System and Methods Providing Secure Workspace Sessions

US 20100024036A1
Filed: 07/20/2007
Published: 01/28/2010
Est. Priority Date: 07/20/2007
Status: Active Grant

First Claim

Patent Images

1. In a computer system, a method for providing multiple workspace sessions for securely running applications, the method comprising:

initiating a first workspace session on an existing operating system instance running on the computer system, said first workspace session having a first set of privileges for running applications under that session;

while said first workspace session remains active, initiating a second workspace session on the existing operating system instance running on the computer system, the second workspace session having a second set of privileges for running applications under the second workplace session; and

securing said second workspace session so that applications running under the second workplace session are protected from applications running outside the second workspace session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methods providing secure workspace sessions is described. In one embodiment a method for providing multiple workspace sessions for securely running applications comprises steps of: initiating a first workspace session on an existing operating system instance running on the computer system, the first workspace session having a first set of privileges for running applications under that session; while the first workspace session remains active, initiating a second workspace session on the existing operating system instance running on the computer system, the second workspace session having a second set of privileges for running applications under the second workplace session; and securing the second workspace session so that applications running under the second workplace session are protected from applications running outside the second workspace session.

142 Citations

40 Claims

1. In a computer system, a method for providing multiple workspace sessions for securely running applications, the method comprising:
- initiating a first workspace session on an existing operating system instance running on the computer system, said first workspace session having a first set of privileges for running applications under that session;
  
  while said first workspace session remains active, initiating a second workspace session on the existing operating system instance running on the computer system, the second workspace session having a second set of privileges for running applications under the second workplace session; and
  
  securing said second workspace session so that applications running under the second workplace session are protected from applications running outside the second workspace session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising:
    - while said first and second sessions remain active, initiating one or more subsequent workspace sessions on the existing operating system instance running on the computer system, each said subsequent workspace session having a particular set of privileges for running applications under that session and secured so that applications running under that workspace session are protected from applications running outside that workspace sessions.
  - 3. The method of claim 1, wherein the privileges comprise security rules applicable to applications running on the computer system.
  - 4. The method of claim 3, wherein the security rules include whether an application is authorized to access the Internet.
  - 5. The method of claim 1, wherein said step of initiating the second workspace session includes generating a separate window for the second workspace session for separately displaying applications running in the second workspace session.
  - 6. The method of claim 5, wherein generating a separate window includes displaying user feedback indicating that the applications running in the second workspace sessions are running in a secure manner.
  - 7. The method of claim 5, wherein the separate window is displayed in a manner that allows users to easily switch between the first workspace session and the second workspace session.
  - 8. The method of claim 1, wherein said step of securing the second workspace session includes hooking particular functions of the operating system instance in order to regulate access to information created during the second workspace session.
  - 9. The method of claim 1, further comprising:
    - storing all temporary data created during the second workspace session in a temporary file system.
  - 10. The method of claim 9, further comprising:
    - discarding all temporary data created during the second workspace session when the second workspace session terminates.
  - 11. The method of claim 1, further comprising:
    - storing all registry changes made during the second workspace session in temporary registry storage.
  - 12. The method of claim 11, further comprising:
    - discarding all registry created during the second workspace session when the second workspace session terminates.
  - 13. The method of claim 1, further comprising:
    - creating a log file for all actions taken by applications running in the second workspace session.
  - 14. The method of claim 1, wherein said step of securing the second workspace session includes applying additional security measures to the second workspace session.
  - 15. The method of claim 14, wherein said additional security measures include selected ones of encryption measures, anti-keylogger measures, anti-screen-grabber measures, antivirus measures, and file scanning measures.
  - 16. The method of claim 1, wherein said step of securing the second workplace session includes applying one set of firewall rules to applications running in the first workspace session and a second set of firewall rules to applications running in the second workspace session.
  - 17. The method of claim 1, further comprising:
    - setting up a virtual private connection to a remote site inside the second workspace session for purposes of providing a secure connection to the remote site.
  - 18. The method of claim 1, wherein said step of securing the second workplace session includes restricting access to peripheral devices from the second workspace session, so as to secure data created during the second workspace session.
  - 19. A computer-readable medium having processor-executable instructions for performing the method of claim 1.
  - 20. The method of claim 1, further comprising:
    - providing a downloadable set of processor-executable instructions for performing the method of claim 1.

21. A system providing that allows users to run software programs in a plurality of workspace sessions subject to separate security rules of a security policy, the system comprising:
- a computer running under an operating system;
  
  a plurality of software programs for use by users of the computer;
  
  a configurable security policy specifying security rules applicable to the software programs;
  
  a session manager for creating a plurality of workspace sessions under the operating system with each of said sessions subject to separate security rules of the security policy and isolated from other workspace sessions, thereby allowing software programs to run in a secure manner subject to said separate security rules; and
  
  a module for enforcing compliance with security rules of the security policy by software programs running in each of said workspace sessions.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The system of claim 21, wherein the security policy includes security rules specifying whether a software program is authorized to access the Internet.
  - 23. The system of claim 21, wherein the security policy includes security rules specifying actions of a software program that are permitted and are not permitted.
  - 24. The system of claim 21, wherein the security policy includes firewall rules, so as to apply separate firewall rules to software programs running in different workspace sessions.
  - 25. The system of claim 21, wherein the security policy specifies certain banned programs that are not permitted to run in a particular workspace session, so as to secure software programs running in the particular workspace session.
  - 26. The system of claim 25, wherein said banned programs include selected ones of spyware software, computer virus software, instant messaging software, peer-to-peer (P2P) software and web browser software.
  - 27. The system of claim 21, wherein the session manager hooks particular functions of the operating system in creating a particular workspace session in order to regulate access to information created during the particular workspace session.
  - 28. The system of claim 21, wherein the session manager generates a separate window for each workspace session for separately displaying software programs running in each session.
  - 29. The system of claim 21, wherein the session manager sets up a virtual private connection to a remote site inside a particular workspace session for purposes of providing a secure connection to the remote site for software programs running in the particular workspace session.
  - 30. The system of claim 21, wherein said module for enforcing creates a log file for actions taken during a particular workspace session so as to enable an administrator to review said actions.
  - 31. The system of claim 21, wherein said module for enforcing applies additional security measures on a per workspace session basis.
  - 32. The system of claim 31, wherein said additional security measures comprise selected ones of encryption measures, anti-keylogger measures, anti-screen-grabber measures, antivirus measures, and file scanning measures.
  - 33. The system of claim 21, wherein said module for enforcing stores all temporary data created during a particular workspace session in a temporary file system.
  - 34. The system of claim 33, wherein said temporary data created during the particular session is destroyed when the particular session terminates.
  - 35. The system of claim 21, wherein said module for enforcing encrypts all data created during a particular workspace session.
  - 36. The system of claim 21, wherein said module for enforcing controls inter-process communication between individual software programs.
  - 37. The system of claim 36, wherein said module for enforcing blocks any inter-process communication that would violate the security policy.
  - 38. The system of claim 21, wherein each of said plurality of workspace sessions is used for particular purposes.
  - 39. The system of claim 38, wherein said particular purposes include selected ones of browsing the Internet, browsing an Intranet, reading confidential documents, securely connecting to a remote site, running business applications, running personal applications, and evaluating software.
  - 40. The system of claim 21, wherein each said workspace session comprises a separate operating system session so as effectively isolate software programs running in said session from programs running in other workspace sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Konanka, Dzmitry, Morozov, Artiom

Granted Patent

US 8,769,268 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/71   to assure secure computing ...

G06F 21/74   operating in dual or compar...

System and Methods Providing Secure Workspace Sessions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

142 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and Methods Providing Secure Workspace Sessions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links