As various forms of distributed computing, such as cloud computing, have come to dominate the computing landscape, security has become a bottleneck issue that currently prevents the complete migration of various capabilities and systems associated with sensitive data, such as financial data, to cloud-based infrastructures, and/or other distributive computing models. This is because many owners and operators of data centers that provide access to data and other resources are extremely hesitant to allow their data and resources to be accessed, processed, and/or otherwise used, by virtual assets, such as virtual machine and server instances, in the cloud.
In a cloud computing environment, various virtual assets, such as, but not limited to, virtual machine instances, data stores, and various services, are created, launched, or instantiated, in the cloud for use by an “owner” of the virtual asset, herein also referred to as a user of the virtual asset.
Herein the terms “owner” and “user” of a virtual asset include, but are not limited to, applications, systems, and sub-systems of software and/or hardware, as well as persons or entities associated with an account number, or other identity, through which the virtual asset is purchased, approved, managed, used, and/or created.
Typically, a given cloud computing environment receives message traffic through one or more network communications channels. One long standing problem associated with cloud computing environments is the fact that malware can be introduced into the cloud computing environment, just as in any computing environment, via these network communications channels. The introduction of malware into a virtual asset, and therefore into an application, service, enterprise, or cloud infrastructure of a cloud computing environment is known as intrusion. However, once introduced, some forms of malware take control of some, or all, of the infected virtual asset functionality and use the virtual asset to send outbound messages and data. This outbound malware mechanism is referred to as extrusion.
The detection of both malware intrusion and extrusion is an important part of making cloud computing environments more secure. However, a given cloud computing environment can include hundreds, thousands, or even millions, of virtual machines and other assets, owned or used by hundreds, thousands, or even millions, of parties and, in many cases, a given application or service can operate within, and interface with, multiple cloud computing environments. Consequently, detecting malware intrusion and extrusion is an extremely difficult and resource intensive task.
Further, with respect to cloud computing environments, one major security issue in a cloud computing environment is that vulnerabilities associated with virtual assets are not always known or understood at the time the virtual assets are created and deployed, e.g., instantiated, in a given computing environment and, once deployed, detecting and/or responding to newly identified vulnerabilities through “normal” communications channels associated with the virtual assets can be challenging, if not impossible.
In addition, in some cases, a malicious entity is able to take control of a virtual asset. In these cases, the malicious entity often takes over, or closes down, normal communications channels associated with the virtual asset. Consequently, in some cases, the malicious entity can mask the fact they have taken control of the virtual asset from other entities outside the virtual asset, such as entities deployed by the owner to monitor and enforce security policies. This leaves the malicious entity relatively free to manipulate the virtual asset under its control and access any data used by the virtual asset, with little concern of detection by the legitimate owner of the virtual asset. Even in cases where the legitimate owner of the virtual asset does become aware that the virtual asset has been compromised, if the malicious entity has shut down, or taken control of, the normal communications channels associated with the virtual asset, the malicious entity can thwart any traditional efforts by the legitimate owner to communicate with the virtual asset and/or repair the virtual asset.
The situation described above represents a significant issue that must be resolved before highly sensitive data, such as financial data, can be safely processed in a cloud computing environment.
For reasons described above, what is needed is a method and system for providing a virtual asset that can independently and automatically detect one or more trigger events within the virtual asset, generate suspicious event reporting data from the virtual asset, and provide the reporting data to a monitoring system external to the virtual asset, all without relying on detection of the suspicious event by entities outside the virtual asset itself or the use of normal communications channels
Additionally, what is further needed is a method and system for detecting and prioritizing malware intrusion and extrusion in cloud computing environments that makes use of existing cloud computing environment infrastructure, features, and assets.