EP-4320518-B1 - WORKLOAD SECURITY RINGS
Inventors
- WOLAFKA, RAINER
- JOYNER, Aaron
- STILLSON, Ken
- CZAPINSKI, Michael
Dates
- Publication Date: 20260506
- Application Date: 20220331
Claims (15)
- A computer-implemented method (500) which when executed by data processing hardware (144) causes the data processing hardware (144) to perform operations comprising: receiving a plurality of workloads (102), each workload (102) associated with respective security criteria (104) and scheduled for execution on a distributed computing system (140), the distributed computing system (140) divided into a plurality of security rings (160), each security ring (160) of the plurality of security rings (160) associated with a respective subset of computing devices (162) of the distributed computing system (140) that cannot share a same physical device with the respective subset of computing devices (162) of the distributed computing system (140) associated with each other security ring (160) of the plurality of security rings (160); for each respective workload (102) of the plurality of workloads (102): determining, using the respective security criteria (104), a security level (410) of the respective workload (102); identifying, using the security level (410) of the respective workload (102), one or more of the plurality of security rings (160) that are eligible for executing the respective workload (102); and executing the respective workload (102) on one or more computing devices (162) selected from one of the respective subsets of computing devices (162) associated with the identified one or more of the plurality of security rings (160) eligible for executing the respective workload (102); and from each workload security ring (160), receiving, respective resource statistics (220); and reassigning computing devices (162) from one security ring (160) to a different security ring (160) based on the resource statistics (220).
- The method of claim 1, wherein the operations further comprise, for each security ring (160) in the plurality of security rings (160): determining resource utilization (222) for the respective subset of computing devices (162) associated with the security ring (160); and adjusting, using the determined resource utilization (222), a number of computing devices (162) in the respective subset of computing devices (162) associated with the security ring (160).
- The method of claim 1 or 2, wherein, for each security ring (160) in the plurality of security rings (160): the security ring (160) is associated with a respective security requirement (310); and each computing device (162) in the respective subset of computing devices (162) associated with the security ring (160) complies with the respective security requirement (310) of the security ring (160), wherein, optionally, the respective security requirement (310) for each security ring (160) in the plurality of security rings (160) comprises a different level of physical security than the respective security requirement (310) for each other security ring (160) in the plurality of security rings (160).
- The method of any of claims 1-3, wherein the operations further comprise, prior to receiving the plurality of workloads (102), for each respective computing device (162) of the distributed computing system (140): obtaining a set of parameters (320) characterizing a security posture of the respective computing device (162), wherein the security posture optionally comprises an audit of the respective workload (102); and assigning, using the set of parameters (320), the respective computing device (162) to one of the plurality of security rings (160).
- The method of any of claims 1-4, wherein the respective security criteria (104) for each respective workload (102) of the plurality of workloads (102) comprises a sensitivity of the respective workload (102) indicating how critical or sensitive the workload 102 and/or data that the workload 102 processes is; and/or wherein the respective security criteria (104) for each respective workload (102) of the plurality of workloads (102) comprises a security posture of the respective workload (102) indicating how secure the workload (102) is, wherein the security posture optionally comprises an audit of the respective workload (102).
- The method of any of claims 1-5, wherein the plurality of security rings (160) comprise a low-security ring (160L) and a high-security ring (160H).
- The method of any of claims 1-6, wherein the determined security level (410) for the respective workload (102) comprises one of a low-security level (410L), a middle security level (410M), or a high-security level (410H), wherein optionally: when the determined security level (410) for the respective workload (102) comprises the low-security level (410L), only the low-security ring (160L) is eligible for executing the respective workload (102); when the determined security level (410) for the respective workload (102) comprises the high-security level (410H), only the high-security ring (160H) is eligible for executing the respective workload (102); and when the determined security level (410) for the respective workload (102) comprises the middle security level (410M), both the low-security ring (160L) and the high-security ring (160H) are eligible for executing the respective workload (102).
- A system (100) comprising: data processing hardware (144); and memory hardware (142) in communication with the data processing hardware (144), the memory hardware (142) storing instructions that when executed on the data processing hardware (144) cause the data processing hardware (144) to perform operations comprising: receiving a plurality of workloads (102), each workload (102) associated with respective security criteria (104) and scheduled for execution on a distributed computing system (140), the distributed computing system (140) divided into a plurality of security rings (160), each security ring (160) of the plurality of security rings (160) associated with a respective subset of computing devices (162) of the distributed computing system (140) that cannot share a same physical device with the respective subset of computing devices (162) of the distributed computing system (140) associated with each other security ring (160) of the plurality of security rings (160); for each respective workload (102) of the plurality of workloads (102): determining, using the respective security criteria (104), a security level (410) of the respective workload (102); identifying, using the security level (410) of the respective workload (102), one or more of the plurality of security rings (160) that are eligible for executing the respective workload (102); and executing the respective workload (102) on one or more computing devices (162) selected from one of the respective subsets of computing devices (162) associated with the identified one or more of the plurality of security rings (160) eligible for executing the respective workload (102); and from each workload security ring (160), receiving, respective resource statistics (220); and reassigning computing devices (162) from one security ring (160) to a different security ring (160) based on the resource statistics (220).
- The system of claim 8, wherein the operations further comprise, for each security ring (160) in the plurality of security rings (160): determining resource utilization (222) for the respective subset of computing devices (162) associated with the security ring (160); and adjusting, using the determined resource utilization (222), a number of computing devices (162) in the respective subset of computing devices (162) associated with the security ring (160).
- The system of claim 8 or 9, wherein, for each security ring (160) in the plurality of security rings (160): the security ring (160) is associated with a respective security requirement (310); and each computing device (162) in the respective subset of computing devices (162) associated with the security ring (160) complies with the respective security requirement (310) of the security ring (160), wherein, optionally, the respective security requirement (310) for each security ring (160) in the plurality of security rings (160) comprises a different level of physical security than the respective security requirement (310) for each other security ring (160) in the plurality of security rings (160).
- The system of any of claims 8-10, wherein the operations further comprise, prior to receiving the plurality of workloads (102), for each respective computing device (162) of the distributed computing system: obtaining a set of parameters (320) characterizing a security posture of the respective computing device (162), wherein the security posture optionally comprises an audit of the respective workload (102); and assigning, using the set of parameters (320), the respective computing device (162) to one of the plurality of security rings (160).
- The system of any of claims 8-11, wherein the respective security criteria (104) for each respective workload (102) of the plurality of workloads (102) comprises a sensitivity of the respective workload (102) indicating how critical or sensitive the workload 102 and/or data that the workload 102 processes is; and/or wherein the respective security criteria (104) for each respective workload (102) of the plurality of workloads (102) comprises a security posture of the respective workload (102) indicating how secure the workload (102) is, wherein the security posture optionally comprises an audit of the respective workload (102).
- The system of any of claims 8-12, wherein the plurality of security rings (160) comprise a low-security ring (160L) and a high-security ring (160H).
- The system of any of claims 8-13, wherein the determined security level (410) for the respective workload (102) comprises one of a low-security level (410L), a middle security level (410M), or a high-security level (410H).
- The system of claim 14, wherein: when the determined security level (410) for the respective workload (102) comprises the low-security level (410L), only the low-security ring (160L) is eligible for executing the respective workload (102); when the determined security level (410) for the respective workload (102) comprises the high-security level (410H), only the high-security ring (160H) is eligible for executing the respective workload (102); and when the determined security level (410) for the respective workload (102) comprises the middle security level (410M), both the low-security ring (160L) and the high-security ring (160H) are eligible for executing the respective workload (102).
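Added example (not code from the patent or its applicant): the ring-eligibility rule of claims 7 and 15 together with the statistics-driven device reassignment of claims 1 to 3, in Python. The criteria-to-level policy, the posture scores, the slot capacities and the `hot`/`cold` thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass, field
# Claims 7 and 15: security level (410) -> rings (160) eligible to run it.
ELIGIBLE = {"low": ("low",), "middle": ("low", "high"), "high": ("high",)}

@dataclass
class Device:
    name: str
    posture: int    # assumed score summarising the parameters (320)
    slots: int = 2  # assumed capacity
    running: list = field(default_factory=list)

@dataclass
class Ring:
    min_posture: int  # assumed form of the security requirement (310)
    devices: list = field(default_factory=list)
    def utilization(self):  # resource utilization (222) as slot usage
        total = sum(d.slots for d in self.devices)
        return sum(len(d.running) for d in self.devices) / total if total else 1.0

def security_level(sensitivity, audited):
    # Assumed policy: the claims do not fix how criteria (104) map to a level.
    return "high" if sensitivity == "high" else ("middle" if audited else "low")

def place(rings, workload, sensitivity, audited):
    level = security_level(sensitivity, audited)
    # Least-utilised eligible ring first; ineligible rings are never tried.
    for name in sorted(ELIGIBLE[level], key=lambda r: rings[r].utilization()):
        for dev in rings[name].devices:
            if len(dev.running) < dev.slots:
                dev.running.append(workload)
                return name, dev.name
    return None  # fail closed: wait for capacity instead of crossing rings

def rebalance(rings, hot=0.75, cold=0.25):
    # Move one idle device that meets the target ring's requirement (claim 3).
    src = min(rings, key=lambda r: rings[r].utilization())
    dst = max(rings, key=lambda r: rings[r].utilization())
    if rings[dst].utilization() < hot or rings[src].utilization() > cold:
        return None
    for dev in rings[src].devices:
        if not dev.running and dev.posture >= rings[dst].min_posture:
            rings[src].devices.remove(dev)
            rings[dst].devices.append(dev)
            return dev.name, src, dst
    return None

def sample_rings():  # constructed fleet; names and scores are illustrative
    return {"low": Ring(0, [Device("l1", 1), Device("l2", 5)]),
            "high": Ring(4, [Device("h1", 5, slots=1)])}
```

A device changes rings only while it runs nothing, so no physical device ever hosts workloads from two rings at once, and a high-level workload that finds its ring full is held back instead of being placed in the low-security ring.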
Description
TECHNICAL FIELD
This disclosure relates to workload security rings.
BACKGROUND
Distributed computing networks (i.e., "cloud computing") are increasingly popular due to price, scalability, and flexibility. These computing networks simultaneously manage an incredible number of varying workloads. For instance, some workloads may be experimental, other workloads may process user data, while yet other workloads may process mission critical fleet management information. Each different workload type demands different requirements regarding security, maintainability, and flexibility.
US2020125370 A1 discloses associating groups of computers in a cloud with a tag. When a new computer is to be included in a group, it is started, tagged with the tag, and an agent brings it in a state compatible with the group policy. US 2019/317825 A1 discloses a system for managing deployment of distributed computing resources.
SUMMARY
The invention is defined by the independent claims. Dependent claims specify embodiments thereof.
One aspect of the disclosure provides a computer-implemented method for workload security rings that, when executed by data processing hardware causes the data processing hardware to perform operations. The operations include receiving a plurality of workloads. Each workload is associated with respective security criteria and scheduled for execution on a distributed computing system. The distributed computing system is divided into a plurality of security rings and each security ring of the plurality of security rings is associated with a respective subset of computing devices of the distributed computing system that is physically isolated from the respective subset of computing devices of the distributed computing system associated with each other security ring of the plurality of security rings.
For each respective workload of the plurality of workloads, the method includes determining, using the respective security criteria, a security level of the respective workload and identifying, using the security level of the respective workload, one or more of the plurality of security rings that are eligible for executing the respective workload. The method also includes executing the respective workload on one or more computing devices selected from one of the respective subsets of computing devices associated with the identified one or more of the plurality of security rings eligible for executing the respective workload. Implementations of the disclosure may include one or more of the following optional features. In some implementations, the operations further include, for each security ring in the plurality of security rings, determining resource utilization for the respective subset of computing devices associated with the security ring and adjusting, using the determined resource utilization, a number of computing devices in the respective subset of computing devices associated with the security ring. Optionally, for each security ring in the plurality of security rings, the security ring is associated with a respective security requirement and each computing device in the respective subset of computing devices associated with the security ring complies with the respective security requirement of the security ring. In some examples, the respective security requirement for each security ring in the plurality of security rings includes a different level of physical security than the respective security requirement for each other security ring in the plurality of security rings. 
The operations may further include, prior to receiving the plurality of workloads, for each respective computing device of the distributed computing system, obtaining a set of parameters characterizing a security posture of the respective computing device and assigning, using the set of parameters, the respective computing device to one of the plurality of security rings. In some implementations, the respective security criteria for each respective workload of the plurality of workloads includes a sensitivity of the respective workload. The respective security criteria for each respective workload of the plurality of workloads may include a security posture of the respective workload. In this implementation, the security posture may include an audit of the respective workload. Optionally, the plurality of security rings include a low-security ring and a high-security ring. In some examples, the determined security level for the respective workload includes one of a low-security level, a middle security level, or a high-security level. When the determined security level for the respective workload includes the low-security level, only the low-security ring may be eligible for executing the respective workload. When the determined security level for the respective workload includes the high-security level, only the high-security ring may be eligible for executing the respective workload. In some examples, when the determined security l