Client authentication and data management system
Abstract
Methods and systems for performing an authenticated boot (310); performing a continuous data protection (350); performing automatic protection and optionally a consolidation; and performing other defenses and protection of a protected computing device (110a, 110b, 110c) (such as a computer system) are provided. The aspects include integrating security mechanisms (which may include a “call home” function (330), role and rule-based policies (225), validating technologies, encryption and decryption technologies, data compression technologies, protected and segmented boot technologies, and virtualization technologies). Booting and operating (either fully or in a restricted manner) are permitted only under a control of a specified role-set, rule-set, and/or a controlling supervisory process or server system(s). The methods and systems make advantageous use of hypervisors (220) and other virtual machine monitors or managers.
25 Citations
58 Claims
1. A system for protecting computing devices and associated secure data stored in at least one secure data storage component from unauthorized access by controlling whether such computing devices are permitted to boot their respective operating systems, the system comprising:
    at least one protected computing device configured for communication through a network with a storage controller to access the secure data, the protected computing device having an operating system and a virtual machine, the virtual machine configured to be launched during boot of the protected computing device but prior to launch of the operating system;
    an authentication server configured for authenticating the protected computing device for access to the secure data; and
    a virtual machine manager associated with the virtual machine, the virtual machine manager configured to be launched during boot of the protected computing device, the virtual machine manager configured to cause the authentication server to authenticate the protected computing device, the virtual machine manager configured to make a decision whether to allow the protected computing device to either launch or not launch the operating system based upon whether the protected computing device is either authenticated or not, respectively, by the authentication server, the virtual machine manager configured to control the protected computing device to either launch or not launch the operating system based upon the decision.
Dependent claims: 2 to 17 (not shown on this page).
18. A method for protecting computing devices from unauthorized access by protecting whether and to what extent such computing devices are permitted to boot their respective operating systems, the method comprising:
    initiating a boot command of a protected computing device, wherein the boot command is configured to initiate the launch of an operating system;
    intercepting the boot command to prevent the operating system from launching;
    launching a virtual machine manager prior to the operating system launch;
    at the virtual machine, authenticating the protected computing device with an authentication server;
    receiving, at the virtual machine, a response from the authentication server, the response indicating the authentication status of the protected computing device;
    determining with the virtual machine manager whether or not and to what extent to permit the protected computing device to boot the operating system based upon the authentication status; and
    permitting the protected computing device to boot the operating system based upon the authentication status and causing the protected computing device to enter a specified state based on the authentication status of the protected computing device, the specified state restricting the protected computing device from accessing, in whole or in part:
        (a) a memory associated with the protected computing device or a remote memory that can be accessed by the protected computing device,
        (b) a storage area associated with the protected computing device or a remote storage area that can be accessed by the protected computing device,
        (c) an input/output function associated with the protected computing device or a remote input/output function that can be accessed by the protected device.
Dependent claims: 19 to 28 (not shown on this page).
29. A system for centralized network control of computing devices, the system comprising:
    a plurality of protected computing devices configured for communication through a network, each protected computing device further configured for using a virtual machine, the virtual machine designed to permit the protected computing device to perform one of the following boot operations: boot its operating system, not boot its operating system, or boot its operating system but limit its memory access, storage access, or input/output capability;
    a virtual machine manager configured to exercise control over each of the protected computing devices and the virtual machine, the virtual machine manager being in communication with the virtual machine associated with each protected computing device through the network, the virtual machine manager designed to cause the computing device and an authentication server to authenticate each other; and
    the virtual machine manager configured to determine the permitted boot operation.
Dependent claims: 30 to 38 (not shown on this page).
39. A method for centralized network control of computing devices, the method comprising:
    configuring one or more protected computing devices for communication through a network; and
    a hardware or software control element configured to exercise control over each of the protected computing devices, wherein the control element is a virtual machine manager associated with a virtual machine; wherein the virtual machine manager is configured to cause the one or more protected computing devices to be authenticated by an authentication server, the virtual machine manager configured to make a decision whether and to what extent to allow the one or more protected computing devices to launch its operating system based upon an authentication status provided by the authentication server, the virtual machine manager configured to control the one or more protected computing devices to perform one of the following boot operations: boot its operating system, not boot its operating system, or boot its operating system but limit its memory access, storage access, or input/output capability.
Dependent claims: 40 to 47 (not shown on this page).
48. A data processing system for protecting client devices and associated secure data from unauthorized access, the system comprising:
    a plurality of protected client devices configured for accessing secure data through a network, each protected client device further configured for using a virtual machine, the virtual machine designed to permit the protected client device to perform one of the following boot operations: boot its operating system, not boot its operating system, or boot its operating system but limit its memory access capability, storage access capability, and/or input/output capability;
    at least one authentication server configured for providing authentication to the protected client devices; and
    a plurality of virtual machine managers, each virtual machine manager corresponding to one of the protected client devices and virtual machines, each virtual machine manager configured to be launched during boot of the corresponding one of the protected client devices prior to launch of its operating system, each virtual machine manager configured to cause the corresponding one of the protected client devices to be authenticated by the at least one authentication server, and each virtual machine manager configured to determine the permitted boot operation.
Dependent claims: 49 to 58 (not shown on this page).
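The boot gate that independent claims 1, 18, 29, 39 and 48 describe (a virtual machine manager launched before the operating system, an authentication server that reports the device's status, and a decision to boot, not boot, or boot with memory, storage or input/output access withheld), as an added simulation that is not code from the patent. The HMAC challenge-response, the enrolment table, the "restricted" policy and the fail-closed handling of an unreachable server are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ENROLLED = {  # constructed enrolment records (assumption): device id -> key and boot policy
    "dev-001": {"key": b"key-one-constructed", "policy": "full"},
    "dev-002": {"key": b"key-two-constructed", "policy": "restricted"},
}

@dataclass
class BootDecision:
    operation: str  # "boot", "no_boot" or "restricted_boot"
    withheld: frozenset = frozenset()  # subset of {"memory", "storage", "io"}

class AuthenticationServer:
    def __init__(self, online=True):
        self.online = online
    def challenge(self):  # fresh nonce per boot so a captured response cannot be replayed
        if not self.online:
            raise ConnectionError("authentication server unreachable")
        return secrets.token_bytes(16)
    def verify(self, device_id, nonce, response):
        record = ENROLLED.get(device_id)
        if record is None:
            return "denied"
        expected = hmac.new(record["key"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "denied"
        return "authenticated" if record["policy"] == "full" else "restricted"

class VirtualMachineManager:
    # Launched before the OS; holds the intercepted boot until the server answers.
    def __init__(self, device_id, device_key, server):
        self.device_id, self.device_key, self.server = device_id, device_key, server
    def authenticate(self):
        nonce = self.server.challenge()
        response = hmac.new(self.device_key, nonce, hashlib.sha256).digest()
        return self.server.verify(self.device_id, nonce, response)
    def intercept_boot(self):
        try:
            status = self.authenticate()
        except ConnectionError:
            status = "denied"  # fail closed when no response arrives (assumption)
        if status == "authenticated":
            return BootDecision("boot")
        if status == "restricted":  # assumed restricted state: storage and I/O withheld
            return BootDecision("restricted_boot", frozenset({"storage", "io"}))
        return BootDecision("no_boot", frozenset({"memory", "storage", "io"}))
```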
Specification