System and method for remotely managing security and configuration of compute devices
First Claim
1. A system for managing security of one or more computers, comprising:
- a remote management system that manages security policies;
- secure subsystems incorporated in the one or more computers; and
- a communication channel between the remote management system and the secure subsystems,
wherein the remote management system selectively sends certain of the security policies to the secure subsystems via the communication channel, and
wherein the remote management system further maintains an encryption key repository, and
wherein the remote management system selectively sends certain encryption keys from the repository to the secure subsystems via the communication channel, and
wherein the secure subsystems are configured to enforce the security policies in the incorporated computers, and
wherein the incorporated computers include an upstream port for communicating with a host processor of the incorporated computers and a downstream port for communicating with a device, and wherein the secure subsystems are interposed between the upstream port and the downstream port, such that the host processor and the device are incapable of communicating independently without the secure subsystem,
wherein the device is a Universal Serial Bus (USB) device, and
wherein the enforcement includes performing one or more of blocking communications between the host processor and the USB device and transparently encrypting and decrypting communications between the host processor and the USB device using the certain encryption keys, and
wherein the secure subsystems in the incorporated computers are configured to raise alerts to the remote management system via the communication channel, and
wherein the remote management system is configured to change the certain security policies sent to the secure subsystems in response to the alerts, and
wherein the alerts are raised in connection with violations of the security policies, and
wherein violations include a connection of an unauthorized device to the downstream port detected by the associated secure subsystem.
Abstract
The present invention relates to a system that manages security of one or more computer systems and/or one or more different types of I/O channels such as USB, Ethernet, SATA, and SAS. According to certain aspects, the management system is distributed. That is, a central management system and computer subsystems are physically distributed within one or more geographical areas, and communicate with each other by passing messages through a computer network. According to certain additional aspects, the configuration and/or security functions performed by methods and apparatuses according to the invention can be logically transparent to the upstream host and to the downstream device.
8 Claims
1. A system for managing security of one or more computers, comprising:
- a remote management system that manages security policies;
- secure subsystems incorporated in the one or more computers; and
- a communication channel between the remote management system and the secure subsystems,
wherein the remote management system selectively sends certain of the security policies to the secure subsystems via the communication channel, and
wherein the remote management system further maintains an encryption key repository, and
wherein the remote management system selectively sends certain encryption keys from the repository to the secure subsystems via the communication channel, and
wherein the secure subsystems are configured to enforce the security policies in the incorporated computers, and
wherein the incorporated computers include an upstream port for communicating with a host processor of the incorporated computers and a downstream port for communicating with a device, and wherein the secure subsystems are interposed between the upstream port and the downstream port, such that the host processor and the device are incapable of communicating independently without the secure subsystem,
wherein the device is a Universal Serial Bus (USB) device, and
wherein the enforcement includes performing one or more of blocking communications between the host processor and the USB device and transparently encrypting and decrypting communications between the host processor and the USB device using the certain encryption keys, and
wherein the secure subsystems in the incorporated computers are configured to raise alerts to the remote management system via the communication channel, and
wherein the remote management system is configured to change the certain security policies sent to the secure subsystems in response to the alerts, and
wherein the alerts are raised in connection with violations of the security policies, and
wherein violations include a connection of an unauthorized device to the downstream port detected by the associated secure subsystem.
- Dependent claims: 2, 3, 4, 5

6. A method for managing security of one or more computers, each of the one or more computers having a secure subsystem incorporated therein, the method comprising:
- managing security policies at a remote management system;
- selectively sending certain of the security policies to the secure subsystems via a communication channel between the remote management system and the secure subsystems, wherein the security policies define whether or not to perform encryption;
- managing encryption keys at the remote management system;
- selectively sending certain of the encryption keys to the secure subsystems via the communication channel;
- enforcing, by the secure subsystems, the security policies in the incorporated computers, wherein the incorporated computers include an upstream port for communicating with a host processor of the incorporated computers and a downstream port for communicating with a device, the method further including interposing the secure subsystems between the upstream port and the downstream port, such that the host processor and the device are incapable of communicating independently without the secure subsystem, wherein the device is a Universal Serial Bus (USB) device, and wherein enforcing includes performing one or more of blocking communications between the host processor and the USB device and transparently encrypting and decrypting communications between the host processor and the USB device using the certain encryption keys;
- raising, by the secure subsystems in the incorporated computers, alerts to the remote management system via the communication channel; and
- changing, by the remote management system, the certain security policies sent to the secure subsystems in response to the alerts,
wherein the alerts are raised in connection with violations of the security policies, and
wherein violations include a connection of an unauthorized device to the downstream port detected by the associated secure subsystem.
- Dependent claims: 7, 8
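The architecture claimed in claims 1 and 6 (a remote management system that pushes policies and keys to a secure subsystem sitting between the host processor and a USB device, with the subsystem blocking or transparently encrypting traffic, raising alerts on an unauthorized device, and the management system changing policy in response) can be exercised end to end in a small simulation. The following is an added illustration, not code from the patent or any product implementing it; the `Policy` fields, the lockdown response, the device identifiers, the key material and the HMAC-based keystream are all constructed for the example (a real subsystem would use an authenticated cipher such as AES-GCM).

```python
"""Simulation of a remote management system (RMS) driving secure subsystems that sit
between a host processor and a downstream USB storage device. Added example; the
policy model, identifiers and cipher below are illustrative assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample (vendor_id, product_id) pairs; not real device identifiers.
APPROVED_DEVICE = (0x0001, 0x0001)
ROGUE_DEVICE = (0x0002, 0x0002)


@dataclass(frozen=True)
class Policy:
    allowed_devices: frozenset      # (vendor_id, product_id) pairs permitted downstream
    encrypt: bool = True            # transparently encrypt host<->device traffic
    block_all: bool = False         # lockdown: refuse every device on the downstream port


@dataclass
class Alert:
    subsystem_id: str
    kind: str
    device: tuple


class UsbBlocked(Exception):
    """Raised when the subsystem refuses to pass traffic between host and device."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative keystream: HMAC-SHA256(key, nonce || counter). Stand-in only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class SecureSubsystem:
    """Interposed between the upstream (host) port and the downstream (USB) port."""

    def __init__(self, subsystem_id: str, rms: "RemoteManagementSystem"):
        self.id, self.rms = subsystem_id, rms
        self.policy, self.key, self.connected = None, None, None

    def receive_policy(self, policy: Policy, key: bytes) -> None:
        self.policy, self.key = policy, key          # delivered over the management channel

    def device_connected(self, vid: int, pid: int) -> bool:
        """Called when a device appears on the downstream port; returns True if admitted."""
        dev = (vid, pid)
        if self.policy.block_all:
            self.rms.receive_alert(Alert(self.id, "blocked_by_lockdown", dev))
            return False
        if dev not in self.policy.allowed_devices:
            self.rms.receive_alert(Alert(self.id, "unauthorized_device", dev))
            return False
        self.connected = dev
        return True

    def _check_path(self) -> None:
        if self.connected is None or self.policy.block_all:
            raise UsbBlocked(f"{self.id}: host<->device traffic blocked by policy")

    def host_to_device(self, block: int, data: bytes) -> bytes:
        """Host writes data to storage block; returns what the device actually receives."""
        self._check_path()
        if not self.policy.encrypt:
            return data
        return _xor(data, _keystream(self.key, block.to_bytes(8, "big"), len(data)))

    def device_to_host(self, block: int, data: bytes) -> bytes:
        """Device returns a stored block; the host sees it decrypted (XOR is symmetric)."""
        return self.host_to_device(block, data)


class RemoteManagementSystem:
    def __init__(self):
        self.key_repository, self.policies, self.key_ids = {}, {}, {}
        self.subsystems, self.alerts = {}, []

    def add_key(self, key_id: str, key: bytes) -> None:
        self.key_repository[key_id] = key

    def enroll(self, sub: SecureSubsystem, policy: Policy, key_id: str) -> None:
        self.subsystems[sub.id], self.policies[sub.id], self.key_ids[sub.id] = sub, policy, key_id
        self._push(sub.id)

    def _push(self, subsystem_id: str) -> None:
        key = self.key_repository[self.key_ids[subsystem_id]]
        self.subsystems[subsystem_id].receive_policy(self.policies[subsystem_id], key)

    def receive_alert(self, alert: Alert) -> None:
        self.alerts.append(alert)
        if alert.kind == "unauthorized_device":      # respond by locking that subsystem down
            old = self.policies[alert.subsystem_id]
            self.policies[alert.subsystem_id] = Policy(old.allowed_devices, old.encrypt, True)
            self._push(alert.subsystem_id)


def run_demo() -> dict:
    rms = RemoteManagementSystem()
    rms.add_key("key-demo-1", hashlib.sha256(b"constructed demo key").digest())
    sub = SecureSubsystem("laptop-42", rms)
    rms.enroll(sub, Policy(frozenset({APPROVED_DEVICE})), "key-demo-1")
    r = {"approved_accepted": sub.device_connected(*APPROVED_DEVICE)}
    plaintext = b"quarterly-report contents"
    stored = sub.host_to_device(7, plaintext)          # device only ever sees ciphertext
    r["stored_differs"] = stored != plaintext
    r["roundtrip"] = sub.device_to_host(7, stored)
    r["rogue_accepted"] = sub.device_connected(*ROGUE_DEVICE)
    r["locked_down"] = rms.policies["laptop-42"].block_all
    r["approved_after_lockdown"] = sub.device_connected(*APPROVED_DEVICE)
    try:
        sub.host_to_device(8, b"x")
        r["write_blocked"] = False
    except UsbBlocked:
        r["write_blocked"] = True
    r["alerts"] = [a.kind for a in rms.alerts]
    return r


if __name__ == "__main__":
    print(run_demo())
```

The design point the simulation makes is that the host never holds the key or the policy: both arrive at the interposed subsystem from the management side, so a compromised host cannot read the device's contents without the subsystem's cooperation, and every refusal is reported upstream where the policy can be tightened for that computer alone.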
Specification