Mike Bursell

Mike Bursell

Cambridge, England, United Kingdom
4K followers 500+ connections

About

I am a proud technologist at heart, and this has fuelled my career for the last three…

Activity

Join now to see all activity

Experience

  • ELASTIC Project Graphic
  • -

  • -

    Cambridge, England, United Kingdom

  • -

  • -

  • -

    Cambridge, UK

  • -

  • -

  • -

    Cambridge, England, United Kingdom

  • -

    Cambridge, UK

  • -

  • -

  • -

  • -

    Cambridge, United Kingdom

  • -

    Cambridge, United Kingdom

  • -

    UK

  • -

    Cambridge, United Kingdom

  • -

    Cambridge, United Kingdom

  • -

    Cambridge

  • -

  • -

  • -

  • -

  • -

  • -

  • -

  • -

    Cambridge, United Kingdom

Education

  • University of Cambridge Graphic

    University of Cambridge

    -

    Activities and Societies: King's College Choir, King's College Orchestra, Cambridge University Fencing Club, King's College Rugby Club, Cambridge University Jiu Jitsu Society

  • -

  • -

  • -

Volunteer Experience

  • Confidential Computing Consortium Graphic

    Governing Board member, Technical Advisory Committee member

    Confidential Computing Consortium

    - 3 years 4 months

    Science and Technology

  • Correspondent

    Opensource.com

    - 2 years 4 months

    Science and Technology

    I'm a Correspondent for Opensource.com, as well as a frequent contributor. The Correspondent programme replaced the "Community Moderator" programme in November 2019.

  • East of England Ambulance Service NHS Trust Graphic

    Community First Responder

    East of England Ambulance Service NHS Trust

    - 8 years 1 month

    Health

    Providing local emergency support to the community.

  • Community Moderator

    Opensource.com

    - 1 year 9 months

    Science and Technology

    I'm a Community Moderator at Opensource.com, as well as a frequent contributor.

  • Stour Valley Community School Graphic

    Governor

    Stour Valley Community School

    - Present 6 years 2 months

    Education

    Member of governing body.

  • Treasurer

    Confidential Computing Consortium

    - Present 5 years 2 months

    Science and Technology

Publications

  • Trust in Computer Systems and the Cloud

    Wiley

    Learn to analyze and measure risk by exploring the nature of trust and its application to cybersecurity

    Trust in Computer Systems and the Cloud delivers an insightful and practical new take on what it means to trust in the context of computer and network security and the impact on the emerging field of Confidential Computing. Author Mike Bursell’s experience, ranging from Chief Security Architect at Red Hat to CEO at a Confidential Computing start-up grounds the reader in fundamental…

    Learn to analyze and measure risk by exploring the nature of trust and its application to cybersecurity

    Trust in Computer Systems and the Cloud delivers an insightful and practical new take on what it means to trust in the context of computer and network security and the impact on the emerging field of Confidential Computing. Author Mike Bursell’s experience, ranging from Chief Security Architect at Red Hat to CEO at a Confidential Computing start-up grounds the reader in fundamental concepts of trust and related ideas before discussing the more sophisticated applications of these concepts to various areas in computing.

    The book demonstrates in the importance of understanding and quantifying risk and draws on the social and computer sciences to explain hardware and software security, complex systems, and open source communities. It takes a detailed look at the impact of Confidential Computing on security, trust and risk and also describes the emerging concept of trust domains, which provide an alternative to standard layered security.



    - Foundational definitions of trust from sociology and other social sciences, how they evolved, and what modern concepts of trust mean to computer professionals
    - A comprehensive examination of the importance of systems, from open-source communities to HSMs, TPMs, and Confidential Computing with TEEs.
    A thorough exploration of trust domains, including explorations of communities of practice, the centralization of control and policies, and monitoring

    Perfect for security architects at the CISSP level or higher, Trust in Computer Systems and the Cloud is also an indispensable addition to the libraries of system architects, security system engineers, and master’s students in software architecture and security.

    See publication
  • Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance

    ETSI

    Rapporteurs (Editors): Mike Bursell, Kurt Roemer.

    See publication
  • Security and trust in p2p systems, in Information Security and Ethics: Concepts, Methodologies, Tools, and Applications

    IGI Global

    This chapter examines the issue of security in peer-to-peer (P2P) systems from the standpoint of trust. It takes the view that P2P systems present particular challenges in terms of trust over other socio-technical systems, and identifies three key areas of importance: identity; social contexts; punishment and deterrence. It suggests that a better understanding of these areas and the trade-offs associated with them can help in the design, implementation, and running of P2P systems. The chapter…

    This chapter examines the issue of security in peer-to-peer (P2P) systems from the standpoint of trust. It takes the view that P2P systems present particular challenges in terms of trust over other socio-technical systems, and identifies three key areas of importance: identity; social contexts; punishment and deterrence. It suggests that a better understanding of these areas and the trade-offs associated with them can help in the design, implementation, and running of P2P systems. The chapter combines a discussion of problems and issues in current systems with a review of some of the wider sociological and nonsystems literature which can aid those involved with P2P systems. It concludes with some suggestions for areas where future research may provide fruitful insights.

    See publication

Patents

  • Message decryption dependent on third-party confirmation of a condition precedent

    Issued 11451380

    Message decryption dependent on third-party confirmation of a condition precedent is disclosed. A message is encrypted with a message encryption key to form an encrypted message. A message decryption key that is configured to decrypt the encrypted message is encrypted with a key of a first entity to which the message is to be disclosed upon occurrence of a condition precedent to form an encrypted message decryption key. The encrypted message decryption key is encrypted with a key of a second…

    Message decryption dependent on third-party confirmation of a condition precedent is disclosed. A message is encrypted with a message encryption key to form an encrypted message. A message decryption key that is configured to decrypt the encrypted message is encrypted with a key of a first entity to which the message is to be disclosed upon occurrence of a condition precedent to form an encrypted message decryption key. The encrypted message decryption key is encrypted with a key of a second entity configured to confirm the occurrence of the condition precedent to form a double encrypted message decryption key. A condition identifier that identifies the condition precedent is generated. The encrypted message, the double encrypted message decryption key, and the condition identifier are sent to the first entity.

    Other inventors
    See patent
  • Proof of code compliance and protected integrity using a trusted execution environment

    Issued 11449601

    The technology disclosed herein enables a first computing process to execute within a trusted execution environment to protect its data from other processes while selectively enabling a second computing process (e.g., a kernel process) to inspect data for compliance. An example method may include: establishing, by a processor, a trusted execution area for the first computing process, wherein the trusted execution area comprises an encrypted storage area; copying data of the first computing…

    The technology disclosed herein enables a first computing process to execute within a trusted execution environment to protect its data from other processes while selectively enabling a second computing process (e.g., a kernel process) to inspect data for compliance. An example method may include: establishing, by a processor, a trusted execution area for the first computing process, wherein the trusted execution area comprises an encrypted storage area; copying data of the first computing process into the trusted execution area, wherein the data comprises executable data or non-executable data; enabling the second computing process to access the copy of the data of the first computing process; and executing, by the processor, the first computing process using the trusted execution area.

    See patent
  • Proof-of-work key wrapping for restricting data execution based on device capabilities

    Issued 11436352

    The technology disclosed herein provides a proof-of-work key wrapping system for restricting data execution based on device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute; using the cryptographic key to access program data; and executing, by the processing…

    The technology disclosed herein provides a proof-of-work key wrapping system for restricting data execution based on device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute; using the cryptographic key to access program data; and executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time.

    Other inventors
    See patent
  • Proof-of-work key wrapping for cryptographically controlling data access

    Issued 11424920

    The technology disclosed herein provides a proof-of-work key wrapping system that cryptographically controls access to data. An example method may include: selecting a set of cryptographic attributes in view of a characteristic of a computing device; obtaining, by a processing device, a cryptographic key; encrypting, by the processing device, the cryptographic key in view of the set of cryptographic attributes to produce a wrapped key; and providing the wrapped key and at least one of the…

    The technology disclosed herein provides a proof-of-work key wrapping system that cryptographically controls access to data. An example method may include: selecting a set of cryptographic attributes in view of a characteristic of a computing device; obtaining, by a processing device, a cryptographic key; encrypting, by the processing device, the cryptographic key in view of the set of cryptographic attributes to produce a wrapped key; and providing the wrapped key and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving the cryptographic key from the wrapped key.

    Other inventors
    See patent
  • Adaptive and secure bitecode injection based on comparison with previously stored bytecode

    Issued 11416273

    Methods and systems for storing and injecting bytecode are provided. In one embodiment, a method is provided that includes receiving a first function for execution at a first time and generating a first bytecode based on the first function for use in executing the first function. The first bytecode may then be stored with an identifier of the first function. At a second time after the first time, a second function may be received for execution. The second function may be identified as…

    Methods and systems for storing and injecting bytecode are provided. In one embodiment, a method is provided that includes receiving a first function for execution at a first time and generating a first bytecode based on the first function for use in executing the first function. The first bytecode may then be stored with an identifier of the first function. At a second time after the first time, a second function may be received for execution. The second function may be identified as corresponding to the first function and the first bytecode may be received. The first bytecode may then be injected into a container for execution of the second function.

    Other inventors
    See patent
  • Proof-of-work key wrapping with integrated key fragments

    Issued 11411938

    The technology disclosed herein provides a proof-of-work key wrapping system that uses integrated key fragments to cryptographically control access to data. An example method may include encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; determining a plurality of key fragments of a second cryptographic key, wherein the second cryptographic key is for decrypting the wrapped key and at least one of the…

    The technology disclosed herein provides a proof-of-work key wrapping system that uses integrated key fragments to cryptographically control access to data. An example method may include encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; determining a plurality of key fragments of a second cryptographic key, wherein the second cryptographic key is for decrypting the wrapped key and at least one of the plurality of key fragments is derived using one of the key fragments as input; selecting a set of cryptographic attributes for deriving the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.

    Other inventors
    See patent
  • Proof-of-work key wrapping with individual key fragments

    Issued 11411728

    The technology disclosed herein provides a proof-of-work key wrapping system that uses key fragments to cryptographically control access to data. An example method may include: encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; splitting a second cryptographic key into a plurality of key fragments, wherein the second cryptographic key is for decrypting the wrapped key; selecting a set of cryptographic…

    The technology disclosed herein provides a proof-of-work key wrapping system that uses key fragments to cryptographically control access to data. An example method may include: encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; splitting a second cryptographic key into a plurality of key fragments, wherein the second cryptographic key is for decrypting the wrapped key; selecting a set of cryptographic attributes for deriving at least one of the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.

    Other inventors
    See patent
  • Secure preloading of serverless function sequences

    Issued 11356367

    According to one example, a method includes, with a serverless function infrastructure, associated a routing secret with a function sequence. The method further includes, with a sequence controller of the serverless function infrastructure, appending the routing secret to a header of a request to invoke a first function of the function sequence. The method further includes, with the serverless function infrastructure invoking the first function of the function sequence, in response to…

    According to one example, a method includes, with a serverless function infrastructure, associated a routing secret with a function sequence. The method further includes, with a sequence controller of the serverless function infrastructure, appending the routing secret to a header of a request to invoke a first function of the function sequence. The method further includes, with the serverless function infrastructure invoking the first function of the function sequence, in response to authenticating the routing secret in the header of the request. The method further includes, after the first function has been invoked and before the first function completes execution, with a serving controller of the serverless function infrastructure, preloading subsequent functions of the function sequence.

    Other inventors
    See patent
  • Use of a trusted execution environment as a safe build environment

    Issued 11341247

    Use of a trusted execution environment (TEE) as a safe build environment. A build task is initiated in a TEE of a compute instance. The build task generates a first software component.

    See patent
  • Resource sharing for trusted execution environments

    Issued 11343082

    The technology disclosed herein enables resource sharing for trusted execution environments. An example method can include: establishing a first trusted execution environment (TEE) in a first computing device; establishing, by the first TEE, a set of shell TEEs, where each shell TEE is configured in view of one or more configuration parameters associated with the set of shell TEEs; receiving, by the first TEE, a request from a tenant computing device to establish a second TEE; determining, by…

    The technology disclosed herein enables resource sharing for trusted execution environments. An example method can include: establishing a first trusted execution environment (TEE) in a first computing device; establishing, by the first TEE, a set of shell TEEs, where each shell TEE is configured in view of one or more configuration parameters associated with the set of shell TEEs; receiving, by the first TEE, a request from a tenant computing device to establish a second TEE; determining, by the first TEE, whether the configuration parameters associated with the set of shell TEEs satisfy one or more request parameters for the second TEE; and responsive to determining that the configuration parameters associated with the set of shell TEEs satisfy the one or more request parameters for the second TEE, establishing, by the first TEE, the second TEE to satisfy the request, wherein the second TEE is selected from the set of shell TEEs, and causing, by the first TEE, the second TEE to communicate with tenant computing device.

    Other inventors
    See patent
  • Multi-stage secure smart contracts

    Issued 11316660

    Encrypted multi-stage smart contracts are disclosed. A smart contract that is to be performed by a contract executor in a plurality of successive stages is generated. For each respective stage of at least some stages, a package of data is encrypted with at least one key to generate an encrypted package that corresponds to the respective stage, and an envelope that corresponds to the respective stage is generated. The envelope includes a condition precedent confirmable by an oracle, and an…

    Encrypted multi-stage smart contracts are disclosed. A smart contract that is to be performed by a contract executor in a plurality of successive stages is generated. For each respective stage of at least some stages, a package of data is encrypted with at least one key to generate an encrypted package that corresponds to the respective stage, and an envelope that corresponds to the respective stage is generated. The envelope includes a condition precedent confirmable by an oracle, and an encrypted package-decryption key that is encrypted with a key of the contract executor. The encrypted package-decryption key, when decrypted, is configured to facilitate the decryption of the encrypted package that corresponds to the respective stage. For at least some of the stages, the encrypted package comprises an envelope and an encrypted package that corresponds to a next successive stage.

    Other inventors
    See patent
  • Proof-of-work key wrapping for temporally restricting data access

    Issued 11316839

    The technology disclosed herein provides an enhanced access control mechanism that uses a proof-of-work key wrapping system to temporally restrict access to data. An example method may include: determining, by a processing device, characteristics of a computing device; accessing a cryptographic key for accessing content; selecting a set of cryptographic attributes for wrapping the cryptographic key, wherein the set of cryptographic attributes are selected to enable the computing device to…

    The technology disclosed herein provides an enhanced access control mechanism that uses a proof-of-work key wrapping system to temporally restrict access to data. An example method may include: determining, by a processing device, characteristics of a computing device; accessing a cryptographic key for accessing content; selecting a set of cryptographic attributes for wrapping the cryptographic key, wherein the set of cryptographic attributes are selected to enable the computing device to derive the cryptographic key from a wrapped key in a predetermined duration of time; and providing the wrapped key and an indication of at least one of the cryptographic attributes to the computing device.

    Other inventors
    See patent
  • Proof-of-work key wrapping with key thresholding

    Issued 11303437

    The technology disclosed herein provides a proof-of-work key wrapping system that uses key thresholding to cryptographically control data access. An example method may include: accessing a plurality of cryptographic key shares, wherein two or more of the plurality of cryptographic key shares enable access to content; selecting, by a processing device, a set of cryptographic attributes in view of a characteristic of a computing device; encrypting the plurality of cryptographic key shares to…

    The technology disclosed herein provides a proof-of-work key wrapping system that uses key thresholding to cryptographically control data access. An example method may include: accessing a plurality of cryptographic key shares, wherein two or more of the plurality of cryptographic key shares enable access to content; selecting, by a processing device, a set of cryptographic attributes in view of a characteristic of a computing device; encrypting the plurality of cryptographic key shares to produce a plurality of wrapped key shares, wherein at least one of the plurality of cryptographic key shares is encrypted in view of the set of cryptographic attributes; and providing a wrapped key share of the plurality of wrapped key shares and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving an access key from the plurality of wrapped key shares.

    Other inventors
    See patent
  • Concealed monitor communications from a task in a trusted execution environment

    Issued 11297100

    Concealed monitor communications from a task in a trusted execution environment (TEE) are disclosed. A first task executing in a first trusted execution environment (TEE) implemented on a processor device determines that a monitor communication is to be sent to a monitor task, the first task being configured to generate response messages in response to requests from requestor tasks, the response messages having a predetermined characteristic. The first task generates the monitor communication…

    Concealed monitor communications from a task in a trusted execution environment (TEE) are disclosed. A first task executing in a first trusted execution environment (TEE) implemented on a processor device determines that a monitor communication is to be sent to a monitor task, the first task being configured to generate response messages in response to requests from requestor tasks, the response messages having a predetermined characteristic. The first task generates the monitor communication, the monitor communication having the predetermined characteristic and an encoded monitor communication report. The first task sends the monitor communication toward the monitor task.

    See patent
  • Providing smart contracts including secrets encrypted with oracle-provided encryption keys using threshold cryptosystems

    Issued 11295024

    Providing smart contracts including secrets encrypted with oracle-provided encryption keys using thresholding cryptosystems is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext with multiple symmetric cryptographic keys using a threshold cryptosystem, such that a subset of at least size R of the symmetric cryptographic keys are required to decrypt the ciphertext. The symmetric cryptographic keys are encrypted into…

    Providing smart contracts including secrets encrypted with oracle-provided encryption keys using thresholding cryptosystems is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext with multiple symmetric cryptographic keys using a threshold cryptosystem, such that a subset of at least size R of the symmetric cryptographic keys are required to decrypt the ciphertext. The symmetric cryptographic keys are encrypted into wrappers using a public cryptographic key of a contract executor. Envelopes are generated using public cryptographic keys of corresponding contract oracles, where the envelopes include the wrappers encrypted using the public cryptographic keys, and policies that specify condition(s) precedent and are authenticated using the public cryptographic keys. The smart contract, including the envelopes, the ciphertext, and R, is then deployed to the contract executor. In this manner, the sensitive data is protected from unauthorized access within the smart contract.

    Other inventors
    See patent
  • Proof-of-work key wrapping for verifying device capabilities

    Issued 11271734

    The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: receiving a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access…

    The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: receiving a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the condition.

    Other inventors
    See patent
  • Monitoring a process in a trusted execution environment to identify a resource starvation attack

    Issued 11263318

    Monitoring a process in a trusted execution environment (TEE) to identify a resource starvation attack. A first monitor executing outside of a first TEE determines that a first process is executing in the first TEE. The first monitor makes a determination that the first process is being denied resources necessary for execution of the first process. The first monitor sends an indication indicating that the first process is being denied resources necessary for execution of the first process.

    See patent
  • Using a trusted execution environment for a proof-of-work key wrapping scheme that verifies remote device capabilities

    Issued 11263310

    The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: accessing instructions, a wrapped key, and a cryptographic attribute for the wrapped key from an encrypted memory region, wherein the wrapped key encodes a cryptographic key; executing, by a processing device, the instructions to derive the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the executing consumes…

    The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: accessing instructions, a wrapped key, and a cryptographic attribute for the wrapped key from an encrypted memory region, wherein the wrapped key encodes a cryptographic key; executing, by a processing device, the instructions to derive the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the executing consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the evaluated condition.

    Other inventors
    See patent
  • Detection and prevention of unauthorized execution of severless functions

    Issued 11240045

    Methods and systems for detecting and responding to fabricated or unauthorized events received by serverless computing environments are provided. In one embodiment the method is provided that includes receiving an event from an event source external to the serverless computing environment for execution by function. The method may then include creating a message that includes the events and signing the message with an identifier of the event source. The message may then be received at the…

    Methods and systems for detecting and responding to fabricated or unauthorized events received by serverless computing environments are provided. In one embodiment the method is provided that includes receiving an event from an event source external to the serverless computing environment for execution by function. The method may then include creating a message that includes the events and signing the message with an identifier of the event source. The message may then be received at the function and the identifier of the event source may be validated. The event may then be executed with the function of the serverless computing environment if the identifier of the event sources successfully validated. However, if the identifier of the event source is not successfully validated, execution of the event with the function may be prevented.

    Other inventors
    See patent
  • Dynamic configuration in cloud computing environments

    Issued US 11140030

    Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one…

    Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.

    See patent
  • Negotiating trust degradation for a central entity by peers lacking direct communication with one another

    Issued US 10666649

    Systems, apparatuses and methods may provide for generating, in response to a decrease in trustworthiness with respect to a controller, a notification message and generating a message authentication code (MAC) based on the notification message and one or more locally stored keys. Additionally, the notification message and the MAC may be sent to the controller, wherein the notification message is directed to one or more peers in a network associated with the controller. In one example, the…

    Systems, apparatuses and methods may provide for generating, in response to a decrease in trustworthiness with respect to a controller, a notification message and generating a message authentication code (MAC) based on the notification message and one or more locally stored keys. Additionally, the notification message and the MAC may be sent to the controller, wherein the notification message is directed to one or more peers in a network associated with the controller. In one example, the notification message includes one or more of an indication that the controller is compromised or an indication that the controller is suspected to be compromised.

    Other inventors
    • Timothy Verall
    See patent
  • Technologies for independent service level agreement monitoring

    Issued US 10572650

    Technologies for monitoring service level agreement (SLA) performance in an end-to-end SLA monitoring architecture include a network functions virtualization (NFV) SLA controller configured to manage SLA agents initialized in various network processing components of the end-to-end SLA monitoring architecture. To do so, the NFV SLA controller is configured to provide instruction to the SLA agents indicating which types of telemetry data to monitor and receive the requested telemetry data, as…

    Technologies for monitoring service level agreement (SLA) performance in an end-to-end SLA monitoring architecture include a network functions virtualization (NFV) SLA controller configured to manage SLA agents initialized in various network processing components of the end-to-end SLA monitoring architecture. To do so, the NFV SLA controller is configured to provide instruction to the SLA agents indicating which types of telemetry data to monitor and receive the requested telemetry data, as securely collected and securely packaged by the SLA agents. The NFV SLA controller is further configured to securely analyze the received telemetry data to determine one or more performance metrics and compare performance benchmarks against the performance metrics to generate an SLA report that includes the results of the comparison. Other embodiments are described and claimed.

    Other inventors
    See patent
  • Technologies for simulating service degradation in a software defined network

    Issued US 10567263

    Technologies for simulating service degradation in telemetry data include a simulator device. The simulator device is to identify a telemetry data stream from a production system to a first management system. The simulator device is also to fork a copy of the telemetry data stream for transmission to a second management system, determine perturbations associated with a determined service degradation type, and apply the perturbations to the forked telemetry data stream. Other embodiments are…

    Technologies for simulating service degradation in telemetry data include a simulator device. The simulator device is to identify a telemetry data stream from a production system to a first management system. The simulator device is also to fork a copy of the telemetry data stream for transmission to a second management system, determine perturbations associated with a determined service degradation type, and apply the perturbations to the forked telemetry data stream. Other embodiments are also described and claimed.

    Other inventors
    See patent
  • Dynamic configuration in cloud computing environments

    Issued US 10263842

    Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one…

    Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.

    See patent
  • Networked peer device round-robin security controller

    Issued US 10200410

    A round-robin network security system implemented by a number of peer devices included in a plurality of networked peer devices. The round-robin security system permits the rotation of the system security controller among at least a portion of the peer devices. Each of the peer devices uses a defined trust assessment ruleset to determine whether the system security controller is trusted/trustworthy. An untrusted system security controller peer device is replaced by another of the peer devices…

    A round-robin network security system implemented by a number of peer devices included in a plurality of networked peer devices. The round-robin security system permits the rotation of the system security controller among at least a portion of the peer devices. Each of the peer devices uses a defined trust assessment ruleset to determine whether the system security controller is trusted/trustworthy. An untrusted system security controller peer device is replaced by another of the peer devices selected by the peer devices. The current system security controller peer device transfers system threat information and security risk information collected from the peer devices to the new system security controller elected by the peer devices.

    Other inventors
    See patent
  • Enhanced virtual function capabilities in a virtualized network environment

    Issued US 10127072

    The present disclosure is directed to enhanced virtual function capabilities in a virtualized network environment. In general, devices may comprise physical and virtualized resources. The physical resources may comprise at least a network adaptor that may handle incoming data from a network and outgoing data to the network. The virtualized resources may comprise at least one virtual machine (VM) and a corresponding interface. The corresponding interface may be one of a physical interface, a…

    The present disclosure is directed to enhanced virtual function capabilities in a virtualized network environment. In general, devices may comprise physical and virtualized resources. The physical resources may comprise at least a network adaptor that may handle incoming data from a network and outgoing data to the network. The virtualized resources may comprise at least one virtual machine (VM) and a corresponding interface. The corresponding interface may be one of a physical interface, a virtual interface or a "super" virtual interface. The physical interface may provide a first set of capabilities allowing the VM to access (e.g., control) at least the network adaptor. The virtual interface may provide a second set of capabilities that is a subset of the first set. The super virtual interface may provide a third set of capabilities including the second set of capabilities and at least one additional capability from the first set of capabilities.

    Other inventors
    See patent
  • Enhanced virtual function capabilities in a virtualized network environment

    Issued US 9910692

    The present disclosure is directed to enhanced virtual function capabilities in a virtualized network environment. In general, devices may comprise physical and virtualized resources. The physical resources may comprise at least a network adaptor that may handle incoming data from a network and outgoing data to the network. The virtualized resources may comprise at least one virtual machine (VM) and a corresponding interface. The corresponding interface may be one of a physical interface, a…

    The present disclosure is directed to enhanced virtual function capabilities in a virtualized network environment. In general, devices may comprise physical and virtualized resources. The physical resources may comprise at least a network adaptor that may handle incoming data from a network and outgoing data to the network. The virtualized resources may comprise at least one virtual machine (VM) and a corresponding interface. The corresponding interface may be one of a physical interface, a virtual interface or a "super" virtual interface. The physical interface may provide a first set of capabilities allowing the VM to access (e.g., control) at least the network adaptor. The virtual interface may provide a second set of capabilities that is a subset of the first set. The super virtual interface may provide a third set of capabilities including the second set of capabilities and at least one additional capability from the first set of capabilities.

    Other inventors
    See patent
  • Storage encryption

    Issued US 9509501

    Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored…

    Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored therein. Upon transfer, the header may be re-encrypted to affect the transfer of security.

    See patent
  • Optimizing virtual machine migration via identification and treatment of virtual memory swap file

    Issued US 9268588

    A virtualization computing platform may host a virtual machine. The virtual machine may be hosted by a first set of resources of the virtualization computing platform. A second set of resources for hosting the virtual machine may be identified. The second set of resources may comprise resources of the virtualization computing platform that are distinct from the first set of resources. At least a portion of a plurality of files associated with the virtual machine may be copied from the first set…

    A virtualization computing platform may host a virtual machine. The virtual machine may be hosted by a first set of resources of the virtualization computing platform. A second set of resources for hosting the virtual machine may be identified. The second set of resources may comprise resources of the virtualization computing platform that are distinct from the first set of resources. At least a portion of a plurality of files associated with the virtual machine may be copied from the first set of resources to the second set of resources. A virtual memory swap file may be identified from among the plurality of files associated with the virtual machine. Based on identifying the virtual memory swap file as a virtual memory swap file, the virtual memory swap file may be treated differently from one or more other of the plurality of files associated with the virtual machine.

    Other inventors
    See patent
  • Secure administration of virtual machines

    Issued US 9258290

    Methods and systems for performing secure administration of virtual domain resource allocation are provided herein. A cloud service provider (CSP) may provide instances of virtual machines to one or more contracting user entities. The cloud service provider may store an authorization database identifying one or more resources (e.g., storage, CPU, etc.) that each of the different contracting user entities is authorized to use on a virtual machine server device. The CSP may subsequently receive a…

    Methods and systems for performing secure administration of virtual domain resource allocation are provided herein. A cloud service provider (CSP) may provide instances of virtual machines to one or more contracting user entities. The cloud service provider may store an authorization database identifying one or more resources (e.g., storage, CPU, etc.) that each of the different contracting user entities is authorized to use on a virtual machine server device. The CSP may subsequently receive a request from an unverified entity to instantiate a virtual machine with access to one or more resources. The request may include security information. The CSP validates the request by verifying the unverified entity using the first security information (e.g., checking a PKI certificate, requiring a login/password, etc.) and, when the request is validated, provides access to the verified entity to a subset of the requested one or more resources based on the authorization database.

    See patent
  • Dynamic configuration in cloud computing environments

    Issued US 9251115

    Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one…

    Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.

    See patent
  • Controlling a network interface using virtual switch proxying

    Issued US 9083651

    Methods and systems for permitting a controller within a virtualization environment to control access to devices virtualized within hardware are described herein. For example, a NIC may be able to request rules that define how network traffic is managed at the NIC's virtual switch. In some arrangements, the NIC may transmit a query for the matching rule to a proxy, which may determine whether it has a rule matching the request. If the proxy does not have a matching rule, the proxy may query a…

    Methods and systems for permitting a controller within a virtualization environment to control access to devices virtualized within hardware are described herein. For example, a NIC may be able to request rules that define how network traffic is managed at the NIC's virtual switch. In some arrangements, the NIC may transmit a query for the matching rule to a proxy, which may determine whether it has a rule matching the request. If the proxy does not have a matching rule, the proxy may query a controller for the matching rule, which may transmit the rule to the proxy. The proxy may update its store of rules and transmit the matching rule to the NIC. Upon receipt of the matching rule, the NIC may update the rules stored in its virtual switch and may process the packet in accordance with the matching rule.

    See patent
  • Storage encryption

    Issued US 9003203

    Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored…

    Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored therein. Upon transfer, the header may be re-encrypted to affect the transfer of security.

    See patent
  • System and method for mounting encrypted data based on availability of a key on a network

    Issued US 8639928

    A system and a method are provided for retrieving decryption keys from a secure location that is separate from the encrypted data. In particular, for each decryption key, there is an associated key ID, public and private authentication key pair and a storage key. The decryption key is encrypted and can be decrypted with the storage key. A key-server securely stores the encrypted decryption key, key ID and public authentication key. A separate key-host stores the storage key, key ID and private…

    A system and a method are provided for retrieving decryption keys from a secure location that is separate from the encrypted data. In particular, for each decryption key, there is an associated key ID, public and private authentication key pair and a storage key. The decryption key is encrypted and can be decrypted with the storage key. A key-server securely stores the encrypted decryption key, key ID and public authentication key. A separate key-host stores the storage key, key ID and private authentication key. For the key-host to retrieve the encrypted decryption key, the key-server first authenticates the key-host using the authentication keys. Upon receipt of the encrypted decryption key, the key-host decrypts the encrypted key using the storage key. The decryption key is then used for decrypting the encrypted data.

    See patent
  • Data certification methods and apparatus

    Issued US 8635457

    This invention generally relates methods, computer program code, data processing apparatus, and signals for certifying data, in particular by means of an electronic signature. Embodiments of the invention can be implemented on a user terminal without the need for dedicated hardware or software and may be termed "zero-footprint" data certification methods. A method of providing an electronic signature to-a-server; the method including receiving data for said server at a proxy system for said…

    This invention generally relates methods, computer program code, data processing apparatus, and signals for certifying data, in particular by means of an electronic signature. Embodiments of the invention can be implemented on a user terminal without the need for dedicated hardware or software and may be termed "zero-footprint" data certification methods. A method of providing an electronic signature to-a-server; the method including receiving data for said server at a proxy system for said server; reading said received data to identify a signature request; obtaining a signature for a portion of said received data associated with said request responsive to said request, and providing said signature from said proxy system to said server. The use of a signature-enabled reverse proxy enables the use of a zero footprint user terminal, that is without the need to add additional functionality to the terminal for the purposes of signature creation in the context of a distributed application architecture.

    Other inventors
    See patent
  • Secure administration of virtual machines

    Issued US 8583920

    Methods and systems for performing secure administration of virtual domain resource allocation are provided herein. A cloud service provider (CSP) may provide instances of virtual machines to one or more contracting user entities. The cloud service provider may store an authorization database identifying one or more resources (e.g., storage, CPU, etc.) that each of the different contracting user entities is authorized to use on a virtual machine server device. The CSP may subsequently receive a…

    Methods and systems for performing secure administration of virtual domain resource allocation are provided herein. A cloud service provider (CSP) may provide instances of virtual machines to one or more contracting user entities. The cloud service provider may store an authorization database identifying one or more resources (e.g., storage, CPU, etc.) that each of the different contracting user entities is authorized to use on a virtual machine server device. The CSP may subsequently receive a request from an unverified entity to instantiate a virtual machine with access to one or more resources. The request may include security information. The CSP validates the request by verifying the unverified entity using the first security information (e.g., checking a PKI certificate, requiring a login/password, etc.) and, when the request is validated, provides access to the verified entity to a subset of the requested one or more resources based on the authorization database.

    See patent

Honors & Awards

  • Linux/Unix security: ICE II - “Best Defender”

    SANS

Languages

  • French

    Limited working proficiency

  • Spanish

    Elementary proficiency

  • Latin

    Limited working proficiency

Organizations

  • ETSI NFV

    Vice Chair, Security WG

    - Present

    Vice Chair and rapporteur for Security Working Group, ETSI NFV.

  • IEEE

    -

    -
  • ETSI NFV

    Caretaker chairman, Security WG

    -

Recommendations received

16 people have recommended Mike

Join now to view

More activity by Mike

View Mike’s full profile

  • See who you know in common
  • Get introduced
  • Contact Mike directly
Join to view full profile

Other similar profiles

Explore collaborative articles

We’re unlocking community knowledge in a new way. Experts add insights directly into each article, started with the help of AI.

Explore More

Others named Mike Bursell

Add new skills with these courses