The present disclosure relates to computing systems, and, in particular, to maintaining the security of computing systems in virtual operating environments.
Cloud computing is a computing paradigm where shared resources, such as processor(s), software, and information, are provided to computers and other devices on demand typically over a network, such as the Internet. In a cloud computing environment, details of the computing infrastructure, e.g., processing power, data storage, bandwidth, and/or other resources are abstracted from the user. The user does not need to have any expertise in or control over such computing infrastructure resources. Cloud computing typically involves the provision of dynamically scalable and/or virtualized resources over the Internet. A user may access and use such resources through the use of a Web browser. A typical cloud computing provider may provide an online application that can be accessed over the Internet using a browser. The cloud computing provider, however, maintains the software for the application and some or all of the data associated with the application on servers in the cloud, i.e., servers that are maintained by the cloud computing provider rather than the users of the application.
FIG. 1 illustrates a conventional cloud service model that includes Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Infrastructure as a Service, delivers computer infrastructure—typically a platform virtualization environment—as a service. Rather than purchasing servers, software, data-center space or network equipment, clients instead buy those resources as a fully outsourced service. Suppliers typically bill such services on a utility computing basis and the amount of resources consumed. Platform as a Service delivers a computing platform as a service. It provides an environment for the deployment of applications without the need for a client to buy and manage the underlying hardware and software layers. Software as a Service delivers software services over the Internet, which reduces or eliminates the need for the client to install and run an application on its own computers, which may simplify maintenance and support.
Virtualized computing environments may be used to provide computing resources to end users. In a cloud computing environment, the physical hardware configuration is hidden from the end user. Cloud computing systems may include servers, network storage devices, routers, gateways, communication links, and other devices. Because the physical hardware and software platforms on which cloud computing system is implemented are hidden within a “cloud,” they can be managed, upgraded, replaced or otherwise changed by a system administrator without the customer being aware of or affected by the change.
In a typical cloud computing environment, applications may be executed on virtual machines, which are isolated guest operating systems installed within a host system. Virtual machines are typically implemented with either software emulation or hardware virtualization, or both. A single hardware and/or software platform may host a number of virtual machines, each of which may have access to some portion of the platform's resources, such as processing resources, storage resources, etc.
Virtual machines are typically placed in virtualization environments. A virtualization environment logically organizes the virtual machines along with other hardware and/or software resources by defining the relationships and connections between these various entities. For example, a virtualization environment may be represented as a hierarchical collection of folders or containers. One folder or container may be used to define a data center. Within the data center folder, one or more folders may be created to represent host machines. And within a host machine folder, one or more folders may be created to represent virtual machines that are supported by that particular host machine.
Because cloud computing treats computing resources as remote services that are accessed by customers, and because the actual physical resources that are used to implement a cloud computing environment may be accessed by many different customers, security is generally an important aspect of cloud computing. A virtual machine or other entity in a virtualization environment typically has rights or permissions associated therewith for users that have access to the virtual machine or other entity in the virtualization environment. These rights or permissions generally need to be carefully managed to avoid a potential degradation in security due to the rights or permissions being inaccurate.