“Working for Mike, he was one of those rare bosses who cared about each of us as people and he was always ready to make progress on the business tasks at hand. He trusted me to take the information I was given, digest it into marketing goals, and create action agendas for overcoming the challenges. He knew when to share important information and opinions that were needed from the executive and when to empower and trust his leadership team to bring their expertise and do the work. Mike understands when to get involved, when to delegate, and when to foster environments of collaboration so we can do our best work and move the business forward.”
About
I am a proud technologist at heart, and this has fuelled my career for the last three…
Activity
-
I recently had professional photos taken with my family. My husband and I took the opportunity to also get individual headshots. (His are so…
I recently had professional photos taken with my family. My husband and I took the opportunity to also get individual headshots. (His are so…
Liked by Mike Bursell
-
Tickets are available now for State of Open Con (https://lnkd.in/eMK3gAwv). I know I'm supposed to say this (as I'm on the CFP committee), but it's…
Tickets are available now for State of Open Con (https://lnkd.in/eMK3gAwv). I know I'm supposed to say this (as I'm on the CFP committee), but it's…
Shared by Mike Bursell
-
As we get to the end of 2024, I'm getting into some really interesting topics on my YouTube channel "What is cybersecurity?"…
As we get to the end of 2024, I'm getting into some really interesting topics on my YouTube channel "What is cybersecurity?"…
Shared by Mike Bursell
Experience
Education
-
University of Cambridge
-
Activities and Societies: King's College Choir, King's College Orchestra, Cambridge University Fencing Club, King's College Rugby Club, Cambridge University Jiu Jitsu Society
-
-
-
-
-
-
Volunteer Experience
-
Governing Board member, Technical Advisory Committee member
Confidential Computing Consortium
- 3 years 4 months
Science and Technology
-
Correspondent
Opensource.com
- 2 years 4 months
Science and Technology
I'm a Correspondent for Opensource.com, as well as a frequent contributor. The Correspondent programme replaced the "Community Moderator" programme in November 2019.
-
Community First Responder
East of England Ambulance Service NHS Trust
- 8 years 1 month
Health
Providing local emergency support to the community.
-
Community Moderator
Opensource.com
- 1 year 9 months
Science and Technology
I'm a Community Moderator at Opensource.com, as well as a frequent contributor.
-
Governor
Stour Valley Community School
- Present 6 years 2 months
Education
Member of governing body.
-
Treasurer
Confidential Computing Consortium
- Present 5 years 2 months
Science and Technology
Publications
-
Trust in Computer Systems and the Cloud
Wiley
Learn to analyze and measure risk by exploring the nature of trust and its application to cybersecurity
Trust in Computer Systems and the Cloud delivers an insightful and practical new take on what it means to trust in the context of computer and network security and the impact on the emerging field of Confidential Computing. Author Mike Bursell’s experience, ranging from Chief Security Architect at Red Hat to CEO at a Confidential Computing start-up grounds the reader in fundamental…Learn to analyze and measure risk by exploring the nature of trust and its application to cybersecurity
Trust in Computer Systems and the Cloud delivers an insightful and practical new take on what it means to trust in the context of computer and network security and the impact on the emerging field of Confidential Computing. Author Mike Bursell’s experience, ranging from Chief Security Architect at Red Hat to CEO at a Confidential Computing start-up grounds the reader in fundamental concepts of trust and related ideas before discussing the more sophisticated applications of these concepts to various areas in computing.
The book demonstrates in the importance of understanding and quantifying risk and draws on the social and computer sciences to explain hardware and software security, complex systems, and open source communities. It takes a detailed look at the impact of Confidential Computing on security, trust and risk and also describes the emerging concept of trust domains, which provide an alternative to standard layered security.
- Foundational definitions of trust from sociology and other social sciences, how they evolved, and what modern concepts of trust mean to computer professionals
- A comprehensive examination of the importance of systems, from open-source communities to HSMs, TPMs, and Confidential Computing with TEEs.
A thorough exploration of trust domains, including explorations of communities of practice, the centralization of control and policies, and monitoring
Perfect for security architects at the CISSP level or higher, Trust in Computer Systems and the Cloud is also an indispensable addition to the libraries of system architects, security system engineers, and master’s students in software architecture and security. -
Network Functions Virtualisation (NFV); NFV Security; Report on use cases and technical approaches for multi-layer host administration
ETSI
Rapporteur (Editor): Mike Bursell.
-
Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance
ETSI
Rapporteurs (Editors): Mike Bursell, Kurt Roemer.
-
Security and trust in p2p systems, in Information Security and Ethics: Concepts, Methodologies, Tools, and Applications
IGI Global
This chapter examines the issue of security in peer-to-peer (P2P) systems from the standpoint of trust. It takes the view that P2P systems present particular challenges in terms of trust over other socio-technical systems, and identifies three key areas of importance: identity; social contexts; punishment and deterrence. It suggests that a better understanding of these areas and the trade-offs associated with them can help in the design, implementation, and running of P2P systems. The chapter…
This chapter examines the issue of security in peer-to-peer (P2P) systems from the standpoint of trust. It takes the view that P2P systems present particular challenges in terms of trust over other socio-technical systems, and identifies three key areas of importance: identity; social contexts; punishment and deterrence. It suggests that a better understanding of these areas and the trade-offs associated with them can help in the design, implementation, and running of P2P systems. The chapter combines a discussion of problems and issues in current systems with a review of some of the wider sociological and nonsystems literature which can aid those involved with P2P systems. It concludes with some suggestions for areas where future research may provide fruitful insights.
Patents
-
Message decryption dependent on third-party confirmation of a condition precedent
Issued 11451380
Message decryption dependent on third-party confirmation of a condition precedent is disclosed. A message is encrypted with a message encryption key to form an encrypted message. A message decryption key that is configured to decrypt the encrypted message is encrypted with a key of a first entity to which the message is to be disclosed upon occurrence of a condition precedent to form an encrypted message decryption key. The encrypted message decryption key is encrypted with a key of a second…
Message decryption dependent on third-party confirmation of a condition precedent is disclosed. A message is encrypted with a message encryption key to form an encrypted message. A message decryption key that is configured to decrypt the encrypted message is encrypted with a key of a first entity to which the message is to be disclosed upon occurrence of a condition precedent to form an encrypted message decryption key. The encrypted message decryption key is encrypted with a key of a second entity configured to confirm the occurrence of the condition precedent to form a double encrypted message decryption key. A condition identifier that identifies the condition precedent is generated. The encrypted message, the double encrypted message decryption key, and the condition identifier are sent to the first entity.
Other inventorsSee patent -
Proof of code compliance and protected integrity using a trusted execution environment
Issued 11449601
The technology disclosed herein enables a first computing process to execute within a trusted execution environment to protect its data from other processes while selectively enabling a second computing process (e.g., a kernel process) to inspect data for compliance. An example method may include: establishing, by a processor, a trusted execution area for the first computing process, wherein the trusted execution area comprises an encrypted storage area; copying data of the first computing…
The technology disclosed herein enables a first computing process to execute within a trusted execution environment to protect its data from other processes while selectively enabling a second computing process (e.g., a kernel process) to inspect data for compliance. An example method may include: establishing, by a processor, a trusted execution area for the first computing process, wherein the trusted execution area comprises an encrypted storage area; copying data of the first computing process into the trusted execution area, wherein the data comprises executable data or non-executable data; enabling the second computing process to access the copy of the data of the first computing process; and executing, by the processor, the first computing process using the trusted execution area.
-
Proof-of-work key wrapping for restricting data execution based on device capabilities
Issued 11436352
The technology disclosed herein provides a proof-of-work key wrapping system for restricting data execution based on device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute; using the cryptographic key to access program data; and executing, by the processing…
The technology disclosed herein provides a proof-of-work key wrapping system for restricting data execution based on device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute; using the cryptographic key to access program data; and executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time.
Other inventorsSee patent -
Proof-of-work key wrapping for cryptographically controlling data access
Issued 11424920
The technology disclosed herein provides a proof-of-work key wrapping system that cryptographically controls access to data. An example method may include: selecting a set of cryptographic attributes in view of a characteristic of a computing device; obtaining, by a processing device, a cryptographic key; encrypting, by the processing device, the cryptographic key in view of the set of cryptographic attributes to produce a wrapped key; and providing the wrapped key and at least one of the…
The technology disclosed herein provides a proof-of-work key wrapping system that cryptographically controls access to data. An example method may include: selecting a set of cryptographic attributes in view of a characteristic of a computing device; obtaining, by a processing device, a cryptographic key; encrypting, by the processing device, the cryptographic key in view of the set of cryptographic attributes to produce a wrapped key; and providing the wrapped key and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving the cryptographic key from the wrapped key.
Other inventorsSee patent -
Adaptive and secure bitecode injection based on comparison with previously stored bytecode
Issued 11416273
Methods and systems for storing and injecting bytecode are provided. In one embodiment, a method is provided that includes receiving a first function for execution at a first time and generating a first bytecode based on the first function for use in executing the first function. The first bytecode may then be stored with an identifier of the first function. At a second time after the first time, a second function may be received for execution. The second function may be identified as…
Methods and systems for storing and injecting bytecode are provided. In one embodiment, a method is provided that includes receiving a first function for execution at a first time and generating a first bytecode based on the first function for use in executing the first function. The first bytecode may then be stored with an identifier of the first function. At a second time after the first time, a second function may be received for execution. The second function may be identified as corresponding to the first function and the first bytecode may be received. The first bytecode may then be injected into a container for execution of the second function.
Other inventorsSee patent -
Proof-of-work key wrapping with integrated key fragments
Issued 11411938
The technology disclosed herein provides a proof-of-work key wrapping system that uses integrated key fragments to cryptographically control access to data. An example method may include encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; determining a plurality of key fragments of a second cryptographic key, wherein the second cryptographic key is for decrypting the wrapped key and at least one of the…
The technology disclosed herein provides a proof-of-work key wrapping system that uses integrated key fragments to cryptographically control access to data. An example method may include encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; determining a plurality of key fragments of a second cryptographic key, wherein the second cryptographic key is for decrypting the wrapped key and at least one of the plurality of key fragments is derived using one of the key fragments as input; selecting a set of cryptographic attributes for deriving the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.
Other inventorsSee patent -
Proof-of-work key wrapping with individual key fragments
Issued 11411728
The technology disclosed herein provides a proof-of-work key wrapping system that uses key fragments to cryptographically control access to data. An example method may include: encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; splitting a second cryptographic key into a plurality of key fragments, wherein the second cryptographic key is for decrypting the wrapped key; selecting a set of cryptographic…
The technology disclosed herein provides a proof-of-work key wrapping system that uses key fragments to cryptographically control access to data. An example method may include: encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; splitting a second cryptographic key into a plurality of key fragments, wherein the second cryptographic key is for decrypting the wrapped key; selecting a set of cryptographic attributes for deriving at least one of the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.
Other inventorsSee patent -
Secure preloading of serverless function sequences
Issued 11356367
According to one example, a method includes, with a serverless function infrastructure, associated a routing secret with a function sequence. The method further includes, with a sequence controller of the serverless function infrastructure, appending the routing secret to a header of a request to invoke a first function of the function sequence. The method further includes, with the serverless function infrastructure invoking the first function of the function sequence, in response to…
According to one example, a method includes, with a serverless function infrastructure, associated a routing secret with a function sequence. The method further includes, with a sequence controller of the serverless function infrastructure, appending the routing secret to a header of a request to invoke a first function of the function sequence. The method further includes, with the serverless function infrastructure invoking the first function of the function sequence, in response to authenticating the routing secret in the header of the request. The method further includes, after the first function has been invoked and before the first function completes execution, with a serving controller of the serverless function infrastructure, preloading subsequent functions of the function sequence.
Other inventorsSee patent -
Use of a trusted execution environment as a safe build environment
Issued 11341247
Use of a trusted execution environment (TEE) as a safe build environment. A build task is initiated in a TEE of a compute instance. The build task generates a first software component.
-
Resource sharing for trusted execution environments
Issued 11343082
The technology disclosed herein enables resource sharing for trusted execution environments. An example method can include: establishing a first trusted execution environment (TEE) in a first computing device; establishing, by the first TEE, a set of shell TEEs, where each shell TEE is configured in view of one or more configuration parameters associated with the set of shell TEEs; receiving, by the first TEE, a request from a tenant computing device to establish a second TEE; determining, by…
The technology disclosed herein enables resource sharing for trusted execution environments. An example method can include: establishing a first trusted execution environment (TEE) in a first computing device; establishing, by the first TEE, a set of shell TEEs, where each shell TEE is configured in view of one or more configuration parameters associated with the set of shell TEEs; receiving, by the first TEE, a request from a tenant computing device to establish a second TEE; determining, by the first TEE, whether the configuration parameters associated with the set of shell TEEs satisfy one or more request parameters for the second TEE; and responsive to determining that the configuration parameters associated with the set of shell TEEs satisfy the one or more request parameters for the second TEE, establishing, by the first TEE, the second TEE to satisfy the request, wherein the second TEE is selected from the set of shell TEEs, and causing, by the first TEE, the second TEE to communicate with tenant computing device.
Other inventorsSee patent -
Multi-stage secure smart contracts
Issued 11316660
Encrypted multi-stage smart contracts are disclosed. A smart contract that is to be performed by a contract executor in a plurality of successive stages is generated. For each respective stage of at least some stages, a package of data is encrypted with at least one key to generate an encrypted package that corresponds to the respective stage, and an envelope that corresponds to the respective stage is generated. The envelope includes a condition precedent confirmable by an oracle, and an…
Encrypted multi-stage smart contracts are disclosed. A smart contract that is to be performed by a contract executor in a plurality of successive stages is generated. For each respective stage of at least some stages, a package of data is encrypted with at least one key to generate an encrypted package that corresponds to the respective stage, and an envelope that corresponds to the respective stage is generated. The envelope includes a condition precedent confirmable by an oracle, and an encrypted package-decryption key that is encrypted with a key of the contract executor. The encrypted package-decryption key, when decrypted, is configured to facilitate the decryption of the encrypted package that corresponds to the respective stage. For at least some of the stages, the encrypted package comprises an envelope and an encrypted package that corresponds to a next successive stage.
Other inventorsSee patent -
Proof-of-work key wrapping for temporally restricting data access
Issued 11316839
The technology disclosed herein provides an enhanced access control mechanism that uses a proof-of-work key wrapping system to temporally restrict access to data. An example method may include: determining, by a processing device, characteristics of a computing device; accessing a cryptographic key for accessing content; selecting a set of cryptographic attributes for wrapping the cryptographic key, wherein the set of cryptographic attributes are selected to enable the computing device to…
The technology disclosed herein provides an enhanced access control mechanism that uses a proof-of-work key wrapping system to temporally restrict access to data. An example method may include: determining, by a processing device, characteristics of a computing device; accessing a cryptographic key for accessing content; selecting a set of cryptographic attributes for wrapping the cryptographic key, wherein the set of cryptographic attributes are selected to enable the computing device to derive the cryptographic key from a wrapped key in a predetermined duration of time; and providing the wrapped key and an indication of at least one of the cryptographic attributes to the computing device.
Other inventorsSee patent -
Proof-of-work key wrapping with key thresholding
Issued 11303437
The technology disclosed herein provides a proof-of-work key wrapping system that uses key thresholding to cryptographically control data access. An example method may include: accessing a plurality of cryptographic key shares, wherein two or more of the plurality of cryptographic key shares enable access to content; selecting, by a processing device, a set of cryptographic attributes in view of a characteristic of a computing device; encrypting the plurality of cryptographic key shares to…
The technology disclosed herein provides a proof-of-work key wrapping system that uses key thresholding to cryptographically control data access. An example method may include: accessing a plurality of cryptographic key shares, wherein two or more of the plurality of cryptographic key shares enable access to content; selecting, by a processing device, a set of cryptographic attributes in view of a characteristic of a computing device; encrypting the plurality of cryptographic key shares to produce a plurality of wrapped key shares, wherein at least one of the plurality of cryptographic key shares is encrypted in view of the set of cryptographic attributes; and providing a wrapped key share of the plurality of wrapped key shares and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving an access key from the plurality of wrapped key shares.
Other inventorsSee patent -
Concealed monitor communications from a task in a trusted execution environment
Issued 11297100
Concealed monitor communications from a task in a trusted execution environment (TEE) are disclosed. A first task executing in a first trusted execution environment (TEE) implemented on a processor device determines that a monitor communication is to be sent to a monitor task, the first task being configured to generate response messages in response to requests from requestor tasks, the response messages having a predetermined characteristic. The first task generates the monitor communication…
Concealed monitor communications from a task in a trusted execution environment (TEE) are disclosed. A first task executing in a first trusted execution environment (TEE) implemented on a processor device determines that a monitor communication is to be sent to a monitor task, the first task being configured to generate response messages in response to requests from requestor tasks, the response messages having a predetermined characteristic. The first task generates the monitor communication, the monitor communication having the predetermined characteristic and an encoded monitor communication report. The first task sends the monitor communication toward the monitor task.
-
Providing smart contracts including secrets encrypted with oracle-provided encryption keys using threshold cryptosystems
Issued 11295024
Providing smart contracts including secrets encrypted with oracle-provided encryption keys using thresholding cryptosystems is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext with multiple symmetric cryptographic keys using a threshold cryptosystem, such that a subset of at least size R of the symmetric cryptographic keys are required to decrypt the ciphertext. The symmetric cryptographic keys are encrypted into…
Providing smart contracts including secrets encrypted with oracle-provided encryption keys using thresholding cryptosystems is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext with multiple symmetric cryptographic keys using a threshold cryptosystem, such that a subset of at least size R of the symmetric cryptographic keys are required to decrypt the ciphertext. The symmetric cryptographic keys are encrypted into wrappers using a public cryptographic key of a contract executor. Envelopes are generated using public cryptographic keys of corresponding contract oracles, where the envelopes include the wrappers encrypted using the public cryptographic keys, and policies that specify condition(s) precedent and are authenticated using the public cryptographic keys. The smart contract, including the envelopes, the ciphertext, and R, is then deployed to the contract executor. In this manner, the sensitive data is protected from unauthorized access within the smart contract.
Other inventorsSee patent -
Proof-of-work key wrapping for verifying device capabilities
Issued 11271734
The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: receiving a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access…
The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: receiving a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the condition.
Other inventorsSee patent -
Monitoring a process in a trusted execution environment to identify a resource starvation attack
Issued 11263318
Monitoring a process in a trusted execution environment (TEE) to identify a resource starvation attack. A first monitor executing outside of a first TEE determines that a first process is executing in the first TEE. The first monitor makes a determination that the first process is being denied resources necessary for execution of the first process. The first monitor sends an indication indicating that the first process is being denied resources necessary for execution of the first process.
-
Using a trusted execution environment for a proof-of-work key wrapping scheme that verifies remote device capabilities
Issued 11263310
The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: accessing instructions, a wrapped key, and a cryptographic attribute for the wrapped key from an encrypted memory region, wherein the wrapped key encodes a cryptographic key; executing, by a processing device, the instructions to derive the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the executing consumes…
The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: accessing instructions, a wrapped key, and a cryptographic attribute for the wrapped key from an encrypted memory region, wherein the wrapped key encodes a cryptographic key; executing, by a processing device, the instructions to derive the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the executing consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the evaluated condition.
Other inventorsSee patent -
Detection and prevention of unauthorized execution of severless functions
Issued 11240045
Methods and systems for detecting and responding to fabricated or unauthorized events received by serverless computing environments are provided. In one embodiment the method is provided that includes receiving an event from an event source external to the serverless computing environment for execution by function. The method may then include creating a message that includes the events and signing the message with an identifier of the event source. The message may then be received at the…
Methods and systems for detecting and responding to fabricated or unauthorized events received by serverless computing environments are provided. In one embodiment the method is provided that includes receiving an event from an event source external to the serverless computing environment for execution by function. The method may then include creating a message that includes the events and signing the message with an identifier of the event source. The message may then be received at the function and the identifier of the event source may be validated. The event may then be executed with the function of the serverless computing environment if the identifier of the event sources successfully validated. However, if the identifier of the event source is not successfully validated, execution of the event with the function may be prevented.
Other inventorsSee patent -
Dynamic configuration in cloud computing environments
Issued US 11140030
Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one…
Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
-
Negotiating trust degradation for a central entity by peers lacking direct communication with one another
Issued US 10666649
Systems, apparatuses and methods may provide for generating, in response to a decrease in trustworthiness with respect to a controller, a notification message and generating a message authentication code (MAC) based on the notification message and one or more locally stored keys. Additionally, the notification message and the MAC may be sent to the controller, wherein the notification message is directed to one or more peers in a network associated with the controller. In one example, the…
Systems, apparatuses and methods may provide for generating, in response to a decrease in trustworthiness with respect to a controller, a notification message and generating a message authentication code (MAC) based on the notification message and one or more locally stored keys. Additionally, the notification message and the MAC may be sent to the controller, wherein the notification message is directed to one or more peers in a network associated with the controller. In one example, the notification message includes one or more of an indication that the controller is compromised or an indication that the controller is suspected to be compromised.
Other inventors -
-
Technologies for independent service level agreement monitoring
Issued US 10572650
Technologies for monitoring service level agreement (SLA) performance in an end-to-end SLA monitoring architecture include a network functions virtualization (NFV) SLA controller configured to manage SLA agents initialized in various network processing components of the end-to-end SLA monitoring architecture. To do so, the NFV SLA controller is configured to provide instruction to the SLA agents indicating which types of telemetry data to monitor and receive the requested telemetry data, as…
Technologies for monitoring service level agreement (SLA) performance in an end-to-end SLA monitoring architecture include a network functions virtualization (NFV) SLA controller configured to manage SLA agents initialized in various network processing components of the end-to-end SLA monitoring architecture. To do so, the NFV SLA controller is configured to provide instruction to the SLA agents indicating which types of telemetry data to monitor and receive the requested telemetry data, as securely collected and securely packaged by the SLA agents. The NFV SLA controller is further configured to securely analyze the received telemetry data to determine one or more performance metrics and compare performance benchmarks against the performance metrics to generate an SLA report that includes the results of the comparison. Other embodiments are described and claimed.
Other inventorsSee patent -
Technologies for simulating service degradation in a software defined network
Issued US 10567263
Technologies for simulating service degradation in telemetry data include a simulator device. The simulator device is to identify a telemetry data stream from a production system to a first management system. The simulator device is also to fork a copy of the telemetry data stream for transmission to a second management system, determine perturbations associated with a determined service degradation type, and apply the perturbations to the forked telemetry data stream. Other embodiments are…
Technologies for simulating service degradation in telemetry data include a simulator device. The simulator device is to identify a telemetry data stream from a production system to a first management system. The simulator device is also to fork a copy of the telemetry data stream for transmission to a second management system, determine perturbations associated with a determined service degradation type, and apply the perturbations to the forked telemetry data stream. Other embodiments are also described and claimed.
Other inventorsSee patent -
Dynamic configuration in cloud computing environments
Issued US 10263842
Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one…
Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
-
Networked peer device round-robin security controller
Issued US 10200410
A round-robin network security system implemented by a number of peer devices included in a plurality of networked peer devices. The round-robin security system permits the rotation of the system security controller among at least a portion of the peer devices. Each of the peer devices uses a defined trust assessment ruleset to determine whether the system security controller is trusted/trustworthy. An untrusted system security controller peer device is replaced by another of the peer devices…
A round-robin network security system implemented by a number of peer devices included in a plurality of networked peer devices. The round-robin security system permits the rotation of the system security controller among at least a portion of the peer devices. Each of the peer devices uses a defined trust assessment ruleset to determine whether the system security controller is trusted/trustworthy. An untrusted system security controller peer device is replaced by another of the peer devices selected by the peer devices. The current system security controller peer device transfers system threat information and security risk information collected from the peer devices to the new system security controller elected by the peer devices.
Other inventorsSee patent -
Enhanced virtual function capabilities in a virtualized network environment
Issued US 10127072
The present disclosure is directed to enhanced virtual function capabilities in a virtualized network environment. In general, devices may comprise physical and virtualized resources. The physical resources may comprise at least a network adaptor that may handle incoming data from a network and outgoing data to the network. The virtualized resources may comprise at least one virtual machine (VM) and a corresponding interface. The corresponding interface may be one of a physical interface, a…
The present disclosure is directed to enhanced virtual function capabilities in a virtualized network environment. In general, devices may comprise physical and virtualized resources. The physical resources may comprise at least a network adaptor that may handle incoming data from a network and outgoing data to the network. The virtualized resources may comprise at least one virtual machine (VM) and a corresponding interface. The corresponding interface may be one of a physical interface, a virtual interface or a "super" virtual interface. The physical interface may provide a first set of capabilities allowing the VM to access (e.g., control) at least the network adaptor. The virtual interface may provide a second set of capabilities that is a subset of the first set. The super virtual interface may provide a third set of capabilities including the second set of capabilities and at least one additional capability from the first set of capabilities.
Other inventorsSee patent -
Enhanced virtual function capabilities in a virtualized network environment
Issued US 9910692
The present disclosure is directed to enhanced virtual function capabilities in a virtualized network environment. In general, devices may comprise physical and virtualized resources. The physical resources may comprise at least a network adaptor that may handle incoming data from a network and outgoing data to the network. The virtualized resources may comprise at least one virtual machine (VM) and a corresponding interface. The corresponding interface may be one of a physical interface, a…
The present disclosure is directed to enhanced virtual function capabilities in a virtualized network environment. In general, devices may comprise physical and virtualized resources. The physical resources may comprise at least a network adaptor that may handle incoming data from a network and outgoing data to the network. The virtualized resources may comprise at least one virtual machine (VM) and a corresponding interface. The corresponding interface may be one of a physical interface, a virtual interface or a "super" virtual interface. The physical interface may provide a first set of capabilities allowing the VM to access (e.g., control) at least the network adaptor. The virtual interface may provide a second set of capabilities that is a subset of the first set. The super virtual interface may provide a third set of capabilities including the second set of capabilities and at least one additional capability from the first set of capabilities.
Other inventorsSee patent -
Storage encryption
Issued US 9509501
Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored…
Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored therein. Upon transfer, the header may be re-encrypted to affect the transfer of security.
-
Optimizing virtual machine migration via identification and treatment of virtual memory swap file
Issued US 9268588
A virtualization computing platform may host a virtual machine. The virtual machine may be hosted by a first set of resources of the virtualization computing platform. A second set of resources for hosting the virtual machine may be identified. The second set of resources may comprise resources of the virtualization computing platform that are distinct from the first set of resources. At least a portion of a plurality of files associated with the virtual machine may be copied from the first set…
A virtualization computing platform may host a virtual machine. The virtual machine may be hosted by a first set of resources of the virtualization computing platform. A second set of resources for hosting the virtual machine may be identified. The second set of resources may comprise resources of the virtualization computing platform that are distinct from the first set of resources. At least a portion of a plurality of files associated with the virtual machine may be copied from the first set of resources to the second set of resources. A virtual memory swap file may be identified from among the plurality of files associated with the virtual machine. Based on identifying the virtual memory swap file as a virtual memory swap file, the virtual memory swap file may be treated differently from one or more other of the plurality of files associated with the virtual machine.
Other inventorsSee patent -
Secure administration of virtual machines
Issued US 9258290
Methods and systems for performing secure administration of virtual domain resource allocation are provided herein. A cloud service provider (CSP) may provide instances of virtual machines to one or more contracting user entities. The cloud service provider may store an authorization database identifying one or more resources (e.g., storage, CPU, etc.) that each of the different contracting user entities is authorized to use on a virtual machine server device. The CSP may subsequently receive a…
Methods and systems for performing secure administration of virtual domain resource allocation are provided herein. A cloud service provider (CSP) may provide instances of virtual machines to one or more contracting user entities. The cloud service provider may store an authorization database identifying one or more resources (e.g., storage, CPU, etc.) that each of the different contracting user entities is authorized to use on a virtual machine server device. The CSP may subsequently receive a request from an unverified entity to instantiate a virtual machine with access to one or more resources. The request may include security information. The CSP validates the request by verifying the unverified entity using the first security information (e.g., checking a PKI certificate, requiring a login/password, etc.) and, when the request is validated, provides access to the verified entity to a subset of the requested one or more resources based on the authorization database.
-
Dynamic configuration in cloud computing environments
Issued US 9251115
Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one…
Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
-
Controlling a network interface using virtual switch proxying
Issued US 9083651
Methods and systems for permitting a controller within a virtualization environment to control access to devices virtualized within hardware are described herein. For example, a NIC may be able to request rules that define how network traffic is managed at the NIC's virtual switch. In some arrangements, the NIC may transmit a query for the matching rule to a proxy, which may determine whether it has a rule matching the request. If the proxy does not have a matching rule, the proxy may query a…
Methods and systems for permitting a controller within a virtualization environment to control access to devices virtualized within hardware are described herein. For example, a NIC may be able to request rules that define how network traffic is managed at the NIC's virtual switch. In some arrangements, the NIC may transmit a query for the matching rule to a proxy, which may determine whether it has a rule matching the request. If the proxy does not have a matching rule, the proxy may query a controller for the matching rule, which may transmit the rule to the proxy. The proxy may update its store of rules and transmit the matching rule to the NIC. Upon receipt of the matching rule, the NIC may update the rules stored in its virtual switch and may process the packet in accordance with the matching rule.
-
Storage encryption
Issued US 9003203
Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored…
Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored therein. Upon transfer, the header may be re-encrypted to affect the transfer of security.
-
System and method for mounting encrypted data based on availability of a key on a network
Issued US 8639928
A system and a method are provided for retrieving decryption keys from a secure location that is separate from the encrypted data. In particular, for each decryption key, there is an associated key ID, public and private authentication key pair and a storage key. The decryption key is encrypted and can be decrypted with the storage key. A key-server securely stores the encrypted decryption key, key ID and public authentication key. A separate key-host stores the storage key, key ID and private…
A system and a method are provided for retrieving decryption keys from a secure location that is separate from the encrypted data. In particular, for each decryption key, there is an associated key ID, public and private authentication key pair and a storage key. The decryption key is encrypted and can be decrypted with the storage key. A key-server securely stores the encrypted decryption key, key ID and public authentication key. A separate key-host stores the storage key, key ID and private authentication key. For the key-host to retrieve the encrypted decryption key, the key-server first authenticates the key-host using the authentication keys. Upon receipt of the encrypted decryption key, the key-host decrypts the encrypted key using the storage key. The decryption key is then used for decrypting the encrypted data.
-
Data certification methods and apparatus
Issued US 8635457
This invention generally relates methods, computer program code, data processing apparatus, and signals for certifying data, in particular by means of an electronic signature. Embodiments of the invention can be implemented on a user terminal without the need for dedicated hardware or software and may be termed "zero-footprint" data certification methods. A method of providing an electronic signature to-a-server; the method including receiving data for said server at a proxy system for said…
This invention generally relates methods, computer program code, data processing apparatus, and signals for certifying data, in particular by means of an electronic signature. Embodiments of the invention can be implemented on a user terminal without the need for dedicated hardware or software and may be termed "zero-footprint" data certification methods. A method of providing an electronic signature to-a-server; the method including receiving data for said server at a proxy system for said server; reading said received data to identify a signature request; obtaining a signature for a portion of said received data associated with said request responsive to said request, and providing said signature from said proxy system to said server. The use of a signature-enabled reverse proxy enables the use of a zero footprint user terminal, that is without the need to add additional functionality to the terminal for the purposes of signature creation in the context of a distributed application architecture.
Other inventorsSee patent -
Secure administration of virtual machines
Issued US 8583920
Methods and systems for performing secure administration of virtual domain resource allocation are provided herein. A cloud service provider (CSP) may provide instances of virtual machines to one or more contracting user entities. The cloud service provider may store an authorization database identifying one or more resources (e.g., storage, CPU, etc.) that each of the different contracting user entities is authorized to use on a virtual machine server device. The CSP may subsequently receive a…
Methods and systems for performing secure administration of virtual domain resource allocation are provided herein. A cloud service provider (CSP) may provide instances of virtual machines to one or more contracting user entities. The cloud service provider may store an authorization database identifying one or more resources (e.g., storage, CPU, etc.) that each of the different contracting user entities is authorized to use on a virtual machine server device. The CSP may subsequently receive a request from an unverified entity to instantiate a virtual machine with access to one or more resources. The request may include security information. The CSP validates the request by verifying the unverified entity using the first security information (e.g., checking a PKI certificate, requiring a login/password, etc.) and, when the request is validated, provides access to the verified entity to a subset of the requested one or more resources based on the authorization database.
Honors & Awards
-
Linux/Unix security: ICE II - “Best Defender”
SANS
Languages
-
French
Limited working proficiency
-
Spanish
Elementary proficiency
-
Latin
Limited working proficiency
Organizations
-
ETSI NFV
Vice Chair, Security WG
- PresentVice Chair and rapporteur for Security Working Group, ETSI NFV.
-
IEEE
-
- -
ETSI NFV
Caretaker chairman, Security WG
-
Recommendations received
16 people have recommended Mike
Join now to viewMore activity by Mike
-
What's new on my YouTube channel "What is cybersecurity?" (https://lnkd.in/dWzeFyXp)? Well, many of you will have to work with users, and if you do,…
What's new on my YouTube channel "What is cybersecurity?" (https://lnkd.in/dWzeFyXp)? Well, many of you will have to work with users, and if you do,…
Shared by Mike Bursell
-
🚀 The Confidential Computing Consortium (CCC) welcomes HONEYPOTZ, INC. as a Startup Member! 🔐 Honeypotz empowers organizations with secure…
🚀 The Confidential Computing Consortium (CCC) welcomes HONEYPOTZ, INC. as a Startup Member! 🔐 Honeypotz empowers organizations with secure…
Liked by Mike Bursell
-
🎙️ New Podcast Alert! Dive into “TEEs and Confidential Computing: Paving the Way for Onchain AI” on the Zero Gravity podcast! 🚀 Join Mike…
🎙️ New Podcast Alert! Dive into “TEEs and Confidential Computing: Paving the Way for Onchain AI” on the Zero Gravity podcast! 🚀 Join Mike…
Liked by Mike Bursell
-
I gave a talk at #WasmCon 2024 in Salt Lake City earlier this November. It is titled "Protecting Wasm Workloads with Confidential Computing and…
I gave a talk at #WasmCon 2024 in Salt Lake City earlier this November. It is titled "Protecting Wasm Workloads with Confidential Computing and…
Liked by Mike Bursell
-
This is an important article which discusses points which (though of little surprise to those of us who have worked in telecoms security) need to be…
This is an important article which discusses points which (though of little surprise to those of us who have worked in telecoms security) need to be…
Shared by Mike Bursell
-
Confidential computing - RHAT Dan on Tech. Biggest increases in security in years. US and All Govt agencies must insist on Confidential Computing on…
Confidential computing - RHAT Dan on Tech. Biggest increases in security in years. US and All Govt agencies must insist on Confidential Computing on…
Liked by Mike Bursell
-
huge +1 Dan Walsh is taking the position that Confidential Computing and trust boundaries must become the default mode of operation. starting from…
huge +1 Dan Walsh is taking the position that Confidential Computing and trust boundaries must become the default mode of operation. starting from…
Liked by Mike Bursell
-
As Head of Marketing for a confidential computing startup (in 2022), I definitely had moments with the leadership team where I just had to ask: "So…
As Head of Marketing for a confidential computing startup (in 2022), I definitely had moments with the leadership team where I just had to ask: "So…
Liked by Mike Bursell
-
What's the latest video on my YouTube channel "What is cybersecurity?" (https://lnkd.in/eT-v2RNQ). Well, it's one for anyone who's defending a set…
What's the latest video on my YouTube channel "What is cybersecurity?" (https://lnkd.in/eT-v2RNQ). Well, it's one for anyone who's defending a set…
Liked by Mike Bursell
-
What's the latest video on my YouTube channel "What is cybersecurity?" (https://lnkd.in/eT-v2RNQ). Well, it's one for anyone who's defending a set…
What's the latest video on my YouTube channel "What is cybersecurity?" (https://lnkd.in/eT-v2RNQ). Well, it's one for anyone who's defending a set…
Shared by Mike Bursell
-
Well, I've just emailed by editor, Jim Minatel at Wiley - let's see if he bites. If so, I may have some news to announce soon... #cybersecurity…
Well, I've just emailed by editor, Jim Minatel at Wiley - let's see if he bites. If so, I may have some news to announce soon... #cybersecurity…
Posted by Mike Bursell
Other similar profiles
Explore collaborative articles
We’re unlocking community knowledge in a new way. Experts add insights directly into each article, started with the help of AI.
Explore MoreOthers named Mike Bursell
2 others named Mike Bursell are on LinkedIn
See others named Mike Bursell