Title: Techniques for secure access management in virtual environments
Abstract: Techniques for secure access management to virtual environments are provided. A user authenticates to a portal for purposes of establishing a virtual machine (VM). The portal interacts with a cloud server and an identity server to authenticate the user, to acquire an Internet Protocol (IP) address and port number for the VM, and to obtain a secure token. The user then interacts with a secure socket layer virtual private network (SSL VPN) server to establish an SSL VPN session with the VM. The SSL VPN server also authenticates the token through the identity server and acquires dynamic policies to enforce during the SSL VPN session between the user and the VM (the VM being managed by the cloud server).
Publication number: US8984621 (B2)    Publication date: 2015.03.17
Application number: US201012714452    Filing date: 2010.02.27
Applicant: Novell, Inc.    Inventors: Burch Lloyd Leon; Mukkara Prakash Umasankar; Earl Douglas Garry
Classification (IPC): H04L29/06; G06F21/33; G06F9/455; G06F21/53; H04L29/08    Main classification: H04L29/06
Agent: Schwegman Lundberg & Woessner, P.A.    Attorney: Schwegman Lundberg & Woessner, P.A.
Principal claim: 1. A method implemented and residing within a non-transitory computer-readable storage medium that is executed by a processor as a cloud service, the processor configured to perform the method, comprising:
    receiving a virtual machine (VM) request from a portal;
    instantiating a VM to be accessed at a dynamically created Internet Protocol (IP) address and at a dynamically created communication port number, the dynamically created IP address and dynamically created port number representing a combination dynamically created for accessing the instantiated VM, the VM instantiated as needed or requested;
    acquiring a secure token for a communication session to the VM, the secure token is unique to the VM, an authenticated principal requesting the VM, and the communication session, and generating the secure token collectively as pieces by the cloud service, the portal, and an identity service, the collective pieces form the secure token;
    returning the IP address, the port number, and the secure token back to the portal for the portal to communicate to the identity service that dynamically generates policy to be enforced during the communication session, the identity service also providing the IP address, the port number, and the secure token to the authenticated principal to use during the communication session with the VM and the identity service provides the policy to a secure socket layer virtual private network (SSL VPN) server for the SSL VPN server to enforce the policy when the principal initiates the communication session with the VM via a SSL VPN connection through the SSL VPN, the cloud service, the identity service, and the portal are all in trusted communication with one another, each of these entities are authenticated to one another and secure communications used between the entities including encrypted communications and usage of secure protocols; and
    forcing the secure token to expire after a configured period of idleness is detected and shutting down the VM automatically on a detected expiration of the secure token.
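The abstract and claim 1 describe a flow rather than an implementation. The following simulation is an added example written for this page, not code from the patent or from Novell: it models the four parties (cloud service, portal, identity service, SSL VPN server), assembles the token from three per-party pieces so that it is bound to the VM, the principal and the session, has the SSL VPN server validate the token through the identity service and enforce the session policy, and expires the token after idleness, shutting the VM down. The class names, the use of per-party HMAC pieces, the policy shape (a set of allowed destination ports) and the 300-second timeout are all assumptions made here for illustration.

```python
"""Toy simulation of the token-bound SSL VPN access flow from the abstract and claim 1.

Added example, not the patent's own code. Class names, HMAC-based token pieces,
the policy shape and IDLE_TIMEOUT are assumptions made for demonstration.
"""
import hashlib
import hmac
import os
import secrets

IDLE_TIMEOUT = 300  # seconds of idleness after which the token expires (assumed value)


def token_piece(secret: bytes, vm_id: str, principal: str, session_id: str) -> str:
    """One party's contribution to the token, bound to VM, principal and session."""
    msg = f"{vm_id}|{principal}|{session_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class CloudService:
    """Instantiates VMs at a dynamically chosen IP:port and shuts them down."""

    def __init__(self):
        self.secret = os.urandom(32)
        self.vms = {}  # vm_id -> {"ip", "port", "running"}

    def instantiate_vm(self) -> str:
        vm_id = f"vm-{secrets.token_hex(4)}"
        self.vms[vm_id] = {
            "ip": f"10.0.{secrets.randbelow(256)}.{secrets.randbelow(254) + 1}",  # assumed range
            "port": 20000 + secrets.randbelow(40000),  # random high port (assumed range)
            "running": True,
        }
        return vm_id

    def contribute(self, vm_id, principal, session_id) -> str:
        return token_piece(self.secret, vm_id, principal, session_id)

    def shutdown(self, vm_id: str) -> None:
        self.vms[vm_id]["running"] = False


class IdentityService:
    """Stores token records and per-session policy; validates tokens for the VPN server."""

    def __init__(self, cloud: CloudService):
        self.secret = os.urandom(32)
        self.cloud = cloud
        self.records = {}  # token -> session record

    def contribute(self, vm_id, principal, session_id) -> str:
        return token_piece(self.secret, vm_id, principal, session_id)

    def register(self, token, principal, vm_id, now) -> None:
        # Policy generated per session (assumed shape): only the VM's own port is reachable.
        policy = {"allowed_ports": {self.cloud.vms[vm_id]["port"]}}
        self.records[token] = {"principal": principal, "vm_id": vm_id,
                               "policy": policy, "last_active": now}

    def validate(self, token, principal, now):
        """Return (status, record); an idle-expired token is revoked and its VM shut down."""
        rec = self.records.get(token)
        if rec is None or not hmac.compare_digest(rec["principal"], principal):
            return "invalid token", None
        if now - rec["last_active"] > IDLE_TIMEOUT:
            del self.records[token]
            self.cloud.shutdown(rec["vm_id"])
            return "token expired", None
        rec["last_active"] = now
        return "ok", rec


class Portal:
    """Front door: the principal is assumed to have authenticated to the portal already."""

    def __init__(self, cloud: CloudService, idp: IdentityService):
        self.secret = os.urandom(32)
        self.cloud, self.idp = cloud, idp

    def request_vm(self, principal: str, now: float) -> dict:
        session_id = secrets.token_hex(8)
        vm_id = self.cloud.instantiate_vm()
        # Token assembled from pieces contributed by cloud, portal and identity service.
        token = ".".join([
            self.cloud.contribute(vm_id, principal, session_id),
            token_piece(self.secret, vm_id, principal, session_id),
            self.idp.contribute(vm_id, principal, session_id),
        ])
        self.idp.register(token, principal, vm_id, now)
        vm = self.cloud.vms[vm_id]
        return {"ip": vm["ip"], "port": vm["port"], "token": token}


class SSLVPNServer:
    """Validates the token through the identity service and enforces the session policy."""

    def __init__(self, cloud: CloudService, idp: IdentityService):
        self.cloud, self.idp = cloud, idp

    def connect(self, principal, token, dst_ip, dst_port, now) -> str:
        status, rec = self.idp.validate(token, principal, now)
        if status != "ok":
            return status
        if dst_ip != self.cloud.vms[rec["vm_id"]]["ip"]:
            return "denied: token not bound to this VM"
        if dst_port not in rec["policy"]["allowed_ports"]:
            return "denied by policy"
        return "allowed"


def build():
    """Wire up the four trusted parties of the flow."""
    cloud = CloudService()
    idp = IdentityService(cloud)
    return cloud, idp, Portal(cloud, idp), SSLVPNServer(cloud, idp)
```

The simulated clock (`now`) stands in for wall-clock time so the idle expiry can be exercised deterministically; the same `validate` path that serves a live connection is what detects the expiry, revokes the token and triggers the VM shutdown, matching the last step of claim 1.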
Address: Provo, UT, US