Method and system to provide secure data connection between creation points and use points
Abstract
A method and system for creating a secure network access method is provided. The system creates a secure network environment beyond the traditional network endpoints to include the contents transferred through the secure network, stored in the endpoint machine, and utilized by the applications residing on the endpoint machine.
18 Claims
1. A method of creating a secure network access method, called virtual security domain, on a computing device, the method comprising:
- defining a particular virtual security domain on the computing device, the particular virtual security domain includes a list of users as the virtual security domain members, a secure network configuration, a unique domain encrypt key, and a set of access policies for accessing the secure data and communication channels;
- validating, when a user is making a request to enter the virtual security domain, only a domain member with a proper access privilege can enter the domain and access the network and secured content;
- monitoring, after a validated user enters the virtual security domain, when a piece of secure content in virtual security domain is accessed by an application, that the application cannot leak any part of the secure content outside of the virtual security domain;
- monitoring, during the period when the piece of content is decrypted, operations of the computing device that are capable of producing one of a complete copy and a partial copy of the piece of content;
- determining, when an operation to produce a copy of the content is detected, to disallow the operation if the application and/or the operation is not permitted according to the access policies; and
- copying, if the copy operation is not disallowed, the piece of content within the particular domain so that the copied piece of content is stored in secured format.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. An apparatus for securing a virtual security domain on a computing device, the apparatus comprising:
- one or more applications executed by a processing unit of the domain client's computing device that perform operations on the secure channels or the encrypted storage in a virtual security domain;
- an operating system executed by the processing unit of the computing device;
- a supervisor unit being executed by the processing unit of the computing device, the supervisor unit in between the one or more applications and the operating system to maintain the security of the data stored in the encrypted storage with respect to the access policy defined in the domain specification;
- the supervisor unit further comprising means for accessing the encrypted storage by a user application in access policy wherein the content is decrypted while being accessed, means for verifying, when a piece of content is accessed by an application, means for monitoring, during the period when the piece of content is decrypted, operations of the computing device that are capable of producing one of a complete copy and a partial copy of the piece of content, means for determining, when an operation to produce a copy of the content is detected, to disallow the sending through un-secure channels or copying to storage device outside of the encrypted storage if contaminated.
Dependent claims: 13, 14, 15, 16, 17, 18
Specification