Apparatus for and method of preventing unsecured data access
First Claim
1. Computer comprising a processor configured to:
- execute a trusted virtual machine and a process in the trusted virtual machine that is executed in response to a request from an untrusted virtual machine that is without an authentication protocol;
- prevent output of unsecured content from the virtual machine other than to hardware generating user sensory stimulation or a display virtual machine as necessary for user sensory stimulation;
- secure content from the virtual machine so as to be unsecurable only with a File Key and a hardware security device;
- the File Key further secured with a Public DLP Key of a designated recipient of the File Key, which is storable in a server;
- access a medium accessible by either or both of the trusted virtual machine and untrusted virtual machine, configured to contain data secured before being written from the trusted virtual machine and/or unsecured after being read into the trusted virtual machine;
- unsecure content from data that is unsecurable only with a File Key and a specific hardware security device, without communication with a securer of the content; and
- wherein the content can be user modified.
Abstract
Shown and depicted is the use of hypervisors to prevent sensitive information from being exfiltrated from an organization. A Data Loss Prevention system is composed using virtual machines or domains to segment memory between domains which are assumed to be untrusted and domains which are known to be trusted. Sensitive information is cypher text when observed by software in Untrusted Domains, and clear text when observed by software in Trusted Domains. Sensitive information is unencrypted when it is in the address space of a protected process running inside a trusted domain.
28 Citations
20 Claims
11. Method of securing content comprising:
- executing a trusted virtual machine;
- executing a process in the virtual machine responsive to a request from an untrusted virtual machine without an authentication protocol;
- preventing output of unsecured content from the virtual machine other than to hardware generating user sensory stimulation or a display virtual machine as necessary for user sensory stimulation;
- securing content from the virtual machine so as to be unsecurable only with a File Key and a hardware security device;
- wherein the File Key further secured with a Public DLP Key of a designated recipient of the File Key, which is storable in a server;
- accessing a medium that is accessible by either or both of the trusted virtual machine and untrusted virtual machine, configured to contain data secured before being written from the trusted virtual machine and/or unsecured after being read into the trusted virtual machine;
- unsecuring content from data that is unsecurable only with a File Key and a specific hardware security device without communication with a securer of the content; and
- wherein the content can be user modified.
Specification