US-12627640-B1 - Secured cloud workload deployment
Abstract
Systems, methods, and computer program products for limiting unauthorized access to sensitive information in a cloud workload are described herein. A method comprises reading a provisioning request from a host server by a secret manager of a cloud workload; storing sensitive information from the provisioning request in memory accessible to a secret manager of the cloud workload; provisioning resources on the workload server for an application instance based on the provisioning request; receiving an information request; and transmitting the sensitive information to the application instance.
Inventors
- Cheng-Ta Lee
- David O'Connor
- Mark Peters
Assignees
- INTERNATIONAL BUSINESS MACHINES CORPORATION
Dates
- Publication Date: 20260512
- Application Date: 20241112
Claims (20)
- 1. A computer-implemented method for limiting unauthorized access to sensitive information in a cloud workload, the method comprising: receiving a provisioning request of a host server at a workload server associated with the cloud workload; reading, by a secret manager of the cloud workload, the provisioning request, wherein the provisioning request comprises sensitive information and reading the provisioning request by the secret manager comprises intercepting the provisioning request upon receipt; storing the sensitive information in memory accessible to the secret manager of the cloud workload; provisioning resources on the workload server for an application instance based on the provisioning request; reading, by the secret manager, an information request; and transmitting, to the application instance, the sensitive information.
- 2. The computer-implemented method of claim 1, wherein the sensitive information comprises an application programming interface key and/or a private key.
- 3. The computer-implemented method of claim 1, further comprising: encrypting the sensitive information.
- 4. The computer-implemented method of claim 3, wherein encrypting the sensitive information comprises randomly generating a key.
- 5. The computer-implemented method of claim 1, wherein the provisioning request comprises an identification of an origin of the provisioning request, wherein the computer-implemented method further comprises: determining the origin of the provisioning request is the host server based on the identification.
- 6. The computer-implemented method of claim 5, wherein the identification of the origin comprises a cryptographic signature, wherein determining whether the origin of the provisioning request is the host server comprises using a public key associated with the host server.
- 7. The computer-implemented method of claim 1, wherein the sensitive information is read by the secret manager at periodic time increments.
- 8. The computer-implemented method of claim 1, further comprising: removing the sensitive information from the memory responsive to transmitting the sensitive information to the host server.
- 9. The computer-implemented method of claim 1, wherein the cloud workload comprises a container executed in a pod.
- 10. The computer-implemented method of claim 1, wherein the sensitive information is only stored within the cloud workload in the memory.
- 11. A computer program product for limiting unauthorized access to sensitive information in a cloud workload, the computer program product comprising: a set of one or more computer-readable storage media; and program instructions, collectively stored in the set of one or more computer-readable storage media for causing a processor set to perform the following computer operations: receive a provisioning request of a host server at a workload server associated with the cloud workload; read, by a secret manager of the cloud workload, the provisioning request, wherein the provisioning request comprises sensitive information and reading the provisioning request by the secret manager comprises intercepting the provisioning request upon receipt; store the sensitive information in memory accessible to the secret manager of the cloud workload; provision resources on the workload server for an application instance based on the provisioning request; read, by the secret manager, an information request; and transmit, to the application instance, the sensitive information.
- 12. The computer program product of claim 11, wherein the program instructions further cause the processor set to encrypt the sensitive information, wherein encrypting the sensitive information comprises randomly generating a key.
- 13. The computer program product of claim 11, wherein the provisioning request comprises an identification of an origin of the provisioning request, wherein the computer-implemented method further comprises: determining the origin of the provisioning request is the host server based on the identification.
- 14. The computer program product of claim 11, further comprising: removing the sensitive information from the memory responsive to transmitting the sensitive information to the host server.
- 15. The computer program product of claim 11, wherein the sensitive information is only stored within the cloud workload in the memory.
- 16. A computer system for limiting unauthorized access to sensitive information in a cloud workload, the computer system comprising: a processor set; a set of one or more computer-readable storage media; and program instructions, collectively stored in the set of one or more computer-readable storage media for causing the processor set to perform the following computer operations: receive a provisioning request of a host server at a workload server associated with the cloud workload; read, by a secret manager of the cloud workload, the provisioning request, wherein the provisioning request comprises sensitive information and reading the provisioning request by the secret manager comprises intercepting the provisioning request upon receipt; store the sensitive information in memory accessible to the secret manager of the cloud workload; provision resources on the workload server for an application instance based on the provisioning request; read, by the secret manager, an information request; and transmit, to the application instance, the sensitive information.
- 17. The computer system of claim 16, wherein the provisioning request comprises an identification of an origin of the provisioning request, wherein the computer-implemented method further comprises: determining the origin of the provisioning request is the host server based on the identification.
- 18. The computer system of claim 16, further comprising: removing the sensitive information from the memory responsive to transmitting the sensitive information to the host server.
- 19. The computer system of claim 16, wherein the sensitive information is only stored within the cloud workload in the memory.
- 20. The computer system of claim 17, wherein the identification of the origin comprises a cryptographic signature, wherein determining whether the origin of the provisioning request is the host server comprises using a public key associated with the host server.
Description
BACKGROUND
Embodiments of the present disclosure relate to limiting unauthorized access to sensitive information in a cloud workload.
SUMMARY
According to embodiments of the present disclosure, methods of, computer program products for, and computer systems for limiting unauthorized access to sensitive information in a cloud workload are disclosed. A method for limiting unauthorized access to sensitive information in a cloud workload may include reading a provisioning request of a host server. The provisioning request may be read by a secret manager of the cloud workload. The provisioning request may comprise sensitive information. The method may include storing the sensitive information in memory accessible to a secret manager of the cloud workload. The method may include provisioning resources on the workload server for an application instance. The provisioning may be based on the provisioning request. The method may include reading an information request. The information request may be received by the secret manager. The method may include transmitting the sensitive information to the application instance.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flow diagram depicting an exemplary method for limiting unauthorized access to sensitive information in a cloud workload, in accordance with one or more embodiments of this disclosure.
FIG. 2 is a block diagram depicting an exemplary system for limiting unauthorized access to sensitive information in a cloud workload, in accordance with one or more embodiments of this disclosure.
FIG. 3 is a schematic diagram of a computing node, in accordance with one or more embodiments of the present disclosure.
FIG. 4 is a schematic diagram of a cloud computing environment, in accordance with one or more embodiments of the present disclosure.
FIG. 5 is a block diagram depicting abstraction model layers, in accordance with one or more embodiments of the present disclosure.
DETAILED DESCRIPTION
Sensitive information is commonly passed to cloud workloads during deployment. Sensitive information includes application programming interface (API) keys, credentials (e.g., a password), private keys, and/or other information a user desires to remain confidential. Passing the information to the workloads exposes it to access by unauthorized users. As such, methods for passing sensitive information to, and/or maintaining it within, cloud workloads that limit this risk are desired.
Current methods for preventing unauthorized access to the sensitive information are themselves prone to leaking it. For example, current methods present the sensitive information in plain text (unencrypted) inside the cloud workloads; running the “export” command inside a container may reveal it. Further, existing methods establish paths that unauthorized users can follow to obtain the sensitive information. For example, one method that presents the sensitive information in an unencrypted format includes the use of a secret vault (e.g., HashiCorp Vault and Kubernetes Secret) for restricting access to sensitive information. Another method stores the sensitive information in sidecars. This method does not require the unauthorized user to be authenticated: access to the workload's configuration files is enough to retrieve the sensitive information. Accordingly, methods that force unauthorized users to take additional steps to access the sensitive information are desired. For example, such methods may force an unauthorized user to perform a “ptrace” to access the sensitive information, and such additional steps are likely to be caught and stopped by security solutions (e.g., Endpoint Detection and Response).
One such method (as described herein) creates a service running inside the workload that takes incoming application provisioning requests and stores the sensitive information included in the requests in memory. In such a method, the sensitive information exists only in memory and in no other form within the workload. This method is further enhanced by encrypting the sensitive information, enforcing an authentication policy, and/or adding other layers of security as described herein.
FIG. 1 is a flowchart illustrating an exemplary method 100 for limiting unauthorized access to sensitive information in a cloud workload according to one or more exemplary embodiments of the present disclosure. The operations of method 100 presented below are intended to be illustrative. In some implementations, method 100 is accomplished with one or more additional operations not described and/or without one or more of the operations discussed. Additionally, the order in which the operations of method 100 are illustrated in FIG. 1 and described below is not intended to be limiting. In some implementation
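As an added example (not IBM's code; the patent gives no implementation), a small in-workload secret manager in Python that follows the method above: it intercepts the provisioning request on receipt, checks that it came from the host server, keeps the secrets only in process memory sealed under a randomly generated key, strips them from what provisioning sees, and serves each one to the application instance once before removing it from memory. Assumptions: the request is JSON with a `secrets` field, an HMAC tag stands in for the asymmetric signature of claim 6, and a SHAKE256 keystream stands in for an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import secrets


def sign_as_host(host_key: bytes, raw: bytes) -> bytes:
    """Host-side origin tag. HMAC stands in for the asymmetric signature of claim 6."""
    return hmac.new(host_key, raw, "sha256").digest()


class SecretManager:
    """Secret manager living inside the workload: secrets exist only here, in memory."""

    def __init__(self, host_key: bytes):
        self._host_key = host_key                # verification key for the host server
        self._mem_key = secrets.token_bytes(32)  # random per-workload key (claim 4)
        self._sealed = {}                        # name -> nonce || ciphertext

    def _keystream(self, name: str, nonce: bytes, n: int) -> bytes:
        # SHAKE256-derived keystream; stand-in for AES-GCM, which a real build would use.
        return hashlib.shake_256(self._mem_key + nonce + name.encode()).digest(n)

    def _seal(self, name: str, value: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ks = self._keystream(name, nonce, len(value))
        return nonce + bytes(a ^ b for a, b in zip(value, ks))

    def _open(self, name: str, blob: bytes) -> bytes:
        nonce, ct = blob[:16], blob[16:]
        ks = self._keystream(name, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))

    def intercept(self, raw: bytes, tag: bytes) -> dict:
        """Intercept the provisioning request on receipt: verify its origin, pull the
        secrets into sealed memory, and hand back a request with no secrets in it."""
        if not hmac.compare_digest(sign_as_host(self._host_key, raw), tag):
            raise PermissionError("provisioning request is not from the host server")
        req = json.loads(raw)
        for name, value in req.pop("secrets", {}).items():
            self._sealed[name] = self._seal(name, value.encode())
        return req  # this is all that provisioning (env vars, config files) ever sees

    def serve(self, name: str) -> str:
        """Answer the application instance's information request, then remove the
        secret from memory so a repeated request gets nothing (claim 8)."""
        return self._open(name, self._sealed.pop(name)).decode()

    def held(self) -> list:
        return sorted(self._sealed)
```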