US20060075506A1 - Systems and methods for enhanced electronic asset protection - Google Patents

Abstract

Systems and methods for enhanced electronic asset protection are described. One aspect of one described embodiment includes receiving an indication to activate asset protection, the client device having a local data store; and activating asset protection in response to the indication, wherein asset protection comprises disabling the local data store and disabling the client device. In another embodiment, a computer-readable medium (such as, for example random access memory or a computer disk) includes code for carrying out such a method.

Description

RELATED APPLICATIONS
• This application claims priority to Application Ser. No. 60/583,765, filed on Jun. 28, 2004, titled “Controlling Use of a Mobile Work Station Based on Network Environment,” Application Ser. No. 60/598,364, filed on Aug. 3, 2004, titled “Systems and Methods for Enhancing and Optimizing a User's Experience on an Electronic Device,” Application Ser. No. 60/652,121, filed on Feb. 11, 2005, titled “Remote Access Services,” and Application Ser. No. 60/653,411, filed on Feb. 16, 2005, titled “Creating an Environment for Secure Mobile Access Anywhere,” the entirety of all of which are incorporated herein by reference.
FIELD OF THE INVENTION
• The present invention relates generally to computer data security and, more particularly systems and methods for enhanced electronic asset protection.
BACKGROUND
• As the workforce becomes more mobile, enterprises often have equipment and data stored remotely, outside of the office. Unfortunately, mobile equipment, such as laptop computers, is sometimes lost or stolen.
• A stolen or lost laptop may provide an opportunity for someone to access valuable confidential data or attempt to breach the corporate network and access data and systems that are available only to an enterprise's users via the enterprise's private network.
• When a laptop is stolen, the enterprise may be able to protect the corporate network by, for example, disabling the user account associated with the laptop. However, it may be difficult or impossible to protect the data on the stolen or lost laptop.
• Conventional hand held devices, such as personal digital assistants (PDA's) provide some facilities for dealing with stolen or lost equipment. For instance, some PDA's include a facility for destroying all of the data on the PDA if the enterprise determines that the PDA is lost or stolen. If the PDA is later recovered or discovered not to have been lost or stolen in the first place, the PDA can typically be recovered by synchronizing the PDA with a user's personal computer. However, when a laptop is stolen, it may be difficult to protect confidential data on the laptop. And if the data is protected by, for example deleting it, recovery of data on the laptop is difficult at best.
SUMMARY
• Embodiments of the present invention provide systems and methods for enhanced electronic asset protection. One aspect of one described embodiment includes a client device receiving an indication to activate asset protection, the client device having a local data store; and activating asset protection in response to the indication, wherein asset protection comprises disabling the local data store and disabling the client device. In another embodiment, a computer-readable medium (such as, for example random access memory or a computer disk) includes code for carrying out such a method.
• This illustrative embodiment is mentioned not to limit or define the invention, but to provide one example to aid understanding thereof. Illustrative embodiments are discussed in the Detailed Description, and further description of the invention is provided there. Advantages offered by the various embodiments of the present invention may be further understood by examining this specification.
FIGURES
• These and other features, aspects, and advantages of the present invention are better understood when the following Detailed Description is read with reference to the accompanying drawings, wherein:
• FIG. 1 is a block diagram showing an illustrative environment for implementation of one embodiment of the present invention;
• FIG. 2 is a block diagram illustrating the modules present on aclient device102 in one embodiment of the present invention;
• FIG. 3 is a block diagram illustrating the modules present on asecurity server104 in one embodiment of the present invention;
• FIG. 4 is a block diagram illustrating the modules present on anenterprise server106 in one embodiment of the present invention;
• FIG. 5 is a flowchart illustrating a process for generating and distributing an indication to activate asset protection in one embodiment of the present invention;
• FIG. 6 is a flowchart illustrating a process for activating asset protection in one embodiment of the present invention;
• FIG. 7 is a flowchart illustrating a process for disabling theclient device102 in one embodiment of the present invention;
• FIG. 8 is a flowchart illustrating a process for disabling the local data store in one embodiment of the present invention; and
• FIG. 9 is a flowchart illustrating a process for recovering theclient device102 in one embodiment of the present invention.
DETAILED DESCRIPTION
• Embodiments of the present invention provide systems and methods for enhanced electronic asset protection. There are multiple embodiments of the present invention. By way of introduction and example, one illustrative embodiment of the present invention provides a method for protecting data stored on a laptop after the laptop is stolen.
• The user reports the fact that the laptop was stolen to an administrator. The administrator sets an indicator in a policy data store that the laptop should execute an asset protection procedure the next time it connects to a network. When the laptop is next powered up, it automatically connects to a network, and the asset protection indicator is transmitted to the laptop.
• In response to the asset protection indicator, the hard drive on the laptop is encrypted using an encryption key. While the hard drive is encrypted, the laptop begins shutting down devices, such as the network interface card, wireless access card, serial and parallel ports, keyboard, and monitor. In one embodiment, the network interface card continues to accept traffic from the policy data store so that it can receive additional instructions, such as a recovery indication. The laptop also shuts off all or most ports in the firewall and will not execute some or all applications. The laptop may also shut down.
• If the laptop is not recovered, the data on the laptop is protected from discovery by the user who has stolen or found the laptop. If the laptop is recovered, a recover indication is sent to the laptop. When the laptop receives the recover indication, it uses the encryption key to decrypt the hard drive and enables all the devices, ports, and applications.
• This introduction is given to introduce the reader to the general subject matter of the application. By no means is the invention limited to such subject matter. Illustrative embodiments are described below.
System Architecture
• Various systems in accordance with the present invention may be constructed. Referring now to the drawings in which like numerals indicate like elements throughout the several figures,FIG. 1 is a block diagram showing an illustrative environment for implementation of one embodiment of the present invention. The system shown inFIG. 1 includes aclient102.
• Communication with thesecurity server104 occurs via anetwork108. Thenetwork108 may comprise a public or private network and may include the Internet. The network may also comprise a plurality of networks, including, for example, dedicated phone lines between the various components. In one embodiment, theclient102 communicates with thesecurity server104 via a virtual private network (“VPN”) established over the Internet.
• Thesecurity server104 is also in communication with anenterprise server106 via a network. Thenetwork108 may comprise various elements, both wired and wireless. In one embodiment, the communication between thesecurity server104 andenterprise server106 occurs over a static VPN established over dedicated communication lines.
• In one embodiment, a user connects aclient device102 to thenetwork108 using a network access user interface. The network access user interface is always on and only allows the user to connect to thenetwork108 via the interface. The network access user interface automatically causes theclient102 to connect to thesecurity server104 through thenetwork108. Thesecurity server104 provides value added services to theclient102 and to one or more enterprises. Access to other services, such as the Internet, may be provided via thesecurity server104.
• AlthoughFIG. 1 includes only asingle client102,security server104, andenterprise server106, an embodiment of the present invention will typically include a plurality ofclients102 and may include a plurality ofsecurity servers104 andenterprise servers106.
Client Devices
• FIG. 2 is a block diagram illustrating the modules present on aclient device102 in one embodiment of the present invention. Examples ofclient device102 are personal computers, digital assistants, personal digital assistants, cellular phones, mobile phones, smart phones, pagers, digital tablets, laptop computers, Internet appliances, and other processor-based devices. In general, aclient device102 may be any suitable type of processor-based platform that is connected to thenetwork108, and that interacts with one or more application programs. Theclient device102 can contain a processor coupled to a computer-readable medium, such as RAM.Client device102 may operate on any operating system, such as Microsoft® Windows® or Linux. Theclient device102 is, for example, a laptop computer executing a network access user interface.
• The modules shown inFIG. 2 represent functionality of theclient102. The modules may be implemented as one or more computer programs that include one or more modules. For instance, in one embodiment, all the modules shown inFIG. 2 are contained within a single network access application. Also, the functionality shown on theclient102 may be implemented on a server in other embodiments of the present invention. Likewise, functionality shown inFIGS. 3 and 4 as being on a server may be implemented on theclient102 in some embodiments of the present invention.
• Theclient102 shown inFIG. 2 comprises aVPN client202. TheVPN client202 allows theclient102 to connect to theenterprise server106. In one embodiment of the present invention, theVPN client202 is used to determine whether or not theVPN client202 is active and whether or not theVPN client202 is connected to a VPN server. For instance, an embodiment of the present invention may determine whether or not to connect to a particular service based on whether or not theVPN client202 is enabled.
• In another embodiment of the present invention, theVPN client202 is used for four purposes: (1) to manage policy files, which include information, such as a gateway Internet Protocol (IP) address, secrecy and authentication level, and hash; (2) automatically connecting a VPN; (3) automatically disconnecting the VPN; and (4) monitoring the status of the VPN. Each of these four purposes may be affected by other modules, including, for example, theconnection manager210.
• Theclient102 also comprises asecure vault204. Thesecure vault204 protects content on theclient102. In one embodiment, thesecure vault204 is responsible for storing encrypted content on theclient102 and allowing access to the encrypted content based on a set of permissions or policies. In such an embodiment, a content creator can provide access via a viewer to secured content and allow a recipient of the content read-only access or allow the recipient to perform other tasks, such as modifying the content and forwarding it to other users. In another embodiment, thesecure vault204 allows the user to create and distribute secure content toother clients102, the content creator can decide to send a document to several users and allow two of the users full access and one of the users read-only access.
• Theclient102 shown inFIG. 2 also comprises afirewall206. Thefirewall206 allows port blocking via predefined policies. For instance, in one embodiment, an information technology (“IT”) manager specifies port blocking based on two zones, a safe zone and a dangerous zone. The IT manager specifies one of these two zones for each of the network interface devices installed on theclient102. The IT manager is then able to set port-blocking rules by zone on thefirewall206.
• For example, the IT manager may classify a Wireless Fidelity (“Wi-Fi”) network interface as dangerous since it has traditionally been considered fairly unsafe. And the IT manager may apply more restrictive port-blocking rules to the dangerous zone than to the safe zone and network interface devices, such as those used to connect to a wired Local Area Network (“LAN”) or a Personal Handyphone System (“PHS”) cellular connection. The PHS standard is a TDD-TDMA based microcellular wireless communications technology and has been traditionally considered relatively safer than Wi-Fi connections. The PHS cellular connection may also be referred to as a wireless wide area network (“WWAN”) as opposed to a dial-up connection providing access to a wide area network (“WAN”).
• In various other embodiments, the port-blocking rules of thefirewall206 may be based on time of day, client IP address, terminating IP address, terminating and originating port, protocol, and other variables. In one embodiment, the port-blocking rules are based on policy data associated with individual users logged into theclient102.
• In one embodiment, the port-blocking rules of thefirewall206 include a blacklist. The blacklist allows an IT manager to prevent an application from executing on theclient102. For instance, an IT manager may blacklist a DVD player so that a user is unable to view DVD's on theclient102. Thefirewall206 may provide a message to the user informing the user that an application is unavailable.
• In another embodiment, thefirewall206 implements a white list. The white list is somewhat more restrictive than the blacklist described above. The white list allows only specified applications to execute. For example, an IT manager may allow only MS Word, Excel, PowerPoint, and Outlook to execute. No other applications will be permitted to execute. Thefirewall206 may be a custom firewall or a third-party firewall integrated into an embodiment of the present invention.
• The embodiment shown inFIG. 2 also includes an antivirus module208. The antivirus module208 shown determines whether policy files, virus dictionary, or other virus-related resources are out of date and provides theclient102 with a mechanism for updating the files or data. The antivirus module208 may restrict access to various connections, applications, and other functionality when the policy files are out of date. For instance, the antivirus module208 may restrict theclient102 to connecting to a single gateway through which the policy files are available. In one embodiment, the antivirus module208 comprises a third-party antivirus product that is integrated with the other modules on theclient102.
• Theclient102 also comprises aconnection manager210, which includes a rules processor. In one embodiment, theconnection manager210 assigns a priority number to every connection, e.g., one to one hundred, and selects the connection with the highest number to connect to.
• Theconnection manager210 may provide a connection to a variety of networks, including, for example, dial-up, LAN, digital subscriber line (“DSL”), cable modem, Wi-Fi, wireless local area network (“WLAN”), PHS, and satellite.
• In one embodiment, theconnection manager210 differentiates between public and private connections. A public connection is a connection provided by a service provider who has a relationship with the administrator of thesecurity server104, which allows thesecurity server104 to authenticate the connection. For instance, thesecurity server104 administrator may have a business arrangement with a hotspot provider. In order to connect, theclient102 connects to a local access point and the authentication of the user occurs automatically at thesecurity server104. In contrast, a private connection requires that all aspects of the authentication mechanism for a connection are managed in the absence of thesecurity server104, although the connection manager may provide certain facilities to allow for automated authentication where possible.
• In one embodiment, theconnection manager210 makes connections available or unavailable to theclient102 based on policies present on theclient102. Theconnection manager210 may also download changes to policy data and transmit quality of service (“QoS”) and other data to thesecurity server104 or theenterprise server106.
• In one embodiment, theconnection manager210 determines the type of connections that are available based on signals provided by hardware associated with theclient102. For example, when theclient102 passes near a hotspot, a Wi-Fi card in theclient102 senses the hotspot and sends a signal to theconnection manager210. For instance, the Wi-Fi card may sense a broadcast service set identifier (“SSID”). Once the signal exceeds a threshold, theconnection manager210 provides a signal to a user of theclient102 that the network is available or may automatically connect to the hotspot. Alternatively, the Wi-Fi card may poll for a non-broadcast SSID. Theconnection manager210 may provide a single connection to theclient102 at one time or may provide multiple connections to theclient102.
• Theclient102 shown inFIG. 2 also comprises aQoS collector212. TheQoS collector212 collects data values, including, for example, the number of bytes sent and received, the average transfer rate, the average signal strength at connection, termination cause, failed connections, and a network identifier. In another embodiment, theQoS collector212 collects data during the session to determine when a connection provides inconsistent performance.
• In one embodiment, theQoS collector212 collects data regarding a connection during a session but does not send the data for a session until the next session. Thus, if a session is terminated abnormally, the QoS data will still be collected and transferred successfully. In another embodiment, theQoS collector212 transfers data only when a particular type of connection is detected, such as a high-speed or low cost connection.
• Theclient102 also comprises asession statistics module214. The session statistics module stores data representing user characteristics. For instance, the sessionstatistic module214 may store a list of the applications a user generally accesses, how often the user is connected, the typical CPU and memory utilization measure, keyboard sequences, and other characteristics of a user. If a particular user deviates from the expected characteristics by greater than a threshold, such as N standard deviations, and the significance of the statistic is more than a specified amount, thesession statistics module214 can identify the current user as a potential unauthorized user.
• Thesession statistics module214 may perform other tasks as well. For instance, in one embodiment, thesession statistics module214 pre-loads applications based on a user's general usage patterns.
• Theclient102 shown inFIG. 2 also comprises apolicy reader216. In one embodiment, a company's policies are housed on theenterprise server106. For instance, individual groups and users within an enterprise are identified and associated with policies, such as what types of connections they are able to access and what a user's VPN profile is. The user may also be able to specify a VPN policy on theclient102. In such an embodiment, thepolicy reader216 downloads the policy rules from theenterprise server106 and accesses local user policies and reconciles any conflicts between the two.
• For example, an IT manager may establish a VPN profile to be used by a user when connecting to a Wi-Fi network. However, the user may wish to create a secondary VPN profile to be used if the first VPN becomes unavailable. Thepolicy reader216 loads both local and enterprise VPN profiles, resolving any conflict between the two VPN profiles.
• In one embodiment, thepolicy reader216 accesses data at an enterprise, department, and user level. In such an embodiment, some of the policy rules may be stored in a lightweight directory access protocol (“LDAP”) server on theclient102,security server104, orenterprise server106. In another embodiment, thepolicy reader216 receives only changes to policy data and does not typically download all of the policy data at once. Policies downloaded by thepolicy reader216 may be provided to the rules processor of theconnection manager210.
• Theclient102 may also comprises aclient security module216. In one embodiment, theclient security module216 implements a client asset protection process. When theclient security module216 receives a signal indicating that the client asset protection process is to be executed, theclient security module216 may, for example, disable devices and interfaces on theclient device102 and may, in some embodiments, encrypt the hard drive of theclient device102 so that the files stored on the drive are not easily accessible.
• Theclient102 may also comprise a user interface220. The user interface220 may control the underlying operating environment or the user's view of the underlying environment. For example, in one embodiment, the user interface220 supplants the Microsoft® Windows operating system interface from the user's perspective. In other words, the user is unable to access many of the standard Windows features. Such a user interface may be implemented to limit the applications and configuration setting a user is able to access. In some embodiments, such as a personal digital assistant (“PDA”), no user interface is provided by an embodiment of the present invention; the standard PDA user interface is utilized.
• Theclient102 shown inFIG. 2 also comprises asecurity agent222. In some embodiments, thesecurity agent222 is also referred to as a “bomb.” In one embodiment, an IT manager indicates that thesecurity agent222 should be activated when theclient102 next connects to theenterprise server106. The IT manager may do so because theclient102 has been reported stolen. Subsequently, theclient102 connects to theenterprise server106, either directly or indirectly and receives the message to initiate thesecurity agent222.
• In one embodiment, when thesecurity agent222 activates, it stops all applications from being able to run and encrypts the data on the hard drive of theclient102. For instance, thesecurity agent222 may implement a white list as described above and then implement a secure vault for all data on theclient102. Theconnection manager210 may also be configured so that no connections are possible.
• In one such embodiment, since the data is merely encrypted bysecurity agent222, rather than erased, the data may be recovered if theclient102 is subsequently recovered. For instance, the enterprise may retain the key needed for decrypting the local drive. Theclient102 is returned to the enterprise, which then decrypts the drive. In another embodiment, the data on the local drive of the client is rendered inaccessible by, for example, writing over the data multiple times.
• Theclient102 shown inFIG. 2 also comprises an out-of-band communication receiver224. The out-of-band communication receiver224 allows the client to receive communications other than through a network-based connection. Theconnection manager210 may manage the out-of-band communication. For instance, the command to activate thesecurity agent222 may be transferred via a short messaging service (“SMS”) communication received by the out-of-band communication receiver224.
Security Server
• FIG. 3 is a block diagram illustrating the modules present on asecurity server104 in one embodiment of the present invention. Thesecurity server104 shown inFIG. 3 comprises a remote authentication dial-in user service (“RADIUS”) server302, which may also be referred to as an AAA (authentication, authorization, and accounting) server. RADIUS is the standard by which applications and devices communicate with an AAA server.
• The RADIUS server302 provides authentication services on thesecurity server104. In some embodiments of the present invention, the RADIUS server302 proxies to a RADIUS server on theenterprise server106. In one embodiment, the RADIUS server302 provides mutual authentication for theclient102 using Extensible Authentication Protocol Transport Layer Security (“EAP-TLS”). Although EAP-TLS itself is strictly an 802.1× authentication protocol, designed primarily for WiFi connections, the underlying TLS authentication protocol may be deployed in both wired and wireless networks. EAP-TLS performs mutual secured sockets layer (“SSL”) authentication. This requires both theclient device102 and the RADIUS server302 to have a certificate. In mutual authentication, each side may prove its identity to the other using its certificate and its private key.
• The security server shown inFIG. 3 also comprises anLDAP server304. TheLDAP server304 uses the LDAP protocol, which provides a mechanism for locating users, organizations, and other resources on the network. In one embodiment of the present invention, theLDAP server304 provides access control at the network layer to various components that an enterprise customer may or may not purchase. For example, a customer may choose to implement a secure vault as described in relation toFIG. 1. In such a case, the customer or users or groups associated with the customer are also associated with the firewall module. The LDAP entry is then used to determine that the firewall is to be enabled on a client.
• In some embodiments, theLDAP server304 is implemented as a list of user identifiers not using the LDAP protocol. In another embodiment, data in theLDAP server304 is propagated from data present in theenterprise server106.
• Thesecurity server104 shown inFIG. 3 also comprises asession manager306. Thesession manager306 controls sessions, including sessions between theclient102 andenterprise server106. In some embodiments, thesession manager306 also determines how to route data requests. For instance, thesession manager306 may determine that a particular data request should be routed to the Internet rather than to theenterprise server106. This may be referred to as “splitting the pipe” and provides a mechanism to replace “split tunneling” (a traditional configuration option with most standard VPN clients) at the client device by the more secure split of traffic not intended for the enterprise at the security server, allowing monitoring of all traffic without the enterprise incurring the expense of the extra bandwidth required.
• In some embodiments, theclient102 andenterprise server106 establish a VPN for communication. In such an embodiment, thesession manager306 may be unable to route requests to any location other than the enterprise—the packets are encrypted and thus, cannot be separately evaluated.
• In one embodiment, thesession manager306 performs automated authentication of aclient device102 or user. For example, if thesession manager306 determines that aclient102 is approaching a Wi-Fi hotspot, thesession manager306 is able to pre-populate the hotspot with the certificate that the hotspot requires to authenticate the user. In this manner, the authentication appears very fast to the user. Thesession manager306 may also control the manner in which data is queued for download to theclient device102.
• In one such embodiment, thesession manager306 provides two modes for data queuing. In a first mode, thesession manager306 determines that the network down time will be brief, e.g., the user is moving through a tunnel, which interferes with network access. In such a case, the session manager queues a minimal amount of data. In a second mode, thesession manager306 determines that the network down time will be of a longer duration, e.g., the user is boarding a plane from New York to Tokyo. In such a case, thesession manager306 may queue a larger amount of data. In one such embodiment, thesession manager306 determines the mode by querying the user for the downtime interval. When the user reconnects to thesecurity server104, thesession manager306 determines the best manner of downloading the queued data and begins the download.
• In one embodiment, thesession manager306 comprises a packet shaper (not shown). The packet shaper provides various functional capabilities to thesession manager306. For example, in one embodiment, the packet shaper provides a mechanism for prioritizing packets sent between theenterprise server106 and theclient102. In one embodiment, the packet shaper utilizes Multiprotocol Label Switching (“MPLS”). MPLS allows a specific path to be specified for a given sequence of packets. MPLS allows most packets to be forwarded at the switching (layer 2) level rather than at the (routing) layer 3 level. MPLS provides a means for providing QoS for data transmissions, particularly as networks begin to carry more varied traffic.
• Thesession manager306 may also provide session persistence capabilities. For instance, in one embodiment, when a user drops a connection or moves from one provider network coverage area to another, theconnection manager306 persists a virtual connection as the first connection is terminated and the second is initiated.
• Thesession manager306 may include a server-side rules engine. The server-side rules engine may use historical information, such as the session statistics described above, for statistical attack determination. For instance,session manager306 may access a stored statistic regarding aclient device102 and based on monitoring of the current statistics for theclient device102 determine that an unauthorized user is using theclient device102.
• Thesecurity server104 shown inFIG. 3 also comprises a real-time monitor308. The real-time monitor308 monitors the status of communications, such as which clients and users are logged on, the amount of data being transferred, ongoing QoS measures, ports in use, and other information.
• When the real-time monitor308 detects a problem, it may issue an alert to network support. In one embodiment, data from the real-time monitor308 is provided to users via a portal available on thesecurity server308. In another embodiment, the real-time portal308 transfers information to theenterprise server106, from which users access the data.
• The embodiment shown inFIG. 3 also comprises ahistorical monitor310. Thehistorical monitor310 provides information similar to the real-time monitor310. However, the underlying data is historical in nature. For instance, in one embodiment, thehistorical monitor310 provides audit information for making intelligent business decisions and for dealing with regulatory compliance issues.
• The information available via thehistorical monitor310 may include, for example, historical QoS data, registration compliance data, and metrics consistency data. The historical data monitor310 may be used to determine that certain clients are not performing optimally by comparing metrics of various clients over time. For instance, by evaluating information available via the historical data monitor310, a support person may be able to determine that a radio tuner on aspecific client device102 is failing. If the user of oneclient device102 is complaining about the availability of service, but other users are able to successfully access service, then the client device's radio may be the problem.
• The historical data monitor310 may also be used to reconcile information captured on thesecurity server104 regarding connections and data provided by telecommunication carriers. The data may be used to determine when certain resources need to be increased and when a certain carrier is not performing adequately.
• The security server also comprises adatabase312. In embodiments of the present invention, thedatabase312 may be any type of database, including, for example, MySQL, Oracle, or Microsoft SQL Server relational databases. Also, although thedatabase312 is shown as a single database inFIG. 2, thedatabase312 may actually comprise multiple databases, multiple schemas within one or more databases, and multiples tables within one or more schemas. Thedatabase312 may also be present on one or more other machines, e.g., database servers.
• In one embodiment of the present invention, thedatabase312 stores customer information regarding enterprises served by thesecurity server104, such as a list of valid users, a list of valid cellular cards, the relationships between the individual users and groups within the enterprise, and other customer information.
• For example, in one embodiment, thedatabase312 stores an association between users and cellular data cards. The enterprise may allocate a single user to a specific data card. Alternatively, the enterprise may associate a group of users with a group of cellular data cards. Other types of data may also be stored in thedatabase312, such as billing data.
• Thesecurity server104 shown inFIG. 3 also comprises aQoS server314. TheQoS server314 uploads information from theQoS collector212 on theclient device102 and stores the QoS data. TheQoS server314 can collect data from multiple clients and store it in thedatabase312.
• The security server also comprises aQoS tools engine316. TheQoS tools engine316 displays data made available by theQoS server314 and other processes, such as the real-time monitor308.
• In one embodiment, theQoS tools engine316 provides an aggregation of QoS data in a spreadsheet. In another embodiment, theQoS tools engine316 provides data using map views, pie charts, and graphs. TheQoS tools engine316 may also provide the capability for setting QoS-based alarms and may provide data to users via a portal.
• In the embodiment shown inFIG. 3, thesecurity server104 also comprises aportal server318. Theportal server318 may be, for example, a web server. Any standard web server application may be utilized, including Microsoft® Internet Information Server (“IIS”) or Apache.
• Although thesecurity server104 shown inFIGS. 1 and 3 is illustrated as a single server, it may comprise multiple servers. For example, in one embodiment of the present invention, thesecurity server104 comprises multiple regional servers.
• Also, the description above suggests that data is provided to and queried from thesecurity server104 by theclient102, i.e., the client pulls the data. However, in some embodiments, theclient102 also comprises a listener (not shown) so that thesecurity server104 can push data to theclient102.
Enterprise Server
• FIG. 4 is a block diagram illustrating the modules present on anenterprise server106 in one embodiment of the present invention. Theenterprise server106 may also be referred to herein as a customer server and may comprise one or more servers for one or more enterprises linked to one ormore security servers104.
• Theenterprise server106 shown inFIG. 4 comprises apolicy server402. Thepolicy server402 provides a means for managing the policy rules, including, for example, available VPN profiles, available transports (e.g. WiFi, LAN, PHS, Dialup), firewall rules, such as blacklists and white lists, connection rules, and antivirus rules. Thepolicy server402 may include other rules as well, such as the level of data throttling to perform for each client or group of clients. Data throttling limits the data transfer rate to aparticular client102 so that connection resources can be optimized.
• The policies may be managed at one or more levels. For example, an IT manager may wish to create a VPN profile for the enterprise as a whole, but a different VPN profile for an engineering group since the engineering group needs access to various unique applications.
• Thepolicy server412 may also provide a mechanism for configuring the location of various servers that theclient102 will utilize. For instance, thepolicy server412 may allow an IT manager to specify the IP address of anacceleration server404 or avault server406
• In one embodiment, the policy server also allows the IT manager to specify which users receive updates for various components on theclient102. Thepolicy server402 may also allow the IT manager to perform connection configuration. For instance, the IT manager may use the policy server to specify phone numbers for PHS connections, Wi-Fi SSID's for private connections, and other connection configuration information.
• Theenterprise server106 shown inFIG. 4 also comprises anacceleration server404. Theacceleration server404 performs processes to improve the performance of data transfer. For instance, theacceleration server404 may automatically compress images that are to be transferred to aclient102.
• In one embodiment, theacceleration server404 communicates with thepolicy server402. An IT manager sets acceleration rules using thepolicy server402, and theacceleration server404 uses these rules to determine what level of acceleration to use for a particular communication. In one embodiment, the IT manager sets a default level of acceleration for all communication and a specific level of acceleration for one group of users. The specific level of acceleration may be referred to as an override.
• Theenterprise server106 also comprises avault server406. The vault server comprises two components, an automatic component and an administration component. In one embodiment, the automatic component integrates with an enterprise's mail server (not shown) and performs operations on emails to and from the mail server. For instance, thevault server406 may quarantine an email, automatically encrypt the email before it is sent, add a legal disclaimer to an email, or perform other functions on the email.
• In one embodiment, the automatic component of thevault server406 searches an email based on words or based on the domain or specific address to which the email is addressed or from which the email originated. Using this information, the user can perform functions on the email, such as those described above.
• The administration component of thevault server406 allows a user to terminate access to secure content, either by a specific user or by all users. It also logs activity. Using one embodiment of thevault server406, a user can indicate that a set of users whose employment has been terminated will no longer have access to any secure content. In an alternative embodiment of thevault server406, a user can indicate that a given element of secure content, say a price list, is now out of date, and so that piece of secure content will no longer be viewable by any user. When each user accesses the secure content, thevault server406 logs the event. So for each secure content element, thevault server406 creates a log of all activity on the secure content.
• In one embodiment, thevault server406 also compresses data. For instance, one embodiment utilizes standard PKZIP compression to compress all content. In another embodiment, an IT manager may identify three types of images and specify a different level of compression for each type of image based on the level of resolution necessary for each type of image.
• Theenterprise server108 also comprises a RADIUS server408 andLDAP server410, which are similar to those described above in relation to thesecurity server104. The RADIUS server302 on thesecurity server104 may proxy to the RADIUS server408 on theenterprise server106. Similarly, data in theLDAP server410 may be propagated to theLDAP server204 on thesecurity server104.
• Theenterprise server106 also comprises a one-time password (“OTP”)server412. TheOTP server412 provides a mechanism for authentication. For instance, in one embodiment of the present invention, theenterprise server106 uses theOTP server412 to perform a mutual authentication process.
• Theenterprise server106 also comprises aconcentrator414. Theconcentrator414 provides remote access capability to theclient102. For instance, theconcentrator414 may serve as a means for terminating a VPN between theclient102 andenterprise server106.
• Theenterprise server104 shown inFIG. 4 also comprises aportal server416. Theportal server416 may comprise a standard web server, such as IIS or Apache. Theportal server416 may provide one or more portals. For example, in one embodiment, theportal server416 provides two portals, portal one and portal two.
• Portal one provides a configuration interface for managing the various elements shown inFIGS. 2 and 3, including, for example, thepolicy server402 andLDAP server410. Portal two provides an interface for accessing data, such as QoS data and session data.
• For instance, a user may use historical QoS data on portal two to determine how a particular provider is performing in terms of throughput, user connections, and other QoS metrics. Portal two may also provide real-time information, such as how many users are currently connected.
• For instance, in one embodiment, an IT manager determines that twenty users have been rejected by a carrier in the last three minutes due to authentication failure and five users with the same user identifier are currently logged on to five different devices. The IT manager uses this information to detect a potential security problem. Portal two may also be used to set alerts as described above.
• It should be noted that the present invention may comprise systems having a different architecture than that which is shown inFIG. 1. For example, in some systems according to the present invention, first authentication server118 and final authentication server126 may be combined in a single server. The system100 shown inFIG. 1 is merely illustrative, and is used to help explain the illustrative systems and processes discussed below.
Illustrative Methods of Enhanced Electronic Asset Protection
• Various methods for electronic asset protection may be implemented in embodiments of the present invention.FIG. 5 is a flowchart illustrating a process for generating and distributing an indication to activate asset protection in one embodiment of the present invention. In the embodiment shown inFIG. 5, asecurity server104 automatically determines whether to send an indication to aclient device102 to invokeasset protection502. The determination may be based on a variety of factors. For example, in one embodiment, a user reports that a laptop has been lost or stolen. In another embodiment, thesecurity server104 monitors the duration between connections between thesecurity server104 and the laptop, and if the duration exceeds a threshold, determines that the indication should be sent. In yet another embodiment, thesecurity server104 performs a statistical analysis on the probability that the laptop has been lost or stolen, and if the probability exceeds a predetermined threshold, activates asset protection. For instance, in one embodiment, thesecurity server104 determines that 15 failed login attempts have occurred from aclient device102. Based on this number of failed login attempts, thesecurity server104 determines a 90% probability that an unauthorized user is using theclient device102. If the 90% probability exceeds the threshold set for that measure, thesecurity server104 sends the asset protection indication to theclient102. In another embodiment, through a similar statistical mechanism, theclient device102 generates the indication without connecting to the network.
• In the embodiment shown inFIG. 5, if the determination is made to invoke asset protection, thesecurity server104 generates anencryption key504 and delivers it, along with an indication to activate asset protection, securely to theclient device102. Theclient device102 uses the encryption key to encrypt data on the hard drive. Theclient device102 may use any conventional encryption routine to encrypt the data. Subsequently, the encryption key can be used to recover the data on the hard drive. In other embodiments, the data on the hard drive or other storage medium is erased or otherwise destroyed; in such an embodiment, the encryption key may not be sent to theclient102.
• In some cases, data present on theclient device102 may not be available anywhere else. For instance, a confidential customer list or proposal may be stored on theclient device102. By providing a recoverable method of disabling the client device, an embodiment of the present invention avoids the loss of this data should the laptop subsequently be found or returned.
• If the security administrator decides to generate an encryption key, the encryption key will be stored locally506, for instance, in a database on thesecurity server104. By generating and storing the encryption key on thesecurity server104, theclient device102 does not have to store an encryption key, which could decrypt data on its local data store. Once the encryption key is stored locally506, the encryption key will be sent with the indication to activateasset protection508.
• Thesecurity server104 may transmit the key and indication in a secure manner via a network, such asnetwork108. The network may comprise a wired or wireless network. In one embodiment, the key and indication are transmitted over a wired or wireless transmission control protocol/internet protocol (TCP/IP) link. In another embodiment, thesecurity server104 transmits the key and indication through an out-of-band communication channel, e.g., transmitting an SMS message to the client.
• Theclient device102 receives the encryption key andasset protection indication508. Theclient device102 may receive the key and indication vianetwork106. For instance, in one embodiment, theclient device102 initiates all network connections through thesecurity server104. In such an embodiment, thesecurity server104 is able to detect when theclient device102 connects. In another embodiment, the client device receives the key and indication as part of an SMS message. Theclient device102 extracts the key and indicator from the SMS message.
• In response to receiving the indication, theclient device102 executes anasset protection component510. The client device shown inFIG. 2 comprises asecurity agent222. Thesecurity agent222 is responsible for carrying out the asset protection steps illustrated inFIGS. 6-9 on the client device. In some embodiments of the present invention, processes on thesecurity server104 orenterprise server106 may also be executed. For instance, access to the enterprise's VPN may be disabled if aclient device102 is thought to have been stolen, lost, or otherwise compromised.
• FIG. 6 is a flowchart illustrating a process for activating asset protection in one embodiment of the present invention. In the embodiment shown theclient device102 first receives an indication to activateasset protection602. As described above, in some embodiments, the indication contains an encryption key.
• Thesecurity agent222 then activatesasset protection604. Asset protection may comprise a variety of security mechanisms. These security mechanism may be software, firmware, or hardware based or may be a combination of software, firmware, and/or hardware.
• In the embodiment shown inFIG. 6, thesecurity agent222 disables the client device (102)606. Thesecurity agent222 may disable the client in various ways. For instance, thesecurity agent222 may disable communications, input/output, or even disrupt the power supply. Other methods of disabling theclient device102 are described in reference toFIG. 7.
• Thesecurity agent222 also disables thelocal data store608. Disabling of the data store andclient device102 may occur simultaneously or sequentially. In one embodiment, portions of theclient device102 are disabled, such as the network adapter or adapters, the data store is disabled, and then the rest of the client device is disabled. As with disabling theclient device102, disabling the data store may be accomplished in various ways. For instance, thesecurity agent222 may preserve the data on the data store but make the data inaccessible. In one embodiment, thesecurity agent222 destroys all the data on the data store. In another embodiment, the local data store is made unavailable by implementing a “file system filter driver” that redirects all read/write attempts to local data stores to a location that does not exist or to a single location that contains a security message. Other methods of disabling the local data store are described in relation toFIG. 8.
• FIG. 7 is a flowchart illustrating a process for disabling theclient device102 in one embodiment of the present invention. In the embodiment shown, thesecurity agent222 first blocks network access from the client device (102)702. For instance, in one embodiment, once asset protection is activated, theclient device102 is no longer able to connect to any wired or wireless networks except to check whether or not an indication to recover the device has been sent.
• In the embodiment shown inFIG. 7, thesecurity agent222 also blocks execution of one or more applications on theclient device102. For instance, thesecurity client102 may block access of an application that would allow a user to modify registry entries or to examine the file system. In one embodiment, thesecurity agent222 implements a white list, allowing theclient device102 to execute only specified applications. In another embodiment, thesecurity agent222 destroys the BIOS, rendering theclient device102 unusable.
• Thesecurity agent222 also blocks input and output ports on theclient device706. By blocking output ports, thesecurity agent222 stops a user from transferring information off of theclient device102. The blocked ports may be virtual or real. For instance, in one embodiment, blocking the ports comprises revising setting on a firewall. In another embodiment, blocking ports comprises turning off access to serial, parallel, USB, and other physical ports. Thesecurity agent222 may also shut off access to CD or DVD burners. For instance, in one embodiment, blocking a physical port may stop the user from printing information, storing information on a USB drive, or otherwise moving information from theclient device102 to another device or medium. By blocking input ports, thesecurity agent222 stops a user from loading utility programs or data on theclient device102. For instance, if a user determines that thesecurity agent222 is disabling theclient device102, a user may attempt to load a program from a web site to disable thesecurity agent222. By disabling the input ports, thesecurity agent222 thwarts this threat.
• In the embodiment shown inFIG. 7, thesecurity agent222 next verifies that no indication to recover the client device has been received708. For example, in one embodiment, if an administrator determines that theclient device102 has been disabled inadvertently, the administrator can transmit a recovery indication, e.g., by sending an out-of-band communication. When theclient device102 receives the recover indication, thesecurity agent222 may stop the process of disabling theclient device102 and may reopen ports and allow access to applications automatically. In one embodiment, theclient device102 is returned to an administrative facility to be recovered.
• If no recover indication is received, thesecurity agent222 shuts theclient device102 down710. For instance, in one embodiment, thesecurity agent222 executes the normal shut down procedure for theclient device102. In another embodiment, thesecurity agent222 causes the client device to immediately power down without executing the normal operating system shut down procedure. As with the previously described processes, the steps shown inFIG. 7 may occur in a different order and may occur sequentially or concurrently.
• In the embodiment shown inFIG. 6, thesecurity agent222 disables theclient device102 and disables a local data store.FIG. 8 is a flowchart illustrating a process for disabling the local data store in one embodiment of the present invention. In the embodiment shown, thesecurity agent222 receives anasset protection indication802. For instance, if theclient device102 is stolen, the network administrator may set a flag in thepolicy server402, indicating that the asset protection indication is to be sent to theclient device102.
• In response to receiving the asset protection indication, thesecurity agent222 encrypts thelocal data store804. The local data store may comprise a hard drive, flash memory, or any other medium capable of storing data. Thesecurity agent222 may encrypt he data using an encryption key transmitted with the asset protection indication. In such an embodiment, the encryption key is not stored on the local data store, decreasing the chances of discovery of the key and decryption of the data store. In another embodiment, the encryption key is stored on the local data store, facilitating automated recovery of the local data store.
• In the embodiment shown inFIG. 8, thesecurity agent222 next permanently deletes the contents of thelocal data store806. For example, thesecurity agent222 may repeatedly write over the local data store with random pieces of information. Thesecurity agent222 may also corrupt the file allocation table of the local data store, such that the data cannot be accessed without rebuilding the file allocation table.
• In one embodiment, thesecurity agent222 encrypts the local data store and sets an expiration date two days after the encryption takes place. On the expiration date, thesecurity agent222 permanently deletes the local data store unless a recover indication is received.
• One advantage of an embodiment of the present invention is the ability to recover data after asset protection has been executed.FIG. 9 is a flowchart illustrating a process for recovering theclient device102 in one embodiment of the present invention.
• In the embodiment shown inFIG. 9, theclient device102 receives an indication to recover902. Theclient device102 may receive the recover indication in various ways. For instance, in one embodiment, a port in a firewall remains open after the remaining ports are blocked. A recover indication is transmitted over the open port. In another embodiment, a network administrator takes physical possession of theclient device102 and recovers it manually.
• Thesecurity agent222 then enables the client device (102)904. In one embodiment, thesecurity agent222 enables the client device by reversing the process shown inFIG. 7.
• Thesecurity agent222 also enables thelocal data store906. Enabling the local data store may occur before, after, or concurrently with enabling theclient device102 in various embodiments of the present invention. Theclient device102 enables the local data store by decrypting the data. Thesecurity agent222 may perform this task automatically. For example, thesecurity agent222 may use an encryption key stored on the local data store to perform the encryption or may receive the encryption key from the security server with the recover indication.
• In one embodiment of the present invention, thesecurity agent222 is also able to report a position of theclient device102. For instance, theclient device102 may comprise a global positioning (“GPS”) card that provides the capability of providing a position, or theclient device102 may use signals from multiple signal towers to determine a position by triangulation. The position of theclient device102 may then be used to help determine whether theclient device102 and/or local data store are to be disabled.
General
• The foregoing description of the embodiments, including preferred embodiments, of the invention has been presented only for the purpose of illustration and description and is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Numerous modifications and adaptations thereof will be apparent to those skilled in the art without departing from the spirit and scope of the present invention.

Claims (17)

1. A method comprising:

receiving an indication to activate asset protection on a client device, the client device having a local data store; and

activating asset protection in response to receiving the indication to activate the asset protection module, wherein asset protection comprises disabling the local data store and disabling the client device.

2. The method ofclaim 1, wherein disabling the local data store comprises encrypting the local data store.

3. The method ofclaim 1, wherein disabling the local data store comprises permanently deleting contents stored on the local data store.

4. The method ofclaim 1, wherein the local data store comprises a magnetic drive.

5. The method ofclaim 1, wherein the local data store comprises an optical drive.

6. The method ofclaim 1, wherein the local data store comprises a random access memory.

7. The method ofclaim 1, wherein disabling the client device comprises block network access from the client device.

8. The method ofclaim 1, wherein disabling the client device comprises blocking execution of an application on the client device.

9. The method ofclaim 1, wherein disabling the client device comprises blocking input/output port access on the client device.

10. The method ofclaim 1, wherein disabling the client device comprises:

verifying that no indication to recover the client device has been received; and

shutting down the client device.

11. The method ofclaim 1, further comprising:

receiving an indication to recover the client device;

enabling the local data store; and

enabling the client device.

12. The method ofclaim 11, wherein receiving an indication to recover the client device comprises receiving the indication from a remote device.

13. The method ofclaim 11, wherein enabling the local data store comprises decrypting the local data store.

14. The method ofclaim 1, wherein receiving an indication to activate asset protection on a client device comprises receiving an out-of-band communication.

15. The method ofclaim 14, wherein the out-of-band communication comprises an SMS message.

16. A computer-readable medium on which is encoded program code, the program code comprising:

program code for receiving an indication to activate asset protection on a client device, the client device having a local data store; and

program code for activating asset protection in response to receiving the indication to active the asset protection module, wherein asset protection comprises disabling the local data store and disabling the client device.

17. A system comprising:

a communications receiver operable to receive an indication to activate asset protection on a client device, the client device having a local data store; and

a security agent in communication with the communications receiver and operable to receive the indication to activate the asset protection module form the communications receiver, and in response disable the local data store and disable the client device.

Images