Temporally isolating data accessed by a computing device

US 9,990,505 B2
Filed: 08/12/2015
Issued: 06/05/2018
Est. Priority Date: 08/12/2014
Status: Active Grant

First Claim

Patent Images

1. A method of temporally isolating data so that the data accessed by a computing device is limited to a set of data associated with a current mode of operation, comprising:

receiving a first command to switch to a first mode of operation associated with a first set of data and a first security policy;

receiving an identification of an operator of the computing device that is requesting to engage the computing device in the first mode of operation;

authenticating the identification of the operator;

in response to the identification of the operator being authenticated, initiating a transition of the computing device to switch to the first mode of operation,in response to the identification of the operator failing authentication, disallowing the transition of the computing device to switch to the first mode of operation;

in response to initiating the transition to the first mode of operation, removing any data accessible by the computing device associated with modes of operation different from the first mode of operation so that the removed data is inaccessible by the computing device when operating in the first mode of operation;

storing a second set of data associated with at least one of the modes of operation different from the first mode of operation in a location that is inaccessible to an operating system associated with the computing device so that the operating system is unable to access the second set of data when operating in the first mode of operation;

in response to the data associated with the modes of operation different from the first mode of operation being removed, switching to the first mode of operation; and

operating in the first mode of operation based on a first plurality of rules associated with the first security policy in temporal isolation from any data associated with any other mode of operation of the computing device,wherein the computing device is limited to operating in the first mode of operation and is prevented from accessing any removed data of any other mode of operation while in the first mode of operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide a method to temporally isolate data accessed by a computing device so that the data accessed by the computing device is limited to a single set of data. The method includes removing any data that is accessed by the computing device when operating in different modes so that the data is inaccessible by the computing device when operating in the mode. The method also includes switching to the mode after the data associated with the modes different from the mode have been removed. The method also includes operating in the mode based on a plurality of rules associated with the security policy in temporal isolation from any other mode associated with the computing device. The computing device is limited to operating in the mode and is prevented from accessing any data that is distinct from the single set of data of the mode.

Citations

17 Claims

1. A method of temporally isolating data so that the data accessed by a computing device is limited to a set of data associated with a current mode of operation, comprising:
- receiving a first command to switch to a first mode of operation associated with a first set of data and a first security policy;
  
  receiving an identification of an operator of the computing device that is requesting to engage the computing device in the first mode of operation;
  
  authenticating the identification of the operator;
  
  in response to the identification of the operator being authenticated, initiating a transition of the computing device to switch to the first mode of operation,in response to the identification of the operator failing authentication, disallowing the transition of the computing device to switch to the first mode of operation;
  
  in response to initiating the transition to the first mode of operation, removing any data accessible by the computing device associated with modes of operation different from the first mode of operation so that the removed data is inaccessible by the computing device when operating in the first mode of operation;
  
  storing a second set of data associated with at least one of the modes of operation different from the first mode of operation in a location that is inaccessible to an operating system associated with the computing device so that the operating system is unable to access the second set of data when operating in the first mode of operation;
  
  in response to the data associated with the modes of operation different from the first mode of operation being removed, switching to the first mode of operation; and
  
  operating in the first mode of operation based on a first plurality of rules associated with the first security policy in temporal isolation from any data associated with any other mode of operation of the computing device,wherein the computing device is limited to operating in the first mode of operation and is prevented from accessing any removed data of any other mode of operation while in the first mode of operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving a second command to switch from the first mode of operation to a second mode of operation that is associated with another set of data and a second security policy;
      
      in response to receiving the second command, removing the first set of data so that the first set of data is inaccessible by the computing device when operating in the second mode of operation;
      
      switching to the second mode of operation after the first set of data associated with the first mode of operation has been removed; and
      
      operating in the second mode of operation based on a second plurality of rules associated with the second security policy in temporal isolation from the first mode of operation,wherein the computing device is limited to operating in the second mode of operation and is prevented from accessing the first set of data of the first mode of operation while in the second mode of operation.
  - 3. The method of claim 1, further comprising:
    - cryptographically isolating, by the computing device, the identification of the operator to an encryption key applied by the operator to initiate the transition of the computing device to the first mode of operation when the operator is affirmatively authenticated to prevent a different encryption key from being implemented in an attempt to engage the first mode of operation after the computing device has initiated the transition to the first mode of operation.
  - 4. The method of claim 3, further comprising:
    - comparing the encryption key applied by the operator to a mode key associated with the first mode of operation that the operator is requesting to engage, wherein the mode key is stored in a location that is accessible to an initialization layer of the computing device and inaccessible to the operating system of the computing device; and
      
      initiating, by the computing device, the transition of the computing device to switch to the first mode of operation when the encryption key matches the mode key or disallowing the transition of the computing device to switch to the first mode of operation when the encryption key fails to match the mode key.
  - 5. The method of claim 1, further comprising:
    - storing the first set of data in a location that is accessible by an initialization layer associated with the computing device after the identification of the operator attempting to switch the computing device to the first mode of operation is affirmatively authenticated.
  - 6. The method of claim 1, further comprising:
    - uploading the first set of data to the location that is accessible to the operating system associated with the computing device when the computing device has switched to the first mode of operation so that the operating system is able to access the first set of data based on the first plurality of rules associated with the first security policy.
  - 7. The method of claim 1, further comprising:
    - automatically initiating the transition to the first mode of operation when a parameter associated with transitioning to the first mode of operation is satisfied.
  - 8. The method of claim 7, wherein the parameter associated with the automatic transition to the first mode of operation is based on a geographic location of the computing device.

9. A system for temporally isolating data so that the data accessed by a computing device is limited to a set of data associated with a current mode of operation, comprising:
- a mode switch controller configured to;
  
  receive a first command to switch to a first mode of operation associated with a first set of data and a first security policy,receive an identification of an operator of the computing device that is requesting to engage the computing device in the first mode of operation,authenticate the identification of the operator,in response to the identification of the operator being authenticated, initiate a transition of the computing device to switch to the first mode of operation,in response to the identification of the operator failing authentication, disallow the transition of the computing device to switch to the first mode of operation,in response to initiating the transition to the first mode of operation, remove any data accessible by the computing device associated with modes of operation different from the first mode of operation so that the removed data is inaccessible by the computing device when operating in the first mode of operation,store a second set of data associated with at least one of the modes of operation different from the first mode of operation in a location that is inaccessible to an operating system associated with the computing device so that the operating system is unable to access the second set of data when operating in the first mode of operation, andin response to the data associated with the modes of operation different from the first mode of operation being removed, switch the computing device to the first mode of operation; and
  
  a security processor configured to;
  
  control the computing device to operate in the first mode of operation based on a first plurality of rules associated with the first security policy in temporal isolation from any data associated with any other mode of operation of the computing device,wherein the computing device is limited to operating in the first mode of operation and is prevented from accessing any removed data of any other mode of operation while in the first mode of operation.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein the mode switch controller is further configured to:
    - receive a second command to switch from the first mode of operation to a second mode of operation that is associated with another set of data and a second security policy;
      
      in response to receiving the second command, remove the first set of data so that the first set of data is inaccessible by the computing device when operating in the second mode of operation; and
      
      switch the computing device to the second mode of operation after the first set of data associated the first mode of operation has been removed.
  - 11. The system of claim 10, wherein the security processor is further configured to:
    - operate in the second mode of operation based on a second plurality of rules associated with the second security policy in temporal isolation from the first mode of operation,wherein the computing device is limited to operating in the second mode of operation and is prevented from accessing the first set of data of the first mode of operation.
  - 12. The system of claim 9, wherein the mode switch controller is further configured to cryptographically isolate the identification of the operator to an encryption key applied by the operator to initiate the transition of the computing device to the first mode of operation when the operator is affirmatively authenticated to prevent a different encryption key from being implemented in an attempt to engage the first mode of operation after the computing device has initiated the transition to the first mode of operation.
  - 13. The system of claim 12, wherein the mode switch controller is further configured to:
    - compare the encryption key applied by the operator to a mode key associated with the first mode of operation that the operator is requesting to engage, wherein the mode key is stored in a location that is accessible to an initialization layer of the computing device and inaccessible to the operating system of the computing device; and
      
      initiate the transition of the computing device to switch to the first mode of operation when the encryption key matches the mode key or disallowing the transition of the computing device to switch to the first mode of operation when the encryption key fails to match the mode key.
  - 14. The system of claim 9, wherein the mode switch controller is further configured to store the first set of data in a location that is accessible by an initialization layer associated with the computing device after the identification of the operator attempting to switch the computing device to the mode is affirmatively authenticated.
  - 15. The system of claim 9, wherein the mode switch controller is further configured to upload the first set of data to the location that is accessible to the operating system associated with the computing device when the computing device has switched to the first mode of operation so that the operating system is able to access the first set of data based on the first plurality of rules associated with the first security policy.
  - 16. The system of claim 9, wherein the mode switch controller is further configured to automatically initiate the transition to the first mode of operation when a parameter associated with transitioning to the first mode of operation is satisfied.
  - 17. The system of claim 16, wherein the parameter associated with the automatic transition to the first mode of operation is based on a geographic location of the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Redwall Technologies, LLC
Original Assignee
Redwall Technologies, LLC
Inventors
ner, Eric Ridvan, Collins, Michael J., Hunter, Kent H., Rosenstengel, John E., Sabin, James E., Woods, Kevin S.
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
Holmes, Angela R

Application Number

US14/824,709
Publication Number

US 20160048693A1
Time in Patent Office

1,028 Days
Field of Search

713189
US Class Current
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2105   Dual mode as a secondary as...

Temporally isolating data accessed by a computing device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Temporally isolating data accessed by a computing device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links