As more and more applications, services, and data have moved to cloud computing models, security of data and accounts has become a paramount issue and a significant challenge requiring new and unique solutions and patterns.
As a specific example, in traditional computing environments, i.e., non-cloud computing environments, when a security vulnerability, or other software application feature, needed to be addressed or upgraded, additional code, known as a “patch,” was provided to the physical hardware-based computing system, i.e., the server, providing the software application, and this patch code was then incorporated in the software running on the hardware computing system. This type of “fix” was acceptable, and efficient, in a hardware-based server environment where the replacement of the hardware computing system server itself was not an economically viable option.
However, in a cloud computing environment, the “computing systems/servers” are actually virtual machines, known as instances, which are not themselves hardware systems but are instead software-based entities which operate like traditional physical hardware-based computing systems/servers.
One of the many advantages associated with virtual machine instances of computing system/servers is that these instances can be generated and terminated at will without the need for replacing physical hardware. Consequently, when a new software vulnerability solution, or other fix is required, instead of implementing a patch on a physical hardware system, as was done traditionally to repair a vulnerability, the entire virtual computing system/server instance can be terminated and new computing system/server instances can be generated or “spun up” to replace the terminated instances, with the new instances being based on, or running, the updated software.
In particular, a given computing system/server virtual machine instance, hereafter referred to as simply an “instance,” is typically created in a cloud computing environment using an instance creation template. As used herein, the term “instance creation template” is used to denote a special type of virtual appliance that is used to create a virtual machine (instance) within a cloud computing environment. A specific illustrative example of an instance creation template is an Amazon Machine Image (AMI). An AMI is a special type of instance creation template that is a virtual appliance used to create a virtual machine within the Amazon Elastic Compute Cloud (“EC2”). An AMI serves as the basic unit of deployment for services delivered using EC2.
In a cloud computing environment, one way to correct a vulnerability in, or otherwise update or correct, a system/application is to issue a new instance creation template which incorporates the desired change/fix. In an AWS environment, this means issuing new or updated AMIs. Consequently, in a cloud computing environment, whenever a new instance creation template, referred to herein as a new base instance creation template, is generated and made available, it is highly desirable that all instances associated with an account or application that were created using previously generated base instance creation templates be terminated and new instances, based on the new instance creation template, be created/launched to replace the old instances based on the old instance creation template. Then the instances based on the new instance creation template can be used to service the account and implement and/or offer the application associated with the account.
The process of terminating old instances associated with a given account or application and replacing those instances with new instances is referred to herein as “re-stacking.”
As can be seen from the discussion above, the re-stacking of instances associated with a given account or application, and the resulting re-stacking patterns, are significant indicators of the overall security and efficiency of the account and associated application. Indeed, were an account holder, application provider, or cloud computing system environment provider given the capability to easily identify and evaluate re-stacking policies associated with a given account and application, then significant information regarding the security of the account, application, and even the entire cloud computing environment, could be readily recognized.
However, despite the value of an efficient and effective process to identify and evaluate re-stacking policies associated with a given account, there is currently no mechanism or system available to effectively and efficiently identify and evaluate re-stacking policies or patterns associated with a given account or application. This is largely due to the fact that many account holders, application providers, and cloud computing system providers have yet to fully recognize the significance of re-stacking policy analysis, and that the amount of data that must be analyzed for even a modest account or application offering is potentially overwhelming. Consequently, there is currently no algorithm or process for obtaining this re-stacking policy and pattern data and processing it in a manner that produces a useful visualization/analysis tool.
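As an added example, not part of this document, the following Python computes the re-stacking pattern described above from a constructed instance inventory: for every instance built from a base template that has since been superseded, it reports how long the instance kept running after the newer template was released, and it flags instances still running on, or launched from, a superseded template. All AMI and instance ids are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class BaseTemplate:          # one base instance creation template (an AMI)
    ami_id: str
    released: datetime

@dataclass(frozen=True)
class Instance:
    instance_id: str
    ami_id: str
    launched: datetime
    terminated: Optional[datetime]   # None: still running

def superseded_at(templates, ami_id):
    """Release time of the first base template newer than ami_id, or None."""
    by_id = {t.ami_id: t for t in templates}
    if ami_id not in by_id:
        return None
    newer = sorted(t.released for t in templates if t.released > by_id[ami_id].released)
    return newer[0] if newer else None

def restack_report(templates, instances, now):
    """Re-stacking lag per instance, plus the instances that violate the policy."""
    lag = {}              # instance_id -> time spent running on a superseded template
    stale_running = []    # still running although its template has been superseded
    launched_stale = []   # launched from a template that was already superseded
    for inst in instances:
        s = superseded_at(templates, inst.ami_id)
        end = inst.terminated or now
        if s is None or end <= s:
            continue      # newest template, or retired before it was superseded
        if inst.launched >= s:
            launched_stale.append(inst.instance_id)
        if inst.terminated is None:
            stale_running.append(inst.instance_id)
        lag[inst.instance_id] = end - max(s, inst.launched)
    return {"lag": lag, "stale_running": stale_running, "launched_stale": launched_stale}

# Constructed sample inventory (hypothetical AMI and instance ids, not real ones).
def D(m, d): return datetime(2024, m, d)
TEMPLATES = [BaseTemplate("ami-base-1", D(1, 1)), BaseTemplate("ami-base-2", D(2, 1)),
             BaseTemplate("ami-base-3", D(3, 1))]
INSTANCES = [Instance("i-a", "ami-base-1", D(1, 5), D(2, 3)),      # re-stacked 2 days late
             Instance("i-b", "ami-base-1", D(1, 10), D(1, 20)),    # retired before supersession
             Instance("i-c", "ami-base-2", D(2, 2), None),         # still running on old template
             Instance("i-d", "ami-base-1", D(2, 15), D(2, 20)),    # launched from old template
             Instance("i-e", "ami-base-3", D(3, 2), None)]         # on the newest template
def sample_report():
    return restack_report(TEMPLATES, INSTANCES, now=D(3, 10))
```

The per-instance lags, summarised over an account (maximum, mean, trend across template releases), are the re-stacking pattern the text describes; an empty `stale_running` list after each template release is the condition a strict re-stacking policy enforces.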
Therefore, there is a long-standing technical need in the cloud computing arts for providing an easy-to-understand process to identify and evaluate re-stacking policies.