Controlling access to a protected resource using a virtual desktop and ongoing authentication

US 8,701,174 B1
Filed: 09/27/2011
Issued: 04/15/2014
Est. Priority Date: 09/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a protected resource, the method comprising:

performing a continuous series of authentication operations between an end user device and an authentication engine;

while the continuous series of authentication operations results in ongoing successful authentication, providing a virtual desktop session from a virtual desktop server to the end user device to enable a user at the end user device to access the protected resource using the virtual desktop session; and

when the continuous series of authentication operations results in unsuccessful authentication, closing the virtual desktop session to prevent further access to the protected resource using the virtual desktop session;

wherein the protected resource is a website;

wherein providing the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session includes supplying the virtual desktop session from the virtual desktop server to the end user device while the user runs, within the virtual desktop session, a browser application to access the website;

wherein the browser runs in a virtual desktop server which is remote with respect to the end user device;

wherein the website runs in a web server which is remote with respect to the end user device, the virtual desktop server and the web server residing at different physical locations;

wherein supplying the virtual desktop session while the user runs, within the virtual desktop session, the browser application to access the website includes making the virtual desktop session available to the end user device while the user authenticates with the website running in the web server in a manner which is independent of the continuous series of authentication operations resulting in successful authentication between the end user device and the authentication engine;

wherein performing the continuous series of authentication operations between the end user device and the authentication engine includes authenticating the end user device to the authentication engine, and authenticating the authentication engine to the end user device;

wherein authenticating the end user device to the authentication engine includes evaluating, at the authentication engine, an end user device token code received from the end user device through a network;

wherein the end user device token code is an end user device one-time passcode derived from a seed stored at the end user device; and

wherein evaluating the end user device token code received from the end user device through the network includes comparing the end user device one-time passcode to an expected one-time passcode derived from a copy of the seed stored at the authentication engine;

further including issuing a one-time passcode hardware device to the user for installation on the end user device, the one-time passcode hardware device being the source of the end user device one-time passcode; and

wherein the end user device includes a virtual machine client which resides at a first location, the virtual desktop server resides at a second location which is separate from the first location, the protected resource resides at a third location which is separate from the first and second locations; and

wherein providing the virtual desktop session from the virtual desktop server to the end user device while the continuous series of authentication operations results in ongoing successful authentication includes;

creating a virtual machine on the virtual desktop server,providing user access to the virtual machine created on the virtual desktop server through the virtual machine client of the end user device to enable a user to operate the virtual machine remotely from the virtual machine client of the end user device, the user accessing the protected resource at the third location via the virtual machine created on the virtual desktop server at the second location from the virtual machine client of the end user device residing at the first location.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique controls access to a protected resource. The technique involves performing a series of authentication operations between an end user device and an authentication engine, and providing, while the series of authentication operations results in ongoing successful authentication, a virtual desktop session from a virtual desktop server to the end user device to enable a user at the end user device to access the protected resource using the virtual desktop session. The technique further involves closing the virtual desktop session when the series of authentication operations results in unsuccessful authentication (e.g., receipt of an incorrect authentication factor, loss of communications between the end user device and the authentication engine, etc.) to prevent further access to the protected resource using the virtual desktop session. Such operation provides additional security beyond that offered by a virtual desktop session without ongoing authentication, and thus protects against more advanced types of cyber threats.

31 Citations

View as Search Results

12 Claims

1. A method of controlling access to a protected resource, the method comprising:
- performing a continuous series of authentication operations between an end user device and an authentication engine;
  
  while the continuous series of authentication operations results in ongoing successful authentication, providing a virtual desktop session from a virtual desktop server to the end user device to enable a user at the end user device to access the protected resource using the virtual desktop session; and
  
  when the continuous series of authentication operations results in unsuccessful authentication, closing the virtual desktop session to prevent further access to the protected resource using the virtual desktop session;
  
  wherein the protected resource is a website;
  
  wherein providing the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session includes supplying the virtual desktop session from the virtual desktop server to the end user device while the user runs, within the virtual desktop session, a browser application to access the website;
  
  wherein the browser runs in a virtual desktop server which is remote with respect to the end user device;
  
  wherein the website runs in a web server which is remote with respect to the end user device, the virtual desktop server and the web server residing at different physical locations;
  
  wherein supplying the virtual desktop session while the user runs, within the virtual desktop session, the browser application to access the website includes making the virtual desktop session available to the end user device while the user authenticates with the website running in the web server in a manner which is independent of the continuous series of authentication operations resulting in successful authentication between the end user device and the authentication engine;
  
  wherein performing the continuous series of authentication operations between the end user device and the authentication engine includes authenticating the end user device to the authentication engine, and authenticating the authentication engine to the end user device;
  
  wherein authenticating the end user device to the authentication engine includes evaluating, at the authentication engine, an end user device token code received from the end user device through a network;
  
  wherein the end user device token code is an end user device one-time passcode derived from a seed stored at the end user device; and
  
  wherein evaluating the end user device token code received from the end user device through the network includes comparing the end user device one-time passcode to an expected one-time passcode derived from a copy of the seed stored at the authentication engine;
  
  further including issuing a one-time passcode hardware device to the user for installation on the end user device, the one-time passcode hardware device being the source of the end user device one-time passcode; and
  
  wherein the end user device includes a virtual machine client which resides at a first location, the virtual desktop server resides at a second location which is separate from the first location, the protected resource resides at a third location which is separate from the first and second locations; and
  
  wherein providing the virtual desktop session from the virtual desktop server to the end user device while the continuous series of authentication operations results in ongoing successful authentication includes;
  
  creating a virtual machine on the virtual desktop server,providing user access to the virtual machine created on the virtual desktop server through the virtual machine client of the end user device to enable a user to operate the virtual machine remotely from the virtual machine client of the end user device, the user accessing the protected resource at the third location via the virtual machine created on the virtual desktop server at the second location from the virtual machine client of the end user device residing at the first location.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as in claim 1 wherein authenticating the authentication engine to the end user device includes:
    - providing an authentication engine token code from the authentication engine to the end user device, the authentication engine token code being different than the end user device token code.
  - 3. A method as in claim 2 wherein providing the authentication engine token code from the authentication engine to the end user device includes:
    - deriving, as the authentication engine token code, an authentication engine one-time passcode from a seed stored at the authentication engine, andsending the authentication engine one-time passcode to the end user device through the network for comparison with an expected one-time passcode derived from a copy of the seed stored at the end user device.
  - 4. A method as in claim 1 wherein providing the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session includes:
    - providing a create command from the authentication engine to the virtual desktop server directing the virtual desktop server to create the virtual desktop session for use by the end user device.
  - 5. A method as in claim 4 wherein closing the virtual desktop session to prevent further access to the protected resource using the virtual desktop session includes:
    - in response to detection that the continuous series of authentication operations results in unsuccessful authentication, providing a close command from the authentication engine to the virtual desktop server directing the virtual desktop server to close the virtual desktop session.
  - 6. A method as in claim 5 wherein providing the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session further includes:
    - refraining from sending the close command from the authentication engine to the virtual desktop server as long as the authentication engine routinely performs a new successful authentication operation to authenticate the end user device before a timeout clock elapses.
  - 7. A method as in claim 1 wherein providing the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session includes:
    - providing a create command from the authentication engine to the virtual desktop server rendering, on the end user device, a virtual desktop window from the virtual desktop server.
  - 8. A method as in claim 7 wherein closing the virtual desktop session to prevent further access to the protected resource using the virtual desktop session includes:
    - in response to detection that the continuous series of authentication operations results in unsuccessful authentication, closing the virtual desktop window rendered from the virtual desktop server.
  - 9. A method as in claim 8 wherein providing the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session further includes:
    - refraining from closing the virtual desktop window rendered from the virtual desktop server as long as the end user device routinely performs a new successful authentication operation to authenticate the authentication engine before a timeout clock elapses.

10. An apparatus to control access to a protected resource, the apparatus comprising:
- a network interface to couple to a network; and
  
  processing circuitry coupled to the network interface, the processing circuitry being constructed and arranged to;
  
  perform a continuous series of authentication operations to authenticate an end user device through the network interface,while the continuous series of authentication operations results in ongoing successful authentication, provide a virtual desktop session from a virtual desktop server to the end user device to en able a user at the end user device to access the protected resource using the virtual desktop session, andwhen the continuous series of authentication operations results in unsuccessful authentication, close the virtual desktop session to prevent further access to the protected resource using the virtual desktop session;
  
  wherein the protected resource is a website;
  
  wherein the processing circuitry, when providing the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session is constructed and arranged to supply the virtual desktop session from the virtual desktop server to the end user device while the user runs, within the virtual desktop session, a browser application to access the website;
  
  wherein the browser runs in a virtual desktop server which is remote with respect to the end user device;
  
  wherein the website runs in a web server which is remote with respect to the end user device, the virtual desktop server and the web server residing at different physical locations;
  
  wherein the processing circuitry, when supplying the virtual desktop session while the user runs, within the virtual desktop session, the browser application to access the website is constructed and arranged to make the virtual desktop session available to the end user device while the user authenticates with the website running in the web server in a manner which is independent of the continuous series of authentication operations resulting in successful authentication between the end user device and the authentication engine;
  
  wherein the processing circuitry, when performing the continuous series of authentication operations between the end user device and the authentication engine is constructed and arranged to authenticate the end user device to the authentication engine, and authenticate the authentication engine to the end user device;
  
  wherein authenticating the end user device to the authentication engine includes evaluating, at the authentication engine, an end user device token code received from the end user device through a network;
  
  wherein the end user device token code is an end user device onetime passcode derived from a seed stored at the end user device; and
  
  wherein the processing circuitry, when evaluating the end user device token code received from the end user device through the network is constructed and arranged to compare the end user device one-time passcode to an expected one-time passcode derived from a copy of the seed stored at the authentication engine;
  
  further including issuing a one-time passcode hardware device to the user for installation on the end user device, the one-time passcode hardware device being the source of the end user device one-time passcode; and
  
  wherein the end user device includes a virtual machine client which resides at a first location, the virtual desktop server resides at a second location which is separate from the first location, the protected resource resides at a third location which is separate from the first and second locations; and
  
  wherein the processing circuitry, when providing the virtual desktop session from the virtual desktop server to the end user device while the continuous series of authentication operations results in ongoing successful authentication is constructed and arranged to;
  
  create a virtual machine on the virtual desktop server,provide user access to the virtual machine created on the virtual desktop server through the virtual machine client of the end user device to enable a user to operate the virtual machine remotely from the virtual machine client of the end user device, the user accessing the protected resource at the third location via the virtual machine created on the virtual desktop server at the second location from the virtual machine client of the end user device residing at the first location.

11. A computer program product having a non-transitory computer readable medium storing a set of instructions which, when performed by a computerized device, cause the computerized device to:
- perform a continuous series of authentication operations to authenticate an end user device;
  
  while the continuous series of authentication operations results in ongoing successful authentication, provide a virtual desktop session from a virtual desktop server to the end user device to enable a user at the end user device to access a protected resource using the virtual desktop session; and
  
  when the continuous series of authentication operations results in unsuccessful authentication, close the virtual desktop session to prevent further access to the protected resource using the virtual desktop session;
  
  wherein the protected resource is a website;
  
  wherein the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session includes a browser application to access the website;
  
  wherein the browser runs in a virtual desktop server which is remote with respect to the end user device;
  
  wherein the website runs in a web server which is remote with respect to the end user device, the virtual desktop server and the web server residing at different physical locations;
  
  wherein the virtual desktop session includes user authentication operations with the website running in the web server independent of the continuous series of authentication operations resulting in successful authentication between the end user device and the authentication engine;
  
  wherein the continuous series of authentication operations between the end user device and the authentication engine includes authenticating the end user device to the authentication engine, and authenticating the authentication engine to the end user device;
  
  wherein authenticating the end user device to the authentication engine includes evaluating an end user device token code received from the end user device through a network;
  
  wherein the end user device token code is an end user device one-time passcode derived from a seed stored at the end user device; and
  
  wherein evaluating the end user device token code received from the end user device through the network includes comparing the end user device one-time passcode to an expected one-time passcode derived from a copy of the seed stored at the authentication engine;
  
  further including a one-time passcode hardware device attached to the end user device, the one-time passcode hardware device being the source of the end user device one-time passcode; and
  
  wherein the end user device includes a virtual machine client which resides at a first location, the virtual desktop server resides at a second location which is separate from the first location, the protected resource resides at a third location which is separate from the first and second locations; and
  
  wherein providing the virtual desktop session from the virtual desktop server to the end user device includes a virtual machine on the virtual desktop server, and the user accessing the protected resource at the third location via the virtual machine residing on the virtual desktop server at the second location from the virtual machine client of the end user device residing at the first location.

12. An electronic authentication device to control access to a protected resource, the electronic authentication device comprising:
- an interface to couple to an end user device; and
  
  a controller coupled to the interface, the controller being constructed and arranged to;
  
  perform a continuous series of authentication operations to authenticate the end user device to an authentication engine,while the continuous series of authentication operations results in ongoing successful authentication, provide permission to the end user device through the interface to open a virtual desktop session with a virtual desktop server to enable a user at the end user device to access a the protected resource using the virtual desktop session, andwhen the continuous series of authentication operations results in unsuccessful authentication, deny permission to the end user device through the interface to force the end user device to close the virtual desktop session to prevent further access to the protected resource using the virtual desktop session;
  
  wherein the protected resource is a website;
  
  wherein the virtual desktop session from the virtual desktop server to the end user device to enable the user at the end user device to access the protected resource using the virtual desktop session includes a browser application to access the website;
  
  wherein the browser runs in a virtual desktop server which is remote with respect to the end user device;
  
  wherein the website runs in a web server which is remote with respect to the end user device, the virtual desktop server and the web server residing at different physical locations;
  
  wherein the virtual desktop session includes user authentication operations with the website running in the web server independent of the continuous series of authentication operations resulting in successful authentication between the end user device and the authentication engine;
  
  wherein the continuous series of authentication operations between the end user device and the authentication engine includes authenticating the end user device to the authentication engine, and authenticating the authentication engine to the end user device;
  
  wherein the controller, when authenticating the end user device to the authentication engine is constructed and arranged to evaluate an end user device token code received from the end user device through a network;
  
  wherein the end user device token code is an end user device one-time passcode derived from a seed stored at the end user device; and
  
  wherein evaluating the end user device token code received from the end user device through the network includes comparing the end user device one-time passcode to an expected one-time passcode derived from a copy of the seed stored at the authentication engine;
  
  further including a one-time passcode hardware device attached to the end user device, the one-time passcode hardware device being the source of the end user device one-time passcode; and
  
  wherein the end user device includes a virtual machine client which resides at a first location, the virtual desktop server resides at a second location which is separate from the first location, the protected resource resides at a third location which is separate from the first and second locations; and
  
  wherein the controller, when providing the virtual desktop session from the virtual desktop server to the end user device is constructed and arranged to provide a virtual machine on the virtual desktop server, and the user accessing the protected resource at the third location via the virtual machine residing on the virtual desktop server at the second location from the virtual machine client of the end user device residing at the first location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Dotan, Yedidya
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Kusyk, Janusz

Application Number

US13/246,023
Time in Patent Office

931 Days
Field of Search

None
US Class Current

726/9
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 2221/2139   Recurrent verification

H04L 63/0838   using one-time-passwords

H04L 9/3228   One-time or temporary data,...

Controlling access to a protected resource using a virtual desktop and ongoing authentication

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to a protected resource using a virtual desktop and ongoing authentication

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links