Title of invention: Method and system for providing a virtual asset perimeter
Abstract: A system and method provides a virtual perimeter by maintaining a data structure for identifying a first plurality of assets, according to one embodiment. The system and method provides services to a second of the first plurality of assets, at least partially based on identifiers for the first plurality of assets and at least partially based on a first role assigned to a first of the first plurality of assets, according to one embodiment. The system and method include admitting one of a second plurality of assets into the virtual perimeter if characteristics of the one of the second plurality of assets satisfy criteria for admission to the virtual perimeter, according to one embodiment.
Publication number: US9473481(B2)    Publication date: 2016.10.18
Application number: US201414448281    Filing date: 2014.07.31
Applicant: Intuit Inc.    Inventors: Lietz M. Shannon; Cabrera Luis Felipe
Classification: H04L29/06; G06F21/53; G06F21/56    Main classification: H04L29/06
Agency: Hawley Troxell Ennis & Hawley LLP    Agents: Hawley Troxell Ennis & Hawley LLP; McKay Philip
Independent claim: 1. A computing system implemented method for providing a virtual perimeter for assets, comprising:
maintaining, by a first instance of a virtual perimeter agent installed on a first virtual asset of a first plurality of assets, a data structure for identifying a first plurality of assets, wherein separate instances of the virtual perimeter agent reside on each virtual asset of the first plurality of assets, wherein the data structure includes identifiers for each asset of the first plurality of assets, wherein the first plurality of assets include virtual assets and computing systems configured to communicate over one or more networks, wherein the first plurality of assets is within a first virtual perimeter and a second plurality of assets is outside the first virtual perimeter but is inside a second virtual perimeter, at least one virtual asset of the second plurality of assets being assigned a first set of roles associated with the second virtual perimeter, wherein a given asset being assigned a role with respect to a given virtual perimeter enables the given asset to perform one or more virtual asset operations within the given virtual perimeter and restricts the given asset from performing other virtual asset operations within the given virtual perimeter;
providing services, by the first virtual asset to a second virtual asset of the first plurality of assets, at least partially based on the identifiers for the first plurality of assets and based on a first role assigned to the first virtual asset, wherein the first role is enforced on the first of the first plurality of assets by the first instance of the virtual perimeter agent;
qualifying, by the virtual perimeter agent of the first virtual asset by virtue of the first virtual asset being assigned a first virtual perimeter role enabling admissions operations, a third virtual asset of the second plurality of assets for admission into the first virtual perimeter by determining whether the third virtual asset satisfies criteria for admission into the first virtual perimeter, the qualification of the third virtual asset including: requesting, by the virtual perimeter agent of the first virtual asset of the third virtual asset, communications history of the third virtual asset; receiving, responsive to the request and from the third virtual asset at the first virtual asset, communications history data of the third virtual asset; and analyzing, by the virtual perimeter agent of the first virtual asset, the communications history data and comparing the communications history data against admissions and exclusionary criteria to determine whether to qualify the third virtual asset;
admitting, by the virtual perimeter agent of the first virtual asset, the qualified third virtual asset into the first virtual perimeter by: installing, by the virtual perimeter agent of the first virtual asset, an instance of the virtual perimeter agent on the admitted qualified third virtual asset; adding, by the virtual perimeter agent of the first virtual asset, an identifier of the one of the second plurality of assets to the data structure; and assigning, by the virtual perimeter agent of the first virtual asset, a second role to the one of the second plurality of assets to determine second access privileges of the one of the second plurality of assets within the virtual perimeter.
Address: Mountain View CA US