Patent Application Titled “Client Authentication And Data Management System” Published Online (USPTO 20220147634): Computer Protection IP LLC
2022 MAY 26 (NewsRx) -- By a
The assignee for this patent application is
Reporters obtained the following quote from the background information supplied by the inventors: “Businesses and users are increasingly storing corporate, confidential, or sensitive data on personal digital assistants (PDAs), mobile phones, laptops, and other mobile devices that are not properly protected within the confines of a secure building or secure network at all times. Without the proper data protections, a thief has potential access to sensitive information, such as corporate financial data, word documents, and private client information stored on such mobile devices. The value of the lost or stolen data is typically much higher than the value of the physical asset upon which it is stored. Even within the confines of a secure building, there are reasons and needs to protect and to be able to recover sensitive information stored on desktops, laptops, PDAs, mobile phones, and other computing devices (hereinafter, collectively, “computing devices”).
“Protecting and securing data is also a high legislative priority, as evidenced by numerous laws that have been passed by
“Further, most organizations do not have policies or procedures to effectively implement disaster recovery for computing devices that are lost, stolen, or that are disabled. Typically, a user has to initiate and take affirmative actions to backup data to a separate data storage medium, such as DVD, memory chip, or network storage device. This process is inefficient, time consuming, and only sporadically followed. Because every user of a computing device does not backup stored data on a regular or frequent enough basis, information may not be recoverable if the computing device is lost, stolen, or destroyed. If this happens, the organization loses not only hardware and software, which are typically replaceable, but essential data that has not been backed up, which may not be as easily, if at all, replaceable.
“For all of the above reasons, there is a need for systems and methods to protect sensitive, confidential, or important information from foreseeable threats or loss.
“There is a further need for systems and methods that provide access control to computing devices, especially when they are “in the field” and not within a secure or protected environment, wherein such systems and methods include some or all of the following capabilities: authentication, authorization, reporting, compliance-checking, remotely controlling, communicating, controlling bandwidth and computing resource usage, monitoring user actions, allowing and disallowing any and all input and output methods per flexible criteria (which may include, but not limited to: content, name, date, timestamp, user, type), logging, addressing, powering up and down, sharing, collaborating and auditing protocols.
“There is a need for systems and methods to protect and backup corporate and confidential data stored on computing devices associated with an enterprise.
“There is a need for systems and methods that enhance privacy, security and disaster readiness for an organization’s computing devices.
“There is a further need for systems and methods providing centralized management, security, and backing-up of computing devices.
“There are further needs for systems and methods that facilitate the transfer and storage of data from a computing device in a secure and efficient manner.
“There is yet a further need for systems and methods for providing centralized management that incorporates off-site back-up recovery, computing device data recovery, end point protection, disk encryption, device disablement, post theft protection, and data leak protection.”
In addition to obtaining background information on this patent application, NewsRx editors also obtained the inventor’s summary information for this patent application: “The present systems and methods, which will sometimes be referred to as “Kylie™” or “Cosmos™” hereinafter, include computer hardware and software components that enhance privacy, security, and disaster readiness for an organization’s computing assets and, in particular, mobile assets. This, in effect, turns computing assets into “green terminals” from a security consideration point of view.
“A “green terminal” is a type of terminal that consists of a keyboard and a display screen that can be used to enter and transmit data to, or display data from, a central processing computer to which it is connected. The present invention incorporates specified data or information on the computing device into an encrypted, protected “Realm” that, in one preferred embodiment, is not accessible by the device unless the device and a specified remote authentication server authenticate to each other.
“As used herein, the term “Realm” means and refers to a concept of associated computing devices, that can be dynamically created, managed and controlled by, for example, an enterprise. The term Realm is created to define a logical affinity, rather than the well known terms “domain” and “workgroup.”
“On the other hand, the protected data that falls within the Realm is easily and readily available to the device (and potentially to the enterprise that owns the device) when certain considerations are met. In a preferred embodiment, these considerations do not require any hardware token of any kind and provide intermittent backup of the contents of the computing device, to protect against a disaster, theft, or other loss. The present systems and methods block unauthorized access to confidential or sensitive data stored on the computing devices or assets of, as an example, an enterprise. The present systems and methods also enable the rapid recovery of data, ensure compliance with privacy laws, and extend and help manage enterprise data policies, including and not limited to data protection policies.
“One embodiment provides a system for protecting computing devices and associated secure data stored in at least one secure data storage component from unauthorized access, the system comprising at least one protected computing device configured for communication through a network with a storage controller to access the secure data, the protected computing device further configured for using a virtual machine, an authentication server configured for authenticating the protected computing device for access to the secure data; and a control console configured for access to devices connected to the network, wherein the control console is configured to exert control over the devices, wherein a virtual machine manager is launched during boot of the protected computing device, and wherein the virtual machine authenticates the computing device to the authentication server.
“Another embodiment provides a method for protecting computing devices from unauthorized access, the method comprising: initiating a boot command of a protected computing device, wherein the boot command is configured to initiate the launch of an operating system, intercepting the boot command, launching a virtual machine prior to the operating system launch, at the virtual machine, authenticating the protected computing device to an authentication server, receiving at the virtual machine, a response from the authentication server, the response indicating the authentication status of the protected computing device, and causing the protected computing device to enter a specified state based on the authentication status of the protected computing device.
“In one embodiment, the system performs an authenticated boot of a computer system using the thin layer of a virtual machine on a computing device. The virtual machine accepts a start instruction from the device upon which it is installed. The start instruction may be in the form of a power on, or a BIOS instruction, among others. It should be noted that the computing device may also be a mobile computing device, for example. Additionally, the computing device has an optional connection to other communication devices such as, for example, a centralized authentication server, or a replication or representation device thereof. An exemplary authentication server can be accessed through a gateway, or a proxy, among others. The virtual machine authenticates the validity of information within the device to the authentication server. Additionally, information provided by the user of the computing device can also be authenticated to the authentication server. Also, the authentication server is optionally authenticated to the computing device on which the virtual machine is installed using a two-way authentication protocol. Upon failure to authenticate, the booting process of the computing device is halted. Failure to authenticate can occur due to receiving a not-approve status, not receiving a reply, or not receiving a valid reply, among others. Upon successful connection and authentication, a bootstrap start is provided to the main (host) operating system.
“Another embodiment provides a data processing system for an authenticated client including, a plurality of protected client devices, a plurality of server systems for providing authentication to the protected client devices, and a network connection between the protected client device(s) and the server system(s). Those of skill in the art will readily note that the network connection can be a temporary or permanent connection. Thus, the data processing system may provide client authentication with or without a network connection. An inner layer of a virtual machine on the computing device is maintained and/or for a predetermined interval. The interval is defined in the policies installed in the device, remotely downloaded from the authentication server, remotely downloaded from the enterprise control console, or entered by a user. The computing device continues normal operation of the “inner” machine and operating environment. While no longer connected and/or after the predetermined interval to disconnect, the computing device shuts down or takes other action to prevent the utilization of the “inner” machine and operating environment. Optionally, the computing device re-encrypts the protected “partitions.” Of course, other specified areas of the storage medium can also be re-encrypted as necessary. Upon unsuccessful connection and/or authentication, the computing device potentially turns off, shuts down, and/or leaves the device in a state such that the protected information, and also the unprotected information, on the “main” portion of the computing device is left in an encrypted or otherwise unintelligible condition. Options for computing device handling of an unsuccessful connection and authentication are definable by the policies, for example provided by an enterprise, using the system and are limitless.
“Another embodiment of the present invention uses a hypervisor to enable a system administrator to have centralized control over every function of the computing device. Such control is typically expressed by input/output (I/O) control, but is not limited to those. Additionally, the hypervisor can be used for enabling encryption and decryption for protected partitions. The hypervisor can also be used for enabling network access and control.
“Another embodiment provides for encryption and decryption services for protected partitions on a computing device, and network access control are an optional part of the hypervisor’s functionality. It should be noted however, that such functions could reside in the hypervisor, on the agent on top of the operating system, or elsewhere. Protected partitions are defined as files, protected areas, protected datasets, defined areas within a file system, physical drives, directories, bits, and areas of memory, among others. The information in a protected partition is protected from access by the hypervisor based on policies that include user-specific, group, subset, enterprise-specific, or some combination of the policies. At least four different modes of operation are provided: (1) native mode, (2) replication mode, (3) reconsolidation mode, and (4) no connectivity mode.
“In another embodiment, a hypervisor is configured to communicate with a storage controller to monitor any changes in protected data. Secure or protected data on the computing device is backed up in real time or near real time according to pre-defined parameters. The backed up data is sent to the storage controller. The storage controller acts as a file server. Those of skill in the art will readily understand, however, that the storage controller could also act as a file server controller.
“In yet another embodiment, the system enables periodic backup of data on the computing device. During an initial authentication, re-authentication procedure, set intervals, or a schedule as established by policies on the device, the hypervisor communicates with the remote authentication server to send modified data or updates to the storage controller associated with the authentication server.”
There is additional summary information. Please visit full patent to read further.
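The summary's fail-closed rule (halt the boot on a not-approve status, no reply, or an invalid reply, with the server also authenticating itself to the device) can be sketched as follows. This is an added example, not code from the patent application or from NewsRx; the pre-shared HMAC key, the JSON message format and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from enum import Enum


class BootState(Enum):
    BOOT_HOST_OS = "boot_host_os"  # bootstrap start handed to the main (host) OS
    HALT = "halt"                  # boot stops; protected data stays encrypted


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so two different field tuples never share a MAC input.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_request(key: bytes, device_id: str, nonce: bytes) -> dict:
    """Device side (pre-OS layer): authenticate the device to the server."""
    return {"device_id": device_id, "nonce": nonce.hex(),
            "mac": _mac(key, b"req", device_id.encode(), nonce).hex()}


def server_reply(key: bytes, request: dict, approved: set) -> str:
    """Constructed stand-in for the authentication server (assumed behaviour)."""
    device_id = request["device_id"]
    nonce = bytes.fromhex(request["nonce"])
    genuine = hmac.compare_digest(_mac(key, b"req", device_id.encode(), nonce),
                                  bytes.fromhex(request["mac"]))
    status = "approve" if genuine and device_id in approved else "not-approve"
    # The reply MAC covers the device's nonce: this is the server authenticating
    # to the device, and it ties the reply to this one boot attempt.
    tag = _mac(key, b"resp", device_id.encode(), nonce, status.encode())
    return json.dumps({"status": status, "mac": tag.hex()})


def decide_boot(key: bytes, device_id: str, nonce: bytes, raw_reply) -> BootState:
    """Map the three failure causes named in the summary to HALT (fail closed)."""
    if raw_reply is None:                      # no reply: timeout or no network
        return BootState.HALT
    try:
        reply = json.loads(raw_reply)
        status = reply["status"]
        tag = bytes.fromhex(reply["mac"])
        expected = _mac(key, b"resp", device_id.encode(), nonce, status.encode())
    except (ValueError, KeyError, TypeError, AttributeError):
        return BootState.HALT                  # not a valid reply: malformed
    if not hmac.compare_digest(tag, expected):
        return BootState.HALT                  # not a valid reply: forged or replayed
    # Only an authenticated, explicit approval lets the host OS start.
    return BootState.BOOT_HOST_OS if status == "approve" else BootState.HALT
```

Every path other than a verified "approve" returns HALT, so a dropped connection or a tampered reply is handled the same way as an explicit denial.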
The claims supplied by the inventors are:
“1. A system for protecting a computing device from unauthorized use comprising: (a) a computing device configured for communication over a network, said computing device having memory, storage, and input/output functions, said computing device capable of being connected to a network; (b) a virtual machine manager comprising a plurality of modules executable by a one or more systems in a distributed computing environment, wherein at least a portion of the virtual machine manager is executed on the computing device; (c) a server configured communicatively coupled to said computing device and configured to authenticate said computing device by first receiving a request for authentication that is sent from the computing device and responding to the request for authentication by sending an authenticated indicator or a not authenticated indicator to the computing device; (d) the computing device further being configured to launch a virtual machine operating system only in response to receiving said authenticated indicator from the server, wherein prior to receiving said authenticated indicator said virtual machine operating system is not running and wherein once said virtual machine operating system is launched, said virtual machine operating system runs under the control of a particular virtual machine that is being managed by said virtual machine manager; and (e) the computing device further configured to prevent said virtual machine operating system from launching prior to receiving said authenticated indicator, whereby access to sensitive data present on the computing device cannot be accessed by the unauthenticated computing device.
“2. The system of claim 1, wherein the computing device boots a host operating system prior to initiating a launching of said virtual machine and prior to initiating a launching of said virtual machine operating system.
“3. The system of claim 1, wherein said virtual machine is launched during the boot of said computing device to run on said computing device without an underlying host operating system.
“4. The system of claim 1, wherein said computing device is selected from the group consisting of a server computer, a desktop computer, a personal computer, a notebook computer, a laptop computer, a mobile computing device, a personal digital assistant, a handheld computer, a tablet computer, a cellular telephone, and a satellite telephone.
“5. The system of claim 1, wherein said network is selected from the group consisting of a wireless network, a wired network, a broadband network, a cellular telephone network, a satellite telephone network, a Wi-Fi network, a WiMax network, a local area network (LAN), a wide area network (WAN), the Internet, and a virtual network.
“6. The system of claim 1, wherein said server is remote from said computing device, and said computing device communicates with said server over said network.
“7. The system of claim 1, wherein said server is an authentication server and said request for authentication comprises information provided by a user.
“8. The system of claim 1, wherein said virtual machine manager comprises a hypervisor.
“9. The system of claim 8, wherein said virtual machine manager further comprises a network communications stack.
“10. The system of claim 1, comprising a protected partition accessible to said computing device.
“11. The system of claim 10, wherein said protected partition is encrypted.
“12. The system of claim 11, wherein said protected partition is either decrypted or not decrypted based on said response to said request for authentication.
“13. The system of claim 1, wherein said virtual machine operating system is limited in its ability to access said memory, storage, input/output functions, or network capabilities of said computing device according to a set of policies.
“14. A system for protecting a computing device from unauthorized use comprising: (a) a computing device configured for communication over a network, said computing device having a virtual machine manager configured to run on said computing device, said computing device having memory, storage, input/output functions, and network capabilities, wherein the virtual machine manager comprises a plurality of modules executable by a plurality of computing devices in a distributed computing environment; (b) a virtual machine controlled by said virtual machine manager; (c) a virtual machine operating system configured to run in said virtual machine; and (d) a server configured for authenticating said computing device, said server configured to receive a request for authentication from the computing device prior to the computing device initiating a launching of said virtual machine, said virtual machine operating system configured to be either launched or not launched by the computing device based upon a response from said server to said request for authentication.
“15. The system of claim 14, wherein said virtual machine operating system is limited in its ability to access said memory, storage, input/output functions, or network capabilities of said computing device based upon said response to said request for authentication.
“16. The system of claim 15, wherein said computing device boots a host operating system prior to initiating a launching of said virtual machine manager and prior to initiating a launching of said virtual machine.
“17. The system of claim 14, wherein said virtual machine manager is launched during boot of said computing device to run on said computing device without an underlying host operating system.
“18. A system comprising: (a) a computing device configured for communication over a network; (b) a virtual machine manager configured to communicate over said network; wherein the virtual machine manager comprises a plurality of modules executable by a plurality of computing devices in a distributed computing environment; (c) a virtual machine configured to communicate with and be controlled by said virtual machine manager; (d) a server program for authenticating said computing device, said server program configured to receive a request for authentication from the computing device prior to the computing device initiating a launching of said virtual machine operating system, and said virtual machine operating system configured to be either launched or not launched by said computing device and on said computing device based upon a response to said request for authentication, wherein the virtual machine manager is configured to communicate with the server program as part of the authentication without using the virtual machine operating system.
“19. The system of claim 18, wherein said server program, said virtual machine manager, and said virtual machine execute on said computing device.
“20. The system of claim 18, wherein said server program executes in a server computer separate from said computing device.”
For more information, see this patent application: Silverstone,