Protecting computing devices from unauthorized access
First Claim
1. A system comprising:
(a) a distributed computer network comprising multiple computing devices at multiple locations, each location comprising at least one network node;
(b) at least one protected computing device at a first location configured for communication through said network with a storage controller to access secure data from a secure data storage repository at a second location;
(c) said at least one protected computing device having an operating system and a virtual machine, said operating system and said virtual machine each associated with said at least one protected computing device and a virtual machine manager;
(d) said virtual machine manager implemented in one or more computer code segments and configured to be launched between boot-up of said at least one protected computing device and launch of said operating system;
(e) an authentication server located remotely from said at least one protected computing device and configured for authenticating said at least one protected computing device for access to said secure data;
(f) a control console configured to access and exert a measure of control over said at least one protected computing device, wherein said control console is operable within a console device at a third location;
(g) said virtual machine manager implemented in one or more computer code segments to be executed on said at least one protected computing device;
(h) said virtual machine manager configured to be launched between boot-up of said protected computing device and launch of said operating system, said virtual machine manager configured to cause said authentication server to provide indicia for use in authenticating said at least one protected computing device, said virtual machine manager configured to make a decision based on said indicia from said authentication server whether to allow said at least one protected computing device to either launch or not launch said operating system based upon whether said at least one protected computing device is either authenticated or not, respectively, by said authentication server, said virtual machine manager further comprising a hypervisor configured to control the protected computing device to either launch or not launch the operating system based upon the decision.
Abstract
Methods and systems for performing an authenticated boot; performing continuous data protection; performing automatic protection and optionally a consolidation; and performing other defenses and protection of a protected computing device (such as a computer system) are provided. The aspects include integrating security mechanisms (which may include a “call home” function, role- and rule-based policies, validating technologies, encryption and decryption technologies, data compression technologies, protected and segmented boot technologies, and virtualization technologies). Booting and operating (either fully or in a restricted manner) are permitted only under the control of a specified role-set, rule-set, and/or a controlling supervisory process or server system(s). The methods and systems make advantageous use of hypervisors and other virtual machine monitors or managers.
Claims (28)
1. A system comprising: (claim text as set out under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A distributed computer system with multiple network nodes for exercising control over whether to launch an operating system on at least one protected computing device in order to improve efficient operation of said at least one protected computing device free from unwarranted intrusion, said distributed computer system comprising:
(a) at least one protected computing device further comprising a processor at a first node configured for communication through a network with a storage controller to access secure data at a second node;
(b) at least one operating system configured to operate on said at least one protected computing device;
(c) a virtual machine configured to operate on said at least one protected computing device, said virtual machine configured to be launched during boot of said at least one protected computing device but prior to launch of said at least one operating system;
(d) a control console configured to exert a measure of control through said network over said at least one protected computing device, and wherein said control console is operable within a console device located remotely from said at least one protected computing device;
(e) an authentication server, configured for authenticating said at least one protected computing device for access to said secure data;
(f) a virtual machine manager associated with said virtual machine, said virtual machine manager configured to execute based on one or more policies, said virtual machine manager further comprising a hypervisor configured to operate on said at least one protected computing device, said virtual machine manager further configured to be launched after powering on said at least one protected computing device and before booting said operating system to operate on said at least one protected computing device, said virtual machine manager further configured to interact with said authentication server, wherein an authentication routine is used to authenticate said at least one protected computing device, and wherein said authentication server provides indicia relating to said authentication routine to said virtual machine manager, said virtual machine manager configured to receive indicia from said authentication server relating to the result of said authentication routine, and said hypervisor of said virtual machine manager is configured to either launch or not launch said operating system based upon said indicia.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26.
27. A system for protecting data stored in a secure data storage server, said system comprising:
(a) a main computer having memory, said main computer configured to operate in a networked environment using logical connections to a plurality of remote network nodes comprising a secure data storage node and an authentication server;
(b) a virtual machine manager configured to begin operation on said main computer, said virtual machine manager configured to communicate with at least one of said plurality of remote network nodes after power-on of said main computer as part of a boot process, said plurality of remote network nodes comprising an authentication server, a secure data storage node, and a control console, said authentication server configured to perform an authentication procedure that generates a response indicia for controlling whether said virtual machine manager is permitted to launch an operating system on said main computer as part of a boot process, said secure data storage node configured to provide access to stored data to said virtual machine manager on said main computer based on communication with said authentication server prior to launching said operating system, said virtual machine manager further comprising a hypervisor;
(c) said control console implemented in at least one of said plurality of remote network nodes, wherein said control console is configured to identify an administrator and push a policy for said main computer as part of said authentication procedure, said control console enabling direct or indirect control over said main computer, wherein at least one policy related to limiting said memory or a storage associated with said main computer flows from said control console, wherein said operating system is executed on a virtual machine that is managed by said virtual machine manager based in whole or in part on said response indicia.
Dependent claim: 28.
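The boot gate described in the abstract and in claims 1, 13 and 27 (a virtual machine manager that runs after power-on, obtains authentication indicia from a remote server, receives a pushed policy, and only then decides whether to launch the operating system) can be sketched as a small simulation. This is an added illustration, not code from the patent; the device keys, the HMAC-based indicia and the memory-cap policy are all constructed for the demo.

```python
import hmac, hashlib, json, secrets

# Constructed demo keys; a real deployment would provision these in hardware-backed storage.
DEVICE_KEYS = {"laptop-0042": b"device-secret-0042"}   # shared between server and device VMM
INDICIA_KEY = b"server-indicia-signing-key"             # stand-in for the server's signing key

def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()

class AuthServer:
    """Remote authentication server: issues a nonce, checks the device's response,
    and returns signed 'indicia' (verdict plus console-pushed policy) for the VMM."""
    def __init__(self):
        self.pending = {}
    def challenge(self, device_id):
        nonce = secrets.token_hex(16)          # fresh per boot, so indicia cannot be replayed
        self.pending[device_id] = nonce
        return nonce
    def verify(self, device_id, nonce, response):
        expected = self.pending.pop(device_id, None)
        key = DEVICE_KEYS.get(device_id)
        ok = (key is not None and expected == nonce
              and hmac.compare_digest(_mac(key, device_id.encode(), nonce.encode()), response))
        # Policy pushed from the control console (constructed): cap guest memory for this device.
        verdict = {"device_id": device_id, "nonce": nonce, "authenticated": ok,
                   "policy": {"max_guest_mem_mb": 4096} if ok else {}}
        body = json.dumps(verdict, sort_keys=True)
        return body, _mac(INDICIA_KEY, body.encode())

class VirtualMachineManager:
    """Pre-OS hypervisor stage: authenticates with the server before launching the guest OS."""
    def __init__(self, device_id, device_key, server):
        self.device_id, self.device_key, self.server = device_id, device_key, server
    def boot_decision(self):
        """Return (launch_os, policy). The OS is launched only on authenticated indicia."""
        nonce = self.server.challenge(self.device_id)
        response = _mac(self.device_key, self.device_id.encode(), nonce.encode())
        body, sig = self.server.verify(self.device_id, nonce, response)
        # Reject forged or replayed indicia: MAC must verify and the nonce must be ours.
        if not hmac.compare_digest(_mac(INDICIA_KEY, body.encode()), sig):
            return False, {}
        verdict = json.loads(body)
        if verdict["device_id"] != self.device_id or verdict["nonce"] != nonce:
            return False, {}
        return verdict["authenticated"], verdict["policy"]
```

A production design would sign the indicia with an asymmetric key so the VMM can verify without being able to forge a verdict; the shared MAC here only keeps the demo self-contained.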