The present disclosure relates to computer systems, and in particular to managing access to resources of computer systems, such as in virtualized computer environments.
Virtualized computer environments, also referred to as cloud computer systems or composite information technology systems, are used to provide computer resources or other computing resources to end users. In a cloud computer environment, the physical hardware configuration is hidden from the end user. Cloud computer systems may include servers, network storage devices, routers, gateways, communication links, software (e.g., applications, operating systems, web services, etc.), and other devices. However, because the physical hardware and software platforms on which a cloud computer system is implemented are hidden within a “cloud,” they can be managed, upgraded, replaced or otherwise changed by a system administrator without the customer being aware of or affected by the change.
In a typical cloud computer environment, applications may be executed on virtual machines or appliances, which are isolated guest operating systems installed within a host system, optionally with a preset configuration and structure (e.g., a combination of operating system and web server). Virtual machines are typically implemented with software emulation, hardware virtualization, or both. A single hardware and/or software platform may host a number of virtual machines, each of which may have access to some portion of the platform's resources, such as program code processing resources, storage resources, display resources, communication interfaces, etc.
Because cloud computing treats computer resources as remote services that are accessed by customers, and because the actual physical resources that are used to implement a cloud computing environment may be accessed by many different customers, security is an important aspect of cloud computing. In a cloud computing environment, different customers may have different security requirements. Hosting applications that have different security requirements in a single cloud computer system may raise additional security issues, however. For example, when highly secured systems are hosted along with lower security systems, an attacker may attempt to leverage the lower security system to gain access to the highly secured systems.
Security policies can be used to define security rules for managing machines, including applications, operating systems, hypervisors, cloud environments, servers, mobile devices, and/or IP-based instrumentation, etc. The policies usually contain rules (actions) that are associated with identified managed machines (e.g., IDs of devices and/or applications, and/or types of machines), and may identify authorized groups (e.g., privileged users and/or systems). The rules can be created by many different users and/or management systems to address resource access restrictions (e.g., privileged users), architecture restrictions (e.g., application A should not be co-located with application B due to scale and load), and/or business restrictions (e.g., a credit card transaction processing system should not be co-hosted on the same hardware platform as a customer contact list management system).
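As an added illustration (not part of the disclosure, and not an implementation it describes), the following checker encodes the three rule kinds just named: a deny-by-default privileged-access rule per application, and anti-co-location rules covering both the architecture case (application A vs. application B) and the business case (card transaction processing vs. contact list management). Application IDs, host IDs, group names and the sample placement are constructed for the example.

```python
"""Constructed example: evaluate a proposed VM placement and a privileged-access
request against co-location and authorized-group rules. All names are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Pairs of application IDs that must not share a hardware platform
    # (covers both architecture and business restrictions).
    anti_colocate: set[frozenset[str]] = field(default_factory=set)
    # Application ID -> groups permitted to perform privileged actions on it.
    privileged_groups: dict[str, set[str]] = field(default_factory=dict)


def colocation_violations(policy: Policy, placement: dict[str, str]) -> list[tuple[str, str, str]]:
    """placement maps application ID -> host ID. Returns a sorted list of
    (app_a, app_b, host) for every anti-co-location rule the placement breaks."""
    apps_on_host: dict[str, set[str]] = {}
    for app, host in placement.items():
        apps_on_host.setdefault(host, set()).add(app)
    violations = []
    for pair in policy.anti_colocate:
        a, b = sorted(pair)
        for host, apps in apps_on_host.items():
            if a in apps and b in apps:
                violations.append((a, b, host))
    return sorted(violations)


def access_allowed(policy: Policy, app: str, user_groups: list[str]) -> bool:
    """Deny by default: the request succeeds only if one of the requester's
    groups is listed as an authorized group for that application."""
    allowed = policy.privileged_groups.get(app, set())
    return bool(allowed & set(user_groups))


# Constructed sample policy and placement: the card-processing system and the
# contact-list system land on the same host, which the business rule forbids.
POLICY = Policy(
    anti_colocate={frozenset({"card-txn", "contact-mgmt"}), frozenset({"app-a", "app-b"})},
    privileged_groups={"card-txn": {"pci-admins"}, "contact-mgmt": {"crm-admins"}},
)
PLACEMENT = {"card-txn": "host-1", "contact-mgmt": "host-1", "app-a": "host-2", "app-b": "host-3"}

if __name__ == "__main__":
    print(colocation_violations(POLICY, PLACEMENT))          # [('card-txn', 'contact-mgmt', 'host-1')]
    print(access_allowed(POLICY, "card-txn", ["crm-admins"]))  # False
```

A placement is accepted only when `colocation_violations` returns an empty list; an application with no listed authorized group is inaccessible for privileged actions rather than open to everyone.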