System and method for remotely managing security and configuration of compute devices

US 9,699,216 B2
Filed: 12/11/2015
Issued: 07/04/2017
Est. Priority Date: 08/20/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a server computer;

a plurality of secure computers; and

a communication channel between the server computer and the plurality of secure computers,wherein the server computer includes;

a storage for a plurality of security policies;

an administrator interface for allowing an administrator to configure a first one of the security policies for a first one of the plurality of secure computers and to configure a second one of the security policies for a second one of the plurality of secure computers, wherein the first and second security policies respectively define different first and second prohibited operations to be performed by the first and second secure computers; and

a communication channel interface for managing communications between the server computer and the plurality of secure computers over the communication channel, wherein the server computer is adapted to send the first and second ones of the security policies to the first and second secure computers, respectively, via the communication channel using the communication channel interface, andwherein the server computer is further adapted to receive alerts from the first and second secure computers via the communication channel using the communication channel interface, andwherein the alerts are related to attempts to perform the first and second prohibited operations,and wherein each of the plurality of secure computers include;

a host processor;

a device interface;

an upstream port for communicating with the host processor;

a downstream port for communicating with a device via the device interface; and

a secure subsystem interposed between the upstream port and the downstream port, such that the host processor and the device are incapable of communicating independently with each other without the secure subsystem, and such that the secure subsystem is operative thereby to enforce the sent one of the security policies, and wherein the server computer is further adapted to;

determine whether a change is needed in one of the first and second security policies, wherein the change is not in response to one of the alerts being received, and,when the change is needed, send the changed one of the first and second security policies to one of the first and second secure computers via the communication channel using the communication channel interface, andwhen the change is not needed, further determine whether one of the alerts has been received.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a system that manages security of one or more computer systems and/or one or more different types of I/O channels such as USB, Ethernet, SATA, and SAS. According to certain aspects, the management system is distributed. That is, a central management system and computer subsystems are physically distributed within one or more geographical areas, and communicate with each other by passing messages through a computer network. According to certain additional aspects, the configuration and/or security functions performed by methods and apparatuses according to the invention can be logically transparent to the upstream host and to the downstream device.

71 Citations

20 Claims

1. A system comprising:
- a server computer;
  
  a plurality of secure computers; and
  
  a communication channel between the server computer and the plurality of secure computers,wherein the server computer includes;
  
  a storage for a plurality of security policies;
  
  an administrator interface for allowing an administrator to configure a first one of the security policies for a first one of the plurality of secure computers and to configure a second one of the security policies for a second one of the plurality of secure computers, wherein the first and second security policies respectively define different first and second prohibited operations to be performed by the first and second secure computers; and
  
  a communication channel interface for managing communications between the server computer and the plurality of secure computers over the communication channel, wherein the server computer is adapted to send the first and second ones of the security policies to the first and second secure computers, respectively, via the communication channel using the communication channel interface, andwherein the server computer is further adapted to receive alerts from the first and second secure computers via the communication channel using the communication channel interface, andwherein the alerts are related to attempts to perform the first and second prohibited operations,and wherein each of the plurality of secure computers include;
  
  a host processor;
  
  a device interface;
  
  an upstream port for communicating with the host processor;
  
  a downstream port for communicating with a device via the device interface; and
  
  a secure subsystem interposed between the upstream port and the downstream port, such that the host processor and the device are incapable of communicating independently with each other without the secure subsystem, and such that the secure subsystem is operative thereby to enforce the sent one of the security policies, and wherein the server computer is further adapted to;
  
  determine whether a change is needed in one of the first and second security policies, wherein the change is not in response to one of the alerts being received, and,when the change is needed, send the changed one of the first and second security policies to one of the first and second secure computers via the communication channel using the communication channel interface, andwhen the change is not needed, further determine whether one of the alerts has been received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A system according to claim 1, wherein the prohibited first and second operations comprise connection of different first and second unauthorized devices to the first and second secure computers, respectively.
  - 3. A system according to claim 2, wherein the first and second unauthorized devices comprise specific I/O devices.
  - 4. A system according to claim 3, wherein the specific I/O devices comprise specific device classes of universal serial bus (USB) devices.
  - 5. A system according to claim 1, wherein the prohibited first and second operations comprise different first and second keywords used by the first and second secure computers, respectively.
  - 6. A system according to claim 5, wherein the prohibited first and second operations comprise network communications performed by the first and second secure computers, respectively.
  - 7. A system according to claim 5, wherein the prohibited first and second operations comprise communications with connected I/O devices performed by the first and second secure computers, respectively.
  - 8. A system according to claim 5, wherein the first and second keywords comprise network addresses used in network communications performed by the first and second secure computers, respectively.
  - 9. A system according to claim 1, wherein the first and second secure computers are associated with different first and second different groups of employees in an organization.
  - 10. A system according to claim 1, wherein the change is needed in response to a command from the administrator interface.

11. A method comprising:
- maintaining a plurality of security policies in a management server;
  
  allowing an administrator to configure a first one of the security policies for a first one of a plurality of secure computers and to configure a second one of the security policies for a second one of the plurality of secure computers, wherein the first and second security policies respectively define different first and second prohibited operations to be performed by the first and second secure computers;
  
  managing communications between the management server and the plurality of secure computers over a communication channel, the communications including sending the first and second ones of the security policies to the first and second secure computers, respectively, via the communication channel by the management server, and the communications further including receiving alerts from the first and second secure computers via the communication channel at the management server,wherein the alerts are related to attempts to perform the first and second prohibited operations;
  
  interposing, in each of the secure computers, a secure subsystem between an upstream port for communicating with a host processor and a downstream port for communicating with a device via a device interface, such that the host processor and the device are incapable of communicating independently with each other without the secure subsystem;
  
  enforcing, by the secure subsystems, the security policies in the secure computers;
  
  determining, by the management server, whether a change is needed in one of the first and second security policies, wherein the change is not in response to one of the alerts being received, and,when the change is needed, sending the changed one of the first and second security policies to one of the first and second secure computers via the communication channel by the management server, andwhen the change is not needed, further determining by the management server whether one of the alerts has been received.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. A method according to claim 11, wherein the prohibited first and second operations comprise connection of different first and second unauthorized devices to the first and second secure computers, respectively.
  - 13. A method according to claim 12, wherein the first and second unauthorized devices comprise specific I/O devices.
  - 14. A method according to claim 12, wherein the specific I/O devices comprise specific device classes of universal serial bus (USB) devices.
  - 15. A method according to claim 11, wherein the prohibited first and second operations comprise different first and second keywords used by the first and second secure computers, respectively.
  - 16. A method according to claim 15, wherein the prohibited first and second operations comprise network communications performed by the first and second secure computers, respectively.
  - 17. A method according to claim 15, wherein the prohibited first and second operations comprise communications with connected I/O devices performed by the first and second secure computers, respectively.
  - 18. A method according to claim 15, wherein the first and second keywords comprise network addresses used in network communications performed by the first and second secure computers, respectively.
  - 19. A method according to claim 11, wherein the first and second secure computers are associated with different first and second different groups of employees in an organization.
  - 20. A method according to claim 11, wherein the change is needed in response to a command from the administrator interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Janus Technologies, Inc.
Original Assignee
Janus Technologies, Inc.
Inventors
Borisov, Mikhail, Porten, Joshua, Raskin, Sofin, Wang, Michael
Primary Examiner(s)
HO, DAO Q

Application Number

US14/967,201
Publication Number

US 20160099974A1
Time in Patent Office

571 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/85   interconnection devices, e....

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/12   specially adapted for propr...

H04L 67/125   involving control of end-de...

System and method for remotely managing security and configuration of compute devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

71 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for remotely managing security and configuration of compute devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others