Posture-based data protection

US 7,793,110 B2
Filed: 05/24/2006
Issued: 09/07/2010
Est. Priority Date: 05/24/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing access to encrypted data on a computing device based on a security-posture of the computing device, comprising:

assessing the security-posture of the computing device upon which the encrypted data is stored;

if the assessed security-posture meets specified criteria, providing the computing device with a key which enables the computing device to access the encrypted data, wherein providing the computing device with the key involves using a key-management server which interacts with the computing device to provide the key;

allowing the key to be cached locally on the computing device;

monitoring activity on the computing device; and

if the activity causes the security-posture of the computing device to no longer meet the specified criteria, erasing the locally cached copy of the key so that the computing device cannot access the encrypted data without interacting with the key-management server again.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates access to encrypted data on a computing device based on a security-posture of the computing device. During operation, the system assesses the security-posture of the computing device upon which the encrypted data is stored. If the assessed security-posture meets specified criteria, the system provides the computing device with a key which enables the computing device to access the encrypted data.

41 Citations

View as Search Results

18 Claims

1. A method for providing access to encrypted data on a computing device based on a security-posture of the computing device, comprising:
- assessing the security-posture of the computing device upon which the encrypted data is stored;
  
  if the assessed security-posture meets specified criteria, providing the computing device with a key which enables the computing device to access the encrypted data, wherein providing the computing device with the key involves using a key-management server which interacts with the computing device to provide the key;
  
  allowing the key to be cached locally on the computing device;
  
  monitoring activity on the computing device; and
  
  if the activity causes the security-posture of the computing device to no longer meet the specified criteria, erasing the locally cached copy of the key so that the computing device cannot access the encrypted data without interacting with the key-management server again.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein assessing the security posture of the computing device involves determining one or more of the following:
    - whether unverified executable code has been loaded onto the computing device;
      
      whether an unverified file has been loaded onto the computing device;
      
      whether a virus scan has been recently performed on the computing device;
      
      whether a virus scanner for the computing device has been recently updated;
      
      whether recent patches have been applied to an operating system for the computing device;
      
      whether the computing device is running an up-to-date firewall; and
      
      whether the computing device is or has been connected to an insecure network.
  - 3. The method of claim 1, wherein assessing the security-posture of the computing device involves using a posture-assessment server which interacts with the computing device to assess the security-posture of the computing device.
  - 4. The method of claim 1, wherein the key is specific to a particular encrypted data item, so that the computing device has to interact with the key-management server again to access another encrypted data item.
  - 5. The method of claim 1, wherein providing the key to the computing device involves obtaining the key from a trusted key storage device.
  - 6. The method of claim 1, wherein the specified criteria is formulated as a policy which provides selective access to specific encrypted data items based on specific security-postures of the computing device.

7. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for providing access to encrypted data on a computing device based on a security-posture of the computing device, the method comprising:
- assessing the security-posture of the computing device upon which the encrypted data is stored;
  
  if the assessed security-posture meets specified criteria, providing the computing device with a key which enables the computing device to access the encrypted data, wherein providing the computing device with the key involves using a key-management server which interacts with the computing device to provide the key;
  
  allowing the key to be cached locally on the computing device;
  
  monitoring activity on the computing device; and
  
  if the activity causes the security-posture of the computing device to no longer meet the specified criteria, erasing the locally cached copy of the key so that the computing device cannot access the encrypted data without interacting with the key-management server again.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable storage medium of claim 7, wherein assessing the security posture of the computing device involves determining one or more of the following:
    - whether unverified executable code has been loaded onto the computing device;
      
      whether an unverified file has been loaded onto the computing device;
      
      whether a virus scan has been recently performed on the computing device;
      
      whether a virus scanner for the computing device has been recently updated;
      
      whether recent patches have been applied to an operating system for the computing device;
      
      whether the computing device is running an up-to-date firewall; and
      
      whether the computing device is or has been connected to an insecure network.
  - 9. The computer-readable storage medium of claim 7, wherein assessing the security-posture of the computing device involves using a posture-assessment server which interacts with the computing device to assess the security-posture of the computing device.
  - 10. The computer-readable storage medium of claim 7, wherein the key is specific to a particular encrypted data item, so that the computing device has to interact with the key-management server again to access another encrypted data item.
  - 11. The computer-readable storage medium of claim 7, wherein providing the key to the computing device involves obtaining the key from a trusted key storage device.
  - 12. The computer-readable storage medium of claim 7, wherein the specified criteria is formulated as a policy which provides selective access to specific encrypted data items based on specific security-postures of the computing device.

13. An apparatus that provides access to encrypted data on a computing device based on a security-posture of the computing device, comprising:
- an assessment mechanism configured to assess the security-posture of the computing device upon which the encrypted data is stored;
  
  an access mechanism, wherein if the assessed security-posture meets specified criteria, the access mechanism is configured to provide the computing device with a key which enables the computing device to access the encrypted data, the access mechanism being further configured to use a key-management server which interacts with the computing device to provide the key;
  
  a caching mechanism configured to allow the key to be cached locally on the computing device; and
  
  a monitoring mechanism configured to monitor activity on the computing device;
  
  wherein if the activity causes the security-posture of the computing device to no longer meet the specified criteria, the monitoring mechanism is configured to erase the cached copy of the key so that computing device cannot access the encrypted data without interacting with the key-management server again.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus of claim 13, wherein while assessing the security posture of the computing device, the assessment mechanism is configured to determine one or more of the following:
    - whether unverified executable code has been loaded onto the computing device;
      
      whether an unverified file has been loaded onto the computing device;
      
      whether a virus scan has been recently performed on the computing device;
      
      whether a virus scanner for the computing device has been recently updated;
      
      whether recent patches have been applied to an operating system for the computing device;
      
      whether the computing device is running an up-to-date firewall; and
      
      whether the computing device is or has been connected to an insecure network.
  - 15. The apparatus of claim 13, wherein the assessment mechanism includes a posture-assessment server, which interacts with the computing device to assess the security-posture of the computing device.
  - 16. The apparatus of claim 13, wherein the key is specific to a particular encrypted data item, so that the computing device has to interact with the key-management server again to access another encrypted data item.
  - 17. The apparatus of claim 13, wherein while providing the key to the computing device, the apparatus is configured to obtain the key from a trusted key storage device.
  - 18. The apparatus of claim 13, wherein the specified criteria is formulated as a policy which provides selective access to specific encrypted data items based on specific security-postures of the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gula Consulting Limited Liability Company (Intellectual Ventures LLC)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Stewart, Paul J., Smetters, Diana K., Balfanz, Dirk, Durfee, Glenn E.
Primary Examiner(s)
Parthasarathy; Pramila

Application Number

US11/439,817
Publication Number

US 20070277240A1
Time in Patent Office

1,567 Days
Field of Search

None
US Class Current

713/187
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6209   to a single file or object,...

G06F 2221/2143   Clearing memory, e.g. to pr...

Posture-based data protection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Posture-based data protection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links