Title: Secure network cloud architecture
Abstract: Apparatuses, computer readable media, methods, and systems are described for requesting creation of a virtual machine (VM) in a cloud environment comprising a virtual private cloud. Through various communications between a cloud DMZ, a cloud provider, and/or a company's network, a VM instance may be securely created, initialized, booted, unlocked, and/or monitored through a series of interactions building, in some examples, upon a root of trust.
Publication number: US8984610(B2) Publication date: 2015.03.17
Application number: US201213422713 Filing date: 2012.03.16
Applicant: Bank of America Corporation Inventors: Spiers Bradford T.; Halas Miroslav; Schimmel Richard A.; Provencher Donald P.
Classification: G06F21/00; H04L9/32; H04L29/06; H04L29/08; G06F21/57; H04L9/28 Main classification: G06F21/00
Agency: Banner & Witcoff, Ltd. Agents: Banner & Witcoff, Ltd.; Springs Michael A.
Main claim: 1. A method comprising:
receiving, by a secure boot server controlled by a tenant of a cloud provider data center, a request from a virtual machine to download components configured to boot the virtual machine, wherein the request includes at least a first token;
transmitting, by the secure boot server to a first computing system, the first token;
receiving, by the secure boot server from the first computing system, a second token indicating authorization to transmit unique components to the virtual machine in response to the request to download components;
generating, by the secure boot server, unique components comprising at least one of: a unique identifier, configuration settings, and unique data elements; and
transmitting, by the secure boot server to the virtual machine, the unique components and the second token to initialize a boot process on the virtual machine,
wherein the secure boot server is located within a tenant-controlled cloud demilitarized zone (DMZ) at the cloud provider data center and the virtual machine is located outside the tenant-controlled cloud DMZ at the cloud provider data center,
wherein the unique components comprise a unique initial ramdisk associated with the tenant of the cloud provider data center, and
wherein the unique initial ramdisk comprises a public cryptographic key associated with a corresponding unique private key stored with the secure boot server.
Address: Charlotte NC US
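The token exchange of claim 1, as an added simulation that is not part of the patent or any product: the boot server forwards the VM's first token to an authorizing system (an assumed tenant-side service standing in for the "first computing system"), only hands out components once a second token comes back, and keeps the generated private key inside the DMZ while shipping only the public half in the initrd. The HMAC-based tokens, the shared secret and the hash-derived "public key" are constructed placeholders for whatever real mechanism a deployment would use.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret between boot server and authorizing system (assumption).
AUTHZ_SECRET = b"constructed-demo-secret"


class AuthorizingSystem:
    """Stand-in for the 'first computing system' of claim 1 (assumed: a tenant-side
    service that knows which first tokens were issued to VMs the tenant requested)."""

    def __init__(self, issued_first_tokens):
        self.issued = set(issued_first_tokens)

    def authorize(self, first_token):
        # Unknown first token: refuse; no second token is produced.
        if first_token not in self.issued:
            return None
        # Second token: a MAC over the first token, binding it to this request.
        return hmac.new(AUTHZ_SECRET, first_token.encode(), hashlib.sha256).hexdigest()


class SecureBootServer:
    """Runs inside the tenant-controlled cloud DMZ; private keys never leave it."""

    def __init__(self, authz):
        self.authz = authz
        self.private_keys = {}  # vm_id -> private key retained with the boot server

    def handle_download_request(self, request):
        first_token = request["token"]
        second_token = self.authz.authorize(first_token)  # forward the first token
        if second_token is None:
            return {"error": "boot not authorized"}
        expected = hmac.new(AUTHZ_SECRET, first_token.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(second_token, expected):
            return {"error": "invalid second token"}
        # Unique components: identifier, configuration settings and a per-VM key pair.
        vm_id = secrets.token_hex(8)
        private_key = secrets.token_bytes(32)
        # Placeholder for a real asymmetric public key (stdlib has no RSA/EC); the
        # point shown is that only the public half goes into the initrd.
        public_key = hashlib.sha256(private_key).hexdigest()
        self.private_keys[vm_id] = private_key
        initrd = {"vm_id": vm_id, "tenant_public_key": public_key,
                  "config": {"tenant": "constructed-tenant", "boot_server": "dmz.boot.internal"}}
        return {"components": initrd, "token": second_token}
```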