Method and apparatus for securely accessing data

US 20070112772A1
Filed: 11/12/2005
Published: 05/17/2007
Est. Priority Date: 11/12/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request for data that is subject to data security management;

determining, in response to receiving the request, a data security policy to associate with the data, including determining an access level to the data for the requester;

if access is allowed, providing a secure virtual partition in which to execute an application to enable the requester to access the data; and

loading a version of the application into the virtual partition that is verified to be secure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security manager receives a request for data that is subject to data security management. The security manager operates independently of a host partition and is not directly accessible or detectable by the host partition. The security manager determines whether to grant or deny access to the requested data based at least in part on a requesting user'"'"'s authentication credentials. If the data request is approved, a security policy associated with the data is determined. In addition, instructions are sent to a system hypervisor to create a secure partition. The hypervisor loads the requested data and a verified version of an application necessary to access the data into the secure partition creating a secure environment for accessing the data.

86 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving a request for data that is subject to data security management;
  
  determining, in response to receiving the request, a data security policy to associate with the data, including determining an access level to the data for the requester;
  
  if access is allowed, providing a secure virtual partition in which to execute an application to enable the requester to access the data; and
  
  loading a version of the application into the virtual partition that is verified to be secure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the request for data is received by a security manager.
  - 3. The method of claim 2, wherein determining the data security policy comprises:
    - forwarding at least a portion of the request to a digital rights management (DRM) server on a network; and
      
      processing a response to the forwarded request to determine the data security policy.
  - 4. The method of claim 2, wherein determining the data security policy comprises retrieving the data security policy from a local memory in the security manager.
  - 5. The method of claim 1, wherein the data security policy comprises access and use controls for data.
  - 6. The method of claim 1, wherein the data security policy is based at least in part on a type of the data.
  - 7. The method of claim 6, wherein the type of the data is based at least in part on one or more of a file type, a data size, and a frequency of use of the data
  - 8. The method of claim 1, wherein the data security policy is based at least in part on authentication credentials of the requester.
  - 9. The method of claim 8, wherein the authentication credentials are based, at least in part, on one or more of a requester'"'"'s identity, a requester'"'"'s location, and a digital certificate.

10. An apparatus comprising:
- a host partition to initiate a data request;
  
  a security manager to receive the data request, determine whether to allow access to the requested data, and determine a security policy to associate with the data, wherein the security manager is not directly accessible or detectable by the host partition; and
  
  a hypervisor to receive an instruction from the active platform manager to generate a secure virtual partition in which to execute an application to enable access to the requested data and to load a verified version of an application that is known to be secure.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, wherein the security manager forwards at least a portion of the data request to a data rights management (DRM) server on a network and processes a response to the forwarded request to determine whether to allow access to the requested data and to determine the data security policy.
  - 12. The apparatus of claim 10, wherein the data security policy is based at least in part on a type of the data.
  - 13. The apparatus of claim 10, wherein the data security policy is based at least in part on authentication credentials of the requester
  - 14. The apparatus of claim 10, wherein the verified version of an application is stored on a network.
  - 15. The apparatus of claim 10, wherein the verified version of an application is stored locally in a secure memory.

16. An article of manufacture comprising a machine accessible medium having content stored thereon to provide instructions cause a machine to perform operations including:
- determining whether to grant access to data requested by a user;
  
  determining a security policy associated with the data; and
  
  generating a secure virtual partition in which to execute an application to enable the user to access the data if access is granted.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The article of manufacture of claim 16, wherein determining the data security policy comprises further instructions including:
    - forwarding at least a portion of the request to a digital rights management (DRM) server on a network; and
      
      processing a response to the forwarded request to determine the data security policy.
  - 18. The article of manufacture of claim 16, wherein the data security policy comprises access and use controls for data.
  - 19. The article of manufacture of claim 16, wherein the data security policy is based at least in part on one or more of a user'"'"'s authentication credentials and a data type for the requested data.
  - 20. The article of manufacture of claim 19, wherein the data type is based at least in part on one or more of a file type, a data size, and a frequency of use of the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Morgan, Dennis, Ross, Alan

Granted Patent

US 7,693,838 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

Method and apparatus for securely accessing data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for securely accessing data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others