Controlling access to a protected resource using a virtual desktop and ongoing authentication
First Claim
1. A method of controlling access to a protected resource, the method comprising:
performing a continuous series of authentication operations between an end user device and an authentication engine;
while the continuous series of authentication operations results in ongoing successful authentication, providing a virtual desktop session from a virtual desktop server to the end user device to enable a user at the end user device to access the protected resource using the virtual desktop session; and
when the continuous series of authentication operations results in unsuccessful authentication, closing the virtual desktop session to prevent further access to the protected resource using the virtual desktop session;
wherein the protected resource is a website;
wherein providing the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session includes supplying the virtual desktop session from the virtual desktop server to the end user device while the user runs, within the virtual desktop session, a browser application to access the website;
wherein the browser runs in a virtual desktop server which is remote with respect to the end user device;
wherein the website runs in a web server which is remote with respect to the end user device, the virtual desktop server and the web server residing at different physical locations;
wherein supplying the virtual desktop session while the user runs, within the virtual desktop session, the browser application to access the website includes making the virtual desktop session available to the end user device while the user authenticates with the website running in the web server in a manner which is independent of the continuous series of authentication operations resulting in successful authentication between the end user device and the authentication engine;
wherein performing the continuous series of authentication operations between the end user device and the authentication engine includes authenticating the end user device to the authentication engine, and authenticating the authentication engine to the end user device;
wherein authenticating the end user device to the authentication engine includes evaluating, at the authentication engine, an end user device token code received from the end user device through a network;
wherein the end user device token code is an end user device one-time passcode derived from a seed stored at the end user device; and
wherein evaluating the end user device token code received from the end user device through the network includes comparing the end user device one-time passcode to an expected one-time passcode derived from a copy of the seed stored at the authentication engine;
further including issuing a one-time passcode hardware device to the user for installation on the end user device, the one-time passcode hardware device being the source of the end user device one-time passcode; and
wherein the end user device includes a virtual machine client which resides at a first location, the virtual desktop server resides at a second location which is separate from the first location, the protected resource resides at a third location which is separate from the first and second locations; and
wherein providing the virtual desktop session from the virtual desktop server to the end user device while the continuous series of authentication operations results in ongoing successful authentication includes:
creating a virtual machine on the virtual desktop server,
providing user access to the virtual machine created on the virtual desktop server through the virtual machine client of the end user device to enable a user to operate the virtual machine remotely from the virtual machine client of the end user device, the user accessing the protected resource at the third location via the virtual machine created on the virtual desktop server at the second location from the virtual machine client of the end user device residing at the first location.
Abstract
A technique controls access to a protected resource. The technique involves performing a series of authentication operations between an end user device and an authentication engine, and providing, while the series of authentication operations results in ongoing successful authentication, a virtual desktop session from a virtual desktop server to the end user device to enable a user at the end user device to access the protected resource using the virtual desktop session. The technique further involves closing the virtual desktop session when the series of authentication operations results in unsuccessful authentication (e.g., receipt of an incorrect authentication factor, loss of communications between the end user device and the authentication engine, etc.) to prevent further access to the protected resource using the virtual desktop session. Such operation provides additional security beyond that offered by a virtual desktop session without ongoing authentication, and thus protects against more advanced types of cyber threats.
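The gating loop described in the abstract and claim 1, as an added example that is not part of the patent: the end user device derives a one-time passcode from its seed, the authentication engine derives the expected passcode from its copy of the seed and compares the two, the engine proves itself back to the device, and the virtual desktop session stays open only while every round succeeds. The class and function names, the HMAC-SHA256 passcode derivation and the shared engine key used for the engine-to-device direction are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

OTP_DIGITS = 6

def derive_otp(seed: bytes, counter: int) -> str:
    """Passcode from a seed and a per-round counter (assumed HMAC-SHA256 scheme)."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)

class EndUserDevice:
    """Holds the seed (claim 1: 'seed stored at the end user device') and the key
    used to check the engine's replies, so authentication runs in both directions."""
    def __init__(self, seed: bytes, engine_key: bytes):
        self.seed, self.engine_key = seed, engine_key
        self.online, self.counter = True, 0

    def next_code(self) -> Optional[str]:
        if not self.online:  # loss of communications: no code reaches the engine
            return None
        code = derive_otp(self.seed, self.counter)
        self.counter += 1
        return code

    def verify_engine(self, nonce: bytes, proof: bytes) -> bool:
        expected = hmac.new(self.engine_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

class AuthenticationEngine:
    """Holds a copy of the seed and derives the expected passcode for each round."""
    def __init__(self, seed_copy: bytes, engine_key: bytes):
        self.seed_copy, self.engine_key, self.counter = seed_copy, engine_key, 0

    def verify_device(self, code: Optional[str]) -> bool:
        expected = derive_otp(self.seed_copy, self.counter)
        self.counter += 1
        return code is not None and hmac.compare_digest(expected, code)

    def prove_identity(self, nonce: bytes) -> bytes:
        return hmac.new(self.engine_key, nonce, hashlib.sha256).digest()

def run_session(device, engine, rounds, offline_after=None) -> Tuple[int, bool]:
    """Continuous authentication loop gating the virtual desktop session: it stays
    open only while every round succeeds, and the first failure (wrong code,
    failed engine proof, or missed round) closes it. `offline_after` simulates the
    device losing connectivity after that many rounds (constructed for the example).
    Returns (rounds that succeeded, session still open)."""
    session_open, completed = True, 0
    for r in range(rounds):
        if offline_after is not None and r >= offline_after:
            device.online = False
        if not engine.verify_device(device.next_code()):  # device -> engine
            session_open = False
            break
        nonce = secrets.token_bytes(16)
        if not device.verify_engine(nonce, engine.prove_identity(nonce)):  # engine -> device
            session_open = False
            break
        completed += 1
    return completed, session_open
```

A device with the wrong seed, an engine with the wrong key, or a device that drops offline mid-session each close the session at the first failed round, which is the behaviour the abstract lists under unsuccessful authentication.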
12 Claims
10. An apparatus to control access to a protected resource, the apparatus comprising:
a network interface to couple to a network; and
processing circuitry coupled to the network interface, the processing circuitry being constructed and arranged to:
perform a continuous series of authentication operations to authenticate an end user device through the network interface,
while the continuous series of authentication operations results in ongoing successful authentication, provide a virtual desktop session from a virtual desktop server to the end user device to enable a user at the end user device to access the protected resource using the virtual desktop session, and
when the continuous series of authentication operations results in unsuccessful authentication, close the virtual desktop session to prevent further access to the protected resource using the virtual desktop session;
wherein the protected resource is a website;
wherein the processing circuitry, when providing the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session, is constructed and arranged to supply the virtual desktop session from the virtual desktop server to the end user device while the user runs, within the virtual desktop session, a browser application to access the website;
wherein the browser runs in a virtual desktop server which is remote with respect to the end user device;
wherein the website runs in a web server which is remote with respect to the end user device, the virtual desktop server and the web server residing at different physical locations;
wherein the processing circuitry, when supplying the virtual desktop session while the user runs, within the virtual desktop session, the browser application to access the website, is constructed and arranged to make the virtual desktop session available to the end user device while the user authenticates with the website running in the web server in a manner which is independent of the continuous series of authentication operations resulting in successful authentication between the end user device and the authentication engine;
wherein the processing circuitry, when performing the continuous series of authentication operations between the end user device and the authentication engine, is constructed and arranged to authenticate the end user device to the authentication engine, and authenticate the authentication engine to the end user device;
wherein authenticating the end user device to the authentication engine includes evaluating, at the authentication engine, an end user device token code received from the end user device through a network;
wherein the end user device token code is an end user device one-time passcode derived from a seed stored at the end user device; and
wherein the processing circuitry, when evaluating the end user device token code received from the end user device through the network, is constructed and arranged to compare the end user device one-time passcode to an expected one-time passcode derived from a copy of the seed stored at the authentication engine;
further including issuing a one-time passcode hardware device to the user for installation on the end user device, the one-time passcode hardware device being the source of the end user device one-time passcode; and
wherein the end user device includes a virtual machine client which resides at a first location, the virtual desktop server resides at a second location which is separate from the first location, the protected resource resides at a third location which is separate from the first and second locations; and
wherein the processing circuitry, when providing the virtual desktop session from the virtual desktop server to the end user device while the continuous series of authentication operations results in ongoing successful authentication, is constructed and arranged to:
create a virtual machine on the virtual desktop server,
provide user access to the virtual machine created on the virtual desktop server through the virtual machine client of the end user device to enable a user to operate the virtual machine remotely from the virtual machine client of the end user device, the user accessing the protected resource at the third location via the virtual machine created on the virtual desktop server at the second location from the virtual machine client of the end user device residing at the first location.

11. A computer program product having a non-transitory computer readable medium storing a set of instructions which, when performed by a computerized device, cause the computerized device to:
perform a continuous series of authentication operations to authenticate an end user device;
while the continuous series of authentication operations results in ongoing successful authentication, provide a virtual desktop session from a virtual desktop server to the end user device to enable a user at the end user device to access a protected resource using the virtual desktop session; and
when the continuous series of authentication operations results in unsuccessful authentication, close the virtual desktop session to prevent further access to the protected resource using the virtual desktop session;
wherein the protected resource is a website;
wherein the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session includes a browser application to access the website;
wherein the browser runs in a virtual desktop server which is remote with respect to the end user device;
wherein the website runs in a web server which is remote with respect to the end user device, the virtual desktop server and the web server residing at different physical locations;
wherein the virtual desktop session includes user authentication operations with the website running in the web server independent of the continuous series of authentication operations resulting in successful authentication between the end user device and the authentication engine;
wherein the continuous series of authentication operations between the end user device and the authentication engine includes authenticating the end user device to the authentication engine, and authenticating the authentication engine to the end user device;
wherein authenticating the end user device to the authentication engine includes evaluating an end user device token code received from the end user device through a network;
wherein the end user device token code is an end user device one-time passcode derived from a seed stored at the end user device; and
wherein evaluating the end user device token code received from the end user device through the network includes comparing the end user device one-time passcode to an expected one-time passcode derived from a copy of the seed stored at the authentication engine;
further including a one-time passcode hardware device attached to the end user device, the one-time passcode hardware device being the source of the end user device one-time passcode; and
wherein the end user device includes a virtual machine client which resides at a first location, the virtual desktop server resides at a second location which is separate from the first location, the protected resource resides at a third location which is separate from the first and second locations; and
wherein providing the virtual desktop session from the virtual desktop server to the end user device includes a virtual machine on the virtual desktop server, and the user accessing the protected resource at the third location via the virtual machine residing on the virtual desktop server at the second location from the virtual machine client of the end user device residing at the first location.

12. An electronic authentication device to control access to a protected resource, the electronic authentication device comprising:
an interface to couple to an end user device; and
a controller coupled to the interface, the controller being constructed and arranged to:
perform a continuous series of authentication operations to authenticate the end user device to an authentication engine,
while the continuous series of authentication operations results in ongoing successful authentication, provide permission to the end user device through the interface to open a virtual desktop session with a virtual desktop server to enable a user at the end user device to access the protected resource using the virtual desktop session, and
when the continuous series of authentication operations results in unsuccessful authentication, deny permission to the end user device through the interface to force the end user device to close the virtual desktop session to prevent further access to the protected resource using the virtual desktop session;
wherein the protected resource is a website;
wherein the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session includes a browser application to access the website;
wherein the browser runs in a virtual desktop server which is remote with respect to the end user device;
wherein the website runs in a web server which is remote with respect to the end user device, the virtual desktop server and the web server residing at different physical locations;
wherein the virtual desktop session includes user authentication operations with the website running in the web server independent of the continuous series of authentication operations resulting in successful authentication between the end user device and the authentication engine;
wherein the continuous series of authentication operations between the end user device and the authentication engine includes authenticating the end user device to the authentication engine, and authenticating the authentication engine to the end user device;
wherein the controller, when authenticating the end user device to the authentication engine, is constructed and arranged to evaluate an end user device token code received from the end user device through a network;
wherein the end user device token code is an end user device one-time passcode derived from a seed stored at the end user device; and
wherein evaluating the end user device token code received from the end user device through the network includes comparing the end user device one-time passcode to an expected one-time passcode derived from a copy of the seed stored at the authentication engine;
further including a one-time passcode hardware device attached to the end user device, the one-time passcode hardware device being the source of the end user device one-time passcode; and
wherein the end user device includes a virtual machine client which resides at a first location, the virtual desktop server resides at a second location which is separate from the first location, the protected resource resides at a third location which is separate from the first and second locations; and
wherein the controller, when providing the virtual desktop session from the virtual desktop server to the end user device, is constructed and arranged to provide a virtual machine on the virtual desktop server, and the user accessing the protected resource at the third location via the virtual machine residing on the virtual desktop server at the second location from the virtual machine client of the end user device residing at the first location.

Specification