Sovereign Cloud
The secure pipeline with a data valve and staging area addresses data transmission challenges across sovereign territories by validating and isolating data, ensuring compliance and security in cloud service provider networks.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- ORACLE INT CORP
- Filing Date
- 2024-05-13
- Publication Date
- 2026-06-23
AI Technical Summary
Existing cloud service providers face challenges in securely transmitting data across sovereign territories due to differing security protocols and legal requirements, leading to uncertainties about data validity and compliance.
A secure pipeline is established between data centers, utilizing a data valve and staging area to verify and isolate data, ensuring compliance with the receiving jurisdiction's regulations, and employing a NOC to manage access and authorization.
Ensures secure, compliant data transmission by validating data integrity and adhering to jurisdiction-specific regulations, preventing unauthorized access and maintaining data security throughout the transfer process.
Smart Images

Figure 2026520396000001_ABST
Abstract
Description
Technical Field
[0001] Cross - reference to Related Applications This application claims the benefit of U.S. Provisional Patent Application No. 63 / 466,599, filed May 15, 2023, U.S. Non - Provisional Patent Application No. 18 / 654,267, filed May 3, 2024, and U.S. Non - Provisional Patent Application No. 18 / 654,448, filed May 3, 2024, and each is hereby incorporated by reference in its entirety for all purposes.
[0002] Field The present disclosure relates to the field of computing networks, and more particularly, to techniques for verifying data being transmitted from one area of the computing network to another area.
Background Art
[0003] Background A cloud service provider (CSP) can provide multiple cloud services to registered customers. These services are provided in various models such as software - as - a - service (SaaS) model, platform - as - a - service (PaaS) model, infrastructure - as - a - service (IaaS) model, etc.
Summary of the Invention
Problems to be Solved by the Invention
[0004] Brief Summary This disclosure generally relates to the verification of data received in a first sovereign territory from a second sovereign territory. More specifically, it describes techniques for storing data received from an out-of-jurisdiction jurisdiction in an isolated environment. The data may be verified while stored in the isolated environment. The verified data may be authorized for deployment from the isolated environment to a data center in the first sovereign territory. This specification describes various embodiments, including methods, systems, and non-temporary computer-readable media that store programs, code, or instructions executable by one or more processors. Several embodiments can be realized by using a computer program product that, when executed by a processor, contains a program / instruction that causes the processor to execute one of the methods described herein. [Means for solving the problem]
[0005] One method performed by a computer may include a computing system in a first data center in a first area retrieving data from a second data center in a second area. The data may be stored in an isolated environment in the first data center.
[0006] The method by which this computer performs may further include the computing system determining validation parameters based at least in part on the first domain.
[0007] The way this computer performs may further include the computing system validating the data based at least partially on validation parameters.
[0008] The way this computer performs may further include the computing system processing a first message indicating the release of data from the isolated environment.
[0009] The way this computer performs may further include the computing system processing a second message indicating that the first message originated from a computing device located in a first area.
[0010] The method by which this computer performs may further include causing the computing system to release data from an isolated environment based at least in part on a verification, a first message indicating that the data is to be released, and a second message indicating that the first message originates from a first area. [Brief explanation of the drawing]
[0011] [Figure 1] This is a diagram of an exemplary data validation system according to one or more embodiments. [Figure 2] This is a diagram of an exemplary data validation system according to one or more embodiments. [Figure 3] This is a diagram of an exemplary data valve according to one or more embodiments. [Figure 4] This is a diagram of an exemplary verification technique database according to one or more embodiments. [Figure 5] This is a diagram of an exemplary staging area according to one or more embodiments. [Figure 6] This is a signal diagram of an exemplary process for data validation according to one or more embodiments. [Figure 7] This figure shows an exemplary process flow for data validation according to one or more embodiments. [Figure 8] This figure shows an exemplary process flow for data validation according to one or more embodiments. [Figure 9] This block diagram shows a pattern for implementing a cloud infrastructure system as a service, according to at least one embodiment. [Figure 10]This block diagram shows another pattern for implementing a cloud infrastructure system as a service, following at least one embodiment. [Figure 11] This block diagram shows another pattern for implementing a cloud infrastructure system as a service, following at least one embodiment. [Figure 12] This block diagram shows another pattern for implementing a cloud infrastructure system as a service, following at least one embodiment. [Figure 13] A block diagram showing an exemplary computer system according to at least one embodiment. [Modes for carrying out the invention]
[0012] Detailed explanation Various embodiments are described in this specification. For illustrative purposes, and to enable a complete understanding of the embodiments, specific configurations and details are described. However, it will be apparent to those skilled in the art that embodiments can be realized without these specific details. Furthermore, well-known features may be omitted or simplified so as not to obscure the description of the embodiments.
[0013] An entity may control two or more data centers and want to send or receive data between data centers in one region and data centers in another. For example, an entity (e.g., a cloud service provider) may have a data center in a first region (e.g., the United States) and want to send data to another data center in a second region (e.g., Europe). A potential problem is that the protocols applicable to the receiving data center may differ from those used for sending the data. For example, the security protocols at the receiving data center may differ from those at the sending data center. This can lead to questions about whether the receiving data center should receive the data.
[0014] Embodiments of this specification describe a secure pipeline for transmitting data across a sovereign boundary from one data center to another. A secure pipeline can be established between two data centers, which may be operated by the same cloud service provider, to enhance control over data flow. The secure pipeline may include a data valve located midway between the two data centers. The data valve mediates data flows of a given format and schema in a specific direction and can define validation rules that must be applied to any payload to determine whether the data payload is allowed to pass through. The data valve can log all payloads and the results of their respective processing. Such logs may be fed into a Security and Information Event Management (SIEM) system for separate processing and auditing.
[0015] A data valve can be equipped with software, hardware, or a combination thereof for verifying data. For example, in some cases, a bare-metal server can be a data valve, and in other cases, a network interface controller (NIC) that controls traffic to a host can be a data valve. The verification performed by the data valve can include scrutinizing any changes to the data (including manual, automatic, or semi-automatic changes). The verification can include determining whether the signature corresponds to the person who approved the change by verifying any change signature. Also, the verification can include checking the data for malware. Malware detection can be performed with or without the assistance of a machine learning model. The verification can include hermetic reconstruction from the source. For example, instead of accepting an object, the receiving data center can request instructions for constructing the object. The object can be reconstructed by the data valve by using, for example, any required libraries, code, or other data. This process can include the receiving data center constructing the object in a secure environment (e.g., a hermetic environment) within the data valve. The data cannot interact with other data outside the secure environment. The verification can further include hermetic reconstruction from the source. The verification can further include hermetic reconstruction using alternative dependencies. Based on the above verification process, the receiving data center can determine whether the data transmitted by the sending data center is valid or invalid.
[0016] Data passes through a data valve, reaches the receiving - side data center, and is stored in a staging area. As a staging area, a secure area that isolates data from other parts of the receiving - side data center is possible. The staging area can include software, hardware, or a combination thereof for verifying data and isolating data from other parts of the receiving - side data center. The staging area can be used to perform additional verification to verify data in addition to any verification performed at the data valve. The receiving - side data center can determine whether to permit the movement of data from the staging area to the receiving - side data center.
[0017] FIG. 1 is a diagram of a network operation center (NOC) 102, which is FIG. 100 of an exemplary data verification system according to one or more embodiments, being communicable with a first data center 104 and a second data center 106. As the NOC 102, one or more virtual or physical interfaces of a data center for operating various data center systems are possible. For example, as the NOC 102, a designated indoor computer within the first data center 104 or the second data center 106 is possible, or a computer used by an operator in charge of operating various data center systems is also possible. In other words, as the NOC 102, a computing device such as a laptop placed outside the first data center 104 and the second data center 106 is possible.
[0018] NOC102 may be restricted to use by Operator Access Tenancy (OAT)108. The OAT may be an authorized person for the operation of various data center systems who is authorized to use NOC102. In some cases, the person may be a resident of the same region as the data center. For example, if the data center is located in India, the person may also be a resident of India and physically located within the same region as the data center. NOC102 may include one or more security mechanisms that restrict the use of the NOC to OAT108. For example, access to NOC102 may be protected by a passcode, biometrics, or other appropriate security measures. In other cases, access to NOC102 may be protected by additional security measures such as storage of NOC102 in a secure room requiring authorization and / or a passcode from a security officer, biometrics, or other appropriate security measures for entry. In any case, access to NOC102 may be restricted to OAT108.
[0019] The first data center 104 and the second data center 106 can be a portion of the data center network operated by the Cloud Service Provider (CSP) 110. The data center network can be located in a region that may each contain one or more data centers. Each data center in the region may have physically different infrastructure (including servers, computing systems, internal networking systems, internal air conditioning control systems, and internal power systems). Therefore, even if one data center fails or is expected to fail, the failure is unlikely to affect other data centers because each data center is physically different and has its own internal systems. The data centers in the region (for example, the first data center 104 and the second data center 106) can be connected via a low-latency, high-bandwidth network. Therefore, even if one data center fails or is expected to fail, the other data centers in the region can continue to provide services to the CSP's customers.
[0020] Each data center may manage data on behalf of CSP's customers and vendors, including any data provided by CSP's customers or vendors, and any data or metadata originating from customers or vendors interacting with the cloud service. This data and metadata may include, for example, customer-provided data, customer IDs, computer names, IP addresses, data addresses, criteria, usage data, and other data.
[0021] Data stored in a data center may be subject to the legal requirements of the sovereign sphere in which the data center is located. For example, data may be subject to different privacy regulations depending on the jurisdiction in which the data center is located. Data stored in California may be subject to the California Consumer Privacy Act (CCPA), while data located in the European Union may be subject to the General Data Protection Regulation (GDPR). Although the CCPA and GDPR may have some overlapping requirements, differences in other requirements between the two may necessitate managing data stored in California differently than data stored in Europe. Naturally, data privacy is just one example of a legal field in which the legal requirements imposed on data can differ depending on the sovereign sphere.
[0022] As shown in the figure, the first data center 104 and the second data center 106 may be located in the same first sovereign domain 112. In this scenario, the same legal requirements may be imposed on the data stored in the first data center 104 and the second data center 106. In some other cases, the transfer of data from one sovereign domain to another is desired. In these cases, differences in the legal requirements of one jurisdiction and another may be considered prior to the transfer of data from one data center to another.
[0023] For example, CSP110 can operate a first data center 104 and a second data center 106, both located in the first sovereign territory 112. CSP110 can further operate a third data center 114 in the second sovereign territory 116. If CSP110 wants to transmit data from the third data center 114 to the first data center 104, it may need to consider whether the payload from the third data center 114 complies with the legal requirements of the first sovereign territory 112.
[0024] NOC102 may be used to manage data being received or transmitted to the first data center 104 via the secure pipeline 118. In some embodiments, the secure pipeline 118 can be unidirectional. In other words, CSP110 can transmit data from one or more data centers to the first data center 104 via the secure pipeline 118, but the first data center 104 cannot receive data from one or more data centers via the secure pipeline 118. In other embodiments, the secure pipeline 118 can be bidirectional, and the first data center 104 and one or more data centers can transmit data to each other via the secure pipeline 118.
[0025] The secure pipeline 118 may include a data valve 120 at an intermediate point between the first data center 104 and the third data center 114. In some embodiments, the data valve 120 may be located within the boundaries of the first sovereign territory 112. For example, if the first sovereign territory 112 is France, then both the first data center 104 and the data valve 120 are located in France. The data valve 120 may include software, hardware, or a combination thereof used for the temporary storage of data transmitted from a data center (e.g., the third data center). The data stored in the data valve 120 may be isolated and inaccessible to users of the third data center 114 and the first data center 104.
[0026] Data transmitted from the third data center 114 may be intercepted by the data valve 120. The data valve 140 may send a message to the NOC 102 indicating that data has been received via the secure pipeline 118. The NOC 102 may send a response containing control commands that the data valve 120 has isolated the data, preventing the third data center 114 from accessing the data, and verifying the data received from the third data center 114.
[0027] The data valve 120 can verify data in accordance with control commands that include verification requirements. Each sovereign domain can implement its own requirements for data verification. The data valve 120 can verify data in accordance with the requirements of the sovereign domain. If the data is not in the third data center 114 or the first data center 104, the data valve can replicate the data and, by performing various operations, may have the flexibility to perform verification without interference from the third data center 114. The verification results may be transmitted to the NOC 102. These results may include, for example, descriptions of any changes, checksums, and other relevant data.
[0028] As described above, NOC102 may be used by an agent, including one or more persons authorized to operate one or more systems in each of the first data center 104 and the second data center 106. In addition to authorization to operate one or more systems, this agent may satisfy additional temporary conditions for authorizing the release of data by the data valve. This agent may be required to be physically present in the sovereign domain where the data centers are located. For example, the agent may be required to be present in the first sovereign domain 112. Another requirement may be that the agent is required to be a resident of the sovereign domain where the data centers are located. Again, as shown in the figure, the agent may be required to be a resident of the first sovereign domain 112.
[0029] NOC102 can communicate with the human resources system in the first data center 104. The human resources system may include employee data indicating employees currently employed by CSP110 and authorized to use NOC102. Users may be required to prove their user identity by entering a passcode, using multi-factor authentication, or submitting biometric information. In response to verification of user identity and authorization to use NOC102, the computing system in the first data center can access the human resources system to verify that the user is a resident of the first sovereign domain 112. The computing system in the first data center can further determine whether the user is physically present in the first sovereign domain. For example, if NOC102 is a laptop, the user may have taken the laptop out of the first sovereign domain 112. The computing system in the first data center can determine in various ways whether the user is physically present in the first sovereign domain 112. For example, the computing system in the first data center can determine whether NOC102 is connected to a local network. In another example, the computing system of the first data center can access location services (e.g., the Global Positioning System) to determine the location of NOC102. If a user enters a passcode, uses multi-factor authentication, or submits biometric information to NOC102, and NOC102 is located within the first sovereign domain 112, then it can be inferred that the user is also located within the first sovereign domain 112.
[0030] After verifying the user's ID, authentication level, and location, NOC102 allows the user to decide whether to allow the data valve 120 to release the data. With the assistance of the computing system of the first data center, the user can examine the data and verification results to decide whether to allow the data valve 120 to release the data. If the user chooses not to allow the data valve 120 to release the data, the data valve can process the data. For example, the data valve 120 may erase the data, any copies of the data, and any transformations of the data. The computing system of the first data center may separately send a message to the third data center 114 indicating that data input to the first data center 104 was not permitted.
[0031] If the user authorizes the release of data via the data valve 120, the data may be received in the staging area. The first data center 104 may store the data in the staging area, which can be an isolated environment of the first data center 104 similar to the data valve 120. The data can undergo a second verification in the staging area. One or more verification processes as described above may be performed in the staging area. Additional processes for verifying the data may be performed in the staging area. In some cases, the staging area may have different functions than the data valve 120. For example, the staging area may have more functions than the data valve 120. In these cases, the staging area may be able to verify more additional requirements of the sovereign domain than the data valve 120. Furthermore, the staging area can transmit the verification results to the NOC 102.
[0032] Based on the validation performed in the staging area, the person using NOC102 can decide to release the data from the staging area to the first data center 104. If the same NOC102 is used to release data from the data valve 120, the user may or may not be asked to re-verify their identity, authentication level, location, and residence. However, if a different NOC102 is used to release data from the staging area, the user may be asked to verify their identity, authentication level, location, and residence.
[0033] In some embodiments, data from a data center (for example, a third data center 114) may be validated in a data valve 120 and a staging area. In some other embodiments, a secure pipeline 118 and a data valve 120 are included in the staging area so that data is validated by the data valve 120 in the staging area.
[0034] Data released from the staging area can be converted for storage in the first data center 104. Naturally, the data is transmitted from the data valve 120 in the same format as when it was received by the data valve 120. In other words, the data is transmitted from the data valve in the same format as when it was transmitted from the third data center 114. For example, the data can be organized as raw data, metadata, and summary data in a format compatible with the first data center 104. The data is then stored in the first data center 104 and made available to users.
[0035] Figure 2 is a diagram of an exemplary data validation system according to one or more embodiments. A first data center 202 and a second data center 204 may be part of a network of data centers operated by the same CSP. The first data center 202 may be located in a first sovereign territory 206 (e.g., the United States), and the second data center 204 may be located in a second sovereign territory 208 (e.g., Spain). The first data center 202 and the second data center 204 can further perform the functionality described herein using infrastructure and computing systems such as those described with respect to Figures 9 to 13.
[0036] The first data center 202 can transmit data to the second data center 204 via a secure pipeline 210. The secure pipeline 210 may include one or more security measures that provide unauthorized access to the data transmitted through the pipeline. For example, data transmitted through the secure pipeline 210 may be encrypted in the first data center 202 and decrypted in the second data center 204.
[0037] The secure pipeline 210 may include a data valve 212 located midway between the first data center 202 and the second data center 204 in the second sovereign domain 208. For example, the data valve 212 may be located within the sovereign boundary 228 of the second sovereign domain 208. The data valve 212 may include a combination of hardware (e.g., a server or network interface controller) and software used to restrict data in a unidirectional path from one or more data centers (including the first data center 202) to the second data center 204. The data valve 212 may further create an isolated environment in which neither the first data center 202 nor the second data center 204 can access the intercepted data until the data valve 212 releases it. Generally, an isolated environment is one in which the source and destination systems cannot access the data inside before the data is verified. Data in the isolated environment is verified and authorized for release prior to access by the source and destination systems. When data routed to the second data center 204 is intercepted by the data valve 212, the data valve 212 can store the data in an isolated environment and implement access control to prevent data access from both the first data center 202 and the second data center 204. The data may be stored in the format provided by the first data center 202 (e.g., JSON). After data isolation, the data valve 212 can send a message to the second data center 204 indicating that the data transmitted through the secure pipeline 210 has been received by the data valve 212. For example, the second data center 204 may have a NOC to operate one or more systems in the second data center 204 that can receive the message. The message may include indicators of the characteristics of the received data. For example, the message may indicate the type of data structure, data class, and other appropriate data categories. The NOC can send a response message containing instructions to validate the data.In some cases, the message may include the use of a specific validation technique for a particular data category. In other cases, the data valve 212 may be configured to select a specific validation technique based on the data category or sovereignty requirements. The data valve 212 can validate the data and send the validation results to the NOC.
[0038] The user operating the NOC can determine whether to allow the release of data from the data valve 212 based on the verification results. For example, the user can view the verification results and make an input indicating whether to release data from the data valve 212. However, prior to executing a command to allow or deny the release of data from the data valve 212, the NOC can determine whether the user satisfies the requirements for the determination. The NOC has access to identification information associated with the user. For example, the NOC may be assigned to the user, the user may enter a user identifier or user password, or the NOC may identify the user using biometric data such as facial features. The NOC can send the user's ID to the authorization resolver 214 along with a command determining whether the user satisfies the requirements for determining whether to allow the release of data from the data valve 212.
[0039] The authorization resolver 214 may include software for determining whether a user satisfies the requirements for determination by applying a set of rules. The requirements may include whether the user is currently an employee of the CSP, whether the user has an authorization level for determining whether to allow or deny the release of data from the data valve 212, whether the user is a resident of the second sovereign territory, or whether the user is currently located in the second sovereign territory.
[0040] The authorization resolver has access to the second human resources system 216 for the second sovereign domain 208. The second human resources system 216 may contain employee information of employees working in the second sovereign domain. For example, the second human resources system may contain employee information of each employee working in each data center in the second sovereign domain 208. The employee information stored in the second human resources system 216 may contain personally identifiable information such as name, employee identifier, address, and residence. Optionally, the second human resources system 216 may contain a subset of employees working for the CSP. The CSP may have a global human resources system that contains employee information of all of its employees. For example, the first sovereign domain 206 may optionally be the headquarters of the CSP and may include the first human resources system 218, which is a global human resources system. In other cases, the global human resources system may be located in a data center separate from the data center that transmits the data to the second data center 204. In any case, the authorization resolver 214 may be configured to determine employee information from the local human resources system rather than accessing employee information from the global human resources system.
[0041] The authorization resolver 214 can send an employee identifier to the second human resources system 216 along with instructions confirming that the user is currently employed by the CSP, the user's authorization level, and the user's residence. Based on the received employee identifier, the second human resources system 216 can access the employee database and the user's files. Furthermore, the second human resources system 216 can determine whether the user is currently an employee of the CSP and assigned to the second data center 204. In other words, the authorization resolver 214 can locally resolve whether the user is currently employed by the CSP, assigned to the second data center 204, and a resident of the second sovereign territory 208.
[0042] In some embodiments, the second human resources system 216 can further access the global human resources system (e.g., the first human resources system 218) to reconfirm that the user is currently employed by the CSP, assigned to the second data center 204, and a resident of the second sovereign territory 208. In some cases, the global human resources system may be updated with changes in the user's employment status, location assignment, and residence, but may not be transmitting these updates to the local human resources system (e.g., the second human resources system 216).
[0043] The second human resources system 216 can further determine whether the user has permission to authorize the release of data. Furthermore, the second human resources system 216 can access a second authorization service 220 configured to manage employee access rights to prevent employees from engaging in unauthorized activities on the CSP's computing system. The second authorization service 220 may include information for managing employee roles, permissions, and access control rules assigned to the second data center 204. For example, the CSP can assign permissions to employees based on predetermined rules. These permissions may include whether the user is permitted or denied the release of data from the data valve 212.
[0044] The second human resources system 216 can send a message to the second authorization service 220 providing the user's ID and a request for information regarding whether the user has permission to determine whether or not to allow data to be released from the data valve 212. In response to receiving the ID and the request, the second authorization service 220 can determine whether or not the user has the required permission. For example, a user may be part of a group designated by the CSP to have permission to determine whether or not to release data from the data valve. The second human resources system 216 can check the group to confirm the user's status as a member of the group.
[0045] In some embodiments, the second human resources system 216 may further access a global human resources system (e.g., the first human resources system 218) to send requests to verify the user's ID and user's authorization level. The global human resources system may have access to a global authorization service. For example, the first authorization service 222 in the first data center 202 may be a global authorization service. The first authorization service 222 may access its records to determine whether a user has a required authorization level. Similar to the human resources system, the global authorization service may be updated with changes in the user's authorization level, but may not have transmitted the updates to a local authorization service (e.g., the second authorization service 220).
[0046] The authorization resolver 214 can further determine whether the user is in the second sovereign domain 208. Therefore, the authorization resolver 214 can determine whether the NOC is located in the second sovereign domain 208. If the NOC is located in the second sovereign domain 208, the authorization resolver 214 can infer that the user is also in the second sovereign domain 208. The authorization resolver 214 can determine whether the NOC is in the second sovereign domain 208 by various means. The authorization resolver 214 can determine that the NOC is physically located within the second data center 204. For example, the authorization resolver 214 can determine that the NOC is accessing the mainframe of the second data center 204 and communicating with the mainframe using a wired communication interface. Furthermore, based on the wired communication with the mainframe, the authorization resolver 214 can infer that the user is in the second sovereign domain 208. In another example, an authorization resolver can access a local area network (LAN), such as a Wi-Fi network, in the second data center 204 and communicate with the NOC using a wireless interface. Based on this communication, the authorization resolver can determine that the NOC is connected to the LAN. Based on the fact that the NOC is connected to the LAN, the authorization resolver 214 can further determine that the NOC is located within the second sovereign domain 208.
[0047] In yet another example, the NOC may be equipped with circuitry for accessing location information services such as the Global Positioning System (GPS) service. The authorization resolver 214 can send a message to the NOC via a wired or wireless interface that provides the NOC's location via the location information service. If the location provided by the NOC is within the second sovereign domain 208, the authorization resolver 214 can determine that the NOC is located in the second sovereign domain 208. If the authorization resolver 214 determines that the NOC is in the second sovereign domain 208, it can further determine that the user is also located in the second sovereign domain 208.
[0048] However, the authorization resolver 214 may initially determine that the NOC is not located within the second sovereign domain 208. For example, if the NOC is not communicating with the mainframe via a wired connection or is not connected to a LAN, the authorization resolver may send a message to the NOC requesting its location via a location information service. If the NOC is able to provide a location within the second sovereign domain 208, the authorization resolver 214 can determine that it is located within the second sovereign domain 208. If the NOC is unable to provide a location within the second sovereign domain 208, the authorization resolver 214 can determine that the NOC is not located within the second sovereign domain 208.
[0049] The authorization resolver 214 can use one or more of the methods described above to determine whether the NOC and the inferred user are located in the second sovereign domain 208. Naturally, the authorization resolver 214 can further use this method in various sequences. For example, as shown above, the authorization resolver 214 may send a location information request from the location information service to the NOC if it determines that the NOC is not connected to the mainframe via a wired interface and is not connected to the LAN via a wireless interface. In another case, the authorization resolver 214 may send a location information request from the location information service to the NOC. If the NOC cannot provide location information indicating that the NOC is in the second sovereign domain 208, the authorization resolver 214 can determine whether the NOC is connected to the mainframe via a wired interface or to the LAN via a wireless interface.
[0050] The user may be required to satisfy all of the above requirements in order for a user determination to be made as to whether data is released from data valve 212. Therefore, in order for the user determination to allow or deny the release of data from data valve 212, the user may be required to be currently employed by CSP, assigned to the second data center 204, a resident of the second sovereign territory 208, and assigned a permission level for determination.
[0051] If the user decides not to release the data from data valve 212, the data and any modifications thereof (e.g., copies, transformations) may be erased. However, if the user decides to release the data from data valve 212, the data may be received in the staging area.
[0052] The data, after passing through the data valve 212, may be received in the staging area 226 of the second data center 204. The staging area 226 may be an intermediate storage area that the second data center can use for data processing. Similar to the data valve 212, the staging area 226 may provide an isolated environment for validating the data prior to reformatting and deployment to the data storage of the second data center 204. The staging area 226 may include storage devices such as network interface controllers or storage bare metal servers. In addition, one or more of the validation processes described above may be performed in the staging area 226.
[0053] The data may be received by the staging area 226 in the same format as when it was transmitted by the data valve 212. Furthermore, the data may be received by the staging area 226 in the same format as when it was transmitted by the first data center 202. While the data is stored in the staging area 226, the second data center 204 can instruct the staging area 226 to perform one or more verification operations. For example, when the data is received in the staging area 226, the authorization resolver 214 can notify the NOC that the data has been received in the staging area. Furthermore, the authorization resolver 214 can verify that no party, including the first data center 202, the data valve 212, or any system in the second data center 204 outside the staging area, can access the data. The NOC can perform one or more verification processes on the data and send a response message indicating that it will report the results to the NOC. In some cases, the NOC can send an instruction to perform a specific verification process, and in other cases, it can send an instruction to select a verification process based on the nature of the data. The authorization resolver 214 can send control instructions to the staging area 226 that execute one or more verification processes based on instructions from the NOC.
[0054] The staging area 226 can enable data validation in a single location, rather than distributing data throughout the second data center 204 and subjecting it to various validation processes. This validation may include each validation process, with the results being sent to the NOC. In this sense, since the staging area can be aware of the execution of each validation process, one or more validation processes will not be omitted from the final validation test report. Furthermore, even if the data contains viruses, malware, or other code that could be harmful to the second data center 204 where any data is stored, the isolation environment of the staging area 226 prevents the harmful data from interacting with any data stored in the second data center 204.
[0055] The staging area 226 can execute one or more verification processes on the data based on instructions from the authorization resolver 214. Examples of one or more processes are described in more detail with reference to Figure 4. Furthermore, the staging area 226 can send the verification results to the authorization resolver 214. The authorization resolver 214 can send the verification results to the NOC. The NOC can send a response message indicating whether the data can be released from the staging area.
[0056] As shown in the figure, the data valve 212 and the staging area 226 are shown as separate points where verification can be performed. Naturally, in some cases, the secure pipeline 210 from the first data center 202 to the second data center 204 may include either the data valve 212 or the staging area 226, rather than having both the data valve 212 and the separate staging area 226. For example, if the data valve 212 is present, the staging area 226 may not be present. Or, if the staging area 226 is present, the data valve 212 may not be present.
[0057] Once data is released from the staging area, the deployment of the data to its intended destination in the second data center 204 can be managed by the service manager 224.
[0058] Figure 3 is a figure 300 of an exemplary data valve according to one or more embodiments. The data valve 302 may comprise a data analysis unit 304, a mapping unit 306, a verification technology database 308, and a verification unit 310. The data valve 302 may be gated to the external environment via a first access control unit 312 and a second access control unit 314. The first access control unit 312 may comprise a combination of software and hardware configured to manage data to the data valve 302. The first access control unit 312 may allow data transmitted via a secure pipeline (e.g., secure pipeline 210) to enter the data valve 302. The data may be transmitted by, for example, a first data center (e.g., first data center 202).
[0059] The first access control unit 312 can control the data flow so that data from the source system 316 through the secure pipeline can enter the data valve 302. However, data from the data valve 302 cannot pass through the secure pipeline from the source system 316 in the reverse direction from the first access control unit 312. For example, the first access control unit 312 may be implemented by a network interface card (NIC) configured to receive data from the source system 316 through the secure pipeline from the source system (e.g., the first data center 202) and to prevent the transmission of data back to the source. For example, the NIC may be configured to filter communications so that the flow of communication is unidirectional. For example, the NIC may be configured to read the header associated with the data packet received in the secure pipeline from the source system 316. Furthermore, based on the header, the NIC can determine the source address (e.g., Internet Protocol (IP) address, Medium Access Control (MAC) address) of the source system that sent the data packet. The NIC can further determine the destination address (e.g., IP address, MAC address) of a data packet based on its header. The NIC can also be configured to allow only data packets received from a specific source system and destined for a specific destination system. For example, the first NIC may be configured to allow only data packets received from the first data center 202 and destined for the second data center 204. The second NIC may be configured to allow only data packets received from the second data center 204 and destined for the first data center 202.
[0060] In other embodiments, the first access control unit 312 may include an optical circuit configured to receive an optical signal from a source. For example, a secure pipeline from the source system 316 may include an optical fiber for transmitting an optical signal to the first access control unit 312. In these embodiments, the first access control unit 312 may include a photodetector, including a photodiode, for receiving the optical signal via the optical fiber and converting this optical signal into an electrical signal. The first access control unit 312 may further include a conversion circuit for receiving the electrical signal from the photodetector and converting the current into a voltage signal. The first access control unit 312 may further include filters (e.g., high-pass filters, low-pass filters, band-pass filters) for receiving the voltage signal and removing noise. The first access control unit 312 may also further include a driver for processing the signal to be suitable for downstream processing. In this embodiment, the first access control unit 312 does not need to include a light source such as a laser. As described above, the photodetector is capable of collecting optical signals from the source, and the first access control unit 312 does not necessarily need to have a light source for sending the optical signal back to the source via the optical fiber.
[0061] Furthermore, the first access control unit 312 can prevent external sources from accessing the data stored in the data valve 302. For example, when the first data center 202 transmits data to be received by the second data center 204, the first access control unit 312 can prevent the first data center 202 from accessing the data stored in the data valve 302 (including adding new data, modifying data, or deleting data) by initializing security mechanisms such as a firewall.
[0062] Data that has passed through the first access control unit 312 may be received by the data analysis unit 304. The data analysis unit 304 may be equipped with software for analyzing the data and collecting information to be used for validation. The data analysis unit 304 can perform various functions, such as data visualization, statistical analysis of data, pattern acquisition through data mining, and information gathering for performing predictive analysis. The data analysis unit 304 can use the information to decide whether or not to allow the execution of one or more validation processes on the data. The data analysis unit 304 can collect the information and provide the user with visual information on the NOC (e.g., histograms of data types, relationship graphs of data, charts of metadata describing the data). The data analysis unit 304 can also use the information to determine whether or not to allow the execution of one or more validation processes on the data.
[0063] The data analysis unit 304 can perform statistical analysis of the data, such as descriptive statistics and inferential statistics. The data analysis unit 304 can use the statistical data to determine patterns in the data. In some cases, the patterns may indicate data under a special class in the second sovereign domain 208. For example, statistical analysis may show that data such as personally identifiable information is mixed with other data (a different type of data). Furthermore, in the second sovereign domain 208, it may be prohibited to receive this special class of data (data containing the two types of mixed data). The data analysis unit 304 can use the statistical analysis to select one or more validation processes to perform on the data.
[0064] The data analysis unit 304 can further perform data mining to extract and discover patterns and relationships in the data. The data analysis unit 304 may be configured to discover patterns and relationships relevant to the second sovereign domain 208. For example, one item of data may be associated with another item of data. For example, a username may be associated with an account number, but this association cannot be encrypted. This association may be permissible in the first sovereign domain 206 but not in the second sovereign domain 208. The data analysis unit 304 can further use predictive modeling to perform generative predictive analytics. For example, the data analysis unit 304 can make predictions about the results of data transformation processes contained in the data. Furthermore, data transformations may allow for changes to the data that are prohibited in the second sovereign domain 208, such as certain changes to financial information. The above patterns and relationships can further provide information that the data analysis unit 304 can use to select one or more validation processes.
[0065] The data analysis unit 304 can use the information obtained from the data analysis to determine a specific verification process to be used to verify the data received from the source system. The data analysis unit 304 can use various criteria to determine the verification technique to use. Furthermore, the data analysis unit 304 can make this decision based on the data type. For example, if the data is numerical data, the data analysis unit 304 can decide to use range verification. The data analysis unit 304 can also determine the verification technique based on jurisdictional regulations. For example, the second sovereign domain 208 may require the performance of specific verifications. As previously mentioned, the first access control unit 312 can receive data from the source system 316 via a secure pipeline from the source system. The first access control unit 312 can decode the data as a bitstream. The first access control unit 312 can then identify the header from the bitstream to determine the source and destination addresses of the data. Based on the source and destination systems, one or more verification techniques may be required by the second sovereign domain 208. Therefore, the data analysis unit 304 can use this information to determine the verification technique. The data analysis unit 304 can also use other criteria to determine one or more verification techniques to be used for the data received by the destination system.
[0066] The data analysis unit 304 can transmit information to a mapping unit 306, which can map data or a portion of data to various verification processes. In particular, the mapping unit 306 can communicate with a verification technology database 308, which can store one or more verification processes. The mapping unit 306 can receive information from the data analysis unit 304 and can also accept information from user-based input. For example, a user may have previously used an NOC to instruct the data valve 302 to execute a specific verification process. The mapping unit 306 can retrieve information from each source and map the data or a portion of data to the memory addresses of one or more instructions for executing the verification process stored in the verification technology database 308. Furthermore, the mapping unit 306 can transmit the mapping to the verification unit 310. The verification unit 310 can use the mapping to read one or more instructions for executing the verification process from the verification technology database 308 and verify the data. The various verification techniques that the verification technology database 308 and the verification unit 310 can execute are described in more detail with reference to Figure 4. The verification unit 310 can determine whether a data center in a second sovereign domain (for example, a second sovereign domain 208) can receive the data by performing one or more verification processes on the data. Once the verification unit 310 has verified the data, it can send this data to a second access control unit 314. However, if the verification unit 310 cannot verify the data, it may erase the data, isolate the data, or make a second attempt to verify the data.
[0067] The data valve 302 may be further gated to the external environment via a second access control unit 314. In some embodiments, the data valve 302 may comprise only the second access control unit 314 and not the first access control unit 312. In these embodiments, data transmitted from the source system 316 via the secure pipeline is received by the data analysis unit 304, not by the first access control unit 312. Similar to the first access control unit 312, the second access control unit 314 may also be implemented by a NIC. The second access control unit 314 may further comprise a logic circuit for determining whether data received from the source system 316 via the second pipeline can be transmitted to the destination system 318 via the secure pipeline. The logic circuit may receive, along with the data, a control command from the verification unit 310 to transmit the data to the destination system 318 via the secure pipeline. The logic circuit may also receive user information (e.g., ID, authorization, approval) from an authorization resolver. Based on control commands and user information, the second access control unit 314 can transmit data to the destination system. In some embodiments, the secure pipeline to the destination system 318 includes an optical fiber, and the second access control unit 314 may include a transmitter. The transmitter may include a light source (e.g., a laser) for generating an optical signal, a modulator for receiving an electrical signal representing the data and encoding the data as an optical signal, and an optical isolator for preventing the optical signal from the secure pipeline to the destination system 318 from being sent back to the second access control unit 314. The secure pipeline to the destination system 318 may include a receiving unit for receiving signals from the transmitter. Similar to the optical system of the first access control unit 312 described above, a physical gap can be formed between the second access control unit 314 and the secure pipeline to the destination system through which the optical signal passes.The photodetector in the secure pipeline to the destination system does not need to have a light source, and the second access control unit 314 does not need to have a photodiode; in this case, communication may be unidirectional.
[0068] The user operating the NOC can communicate with the second access control unit 314 via the NOC interface 320. Based on the verification results, the user can decide whether or not to allow the release of data from the data valve 302. However, prior to executing a command to allow or deny the release of data from the data valve 302, the NOC can determine whether the user satisfies the requirements for the determination. The NOC can access identification information associated with the user. For example, the NOC may be assigned to the user, the user may enter a user identifier or user password, or the NOC may identify the user using biometric data such as facial features.
[0069] Figure 4 is a diagram 400 of an exemplary verification techniques database according to one or more embodiments. A data valve (e.g., data valve 302) may include a verification techniques database 402 (e.g., verification techniques database 308). A mapping unit (e.g., mapping unit 306) can access the verification techniques database 402 and map the verification techniques to instructions for performing the verification techniques. The verification techniques database 402 may store one or more instructions for verification. The verification techniques to be used may be determined by a data analysis unit (e.g., data analysis unit 304) which can use the data received via the secure pipeline and the requirements of the jurisdiction (second sovereign sphere) where the data valve is located. The verification techniques database 402 may include instructions for various verification techniques. For example, a verification techniques instruction could be for format verification 404 to determine whether data or a portion of data conforms to a particular format. For example, it could be determined whether the data constituting a database of account numbers contains values formatted as a particular account number. Values in one jurisdiction may be formatted differently from values in another jurisdiction. For example, in one jurisdiction, a date may be formatted as month / day / year, while in another jurisdiction, a date may be formatted as year / month / day. Therefore, format validation 404 can determine whether the value is properly formatted for the jurisdiction receiving the data. Furthermore, if the value is not properly formatted, this may indicate that the data is malicious. Validation instructions may include length / size validation 406 to determine whether the length of a data column in the data is shorter than a threshold length. If the data column is longer than the threshold, this may indicate that malicious data has been added to the data. Validation instructions may include range validation 408 to determine whether a numerical value falls within a threshold numerical range. If the data contains numerical values outside the threshold numerical range, this may indicate that the numerical values have been tampered with. Validation instructions may include whitelist / blacklist validation.Whitelisting verification may involve setting a list of authorized source systems in the data valve. For example, the data valve may be set to the IP addresses or media access control (MAC) addresses of authorized source systems. The IP addresses or MAC addresses may also target authorized source systems in a particular jurisdiction. The IP addresses or MAC addresses of authorized source systems can be compared to the IP addresses or MAC addresses of source systems. If the IP addresses or MAC addresses do not match, this may indicate that the data was sent from a malicious source. Blacklisting verification may involve setting a list of unauthorized source systems in the data valve. For example, the data valve may be set to the IP addresses or MAC addresses of unauthorized source systems. The IP addresses or MAC addresses may also target unauthorized source systems in a particular jurisdiction. The IP addresses or MAC addresses of authorized source systems can be compared to the IP addresses or MAC addresses of source systems. If the IP addresses or MAC addresses match, this may indicate that the data was sent from a malicious source.
[0070] Verification technical instructions may include cross-field verification 412 for determining whether the relationship between data fields is logical. For example, if a first field and a second field contain contiguous data ranges, cross-field verification can be used to determine whether the end date of the first field is earlier than the start date of the second field. If the relationship between fields is illogical (for example, if the end date of the first field is later than the start date of the second field), this may indicate that malicious data has been introduced into the data. Verification technical instructions may include checksum / hash verification 414. A verification unit can determine a checksum or hash of the data and compare the checksum or hash received with the data. Some jurisdictions may require checksum / hash verification 414 to be performed on certain types of data. Therefore, in these jurisdictions, if the checksums or hashes do not match, the data cannot pass through the second access control unit (for example, the second access control unit 314). Verification technical instructions may include data integrity verification 416. Data integrity verification 416 may include determining whether the number of tables in the data is correct and whether each table has the correct number of columns and rows. Depending on the circumstances, the data may include instructions for constructing data structures such as tables. DataValve can construct data structures and determine that they do not contain malicious code. Verification technical instructions may include virus / malware detection 418. This verification involves running virus and malware detection software on the data to determine whether the data contains viruses or malware.
[0071] Naturally, Figure 4 shows an exemplary set of verification techniques, and other embodiments may include a different set of verification techniques. A verification unit (for example, verification unit 310) is capable of executing one or more of the verification techniques included in the verification techniques database 402. Verification unit 310 may further include logic circuits for determining whether to allow data to pass through if the data is determined to be invalid based on one or more of the verification techniques. The verification techniques provide verification unit 310 with information for determining whether the data can be released from the data valve to the data center in the sovereign area.
[0072] Figure 5 is an exemplary staging area 500 according to one or more embodiments. The staging area 502 may be located in a data center (e.g., a second data center 204) receiving data in a different sovereign domain (e.g., a second sovereign domain 208) from the sovereign domain (e.g., a first sovereign domain 206) of the data center transmitting the data (e.g., a first data center 202). Naturally, in some embodiments the data verification system may consist only of a data valve, in other embodiments the data verification system may consist only of a staging area, and in yet another embodiment the data verification system may consist of both a data valve and a staging area. The staging area 502 may function similarly to a data valve (e.g., a data valve 302) and may comprise a data analysis unit 504, a mapping unit 506, a verification technology database 508, and a verification unit 510. The staging 502 may be gated to the external environment via a third access control unit 512 and a fourth access control unit 514. The third access control unit 512 may comprise a combination of software and hardware configured to manage data to the data valve 302. The third access control unit 512 may allow access to the staging area 502 for data transmitted via a secure pipeline (for example, a secure pipeline 210 from the data valve 212).
[0073] The third access control unit 512 can control the data flow so that data can enter the staging area 502. For example, the third access control unit 512 may be implemented by a NIC configured to receive data from the source system 316 via a secure pipeline and to prevent the transmission of data back to the secure pipeline. In other embodiments, the third access control unit 512 may include an optical circuit configured to receive an optical signal from the source. In these embodiments, the third access control unit 512 may include a photodetector including a photodiode for receiving the optical signal via an optical fiber and converting this optical signal into an electrical signal. The third access control unit 512 may further include a conversion circuit for receiving the electrical signal from the photodetector and converting the current into a voltage signal. The third access control unit 512 may further include a filter for receiving the voltage signal and removing noise. The third access control unit 512 may also further include a driver for processing the signal to be suitable for downstream processing. Furthermore, the third access control unit 512 can prevent external sources from accessing data stored in the staging area 502, which is similar to the first access control unit 312.
[0074] Data that has passed through the third access control unit 512 may be received by a data analysis unit 504, which may include software for analyzing the data and collecting information used for validation. The data analysis unit 504 can perform various functions, such as data visualization, statistical analysis of data, pattern acquisition through data mining, and information gathering for performing predictive analytics. The data analysis unit 504 can use the information to determine one or more validation processes to perform on the data. The data analysis unit 504 can collect the information and provide the user with visual information on the NOC (e.g., histograms of data types, relationship graphs of data, charts of metadata describing the data). The data analysis unit 504 can also use the information to determine whether or not to allow the execution of one or more validation processes on the data.
[0075] The data analysis unit 504 can perform statistical analysis of the data, such as descriptive statistics and inferential statistics. The data analysis unit 504 can use the statistical data to determine patterns in the data. In some cases, the patterns may indicate data under a special class in the second sovereign domain. Furthermore, in the second sovereign domain, it may be prohibited to receive this special class of data (data containing two types of data that are mixed). The data analysis unit 504 can select one or more validation processes to perform on the data through statistical analysis.
[0076] The data analysis unit 504 can further perform data mining to extract and discover patterns and relationships in the data. The data analysis unit 504 may be configured to discover patterns and relationships relevant to a second sovereign domain. The data analysis unit 504 can further use predictive modeling to perform generative predictive analytics. For example, the data analysis unit 504 can make predictions about the results of data transformation processes contained in the data. The above patterns and relationships can further provide information that the data analysis unit 504 can use to select one or more validation processes.
[0077] The data analysis unit 504 can use the information obtained from the data analysis to determine a specific verification process to be used to verify the data received from the source system. The data analysis unit 504 can use various criteria to determine the verification technique to use. Furthermore, the data analysis unit 504 can make this decision based on the data type. Also, the data analysis unit 504 can determine the verification technique based on the regulations of the jurisdiction. For example, in a second sovereign territory, certain verifications may be required. Therefore, the data analysis unit 504 can use this information to determine the verification technique. The data analysis unit 504 can use other criteria to determine one or more verification techniques to be used for the data received by the destination system.
[0078] The data analysis unit 504 can transmit information to a mapping unit 506, which can map data or parts of data to various verification processes. In particular, the mapping unit 506 can communicate with a verification technology database 508, which may store one or more verification processes. The verification technology database 508 in the staging area 502 may differ from the verification technology database 308 in the data valve 302. The mapping unit 506 can receive information from the data analysis unit 504 and can also accept information from user-based input. For example, a user may have previously used an NOC via the NOC interface 516 to instruct the staging area 502 to execute a specific verification process. The mapping unit 506 can acquire information from each source and map the data or parts of data to the memory addresses of one or more instructions for executing the verification process stored in the verification technology database 508. Furthermore, the mapping unit 506 can transmit the mapping to the verification unit 510, which can use the mapping to read one or more instructions for executing the verification process from the verification technology database 508 and verify the data. The verification technology database 508 may store code for performing various verification techniques. The verification unit 510 can determine whether a data center in the second sovereign domain 208 can receive the data by performing one or more verification processes on the data. Once the verification unit 510 has verified the data, it can transmit this data to the fourth access control unit 514. However, if the verification unit 510 cannot verify the data, it may erase the data, isolate the data, or perform a second attempt to verify the data.
[0079] In some embodiments, the staging area 502 may comprise only the fourth access control unit 514 and not the third access control unit 512. In these embodiments, the transmitted data is received by the data analysis unit 504, rather than by the third access control unit 512. The fourth access control unit 514 may further comprise logic circuits for determining whether the received data can be transmitted to the destination system via the secure pipeline.
[0080] The user operating the NOC can communicate with the fourth access control unit 514 via the NOC interface 516. Based on the verification results, the user can decide whether or not to allow the release of data from the staging area 502. However, prior to executing a command to allow or deny the release of data from the staging area 502, the NOC can determine whether the user satisfies the requirements for the determination. The NOC can access identification information associated with the user. For example, the NOC may be assigned to the user, the user may enter a user identifier or user password, or the NOC may identify the user using biometric data such as facial features. The NOC can send the user ID to the authorization resolver 518.
[0081] The authorization resolver 518 may include software for determining whether a user satisfies the requirements for determination by applying a set of rules. The requirements may include whether the user is currently an employee of the CSP, whether the user has an authorization level for determining whether to allow or deny the release of data from the staging area 502, whether the user is a resident of the second sovereign territory, or whether the user is currently located in the second sovereign territory.
[0082] The authorization resolver 518 has access to a second human resources system (for example, a second human resources system 216) for the second sovereign domain. The second human resources system may include employee information of employees working in the second sovereign domain.
[0083] The authorization resolver 518 may transmit an employee identifier to the second human resources system 216 along with an instruction confirming that the user is currently employed by the CSP, the user's authorization level, and the user's place of residence. Based on the received employee identifier, the second human resources system 216 can access the employee database and the user's files. Furthermore, the second human resources system can determine whether the user is currently an employee of the CSP and assigned to the second data center.
[0084] In some embodiments, the second human resources system can further access the global human resources system (e.g., the first human resources system 218) to reconfirm that the user is currently employed by the CSP, assigned to the second data center, and a resident of the second sovereign territory. In some cases, the global human resources system may be updated with changes in the user's employment status, location assignment, and residence, but may not be transmitting the updates to the local human resources system (e.g., the second human resources system 216).
[0085] The second human resources system can further determine whether a user has permission to determine whether data can pass through staging area 502. Furthermore, the second human resources system can access a second authorization service (e.g., second authorization service 220) configured to manage employee access rights to prevent employees from engaging in unauthorized activities on the CSP's computing systems. The second authorization service may include information for managing employee roles, permissions, and access control rules assigned to the second data center. These permissions may include whether a user allows or denies the release of data from staging area 502.
[0086] The second human resources system can send a message to the second authorization service providing the user's ID and a request for information regarding whether the user has permission to release data from the staging area 502. In response to receiving the ID and request, the second authorization service can determine whether the user has the necessary permission. Based on this information, the fourth access control unit 514 may permit the data to pass through the staging area. In some embodiments, the data is stored in a database 520 in a second data center.
[0087] Figure 6 is a signal diagram of an exemplary process 600 for data verification according to one or more embodiments. As shown, NOC 602 can communicate with a data valve 604 or a staging area. For simplicity, this data valve may include a data valve (e.g., data valve 302 or staging area 502). The operation of process 600 is described as being performed by a general computer, but it is understood that any suitable device may be used to perform one or more operations of this method. Process 600 (described later) is shown as a signal diagram, and each operation thereof represents a set of operations that can be implemented by hardware, computer instructions, or a combination thereof. In the background of computer instructions, these operations represent computer-executable instructions that are stored in one or more computer-readable storage media and, when executed by one or more processors, perform the operations described. Generally, computer-executable instructions include routines, programs, objects, components, data structures, etc., that perform a particular function or implement a particular data type. The order in which the actions are described is not intended to have any restrictive interpretation, and any number of described actions can be performed in any order and / or in any parallel combination to realize this process.
[0088] In 606, the data valve 604 can send a message indicating that data has been received. For example, data may be received via a secure pipeline (e.g., secure pipeline 210) from a first data center (e.g., first data center 202) located in a first sovereign domain (e.g., first sovereign domain 206). The NOC 602 may be located in a second sovereign domain (e.g., second sovereign domain 208) and associated with a second data center (e.g., second data center 204).
[0089] In 608, NOC602 can generate a message indicating that data valve 604 will validate the data. NOC602 can generate this message to include specific validation techniques to be used for data validation. Furthermore, NOC602 can transmit the message to data valve 604.
[0090] In 610, the data valve 604 can verify the data. For example, the data valve 604 may include verification units (e.g., verification unit 310, verification unit 510). The verification units can access a verification techniques database and use code to perform one or more verification techniques on the data. In 612, the data valve 604 can generate a message indicating the verification result. Furthermore, the data valve 604 can send the message to the NOC 602.
[0091] In 614, the NOC 602 can use the results from the verification unit to determine whether or not to provide the data to the second data center. In some embodiments, as a separate confirmation of any decision made using the NOC, it can be determined whether or not the decision by the NOC user is approved. For example, in response to receiving a decision from the verification unit, the NOC may send a message to an authorization resolver determining whether the user of the NOC has permission to make a decision. The authorization resolver can access the human resources system to determine the user's authorization. If the authorization resolver determines that the user is authorized, it may send a command to the control access unit to authorize the data to pass through the data valve.
[0092] In 616, NOC602 may send a message to data valve 604 indicating whether the data can pass through data valve 604. If the message indicates that the data can pass and the authorization resolver indicates that the user's decision is approved, data valve 604 may allow the data to pass. If the message indicates that the data can pass and the authorization resolver indicates that the user's decision is not approved, data valve 604 may prevent the data from passing. If the message indicates that the data cannot pass and the authorization resolver indicates that the user's decision is approved, data valve 604 may prevent the data from passing. If the message indicates that the data cannot pass and the authorization resolver indicates that the user's decision is not approved, data valve 604 may prevent the data from passing.
[0093] Figure 7 shows an exemplary process flow 700 for data verification according to one or more embodiments. In 702, the method performed by the computer may include a computing system in a first data center (e.g., a second data center 204) in a first area (e.g., a second sovereign area 208) processing a first message indicating that an intermediate computing system (e.g., a data valve 212) managed by the first data center has received data from the second data center (e.g., a first data center 202) in a second area (e.g., a first sovereign area 206). The computing system can be a data center mainframe or NOC, the NOC communicating with the mainframe. The data is stored in an isolated environment of the intermediate computing system. For example, the intermediate computing system may include a first access control unit (e.g., a first access control unit 312) and a second access control unit (e.g., a second access control unit 314) which may be configured to prevent data from entering or leaving the isolated environment. In some embodiments, the computing system may include computing devices distributed across various different locations.
[0094] In 704, the method performed by the computer may include the computing system sending a first control instruction to an intermediate computing system that validates data based on a first criterion. The intermediate computing system may include a validation unit (e.g., a validation unit 310) that can validate the data using various validation techniques. The validation techniques may be selected based on the requirements of the first domain.
[0095] In 706, the method by which the computer performs may include the computing system processing verification results from an intermediate computing system. Verification results may be outputs from a computing system using one or more of the verification techniques described above. A verification unit can process the verification results to determine whether or not to verify the data.
[0096] In 708, the method by which the computer performs actions may include the computing system processing a second message indicating the release of data from the isolated environment of the intermediate computing system. The computing system can be an NOC, or a computing system can communicate with an NOC. The NOC user can analyze the verification results to determine whether or not to release the data from the intermediate computing system. The computing system can determine whether or not the NOC user is authorized to make the determination and whether or not they are located in the first area. For example, the computing system can send a request to the local human resources system to determine whether or not the user has authorization. The computing system can also use location technology to determine whether or not the NOC is located in the first area. If the NOC is located in the first area, it can be assumed that the user is also located in the first area.
[0097] In 710, the method by which the computer performs may include the computing system processing a third message indicating that the second message originates from a computing device located in the first area. In 708, if it is assumed that the user is in the first area, then it may be assumed that the second message originates from the first area.
[0098] In 712, the method by which the computer performs may include the computing system releasing data from an isolated environment based at least in part on verification results, indicators of data release, and indicators that the second message originates from the first area. The data may be released to a database in a data center or to another isolated environment.
[0099] Figure 8 shows an exemplary process flow 800 for data verification according to one or more embodiments. In 802, the method performed by the computer may include a computing system in a first data center (e.g., a second data center 204) in a first area (e.g., a second sovereign area 208) retrieving data from a second data center (e.g., a first data center 202) in a second area (e.g., a first sovereign area 206). The data may be stored in an isolated environment of the first data center (e.g., a staging area 226). The computing system can be the data center's mainframe or NOC, the NOC communicating with the mainframe. The data is stored in an isolated environment of an intermediate computing system. For example, the intermediate computing system may include a first access control unit (e.g., a third access control unit 512) and a second access control unit (e.g., a fourth access control unit 514) which may be configured to prevent data from entering or leaving the isolated environment. In some embodiments, the computing system may include computing devices distributed across various different locations.
[0100] In 804, the method by which a computer performs actions may include the computing system determining verification parameters, at least in part, based on a first domain. The first domain may have one or more requirements for the data stored in it. Furthermore, based on one or more of these requirements, the verification parameters of the first domain may not be suitable for another domain. Verification parameters may include the subjects of verification techniques, such as format, length and size, range, whitelisting and blacklisting, cross-fielding, checksums and hashes, data integrity, and viruses and malware. Verification parameters may be selected based on the requirements of the domain. For example, in one domain, checksums and hashes may be legally required (or by the data center in the domain) for the verification of certain data. In another domain, checksums and hashes may not be legally required (or by the data center in the domain) for the same data. Thus, verification parameters may be selected based on the requirements of the domain and the data receiving the data. The use of these verification parameters can determine the verification technique. Furthermore, different verification techniques may be used for different requirements. Therefore, computing systems can select verification techniques that can be used to determine whether or not the requirements are met.
[0101] In 806, the method performed by the computer may include the computing system verifying data based at least in part on verification parameters. The isolated environment may include a verification unit (e.g., verification unit 510) that can verify the data using various verification techniques. The verification techniques may be selected based on the requirements of the first domain.
[0102] In 808, the method by which the computer performs actions may include the computing system processing a first message indicating the release of data from an isolated environment. The computing system can be an NOC, or a computing system can communicate with an NOC. The NOC user can analyze the verification results to determine whether or not to release the data from the intermediate computing system. The verification results may include, for example, a format identifier, length and size values, range values, whether the data originates from a whitelisted source or a blacklisted source, whether the relationships between fields are logical, checksum and hash values, a determination regarding the integrity of the data, and a determination regarding any viruses and malware. The computing system can determine whether or not the NOC user is authorized to perform the determination and whether or not they reside in the first area. For example, the computing system can send a request to the local human resources system to determine whether or not the user is authorized. The computing system can also use location technology to determine whether or not the NOC is located in the first area. If the NOC is located in the first area, it can be assumed that the user is also located in the first area.
[0103] In 810, the method by which the computer performs may include the computing system processing a second message indicating that the first message originates from a computing device located in a first area. In 808, if it is assumed that the user is in the first area, then it may be assumed that the second message originates from the first area.
[0104] In 812, the method by which the computer performs may include the computing system releasing data from an isolated environment based at least in part on a verification, a first message indicating that the data is to be released, and a second message indicating that the first message originates from a first area. The data may be released to a database in a data center.
[0105] As mentioned above, Infrastructure as a Service (IaaS) is a specific type of cloud computing. IaaS can be configured to provide virtualized computing resources over a public network (e.g., the internet). In the IaaS model, a cloud computing provider can host infrastructure components (e.g., servers, storage devices, network nodes (e.g., hardware), deployment software, platform virtualization (e.g., hypervisor layer), etc.). In some cases, the IaaS provider may also supply a variety of services associated with these infrastructure components (exemplary services include billing software, monitoring software, logging software, load balancing software, and clustering software, etc.). Therefore, since these services can be policy-driven, IaaS users can maintain application availability and performance by implementing policies that promote load balancing.
[0106] In some cases, IaaS customers can access resources and services over a wide area network (WAN), such as the internet, and use the cloud provider's services to install other elements of their application stack. For example, a user can log into the IaaS platform and create virtual machines (VMs), install operating systems (OS) on each VM, deploy middleware such as databases, create storage buckets for workloads and backups, and even install enterprise software on those VMs. The customer can then use the provider's services to perform various functions, such as distributing network traffic, troubleshooting application issues, monitoring performance, and managing disaster recovery.
[0107] In most cases, the cloud computing model requires the participation of a cloud provider. This cloud provider may, but does not have to be, a third-party service specializing in providing IaaS (e.g., granting, leasing, or selling). Alternatively, an entity could deploy a private cloud and become its own infrastructure service provider.
[0108] In some cases, IaaS deployment is the process of placing a new application or a new version of an application on a prepared application server, etc. It may also include the process of preparing the server (e.g., installing libraries, daemons, etc.). This is often managed by the cloud provider under the hypervisor layer (e.g., servers, storage, network hardware, and virtualization). Therefore, the customer may be responsible for handling (OS), middleware, and / or application deployment (e.g., on self-service virtual machines that can be spun up on demand).
[0109] In some cases, IaaS provisioning represents acquiring the computers or virtual hosts to be used, and may even represent installing the necessary libraries or services on them. In most cases, deployment does not include provisioning, and provisioning may be required to be performed first.
[0110] In some cases, IaaS provisioning presents two distinct challenges. Firstly, there is the initial challenge of provisioning the initial set of infrastructure before anything is operational. Secondly, there is the challenge of evolving the existing infrastructure after all provisioning is complete (e.g., adding new services, modifying services, removing services, etc.). In some cases, these two challenges can be addressed by enabling the declarative definition of infrastructure configuration. In other words, the infrastructure (e.g., the required components and the way those components interact) can be defined by one or more configuration files. Thus, the overall topology of the infrastructure (e.g., resource dependencies and how each resource works together) can be described declaratively. In some cases, once the topology is defined, a workflow can be generated to form and / or manage the various components described in the configuration files.
[0111] In some examples, infrastructure can consist of many interconnected elements. For instance, there may be one or more virtual private clouds (VPCs), also known as core networks (e.g., potential on-demand pools of configurable and / or shared computing resources). In some examples, there may also be one or more inbound / outbound traffic group rules provisioning that define how inbound and / or outbound network traffic is configured and one or more virtual machines (VMs). Other infrastructure elements such as load balancers and databases may also be provisioned. As there is a demand for and / or addition of more infrastructure elements, the infrastructure can gradually evolve.
[0112] In some cases, the adoption of sequential deployment techniques can enable the deployment of infrastructure code across various virtual computing environments. Furthermore, the techniques described can enable infrastructure management within these environments. In some examples, a service team may write code that is desirable to be deployed to one or more (but often many) different generation environments (e.g., geographically diverse locations, sometimes even worldwide). However, in some examples, the infrastructure to which the code is deployed must be configured first. In some cases, manual provisioning, the use of provisioning tools for provisioning resources, and / or the use of deployment tools for deploying code after infrastructure provisioning are also possible.
[0113] Figure 9 is a block diagram 900 showing an exemplary pattern of an IaaS architecture according to at least one embodiment. A service operator 902 may be communicably coupled to a secure host tenancy 904, which may include a virtual cloud network (VCN) 906 and a secure host subnet 908. In some examples, the service operator 902 may use one or more client computing devices, which may be portable handheld devices (e.g., iPhone®, mobile phones, iPad®, computing tablets, personal digital assistants (PDAs)) or wearable devices (e.g., Google® Glass head-mounted display) that run software such as Microsoft Windows® Mobile and / or a variety of mobile operating systems such as iOS, Windows Phone, Android, BlackBerry 8, Palm OS, and are capable of using the Internet, email, short message service (SMS), BlackBerry®, or other communication protocols. Alternatively, a general-purpose personal computer (PC) can serve as a client computing device, including, for example, PCs and / or laptop computers running various versions of Microsoft Windows®, Apple Macintosh®, and / or Linux® operating systems. A workstation computer running any of the various commercially available UNIX® or UNIX-like operating systems can also serve as a client computing device, including, but is not limited to, various GNU / Linux operating systems such as Google Chrome OS.Alternatively or additionally, the client computing device may be any other electronic device, such as a thin client computer that can communicate via a network that can access the VCN906 and / or the Internet, an Internet-enabled gaming system (e.g., a Microsoft Xbox game console with or without a Kinect® gesture input device), and / or a personal messaging device.
[0114] VCN906 may include an LPG910 that can be communicatively coupled to SSH VCN912 via a local peering gateway (LPG)910 included in Secure Shell (SSH) VCN912. SSH VCN912 may include an SSH subnet 914, and SSH VCN912 may be communicatively coupled to control plane VCN916 via an LPG910 included in control plane VCN916. Furthermore, SSH VCN912 may be communicatively coupled to data plane VCN918 via an LPG910. Control plane VCN916 and data plane VCN918 may be included in a service tenancy 919 owned and / or operated by an IaaS provider.
[0115] The control plane VCN916 may include a control plane buffer zone (DMZ) layer 920 that functions as a perimeter network (for example, part of the corporate network between the corporate intranet and the external network). DMZ-based servers may have limited liability and help to mitigate breaches. The DMZ layer 920 may also include a control plane application layer 924 that may include one or more load balancer (LB) subnets 922, an application subnet 926, and a control plane data layer 928 that may include a database (DB) subnet 930 (for example, a front-end DB subnet and / or a back-end DB subnet). The LB subnet 922 included in the control plane DMZ layer 920 may be communicatively coupled to the application subnet 926 included in the control plane application layer 924 and an internet gateway 934 that may be included in the control plane VCN916, and the application subnet 926 may be communicatively coupled to the DB subnet 930, a service gateway 936, and a network address translation (NAT) gateway 938 included in the control plane data layer 928. The control plane VCN916 may include a service gateway 936 and a NAT gateway 938.
[0116] The control plane VCN916 may include a data plane mirror application layer 940 which may include an application subnet 926. The application subnet 926 included in the data plane mirror application layer 940 may include a virtual network interface controller (VNIC) 942 which may run a compute instance 944. The compute instance 944 may communicately connect the application subnet 926 of the data plane mirror application layer 940 to an application subnet 926 which may be included in the data plane application layer 946.
[0117] The data plane VCN918 may comprise a data plane application layer 946, a data plane DMZ layer 948, and a data plane data layer 950. The data plane DMZ layer 948 may comprise an LB subnet 922 that can be communicatively coupled to the application subnet 926 of the data plane application layer 946 and the internet gateway 934 of the data plane VCN918. The application subnet 926 may be communicatively coupled to the service gateway 936 and the NAT gateway 938 of the data plane VCN918. The data plane data layer 950 may comprise a DB subnet 930 that can be communicatively coupled to the application subnet 926 of the data plane application layer 946.
[0118] The Internet gateway 934 of the control plane VCN916 and data plane VCN918 can be communicatively connected to a metadata management service 952, which can be communicatively connected to the public internet 954. The public internet 954 can be communicatively connected to the NAT gateway 938 of the control plane VCN916 and data plane VCN918. The service gateway 936 of the control plane VCN916 and data plane VCN918 can be communicatively connected to a cloud service 956.
[0119] In some cases, a service gateway 936 of the control plane VCN916 or data plane VCN918 can make application programming interface (API) calls to a cloud service 956 without going through the public internet 954. API calls from the service gateway 936 to the cloud service 956 can be unidirectional. The service gateway 936 can make API calls to the cloud service 956, and the cloud service 956 can send the requested data to the service gateway 936. However, the cloud service 956 does not have to initiate an API call to the service gateway 936.
[0120] In some examples, secure host tenancy 904 may be directly connected to service tenancy 919, or otherwise isolated. Secure host subnet 908 can communicate with SSH subnet 914 via LPG 910, which can enable bidirectional communication through systems that would otherwise be isolated. By connecting secure host subnet 908 to SSH subnet 914, secure host subnet 908 gains access to other entities within service tenancy 919.
[0121] The control plane VCN916 may enable users of the service tenancy 919 to configure or provision desired resources. Desired resources provisioned in the control plane VCN916 may be deployed or used in the data plane VCN918. In some examples, the control plane VCN916 can be isolated from the data plane VCN918, and the data plane mirror application layer 940 of the control plane VCN916 can communicate with the data plane application layer 946 of the data plane VCN918 via a VNIC 942 which may be included in the data plane mirror application layer 940 and the data plane application layer 946.
[0122] In some examples, a system user, or customer, can make a request (for example, create, read, update, or erase an operation (CRUD)) through the public internet 954, and the public internet 954 can send the request to the metadata management service 952. The metadata management service 952 can send the request to the control plane VCN 916 through the internet gateway 934. The request may be received by the LB subnet 922 included in the control plane DMZ layer 920. The LB subnet 922 may determine that the request is valid, and in response to this determination, the LB subnet 922 may send the request to the application subnet 926 included in the control plane application layer 924. If the request is validated and a call to the public internet 954 is required, the call to the public internet 954 may be sent to a NAT gateway 938 that can make a call to the public internet 954. Metadata that is deemed desirable to be stored by the request may be stored in the DB subnet 930.
[0123] In some examples, the data plane mirror application layer 940 can facilitate direct communication between the control plane VCN916 and the data plane VCN918. For example, it may be desirable that configuration changes, updates, or other preferred modifications be applied to resources contained in the data plane VCN918. The control plane VCN916 can perform configuration changes, updates, or other preferred modifications to resources by communicating directly with the resources contained in the data plane VCN918 via VNIC942.
[0124] In some embodiments, the control plane VCN916 and the data plane VCN918 may be included in the service tenancy 919. In this case, the system user, i.e., the customer, does not have to own either the control plane VCN916 or the data plane VCN918, or does not have either of them running. Alternatively, the IaaS provider may own both the control plane VCN916 and the data plane VCN918, or have both running, or both may be included in the service tenancy 919. This embodiment may enable network isolation that can prevent interaction between the user, i.e., the customer, and other users, i.e., other customers' resources. Furthermore, this embodiment may enable private storage of databases by the system user, i.e., the customer, without having to rely on the public internet 954, which may not have the desired level of threat prevention for storage.
[0125] In another embodiment, the LB subnet 922 included in the control plane VCN916 can be configured to receive signals from the service gateway 936. In this embodiment, the control plane VCN916 and the data plane VCN918 may be configured to be invoked by the IaaS provider's customer without calling the public internet 954. The IaaS provider's customer is likely to prefer this embodiment because the database used by the customer can be stored in a service tenancy 919 that is controlled by the IaaS provider and isolated from the public internet 954.
[0126] Figure 10 is a block diagram 1000 showing another exemplary pattern of an IaaS architecture according to at least one embodiment. A service operator 1002 (e.g., service operator 902 in Figure 9) may be communicatively coupled to a secure host tenancy 1004 (e.g., secure host tenancy 904 in Figure 9), which may include a virtual cloud network (VCN) 1006 (e.g., VCN906 in Figure 9) and a secure host subnet 1008 (e.g., secure host subnet 908 in Figure 9). The VCN 1006 may include an LPG 910 that can be communicatively coupled to the SSH VCN 1012 (e.g., SSH VCN912 in Figure 9) via a local peering gateway (LPG) 1010 (e.g., LPG910 in Figure 9). SSH VCN1012 may include an SSH subnet 1014 (for example, SSH subnet 914 in Figure 9), and SSH VCN1012 may be communicably coupled to control plane VCN1016 (for example, control plane VCN916 in Figure 9) via an LPG 1010 included in control plane VCN1016. Control plane VCN1016 may be included in service tenancy 1019 (for example, service tenancy 919 in Figure 9), and data plane VCN1018 (for example, data plane VCN918 in Figure 9) may be included in customer tenancy 1021, which may be owned or operated by the system's users, i.e., customers.
[0127] The control plane VCN1016 may include a control plane DMZ layer 1020 (for example, the control plane DMZ layer 920 in Figure 9) which may include an LB subnet 1022 (for example, the LB subnet 922 in Figure 9), a control plane application layer 1024 (for example, the control plane application layer 924 in Figure 9) which may include an application subnet 1026 (for example, the application subnet 926 in Figure 9), and a control plane data layer 1028 (for example, the control plane data layer 928 in Figure 9) which may include a DB subnet 1030 (similar to, for example, the database (DB) subnet 930 in Figure 9). The LB subnet 1022 included in the control plane DMZ layer 1020 is communicatively coupled to the application subnet 1026 included in the control plane application layer 1024 and to an internet gateway 1034 (for example, internet gateway 934 in Figure 9) which may be included in the control plane VCN 1016. The application subnet 1026 may be communicatively coupled to the DB subnet 1030 included in the control plane data layer 1028, to a service gateway 1036 (for example, service gateway 936 in Figure 9), and to a network address translation (NAT) gateway 1038 (for example, NAT gateway 938 in Figure 9). The control plane VCN 1016 may include the service gateway 1036 and the NAT gateway 1038.
[0128] The control plane VCN 1016 may include a data plane mirror application layer 1040 (for example, the data plane mirror application layer 940 in Figure 9) which may include an application subnet 1026. The application subnet 1026 included in the data plane mirror application layer 1040 may include a virtual network interface controller (VNIC) 1042 (for example, VNIC 942) which may run a compute instance 1044 (for example, similar to compute instance 944 in Figure 9). The compute instance 1044 may facilitate communication between the application subnet 1026 of the data plane mirror application layer 1040 and the application subnet 1026 that may be included in the data plane application layer 1046 via the VNIC 1042 included in the data plane mirror application layer 1040 and the VNIC 1042 included in the data plane application layer 1046 (for example, the data plane application layer 946 in Figure 9).
[0129] The Internet gateway 1034 included in the control plane VCN 1016 can be communicably coupled to a metadata management service 1052 (e.g., metadata management service 952 in Figure 9), which can be communicably coupled to the public internet 1054 (e.g., public internet 954 in Figure 9). The public internet 1054 can be communicably coupled to a NAT gateway 1038 included in the control plane VCN 1016. The service gateway 1036 included in the control plane VCN 1016 can be communicably coupled to a cloud service 1056 (e.g., cloud service 956 in Figure 9).
[0130] In some examples, the data plane VCN1018 may be included in customer tenancy 1021. In this case, the IaaS provider may provide a control plane VCN1016 for each customer, and the IaaS provider may configure a unique compute instance 1044 included in service tenancy 1019 for each customer. Each compute instance 1044 may enable communication between the control plane VCN1016 included in service tenancy 1019 and the data plane VCN1018 included in customer tenancy 1021. The compute instance 1044 may enable the deployment or use of resources provisioned in the control plane VCN1016 included in service tenancy 1019 in the data plane VCN1018 included in customer tenancy 1021.
[0131] In another example, the IaaS provider's customer may have a database located in customer tenancy 1021. In this example, the control plane VCN 1016 may have a data plane mirror application layer 1040 that may include application subnet 1026. The data plane mirror application layer 1040 may reside in data plane VCN 1018, but does not have to. That is, the data plane mirror application layer 1040 may be accessible to customer tenancy 1021, but does not have to reside in data plane VCN 1018, nor is it owned or operated by the IaaS provider's customer. The data plane mirror application layer 1040 may be configured to make calls to data plane VCN 1018, but may not be configured to make calls to any entities included in control plane VCN 1016. The customer is expected to want to deploy or use resources in the data plane VCN1018 that are provisioned in the control plane VCN1016, and the data plane mirror application layer 1040 can facilitate the deployment or other use of the resources desired by the customer.
[0132] In some embodiments, a customer of the IaaS provider can apply filters to the data plane VCN 1018. In this embodiment, the customer can determine what the data plane VCN 1018 can access, and may also restrict access from the data plane VCN 1018 to the public internet 1054. The IaaS provider may not be able to apply filters or control the data plane VCN 1018's access to any external network or database. The application of filters and controls by the customer to the data plane VCN 1018 included in the customer tenancy 1021 may help isolate the data plane VCN 1018 from other customers and the public internet 1054.
[0133] In some embodiments, a cloud service 1056 can access services that could not exist on the public internet 1054, the control plane VCN 1016, or the data plane VCN 1018 via a call from the service gateway 1036. The connection between the cloud service 1056 and the control plane VCN 1016 or the data plane VCN 1018 does not have to be live or continuous. The cloud service 1056 may reside on different networks owned or operated by the IaaS provider. The cloud service 1056 may be configured to receive calls from the service gateway 1036 and may be configured not to receive calls from the public internet 1054. Some cloud services 1056 may be isolated from other cloud services 1056, and the control plane VCN 1016 may be isolated from cloud services 1056 that could not be in the same region as the control plane VCN 1016. For example, the control plane VCN1016 may be located in "Region 1," and the cloud service 1056 "Deployment 9" may be located in both "Region 1" and "Region 2." If a call to "Deployment 9" is made by a service gateway 1036 included in the control plane VCN1016 located in "Region 1," the call may be sent to Deployment 9 in "Region 1." In this example, the control plane VCN1016 or "Deployment 9" in "Region 1" does not have to be communicatively coupled to or in communication with "Deployment 9" in "Region 2."
[0134] Figure 11 is a block diagram 1100 showing another exemplary pattern of an IaaS architecture according to at least one embodiment. A service operator 1102 (e.g., service operator 902 in Figure 9) may be communicatively coupled to a secure host tenancy 1104 (e.g., secure host tenancy 904 in Figure 9), which may include a virtual cloud network (VCN) 1106 (e.g., VCN906 in Figure 9) and a secure host subnet 1108 (e.g., secure host subnet 908 in Figure 9). VCN 1106 may comprise an LPG 1110 (e.g., LPG910 in Figure 9) which is contained in SSH VCN 1112 (e.g., SSH VCN912 in Figure 9). SSH VCN1112 may include SSH subnet 1114 (for example, SSH subnet 914 in Figure 9), and SSH VCN1112 may be communicatively coupled to control plane VCN1116 (for example, control plane VCN916 in Figure 9) via LPG1110 included in control plane VCN1116, and may be communicatively coupled to data plane VCN1118 (for example, data plane VCN918 in Figure 9) via LPG1110 included in data plane VCN1118. Control plane VCN1116 and data plane VCN1118 may be included in service tenancy 1119 (for example, service tenancy 919 in Figure 9).
[0135] The control plane VCN1116 may include a control plane DMZ layer 1120 (for example, the control plane DMZ layer 920 in Figure 9) which may include a load balancer (LB) subnet 1122 (for example, the LB subnet 922 in Figure 9), a control plane application layer 1124 (for example, the control plane application layer 924 in Figure 9) which may include an application subnet 1126 (for example, similar to the application subnet 926 in Figure 9), and a control plane data layer 1128 (for example, the control plane data layer 928 in Figure 9) which may include a DB subnet 1130. The LB subnet 1122 included in the control plane DMZ layer 1120 is communicatively coupled to the application subnet 1126 included in the control plane application layer 1124 and the Internet gateway 1134 (for example, Internet gateway 934 in Figure 9) which may be included in the control plane VCN 1116. The application subnet 1126 may be communicatively coupled to the DB subnet 1130 included in the control plane data layer 1128, the service gateway 1136 (for example, the service gateway in Figure 9), and the Network Address Translation (NAT) gateway 1138 (for example, the NAT gateway 938 in Figure 9). The control plane VCN 1116 may include the service gateway 1136 and the NAT gateway 1138.
[0136] The data plane VCN1118 may comprise a data plane application layer 1146 (for example, the data plane application layer 946 in Figure 9), a data plane DMZ layer 1148 (for example, the data plane DMZ layer 948 in Figure 9), and a data plane data layer 1150 (for example, the data plane data layer 950 in Figure 9). The data plane DMZ layer 1148 may comprise an LB subnet 1122 that can be communicatively coupled to the trusted application subnet 1160 and the untrusted application subnet 1162 of the data plane application layer 1146, as well as the internet gateway 1134 included in the data plane VCN1118. The trusted application subnet 1160 may be communicatively coupled to the service gateway 1136 included in the data plane VCN1118, the NAT gateway 1138 included in the data plane VCN1118, and the DB subnet 1130 included in the data plane data layer 1150. The non-trusted application subnet 1162 can be communicatively coupled to the service gateway 1136 included in the data plane VCN 1118 and the DB subnet 1130 included in the data plane data layer 1150. The data plane data layer 1150 may include the DB subnet 1130 which can be communicatively coupled to the service gateway 1136 included in the data plane VCN 1118.
[0137] The untrusted application subnet 1162 may have one or more primary VNICs 1164(1) to 1164(N) that can be communicatively coupled to tenant virtual machines (VMs) 1166(1) to 1166(N). Each tenant VM 1166(1) to 1166(N) may be communicatively coupled to each application subnet 1167(1) to 1167(N) that may be contained within each container output VCN 1168(1) to 1168(N) that may be contained within each customer tenancy 1170(1) to 1170(N). Each secondary VNIC 1172(1) to 1172(N) may facilitate communication between the untrusted application subnet 1162 contained within the data plane VCN 1118 and the application subnet contained within the container output VCN 1168(1) to 1168(N). Each container output VCN1168(1) to 1168(N) may include a NAT gateway 1138 that can be connected to the public internet 1154 (for example, the public internet 954 in Figure 9) in a communicative manner.
[0138] The Internet gateway 1134 included in the control plane VCN1116 and data plane VCN1118 can be communicatively coupled to a metadata management service 1152 (for example, metadata management service 952 in Figure 9), which can be communicatively coupled to the public internet 1154. The public internet 1154 can be communicatively coupled to a NAT gateway 1138 included in the control plane VCN1116 and data plane VCN1118. The service gateway 1136 included in the control plane VCN1116 and data plane VCN1118 can be communicatively coupled to a cloud service 1156.
[0139] In some embodiments, the data plane VCN 1118 may be integrated with a customer tenancy 1170. This integration may be useful or desirable for the IaaS provider's customer, for example, if they may want support for executing code. The customer may provide code to be executed, which may be destructive, communicate with other customer resources, or have undesirable effects. In response, the IaaS provider may determine whether or not to execute the code provided to the IaaS provider by the customer.
[0140] In some examples, an IaaS provider's customer may grant temporary network access to the IaaS provider and request functionality to be granted to the data plane application layer 1146. The code that performs this functionality may run in VMs 1166(1) to 1166(N), and may not be configured to run elsewhere on the data plane VCN 1118. Each VM 1166(1) to 1166(N) may be connected to a single customer tenancy 1170. Each container 1171(1) to 1171(N) contained within VMs 1166(1) to 1166(N) may be configured to run code. In this case, a double isolation may exist (the containers 1171(1)-1171(N) that execute the code may be contained in VMs 1166(1)-1166(N) that are contained in at least the non-trusted app subnet 1162), which may help prevent damage to the IaaS provider's network or the networks of different customers by erroneous or undesirable code. The containers 1171(1)-1171(N) may be communicatively coupled to customer tenancy 1170 and may be configured to send or receive data to or from customer tenancy 1170. The containers 1171(1)-1171(N) may also be configured not to send or receive data to or from any other entities in the data plane VCN 1118. Upon completion of code execution, the IaaS provider may disable or discard the containers 1171(1)-1171(N).
[0141] In some embodiments, the trusted application subnet 1160 may be configured to execute code owned or operated by the IaaS provider. In this embodiment, the trusted application subnet 1160 may be communicatively coupled to the DB subnet 1130 and may be configured to perform CRUD operations in the DB subnet 1130. The non-trusted application subnet 1162 may be communicatively coupled to the DB subnet 1130, but in this embodiment, may be configured to perform read operations in the DB subnet 1130. Containers 1171(1) to 1171(N) contained in each customer's VMs 1166(1) to 1166(N) and capable of executing code from the customer may not be communicatively coupled to the DB subnet 1130.
[0142] In other embodiments, the control plane VCN1116 and the data plane VCN1118 do not have to be directly communicatively coupled. In this embodiment, direct communication between the control plane VCN1116 and the data plane VCN1118 is not required; however, communication can be performed indirectly by at least one method. An LPG1110 that can facilitate communication between the control plane VCN1116 and the data plane VCN1118 may be established by the IaaS provider. In another example, the control plane VCN1116 or the data plane VCN1118 can make a call to the cloud service 1156 via the service gateway 1136. For example, a call from the control plane VCN1116 to the cloud service 1156 may include a request for a service that can communicate with the data plane VCN1118.
[0143] Figure 12 is a block diagram 1200 showing another exemplary pattern of an IaaS architecture according to at least one embodiment. A service operator 1202 (e.g., service operator 902 in Figure 9) may be communicatively coupled to a secure host tenancy 1204 (e.g., secure host tenancy 904 in Figure 9), which may include a virtual cloud network (VCN) 1206 (e.g., VCN906 in Figure 9) and a secure host subnet 1208 (e.g., secure host subnet 908 in Figure 9). VCN 1206 may comprise an LPG 1210 (e.g., LPG910 in Figure 9), which may be communicatively coupled to SSH VCN 1212 (e.g., SSH VCN912 in Figure 9). SSH VCN1212 may include SSH subnet 1214 (for example, SSH subnet 914 in Figure 9), and SSH VCN1212 may be communicatively coupled to control plane VCN1216 (for example, control plane VCN916 in Figure 9) via LPG1210 included in control plane VCN1216, and may be communicatively coupled to data plane VCN1218 (for example, data plane VCN918 in Figure 9) via LPG1210 included in data plane VCN1218. Control plane VCN1216 and data plane VCN1218 may be included in service tenancy 1219 (for example, service tenancy 919 in Figure 9).
[0144] The control plane VCN1216 may include a control plane DMZ layer 1220 (for example, the control plane DMZ layer 920 in Figure 9) which may include an LB subnet 1222 (for example, the LB subnet 922 in Figure 9), a control plane application layer 1224 (for example, the control plane application layer 924 in Figure 9) which may include an application subnet 1226 (for example, the application subnet 926 in Figure 9), and a control plane data layer 1228 (for example, the control plane data layer 928 in Figure 9) which may include a DB subnet 1230 (for example, the DB subnet 1130 in Figure 11). The LB subnet 1222 included in the control plane DMZ layer 1220 is communicatively coupled to the application subnet 1226 included in the control plane application layer 1224 and the Internet gateway 1234 (for example, Internet gateway 934 in Figure 9) which may be included in the control plane VCN 1216. The application subnet 1226 may be communicatively coupled to the DB subnet 1230 included in the control plane data layer 1228, the service gateway 1236 (for example, the service gateway in Figure 9), and the Network Address Translation (NAT) gateway 1238 (for example, NAT gateway 938 in Figure 9). The control plane VCN 1216 may include the service gateway 1236 and the NAT gateway 1238.
[0145] The data plane VCN1218 may comprise a data plane application layer 1246 (for example, the data plane application layer 946 in Figure 9), a data plane DMZ layer 1248 (for example, the data plane DMZ layer 948 in Figure 9), and a data plane data layer 1250 (for example, the data plane data layer 950 in Figure 9). The data plane DMZ layer 1248 may comprise a trusted application subnet 1260 (for example, the trusted application subnet 1160 in Figure 11) and an untrusted application subnet 1262 (for example, the untrusted application subnet 1162 in Figure 11) of the data plane application layer 1246, as well as an LB subnet 1222 that can be communicatively coupled to an internet gateway 1234 included in the data plane VCN1218. Trusted application subnet 1260 may be communicatively coupled to service gateway 1236 included in data plane VCN 1218, NAT gateway 1238 included in data plane VCN 1218, and DB subnet 1230 included in data plane data layer 1250. Non-trusted application subnet 1262 may be communicatively coupled to service gateway 1236 included in data plane VCN 1218 and DB subnet 1230 included in data plane data layer 1250. Data plane data layer 1250 may include DB subnet 1230 that can be communicatively coupled to service gateway 1236 included in data plane VCN 1218.
[0146] The untrusted application subnet 1262 may have primary VNICs 1264(1) to 1264(N) that can be communicatively coupled to tenant virtual machines (VMs) 1266(1) to 1266(N) residing within the untrusted application subnet 1262. Each tenant VM 1266(1) to 1266(N) can execute code in each of the containers 1267(1) to 1267(N) and can be communicatively coupled to an application subnet 1226 that may be included in the data plane application layer 1246 that may be included in the container output VCN 1268. The secondary VNICs 1272(1) to 1272(N) can each facilitate communication between the untrusted application subnet 1262 included in the data plane VCN 1218 and the application subnet included in the container output VCN 1268. The container output VCN may include a NAT gateway 1238 that can be communicably coupled to the public internet 1254 (for example, the public internet 954 in Figure 9).
[0147] The Internet gateway 1234 included in the control plane VCN1216 and data plane VCN1218 can be communicatively coupled to a metadata management service 1252 (for example, metadata management service 952 in Figure 9), which can be communicatively coupled to the public internet 1254. The public internet 1254 can be communicatively coupled to a NAT gateway 1238 included in the control plane VCN1216 and data plane VCN1218. The service gateway 1236 included in the control plane VCN1216 and data plane VCN1218 can be communicatively coupled to a cloud service 1256.
[0148] In some examples, the pattern shown by the architecture in block diagram 1200 of Figure 12 is considered an exception to the pattern shown by the architecture in block diagram 1100 of Figure 11, and is considered desirable for the IaaS provider's customers when the IaaS provider cannot communicate directly with the customer (for example, in an unconnected region). Each customer has containers 1267(1) to 1267(N) contained within VMs 1266(1) to 1266(N), each of which is accessible to the customer in real time. Each container 1267(1) to 1267(N) may be configured to make calls to each of the secondary VNICs 1272(1) to 1272(N) contained within the application subnet 1226 of the data plane application layer 1246, which may be contained within the container output VCN 1268. Secondary VNICs 1272(1) to 1272(N) can send calls to NAT gateway 1238, which may then send calls to the public internet 1254. In this example, the customer-accessible containers 1267(1) to 1267(N) can be isolated from the control plane VCN 1216, as well as from other entities included in the data plane VCN 1218. Furthermore, containers 1267(1) to 1267(N) can also be isolated from other customer resources.
[0149] In another example, a customer can use containers 1267(1) to 1267(N) to invoke cloud service 1256. In this example, a customer can execute code in containers 1267(1) to 1267(N) to request services from cloud service 1256. Containers 1267(1) to 1267(N) can send this request to secondary VNICs 1272(1) to 1272(N), which can send the request to the NAT gateway, which can send the request to the public internet 1254. The public internet 1254 can send the request to LB subnet 1222, which is included in control plane VCN 1216, via internet gateway 1234. In response to the determination that the request is valid, the LB subnet can send the request to the application subnet 1226, and the application subnet 1226 can send the request to the cloud service 1256 via the service gateway 1236.
[0150] Naturally, the IaaS architectures 900, 1000, 1100, and 1200 shown in the drawings may have components other than those shown. Furthermore, the embodiments shown in the drawings are only a few examples of cloud infrastructure systems that may encompass one embodiment of this disclosure. In some other embodiments, the IaaS system may have more or fewer components than shown, may combine two or more components, or may have different configurations or arrangements of components.
[0151] In one embodiment, the IaaS system described herein may include a set of applications, middleware, and database services delivered to customers in a self-service, subscription-based, elastically scalable, reliable, highly available, and secure manner. Oracle Cloud Infrastructure (OCI), offered by the assignee, is an example of such an IaaS system.
[0152] Figure 13 shows an exemplary computer system 1300 in which various embodiments can be realized. System 1300 may be used to realize any of the computer systems described above. As shown in the drawing, computer system 1300 includes a processing unit 1304 that communicates with a number of peripheral subsystems via a bus subsystem 1302. Peripheral subsystems may include a processing acceleration unit 1306, an I / O subsystem 1308, a storage subsystem 1318, and a communication subsystem 1324. The storage subsystem 1318 includes a tangible computer-readable storage medium 1322 and system memory 1310.
[0153] The bus subsystem 1302 provides a mechanism for various components and subsystems of the computer system 1300 to communicate with each other as intended. Although the bus subsystem 1302 is schematically shown as a single bus, alternative embodiments of the bus subsystem may utilize multiple buses. The bus subsystem 1302 may be one of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus, using any of a variety of bus architectures. For example, such architectures may include industry standard architecture (ISA) buses, microchannel architecture (MCA) buses, extended ISA (EISA) buses, video electronics standards (VESA) local buses, and peripheral interconnect (PCI) buses, which can be implemented as mezzanine buses manufactured according to the IEEE P1386.1 standard.
[0154] A processing unit 1304, which can be implemented as one or more integrated circuits (for example, conventional microprocessors or microcontrollers), controls the operation of the computer system 1300. The processing unit 1304 may include one or more processors. These processors may include single-core or multi-core processors. In one embodiment, the processing unit 1304 may be implemented as one or more independent processing units 1332 and / or 1334, each containing a single-core or multi-core processor. In another embodiment, the processing unit 1304 may be implemented as a quad-core processing unit formed by integrating two dual-core processors onto a single chip.
[0155] In various embodiments, the processing unit 1304 can execute a variety of programs in response to program code and maintain multiple concurrently running programs or processes. At any given time, some or all of the program code to be executed may reside in the processor 1304 and / or the storage subsystem 1318. With suitable programming, the processor 1304 can provide the various functions described above. The computer system 1300 may also include a processing acceleration unit 1306 which may include a digital signal processor (DSP), a dedicated processor, and / or similar.
[0156] The I / O subsystem 1308 may include user interface input devices and user interface output devices. User interface input devices may include pointing devices such as keyboards, mice or trackballs, touchpads or touchscreens integrated into displays, scroll wheels, click wheels, dials, buttons, switches, keypads, audio input devices with voice command recognition systems, microphones, and other types of input devices. User interface input devices may include motion detection and / or gesture recognition devices such as Microsoft Kinect® motion sensors that enable user control and interaction with input devices such as Microsoft Xbox® 360 game controllers through a natural user interface using gestures and voice commands. User interface input devices may also include eye gesture recognition devices such as Google Glass® blink detectors that detect the user's eye activity (e.g., blinking while taking photos and / or selecting menus) and convert eye gestures into input to an input device (e.g., Google Glass®). Furthermore, the user interface input device may include a voice recognition detection device that enables user interaction with a voice recognition system (e.g., Siri® Navigator) via voice commands.
[0157] Furthermore, user interface input devices may include, but are not limited to, three-dimensional (3D) mice, joysticks or pointing sticks, gamepads and graphic tablets, as well as auditory / visual devices such as speakers, digital cameras, digital video cameras, portable media players, webcams, image scanners, fingerprint scanners, barcode readers, 3D scanners, 3D printers, laser rangefinders, and eye-tracking devices. User interface input devices may also include, for example, medical imaging input devices such as computed tomography, magnetic resonance imaging, positron emission tomography, and medical ultrasound imaging devices. Additionally, user interface input devices may include, for example, audio input devices such as MIDI keyboards and digital musical instruments.
[0158] User interface output devices may include non-visual displays such as display subsystems, indicator lights, or audio output devices. Display subsystems may also include flat-panel devices such as cathode ray tubes (CRTs), liquid crystal displays (LCDs), or plasma displays, projection devices, touchscreens, etc. Generally, the use of the term “output device” is intended to include all conceivable types of devices and mechanisms for outputting information from the computer system 1300 to a user or another computer. For example, user interface output devices may include, but are not limited to, a variety of display devices that visually convey text, graphics, and audio / video information, such as monitors, printers, speakers, headphones, car navigation systems, plotters, audio output devices, and modems.
[0159] The computer system 1300 may include a storage subsystem 1318 that provides a tangible, non-temporary, computer-readable storage medium for storing software and data constructs that provide the functionality of the embodiments described in this disclosure. The software may include programs, code modules, instructions, scripts, etc., that provide the above-described functionality when executed by one or more cores or processors of the processing unit 1304. The storage subsystem 1318 may also provide a repository for storing data used in accordance with this disclosure.
[0160] As shown in the example in Figure 13, the storage subsystem 1318 may comprise various components, including system memory 1310, a computer-readable storage medium 1322, and a computer-readable storage medium reader 1320. The system memory 1310 may store program instructions that can be loaded and executed by the processing unit 1304. The system memory 1310 may also store data used during instruction execution and / or data generated during program instruction execution. Various different types of programs may be loaded into the system memory 1310, including, but not limited to, client applications, web browsers, middle-tier applications, relational database management systems (RDBMS), virtual machines, and containers.
[0161] Furthermore, the system memory 1310 may be configured to store the operating system 1316. Examples of operating systems 1316 include various versions of Microsoft Windows®, Apple Macintosh®, and / or Linux operating systems, a variety of commercially available UNIX® or UNIX-like operating systems (including, but not limited to, various GNU / Linux operating systems, Google Chrome® OS, etc.), and / or mobile operating systems such as iOS, Windows® Phone, Android® OS, BlackBerry® OS, and Palm® OS. In some embodiments in which the computer system 1300 runs one or more virtual machines, the virtual machines, along with their respective guest operating systems (GOS), may be loaded into the system memory 1310 and executed by one or more processors or cores of the processing unit 1304.
[0162] The system memory 1310 can have various configurations depending on the type of computer system 1300. For example, the system memory 1310 may be volatile memory (such as random access memory (RAM)) and / or non-volatile memory (such as read-only memory (ROM) or flash memory). It may also be provided with different types of RAM configurations, including static random access memory (SRAM), dynamic random access memory (DRAM), and others. In some embodiments, the system memory 1310 may include a basic input / output system (BIOS) that contains basic routines useful for communicating information between elements within the computer system 1300, such as during startup.
[0163] The computer-readable storage medium 1322 may represent a storage medium for temporarily and / or permanently containing and storing computer-readable information (including instructions executable by the processing unit 1304 of the computer system 1300) used by the computer system 1300, in addition to remote, local, fixed, and / or removable storage devices.
[0164] The computer-readable storage medium 1322 may include, but is not limited to, any suitable medium known or used in the art (including storage and communication media), and may include volatile and non-volatile, removable and non-removable media implemented in any method or technique for storing and / or transmitting information. This may include memory technologies such as RAM, ROM, electronically erasable programmable ROM (EEPROM), and flash memory; optical storage such as CD-ROM and digital multipurpose discs (DVDs); magnetic storage devices such as magnetic cassettes, magnetic tapes, and magnetic disk storage; or other tangible computer-readable storage media.
[0165] As an example, the computer-readable storage medium 1322 may include a hard disk drive that reads and writes to a non-removable non-volatile magnetic medium, a magnetic disk drive that reads and writes to a removable non-volatile magnetic disk, and an optical disk drive that reads and writes to a removable non-volatile optical disk such as a CD-ROM, DVD, Blu-ray® disc, or other optical medium. The computer-readable storage medium 1322 may include, but is not limited to, Zip® drives, flash memory cards, Universal Serial Bus (USB) flash drives, Secure Digital (SD) cards, DVD discs, digital videotapes, etc. Furthermore, the computer-readable storage medium 1322 may include solid-state drives (SSDs) based on non-volatile memory (flash memory-based SSDs, enterprise flash drives, solid-state ROMs, etc.), SSDs based on volatile memory (solid-state RAM, dynamic RAM, static RAM, DRAM-based SSDs, magnetoresistive RAM (MRAM) SSDs), and hybrid SSDs (using a combination of DRAM and flash memory-based SSDs). The disk drives and their respective associated computer-readable media may provide non-volatile storage for computer-readable instructions, data structures, program modules, and other data to the computer system 1300.
[0166] Machine-readable instructions executable by one or more processors or cores of the processing unit 1304 may be stored in a non-temporary computer-readable storage medium. The non-temporary computer-readable storage medium may include physically tangible memory or storage devices, including volatile memory devices and / or non-volatile storage devices. Examples of non-temporary computer-readable storage media include magnetic storage media (e.g., disks or tapes), optical storage media (e.g., DVDs, CDs), various types of RAM, ROM, or flash memory, hard drives, floppy disk drives, removable memory drives (e.g., USB drives), or other types of storage devices.
[0167] The communication subsystem 1324 provides an interface to other computer systems and networks. The communication subsystem 1324 functions as an interface for sending and receiving data between the computer system 1300 and other systems. For example, the communication subsystem 1324 may enable the computer system 1300 to connect to one or more devices via the Internet. In some embodiments, the communication subsystem 1324 may include a wireless voice and / or data network (using, for example, cellular technology, 3G, 4G, or advanced data network technologies such as EDGE (Enhanced Data Rates for Global Evolution), WiFi® (IEEE 802.11 family standard), or other mobile communication technologies, or any combination thereof), a Global Positioning System (GPS) receiver component, and / or a radio frequency (RF) transceiver component for accessing other components. In some embodiments, the communication subsystem 1324 may provide a wired network connection (e.g., Ethernet®) as an addition to or alternative to the wireless interface.
[0168] In addition, in some embodiments, the communication subsystem 1324 can receive incoming communications in the form of structured and / or unstructured data feeds 1326, event streams 1328, event updates 1330, etc., on behalf of one or more users who may be using the computer system 1300.
[0169] For example, the communication subsystem 1324 may be configured to receive data feeds 1326 in real time from users of social networks, and / or from users of other communication services, such as Twitter® feeds, Facebook® updates, RSS (Rich Site Summary) feeds, and / or real-time updates from one or more third-party sources.
[0170] Furthermore, the communication subsystem 1324 may be configured to receive data in the form of a continuous data stream, which may include an event stream 1328 and / or event update 1330 of real-time events, which may be continuous or virtually infinite with no explicit end. Examples of applications that generate continuous data include, for example, sensor data applications, financial tickers, network performance measurement tools (e.g., network monitoring and traffic management applications), clickstream analysis tools, and automotive traffic monitoring.
[0171] Furthermore, the communication subsystem 1324 may be configured to output structured and / or unstructured data feeds 1326, event streams 1328, event updates 1330, etc., to one or more databases that can communicate with one or more streaming data source computers connected to the computer system 1300.
[0172] The computer system 1300 can be one of a variety of types, including portable handheld devices (e.g., iPhone® mobile phones, iPad® computing tablets, PDAs, etc.), wearable devices (e.g., Google Glass® head-mounted displays), PCs, workstations, mainframes, kiosks, server racks, or any other data processing systems.
[0173] Due to the constantly changing nature of computers and networks, the description of the illustrated computer system 1300 is intended only as an example. Many other configurations with more or fewer components than the illustrated system are possible. For example, the use of customized hardware and / or the implementation of specific elements in hardware, firmware, software (including applets), or combinations thereof are also possible. Furthermore, connections to other computing devices such as network input / output devices may be employed. Based on the disclosures and teachings contained herein, those skilled in the art will recognize other methods and / or ways of implementing various embodiments.
[0174] example Example 1 is a method performed by a computer, which includes a computing system in a first data center in a first area detecting data from a second data center in a second area, the data being stored in an isolated environment in the first data center, and the method performed by the computer may further include: the computing system determining validation parameters at least in part based on the first area; the computing system validating the data at least in part based on the validation parameters; the computing system processing a first message indicating the release of the data from the isolated environment; the computing system processing a second message indicating that the first message originates from a computing device located in the first area; and the computing system releasing the data from the isolated environment at least in part based on the validation, the first message indicating the release of the data, and the second message indicating that the first message originates from the first area.
[0175] Example 2 may include a computer-based method as described in Example 1, further comprising selecting a verification technique to be used for verifying data, at least in part, based on the first domain.
[0176] Example 3 is a method performed by a computer as described in Example 1 or Example 2, which may include a method performed by a computer that releases data from an isolated environment to a database in a first data center.
[0177] Example 4 may include a method performed by a computer as described in any one of Examples 1 to 3, further comprising receiving data from an intermediate computing system via a secure pipeline.
[0178] Example 5 may include a method performed by a computer as described in Example 4, further comprising preventing an intermediate computing system from accessing the data while the data is being validated.
[0179] Example 6 is a computer-operated method described in any of the preceding examples, further comprising sending a request to a human resources system in a second area to determine approval to send a first message, the data being released from the isolation environment, at least in part based on the approval, the computer-operated method may include.
[0180] Example 7 is a computer-operated method described in any of the preceding examples, which may include a computer-operated method in which verifying data on at least partly based on verification parameters includes mapping the data to a verification technique, and the data is verified using the verification technique.
[0181] Example 8 may include a computing system comprising one or more processors and one or more computer-readable media containing a set of instructions that, when executed by one or more processors, cause one or more processors to perform the method described in any one of Examples 1 to 7.
[0182] Example 9 may include one or more non-temporary computer-readable media containing a set of instructions that, when executed by one or more processors of a computing system, cause one or more processors to perform the method described in any one of Examples 1 to 7.
[0183] Example 10 is a method performed by a computer, the method being
[0184] Example 11 is a method performed by a computer as described in Example 10, the intermediate computing system may include a method performed by a computer located in a first area.
[0185] Example 12 is a method performed by a computer as described in Example 10 or Example 11, wherein sending a first control instruction to an intermediate computing system to verify data on at least part of a first criterion includes selecting a verification technique to be used to verify the data on at least part of a first area, and the first control instruction may include a method performed by the computer that includes an index of the verification technique.
[0186] Example 13 is a computer method described in any one of Examples 10 to 12, wherein the isolation environment is a first isolation environment, and releasing data from the isolation environment, at least in part on verification results, indicators of data release, and indicators that a second message originates from a first area, may include releasing data from the first isolation environment to a second isolation environment in a first data center.
[0187] Example 14 is a computer method described in any one of Examples 10 to 13, which may include a computer method that, based at least in part on verification results, indicators of data release, and indicators that the second message originates from the first area, releases data from the isolated environment to a database in the first data center.
[0188] Example 15 may include a method performed by a computer as described in any one of Examples 10 to 14, further comprising preventing the first and second data centers from accessing the data during the verification process.
[0189] Example 16 is a computer-operated method described in any one of Examples 10 to 15, further comprising sending a request to a human resources system in a second area to determine approval to send a second message, the data being released from the isolation environment, at least in part based on the approval, the computer-operated method may include.
[0190] Example 17 may include a computing system comprising one or more processors and one or more computer-readable media containing a set of instructions that, when executed by one or more processors, cause one or more processors to perform a method according to any one of Examples 10 to 16.
[0191] Example 18 may include one or more non-temporary computer-readable media containing a set of instructions that, when executed by one or more processors of a computing system, cause one or more processors to perform the method described in any one of Examples 10 to 16.
[0192] Example 19 is a method performed by a computer, the method being
[0193] Example 20 is a method performed by a computer as described in Example 19, the intermediate computing system may include a method performed by a computer located in a first area.
[0194] Example 21 is a method performed by a computer as described in Example 19 or Example 20, wherein sending a first control instruction to an intermediate computing system to verify data on at least part of a first criterion includes selecting a verification technique to be used to verify the data on at least part of a first area, and the first control instruction may include a method performed by the computer that includes an index of the verification technique.
[0195] Example 22 is a computer-operated method described in any one of Examples 19 to 21, which may include releasing data from a first isolation environment to a second isolation environment in a first data center, based at least in part on verification results, indicators for data release, and indicators that a second message originates from a first area.
[0196] Example 23 is a computer-operated method described in any one of Examples 19 to 22, which may include releasing data from a first isolation environment to a database in a first data center, based at least in part on verification results, indicators of data release, and indicators that a second message originates from a first area.
[0197] Example 24 may include a method performed by a computer as described in any one of Examples 19 to 23, further comprising preventing the first and second data centers from accessing the data during the verification process.
[0198] Example 25 may include a method performed by a computer as described in any one of Examples 19 to 24, further comprising sending a request to a human resources system in a second area to determine approval to send a second message, the data being released from the first isolation environment, at least in part, based on the approval.
[0199] Example 26 is a method performed by a computer as described in Example 19, wherein a computing system detects data from a second data center in a second area, the data being stored in a second isolation environment of a first data center, and the method performed by the computer may further include: the computing system determining validation parameters at least in part on the first area; the computing system validating the data at least in part on the validation parameters; the computing system processing a first message indicating the release of the data from the second isolation environment; the computing system processing a second message indicating that the first message originates from a computing device located in the first area; and the computing system causing the data to be released from the second isolation environment at least in part on the validation, the first message indicating the release of the data, and the second message indicating that the first message originates from the first area.
[0200] Example 27 may include a method performed by a computer as described in Example 26, further comprising sending a request to a human resources system in a second area to determine approval to send a first message, wherein the data is released from the second isolation environment, at least in part, based on the approval.
[0201] Example 28 may include a computing system comprising one or more processors and one or more computer-readable media containing a set of instructions that, when executed by one or more processors, cause one or more processors to perform the method described in any one of Examples 19 to 28.
[0202] Example 29 may include one or more non-temporary computer-readable media containing a set of instructions that, when executed by one or more processors of a computing system, cause one or more processors to perform the method described in any one of Examples 19 to 28.
[0203] Unless otherwise explicitly stated, any of the above examples may be combined with any other example (or combination of examples). The above descriptions relating to one or more embodiments are illustrative and explanatory, but are not intended to be exhaustive or to limit the scope of embodiments to the strict form of disclosure. Improvements and modifications in light of the above teachings are possible and can also be obtained by carrying out various embodiments.
[0204] While specific embodiments have been described above, various improvements, modifications, alternative configurations, and equivalents are also included in the scope of this disclosure. The embodiments are not limited to operation within a particular data processing environment, but can freely operate within multiple data processing environments. Furthermore, while the embodiments have been described using a specific set of transactions and steps, it will be clear to those skilled in the art that the scope of this disclosure is not limited to the set of transactions and steps described. The various features and aspects of the embodiments described above may be used individually or in combination.
[0205] Furthermore, while embodiments have been described using specific combinations of hardware and software, it will be recognized that other combinations of hardware and software are also included in the scope of this disclosure. Embodiments may be implemented in hardware only, in software only, or by using a combination of these. The various processes described herein may be implemented on the same processor or on any combination of different processors. Thus, where a component or service is described as being configured to perform a certain operation, such configuration may be achieved, for example, by designing electronic circuits to perform this operation, by programming programmable electronic circuits (such as a microprocessor) to perform this operation, or by any combination thereof. Processes may be communicative using a variety of techniques, including but not limited to conventional techniques for inter-process communication. Also, different pairs of processes may use different techniques, or the same pair of processes may use different techniques at different times.
[0206] Therefore, this specification and the drawings are intended to be illustrative and not limiting in any way. However, it is clear that additions, reductions, deletions, and other improvements and modifications can be made without departing from the broad idea and scope set forth in the claims. For this reason, specific embodiments of this disclosure have been described, but these are not intended to be limiting in any way. Various improvements and equivalents are included in the following claims.
[0207] In the context describing embodiments of the disclosure (in particular, in the context of the following claims), the terms “a,” “an,” and “the,” and similar reference subjects, shall be interpreted as referring to both singular and plural forms unless otherwise indicated herein or there is a clear contextual inconsistency. The terms “comprising,” “having,” “including,” and “containing” shall be interpreted as open-ended terms (i.e., “including, but not limited to.” The term “connected” shall be interpreted as including, attaching, or integrally combining, in part or in whole, even if something is intervening. Unless otherwise indicated herein, descriptions of ranges of values are intended merely as a concise way of referring individually to each distinct value contained within that range, and each distinct value is incorporated herein as if it were individually described herein. Unless otherwise indicated herein or there is a clear contextual inconsistency, all methods described herein may be performed in any preferred order. The use of any examples or illustrative expressions (e.g., "such as") described herein is intended solely to facilitate the understanding of the embodiments and, unless otherwise claimed, does not limit the scope of this disclosure. Nothing described herein shall be construed as indicating that any non-claimed element is essential to the implementation of this disclosure.
[0208] Unless otherwise specified, disjunctive expressions such as "at least one of X, Y, or Z" are intended to be understood in contexts where they are commonly used to indicate that an item, term, etc., can be any one of X, Y, or Z, or any combination thereof (e.g., X, Y, and / or Z). Accordingly, such disjunctive expressions are not intended, nor shall they, to imply, that a particular embodiment requires the presence of at least one of X, at least one of Y, or at least one of Z.
[0209] This specification describes preferred embodiments of the Disclosure, including the best known modes for the execution of the Disclosure. Those skilled in the art will be able to see, by reading the above description, variations of these preferred embodiments. Those skilled in the art may adopt such variations as appropriate, and the Disclosure may be executed in a manner different from the specific description herein. Therefore, to the extent permitted by applicable law, the Disclosure includes all improvements and equivalents to the subject matter described in the claims appended herein. Furthermore, unless otherwise indicated herein, any combination of all conceivable variations of the elements described above is included in the Disclosure.
[0210] All references cited herein, including publications, patent applications, and patents, are incorporated herein by reference to the same extent as all their contents are included herein, with each reference individually and specifically indicated as being incorporated by reference.
[0211] While the above specification describes aspects of the disclosure with reference to specific embodiments, those skilled in the art will recognize that the disclosure is not limited thereto. The various features and aspects of the disclosure described above may be used individually or in combination. Furthermore, embodiments may be used in any number of environments and applications beyond those described herein, without departing from the broader concept and scope of this specification. Accordingly, this specification and the drawings should be considered illustrative and not limiting.
Claims
1. A method by which a computer performs an action. The computing system of the first data center in the first region includes processing a first message indicating that an intermediate computing system managed by the first data center has received data from the second data center in the second region. The data is stored in a first isolated environment of the intermediate computing system, and the method executed by the computer further includes: The computing system transmits a first control command to the intermediate computing system that verifies the data at least in part based on a first criterion. The computing system processes the verification results from the intermediate computing system, The computing system processes a second message indicating the release of the data from the first isolation environment of the intermediate computing system, The computing system processes a third message indicating that the second message originates from a computing device located in the first area, A method performed by a computer, comprising the computing system releasing the data from the first isolation environment based at least in part on the verification result, the second message, and the third message.
2. The intermediate computing system is located in the first region, and the computer according to claim 1 is used to perform the execution of the method.
3. Transmitting the first control command to the intermediate computing system to verify the data based at least in part on the first criterion is: This includes selecting a verification technique to be used to verify the data, based at least in part on the first region, The first control instruction includes an indicator of the verification technique, a method executed by a computer according to claim 1 or 2.
4. Based at least in part on the verification results, the indicators for data release, and the indicators indicating that the second message originates from the first region, releasing the data from the first isolation environment is: A method performed by a computer according to any one of claims 1 to 3, comprising releasing the data from the first isolation environment to a second isolation environment in the first data center.
5. Based at least in part on the verification results, the indicators for data release, and the indicators indicating that the second message originates from the first region, releasing the data from the first isolation environment is: A method performed by a computer according to any one of claims 1 to 4, comprising releasing the data from the first isolation environment to the database of the first data center.
6. A method performed by a computer according to any one of claims 1 to 5, further comprising preventing the first data center and the second data center from accessing the data during the verification process.
7. Further comprising sending a request to the human resources system in the second area to determine approval to send the second message, A method performed by a computer according to any one of claims 1 to 6, wherein the data is released from the first isolation environment at least in part based on the approval.
8. The computing system further includes detecting the data from the second data center in the second region, The data is stored in a second isolated environment of the first data center, and the method performed by the computer is further as follows: The computing system determines verification parameters based at least partially on the first domain, The computing system verifies the data at least partially based on the verification parameters, The computing system processes a first message indicating the release of the data from the second isolation environment, The computing system processes a second message indicating that the first message originates from a computing device located in the first region, A method performed by the computer according to claim 1, comprising the computing system causing the computing system to release the data from the second isolation environment based at least in part on the verification, the first message indicating that the data is to be released, and the second message indicating that the first message originates from the first area.
9. Further comprising sending a request to the human resources system in the second area to determine approval to send the first message, The method performed by the computer according to claim 8, wherein the data is released from the second isolation environment, at least in part, based on the approval.
10. A computing system for a first data center in a first domain, One or more processors, When executed by the one or more processors, The first data center has one or more processors process a first message indicating that the intermediate computing system managed by the first data center has received data from the second data center in the second area. The aforementioned data is stored in the first isolated environment of the intermediate computing system. Transmitting a first control command to the intermediate computing system to verify the data based at least in part on a first criterion, Processing the verification results from the aforementioned intermediate computing system, Processing a second message indicating the release of the data from the first isolation environment of the intermediate computing system, Processing a third message indicating that the second message originates from a computing device located in the first region, Based at least partially on the verification results, the second message, and the third message, the data is released from the first isolation environment. One or more computer-readable media containing a set of instructions that cause one or more processors to perform the following: A computing system equipped with [the following features].
11. The computing system according to claim 10, wherein the intermediate computing system is located in the first region.
12. Transmitting the first control command to the intermediate computing system to verify the data based at least in part on the first criterion is: This includes selecting a verification technique to be used to verify the data, based at least in part on the first region, The computing system according to claim 10 or claim 11, wherein the first control command includes an indicator of the verification technique.
13. Based at least in part on the verification results, the indicators for data release, and the indicators indicating that the second message originates from the first region, releasing the data from the first isolation environment is: A computing system according to any one of claims 10 to 12, comprising releasing the data from the first isolation environment to a second isolation environment in the first data center.
14. Based at least in part on the verification results, the indicators for data release, and the indicators indicating that the second message originates from the first region, releasing the data from the first isolation environment is: A computing system according to any one of claims 10 to 13, comprising releasing the data from the first isolated environment to the database of the first data center.
15. When the aforementioned set of instructions is executed by one or more processors, The computing system according to any one of claims 10 to 14, further comprising causing one or more processors to disable access to the data by the first data center and the second data center during the verification process.
16. When the aforementioned set of instructions is executed by one or more processors, The one or more processors are further made to send a request to the human resources system in the second area for approval to send the second message, The computing system according to any one of claims 10 to 15, wherein the data is released from the first isolation environment at least in part based on the approval.
17. When the aforementioned set of instructions is executed by one or more processors, The one or more processors are further made to detect the data from the second data center in the second region. The aforementioned data is stored in the second isolation environment of the first data center. Determining the verification parameters based at least partially on the first region, The computing system verifies the data at least partially based on the verification parameters, Processing a first message indicating the release of the data from the second isolation environment, Processing a second message indicating that the first message originates from a computing device located in the first region, Releasing the data from the second isolation environment based at least in part on the verification, the first message indicating that the data will be released, and the second message indicating that the first message originates from the first region, The computing system according to claim 10, wherein one or more processors further perform the above.
18. When the aforementioned set of instructions is executed by one or more processors, The one or more processors are further made to send a request to the human resources system in the second area to determine approval for sending the first message, The computing system according to claim 10, wherein the data is released from the second isolation environment at least in part based on the approval.
19. When executed by one or more processors of the computing system of the first data center in the first domain, The first data center has one or more processors process a first message indicating that the intermediate computing system managed by the first data center has received data from the second data center in the second area. The aforementioned data is stored in the first isolated environment of the intermediate computing system. Transmitting a first control command to the intermediate computing system to verify the data based at least in part on a first criterion, Processing the verification results from the aforementioned intermediate computing system, Processing a second message indicating the release of the data from the first isolation environment of the intermediate computing system, Processing a third message indicating that the second message originates from a computing device located in the first region, Based at least partially on the verification results, the second message, and the third message, the data is released from the first isolation environment. One or more non-temporary computer-readable media containing a set of instructions that cause one or more processors to perform the same action.
20. The intermediate computing system is one or more non-temporary computer-readable media according to claim 19, which are located in the first region.