing resources
US20110016473A1 (en) * 2009-07-20 2011-01-20 Srinivasan Kattiganehalli Y Managing services for workloads in virtual computing environments
US8510835B1 (en) * 2009-09-18 2013-08-13 Trend Micro Incorporated Techniques for protecting data in cloud computing environments
US8369333B2 (en) * 2009-10-21 2013-02-05 Alcatel Lucent Method and apparatus for transparent cloud computing with a virtualized network infrastructure
US8448170B2 (en) * 2009-11-25 2013-05-21 Novell, Inc. System and method for providing annotated service blueprints in an intelligent workload management system
US20110126197A1 (en) * 2009-11-25 2011-05-26 Novell, Inc. System and method for controlling cloud and virtualized data centers in an intelligent workload management system
US20110126047A1 (en) * 2009-11-25 2011-05-26 Novell, Inc. System and method for managing information technology models in an intelligent workload management system
US20110126099A1 (en) * 2009-11-25 2011-05-26 Novell, Inc. System and method for recording collaborative information technology processes in an intelligent workload management system
US20110126275A1 (en) * 2009-11-25 2011-05-26 Novell, Inc. System and method for discovery enrichment in an intelligent workload management system
US20110126207A1 (en) * 2009-11-25 2011-05-26 Novell, Inc. System and method for providing annotated service blueprints in an intelligent workload management system
US20110125894A1 (en) * 2009-11-25 2011-05-26 Novell, Inc. System and method for intelligent workload management
US20110125895A1 (en) * 2009-11-25 2011-05-26 Novell; Inc. System and method for providing scorecards to visualize services in an intelligent workload management system
US20130066940A1 (en) * 2010-05-20 2013-03-14 Weixiang Shao Cloud service broker, cloud computing method and cloud system
US8473557B2 (en) * 2010-08-24 2013-06-25 At&T Intellectual Property I, L.P. Methods and apparatus to migrate virtual machines between distributive computing networks across a wide area network
US20120185821A1 (en) * 2010-09-17 2012-07-19 Oracle International Corporation Pattern-based construction and extension of enterprise applications in a cloud computing environment
US20120173709A1 (en) * 2011-01-05 2012-07-05 Li Li Seamless scaling of enterprise applications
US8261295B1 (en) * 2011-03-16 2012-09-04 Google Inc. High-level language for specifying configurations of cloud-based deployments
US20120324069A1 (en) * 2011-06-17 2012-12-20 Microsoft Corporation Middleware Services Framework for On-Premises and Cloud Deployment

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130185434A1 (en) * 2012-01-18 2013-07-18 International Business Machines Corporation Cloud-based Content Management System
US10164896B2 (en) 2012-01-18 2018-12-25 International Business Machines Corporation Cloud-based content management system
US10257109B2 (en) * 2012-01-18 2019-04-09 International Business Machines Corporation Cloud-based content management system
US20150121244A1 (en) * 2013-10-31 2015-04-30 Hewlett-Packard Development Company, L.P. Building a Realized Topology with a Binding Document
US10491597B2 (en) 2016-03-30 2019-11-26 Oracle International Corporation Enforcing data security in a cleanroom data processing environment
US20170289169A1 (en) * 2016-03-30 2017-10-05 Oracle International Corporation Establishing a cleanroom data processing environment
US20170289107A1 (en) * 2016-03-30 2017-10-05 Oracle International Corporation Enforcing data security in a cleanroom data processing envrionment
US10212169B2 (en) * 2016-03-30 2019-02-19 Oracle International Corporation Enforcing data security in a cleanroom data processing environment
US10225259B2 (en) * 2016-03-30 2019-03-05 Oracle International Corporation Establishing a cleanroom data processing environment
US10917478B2 (en) * 2016-04-16 2021-02-09 International Business Machines Corporation Cloud enabling resources as a service
US10158629B2 (en) 2016-06-20 2018-12-18 Bank Of America Corporation Preventing unauthorized access to secured information systems using multi-device authentication techniques
US11232655B2 (en) 2016-09-13 2022-01-25 Iocurrents, Inc. System and method for interfacing with a vehicular controller area network
US10650621B1 (en) 2016-09-13 2020-05-12 Iocurrents, Inc. Interfacing with a vehicular controller area network
US10701100B2 (en) 2016-12-30 2020-06-30 Microsoft Technology Licensing, Llc Threat intelligence management in security and compliance environment
US10848501B2 (en) 2016-12-30 2020-11-24 Microsoft Technology Licensing, Llc Real time pivoting on data to model governance properties
US10579821B2 (en) 2016-12-30 2020-03-03 Microsoft Technology Licensing, Llc Intelligence and analysis driven security and compliance recommendations
US10827006B2 (en) 2018-05-22 2020-11-03 At&T Intellectual Property I, L.P. Policy-driven homing service system
US20210117517A1 (en) * 2019-10-18 2021-04-22 ASG Technologies Group, Inc. dba ASG Technologies Systems for Secure Enterprise-Wide Fine-Grained Role-Based Access Control of Organizational Assets
US11693982B2 (en) * 2019-10-18 2023-07-04 Asg Technologies Group, Inc. Systems for secure enterprise-wide fine-grained role-based access control of organizational assets
US20230259649A1 (en) * 2019-10-18 2023-08-17 ASG Technologies Group, Inc. dba ASG Technologies Systems Using Secure Permissions for Secure Enterprise-Wide Fine-Grained Role-Based Access Control of Organizational Assets
US11755760B2 (en) 2019-10-18 2023-09-12 Asg Technologies Group, Inc. Systems and methods for secure policies-based information governance
US20210185007A1 (en) * 2019-12-17 2021-06-17 Atos Uk It Limited Integration of an orchestration services with a cloud automation services
US11902329B2 (en) * 2019-12-17 2024-02-13 Agarik Sas Integration of an orchestration services with a cloud automation services

Also Published As

Publication number Publication date
US20180131724A1 (en) 2018-05-10
US20190245888A1 (en) 2019-08-08
US20120185913A1 (en) 2012-07-19
US9069599B2 (en) 2015-06-30
US20210014275A1 (en) 2021-01-14

Similar Documents

Publication Publication Date Title
US20210014275A1 (en) System and method for a cloud computing abstraction layer with security zone facilities
US10880189B2 (en) System and method for a cloud computing abstraction with self-service portal for publishing resources
US10411975B2 (en) System and method for a cloud computing abstraction with multi-tier deployment policy
WO2012100092A2 (en) System and method for a cloud computing abstraction layer with security zone facilities
US20210184985A1 (en) System and method for a cloud computing abstraction layer
US10673900B2 (en) Application-based security rights in cloud environments
Ranjan et al. Cloud resource orchestration programming: overview, issues, and directions
US8931038B2 (en) System and method for a cloud computing abstraction layer
US20220207580A1 (en) Systems and methods for providing repeated use of computing resources
US20200234816A1 (en) Blockchain Framework for Enforcing Regulatory Compliance in Healthcare Cloud Solutions
AU2015404396B2 (en) Federated marketplace portal
Iannucci et al. IBM SmartCloud: Building a cloud enabled data center
US10990926B2 (en) Management of resources in view of business goals
AU2019268142B2 (en) Systems and methods for providing repeated use of computing resources
Sabir et al. Effective Management of Hybrid Workloads in Public and Private Cloud Platforms.
Luntovskyy et al. Cloud Computing, Virtualisation, Storage and Networking
US20200019971A1 (en) Sharing information about enterprise computers
Sagar et al. Cloud: On Demand Computing Resources for Scale and Speed
Joshi et al. Cloud computing
Meireles Integrated Management of Cloud Computing Resources
Toivonen et al. ITEA 2 Project 10014 EASI-CLOUDS-Extended Architecture and Service Infrastructure for Cloud-Aware Software
Ullah Distributed Computing (CS 515) Cloud computing
Chellammal CLOUD COMPUTING (SUBJECT CODE-P16CS41)

Legal Events

Date Code Title Description
AS Assignment

Owner name: CSC AGILITY PLATFORM, INC., VIRGINIA

Free format text: CHANGE OF NAME;ASSIGNOR:SERVICEMESH, INC.;REEL/FRAME:038519/0789

Effective date: 20150723

Owner name: SERVICEMESH, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MARTINEZ, FRANK R.;PULIER, ERIC;REEL/FRAME:038520/0119

Effective date: 20120315

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE