Patent Issued for Scanning and remediating configuration settings of a device using a policy-driven approach (USPTO 11310283): VMware Inc.

2022 MAY 11 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- A patent by the inventors Hatch, Thomas S. (Lehi, UT, US), filed on September 7, 2018, was published online on April 19, 2022, according to news reporting originating from Alexandria, Virginia, by NewsRx correspondents.

Patent number 11310283 is assigned to VMware Inc. (Palo Alto, California, United States).

The following quote was obtained by the news editors from the background information supplied by the inventors: “Recent years have seen rapid development in software products and electronic devices. For example, software products can affect functionality related to communication of data to and from electronic devices as well as operation of operating systems and/or individual applications installed on the electronic devices. As software and hardware become more complex, it becomes increasingly difficult to effectively secure information contained on electronic devices as well as information transmitted to and from electronic devices (e.g., over the Internet). Indeed, in an attempt to gather information, many individuals use viruses, spyware, malware, and other threatening tools to gather sensitive and/or valuable information.

“While many tools exist for avoiding potential threats in cybersecurity of electronic devices, conventional cybersecurity systems often fail to adequately address potential security issues. For example, conventional cybersecurity systems typically utilize dedicated diagnostic tools for identifying whether a personal computer is compliant with a known security standard. Conventional diagnostic tools, however, are limited to providing a report of settings or configurations on a device that are out of compliance with a known set of standards. The report is then generally provided to an information technology (IT) administrator who manually addresses issues identified by the report or, alternatively, utilizes a separate software tool to facilitate remediation of various issues identified by the diagnostic tool.

“In addition to failing to enable effective diagnosis and remediation of potential security issues, conventional cybersecurity systems can be inflexible and computationally prohibitive. For example, conventional cybersecurity systems are often limited to scanning a device for compliance with a specific security standard (e.g., Center for Internet Security (CIS) standards, Standard Technical Implementation Guide (STIG) standards, Payment Card Industry (PCI) standards, and Health Insurance Portability and Accountability Act (HIPAA)). As a result, conventional systems may provide an effective tool for identifying potential security threats for a select group of devices or programs uniquely tailored to a particular security standard. However, conventional cybersecurity systems may fail to effectively identify potential security threats for other devices or programs not specifically tailored to the security standard. Furthermore, while a device may simply run different security checks based on multiple security standards, running comprehensive checks based on multiple standards can be expensive and can utilize significant computing resources.

“These along with additional problems and issues exist with regard to conventional cybersecurity systems.”

In addition to the background information obtained for this patent, NewsRx journalists also obtained the inventors’ summary information for this patent: “Embodiments of the present disclosure provide benefits and/or solve one or more of the foregoing and other problems in the art with systems, methods and computer-readable media that enforce security policies on a client device (or other computing device). In particular, in one or more embodiments, the disclosed systems enforce security policies by performing operations that enable an agent on the client device to both scan and fix security issues. For example, the disclosed systems can enforce a security policy by performing an idempotent operation in which a check and a fix of a security policy are the same operation (e.g., a check operation is the fix operation). In this way, the systems described herein can effectively identify and remediate configuration settings of a client device out of compliance with security standards using a single software agent.

“In addition, in one or more embodiments the disclosed systems provide a policy-driven approach to enforcing security policies applicable to a wider range of client devices and applications. Indeed, by providing a policy-driven approach to enforcing security policies, the disclosed systems can enable a client device to comply with multiple security standards while performing a fewer number of operations than conventional systems, thereby improving performance of the client device without sacrificing substantial processing resources. In addition, by enforcing security policies using a policy-driven approach, the disclosed systems provide more effective security across a wider range of client devices and applications for which different security standards may be better suited to address potential security issues.

“Additional features and advantages of one or more embodiments of the present disclosure are outlined in the description which follows, and in part will be obvious from the description, or may be learned by the practice of such example embodiments.”

The claims supplied by the inventors are:

“1. A system comprising: at least one processor; and a computer-readable medium storing instructions thereon that, when executed by the at least one processor, cause a computing device to: maintain a plurality of security policies, the plurality of security policies including: a plurality of configuration states associated with configuration settings of a client device, the configuration settings referring to one or more settings of an application or operating system on the client device that grant or restrict access to one or more intended functionalities of the application or operating system; and mapping information associating the plurality of security policies to a plurality of security standards; receive a request to enforce a first security standard from the plurality of security standards; identify a first subset of security policies from the plurality of security policies having mapping information associated with the first security standard for enforcement on the client device, wherein enforcing the first security standard includes causing the client device to perform an operation to enforce a configuration state for a corresponding configuration setting defined by a security policy from the identified subset of security policies regardless of a current state of the configuration setting prior to receiving the request to implement the plurality of security policies on the client device; determine whether an exemption applies to at least one of the first subset of security policies; in response to determining that the exemption applies to the at least one of the first subset of security policies, bypass enforcement of the at least one of the first subset of security policies; and identify a second subset of security policies from the plurality of security policies having mapping information associated with a second security standard for enforcement on the client device.

“2. The system of claim 1, wherein the operation to enforce the configuration state includes an idempotent operation in which a check and a fix of the security policy are the same operation.

“3. The system of claim 1, wherein the instructions cause the computing device to: receive a report including information associated with enforcing at least one of the first or second subset of security policies on the client device; and generate a compliance report indicating a measure of compliance with at least one of the first or second security standard.

“4. The system of claim 3, wherein generating the compliance report further includes: based on overlap between mapping information for the first subset of security policies and the mapping information associated with the second security standard, providing, within the compliance report, an indication of a second measure of compliance with the second security standard.

“5. The system of claim 1, wherein the instructions cause the computing device to provide an option to request enforcement of the second security standard.

“6. The system of claim 1, wherein enforcing the second security standard includes causing the client device to perform one or more operations to enforce one or more configuration states for one or more corresponding configuration settings defined by the second subset of security policies.

“7. The system of claim 1, wherein the plurality of security standards includes two or more of Center for Internet Security (CIS) standards, Standard Technical Implementation Guide (STIG) standards, Payment Card Industry (PCI) standards, and Health Insurance Portability and Accountability Act (HIPAA) standards, and wherein the instructions further cause the computing device to: generate the mapping information for the plurality of security policies by mapping the plurality of configuration states associated with configuration settings of the client device to respective security standards from the plurality of security standards.

“8. A computer-implemented method comprising: maintaining a plurality of security policies, the plurality of security policies including: a plurality of configuration states associated with configuration settings of a client device, the configuration settings referring to one or more settings of an application or operating system on the client device that grant or restrict access to one or more intended functionalities of the application or operating system; and mapping information associating the plurality of security policies to a plurality of security standards; receiving a request to enforce a first security standard from the plurality of security standards; identifying a first subset of security policies from the plurality of security policies having mapping information associated with the first security standard for enforcement on the client device, wherein enforcing the first security standard includes causing the client device to perform an operation to enforce a configuration state for a corresponding configuration setting defined by a security policy from the identified subset of security policies regardless of a current state of the configuration setting prior to receiving the request to implement the plurality of security policies on the client device; determining whether an exemption applies to at least one of the first subset of security policies; in response to determining that the exemption applies to the at least one of the first subset of security policies, bypassing enforcement of the at least one of the first subset of security policies; and identifying a second subset of security policies from the plurality of security policies having mapping information associated with a second security standard for enforcement on the client device.

“9. The computer-implemented method of claim 8, further including: receiving a report including information associated with enforcing at least one of the first or second subset of security policies on the client device; and generating a compliance report indicating a measure of compliance with at least one of the first or second security standard.

“10. The computer-implemented method of claim 9, wherein generating the compliance report further includes: based on overlap between mapping information for the first subset of security policies and the mapping information associated with the second security standard, providing, within the compliance report, an indication of a second measure of compliance with the second security standard.

“11. The computer-implemented method of claim 8, wherein enforcing the second security standard includes causing the client device to perform one or more operations to enforce one or more configuration states for one or more corresponding configuration settings defined by the second subset of security policies.

“12. A non-transitory computer-readable medium storing instructions thereon that, when executed by at least one processor, cause a computing device to: maintain a plurality of security policies, the plurality of security policies including: a plurality of configuration states associated with configuration settings of a client device, the configuration settings referring to one or more settings of an application or operating system on the client device that grant or restrict access to one or more intended functionalities of the application or operating system; and mapping information associating the plurality of security policies to a plurality of security standards; receive a request to enforce a first security standard from the plurality of security standards; identify a first subset of security policies from the plurality of security policies having mapping information associated with the first security standard for enforcement on the client device, wherein enforcing the first security standard includes causing the client device to perform an operation to enforce a configuration state for a corresponding configuration setting defined by a security policy from the identified subset of security policies regardless of a current state of the configuration setting prior to receiving the request to implement the plurality of security policies on the client device; determine whether an exemption applies to at least one of the first subset of security policies; in response to determining that the exemption applies to the at least one of the first subset of security policies, bypass enforcement of the at least one of the first subset of security policies; and identify a second subset of security policies from the plurality of security policies having mapping information associated with a second security standard for enforcement on the client device.

“13. The non-transitory computer-readable medium of claim 12, further including instructions that, when executed by the at least one processor, cause the computing device to: receive a report including information associated with enforcing at least one of the first or second subset of security policies on the client device; and generate a compliance report indicating a measure of compliance with at least one of the first or second security standard.

“14. The non-transitory computer-readable medium of claim 13, wherein generating the compliance report further includes: based on overlap between mapping information for the first subset of security policies and the mapping information associated with the second security standard, providing, within the compliance report, an indication of a second measure of compliance with the second security standard.

“15. The non-transitory computer-readable medium of claim 12, wherein enforcing the second security standard includes causing the client device to perform one or more operations to enforce one or more configuration states for one or more corresponding configuration settings defined by the second subset of security policies.”

URL and more information on this patent, see: Hatch, Thomas S. Scanning and remediating configuration settings of a device using a policy-driven approach. U.S. Patent Number 11310283, filed September 7, 2018, and published online on April 19, 2022. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=11310283.PN.&OS=PN/11310283RS=PN/11310283

(Our reports deliver fact-based news of research and discoveries from around the world.)