Client Authentication And Data Management System

US 20100037296A1
Filed: 10/15/2007
Published: 02/11/2010
Est. Priority Date: 10/13/2006
Status: Active Grant

First Claim

Patent Images

1. A system for protecting computing devices and associated secure data stored in at least one secure data storage component from unauthorized access, the system comprising:

at least one protected computing device configured for communication through a network with a storage controller to access the secure data, the protected computing device further configured for using a virtual machine stored thereon;

an authentication server configured for authenticating the protected computing device for access to the secure data; and

a control console configured for access to and exerting control over devices connected to the network, the devices including the at least one protected computing device and the authentication server,wherein a virtual machine manager associated with the virtual machine is launched during boot of the protected computing device, and wherein the virtual machine causes the computing device and the authentication server to authenticate to each other.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for performing an authenticated boot (310); performing a continuous data protection (350); performing automatic protection and optionally a consolidation; and performing other defenses and protection of a protected computing device (110a, 110b, 110c) (such as a computer system) are provided. The aspects include integrating security mechanisms (which may include a “call home” function (330), role and rule-based policies (225), validating technologies, encryption and decryption technologies, data compression technologies, protected and segmented boot technologies, and virtualization technologies. Booting and operating (either fully or in a restricted manner) are permitted only under a control of a specified role-set, rule-set, and/or a controlling supervisory process or server system(s). The methods and systems make advantageous use of hypervisors (220) and other virtual machine monitors or managers.

74 Citations

View as Search Results

59 Claims

1. A system for protecting computing devices and associated secure data stored in at least one secure data storage component from unauthorized access, the system comprising:
- at least one protected computing device configured for communication through a network with a storage controller to access the secure data, the protected computing device further configured for using a virtual machine stored thereon;
  
  an authentication server configured for authenticating the protected computing device for access to the secure data; and
  
  a control console configured for access to and exerting control over devices connected to the network, the devices including the at least one protected computing device and the authentication server,wherein a virtual machine manager associated with the virtual machine is launched during boot of the protected computing device, and wherein the virtual machine causes the computing device and the authentication server to authenticate to each other.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein the control console is operable within the protected computing device.
  - 3. The system of claim 1, wherein the control console is operable within the authentication server.
  - 4. The system of claim 1, wherein the control console is operable within a console device separate from the protected computing device.
  - 5. The system of claim 1, wherein the control console is operable within a console device separate from the authentication server.
  - 6. The system of claim 1, wherein the virtual machine is implemented in software of the at least one protected computing device.
  - 7. The system of claim 1, wherein the virtual machine is implemented in hardware of the at least one protected computing device.
  - 8. The system of claim 1, wherein the virtual machine manager is a hypervisor.
  - 9. The system of claim 1, wherein the virtual machine manager is launched prior to launching of an operating system on the protected computing device.
  - 10. The system of claim 1, wherein the virtual machine is further configured to halt the boot of the protected computing device upon failure to authenticate the protected computing device.
  - 11. The system of claim 1, wherein the virtual machine is further configured to shut down the protected computing device upon failure to authenticate the protected computing device.
  - 12. The system of claim 1, wherein the virtual machine is further configured to cause the protected computing device to enter a specified state upon failure to authenticate the protected computing device.
  - 13. The system of claim 1, wherein the virtual machine is further configured for authenticating the authentication server to the protected computing device.
  - 14. The system of claim 1, wherein the virtual machine is further configured for sending data to and receiving data from the secure data storage component.
  - 15. The system of claim 14, wherein the virtual machine is further configured to communicate with the storage controller at a predetermined interval to monitor for changes in the secure data in use on the protected computing device.
  - 16. The system of claim 15, wherein the virtual machine is further configured to monitor for validity of the secure data in use on the protected computing device.
  - 17. The system of claim 16, wherein the virtual machine is further configured to cause the protected computing device to enter a specified state upon a determination that the secure data is no longer valid.
  - 18. The system of claim 1, wherein the virtual machine is further configured to back up the secure data to the secure data storage component.

19. A method for protecting computing devices from unauthorized access, the method comprising:
- initiating a boot command of a protected computing device, wherein the boot command is configured to initiate the launch of an operating system;
  
  intercepting the boot command;
  
  launching a virtual machine manager prior to the operating system launch;
  
  at the virtual machine, authenticating the protected computing device to an authentication server;
  
  receiving at the virtual machine, a response from the authentication server, the response indicating the authentication status of the protected computing device; and
  
  causing the protected computing device to enter a specified state based on the authentication status of the protected computing device.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The method of claim 19, wherein the virtual machine manager is a hypervisor.
  - 21. The method of claim 19, further comprising halting the boot of the protected computing device upon determination the authentication status of the protected computing device indicates failure to authenticate.
  - 22. The method of claim 19, further comprising shutting down the protected computing device upon determination the authentication status of the protected computing device indicates failure to authenticate.
  - 23. The method of claim 19, further comprising the virtual machine receiving a request for authentication from the authentication server.
  - 24. The method of claim 23, further comprising the virtual machine providing a response authentication to the authentication server.
  - 25. The method of claim 19, further comprising the protected computing device sending data to or receiving secure data from a secure data storage component, wherein a storage controller provides access to the secure data storage component.
  - 26. The method of claim 25, further comprising the virtual machine communicating with the storage controller at a predetermined interval to monitor for changes in the secure data on the protected computing device.
  - 27. The method of claim 26, further comprising the virtual machine monitoring for validity the secure data on the protected computing device.
  - 28. The method of claim 27, further comprising the virtual machine causing the protected computing device to enter a specified state upon a determination that the secure data is no longer valid.
  - 29. The method of claim 25, further comprising the virtual machine backing up the secure data to the secure data storage component.

30. A system for centralized network control of computing devices, the system comprising:
- a plurality of protected computing devices configured for communication through a network, each protected computing device further configured for using a virtual machine; and
  
  a virtual machine manager configured to exercise control over each of the protected computing devices.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 31. The system of claim 30, further comprising the virtual machine manager exercising input/output (I/O) control over each of the protected computing devices.
  - 32. The system of claim 30, wherein the virtual machine manager is installed on one of the protected computing devices.
  - 33. The system of claim 30, wherein the virtual machine manager is a hypervisor.
  - 34. The system of claim 33, wherein the hypervisor is implemented in software on at least one of the plurality of protected computing devices.
  - 35. The system of claim 33, wherein the hypervisor is implemented in hardware on at least one of the plurality of protected computing devices.
  - 36. The system of claim 30, wherein the virtual machine manager is configured to enable network access control for each of the protected computing devices.
  - 37. The system of claim 30, further comprising at least one protected partition within at least one protected computing device.
  - 38. The system of claim 37, wherein the virtual machine manager is configured to enable encryption services for each at least one protected partition.
  - 39. The system of claim 37, wherein the virtual machine manager is configured to enable decryption services for each at least one protected partition.

40. A method for centralized network control of computing devices, the method comprising:
- configuring one or more protected computing devices for communication through a network; and
  
  a hardware or software control element configured to exercise control over each of the protected computing devices wherein the control element is a virtual machine manager.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48)
- - 41. The method of claim 40, wherein the control element exercises input/output (I/O) control over at least one of the protected computing devices.
  - 42. The method of claim 40, wherein the virtual machine manager is installed on at least one of the protected computing devices.
  - 43. The method of claim 40, wherein the virtual machine manager is a hypervisor.
  - 44. The method of claim 43, wherein the hypervisor is implemented in software on at least one of the plurality of protected computing devices.
  - 45. The method of claim 43, wherein the hypervisor implemented in hardware on at least one of the plurality of protected computing devices.
  - 46. The method of claim 40, wherein the virtual machine manager provides network access control for each of the protected computing devices.
  - 47. The method of claim 40, wherein the virtual machine manager provides encryption services for at least one protected partition within at least one protected computing device.
  - 48. The method of claim 40, wherein the virtual machine manager provides decryption services for at least one protected partition within at least one protected computing device.

49. A data processing system for protecting client devices and associated secure data from unauthorized access, the system comprising:
- a plurality of protected client devices configured for accessing secure data through a network, each protected client device further configured for using a virtual machine; and
  
  at least one authentication server configured for providing authentication to the protected client devices,wherein a plurality of virtual machine managers, each virtual machine manager corresponding to one of the protected client devices, are launched during boot of the corresponding protected client device, and wherein the virtual machine authenticates each protected client device to the authentication server.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 50. The system of claim 49, wherein the network is configured for permanent connectivity.
  - 51. The system of claim 49, wherein the network is configured for temporary connectivity.
  - 52. The system of claim 49, wherein the authentication server is configured to allocate at least one resource corresponding to a first protected client device for use by at least one other protected client device, the at least one resource including one or more of memory, storage space, network, and processor bandwidth.
  - 53. The system of claim 49, wherein each virtual machine manager is a hypervisor.
  - 54. The system of claim 53, wherein a first hypervisor corresponding to a first protected client device, is configured for communication with at least one other hypervisor corresponding to other protected client devices.
  - 55. The system of claim 54, wherein the first hypervisor is configured for allocating at least one resource corresponding to a first protected client device for use by at least one other protected client device, the at least one resource selected from:
    - memory, storage space, network, and processor bandwidth.
  - 56. The system of claim 54, wherein the first hypervisor is configured for allocating at least one resource corresponding to a second protected client device for use by at least one other protected client device, the at least one resource selected from:
    - memory, storage space, network, and processor bandwidth.
  - 57. The system of claim 53, wherein a plurality of hypervisors, each hypervisor corresponding to a specified protected client device from among the plurality of protected client devices, are configured for communication with at least one other hypervisor corresponding to other protected client devices from among the plurality of protected client devices.
  - 58. The system of claim 57, wherein each hypervisor is configured for allocating at least one resource corresponding to the specified protected client device for use by at least one other protected client device, the at least one resource including one or more of memory, storage space, network, and processor bandwidth.
  - 59. The system of claim 57, wherein each hypervisor is configured for allocating at least one resource corresponding to a second specified protected client device for use by at least one other protected client device, the at least one resource including one or more of memory, storage space, network, and processor bandwidth.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Protection IP, LLC
Original Assignee
Computer Protection IP, LLC
Inventors
Silverstone, Ariel

Granted Patent

US 8,468,591 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/44   Program or device authentic...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/575   Secure boot

G06F 21/602   Providing cryptographic fac...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

Client Authentication And Data Management System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

74 Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

Client Authentication And Data Management System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links