Abstract: A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies; and 3) controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies. Various other methods, systems, and computer-readable media are also disclosed herein.

Abstract: A host validation system runs on a portable storage device, and protects data stored thereon from unauthorized access by host computers. The system identifies a host to which the portable device is coupled, for example by using the host's TPM. This can further comprise identifying the host's current configuration. The system uses the identification and configuration information to verify whether the host is approved to access data stored on the portable device. The system provides the host a level of data access responsive to this verification. This can involve denying all data access to the host, or providing at least some access to data stored on the portable device, for example based on a stored access policy specifying levels of access to provide to specific hosts with specific configurations.

Abstract: A system and method for efficient security protocols in a virtualized datacenter environment are contemplated. In one embodiment, a system is provided comprising a hypervisor coupled to one or more protected virtual machines (VMs) and a security VM. Within a private communication channel, a split kernel loader provides an end-to-end communication between a paravirtualized security device driver, or symbiont, and the security VM. The symbiont monitors kernel-level activities of a corresponding guest OS, and conveys kernel-level metadata to the security VM via the private communication channel. Therefore, the well-known semantic gap problem is solved. The security VM is able to read all of the memory of a protected VM, detect locations of memory compromised by a malicious rootkit, and remediate any detected problems.

Abstract: Techniques for allocating/reducing storage required for one or more virtual machines are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for allocating storage for one or more virtual machines. The method may comprise providing one or more virtual machines. The method may also comprise creating one or more master images containing one or more commonly used blocks. The method may also comprise creating one or more Copy on Write volumes, where each Copy on Write volume may be associated with at least one of the one or more virtual machines and at least one of the one or more master images, and wherein updated blocks may be stored in at least one of the one or more Copy on Write volumes, thereby reducing storage required for one or more virtual machines.

Abstract: A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies; and 3) controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies. Various other methods, systems, and computer-readable media are also disclosed herein.