Approaches for ensuring data security

US 8,556,991 B2
Filed: 11/05/2009
Issued: 10/15/2013
Est. Priority Date: 08/08/2008
Status: Active Grant

First Claim

Patent Images

1. One or more machine-readable non-transitory mediums storing one or more sequences of instructions for securing a client, which when executed, cause:

a BIOS agent to store policy data within a BIOS of the client, wherein the BIOS agent is one or more modules operating at runtime in the BIOS of the client, wherein the policy data is capable of being updated from a server after an operating system on the client has loaded, and wherein the policy data describes one or more security policies followed by the client after the operating system has loaded;

upon the BIOS agent receiving updated policy data from the server white the operating system executes, the client enforcing any new security policies described by the updated policy data without rebooting the client; and

in response to the client following at least one of the one or more security policies, a hard-disk drive (HDD) of the client to lock by instructing a controller present in the hard-disk drive (HDD) to deny, to any entity, access to data stored on the hard-disk drive (HDD) unless the entity supplies, to the controller, a recognized authentication credential.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for protecting resources of a client from theft or unauthorized access. A BIOS agent stores policy data within a BIOS of the client. The BIOS agent is one or more software modules operating in the BIOS of the client. The policy data describes one or more security policies which the client is to follow. In response to the client following at least one of the one or more security policies, a persistent storage medium of the client is locked by instructing a controller of the persistent storage medium to deny, to any entity, access to data stored on the persistent storage medium unless the entity supplies, to the controller, a recognized authentication credential. In this way, a malicious user without access to the recognized authentication credential cannot access the data stored on the persistent storage medium, even if the persistent storage medium is removed from the client.

Citations

21 Claims

1. One or more machine-readable non-transitory mediums storing one or more sequences of instructions for securing a client, which when executed, cause:
- a BIOS agent to store policy data within a BIOS of the client, wherein the BIOS agent is one or more modules operating at runtime in the BIOS of the client, wherein the policy data is capable of being updated from a server after an operating system on the client has loaded, and wherein the policy data describes one or more security policies followed by the client after the operating system has loaded;
  
  upon the BIOS agent receiving updated policy data from the server white the operating system executes, the client enforcing any new security policies described by the updated policy data without rebooting the client; and
  
  in response to the client following at least one of the one or more security policies, a hard-disk drive (HDD) of the client to lock by instructing a controller present in the hard-disk drive (HDD) to deny, to any entity, access to data stored on the hard-disk drive (HDD) unless the entity supplies, to the controller, a recognized authentication credential.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The one or more machine-readable non-transitory mediums of claim 1, wherein the at least one of the one or more security policies was obtained by the client, from a server, over a communications link, and wherein the at least one of the one or more security policies cannot be changed by a user of the client.
  - 3. The one or more machine-readable non-transitory mediums of claim 1, wherein the client is configured to be locked after the client is manufactured, and wherein a purchaser of the client is provided a password to unlock the client.
  - 4. The one or more machine-readable non-transitory mediums of claim 1, wherein the controller is configured such that, upon the hard-disk drive (HDD) being removed from the client, the controller continues to deny, to any entity, access to the data stored on the hard-disk drive (HDD) unless the entity supplies, to the controller, a recognized password.
  - 5. The one or more machine-readable non-transitory mediums of claim 1, wherein the controller denies, to any entity, access to the data stored on the hard-disk drive (HDD) unless the entity supplies, to the controller, a recognized password by preventing the client from booting unless the recognized password is supplied to the controller.
  - 6. The one or more machine-readable non-transitory mediums of claim 1, wherein locking the hard-disk drive (HDD) of the client further comprises:
    - encrypting data stored on the hard-disk drive (HDD) using a key stored in the BIOS of the client.
  - 7. The one or more machine-readable non-transitory mediums of claim 1, wherein locking the hard-disk drive (HDD) of the client further comprises:
    - determining features supported by the client to assess how to deny, to any entity, access to the data stored on the hard-disk drive (HDD) unless the entity supplies, to the controller, a recognized password.
  - 8. The one or more machine-readable non-transitory mediums of claim 1, wherein at least one of the one or more security policies instructs the client to lock the hard-disk drive (HDD) when the client enters a disabled state.
  - 9. The one or more machine-readable non-transitory mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - in response to receiving, over a communications link, a command from a server, the client locking the hard-disk drive (HDD).

10. A method for securing a client, comprising:
- a BIOS agent storing policy data within a BIOS of the client, wherein the BIOS agent is one or more modules operating at runtime in the BIOS of the client, wherein the policy data is capable of being updated from a server after an operating system on the client has loaded, and wherein the policy data describes one or more security policies followed by the client after the operating system has loaded;
  
  upon the BIOS agent receiving updated policy data from the server while the operating system executes, the client enforcing any new security policies described by the updated policy data without rebooting the client; and
  
  in response to the client following at least one of the one or more security policies, locking a hard-disk drive (HDD) of the client by instructing a controller present in the hard-disk drive (HDD) to deny, to any entity, access to data stored on the hard-disk drive (HDD) unless the entity supplies, to the controller, a recognized authentication credential.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10, wherein the at least one of the one or more security policies was obtained by the client, from a server, over a communications link, and wherein the at least one of the one or more security policies cannot be changed by a user of the client.
  - 12. The method of claim 10, wherein the client is configured to be locked after the client is manufactured, and wherein a purchaser of the client is provided a password to unlock the client.
  - 13. The method of claim 10, wherein the controller is configured such that, upon the hard-disk drive (HDD) being removed from the client, the controller continues to deny, to any entity, access to the data stored on the hard-disk drive (HDD) unless the entity supplies, to the controller, a recognized password.
  - 14. The method of claim 10, wherein the controller denies, to any entity, access to the data stored on the hard-disk drive (HDD) unless the entity supplies, to the controller, a recognized password by preventing the client from booting unless the recognized password is supplied to the controller.
  - 15. The method of claim 10, wherein locking the hard-disk drive (HDD) of the client further comprises:
    - encrypting data stored on the hard-disk drive (HDD) using a key stored in the BIOS of the client.
  - 16. The method of claim 10, wherein locking the hard-disk drive (HDD) of the client further comprises:
    - determining features supported by the client to assess how to deny, to any entity, access to the data stored on the hard-disk drive (HDD) unless the entity supplies, to the controller, a recognized password.
  - 17. The method of claim 10, wherein at least one of the one or more security policies instructs the client to lock the hard-disk drive (HDD) when the client enters a disabled state.
  - 18. The method of claim 10, further comprising:
    - in response to receiving, over a communications link, a command from a server, the client locking the hard-disk drive (HDD).
  - 19. The method of claim 10, wherein at least one of the one or more security policies consider information, periodically sent from the operating system in the client to the BIOS, about whether normal operations of the client have been compromised or degraded.
  - 20. The method of claim 10, wherein at least one of the one or more security policies specifies that upon the BIOS agent determining that no heartbeat message has been received by the BIOS agent within a specified period of time, the BIOS agent is to perform one or more actions, and wherein a heartbeat message is a message that (a) is generated by one or more modules operating in the operating system of the client that examine components of the operating system to determine if the components are present as installed and operating as intended, and (b) indicates an operational status of the client.

21. An apparatus for securing resources thereof, comprising:
- one or more processors; and
  
  one or more machine-readable non-transitory mediums storing one or more sequences of instructions, which when executed by the one or more processors, cause;
  
  a BIOS agent to store policy data within a BIOS of the client, wherein the BIOS agent is one or more modules operating at runtime in the BIOS of the client, wherein the policy data is capable of being updated from a server after an operating system on the client has loaded, and wherein the policy data describes one or more security policies followed by the client after the operating system has loaded;
  
  upon the BIOS agent receiving updated policy data from the server while the operating system executes, the client enforcing any new security policies described by the updated policy data without rebooting the client; and
  
  in response to the client following at least one of the one or more security policies, a persistent storage medium of the client to lock by instructing a controller present in the persistent storage medium to deny, to any entity, access to data stored on the persistent storage medium unless the entity supplies, to the controller, a recognized authentication credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Absolute Software Corporation
Original Assignee
Absolute Software Corporation
Inventors
Tarkhanyan, Anahit, Gupta, Ravi
Primary Examiner(s)
ZECHER, CORDELIA P K

Application Number

US12/613,440
Publication Number

US 20100050244A1
Time in Patent Office

1,440 Days
Field of Search

726/19, 726/35
US Class Current

726/35
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 21/88   Detecting or preventing the...

Approaches for ensuring data security

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Approaches for ensuring data security

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links