US20190327221A1 - Environment-Aware Security Tokens - Google Patents
- Publication number: US20190327221A1
- Authority: US (United States)
- Legal status: Abandoned
Definitions
- This disclosure relates to security of networked devices and files.
- Security tokens for authorizing use of computer services can be generated using a security architecture such as a shared secret architecture or a public-key cryptography architecture.
- The technology described in this document can be embodied in a computer-implemented method that includes receiving, at a processing device, information about one or more assets associated with a network of devices.
- The method also includes generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset.
- The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset.
- The method further includes storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset.
- The technology described in this document can also be embodied in a computing device that includes memory and one or more processors.
- The one or more processors can be configured to receive information about one or more assets associated with a network of devices.
- The processors can also be configured to generate, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset.
- The security token can be configured to identify a home network defined for the asset, and also to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset.
- The processors can be further configured to store, in a storage device, information about the security token and information linking the security token to the corresponding asset, and to initiate integration of the security token with the corresponding asset.
- The technology described in this document can further be embodied in one or more machine-readable storage devices that store instructions executable by one or more processing devices. These instructions, when executed, can cause the one or more processing devices to perform operations that include receiving information about one or more assets associated with a network of devices.
- The operations also include generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset.
- The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset.
- The operations further include storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset. Implementations of the above embodiments can include one or more of the following features.
- Detecting the occurrence of the unauthorized activity can include determining a dissociation of the asset from the home network defined for the asset.
- The assets associated with the network can include one or more of: a device connected to the network, a file stored on a storage device connected to the network, and a user-profile associated with the network.
- The asset can be an electronic file, and initiating the integration of the security token into the asset can include initiating an encryption of the asset based on the security token.
- The home network for the asset can be defined based on one or more security policies associated with the asset.
- The information can include one or more of: a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network.
- The information about the one or more assets can be received from an agent deployed on the network.
- The agent can be configured to scan the devices of the network to obtain the information.
- The agent can include an automated browser.
- The security token can include an object generated in accordance with the Component Object Model (COM).
- Determining the dissociation of the corresponding asset from the home network can include determining that the corresponding asset is not connected to the home network, determining that the corresponding asset is not stored on a device associated with the home network, or detecting an access attempt from a user-profile not associated with the home network.
- The corresponding asset can be an electronic file, and the security token can be configured to restrict access to the electronic file by deleting content of the electronic file upon determining the dissociation from the home network.
- The information about the security token and the information linking the security token to the corresponding identifier can be stored in a database.
- The corresponding asset can be an electronic file, and initiating an integration of the security token into the electronic file can include initiating a code injection into a header portion of the electronic file.
- The corresponding asset can be an electronic file, and initiating an integration of the security token with the electronic file can include initiating an encapsulation of the security token with the electronic file.
- An executable file can be generated via the encapsulation.
- The corresponding asset can be an electronic document, and the security token can be integrated into the document as a portion of a page description language of the document.
- Information related to an access point attempting to access an asset can be received from the asset, based possibly on information collected by the security token. A determination can be made, based on the stored information about the security token, whether the access point is associated with the security token. Permission information indicating a level of access permitted for the access point can be provided based on the determination.
- The technology described in this document may provide one or more of the following advantages.
- By using environment-aware security tokens that include an identification of an authorized network (often referred to as the home network), network assets such as one or more devices, user profiles, and document files can be locked down within the authorized network.
- Security of data and other network assets can therefore be increased many fold.
- If files are moved or copied to a non-authorized device (i.e., a device not authenticated to the authorized network), the environment-aware security token associated with the files can detect this dissociation from the home network and prevent unauthorized access to the files. The efficacy of malicious security breaches can therefore be mitigated by reducing the usefulness of stolen data.
- Physical devices such as printers, laptops, phones, mobile devices, etc. can also be associated with environment-aware security tokens such that the devices are functional only when connected to the authorized network.
- The environment-aware security tokens can be configured to be user-defined, scalable, and adaptive to provide a greater degree of control over the accessibility of corresponding assets.
- For example, the environment-aware security token associated with a particular document can be configured such that the particular document is viewable only on a predefined set of computing devices within the authorized network.
- FIG. 1 is an example of a system that uses environment-aware security tokens.
- FIGS. 2A-2B show examples of user-interfaces.
- FIG. 3 is a flowchart depicting an example sequence of operations associated with generating a security token.
- FIG. 4 is a diagram illustrating examples of computing devices.
- Security tokens are often used to give authorized users access to secure assets such as computing devices or files stored within the computing devices. Such security tokens can allow, for example, secure single sign-on (also referred to as S3) capabilities in systems that provide access to various resources.
- For example, a security token can include a two-factor authentication security mechanism that authorizes access to assets associated with a network.
- Security tokens can be stored on a general-purpose computing device such as a desktop computer, laptop computer, or handheld wireless device (e.g., a mobile phone, e-reader, or tablet) and used to access various assets (e.g., files or documents) using the computing device.
- Some security tokens may be vulnerable to threats based on duplication of the underlying cryptographic material.
- If files are stolen by a malicious entity (e.g., a human user such as a hacker, or a software entity such as a computer virus or other malicious software), the stolen files may be stored on a storage device conveniently accessible to the malicious entity, and the content of the files may potentially be used in illegal or harmful activities.
- This can happen, for example, when a malicious entity attacks a financial institution such as a credit card company and is able to copy files that include sensitive user information such as username and password pairs.
- Sensitive information can also be obtained directly from the users, for example, via phishing attacks.
- The sensitive information can then be supplied to a token generating authority (e.g., a secure website) to obtain the security tokens needed for accessing, for example, user accounts.
- In a shared secret architecture, a configuration file is typically generated for each end-user.
- The generated configuration file can include, for example, a username, a personal identification number, and a configurable “secret” associated with the particular user (e.g., answers to questions posed to a user).
- The security provided by the shared secret architecture is largely dependent on the configuration file. Therefore, in the event the configuration file is stolen or copied, the security provided by the shared secret architecture may be compromised.
- Architectures such as public-key (asymmetric) cryptography provide some advantages over the shared secret type architecture by requiring two separate keys, one of which is secret (or private) and the other public.
- The two keys are mathematically linked, and can be used in conjunction to provide security: the public key can be used for encryption or to verify a digital signature, and the private key can be used for decryption or to create a digital signature.
- However, the security provided by architectures such as public-key cryptography may also be compromised if both keys are stolen or duplicated.
- An environment-aware security token for a document can be generated from environmental metrics associated with a network on which the document is authorized to reside. Examples of the environmental metric can also include various parameters associated with an asset such as asset name, asset ID (GUID, or QUID), asset class (e.g., whether the asset is a device, document, user profile, system data, or security policy data), security token keys, security objects, etc.
- Parameters associated with a device include assigned addresses (e.g., MAC addresses), serial numbers, device name, device ID, and security object status (e.g., whether the security object is attached or embedded, whether the object is a null object, etc.).
- Parameters associated with a user include user name, user ID, and user profile data structures (e.g., data structures representing data on various user metrics).
- Parameters associated with a document include document name, document ID, and document profile data structures (e.g., data structures representing data on document metrics).
- Parameters associated with system and security policy data include system name, system ID, security policy name, security policy ID, and data structures representing security policies.
- The generated environment-aware security token can be configured to include an identification of the particular network, and can then be associated with the document to “lock down” the document to the particular network (often referred to as the home network).
- The lock-down can be such that the document cannot be accessed from any non-authorized device, for example, a device that is not authenticated to the particular network.
- The environment-aware security token can be embedded, attached, encapsulated, or otherwise associated with the document in such a way that the environment-aware security token deletes, digitally destroys, or otherwise prevents access to the content of the document if the document is moved or copied to, or attempted to be accessed from, a device not authenticated to the home network.
- The technology described in this document can be deployed in conjunction with other security architectures such as the shared secret architecture or the public-key cryptography architecture described above.
- File system and document attributes can be used to generate environment-aware security tokens that provide access to the storage locations and/or encrypt file content.
- Environment-aware security tokens can be used to restrict user(s) or device(s) from accessing an asset.
- The environment-aware security tokens can also be used to restrict documents from being copied from their original storage location.
- File attributes can be configured such that the corresponding environment-aware security tokens can be used to prevent unauthorized copying and/or downloading.
- The file attributes can be controlled via the attached or embedded security tokens (e.g., embedded security objects) that are verified by a token server with or without a hardware dongle.
- The technology can be implemented as a part of an operating system (OS).
- The security layer provided by the technology can be used to acquire control over the file system of the corresponding OS to control operations such as read, write, and copy.
- The security layer can be used, for example, to control and verify various assets via attached, encapsulated, or embedded security objects.
- When a security object is encapsulated together with the corresponding file or document into a separate entity (e.g., an application or executable file), the entity can be configured to destroy, delete, or otherwise digitally shred the contents of the file or document upon detecting dissociation from the home network.
- The dissociation can be detected, for example, when the entity fails to establish a connection with a token server that controls administration of the security objects.
- The entity can also be configured to collect information on one or more metrics associated with the environment from which an access attempt is being made. For example, in the event of a security breach (e.g., a hack), the entity can be configured to transmit details of the environment (e.g., MAC address, IP address, device serial number, etc.) back to the token server.
- Dissociation from the home network can encompass various situations.
- The dissociation can include a physical connection loss with the home network.
- The home network can be defined or configured by choosing a set of assets (devices, user profiles, storage locations, files, documents, operating systems, etc.) that are authenticated to be associated with a particular asset such as a device or document.
- The dissociation from the home network can include an access attempt from an asset or entity that is not included within the home network as configured for the asset on which the access attempt is being made.
- The dissociation can include an access attempt from a user profile not associated with the home network as configured for the corresponding asset.
- A dissociation can include storing a particular asset at (or accessing the particular asset from) a storage location outside the home network as configured for the particular asset.
- A dissociation can include disconnecting a device from a network (including a physical network or a virtual network such as a virtual private network) that is not a part of the corresponding home network.
- The operating system can therefore be configured such that data cannot be removed from a home network without appropriate permissions, for example, explicit user and/or device authorizations.
- The technology can therefore be configured to act as a gateway to physical and virtual storage locations on the home network or on registered devices with user(s) privileges.
- Documents can be assigned identifiers as they are stored in secure storage locations within the home network. Assets such as documents, devices, files, and user profiles can be classified, and a database of asset data can be created from data collected from the assets. Security objects such as environment-aware security tokens can then be created from security keys defined based on the asset data.
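As an added example (not code from the patent or from any product implementing it), the token server behaviour described above modelled in Python: a token is derived from the asset's identifying attributes and the home network identifier, the token-to-asset link is kept in a registry, and an access attempt is evaluated against the dissociation conditions (not connected to the home network, device not in the home network, user profile not in the home network, policy not satisfied), with the reported environment recorded on every denied attempt. The network identifiers, MAC addresses, user profiles, file path and the choice of HMAC-SHA256 as the binding are all assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample inputs (assumed values) standing in for what an agent
# reports to the token server: the home network definition and one document
# asset together with its security policy.
HOME_NETWORK = {
    "network_id": "corp-lan-01",
    "devices": {"00:11:22:33:44:55", "00:11:22:33:44:66"},  # MAC addresses
    "user_profiles": {"alice", "bob"},
}
DOCUMENT = {
    "asset_id": "doc-0001",
    "asset_class": "document",
    "file_path": "/srv/docs/board-minutes.pdf",
    "file_type": "pdf",
    "policy": {"allowed_profiles": {"alice"}, "level": "view"},
}


class TokenServer:
    """Generates environment-aware tokens and evaluates access attempts.
    A token binds the asset's identifying attributes and the home network id
    under a server-held key (HMAC-SHA256, an assumed choice); the registry
    dict stands in for the database linking each token to its asset."""

    def __init__(self, home_network):
        self._key = secrets.token_bytes(32)
        self._home = home_network
        self._registry = {}  # token_id -> asset record
        self.reports = []    # environment details collected on denied attempts

    def _tag(self, asset):
        # Canonical encoding (sorted keys) so the same asset always binds the
        # same bytes; the home network id is bound in alongside the asset.
        ident = {k: asset[k] for k in ("asset_id", "asset_class", "file_path", "file_type")}
        msg = json.dumps(ident, sort_keys=True).encode() + self._home["network_id"].encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def generate_token(self, asset):
        """Create the token that is later embedded in or attached to the asset."""
        token = {
            "token_id": secrets.token_hex(8),
            "asset_id": asset["asset_id"],
            "home_network": self._home["network_id"],
            "tag": self._tag(asset),
        }
        self._registry[token["token_id"]] = asset
        return token

    def evaluate_access(self, token, env):
        """Return (permission level, reason) for an access attempt; `env` is
        what the token reports about where the attempt is made (connected
        network, device MAC, user profile). Any dissociation yields "deny"."""
        asset = self._registry.get(token.get("token_id"))
        if asset is None:
            return self._deny("unknown token", env)
        genuine = (token.get("asset_id") == asset["asset_id"]
                   and token.get("home_network") == self._home["network_id"]
                   and hmac.compare_digest(token.get("tag", ""), self._tag(asset)))
        if not genuine:
            return self._deny("token does not match registered asset", env)
        if env.get("network_id") != self._home["network_id"]:
            return self._deny("not connected to home network", env)
        if env.get("device_mac") not in self._home["devices"]:
            return self._deny("device not in home network", env)
        if env.get("user_profile") not in self._home["user_profiles"]:
            return self._deny("user profile not in home network", env)
        if env.get("user_profile") not in asset["policy"]["allowed_profiles"]:
            return self._deny("user profile not permitted by asset policy", env)
        return asset["policy"]["level"], "ok"

    def _deny(self, reason, env):
        # Keep the reported environment so an administrator can review it.
        self.reports.append({"reason": reason, **env})
        return "deny", reason


def demo():
    """Exercise the cases a practitioner would check; returns the decisions."""
    server = TokenServer(HOME_NETWORK)
    token = server.generate_token(DOCUMENT)
    at_home = {"network_id": "corp-lan-01", "device_mac": "00:11:22:33:44:55",
               "user_profile": "alice"}
    copied_out = dict(at_home, network_id="cafe-wifi", device_mac="aa:bb:cc:dd:ee:ff")
    wrong_user = dict(at_home, user_profile="mallory")
    tampered = dict(token, asset_id="doc-9999")
    return {
        "at_home": server.evaluate_access(token, at_home),
        "copied_out": server.evaluate_access(token, copied_out),
        "wrong_user": server.evaluate_access(token, wrong_user),
        "tampered": server.evaluate_access(tampered, at_home),
        "denied_reports": len(server.reports),
    }
```

The checks run in order of strength, so a token presented from outside the home network is refused before any device or profile detail is consulted; `demo()` returns the decision for each case.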
- The technology described in this document provides improved security for various assets in a network.
- Computing devices such as laptop computers, desktop computers, printers, scanners, servers, storage devices, and network devices, as well as electronic files stored within such computing devices, can be made more secure via the environment-aware security tokens described in this document.
- FIG. 1 shows an example of a system 100 that uses environment-aware security tokens.
- The system 100 includes various network assets (also referred to herein simply as assets) connected to a server 106 over a network 102.
- The term asset refers to devices that are directly or indirectly associated with a network, as well as electronic files that can be stored on a device associated with the network.
- The assets can include a personal computing device 103 (e.g., a laptop computer), a printer 110, a desktop computing device 112, a mobile computing device (e.g., a smartphone, tablet, or e-reader) 114, a storage device 116, or a server 125 (which can also be referred to as a remote server).
- The assets can include a passive device such as a credit or debit card 108 or a radio frequency identification (RFID) tag that can communicate over the network 102 via an appropriate reader (e.g., a credit/debit card reader and an RFID tag reader, respectively).
- The system 100 can include none, one, or more devices of each of the various types described above.
- A portion of the network 102, and/or one or more devices coupled to the network 102, can form at least a portion of a home network defined for a particular asset.
- The assets include electronic files 104 that can be stored, accessed, read, processed, or otherwise acted on by a device, such as one or more of the devices associated with the network 102.
- The files 104 can include, for example, documents, software packages, executable files, binary files, non-binary files, or other files that can be stored or processed electronically.
- The files 104 can be associated with various applications and include various features.
- The files 104 can include word processing documents, spreadsheets, text files, drawing files, data files (e.g., database files and/or information), and multimedia files (e.g., audio, video, system data files, etc.).
- The files 104 can be formatted in accordance with an application and/or operating system associated with the individual files.
- The formats of the files can be identified, for example, by an appropriate file name extension such as .exe (for executable files), .htm (for hypertext markup language (HTML) files), or .txt (for text files).
- The electronic files 104 can include various types of records and files stored in different types of databases.
- The electronic files 104 can include medical records, academic records, health records, business records, government records, criminal records, real-estate records, financial records, social network data, etc.
- The electronic files 104 can be stored, for example, on a single device (e.g., a laptop computer or server), or can be distributed across several devices (e.g., multiple servers, multiple trays in a data center, or multiple virtual machines in a distributed computing/storage system such as a cloud-based system).
- the electronic files 104 include metadata information about the corresponding files.
- the metadata can include, for example, structural metadata that relates to design and specification of data structures, and descriptive metadata that relates to additional information the data content.
- the metadata can include, for example, information on a location of creation of the document, means of creation of the document, time and date of creation of the document, author or source of the document or the data within the document, and security policies associated with the document.
- the metadata information about a particular document can be used in generating an appropriate environment-aware security token for the particular document.
- the environment-aware security token for the document can be configured such that the document is viewable (and/or printable) only on devices associated with the Human Resources department.
- the system 100 includes a server 106 that coordinates generation and distribution of environment-aware security tokens 120 .
- the server 106 may also be referred to as a security token server or simply a token server.
- the server 106 receives asset information 118 related to the various assets associated with the home network and generates the corresponding environment-aware security tokens 120 .
- the server 106 itself may be associated with an environment-aware security token 120 such that the server is not accessible from a device not included in a home network.
- FIG. 1 shows a single server 106 , multiple servers (e.g., a server farm), and/or one or more remote servers 125 can be used for implementing the functionalities of the server 106 .
- the server 106 can be a dedicated server, or the functionalities of the server 106 can be provided by a server that performs other tasks.
- the asset information 118 can include identification information related to the assets, including for example, one or more of a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, or other identifying information that identifies that a particular asset is connected to, authenticated to, or otherwise associated with the home network.
- the home network may be defined by the serial numbers or MAC addresses of a group of physical devices, such as the devices owned, administered, or otherwise controlled by a company or institution.
- the asset information 118 can include identification of electronic files and documents and/or the corresponding storage locations on various devices associated with the home network.
- the asset information can include user profile information that identifies various users authorized to access the assets associated with the home network.
- the asset information 118 can also include various security policies related to the usage of the assets.
- the security policies can be retrieved, for example, from a storage device connected to or otherwise accessible from the home network.
- the security policies can be used, possibly in conjunction with other asset information 118 to create environment-aware security tokens for one or more assets of the home network.
- the security policies can include, for example, an identification of devices or profiles of users (also referred to herein as user profiles) authorized to access a particular asset such as a document, and can be configured for example by authorized personnel.
- the security policies for a company may specify that a particular document is viewable only by the board of directors.
- the environment-aware security token for the particular document can be configured such that the document can be viewed only when accessed from a user-profile associated with a member of the board of directors.
- the security of the document can be enhanced further by configuring the environment-aware security token to allow access to the document only from personal devices associated with members of the board.
- the environment-aware security token for the document can therefore be generated based on a selectable portion of the asset information 118 .
- the server 106 may obtain the asset information 118 by employing one or more techniques.
- the asset information 118 may be obtained by deploying a network agent configured to gather information on the various assets.
- the network agent can be deployed by the server 106 as a client application 117 that is installed on the devices associated with the home network.
- the client application 117 can be pushed out by the server 106 to the devices that authenticate to the home network.
- the client application 117 can be pre-installed on various devices (e.g., as a part of the corresponding operating system) and authenticates to the home network when the devices attempt to communicate with the home network.
- the client application 117 itself may include a corresponding environment-aware security token that prevents the application 117 from executing when dissociated from the home network.
- the network agent can be similar to the agents described in U.S. Pat. Nos. 7,190,478 and 7,872,772, the contents of which are incorporated herein by reference.
- the deployment of the network agent can be configured via a user interface such as the example 200 depicted in FIG. 2A .
- a user may be able to download and install the network agent on a device using the user interface 200 , which in turn may be launched using the client application 117 .
- the user may be presented with the user interface 200 to authenticate a user profile and/or device to the home network. This can be done, for example, via controls 205 (e.g., fillable text fields, selectable radio buttons, or other controls for entering credentials) provided within the interface 200 .
- the user may be directed to a storage location from which the network agent may be installed on the device.
- the user may be directed to a storage location that stores an executable file 210 configured to install the network agent on the device.
- authorized personnel (e.g., a network administrator) can configure the network agent to be deployed on a device automatically, for example, when a device registers with or authenticates to the server 106 .
- the network agent can include one or more software package-specific plug-ins or add-ins (also referred to herein as document agents) that are installed on devices associated with the home network.
- FIG. 2B shows an example user interface 250 where such a document agent is installed into the word processing application (MICROSOFT WORD in this particular example).
- a document agent may allow a user to perform various configurations on a document, for example, to make the document compatible with environment-aware security tokens, and/or specify security parameters of the document.
- the document agent may allow, for example via a second user interface 255 , to specify whether a password would be required to access the document, or if one or more actions (e.g., printing, editing, copying etc.) should be restricted.
- the document agent can also be configured to communicate asset information 118 (i.e., information related to the document) to the server 106 .
- activating the control 260 may initiate a communication between the document agent and the server 106 to provide corresponding asset information 118 to the server 106 and receive an environment-aware security token 120 generated by the server 106 based on the corresponding asset information 118 .
- the user interface 255 can be configured to allow a user to specify user-defined security parameters such as cipher keys or passwords for a document, such that the document has additional protection, for example, against unauthorized internal access (i.e., access from devices or user-profiles that are associated with the home network).
- the document agent can also be configured to integrate the received environment-aware security token 120 into the corresponding document.
- the document agent can be configured to embed the received environment-aware security token into the page description language (PDL) of a document.
- PDLs include PostScript, Printer Command Language (PCL), Portable Document Format (PDF), and mark up languages such as Open XML Paper Specification (XPS) and Hypertext Markup Language (HTML).
- the document agent can be configured to encapsulate the received environment-aware security token with the document to create, for example, an executable file.
- an executable file can be configured such that an execution point is verified to be within the home network (based on the information within the encapsulated environment-aware security token) before an access to the encapsulated document is allowed.
- if the execution point cannot be verified to be within the home network, access to the encapsulated document is prevented.
- any unauthorized attempt to access the executable file can cause a destruction (e.g., by deletion or digital shredding) of the encapsulated document.
- Other functionalities such as logging unauthorized attempts, triggering one or more alerts, or starting focused investigations, etc. may also be initiated through operations of the agent and use of such environment-aware security tokens.
- the network agent is configured to scan for assets residing on devices and/or storage locations and provide the obtained asset information 118 to the server 106 .
- the network agent executes from the server 106 (or another device associated with the home network) and polls other devices and storage locations of the home network to obtain the asset information 118 .
- the obtained asset information can be associated with (i.e., linked to) a corresponding security token and the association or link information can be stored in a database.
- the obtained asset information is linked to a corresponding asset using identifiers assigned to the assets.
- identifiers can include globally unique identifiers (GUIDs), universally unique identifiers (UUIDs), etc.
- Such identifiers may enable unique identification of the various assets within the system 100 . For example, one or more documents, files, devices, and storage locations within the system 100 may be uniquely identified using such identifiers. Because the identifiers have a finite size, in some cases two different assets may share the same identifier. However, the identifier size and generation process may be selected so as to reduce the probability of such an occurrence.
- 128 bit values can be used as the identifiers assigned to the various assets.
- the identifiers can be generated, for example, via deterministic, random or pseudo-random processes.
- identifiers already associated with the assets (e.g., identifiers issued by the manufacturer, the home network, or users/administrators of the home network) can also be used.
- the network agent includes an automated browser (also referred to as a robotic browser) that obtains the asset information 118 from some or all of the various devices and other assets associated with the home network.
- an automated browser can be used, for example, to collect information about devices on the network, such as identifiers (GUID, UUID, etc.) associated with computing devices, printers, and/or storage devices connected to the network.
- Such an automated browser can also be used, for example, to scan storage locations on various devices to identify asset information such as file attributes of files associated with operating systems of devices connected to the home network and/or operating systems of devices connected to the home network via a remote login process (e.g., via a virtual private network (VPN)).
- the automated browser can be configured to attach identifiers such as GUIDs and UUIDs to the obtained asset information.
- such an automated browser (which may or may not be the same browser used for collecting information about the devices on the network) can also be used to embed, attach, encapsulate, or otherwise associate an environment-aware security token with a corresponding document or other asset.
- the automated browser can be configured to include an environment-aware security token in the header portion of a document via a process such as code injection (implemented, for example, using a programming language such as JAVA). This can be done, for example, by granting the automated browser appropriate permissions to modify document attributes. Such permissions can be configured or modified based on the security context and group policies associated with the home network.
- the server 106 can be configured to generate corresponding environment-aware security tokens 120 for one or more assets associated with the home network, based on at least a portion of the received asset information 118 .
- the generated environment-aware security token 120 can be configured to control how and/or by whom the corresponding asset may be accessed. Once an environment-aware security token 120 is generated and linked to a particular asset, the asset may be used only in accordance with the security policies encoded within the environment-aware security token 120 .
- the environment-aware security token 120 for a document can be configured to include an identification of the home network such that the document can be accessed only from devices connected to the home network.
- the environment-aware security token 120 for a document or file can be configured such that the document is accessible only on a selected set of devices (identified, for example, using serial numbers or MAC addresses) and/or using a user profile from an approved set.
- the environment-aware security token 120 for a particular document can be configured such that the document is accessible only by management personnel (identified, for example by user profiles), and/or on devices (e.g., laptops) associated with the personnel.
- the environment-aware security tokens 120 can also be used for increasing security and/or controlling accessibility of hardware devices.
- an environment-aware security token 120 for a hardware device (e.g., a printer, scanner, copier, fax machine, or multi-function device (MFD)) can be configured to control which devices and user profiles are able to use the hardware device. This can be useful, for example, in increasing device security in a corporate setting and/or to prevent usage of corporate resources for personal use.
- the process of generating the environment-aware security tokens 120 can be made scalable, granular, and customizable to provide flexible security solutions.
- the environment-aware security tokens 120 can be configured to control a level of access for various assets.
- the environment-aware security token 120 of a particular document can be configured such that only a select group of people (as identified by corresponding user profiles) is able to change the content of the document, while a larger group of people associated with the home network (e.g., all employees of a company) is able to view the document without being able to make any changes.
- the environment-aware security token 120 for an asset can be configured such that the asset may be viewed or accessed from outside the home network, but no changes or edits to the asset may be made. This can be useful, for example, in a social network, where a user registers a plurality of devices (e.g., home computer, office computer, and personal mobile devices) that the user plans to use in accessing the social network account. Environment-aware security tokens 120 can then be generated for each device (for example, by the social network service provider) and associated with the corresponding user profile. In such a case, the user is able to update the corresponding social networking account (e.g., in the form of posts, images, videos etc.) only from the devices that are associated with the user profile.
- a malicious entity (e.g., a hacker) in possession of the account credentials would still not be able to make changes to the user account from devices that do not have the environment-aware security tokens 120 associated with the corresponding user profile. For example, the malicious entity would not be able to post potentially embarrassing or harmful content to the user's account in spite of obtaining the credentials needed to log into the user's account.
- environment-aware security tokens 120 can be generated for a particular user of a social networking service for the network resources or assets associated with the corresponding user profile.
- network resources and assets can include, for example, network segments, storage locations, and files associated with the user profile within the social network service infrastructure.
- additional security can be provided by the social network service, for example, in exchange for a fee for the same.
- the home network associated with a given environment-aware security token can be configured by a user.
- an environment-aware security token 120 associated with a credit card 108 can be configured to block one or more types of transactions using the card.
- the environment-aware security token 120 corresponding to the card can be configured such that certain types of products or commodities may not be bought using the card, and/or the card may not be used at a predefined set of vendors. This can be useful, for example, in implementing parental control on add-on cards given to young adults.
- the environment-aware security token 120 for an add-on card can be configured such that the corresponding home network includes only on-campus shops and vendors in a school.
- an environment-aware security token 120 of the add-on card prevents usage of the card to buy merchandise from shops or vendors outside the campus.
- an environment-aware security token can also be associated with virtual instances of the credit card 108 , for example, credit cards represented by online accounts or smartphone applications.
- the server 106 can be configured to generate the environment-aware security tokens 120 as language agnostic objects that can be developed using various programming languages capable of accessing and processing binary data types such as the ones associated with the asset information 118 .
- the environment-aware security tokens 120 can be implemented as objects generated using the Component Object Model (COM) standard, which is a binary-interface standard for software components developed by MICROSOFT. The standard can be used, for example, to enable inter-process communication and dynamic object creation in a large range of programming languages.
- language agnostic objects such as COM objects allow reuse of objects with no knowledge of the corresponding internal implementation.
- the objects may be implemented using interfaces that are agnostic to the implementation details.
- Reference counting can be used, for example, as a technique for storing the number of references, pointers, or handles to a resource such as an object, block of memory, disk space or other resource. Casting between different interfaces of an object can be achieved, for example, using query processes such as QueryInterface.
- the server 106 is configured to generate the environment-aware security tokens 120 for corresponding assets as objects (e.g., COM objects) using at least a portion of the received asset information 118 .
- an object corresponding to an environment-aware security token can include data fields corresponding to the portions of the asset information used in generating the environment-aware security token, and procedures associated with intended functionalities of the environment-aware security token.
- the procedures associated with the functionalities may be referred to as methods.
- the methods associated with an object corresponding to an environment-aware security token can be related to, for example, one or more of the following functionalities: i) detecting environmental parameters for an asset associated with the environment-aware security token, ii) authenticating the asset with a token server (e.g., server 106 ), iii) allowing access to the asset upon authentication, iv) preventing access to the asset upon detecting a dissociation from the home network, and/or v) tracking various activities related to accessing the asset.
- the environment-aware security token 120 embedded or otherwise integrated with an asset can be configured to detect environmental parameters associated with the asset. For example, if the environment-aware security token 120 is embedded into document metadata, the associated object (e.g., COM object or other security object) can be configured to detect a serial number of the device that the document is being accessed from or stored on. The environment-aware security token 120 can be configured to detect one or more other environmental parameters such as user-profile information, security policies associated with the document, a type of access being attempted on the document, etc.
- the environment-aware security token 120 of an asset can also be configured to attempt an authentication of the asset (or the attempted use of the asset) using the detected environmental parameters.
- the environment-aware security token 120 can be configured to communicate the detected environmental parameters to the server 106 to receive an indication if access to the asset can be allowed.
- the environment-aware security token may also perform at least a portion of the authentication locally, for example, based on an identification of the home network encoded within the environment-aware security token 120 . If a connection to the server 106 cannot be established (for example, due to loss of Internet connectivity), a message may be displayed notifying the user that the asset cannot be accessed immediately.
- the authentication can be triggered when an attempt to access the corresponding asset is made (e.g., when a user attempts to open a document).
- the environment-aware security token 120 can also be configured to be synchronized with the server 106 periodically, for example, after predetermined time intervals or when any changes to the corresponding asset are detected.
- the environment-aware security token 120 can allow access to the corresponding asset. For example, upon determining that an authorized user is attempting to open a document (as indicated, for example, by authentication information received from the server 106 ), the environment-aware security token 120 can allow the user to access the document. The access may be allowed based on additional security policies associated with the document. For example, the environment-aware security token 120 may allow a read-only access to a document based on determining that the user attempting to access the document is not authorized to edit the document.
- if the environment-aware security token 120 determines that an access to the asset is unauthorized, the access may be prevented. For example, if the environment-aware security token 120 determines that a corresponding document is residing on a device that is not authenticated to the home network, access to the content of the document may be denied.
- the environment-aware security token 120 can be configured to destroy, delete or digitally shred the corresponding document upon detecting unauthorized access attempts. This can be done, for example, to prevent any additional attempts to breach the security provided by the environment-aware security token 120 .
- the environment-aware security tokens 120 can also be used for tracking usage of the corresponding assets.
- the environment-aware security token 120 associated with a document can be configured to log access information (e.g., creation credentials, time and nature of access attempts, location of access attempts, device ids, etc.) for the corresponding asset.
- the access information can be stored, for example, on a local storage device within an encrypted file system.
- the stored access information can then be synchronized with information stored at the server 106 during subsequent communications between the environment-aware security token 120 and the server 106 .
- a separate agent such as a virtual private network (VPN) agent can be used to communicate the access information to the server 106 .
- Such an agent may itself be associated with a corresponding environment-aware security token 120 , and may use database management systems such as MySQL, ORACLE, or MICROSOFT SQL to manage communications with the server 106 .
- the access information may also be used to update the environment-aware security token 120 associated with the document.
- the environment-aware security tokens 120 can therefore be used to generate and maintain an audit trail of asset usage, thereby further increasing security and accountability of asset usage.
- the asset usage log stored in the token database can be processed, for example, by an artificial intelligence system to learn trends associated with various assets such as devices, user profiles, and applications.
- Various types of machine-learning techniques may be used by such an artificial intelligence system.
- various supervised, unsupervised, or semi-supervised machine learning techniques can be used in identifying, classifying, or otherwise learning trends and/or behaviors associated with the various assets.
- One or more tools can be used in implementing such machine-learning techniques. Examples of such tools include decision trees, artificial neural networks, support vector machines, Bayesian statistics, classifiers, Markov models, and conditional random fields.
- Information obtained by using the machine-learning techniques on the asset usage logs can then be used in increasing security of the assets. For example, if a malicious entity (e.g., a hacker or malicious software) tries to access an asset such as a document, an agent can be configured to detect fraudulent behavior based on detecting a deviation from “normal” behavior as learned from the asset usage logs. For example, if the log corresponding to a user profile shows that the user typically logs in within the first one or two attempts, an occurrence of repeated failed log-in attempts may be flagged as a potential security breach. In such cases, the agent can be configured to capture identification of the accessing device (e.g., IP and/or MAC address of the device).
- if the agent detects malicious software (e.g., a virus, trojan, or payload software), the agent can be configured to detect the IP and/or MAC address of the server the software communicates with (or reports to). From the identification of the accessing device, additional information such as geographical location, manufacturer, or serial number may also be determined. Such information can be used for taking appropriate action against the security breaches, possibly with the help of law enforcement agencies.
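The baseline-and-deviation check described above (a user profile that normally logs in within one or two attempts suddenly producing repeated failures, after which the agent captures the accessing device's identification), as an added Python example that is not part of the patent. The log format, user names, device ids and IP addresses are constructed, and the "mean plus k standard deviations with an absolute floor" threshold is an assumed choice, not one the patent specifies.

```python
"""Baseline-and-deviation check over token access logs (added example, not the patent's code).

Learns, from historical access records, how many failed log-in attempts each user
profile normally makes before a success, then flags new access sequences that
deviate from that baseline and captures the identification (device id, IP address)
of the accessing device. Log format, users, device ids and addresses are constructed.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed historical log: alice normally succeeds within one or two attempts.
HISTORY = """
2024-05-01T08:59:58 user=alice device=SN-0001 ip=10.0.0.11 result=fail
2024-05-01T09:00:04 user=alice device=SN-0001 ip=10.0.0.11 result=ok
2024-05-02T09:01:10 user=alice device=SN-0001 ip=10.0.0.11 result=ok
2024-05-03T08:58:30 user=alice device=SN-0002 ip=10.0.0.12 result=ok
2024-05-04T09:02:45 user=alice device=SN-0001 ip=10.0.0.11 result=fail
2024-05-04T09:02:51 user=alice device=SN-0001 ip=10.0.0.11 result=ok
2024-05-05T09:00:00 user=alice device=SN-0001 ip=10.0.0.11 result=ok
2024-05-01T10:00:00 user=bob device=SN-0003 ip=10.0.0.13 result=ok
2024-05-02T10:00:00 user=bob device=SN-0003 ip=10.0.0.13 result=ok
""".strip().splitlines()

# Constructed new log: repeated failures for alice from an unfamiliar device, a
# normal session for bob, and an unknown profile that never succeeds.
NEW = """
2024-05-06T02:13:01 user=alice device=SN-7777 ip=203.0.113.9 result=fail
2024-05-06T02:13:04 user=alice device=SN-7777 ip=203.0.113.9 result=fail
2024-05-06T02:13:07 user=alice device=SN-7777 ip=203.0.113.9 result=fail
2024-05-06T02:13:10 user=alice device=SN-7777 ip=203.0.113.9 result=fail
2024-05-06T02:13:13 user=alice device=SN-7777 ip=203.0.113.9 result=fail
2024-05-06T02:13:16 user=alice device=SN-7777 ip=203.0.113.9 result=ok
2024-05-06T10:00:00 user=bob device=SN-0003 ip=10.0.0.13 result=fail
2024-05-06T10:00:05 user=bob device=SN-0003 ip=10.0.0.13 result=ok
2024-05-06T03:00:00 user=carol device=SN-8888 ip=198.51.100.4 result=fail
2024-05-06T03:00:02 user=carol device=SN-8888 ip=198.51.100.4 result=fail
2024-05-06T03:00:04 user=carol device=SN-8888 ip=198.51.100.4 result=fail
2024-05-06T03:00:06 user=carol device=SN-8888 ip=198.51.100.4 result=fail
""".strip().splitlines()


def parse(lines):
    """Parse log lines; malformed lines are skipped rather than crashing the agent."""
    return [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in lines) if m]


def sessions(events):
    """Group each user's consecutive attempts into sessions that end at the first success."""
    pending, out = defaultdict(list), []
    for e in events:
        pending[e["user"]].append(e)
        if e["result"] == "ok":
            attempts = pending.pop(e["user"])
            out.append({"user": e["user"], "failures": len(attempts) - 1,
                        "device": e["device"], "ip": e["ip"], "open": False})
    for user, attempts in pending.items():  # still no success: report as an open session
        last = attempts[-1]
        out.append({"user": user, "failures": len(attempts),
                    "device": last["device"], "ip": last["ip"], "open": True})
    return out


def learn_baseline(history_lines):
    """Per-user (mean, population std-dev) of failures before success, from closed sessions."""
    per_user = defaultdict(list)
    for s in sessions(parse(history_lines)):
        if not s["open"]:
            per_user[s["user"]].append(s["failures"])
    return {u: (mean(f), pstdev(f)) for u, f in per_user.items()}


def flag_deviations(baseline, new_lines, min_failures=3, k=3.0):
    """Flag sessions whose failure count exceeds mean + k*sd (and an absolute floor).

    Unknown user profiles have no baseline and fall back to the absolute floor."""
    alerts = []
    for s in sessions(parse(new_lines)):
        mu, sd = baseline.get(s["user"], (0.0, 0.0))
        threshold = max(min_failures, mu + k * sd)
        if s["failures"] >= threshold:
            alerts.append({"user": s["user"], "failures": s["failures"],
                           "threshold": threshold, "device": s["device"], "ip": s["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in flag_deviations(learn_baseline(HISTORY), NEW):
        print(alert)
```

Each alert carries the device id and IP address of the accessing device, which is the identification the text says the agent should capture for follow-up.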
- the environment-aware security tokens 120 generated by the server 106 are stored within a token database 122 accessible to the server 106 .
- the token database 122 may be stored in a storage device within the server 106 or at a remote storage location or the remote server 125 accessible to the server 106 .
- the token database 122 can be used to store information about the environment-aware security tokens 120 generated at the server 106 .
- the token database 122 may store information linking the environment-aware security tokens 120 to the corresponding asset identifiers such as the GUIDs or UUIDs.
- the information linking the environment-aware security tokens 120 to the corresponding identifiers can be used, for example to identify home networks associated with the corresponding assets, and/or to authenticate access attempts on the various assets. For example, if a user attempts to access a document from a particular device, the server 106 may authenticate the access attempt based on information linking a corresponding environment-aware security token 120 to the identifier associated with the document.
- the token database 122 also stores access information associated with the corresponding assets. For example, if an asset (such as a document) is updated, modified, created, deleted, or otherwise acted on, such access information can be stored in the token database linked, for example, to the corresponding asset identifiers.
- the server 106 may also be implemented using a distributed computing environment such as a cloud based system. In such cases, the server 106 may be implemented on a pool 105 of multiple virtual machines 107 .
- a virtual machine 107 can be a set of computing resources (processors, memory, software etc.) that can be used for executing computing tasks.
- the computing resources can be provided by one or more independent providers (e.g., providers of cloud computing or other distributed computing services).
- the security of the virtual machines 107 used to implement the server 106 , or portions thereof, can be increased, for example, by associating the virtual machines 107 with corresponding environment-aware security tokens 120 .
- FIG. 3 shows a flowchart 300 depicting an example sequence of operations for providing environment-aware security tokens for various assets.
- the operations include receiving information about one or more assets ( 302 ).
- the various assets may be identified, for example, by a corresponding identifier such as a GUID or UUID.
- the assets can include, for example, one or more of: a device connected to the home network, a file stored on a storage device connected to the home network, a user-profile associated with the home network, or any other asset as described above with reference to FIG. 1 .
- the information can include any of the asset information 118 described above.
- the information can include one or more of a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network.
- the information about the one or more assets may be received from an agent deployed on the home network and configured to scan the assets associated with the home network. For example, when a device authenticates to the home network, the agent may be installed on the device to obtain information related to one or more assets associated with the device.
- Operations can include generating a security token for an asset based on the received information ( 304 ), wherein the security token is configured to identify the home network and restrict access to the corresponding asset upon determining a dissociation of the asset from the home network.
- the security token can be generated as a language agnostic object (e.g., a COM object), and can be embedded, attached, encapsulated, or otherwise associated with the corresponding asset such that the security token deletes, digitally destroys, or otherwise prevents access to the asset if the asset is dissociated from the home network.
- the security token can be generated in accordance with one or more security policies associated with the corresponding asset.
- the security token can be substantially similar to the environment-aware security tokens described above.
- the dissociation of an asset from the home network can be determined in various ways. For example, determining the dissociation of the corresponding asset from the home network can include determining that the corresponding asset is not connected to the home network, or is not stored on a device connected or registered to the home network. In some implementations, determining the dissociation of the corresponding asset from the network can include detecting an access attempt from a user-profile that is not associated with the home network. In some implementations, determining the dissociation can include determining a deviation from security policies associated with the corresponding asset.
- Operations also include storing information about the security token and information linking the security token to the corresponding identifier ( 306 ).
- the information can be stored, for example, in a database such as the token database 122 described with reference to FIG. 1 .
- the information stored in the database may be updated based on, for example, how the various assets are accessed, used, or updated.
- the information stored in the database can include logs representing how, where and by whom a particular asset is accessed.
- Operations can also include initiating integration of the security token into the corresponding asset ( 308 ).
- initiating the integration can include providing the security token to an agent that performs the integration.
- the security token for a document can be provided to an agent that is configured to inject a code corresponding to the security token in a portion of the document.
- the code injection can be performed, for example, by an automated browser such as the robotic browser described above.
- the code or object (e.g., a COM object) corresponding to the security token for a document or file can be injected within the metadata for the document/file, for example, into a header.
- the code or object corresponding to the security token for a document can also be embedded within a PDL of the document.
- the security token can be encapsulated together with the corresponding document or file into a separate file.
- an agent or application can be configured to generate an application or executable file that encapsulates a security token (e.g., a COM object) with the corresponding document or file.
- the application, executable file, or a file including the security object can be stored, for example, as an encrypted document at a storage location.
- information about the storage location of the encrypted document can be stored in the token database 122 .
- the storage location can be defined to be a part of the home network for the corresponding asset.
- access to the asset can be restricted to be from within the home network defined for the asset.
- a security token can provide information on environment parameters associated with an attempt to access an asset.
- the environment parameters can include, for example, information on the access point, user profile, or security parameters associated with the asset.
- the received information may be compared to the stored information to determine whether the access attempt is considered to be from within a home network associated with the asset.
- if the received information matches the stored information, the access attempt may be authorized. This can be done, for example, by providing permission information that signals the security token to allow access to the asset.
- an asset such as a document embedded with an environment-aware security token can be stored as an encrypted document within a secure storage location within the home network defined for the asset.
- the encryption used in storing the asset within the secure storage location can be based on, for example, a security key specific to a particular user. This can be used, for example, to store a user's documents within a storage system associated with a multi-user system such as a social network service or e-mail service. Access to the asset can be controlled, for example, based on detecting that the asset is stored at a storage location that is associated with the corresponding home network.
- additional layers of security can be provided, for example, by checking whether the user profile and/or device profile associated with the access request is authenticated to the home network.
- access to the home network can be provided, for example, via a hyperlink (e.g., such as one embedded in an email) that is associated with an environment-aware security token.
- a user or device that is not otherwise associated with the home network may be able to access an asset within the home network using such a hyperlink.
- a user may be authenticated to the home network via an authentication request (e.g., a request for biometric authentication) that is associated with an environment-aware security token.
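The access check described above (dissociation tests, comparison of reported environment parameters against the stored home-network definition, permission information returned to the token, and the how/where/by-whom log), written out as an added example that is not the patent's code: the COM object is replaced by a plain dictionary, the token database by an in-memory class, and every identifier, MAC address, path and policy field is constructed for the illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

SERVER_KEY = b"constructed-token-server-secret"  # held by the token server only


@dataclass(frozen=True)
class HomeNetwork:
    """The environment an asset is locked to (constructed representation)."""
    network_id: str           # identifier of the authorized network
    device_macs: frozenset    # devices registered to the home network
    user_profiles: frozenset  # user profiles associated with the home network
    storage_paths: frozenset  # storage locations that count as inside the network


def generate_token(asset_id: str, asset_info: dict, home: HomeNetwork) -> str:
    """Token identifier derived (HMAC) from the asset information and home network
    it was generated for, so a token copied onto another asset matches no record."""
    payload = json.dumps({"asset": asset_id, "info": asset_info,
                          "network": home.network_id}, sort_keys=True)
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


class TokenDatabase:
    """Stand-in for the token database: token -> asset, home network, policy, log."""

    def __init__(self):
        self.records = {}

    def register(self, asset_id, asset_info, home, policy):
        token = generate_token(asset_id, asset_info, home)
        self.records[token] = {"asset": asset_id, "home": home,
                               "policy": policy, "log": []}
        return token

    def evaluate_access(self, token: str, env: dict) -> dict:
        """env: environment parameters reported by the token embedded in the asset."""
        record = self.records.get(token)
        if record is None:
            return {"action": "deny", "level": "none", "reasons": ["unknown token"]}
        home, policy = record["home"], record["policy"]
        reasons = []
        # Dissociation checks named in the description above.
        if env.get("network_id") != home.network_id:
            reasons.append("asset not connected to its home network")
        if env.get("device_mac") not in home.device_macs:
            reasons.append("device not registered to the home network")
        if env.get("user_profile") not in home.user_profiles:
            reasons.append("user profile not associated with the home network")
        if env.get("storage_path") not in home.storage_paths:
            reasons.append("asset not stored at a home-network location")
        # Deviation from the asset's own policy, e.g. a document viewable only
        # on a predefined subset of the home network's devices.
        viewable_on = policy.get("viewable_on")
        if viewable_on and env.get("device_mac") not in viewable_on:
            reasons.append("device outside the asset's viewable-on set")
        if env.get("failed_logins", 0) >= policy.get("max_failed_logins", 3):
            reasons.append("suspicious activity: repeated failed logins")
        # Permission information returned to the token: on dissociation the policy
        # may tell the token to delete the asset's content rather than only refuse.
        if not reasons:
            action, level = "allow", policy.get("level", "read")
        elif policy.get("destroy_on_dissociation"):
            action, level = "destroy", "none"
        else:
            action, level = "deny", "none"
        # Log how, where and by whom the asset was accessed.
        record["log"].append({"who": env.get("user_profile"), "where": env.get("device_mac"),
                              "how": env.get("access_method"), "action": action})
        return {"action": action, "level": level, "reasons": reasons}


def demo():
    """Constructed walk-through: an in-network edit by a registered user, then the
    same document after being copied off the home network by an unknown profile."""
    home = HomeNetwork("corp-net-7",
                       frozenset({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}),
                       frozenset({"alice", "bob"}), frozenset({"/srv/docs"}))
    db = TokenDatabase()
    token = db.register("Q3-plan.docx", {"path": "/srv/docs/Q3-plan.docx", "type": "docx"},
                        home, {"level": "edit", "viewable_on": {"aa:bb:cc:00:00:01"},
                               "destroy_on_dissociation": True})
    inside = db.evaluate_access(token, {"network_id": "corp-net-7", "device_mac": "aa:bb:cc:00:00:01",
                                        "user_profile": "alice", "storage_path": "/srv/docs",
                                        "access_method": "open"})
    stolen = db.evaluate_access(token, {"network_id": "cafe-wifi", "device_mac": "de:ad:be:ef:00:09",
                                        "user_profile": "mallory", "storage_path": "/tmp/loot",
                                        "access_method": "open"})
    return token, inside, stolen, db.records[token]["log"]


if __name__ == "__main__":
    print(json.dumps(demo()[1:3], indent=2))
```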
- the security technology described in this document can be used both independently and in conjunction with other security systems and architectures.
- the environment-aware security tokens described above can be used in conjunction with security and cryptography techniques such as biometric identification, symmetric keys, asymmetric keys, symmetric ciphers, transport layer security, and encryption techniques.
- security for an online account that uses secure socket layer (SSL) can be increased by associating the account with a corresponding environment-aware security token to restrict editing capabilities to a user-selected set of devices.
- files stored on the home network can be stored with additional cryptography built into the security tokens utilizing for example, a symmetric key unique to a particular authorized user.
- the environment-aware security tokens can be used in multiple layers to enhance security.
- a file encrypted with an embedded COM object can be further encapsulated with another COM object to generate a file with double layer security.
- because the security policies of the two COM objects can be configured differently, the security of the underlying file or document can be increased manifold.
- the security policies can be configured such that the higher and lower layer files may be opened using two separate user profiles, thereby requiring not one, but two separate personnel to be involved in accessing the file.
- the encapsulation can be scalable allowing additional security to be incorporated as needed, for example, via increased layers of encapsulations.
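An added example, not the patent's code, of the layered encapsulation and per-user symmetric keys described above: each layer seals its payload under a key unique to one authorized user and carries its own token policy (home network plus required user profile), so the outer layer opens only for one profile and the inner layer only for another. The cipher is a constructed stand-in built from HMAC-SHA256 (keystream plus integrity tag) so the example runs on the standard library; a deployment would use an authenticated cipher such as AES-GCM. All profiles, secrets and network names are constructed.

```python
import hashlib
import hmac
import json
import os


def derive_user_key(user_profile: str, user_secret: bytes) -> bytes:
    """Symmetric key unique to a particular authorized user (constructed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", user_secret, user_profile.encode(), 50_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a stand-in stream cipher; not for production use.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes) -> dict:
    """Encrypt and tag; aad (the layer's token header) is bound into the tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_box(key: bytes, box: dict, aad: bytes) -> bytes:
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    expect = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, bytes.fromhex(box["tag"])):
        raise PermissionError("integrity check failed or wrong user key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def encapsulate(payload: bytes, layers) -> bytes:
    """Wrap payload in one layer per (policy, user_key), innermost first.
    The policy travels in clear as the layer's token header, bound by the tag,
    so it cannot be swapped for a more permissive one without detection."""
    blob = payload
    for policy, key in layers:
        header = json.dumps(policy, sort_keys=True).encode()
        blob = json.dumps({"token": policy, **seal(key, blob, header)}).encode()
    return blob


def unwrap_one(blob: bytes, env: dict, key: bytes) -> bytes:
    """Remove the outermost layer if the access environment satisfies its policy."""
    layer = json.loads(blob)
    policy = layer["token"]
    if env.get("network_id") != policy["home_network"]:
        raise PermissionError("asset dissociated from its home network")
    if env.get("user_profile") != policy["user_profile"]:
        raise PermissionError(f"layer requires profile {policy['user_profile']}")
    header = json.dumps(policy, sort_keys=True).encode()
    return open_box(key, layer, header)


def demo():
    """Constructed two-person scenario: alice's profile opens the outer layer,
    bob's opens the inner one; neither profile alone reaches the document."""
    alice_key = derive_user_key("alice", b"alice-secret")
    bob_key = derive_user_key("bob", b"bob-secret")
    inner = {"home_network": "corp-net-7", "user_profile": "bob"}
    outer = {"home_network": "corp-net-7", "user_profile": "alice"}
    blob = encapsulate(b"ACCOUNT LEDGER Q3", [(inner, bob_key), (outer, alice_key)])
    env_alice = {"network_id": "corp-net-7", "user_profile": "alice"}
    env_bob = {"network_id": "corp-net-7", "user_profile": "bob"}
    middle = unwrap_one(blob, env_alice, alice_key)   # outer layer removed
    document = unwrap_one(middle, env_bob, bob_key)   # inner layer removed
    try:                                              # alice alone stops here
        unwrap_one(middle, env_alice, alice_key)
        alone = "opened"
    except PermissionError as exc:
        alone = str(exc)
    return document, alone


if __name__ == "__main__":
    print(demo())
```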
- the environment-aware security tokens can also be used in identity verification services such as eAuthentication.
- identity verification services can be provided, for example, by a remote server to other distributed servers that are possibly distributed on the Internet or an intranet. Similar to credit card verification services that are provided by third parties to eCommerce web sites, identity verification services can verify identity of users to entities such as web sites or intranet servers.
- Various networking protocols and application programming interfaces may be used by such identity verification services. Examples of such networking protocols include the Remote Authentication Dial In User Service (RADIUS), which is a networking protocol for providing centralized Authentication, Authorization, and Accounting (AAA) management for users that connect and use a network service.
- environment-aware security tokens can be used to secure files associated with network-based transactions such that the files are locked down to the physical attributes of the corresponding data center or server. Therefore, even if a malicious entity (e.g., a hacker) obtains the transaction files (for example, via hacking the point of sale corresponding to the transactions), the malicious entity could be prevented from opening the file to access the sensitive data included in the files.
- credit card data can be protected using embedded environmental security tokens on the card such that the corresponding user profile can be accessed only from the home network, data center, or cloud service registered with the card.
- the home network information in turn can be stored in a file protected by another environment-aware security token, to prevent the home network information from being compromised.
- the environment-aware security tokens can also be used in securing mobile devices such as phones, tablets or e-readers.
- a phone or other mobile device can be associated with an environment-aware security token.
- the environment-aware security token can be configured such that, in the event of theft, biometric login or text login capabilities are suspended on detecting no activity (or suspicious activity, such as multiple login attempts) for a predetermined period of time. Because any harmful activities, such as ones involving downloading files, copying files or deleting files, require login authentication with the home network, the owners may get additional time to shut down the phone or mobile device to prevent theft of data.
- FIG. 4 shows an example of a computing device 400 and a mobile device 450 , which may be used with the techniques described here.
- any of the devices 106 , 110 , 112 , or 114 could be examples of the computing device 400 or the mobile device 450
- the server 106 could include one or more computer devices 400 .
- Computing device 400 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers.
- Computing device 450 is intended to represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, and other similar computing devices.
- the components shown here, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the techniques described and/or claimed in this document.
- the exemplary computing device 400 includes a processor 402 , memory 404 , a storage device 406 , a high-speed interface 408 connecting to memory 404 and high-speed expansion ports 410 , and a low speed interface 412 connecting to low speed bus 414 and storage device 606 .
- Each of the components 402 , 404 , 406 , 408 , 410 , and 412 is interconnected using various busses, and may be mounted on a common motherboard or in other manners as appropriate.
- the processor 402 can process instructions for execution within the computing device 400 , including instructions stored in the memory 404 or on the storage device 406 to display graphical information for a GUI on an external input/output device, such as display 416 coupled to high speed interface 408 .
- multiple processors and/or multiple buses may be used, as appropriate, along with multiple memories and types of memory.
- multiple computing devices 400 may be connected, with each device providing portions of the necessary operations (e.g., as a server bank, a group of blade servers, or a multi-processor system).
- the computing device can include a graphics processing unit.
- the memory 404 stores information within the computing device 400 .
- the memory 404 is a volatile memory unit or units.
- the memory 404 is a non-volatile memory unit or units.
- the memory 404 may also be another form of computer-readable medium, such as a magnetic or optical disk.
- the storage device 406 is capable of providing mass storage for the computing device 400 .
- the storage device 116 could be an example of the storage device 406 .
- the storage device 406 may be or contain a non-transitory computer-readable medium, such as a floppy disk device, a hard disk device, an optical disk device, or a tape device, a flash memory or other similar solid state memory device, or an array of devices, including devices in a storage area network or other configurations.
- a computer program product can be tangibly embodied in an information carrier.
- the computer program product may also contain instructions that, when executed, perform one or more methods, such as those described above.
- the information carrier is a computer- or machine-readable medium, such as the memory 404 , the storage device 406 , or memory on the processor 402 .
- the high speed controller 408 manages bandwidth-intensive operations for the computing device 400 , while the low speed controller 412 manages lower bandwidth-intensive operations.
- the high-speed controller 408 is coupled to memory 404 , display 416 (e.g., through a graphics processor or accelerator), and to high-speed expansion ports 410 , which may accept various expansion cards (not shown).
- low-speed controller 412 is coupled to storage device 406 and low-speed expansion port 414 .
- the low-speed expansion port which may include various communication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet) may be coupled to one or more input/output devices, such as a keyboard, a pointing device, a scanner, or a networking device such as a switch or router, e.g., through a network adapter.
- the computing device 400 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a standard server 420 , or multiple times in a group of such servers. It may also be implemented as part of a rack server system 424 . In addition, it may be implemented in a personal computer such as a laptop computer 422 . Alternatively, components from computing device 400 may be combined with other components in a mobile device (not shown), such as device 450 . Each of such devices may contain one or more of computing device 400 , 450 , and an entire system may be made up of multiple computing devices 400 , 450 communicating with each other.
- Computing device 450 includes a processor 452 , memory 464 , an input/output device such as a display 454 , a communication interface 466 , and a transceiver 468 , among other components.
- the device 450 may also be provided with a storage device, such as a microdrive or other device, to provide additional storage.
- Each of the components 450 , 452 , 464 , 454 , 466 , and 468 is interconnected using various buses, and several of the components may be mounted on a common motherboard or in other manners as appropriate.
- the processor 452 can execute instructions within the computing device 450 , including instructions stored in the memory 464 .
- the processor may be implemented as a chipset of chips that include separate and multiple analog and digital processors.
- the processor may provide, for example, for coordination of the other components of the device 450 , such as control of user-interfaces, applications run by device 450 , and wireless communication by device 450 .
- Processor 452 may communicate with a user through control interface 458 and display interface 456 coupled to a display 454 .
- the display 454 may be, for example, a TFT LCD (Thin-Film-Transistor Liquid Crystal Display) or an OLED (Organic Light Emitting Diode) display, or other appropriate display technology.
- the display interface 456 may comprise appropriate circuitry for driving the display 454 to present graphical and other information to a user.
- the control interface 458 may receive commands from a user and convert them for submission to the processor 452 .
- an external interface 462 may be provided in communication with processor 452 , so as to enable near area communication of device 450 with other devices. External interface 462 may provide, for example, for wired communication in some implementations, or for wireless communication in other implementations, and multiple interfaces may also be used.
- the memory 464 stores information within the computing device 450 .
- the memory 464 can be implemented as one or more of a computer-readable medium or media, a volatile memory unit or units, or a non-volatile memory unit or units.
- Expansion memory 474 may also be provided and connected to device 450 through expansion interface 472 , which may include, for example, a SIMM (Single In Line Memory Module) card interface.
- expansion memory 474 may provide extra storage space for device 450 , or may also store applications or other information for device 450 .
- expansion memory 474 may include instructions to carry out or supplement the processes described above, and may include secure information also.
- expansion memory 474 may be provided as a security module for device 450 , and may be programmed with instructions that permit secure use of device 450 .
- secure applications may be provided via the SIMM cards, along with additional information, such as placing identifying information on the SIMM card in a non-hackable manner.
- the memory may include, for example, flash memory and/or NVRAM memory, as discussed below.
- a computer program product is tangibly embodied in an information carrier.
- the computer program product contains instructions that, when executed, perform one or more methods, such as those described above.
- the information carrier is a computer- or machine-readable medium, such as the memory 464 , expansion memory 474 , memory on processor 452 , or a propagated signal that may be received, for example, over transceiver 468 or external interface 462 .
- Device 450 may communicate wirelessly through communication interface 466 , which may include digital signal processing circuitry where necessary. Communication interface 466 may provide for communications under various modes or protocols, such as GSM voice calls, SMS, EMS, or MMS messaging, CDMA, TDMA, PDC, WCDMA, CDMA2000, or GPRS, among others. Such communication may occur, for example, through radio-frequency transceiver 468 . In addition, short-range communication may occur, such as using a Bluetooth, WiFi, or other such transceiver (not shown). In addition, GPS (Global Positioning System) receiver module 470 may provide additional navigation- and location-related wireless data to device 450 , which may be used as appropriate by applications running on device 450 .
- Device 450 may also communicate audibly using audio codec 460 , which may receive spoken information from a user and convert it to usable digital information. Audio codec 460 may likewise generate audible sound for a user, such as through a speaker, e.g., in a handset of device 450 . Such sound may include sound from voice telephone calls, may include recorded sound (e.g., voice messages, music files, and so forth) and may also include sound generated by applications operating on device 450 .
- the computing device 450 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a cellular telephone 480 . It may also be implemented as part of a smartphone 482 , personal digital assistant, tablet computer, or other similar mobile device.
- implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof.
- These various implementations can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
- the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer.
- Other kinds of devices can be used to provide for interaction with a user as well.
- feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback).
- Input from the user can be received in any form, including acoustic, speech, biometric, or tactile input.
- the systems and techniques described here can be implemented in a computing system that includes a back end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front end component (e.g., a client computer having a graphical user-interface or a Web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back end, middleware, or front end components.
- the components of the system can be interconnected by any form or medium of digital data communication (e.g., a network such as the network 102 described with reference to FIG. 1A ). Examples of networks include a local area network (“LAN”), a wide area network (“WAN”), and the Internet.
- the computing system can include clients and servers (including remote servers).
- a client and server are generally remote from each other and typically interact through a communication network such as the network 102 .
- the relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
Abstract
The technology described in this document can be embodied in a computer implemented method that includes receiving, at a processing device, information about one or more assets associated with a network of devices. The method also includes generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset. The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset. The method further includes storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset.
Description
- This application is a continuation application and claims priority under 35 USC § 120 to U.S. patent application Ser. No. 15/450,984, filed on Mar. 6, 2017 (to be issued as U.S. Pat. No. 10,122,696 on Nov. 6, 2018), which is a continuation application and claims the benefit to U.S. patent application Ser. No. 15/236,649, filed on Aug. 15, 2016 (now issued as U.S. Pat. No. 9,590,971 on Mar. 7, 2017), which is a continuation application and claims the benefit to U.S. patent application Ser. No. 14/456,777, filed on Aug. 11, 2014 (now issued as U.S. Pat. No. 9,449,187 on Sep. 20, 2016), the entire contents of which are hereby incorporated by reference.
- This disclosure relates to security of networked devices and files.
- Security tokens for authorizing use of computer services can be generated using a security architecture such as a shared secret architecture or a public-key cryptography architecture.
- In one aspect, the technology described in this document can be embodied in a computer implemented method that includes receiving, at a processing device, information about one or more assets associated with a network of devices. The method also includes generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset. The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset. The method further includes storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset.
- In another aspect, the technology described in this document can be embodied in a computing device that includes memory and one or more processors. The one or more processors can be configured to receive information about one or more assets associated with a network of devices. The processors can also be configured to generate for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset. The security token can be configured to identify a home network defined for the asset, and also to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset. The processors can be further configured to store, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiate integration of the security token with the corresponding asset.
- In another aspect, the technology described in this document can be embodied in one or more machine-readable storage devices that store instructions executable by one or more processing devices. These instructions, when executed, can cause the one or more processing devices to perform operations that include receiving information about one or more assets associated with a network of devices. The operations also include generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset. The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset. The operations further include storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset. Implementations of the above embodiments can include one or more of the following features.
- Detecting the occurrence of the unauthorized activity can include determining a dissociation of the asset from the home network defined for the asset. The assets associated with the network can include one or more of: a device connected to the network, a file stored on a storage device connected to the network, and a user-profile associated with the network. The asset can be an electronic file, and initiating the integration of the security token into the asset can include initiating an encryption of the asset based on the security token. The home network for the asset can be defined based on one or more security policies associated with the asset. The information can include one or more of: a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network. The information about the one or more assets can be received from an agent deployed on the network. The agent can be configured to scan the devices of the network to obtain the information. The agent can include an automated browser. The security token can include an object generated in accordance with Component Object Model (COM). The security token can be generated in accordance with one or more security policies associated with the corresponding asset. Determining the dissociation of the corresponding asset from the home network can include determining that the corresponding asset is not connected to the home network. Determining the dissociation of the corresponding asset from the home network can include determining that the corresponding asset is not stored on a device associated with the home network. Determining the dissociation of the corresponding asset from the home network can include detecting an access attempt from a user-profile not associated with the home network. 
The corresponding asset can be an electronic file, and the security token can be configured to restrict access to the electronic file by deleting content of the electronic file upon determining the dissociation from the home network. The information about the security token and the information linking the security token to the corresponding identifier can be stored in a database. The corresponding asset can be an electronic file, and initiating an integration of the security token into the electronic file can include initiating a code injection to a header portion of the electronic file. The corresponding asset can be an electronic file, and initiating an integration of the security token with the electronic file can include initiating an encapsulation of the security token with the electronic file. The executable file can be generated via the encapsulation. The corresponding asset can be an electronic document, and the security token can be integrated into the document as a portion of a page description language of the document. Information related to an access point attempting to access an asset can be received from the asset, based possibly on information collected by the security token. A determination can be made, based on the stored information about the security token, whether the access point is associated with the security token. Permission information indicating a level of access permitted for the access point can be provided based on the determination.
- In some implementations, the technology described in this document may provide one or more of the following advantages. By using environment-aware security tokens that include an identification of an authorized network (often referred to as the home network), network assets such as one or more devices, user profiles and document files can be locked down within the authorized network. Security of data and other network assets can therefore be increased many fold. For example, even if files are fraudulently copied and stored (for example, via a security breach) on a non-authorized device (i.e., a device not authenticated to the authorized network), the environment-aware security token associated with the files can detect this dissociation from the home network and prevent unauthorized access to the files. Efficacy of malicious security breaches can therefore be mitigated by reducing usefulness of stolen data. In some implementations, physical devices such as printers, laptops, phones, mobile devices, etc. can also be associated with environment-aware security tokens such that the devices are functional only when connected to the authorized network. The environment-aware security tokens can be configured to be user-defined, scalable, and adaptive to provide a greater degree of control on accessibility of corresponding assets. For example, the environment-aware security token associated with a particular document can be configured such that the particular document is viewable only on a predefined set of computing devices within the authorized network.
- Other features and advantages are apparent from the following detailed description, and from the claims.
- FIG. 1 is an example of a system that uses environment-aware security tokens.
- FIGS. 2A-2B show examples of user-interfaces.
- FIG. 3 is a flowchart depicting an example sequence of operations associated with generating a security token.
- FIG. 4 is a diagram illustrating examples of computing devices.
- Security tokens are often used to give authorized users access to secure assets such as computing devices or files stored within the computing devices. Such security tokens can allow, for example, secure single sign-on (also referred to as S3) capabilities in systems that provide access to various resources. A security token can include, for example, a two-factor authentication security mechanism that authorizes access to assets associated with a network. Security tokens can be stored on a general-purpose computing device such as a desktop computer, laptop computer, or handheld wireless device (e.g., a mobile phone, e-reader, or tablet) and used to access various assets (e.g., files or documents) using the computing device.
- Some security tokens (e.g., security tokens provided by shared-secret or public-key cryptography architectures) may be vulnerable to threats based on duplication of the underlying cryptographic material. For example, a malicious entity (e.g., a human user such as a hacker, or a software entity such as a computer virus or other malicious software) may breach the security of a network to steal data in the form of documents or other files. In such cases, the stolen files may be stored on a storage device conveniently accessible to the malicious entity, and the content of the files may potentially be used in illegal or harmful activities. This can happen, for example, when a malicious entity attacks a financial institution such as a credit card company and is able to copy files that include sensitive user information such as username and password pairs. Such sensitive information can also be obtained directly from the users, for example, via phishing attacks. The sensitive information can then be supplied to a token generating authority (e.g., a secure website) to obtain the security tokens needed for accessing, for example, user accounts.
- In a shared secret architecture, a configuration file is typically generated for each end-user. The generated configuration file can include, for example, a username, a personal identification number, and a configurable “secret” associated with the particular user (e.g., answers to questions posed to a user). The security provided by the shared secret architecture is largely dependent on the configuration file. Therefore, in the event the configuration file is stolen or copied, the security provided by the shared secret architecture may be compromised.
- Architectures such as public-key (asymmetric) cryptography provide some advantages over the shared-secret type of architecture by requiring two separate keys, one of which is secret (or private) and the other public. The two keys are mathematically linked, and can be used in conjunction to provide security. For example, the public key can be used in encryption or to verify a digital signature, and the private key can be used in decryption or to create a digital signature. However, the security provided by architectures such as public-key cryptography may also be compromised if both keys are stolen or duplicated.
- The technology described in this document improves the security of network assets (documents, files, devices etc.) by generating environment-aware security tokens that are specific to the corresponding assets. The technology can be used both independently and in conjunction with other security technologies, such as those provided via third-party software applications or social network services. For example, an environment-aware security token for a document can be generated from environmental metrics associated with a network on which the document is authorized to reside. Examples of the environmental metrics can also include various parameters associated with an asset such as asset name, asset ID (GUID, or QUID), asset class (e.g., whether the asset is a device, document, user profile, system data, or security policy data), security token keys, security objects, etc. Examples of parameters associated with a device include assigned addresses (e.g., MAC addresses), serial numbers, device name, device ID, and security object status (e.g., whether the security object is attached or embedded, whether the object is a null object, etc.). Examples of parameters associated with a user include user name, user ID, and user profile data structures (e.g., data structures representing data on various user metrics). Examples of parameters associated with a document include document name, document ID, and document profile data structures (e.g., data structures representing data on document metrics). Examples of parameters associated with system and security policy data include system name, system ID, security policy name, security policy ID, and data structures representing security policies.
- The generated environment-aware security token can be configured to include an identification of the particular network, and can then be associated with the document to “lock-down” the document to the particular network (often referred to as the home network). The lock-down can be such that the document cannot be accessed from any non-authorized device, for example, a device that is not authenticated to the particular network. For example, the environment-aware security token can be embedded, attached, encapsulated, or otherwise associated with the document in a way such that the environment-aware security token deletes, digitally destroys, or otherwise prevents access to content of the document if the document is moved or copied to or attempted to be accessed from a device not authenticated to the home network. In some implementations, the technology described in this document can be deployed in conjunction with other security architecture such as the shared secret architecture or public-key cryptography architecture described above.
- The technology described in this document can be used to control physical or virtual access to a physical or virtual storage location. In some implementations, file system and document attributes can be used to generate environment-aware security tokens that provide access to the storage locations and/or encrypt file content. Various restrictions can be imposed based on the environment-aware security tokens. In some implementations, the environment-aware security tokens can be used to restrict user(s) or device(s) from accessing an asset. In some implementations, the environment-aware security tokens can be used in restricting documents from being copied from the original storage location. Moreover, file attributes can be configured such that corresponding environment-aware security tokens can be used to prevent unauthorized copying and/or downloading. For example, the file attributes can be controlled via the attached or embedded security tokens (e.g., embedded security objects) that are verified by a token server with or without a hardware dongle.
- In some implementations, the technology can be implemented as a part of an operating system (OS). For example, the security layer provided by the technology can be used to acquire control over the file system of the corresponding OS to control operations such as read, write, and copy. The security layer can be used, for example, to control and verify various assets via attached, encapsulated, or embedded security objects. In some implementations, for example where a security object is encapsulated together with the corresponding file or document into a separate entity (e.g., an application or executable file), the entity can be configured to destroy, delete or otherwise digitally shred the contents of the file or document upon detecting dissociation from the home network. The dissociation can be detected, for example, when the entity fails to establish a connection with a token server that controls administration of the security objects. In some implementations, the entity can also be configured to collect information on one or more metrics associated with the environment from where an access attempt is being made. For example, in the event of a security breach (e.g., a hack), the entity can be configured to transmit details of the environment (e.g., MAC address, IP address, device serial number etc.) back to the token server.
- Dissociation from the home network can encompass various situations. In some implementations, the dissociation can include a physical connection loss with the home network. The home network can be defined or configured by choosing a set of assets (devices, user profiles, storage locations, files, documents, operating systems etc.) that are authenticated to be associated with a particular asset such as a device or document. In some implementations, the dissociation from the home network can include an access attempt from an asset or entity that is not included within the home network as configured for the asset on which the access attempt is being made. In one example, the dissociation can include an access attempt from a user profile not associated with the home network as configured for the corresponding asset. In another example, a dissociation can include storing a particular asset at (or accessing the particular asset from) a storage location outside the home network as configured for the particular asset. In yet another example, a dissociation can include disconnecting a device from a network (including a physical network or a virtual network such as a virtual private network) that is not a part of the corresponding home network.
- The operating system can therefore be configured such that data cannot be removed from a home network without appropriate permissions, for example, explicit user and/or device authorizations. The technology can therefore be configured to act as a gateway to physical and virtual storage locations on the home network or on registered devices with user(s) privileges. Documents can be assigned identifiers as they are stored in secure storage locations within the home network. Assets such as documents, devices, files and user profiles can be classified, and a database of asset data can be created from data collected from the assets. Security objects such as environment-aware security tokens can then be created from security keys defined based on the asset data.
- In some implementations, the technology described in this document provides improved security for various assets in a network. For example, computing devices such as laptop computers, desktop computers, printers, scanners, servers, storage devices, network devices, as well as electronic files stored within such computing devices can be made more secure via the environment-aware security tokens described in this document.
- FIG. 1 shows an example of a system 100 that uses environment-aware security tokens. The system 100 includes various network assets (also referred to herein simply as assets) connected to a server 106 over a network 102. The term asset, as used in this document, refers to devices that are directly or indirectly associated with a network, as well as electronic files that can be stored on a device associated with the network. For example, the assets can include a personal computing device 103 (e.g., a laptop computer), a printer 110, a desktop computing device 112, a mobile computing device (e.g., a smartphone, tablet or e-reader) 114, a storage device 116, or a server 125 (which can also be referred to as a remote server). In some implementations, the assets can include a passive device such as a credit or debit card 108 or a radio frequency identification (RFID) tag that can communicate over the network 102 via an appropriate reader (e.g., a credit/debit card reader and RFID tag reader, respectively). The system 100 can include none, one, or more devices of the various types described above. In some implementations, a portion of the network 102, and/or one or more devices coupled to the network 102, can form at least a portion of a home network defined for a particular asset.
- In some implementations, the assets include electronic files 104 that can be stored, accessed, read, processed, or otherwise acted on by a device, such as one or more of the devices associated with the network 102. The files 104 can include, for example, documents, software packages, executable files, binary files, non-binary files, or other files that can be stored or processed electronically. The files 104 can be associated with various applications and include various features. For example, the files 104 can include word processing documents, spreadsheets, text files, drawing files, data files (e.g., database files and/or information), and multimedia files (e.g., audio, video, system data files etc.). The files 104 can be formatted in accordance with an application and/or operating system associated with the individual files. The formats of the files can be identified, for example, by an appropriate file name extension such as .exe (for executable files), .htm (for hypertext markup language (HTML) files), or .txt (for text files). In some implementations, the electronic files 104 can include various types of records and files stored in different types of databases. For example, the electronic files 104 can include medical records, academic records, health records, business records, government records, criminal records, real-estate records, financial records, social network data etc. The electronic files 104 can be stored, for example, on a single device (e.g., a laptop computer or server), or can be distributed across several devices (e.g., multiple servers, multiple trays in a data center, or multiple virtual machines in a distributed computing/storage system such as a cloud-based system).
- In some implementations, the electronic files 104 include metadata information about the corresponding files. The metadata can include, for example, structural metadata that relates to the design and specification of data structures, and descriptive metadata that relates to additional information about the data content. The metadata can include, for example, information on the location of creation of the document, the means of creation of the document, the time and date of creation of the document, the author or source of the document or of the data within the document, and the security policies associated with the document. In some implementations, the metadata information about a particular document can be used in generating an appropriate environment-aware security token for the particular document. For example, if the security policies included within the metadata establish that the corresponding document can only be viewed by personnel from the Human Resources department of a company, the environment-aware security token for the document can be configured such that the document is viewable (and/or printable) only on devices associated with the Human Resources department.
- In some implementations, the system 100 includes a server 106 that coordinates generation and distribution of environment-aware security tokens 120. The server 106 may also be referred to as a security token server or simply a token server. In some implementations, the server 106 receives asset information 118 related to the various assets associated with the home network and generates the corresponding environment-aware security tokens 120. In some implementations, the server 106 itself may be associated with an environment-aware security token 120 such that the server is not accessible from a device not included in a home network. Even though FIG. 1 shows a single server 106, multiple servers (e.g., a server farm) and/or one or more remote servers 125 can be used for implementing the functionalities of the server 106. The server 106 can be a dedicated server, or the functionalities of the server 106 can be provided by a server that performs other tasks.
- The
asset information 118 can include identification information related to the assets, including, for example, one or more of a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, or other identifying information that identifies that a particular asset is connected to, authenticated to, or otherwise associated with the home network. In some implementations, the home network may be defined by the serial numbers or MAC addresses of a group of physical devices, such as the devices owned, administered, or otherwise controlled by a company or institution. In some implementations, the asset information 118 can include identification of electronic files and documents and/or the corresponding storage locations on various devices associated with the home network. In some implementations, the asset information can include user profile information that identifies the various users authorized to access the assets associated with the home network.
- In some implementations, the asset information 118 can also include various security policies related to the usage of the assets. The security policies can be retrieved, for example, from a storage device connected to or otherwise accessible from the home network. The security policies can be used, possibly in conjunction with other asset information 118, to create environment-aware security tokens for one or more assets of the home network. The security policies can include, for example, an identification of devices or profiles of users (also referred to herein as user profiles) authorized to access a particular asset such as a document, and can be configured, for example, by authorized personnel. The security policies for a company may specify that a particular document is viewable only by the board of directors. In such a case, the environment-aware security token for the particular document can be configured such that the document can be viewed only when accessed from a user profile associated with a member of the board of directors. The security of the document can be enhanced further by configuring the environment-aware security token to allow access to the document only from personal devices associated with members of the board. The environment-aware security token for the document can therefore be generated based on a selectable portion of the asset information 118. By allowing such configuration of the environment-aware security tokens, the technology described in this document can be made scalable, granular, and flexible to suit various types of security needs.
- The server 106 may obtain the asset information 118 by employing one or more techniques. In some implementations, the asset information 118 may be obtained by deploying a network agent configured to gather information on the various assets. For example, the network agent can be deployed by the server 106 as a client application 117 that is installed on the devices associated with the home network. In some implementations, the client application 117 can be pushed out by the server 106 to the devices that authenticate to the home network. In some implementations, the client application 117 can be pre-installed on various devices (e.g., as a part of the corresponding operating system) and authenticates to the home network when the devices attempt to communicate with the home network. In some implementations, the client application 117 itself may include a corresponding environment-aware security token that prevents the application 117 from executing when dissociated from the home network. In some implementations, the network agent can be similar to the agents described in U.S. Pat. Nos. 7,190,478 and 7,872,772, the contents of which are incorporated herein by reference.
- In some implementations, the deployment of the network agent can be configured via a user interface such as the example 200 depicted in FIG. 2A. A user may be able to download and install the network agent on a device using the user interface 200, which in turn may be launched using the client application 117. For example, upon launching the client application 117, the user may be presented with the user interface 200 to authenticate a user profile and/or device to the home network. This can be done, for example, via controls 205 (e.g., fillable text fields, selectable radio buttons, or other controls for entering credentials) provided within the interface 200. Upon successful authentication, the user may be directed to a storage location from which the network agent may be installed on the device. For example, the user may be directed to a storage location that stores an executable file 210 configured to install the network agent on the device. In some implementations, authorized personnel (e.g., a network administrator) may be able to install the network agent on remote devices, for example, via the user interface 200. In some implementations, the network agent can be configured to be deployed on a device automatically, for example, when a device registers with or authenticates to the server 106.
- In some implementations, the network agent can include one or more software package-specific plug-ins or add-ins (also referred to herein as document agents) that are installed on devices associated with the home network. FIG. 2B shows an example user interface 250 where such a document agent is installed into a word processing application (MICROSOFT WORD in this particular example). Such a document agent may allow a user to perform various configurations on a document, for example, to make the document compatible with environment-aware security tokens and/or to specify security parameters of the document. For example, the document agent may allow the user, for example via a second user interface 255, to specify whether a password is required to access the document, or whether one or more actions (e.g., printing, editing, copying etc.) should be restricted. In some implementations, the document agent can also be configured to communicate asset information 118 (i.e., information related to the document) to the server 106. For example, activating the control 260 may initiate a communication between the document agent and the server 106 to provide the corresponding asset information 118 to the server 106 and receive an environment-aware security token 120 generated by the server 106 based on the corresponding asset information 118. In some implementations, the user interface 255 can be configured to allow a user to specify user-defined security parameters such as cipher keys or passwords for a document, such that the document has additional protection, for example, against unauthorized internal access (i.e., access associated with devices or user profiles associated with the home network).
- In some implementations, the document agent can also be configured to integrate the received environment-aware security token 120 into the corresponding document. For example, the document agent can be configured to embed the received environment-aware security token into the page description language (PDL) of a document. In general, a PDL is a language that describes the appearance of a printed page at a higher level than an actual output bitmap. Examples of PDLs include PostScript, Printer Command Language (PCL), Portable Document Format (PDF), and markup languages such as Open XML Paper Specification (XPS) and Hypertext Markup Language (HTML).
- In some implementations, the document agent can be configured to encapsulate the received environment-aware security token with the document to create, for example, an executable file. Such an executable file can be configured such that the execution point is verified to be within the home network (based on the information within the encapsulated environment-aware security token) before access to the encapsulated document is allowed. Upon determining that the executable file is being accessed from a location outside the home network (or from an otherwise unauthorized device or storage location), access to the encapsulated document is prevented. In some implementations (such as for high-security applications), any unauthorized attempt to access the executable file can cause destruction (e.g., by deletion or digital shredding) of the encapsulated document. Other functionalities such as logging unauthorized attempts, triggering one or more alerts, or starting focused investigations may also be initiated through operations of the agent and use of such environment-aware security tokens.
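As an added illustration (not code from the patent), the following Python models the flow described in the lock-down and dissociation paragraphs above together with the encapsulated-executable paragraph just read: the token server binds an asset's identifiers and a policy to a home network definition, and the encapsulated document checks the access environment (device MAC, user profile, storage path) against that definition, consults the token server, shreds its content and records the environment details on dissociation, and denies without shredding an action the policy does not grant to a home-network user. The home network, server key, asset data, environment dictionaries and the in-process stand-in for the token server call are all constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample home network (not from the patent): MAC addresses of its
# authenticated devices, its registered user profiles and its storage roots.
HOME_NETWORK = {
    "network_id": "home-net-7f3a",
    "devices": {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"},
    "user_profiles": {"hr-alice", "hr-bob", "exec-carol"},
    "storage_roots": ("/srv/hr/", "/srv/exec/"),
}
TOKEN_SERVER_KEY = b"constructed-token-server-key"  # held only by the token server


def canonical(obj) -> bytes:
    """Stable serialization so the server's tag covers exactly these fields."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def generate_token(server_key: bytes, asset_info: dict, policy: dict) -> dict:
    """Token server: bind the asset's identifiers to the home network and a policy
    (allowed device subset; which user profiles may perform which action).
    The HMAC tag lets the server later detect a token altered after issuance."""
    body = {"asset_id": asset_info["asset_id"], "asset_class": asset_info["asset_class"],
            "asset_name": asset_info["asset_name"],
            "home_network": HOME_NETWORK["network_id"], "policy": policy}
    body["tag"] = hmac.new(server_key, canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_token(server_key: bytes, token: dict) -> bool:
    """Token server: confirm the token was issued here and is unmodified."""
    body = {k: v for k, v in token.items() if k != "tag"}
    expected = hmac.new(server_key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token.get("tag", ""))


def dissociation_reasons(token: dict, env: dict, token_server) -> list:
    """Every way the observed environment is dissociated from the home network.
    env: device MAC/serial, IP, active user profile, path the asset is read from.
    token_server: the server's verification call, or None if it was unreachable."""
    reasons = []
    if token_server is None:
        reasons.append("token server unreachable")
    elif not token_server(token):
        reasons.append("token server rejected the token")
    if env["mac"] not in HOME_NETWORK["devices"]:
        reasons.append(f"device {env['mac']} not authenticated to home network")
    elif token["policy"]["devices"] and env["mac"] not in token["policy"]["devices"]:
        reasons.append(f"device {env['mac']} not in the asset's allowed device set")
    if env["user_profile"] not in HOME_NETWORK["user_profiles"]:
        reasons.append(f"user profile {env['user_profile']} not part of home network")
    if not env["path"].startswith(HOME_NETWORK["storage_roots"]):
        reasons.append(f"storage location {env['path']} outside home network")
    return reasons


@dataclass
class EncapsulatedDocument:
    """Content bundled with its token, like the self-checking executable above."""
    token: dict
    content: bytearray
    incidents: list = field(default_factory=list)

    def access(self, env: dict, action: str, token_server):
        """Release content only inside the home network and only for a permitted
        action; on dissociation, shred the content and record the environment."""
        reasons = dissociation_reasons(self.token, env, token_server)
        if reasons:
            self.shred()
            self.incidents.append({"kind": "dissociation", "reasons": reasons, "mac": env["mac"],
                                   "ip": env.get("ip"), "serial": env.get("serial")})
            return None
        if env["user_profile"] not in self.token["policy"]["actions"].get(action, ()):
            # Inside the home network but lacking this permission: deny, keep content.
            self.incidents.append({"kind": "denied", "action": action, "user": env["user_profile"]})
            return None
        return bytes(self.content)

    def shred(self) -> None:
        """Digitally shred the encapsulated content: overwrite it, then drop it."""
        self.content[:] = bytes(len(self.content))
        del self.content[:]


def build_sample():
    """Constructed scenario: HR document viewable by HR staff on two HR laptops, editable by hr-alice."""
    asset_info = {"asset_id": "21EC2020-3AEA-4069-A2DD-08002B30309D",
                  "asset_class": "document", "asset_name": "salary-review.docx"}
    policy = {"devices": ["00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"],
              "actions": {"view": ["hr-alice", "hr-bob"], "edit": ["hr-alice"]}}
    token = generate_token(TOKEN_SERVER_KEY, asset_info, policy)
    doc = EncapsulatedDocument(token, bytearray(b"CONFIDENTIAL salary data"))
    return doc, (lambda t: verify_token(TOKEN_SERVER_KEY, t))
```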
- Referring again to FIG. 1, in some implementations, the network agent is configured to scan for assets residing on devices and/or storage locations and provide the obtained asset information 118 to the server 106. In some implementations, the network agent executes from the server 106 (or another device associated with the home network) and polls other devices and storage locations of the home network to obtain the asset information 118. The obtained asset information can be associated with (i.e., linked to) a corresponding security token, and the association or link information can be stored in a database.
- In some implementations, the obtained asset information is linked to a corresponding asset using identifiers assigned to the assets. Examples of such identifiers can include globally unique identifiers (GUIDs), universally unique identifiers (UUIDs), etc. Such identifiers may enable unique identification of the various assets within the system 100. For example, one or more documents, files, devices, and storage locations within the system 100 may be uniquely identified using such identifiers. Because the identifiers have a finite size, in some cases two different assets may share the same identifier. However, the identifier size and generation process may be selected so as to reduce the probability of such an occurrence. In some implementations, 128-bit values (e.g., displayed as 32 hexadecimal digits such as 21EC2020-3AEA-4069-A2DD-08002B30309D) can be used as the identifiers assigned to the various assets. The identifiers can be generated, for example, via deterministic, random or pseudo-random processes. Alternatively, identifiers already associated with the assets (e.g., identifiers issued by the manufacturer, the home network, or users/administrators of the home network) can also be used.
- In some implementations, the network agent includes an automated browser (also referred to as a robotic browser) that obtains the asset information 118 from some or all of the various devices and other assets associated with the home network. Such an automated browser can be used, for example, to collect information about devices on the network, such as identifiers (GUID, UUID, etc.) associated with computing devices, printers, and/or storage devices connected to the network. Such an automated browser can also be used, for example, to scan storage locations on various devices to identify asset information such as file attributes of files associated with operating systems of devices connected to the home network and/or operating systems of devices connected to the home network via a remote login process (e.g., via a virtual private network (VPN)). In some implementations, the automated browser can be configured to attach identifiers such as GUIDs and UUIDs to the obtained asset information. In some implementations, such an automated browser (which may or may not be the same browser used for collecting information about the devices on the network) can also be used to embed, attach, encapsulate, or otherwise associate an environment-aware security token with a corresponding document or other asset. For example, the automated browser can be configured to include an environment-aware security token in the header portion of a document via a process such as code injection (implemented, for example, using a programming language such as JAVA). This can be done, for example, by providing the automated browser appropriate permissions to modify document attributes. Such permissions can be configured or modified based on the security context and group policies associated with the home network.
- The server 106 can be configured to generate corresponding environment-aware security tokens 120 for one or more assets associated with the home network, based on at least a portion of the received asset information 118. The generated environment-aware security token 120 can be configured to control how and/or by whom the corresponding asset may be accessed. Once an environment-aware security token 120 is generated and linked to a particular asset, the asset may be used only in accordance with the security policies encoded within the environment-aware security token 120. For example, the environment-aware security token 120 for a document can be configured to include an identification of the home network such that the document can be accessed only from devices connected to the home network. In some implementations, the environment-aware security token 120 for a document or file can be configured such that the document is accessible only on a selected set of devices (identified, for example, using serial numbers or MAC addresses) and/or using a user profile from an approved set. For example, in a corporate setting, the environment-aware security token 120 for a particular document can be configured such that the document is accessible only by management personnel (identified, for example, by user profiles) and/or on devices (e.g., laptops) associated with the personnel.
- The environment-aware security tokens 120 can also be used for increasing security and/or controlling accessibility of hardware devices. For example, an environment-aware security token 120 for a hardware device (e.g., a printer, scanner, copier, fax machine, or multi-function device (MFD)) can be configured such that the hardware device would not function outside the home network. This can be useful, for example, in increasing device security in a corporate setting and/or in preventing usage of corporate resources for personal use.
- The process of generating the environment-aware security tokens 120 can be made scalable, granular, and customizable to provide flexible security solutions. For example, the environment-aware security tokens 120 can be configured to control a level of access for various assets. For example, the environment-aware security token 120 of a particular document can be configured such that only a select group of people (as identified by corresponding user profiles) is able to change the content of the document, but a larger group of people associated with the home network (e.g., all employees of a company) is able to view the document without being able to make any changes.
- In some implementations, the environment-aware security token 120 for an asset can be configured such that the asset may be viewed or accessed from outside the home network, but no changes or edits to the asset may be made. This can be useful, for example, in a social network, where a user registers a plurality of devices (e.g., home computer, office computer, and personal mobile devices) that the user plans to use in accessing the social network account. Environment-aware security tokens 120 can then be generated for each device (for example, by the social network service provider) and associated with the corresponding user profile. In such a case, the user is able to update the corresponding social networking account (e.g., in the form of posts, images, videos etc.) only from the devices that are associated with the user profile. This way, even if the security of the account is compromised (e.g., via a phishing attack that obtains the username-password pair for the user account), a malicious entity (e.g., a hacker) in possession of the account credentials would still not be able to make changes to the user account from devices that do not have the environment-aware security tokens 120 associated with the corresponding user profile. For example, the malicious entity would not be able to post potentially embarrassing or harmful content to the user's account in spite of obtaining the credentials needed to log into the user's account. Security of other web-based accounts such as e-mail accounts, online banking accounts, trading accounts, and e-commerce accounts can therefore be increased by using environment-aware security tokens 120 to associate a predetermined set of physical devices with the corresponding accounts. In some implementations, environment-aware security tokens can be generated for a particular user of a social networking service for the network resources or assets associated with the corresponding user profile.
Examples of such network resources and assets can include, for example, network segments, storage locations, and files associated with the user profile within the social network service infrastructure. In such cases, even if the security of the social network service is compromised, the user files stored within the infrastructure are protected by the additional security of the corresponding environment-aware security tokens. In some implementations, such additional security can be provided by the social network service, for example, in exchange for a fee.
- In some implementations, the home network associated with a given environment-aware security token can be configured by a user. For example, an environment-aware security token 120 associated with a credit card 108 can be configured to block one or more types of transactions using the card. For example, the environment-aware security token 120 corresponding to the card can be configured such that certain types of products or commodities may not be bought using the card, and/or the card may not be used at a predefined set of vendors. This can be useful, for example, in implementing parental control on add-on cards given to young adults. For example, the environment-aware security token 120 for an add-on card can be configured such that the corresponding home network includes only on-campus shops and vendors in a school. In such a case, the environment-aware security token 120 of the add-on card prevents usage of the card to buy merchandise from shops or vendors outside the campus. In some implementations, an environment-aware security token can also be associated with virtual instances of the credit card 108, for example, credit cards represented by online accounts or smartphone applications.
- In some implementations, the server 106 can be configured to generate the environment-aware security tokens 120 as language-agnostic objects that can be developed using various programming languages capable of accessing and processing binary data types such as the ones associated with the asset information 118. For example, the environment-aware security tokens 120 can be implemented as objects generated using the Component Object Model (COM) standard, which is a binary-interface standard for software components developed by MICROSOFT. The standard can be used, for example, to enable inter-process communication and dynamic object creation in a large range of programming languages. In some implementations, language-agnostic objects such as COM objects allow reuse of objects with no knowledge of the corresponding internal implementation. For example, the objects may be implemented using interfaces that are agnostic to the implementation details. Different allocation semantics of various programming languages can be accommodated, for example, by making objects responsible for their own creation and destruction through processes such as reference counting. Reference counting can be used, for example, as a technique of storing the number of references, pointers, or handles to a resource such as an object, block of memory, disk space or other resource. Casting between different interfaces of an object can be achieved, for example, using query processes such as QueryInterface.
- In some implementations, the
server 106 is configured to generate the environment-aware security tokens 120 for corresponding assets as objects (e.g, COM objects) using at least portion of the receivedasset information 118. For example, an object corresponding to an environment-aware security token can include data fields corresponding to the portions of the asset information used in generating the environment-aware security token, and procedures associated with intended functionalities of the environment-aware security token. - In an object-oriented programming paradigm, the procedures associated with the functionalities may be referred to as methods. In some implementations, the methods associated with an object corresponding to an environment-aware security token can be related to, for example, one or more of the following functionalities: i) detecting environmental parameters for an asset associated with the environment-aware security token, ii) authenticating the asset with a token server (e.g., server 106), iii) allowing access to the asset upon authentication, iv) preventing access to the asset upon detecting a dissociation from the home network, and/or v) tracking various activities related to accessing the asset.
- The environment-aware security token 120 embedded or otherwise integrated with an asset can be configured to detect environmental parameters associated with the asset. For example, if the environment-aware security token 120 is embedded into document metadata, the associated object (e.g., COM object or other security object) can be configured to detect a serial number of the device that the document is being accessed from or stored on. The environment-aware security token 120 can be configured to detect one or more other environmental parameters such as user-profile information, security policies associated with the document, a type of access being attempted on the document, etc.
- The environment-aware security token 120 of an asset can also be configured to attempt an authentication of the asset (or the attempted use of the asset) using the detected environmental parameters. For example, the environment-aware security token 120 can be configured to communicate the detected environmental parameters to the server 106 to receive an indication of whether access to the asset can be allowed. Alternatively, the environment-aware security token may also perform at least a portion of the authentication locally, for example, based on an identification of the home network encoded within the environment-aware security token 120. If a connection to the server 106 cannot be established (for example, due to loss of Internet connectivity), a message may be displayed notifying the user that the asset cannot be accessed immediately. In some implementations, the authentication can be triggered when an attempt to access the corresponding asset is made (e.g., when a user attempts to open a document). The environment-aware security token 120 can also be configured to be synchronized with the server 106 periodically, for example, after predetermined time intervals or when any changes to the corresponding asset are detected.
- In some implementations, upon determining that an access to the corresponding asset may be allowed, the environment-aware security token 120 can allow access to the corresponding asset. For example, upon determining that an authorized user is attempting to open a document (as indicated, for example, by authentication information received from the server 106), the environment-aware security token 120 can allow the user to access the document. The access may be allowed based on additional security policies associated with the document. For example, the environment-aware security token 120 may allow read-only access to a document based on determining that the user attempting to access the document is not authorized to edit the document.
- On the other hand, if the environment-aware security token 120 determines that an access to the asset is unauthorized, the access may be prevented. For example, if the environment-aware security token 120 determines that a corresponding document is residing on a device that is not authenticated to the home network, access to the content of the document may be denied. In high security scenarios (e.g., for confidential or sensitive military or healthcare related documents), the environment-aware security token 120 can be configured to destroy, delete or digitally shred the corresponding document upon detecting unauthorized access attempts. This can be done, for example, to prevent any additional attempts to breach the security provided by the environment-aware security token 120. Such procedures can of course be implemented selectively, for example, pursuant to guidelines that prevent deletion or destruction of original documents, files or other assets due to accidental access attempts. In addition, the technology described in this document can be used in conjunction with data back-up and secondary storage techniques to prevent accidental permanent deletion of data.
- In some implementations, the environment-aware security tokens 120 can also be used for tracking usage of the corresponding assets. For example, the environment-aware security token 120 associated with a document can be configured to log access information (e.g., creation credentials, time and nature of access attempts, location of access attempts, device ids, etc.) for the corresponding asset. The access information can be stored, for example, on a local storage device within an encrypted file system. The stored access information can then be synchronized with information stored at the server 106 during subsequent communications between the environment-aware security token 120 and the server 106. In some implementations, a separate agent such as a virtual private network (VPN) agent can be used to communicate the access information to the server 106. Such an agent may itself be associated with a corresponding environment-aware security token 120, and may use database management systems such as MySQL, ORACLE, or MICROSOFT SQL to manage communications with the server 106. In some implementations, the access information may also be used to update the environment-aware security token 120 associated with the document. The environment-aware security tokens 120 can therefore be used to generate and maintain an audit trail of asset usage, thereby further increasing security and accountability of asset usage.
- In some implementations, the asset usage log stored in the token database can be processed, for example, by an artificial intelligence system to learn trends associated with various assets such as devices, user profiles, and applications. Various types of machine-learning techniques may be used by such an artificial intelligence system. For example, various supervised, unsupervised, or semi-supervised machine learning techniques can be used in identifying, classifying, or otherwise learning trends and/or behaviors associated with the various assets. One or more tools can be used in implementing such machine-learning techniques. Examples of such tools include decision trees, artificial neural networks, support vector machines, Bayesian statistics, classifiers, Markov models, and conditional random fields.
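The token object described in the preceding paragraphs, with data fields drawn from the asset information and methods for functionalities i) through v), can be sketched in Python as follows. This is an added example and not code from the patent or from any implementer: the home network data, the decision strings, the optional token-server callback and the "editors only" policy are constructed assumptions, and the environmental parameters are passed in by the caller rather than read from the device.

```python
"""Added example: an environment-aware security token modelled as a plain Python
object with the data fields and methods i)-v) from the text. Names, the home
network data and the decision values are constructed for this example; this is
not the patent's or any vendor's code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Constructed sample of the asset information the token was built from.
HOME_NETWORK = {
    "network_id": "corp-lan-01",                          # hypothetical home network id
    "device_serials": {"SN-LAPTOP-0001", "SN-DESK-0007"},
    "user_profiles": {"alice", "bob"},
    "editors": {"alice"},                                 # policy: only alice may edit
}


@dataclass
class EnvironmentParams:
    device_serial: str
    network_id: str
    user_profile: str
    access_type: str      # "read" or "edit"


# Optional token-server callback: True/False, or None when the server is unreachable.
ServerCheck = Callable[[str, EnvironmentParams], Optional[bool]]


@dataclass
class AccessRecord:
    when: str
    device_serial: str
    user_profile: str
    access_type: str
    decision: str


@dataclass
class EnvironmentAwareToken:
    asset_id: str                        # GUID/UUID of the protected asset
    home_network: dict                   # home network encoded in the token
    high_security: bool = False          # shred content on unauthorized access
    content: Optional[bytes] = b"constructed document body"
    access_log: list = field(default_factory=list)

    # i) detect environmental parameters (supplied by the caller in this example)
    def detect_environment(self, env: EnvironmentParams) -> EnvironmentParams:
        return env

    # ii) authenticate: local check against the encoded home network, optionally
    # confirmed by the token server; None means the server could not be reached
    def authenticate(self, env: EnvironmentParams,
                     server: Optional[ServerCheck] = None) -> Optional[bool]:
        local_ok = (env.network_id == self.home_network["network_id"]
                    and env.device_serial in self.home_network["device_serials"]
                    and env.user_profile in self.home_network["user_profiles"])
        if server is None:
            return local_ok
        verdict = server(self.asset_id, env)
        return None if verdict is None else (local_ok and verdict)

    def request_access(self, env: EnvironmentParams,
                       server: Optional[ServerCheck] = None) -> str:
        """Returns "edit", "read", "denied", "shredded" or "unavailable"."""
        env = self.detect_environment(env)
        auth = self.authenticate(env, server)
        if auth is None:
            decision = "unavailable"        # asset cannot be accessed right now
        elif auth:
            decision = self._allow(env)     # iii)
        else:
            decision = self._prevent()      # iv)
        self._track(env, decision)          # v)
        return decision

    def _allow(self, env: EnvironmentParams) -> str:
        # additional policy: editing only for profiles listed as editors
        if env.access_type == "edit" and env.user_profile in self.home_network["editors"]:
            return "edit"
        return "read"

    def _prevent(self) -> str:
        if self.high_security and self.content is not None:
            self.content = None             # digital shred of the local copy
            return "shredded"
        return "denied"

    def _track(self, env: EnvironmentParams, decision: str) -> None:
        self.access_log.append(AccessRecord(
            datetime.now(timezone.utc).isoformat(), env.device_serial,
            env.user_profile, env.access_type, decision))
```

A caller constructs `EnvironmentAwareToken("asset-1", HOME_NETWORK)` and invokes `request_access` with the detected parameters; every call, including the "unavailable" case, leaves an `AccessRecord` behind, which is the audit trail the later paragraphs synchronize with the server.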
- Information obtained by using the machine-learning techniques on the asset usage logs can then be used in increasing security of the assets. For example, if a malicious entity (e.g., a hacker or malicious software) tries to access an asset such as a document, an agent can be configured to detect fraudulent behavior based on detecting a deviation from “normal” behavior as learned from the asset usage logs. For example, if the log corresponding to a user profile shows that the user typically logs in within the first one or two attempts, an occurrence of repeated failed log-in attempts may be flagged as a potential security breach. In such cases, the agent can be configured to capture identification of the accessing device (e.g., IP and/or MAC address of the device). If the agent detects malicious software (e.g., a virus, trojan, or payload software), the agent can be configured to detect the IP and/or MAC address of the server the software communicates with (or reports to). From the identification of the accessing device, additional information such as geographical location, manufacturer, or serial number may also be determined. Such information can be used for taking appropriate action against the security breaches, possibly with the help of law enforcement agencies.
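As an added example (not the patent's own code), the deviation-from-normal check described above applied to constructed access-log lines: a per-user baseline of failed attempts before a successful log-in is learned from historical lines, a run of failures well above that baseline is flagged, and the device serial, IP and MAC of the flagged attempt are captured for follow-up. The log format, the sample values and the `margin` threshold are assumptions made for this example.

```python
"""Added example: learning a per-user login baseline from constructed access-log
lines and flagging runs of repeated failed log-ins, capturing the device
identification (serial, IP, MAC) of the flagged attempt. Log format, values and
threshold are constructed for this example; not the patent's own code."""
import re
from collections import defaultdict
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"ip=(?P<ip>\S+) mac=(?P<mac>\S+) result=(?P<result>OK|FAIL)$")

# Constructed history used to learn what "normal" looks like for each user.
BASELINE_LOG = """\
2024-05-01T08:01:12Z user=alice device=SN-LAPTOP-0001 ip=10.0.0.5 mac=00:11:22:33:44:01 result=OK
2024-05-02T08:03:40Z user=alice device=SN-LAPTOP-0001 ip=10.0.0.5 mac=00:11:22:33:44:01 result=FAIL
2024-05-02T08:03:55Z user=alice device=SN-LAPTOP-0001 ip=10.0.0.5 mac=00:11:22:33:44:01 result=OK
2024-05-03T08:00:02Z user=alice device=SN-LAPTOP-0001 ip=10.0.0.5 mac=00:11:22:33:44:01 result=OK
2024-05-01T09:10:00Z user=bob device=SN-DESK-0007 ip=10.0.0.9 mac=00:11:22:33:44:07 result=FAIL
2024-05-01T09:10:20Z user=bob device=SN-DESK-0007 ip=10.0.0.9 mac=00:11:22:33:44:07 result=FAIL
2024-05-01T09:10:41Z user=bob device=SN-DESK-0007 ip=10.0.0.9 mac=00:11:22:33:44:07 result=OK
2024-05-02T09:05:00Z user=bob device=SN-DESK-0007 ip=10.0.0.9 mac=00:11:22:33:44:07 result=OK
"""

# Constructed new activity to be checked against the learned baseline.
NEW_LOG = """\
2024-05-04T02:14:01Z user=alice device=SN-UNKNOWN ip=203.0.113.9 mac=de:ad:be:ef:00:01 result=FAIL
2024-05-04T02:14:09Z user=alice device=SN-UNKNOWN ip=203.0.113.9 mac=de:ad:be:ef:00:01 result=FAIL
2024-05-04T02:14:15Z user=alice device=SN-UNKNOWN ip=203.0.113.9 mac=de:ad:be:ef:00:01 result=FAIL
2024-05-04T02:14:22Z user=alice device=SN-UNKNOWN ip=203.0.113.9 mac=de:ad:be:ef:00:01 result=FAIL
2024-05-04T09:00:00Z user=bob device=SN-DESK-0007 ip=10.0.0.9 mac=00:11:22:33:44:07 result=FAIL
2024-05-04T09:00:10Z user=bob device=SN-DESK-0007 ip=10.0.0.9 mac=00:11:22:33:44:07 result=FAIL
2024-05-04T09:00:20Z user=bob device=SN-DESK-0007 ip=10.0.0.9 mac=00:11:22:33:44:07 result=FAIL
2024-05-04T09:00:31Z user=bob device=SN-DESK-0007 ip=10.0.0.9 mac=00:11:22:33:44:07 result=OK
"""


def parse_log(text):
    """Parse log lines in the constructed format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def login_runs(events):
    """Group each user's events into login runs: the consecutive FAIL attempts
    preceding an OK (or the still-open run at the end of the log). Each run keeps
    its failure count and the last attempt, whose device/IP/MAC identify the
    accessing device."""
    runs, open_runs = defaultdict(list), {}
    for ev in events:
        run = open_runs.setdefault(ev["user"], {"failures": 0, "last": ev, "completed": False})
        run["last"] = ev
        if ev["result"] == "FAIL":
            run["failures"] += 1
        else:
            run["completed"] = True
            runs[ev["user"]].append(open_runs.pop(ev["user"]))
    for user, run in open_runs.items():      # runs with no successful log-in yet
        runs[user].append(run)
    return runs


def learn_baseline(events):
    """Typical number of failed attempts before a successful log-in, per user."""
    return {user: median(r["failures"] for r in rs)
            for user, rs in login_runs(events).items()}


def detect_anomalies(events, baseline, margin=2):
    """Flag any run whose failures exceed the user's typical count by more than
    `margin` (constructed threshold) and capture the accessing device's ids."""
    alerts = []
    for user, rs in login_runs(events).items():
        typical = baseline.get(user, 0)
        for run in rs:
            if run["failures"] > typical + margin:
                last = run["last"]
                alerts.append({"user": user, "failures": run["failures"],
                               "device": last["device"], "ip": last["ip"],
                               "mac": last["mac"], "at": last["ts"]})
    return alerts
```

With the constructed data, alice's four consecutive failures from an unregistered device are flagged, while bob's three failures are not, because bob's history already shows he typically needs a retry: the baseline is learned per profile rather than applied as one global limit.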
- In some implementations, the environment-aware security tokens 120 generated by the server 106 are stored within a token database 122 accessible to the server 106. The token database 122 may be stored in a storage device within the server 106 or at a remote storage location or the remote server 125 accessible to the server 106. The token database 122 can be used to store information about the environment-aware security tokens 120 generated at the server 106. For example, the token database 122 may store information linking the environment-aware security tokens 120 to the corresponding asset identifiers such as the GUIDs or UUIDs. The information linking the environment-aware security tokens 120 to the corresponding identifiers can be used, for example, to identify home networks associated with the corresponding assets, and/or to authenticate access attempts on the various assets. For example, if a user attempts to access a document from a particular device, the server 106 may authenticate the access attempt based on information linking a corresponding environment-aware security token 120 to the identifier associated with the document. In some implementations, the token database 122 also stores access information associated with the corresponding assets. For example, if an asset (such as a document) is updated, modified, created, deleted, or otherwise acted on, such access information can be stored in the token database linked, for example, to the corresponding asset identifiers.
- In some implementations, the server 106 may also be implemented using a distributed computing environment such as a cloud based system. In such cases, the server 106 may be implemented on a pool 105 of multiple virtual machines 107. A virtual machine 107 can be a set of computing resources (processors, memory, software etc.) that can be used for executing computing tasks. The computing resources can be provided by one or more independent providers (e.g., providers of cloud computing or other distributed computing services). The security of the virtual machines 107 used to implement the server 106, or portions thereof, can be increased, for example, by associating the virtual machines 107 with corresponding environment-aware security tokens 120.
- FIG. 3 shows a flowchart 300 depicting an example sequence of operations for providing environment-aware security tokens for various assets. In some implementations, at least a portion of the operations of the flowchart 300 can be executed, for example, at the server 106 described above with reference to FIG. 1. The operations include receiving information about one or more assets (302). The various assets may be identified, for example, by a corresponding identifier such as a GUID or UUID. The assets can include, for example, one or more of: a device connected to the home network, a file stored on a storage device connected to the home network, a user-profile associated with the home network, or any other asset as described above with reference to FIG. 1. The information can include any of the asset information 118 described above. For example, the information can include one or more of a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network. In some implementations, the information about the one or more assets may be received from an agent deployed on the home network and configured to scan the assets associated with the home network. For example, when a device authenticates to the home network, the agent may be installed on the device to obtain information related to one or more assets associated with the device.
- Operations can include generating a security token for an asset based on the received information (304), wherein the security token is configured to identify the home network and restrict access to the corresponding asset upon determining a dissociation of the asset from the home network. The security token can be generated as a language agnostic object (e.g., a COM object), and can be embedded, attached, encapsulated, or otherwise associated with the corresponding asset such that the security token deletes, digitally destroys, or otherwise prevents access to the asset if the asset is dissociated from the home network. In some implementations, the security token can be generated in accordance with one or more security policies associated with the corresponding asset. The security token can be substantially similar to the environment-aware security tokens described above.
- The dissociation of an asset from the home network can be determined in various ways. For example, determining the dissociation of the corresponding asset from the home network can include determining that the corresponding asset is not connected to the home network, or is not stored on a device connected or registered to the home network. In some implementations, determining the dissociation of the corresponding asset from the network can include detecting an access attempt from a user-profile that is not associated with the home network. In some implementations, determining the dissociation can include determining a deviation from security policies associated with the corresponding asset.
- Operations also include storing information about the security token and information linking the security token to the corresponding identifier (306). The information can be stored, for example, in a database such as the token database 122 described with reference to FIG. 1. In some implementations, the information stored in the database may be updated based on, for example, how the various assets are accessed, used, or updated. For example, the information stored in the database can include logs representing how, where and by whom a particular asset is accessed.
- Operations can also include initiating integration of the security token into the corresponding asset (308). In some implementations, initiating the integration can include providing the security token to an agent that performs the integration. For example, the security token for a document can be provided to an agent that is configured to inject code corresponding to the security token in a portion of the document. In some implementations, the code injection can be performed, for example, by an automated browser such as the robotic browser described above. The code or object (e.g., a COM object) corresponding to the security token for a document or file can be injected within the metadata for the document/file, for example, into a header. In some implementations, the code or object corresponding to the security token for a document can also be embedded within a PDL of the document. In some implementations, the security token can be encapsulated together with the corresponding document or file into a separate file. For example, an agent or application can be configured to generate an application or executable file that encapsulates a security token (e.g., a COM object) with the corresponding document or file. The application, executable file, or a file including the security object can be stored, for example, as an encrypted document at a storage location. In some implementations, information about the storage location of the encrypted document can be stored in the token database 122. In some implementations, a distributed storage location (e.g., a cloud based storage location) can be used for storing the encrypted documents. The storage location can be defined to be a part of the home network for the corresponding asset. In addition, by also threading or otherwise associating a predefined set of user profiles and/or device profiles to the home network, access to the asset can be restricted to be from within the home network defined for the asset.
- During runtime, access to an asset can be controlled based on information received from the corresponding security token associated with the asset. For example, a security token can provide information on environment parameters associated with an attempt to access an asset. The environment parameters can include, for example, information on the access point, user profile, or security parameters associated with the asset. The received information may be compared to the stored information to determine whether the access attempt is considered to be from within a home network associated with the asset. Upon determining that the access attempt is indeed from within the home network and/or satisfies security policies associated with the corresponding asset, the access attempt may be authorized. This can be done, for example, by providing permission information that signals the security token to allow access to the asset.
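The sequence of FIG. 3, steps (302) through (308) together with the runtime comparison against stored information, as an added example in Python that is not part of the patent or of any product. The token is modelled as an HMAC-SHA256 protected record so that a copy whose home network data has been altered is rejected before its contents are consulted; the server key, the asset information, the policy name `allowed_access` and the wording of the dissociation reasons are constructed for this example, and the dissociation tests follow the cases listed above (not on the home network, unregistered device, unassociated user profile, policy deviation).

```python
"""Added example: the server-side sequence of FIG. 3 (302-308) plus the runtime
check, with the token carried as an HMAC-protected record linked to the asset's
UUID in a token database. Keys, asset information, policy names and the
dissociation reasons are constructed for this example; this is not the
patent's or any vendor's implementation."""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

SERVER_KEY = b"constructed-demo-key-do-not-reuse"   # hypothetical token-server secret


@dataclass
class TokenServer:
    key: bytes
    token_db: dict = field(default_factory=dict)     # asset_id -> {"token", "log"}

    # (302) receive information about an asset, e.g. from an agent on the home network
    def receive_asset_info(self, info: dict) -> dict:
        required = {"asset_id", "network_id", "device_serial", "user_profile"}
        missing = required - info.keys()
        if missing:
            raise ValueError(f"incomplete asset information: {sorted(missing)}")
        return info

    # (304) generate a token that identifies the home network for the asset
    def generate_token(self, info: dict) -> dict:
        payload = {
            "asset_id": info["asset_id"],
            "home_network": {
                "network_id": info["network_id"],
                "devices": sorted(info.get("registered_devices", [info["device_serial"]])),
                "users": sorted(info.get("registered_users", [info["user_profile"]])),
                "policies": info.get("policies", {"allowed_access": ["read", "edit"]}),
            },
        }
        return {"payload": payload, "tag": self._tag(payload)}

    # (306) store the token and link it to the asset identifier
    def store_token(self, token: dict) -> None:
        self.token_db[token["payload"]["asset_id"]] = {"token": copy.deepcopy(token), "log": []}

    # (308) integrate the token into the asset, here into a metadata header
    @staticmethod
    def integrate(asset: dict, token: dict) -> dict:
        asset.setdefault("metadata", {})["security_token"] = copy.deepcopy(token)
        return asset

    def _tag(self, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def token_intact(self, token: dict) -> bool:
        return hmac.compare_digest(token.get("tag", ""), self._tag(token["payload"]))

    @staticmethod
    def dissociation_reason(home: dict, env: dict) -> Optional[str]:
        """Dissociation tests from the text; None means the attempt is inside the home network."""
        if env.get("network_id") != home["network_id"]:
            return "asset not connected to the home network"
        if env.get("device_serial") not in home["devices"]:
            return "device not registered to the home network"
        if env.get("user_profile") not in home["users"]:
            return "user profile not associated with the home network"
        if env.get("access_type") not in home["policies"]["allowed_access"]:
            return "deviation from the asset's security policy"
        return None

    # runtime: decide on an access attempt from the environment parameters the token reports
    def authorize(self, asset: dict, env: dict) -> dict:
        token = asset.get("metadata", {}).get("security_token")
        if token is None or not self.token_intact(token):
            return {"decision": "denied", "reason": "missing or tampered security token"}
        record = self.token_db.get(token["payload"]["asset_id"])
        if record is None:
            return {"decision": "denied", "reason": "token not known to the token database"}
        reason = self.dissociation_reason(record["token"]["payload"]["home_network"], env)
        result = {"decision": "allowed" if reason is None else "denied", "reason": reason}
        record["log"].append({"env": dict(env), **result})   # audit trail per asset
        return result


def provision_example_asset(server: TokenServer) -> dict:
    """Walk a constructed asset through 302-308 and return the protected asset."""
    info = server.receive_asset_info({
        "asset_id": "3f2c9c5e-0000-4000-8000-000000000001",   # constructed UUID
        "network_id": "corp-lan-01",
        "device_serial": "SN-LAPTOP-0001",
        "user_profile": "alice",
        "registered_devices": ["SN-LAPTOP-0001", "SN-DESK-0007"],
        "registered_users": ["alice", "bob"],
        "policies": {"allowed_access": ["read"]},           # read-only policy
    })
    token = server.generate_token(info)
    server.store_token(token)
    return server.integrate({"name": "design.docx", "body": b"constructed document body"}, token)
```

The decision is taken from the copy held in the token database, not from the copy embedded in the asset: the embedded copy only has to carry the asset identifier and pass the integrity check, so editing it cannot widen the home network.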
- In some implementations, an asset such as a document embedded with an environment-aware security token can be stored as an encrypted document within a secure storage location within the home network defined for the asset. The encryption used in storing the asset within the secure storage location can be based on, for example, a security key specific to a particular user. This can be used, for example, to store a user's documents within a storage system associated with a multi-user system such as a social network service or e-mail service. Access to the asset can be controlled, for example, based on detecting that the asset is stored at a storage location that is associated with the corresponding home network. In some implementations, additional layers of security can be provided, for example, by checking whether the user profile and/or device profile associated with the access request is authenticated to the home network. In some implementations, access to the home network can be provided, for example, via a hyperlink (e.g., such as one embedded in an email) that is associated with an environment-aware security token. A user or device that is not otherwise associated with the home network may be able to access an asset within the home network using such a hyperlink. In some implementations, a user may be authenticated to the home network via an authentication request (e.g., a request for biometric authentication) that is associated with an environment-aware security token.
- The security technology described in this document can be used both independently and in conjunction with other security systems and architectures. For example, the environment-aware security tokens described above can be used in conjunction with security and cryptography techniques such as biometric identification, symmetric keys, asymmetric keys, symmetric ciphers, transport layer security, and encryption techniques. For example, security for an online account that uses secure sockets layer (SSL) can be increased by associating the account with a corresponding environment-aware security token to restrict editing capabilities to a user-selected set of devices. In some implementations, files (e.g., system files, data files, documents, voice files, image files, video files, or web files) stored on the home network can be stored with additional cryptography built into the security tokens utilizing, for example, a symmetric key unique to a particular authorized user.
- In some implementations (e.g., in high security scenarios), the environment-aware security tokens can be used in multiple layers to enhance security. For example, a file encrypted with an embedded COM object can be further encapsulated with another COM object to generate a file with double layer security. By configuring the security policies of the two COM objects differently, the security of the underlying file or document can be increased manifold. For example, the security policies can be configured such that the higher and lower layer files may be opened using two separate user profiles, thereby requiring not one, but two separate personnel to be involved in accessing the file. The encapsulation can be scalable allowing additional security to be incorporated as needed, for example, via increased layers of encapsulations.
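The two-layer encapsulation with differently configured policies, as an added example rather than the patent's own mechanism: the inner layer is sealed under one user profile's key and the outer layer under a second profile's key, so neither person alone can open the document, and further layers can be stacked by calling `seal` again. The profile key derivation (PBKDF2) and the encrypt-then-MAC stream construction built from HMAC-SHA256 are constructed stand-ins chosen so the example runs on the Python standard library; they are not the COM objects or ciphers the text refers to.

```python
"""Added example: two-layer encapsulation where the outer layer opens only with
one user profile's key and the inner layer only with a second profile's key,
so two separate people are needed to reach the document. Profile secrets and
the HMAC-SHA256 based stream cipher with encrypt-then-MAC are constructed
stand-ins for the unspecified COM objects and cryptography; this is not the
patent's or any vendor's code."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def profile_key(profile: str, secret: bytes) -> bytes:
    """Derive a per-user-profile key (constructed: PBKDF2 over a profile-specific salt)."""
    return hashlib.pbkdf2_hmac("sha256", secret, b"eas-token:" + profile.encode(), 100_000)


def _subkeys(key: bytes):
    """Separate encryption and authentication keys derived from the profile key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream of n bytes from HMAC-SHA256 (constructed cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """One encapsulation layer: nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Open one layer; raises PermissionError if the key is wrong or the blob was altered."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if len(blob) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(tag, expected):
        raise PermissionError("layer cannot be opened with this profile")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def encapsulate_two_layer(document: bytes, inner_profile_key: bytes,
                          outer_profile_key: bytes) -> bytes:
    """Inner layer under the first profile's key, outer layer under the second's."""
    return seal(outer_profile_key, seal(inner_profile_key, document))


def open_two_layer(blob: bytes, outer_profile_key: bytes, inner_profile_key: bytes) -> bytes:
    """Both profiles must supply their keys, outer first, to recover the document."""
    return unseal(inner_profile_key, unseal(outer_profile_key, blob))
```

Because each layer is authenticated before it is decrypted, a wrong key for either profile, or a modified byte anywhere in the blob, stops at the first failing layer without revealing anything about the layer beneath it.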
- The technology described in this document can be used in various applications, types of applications or combinations of applications. In some implementations, the environment-aware security tokens can also be used in identity verification services such as eAuthentication. Such identity verification services can be provided, for example, by a remote server to other distributed servers that are possibly distributed on the Internet or an intranet. Similar to credit card verification services that are provided by third parties to eCommerce web sites, identity verification services can verify identity of users to entities such as web sites or intranet servers. Various networking protocols and application programming interfaces may be used by such identity verification services. Examples of such networking protocols include the Remote Authentication Dial In User Service (RADIUS), which is a networking protocol for providing centralized Authentication, Authorization, and Accounting (AAA) management for users that connect and use a network service. In some implementations, the technology described herein can be used either in conjunction with or in lieu of such identity verification services to provide secure network-based services. For example, environment-aware security tokens can be used to secure files associated with network-based transactions such that the files are locked down to the physical attributes of the corresponding data center or server. Therefore, even if a malicious entity (e.g., a hacker) obtains the transaction files (for example, via hacking the point of sale corresponding to the transactions), the malicious entity could be prevented from opening the file to access the sensitive data included in the files. In another example, credit card data can be protected using embedded environmental security tokens on the card such that the corresponding user profile can be accessed only from the home network, data center, or cloud service registered with the card. The home network information in turn can be stored in a file protected by another environment-aware security token, to prevent the home network information from being compromised.
- The environment-aware security tokens can also be used in securing mobile devices such as phones, tablets or e-readers. For example, a phone or other mobile device can be associated with an environment-aware security token. The environment-aware security token can be configured such that in the event of theft, biometric login or text login capabilities are suspended on detecting no activity (or suspicious activity such as multiple log-in attempts) for a predetermined period of time. Because any harmful activities, such as ones involving downloading files, copying files or deleting files, require login authentication with the home network, the owners may get additional time to shut down the phone or mobile device to prevent theft of data.
- FIG. 4 shows an example of a computing device 400 and a mobile device 450, which may be used with the techniques described here. Referring to FIG. 1, any of the devices computing device 400 or the mobile device 450, and the server 106 could include one or more computer devices 400. Computing device 400 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Computing device 450 is intended to represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, and other similar computing devices. The components shown here, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the techniques described and/or claimed in this document.
- The exemplary computing device 400 includes a processor 402, memory 404, a storage device 406, a high-speed interface 408 connecting to memory 404 and high-speed expansion ports 410, and a low speed interface 412 connecting to low speed bus 414 and storage device 606. Each of the components computing device 400, including instructions stored in the memory 404 or on the storage device 406 to display graphical information for a GUI on an external input/output device, such as display 416 coupled to high speed interface 408. In other implementations, multiple processors and/or multiple buses may be used, as appropriate, along with multiple memories and types of memory. Also, multiple computing devices 400 may be connected, with each device providing portions of the necessary operations (e.g., as a server bank, a group of blade servers, or a multi-processor system). In some implementations the computing device can include a graphics processing unit. The memory 404 stores information within the computing device 400. In one implementation, the memory 404 is a volatile memory unit or units. In another implementation, the memory 404 is a non-volatile memory unit or units. The memory 404 may also be another form of computer-readable medium, such as a magnetic or optical disk.
- The storage device 406 is capable of providing mass storage for the computing device 400. Referring to FIG. 1, the storage device 116 could be examples of the storage device 406. In one implementation, the storage device 406 may be or contain a non-transitory computer-readable medium, such as a floppy disk device, a hard disk device, an optical disk device, or a tape device, a flash memory or other similar solid state memory device, or an array of devices, including devices in a storage area network or other configurations. A computer program product can be tangibly embodied in an information carrier. The computer program product may also contain instructions that, when executed, perform one or more methods, such as those described above. The information carrier is a computer- or machine-readable medium, such as the memory 404, the storage device 406, or memory on the processor 402.
- The high speed controller 408 manages bandwidth-intensive operations for the computing device 400, while the low speed controller 412 manages lower bandwidth-intensive operations. Such allocation of functions is an example only. In one implementation, the high-speed controller 408 is coupled to memory 404, display 416 (e.g., through a graphics processor or accelerator), and to high-speed expansion ports 410, which may accept various expansion cards (not shown). In the implementation, low-speed controller 412 is coupled to storage device 406 and low-speed expansion port 414. The low-speed expansion port, which may include various communication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet) may be coupled to one or more input/output devices, such as a keyboard, a pointing device, a scanner, or a networking device such as a switch or router, e.g., through a network adapter.
- The computing device 400 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a standard server 420, or multiple times in a group of such servers. It may also be implemented as part of a rack server system 424. In addition, it may be implemented in a personal computer such as a laptop computer 422. Alternatively, components from computing device 400 may be combined with other components in a mobile device (not shown), such as device 450. Each of such devices may contain one or more of computing device multiple computing devices
- Computing device 450 includes a processor 452, memory 464, an input/output device such as a display 454, a communication interface 466, and a transceiver 468, among other components. The device 450 may also be provided with a storage device, such as a microdrive or other device, to provide additional storage. Each of the components
- The processor 452 can execute instructions within the computing device 450, including instructions stored in the memory 464. The processor may be implemented as a chipset of chips that include separate and multiple analog and digital processors. The processor may provide, for example, for coordination of the other components of the device 450, such as control of user-interfaces, applications run by device 450, and wireless communication by device 450.
- Processor 452 may communicate with a user through control interface 458 and display interface 456 coupled to a display 454. The display 454 may be, for example, a TFT LCD (Thin-Film-Transistor Liquid Crystal Display) or an OLED (Organic Light Emitting Diode) display, or other appropriate display technology. The display interface 456 may comprise appropriate circuitry for driving the display 454 to present graphical and other information to a user. The control interface 458 may receive commands from a user and convert them for submission to the processor 452. In addition, an external interface 462 may be provided in communication with processor 452, so as to enable near area communication of device 450 with other devices. External interface 462 may provide, for example, for wired communication in some implementations, or for wireless communication in other implementations, and multiple interfaces may also be used.
- The memory 464 stores information within the computing device 450. The memory 464 can be implemented as one or more of a computer-readable medium or media, a volatile memory unit or units, or a non-volatile memory unit or units. Expansion memory 474 may also be provided and connected to device 450 through expansion interface 472, which may include, for example, a SIMM (Single In Line Memory Module) card interface. Such expansion memory 474 may provide extra storage space for device 450, or may also store applications or other information for device 450. Specifically, expansion memory 474 may include instructions to carry out or supplement the processes described above, and may include secure information also. Thus, for example, expansion memory 474 may be provided as a security module for device 450, and may be programmed with instructions that permit secure use of device 450. In addition, secure applications may be provided via the SIMM cards, along with additional information, such as placing identifying information on the SIMM card in a non-hackable manner.
- The memory may include, for example, flash memory and/or NVRAM memory, as discussed below. In one implementation, a computer program product is tangibly embodied in an information carrier. The computer program product contains instructions that, when executed, perform one or more methods, such as those described above. The information carrier is a computer- or machine-readable medium, such as the memory 464, expansion memory 474, memory on processor 452, or a propagated signal that may be received, for example, over transceiver 468 or external interface 462.
- Device 450 may communicate wirelessly through communication interface 466, which may include digital signal processing circuitry where necessary. Communication interface 466 may provide for communications under various modes or protocols, such as GSM voice calls, SMS, EMS, or MMS messaging, CDMA, TDMA, PDC, WCDMA, CDMA2000, or GPRS, among others. Such communication may occur, for example, through radio-frequency transceiver 468. In addition, short-range communication may occur, such as using a Bluetooth, WiFi, or other such transceiver (not shown). In addition, GPS (Global Positioning System) receiver module 470 may provide additional navigation- and location-related wireless data to device 450, which may be used as appropriate by applications running on device 450.
-
Device 450 may also communicate audibly usingaudio codec 460, which may receive spoken information from a user and convert it to usable digital information.Audio codec 460 may likewise generate audible sound for a user, such as through a speaker, e.g., in a handset ofdevice 450. Such sound may include sound from voice telephone calls, may include recorded sound (e.g., voice messages, music files, and so forth) and may also include sound generated by applications operating ondevice 450. - The
computing device 450 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as acellular telephone 480. It may also be implemented as part of asmartphone 482, personal digital assistant, tablet computer, or other similar mobile device. - Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various implementations can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
- These computer programs (also known as programs, software, software applications or code) include machine instructions for a programmable processor, and can be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms “machine-readable medium” “computer-readable medium” refers to any computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions.
- To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well. For example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback). Input from the user can be received in any form, including acoustic, speech, biometric, or tactile input.
- The systems and techniques described here can be implemented in a computing system that includes a back end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front end component (e.g., a client computer having a graphical user-interface or a Web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back end, middleware, or front end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a network such as the
network 102 described with reference toFIG. 1A ). Examples of networks include a local area network (“LAN”), a wide area network (“WAN”), and the Internet. - The computing system can include clients and servers (including remote servers). A client and server are generally remote from each other and typically interact through a communication network such as the
network 102. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. - Other implementations are also within the scope of the following claims.
Claims (60)
1. A computer implemented method comprising:
receiving, at a processing device, information about one or more assets associated with a network of devices;
generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset, wherein the security token is configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset;
storing, in a storage device, information about the security token and information linking the security token to the corresponding asset; and
initiating integration of the security token with the corresponding asset.
2. The method of claim 1 , wherein detecting the occurrence of the unauthorized activity comprises determining a dissociation of the asset from the home network defined for the asset.
3. The method of claim 1 , wherein the assets associated with the network comprise one or more of: a device connected to the network, a file stored on a storage device connected to the network, and a user-profile associated with the network.
4. The method of claim 1 , wherein the asset is an electronic file, and initiating the integration of the security token into the asset comprises initiating an encryption of the asset based on the security token.
5. The method of claim 1 , wherein the home network for the asset is defined based on one or more security policies associated with the asset.
6. The method of claim 1 , wherein the information includes one or more of: a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network.
7. The method of claim 1 , wherein the information about the one or more assets is received from an agent deployed on the network.
8. The method of claim 7 , wherein the agent is configured to scan the devices of the network to obtain the information.
9. The method of claim 7 , wherein the agent comprises an automated browser.
10. The method of claim 1 , wherein the security token comprises an object generated in accordance with Component Object Model (COM).
11. The method of claim 1 , wherein the security token is generated in accordance with one or more security policies associated with the corresponding asset.
12. The method of claim 2 , wherein determining the dissociation of the corresponding asset from the home network comprises determining that the corresponding asset is not connected to the home network.
13. The method of claim 2 , wherein determining the dissociation of the corresponding asset from the home network comprises determining that the corresponding asset is not stored on a device associated with the home network.
14. The method of claim 2 , wherein determining the dissociation of the corresponding asset from the home network comprises detecting an access attempt from a user-profile not associated with the home network.
15. The method of claim 2 , wherein the corresponding asset is an electronic file, and the security token is configured to restrict access to the electronic file by deleting content of the electronic file upon determining the dissociation from the home network.
16. The method of claim 1 , wherein the information about the security token and the information linking the security token to the corresponding identifier are stored in a database.
17. The method of claim 1 , wherein the corresponding asset is an electronic file, and initiating an integration of the security token into the electronic file comprises initiating a code injection to a header portion of the electronic file.
18. The method of claim 1 , wherein the corresponding asset is an electronic file, and initiating an integration of the security token with the electronic file comprises initiating an encapsulation of the security token with the electronic file.
19. The method of claim 18 , wherein an executable file is generated via the encapsulation.
20. The method of claim 1 , wherein the corresponding asset is an electronic document, and the security token is integrated into the document as a portion of a page description language of the document.
21. The method of claim 1 , further comprising:
receiving, from the corresponding asset, information related to an access point attempting to access the asset;
determining, based on the stored information about the security token, whether the access point is associated with the security token; and
providing permission information indicating a level of access permitted for the access point based on the determination.
22. A system comprising:
memory; and
one or more processors configured to:
receive information about one or more assets associated with a network of devices,
generate, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset, wherein the security token is configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset,
store, in a storage device, information about the security token and information linking the security token to the corresponding asset, and
initiate integration of the security token with the corresponding asset.
23. The system of claim 22 , wherein detecting the occurrence of the unauthorized activity comprises determining a dissociation of the asset from the home network defined for the asset.
24. The system of claim 22 , wherein the assets associated with the network comprise one or more of: a device connected to the network, a file stored on a storage device connected to the network, and a user-profile associated with the network.
25. The system of claim 22 , wherein the asset is an electronic file, and initiating the integration of the security token into the asset comprises initiating an encryption of the asset based on the security token.
26. The system of claim 22 , wherein the home network for the asset is defined based on one or more security policies associated with the asset.
27. The system of claim 22 , wherein the information includes one or more of: a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network.
28. The system of claim 22 , wherein the information about the one or more assets is received from an agent deployed on the network.
29. The system of claim 28 , wherein the agent is configured to scan the devices of the network to obtain the information.
30. The system of claim 28 , wherein the computing device is configured to deploy the agent on the network.
31. The system of claim 22 , wherein the security token comprises an object generated in accordance with Component Object Model (COM).
32. The system of claim 22 , wherein the computing device is configured to generate the security token in accordance with one or more security policies associated with the corresponding asset.
33. The system of claim 23 , wherein determining the dissociation of the corresponding asset from the home network comprises determining that the corresponding asset is not connected to the home network.
34. The system of claim 23 , wherein determining the dissociation of the corresponding asset from the home network comprises determining that the corresponding asset is not stored on a device associated with the home network.
35. The system of claim 23 , wherein determining the dissociation of the corresponding asset from the home network comprises detecting an access attempt from a user-profile not associated with the home network.
36. The system of claim 23 , wherein the corresponding asset is an electronic file, and the security token is configured to restrict access to the electronic file by deleting content of the electronic file upon determining the dissociation from the home network.
37. The system of claim 22 , wherein the information about the security token and the information linking the security token to the corresponding identifier are stored in a database.
38. The system of claim 22 , wherein the corresponding asset is an electronic file, and the computing device is configured to initiate an integration of the security token into the electronic file by initiating a code injection to a header portion of the electronic file.
39. The system of claim 22 , wherein the corresponding asset is an electronic file, and the computing device is configured to initiate an integration of the security token with the electronic file by initiating an encapsulation of the security token with the electronic file.
40. The system of claim 39 , wherein an executable file is generated via the encapsulation.
41. The system of claim 22 , wherein the corresponding asset is an electronic document, and the security token is integrated into the document as a portion of a page description language of the document.
42. The system of claim 22 , wherein the computing device is configured to:
receive, from the corresponding asset, information related to an access attempt pertaining to the asset;
determine, based on the stored information about the security token, whether the access attempt is associated with the home network; and
provide, based on the determination, permission information indicating a level of access granted for the access attempt.
43. One or more machine-readable storage devices storing instructions that are executable by one or more processing devices to perform operations comprising:
receiving information about one or more assets associated with a network of devices;
generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset, wherein the security token is configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset;
storing, in a storage device, information about the security token and information linking the security token to the corresponding asset; and
initiating integration of the security token with the corresponding asset.
44. The one or more machine-readable storage devices of claim 43 , wherein detecting the occurrence of the unauthorized activity comprises determining a dissociation of the asset from the home network defined for the asset.
45. The one or more machine-readable storage devices of claim 43 , wherein the assets associated with the network comprise one or more of: a device connected to the network, a file stored on a storage device connected to the network, and a user-profile associated with the network.
46. The one or more machine-readable storage devices of claim 43 , wherein the asset is an electronic file, and initiating the integration of the security token into the asset comprises initiating an encryption of the asset based on the security token.
47. The one or more machine-readable storage devices of claim 43 , wherein the home network for the asset is defined based on one or more security policies associated with the asset.
48. The one or more machine-readable storage devices of claim 43 , wherein the information includes one or more of: a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network.
49. The one or more machine-readable storage devices of claim 43 , wherein the information about the one or more assets is received from an agent deployed on the network.
50. The one or more machine-readable storage devices of claim 43 , wherein the security token comprises an object generated in accordance with Component Object Model (COM).
51. The one or more machine-readable storage devices of claim 43 , wherein the security token is generated in accordance with one or more security policies associated with the corresponding asset.
52. The one or more machine-readable storage devices of claim 44 , wherein determining the dissociation of the corresponding asset from the home network comprises determining that the corresponding asset is not connected to the home network.
53. The one or more machine-readable storage devices of claim 44 , wherein determining the dissociation of the corresponding asset from the home network comprises determining that the corresponding asset is not stored on a device associated with the home network.
54. The one or more machine-readable storage devices of claim 44 , wherein determining the dissociation of the corresponding asset from the home network comprises detecting an access attempt from a user-profile not associated with the home network.
55. The one or more machine-readable storage devices of claim 44 , wherein the corresponding asset is an electronic file, and the security token is configured to restrict access to the electronic file by deleting content of the electronic file upon determining the dissociation from the home network.
56. The one or more machine-readable storage devices of claim 43 , wherein the corresponding asset is an electronic file, and initiating an integration of the security token into the electronic file comprises initiating a code injection to a header portion of the electronic file.
57. The one or more machine-readable storage devices of claim 43 , wherein the corresponding asset is an electronic file, and initiating an integration of the security token with the electronic file comprises initiating an encapsulation of the security token with the electronic file.
58. The one or more machine-readable storage devices of claim 57 , wherein an executable file is generated via the encapsulation.
59. The one or more machine-readable storage devices of claim 43 , wherein the corresponding asset is an electronic document, and the security token is integrated into the document as a portion of a page description language of the document.
60. The one or more machine-readable storage devices of claim 43 , further comprising instructions for:
receiving, from the corresponding asset, information related to an access point attempting to access the asset;
determining, based on the stored information about the security token, whether the access point is associated with the security token; and
providing permission information indicating a level of access permitted for the access point based on the determination.
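The claims above describe one lifecycle: inventory information about an asset (claim 6) is turned into a token that names the asset's home network (claims 1 and 5), the token is recorded against the asset (claim 16) and integrated into the file, for example as an injected header (claim 17), and a later access attempt reports its environment so that dissociation from the home network (claims 12 to 14) can be turned into a permission level (claims 21 and 42). The following Python is an added illustration written for this page; it is not code from the patent or from Document Dynamics, and the patent fixes no token format. The HMAC-authenticated JSON payload, the `EAST1` header marker, the `SERVER_KEY`, the in-memory `REGISTRY`, and every asset, network and environment value are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side signing key (assumption: in practice held in a KMS or HSM).
SERVER_KEY = secrets.token_bytes(32)

# Constructed inventory record of the kind claim 6 lists (serial, MAC, file path, ...).
ASSET_INFO = {
    "asset_id": "doc-0001",
    "file_path": "/srv/finance/q3-forecast.xlsx",
    "device_serial": "SN-7F3A21",
    "mac": "00:1b:44:11:3a:b7",
}

# Constructed home-network definition derived from policy (claim 5).
HOME_NETWORK = {
    "network_id": "corp-lan-01",
    "devices": ["SN-7F3A21", "SN-7F3A22"],
    "user_profiles": ["alice", "bob"],
}

# In-memory stand-in for the database of claim 16: token id -> asset and home network.
REGISTRY = {}

HEADER_MAGIC = b"EAST1\n"  # hypothetical marker for the injected header (claim 17)


def canonical(obj) -> bytes:
    """Deterministic JSON so the same fields always produce the same MAC input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def generate_token(asset_info: dict, home_network: dict) -> bytes:
    """Claim 1: derive a token from the asset information that names the home network.

    The token is an HMAC-authenticated payload (an assumption; the patent does not fix
    the token format), so an agent cannot rewrite the home network id it carries.
    """
    token_id = hashlib.sha256(canonical(asset_info)).hexdigest()[:16]
    payload = canonical({"token_id": token_id, "network_id": home_network["network_id"]})
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    REGISTRY[token_id] = {"asset": asset_info, "home": home_network}
    return payload + b"." + tag.encode()


def integrate(token: bytes, content: bytes) -> bytes:
    """Claim 17: place the token in a header portion prepended to the file content."""
    return HEADER_MAGIC + token + b"\n" + content


def split_header(blob: bytes):
    """Inverse of integrate(); rejects files that carry no header at all."""
    if not blob.startswith(HEADER_MAGIC):
        raise ValueError("no environment-aware header present")
    token, _, content = blob[len(HEADER_MAGIC):].partition(b"\n")
    return token, content


def lookup_token(token: bytes):
    """Verify the MAC and return the registry entry, or None if forged or unknown."""
    payload, _, tag = token.rpartition(b".")
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return REGISTRY.get(json.loads(payload)["token_id"])


def authorize(token: bytes, observed_env: dict) -> str:
    """Claims 2, 12 to 14 and 21: decide the access level from the reported environment."""
    entry = lookup_token(token)
    if entry is None:
        return "deny"
    home = entry["home"]
    dissociated = (
        observed_env.get("network_id") != home["network_id"]          # claim 12
        or observed_env.get("device_serial") not in home["devices"]     # claim 13
        or observed_env.get("user") not in home["user_profiles"]        # claim 14
    )
    return "restrict" if dissociated else "full"


def open_asset(blob: bytes, observed_env: dict) -> bytes:
    """Agent-side read: return content only while the asset is in its home network.

    Outside the home network the content is withheld, the reading side's analogue of
    the content deletion in claim 15.
    """
    token, content = split_header(blob)
    return content if authorize(token, observed_env) == "full" else b""
```

Two caveats a practitioner would attach to this design. The environment in `observed_env` is self-reported by whatever agent opens the file, and MAC addresses, serial numbers and network identifiers are all attacker-controllable on a stolen or cloned device, so the check is a policy control against accidental leakage rather than a cryptographic boundary. A header alone also enforces nothing once stripped; the restriction only has teeth when the check gates release of the key under which the content itself is encrypted (claim 4), which this example leaves out.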
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/180,688 US20190327221A1 (en) | 2014-08-11 | 2018-11-05 | Environment-Aware Security Tokens |
US16/788,926 US20210014210A1 (en) | 2014-08-11 | 2020-02-12 | Environment-Aware Security Tokens |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/456,777 US9449187B2 (en) | 2014-08-11 | 2014-08-11 | Environment-aware security tokens |
US15/236,649 US9590971B2 (en) | 2014-08-11 | 2016-08-15 | Environment-aware security tokens |
US15/450,984 US10122696B2 (en) | 2014-08-11 | 2017-03-06 | Environment-aware security tokens |
US16/180,688 US20190327221A1 (en) | 2014-08-11 | 2018-11-05 | Environment-Aware Security Tokens |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/450,984 Continuation US10122696B2 (en) | 2014-08-11 | 2017-03-06 | Environment-aware security tokens |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US201916456926A Continuation | 2014-08-11 | 2019-06-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
US20190327221A1 true US20190327221A1 (en) | 2019-10-24 |
Family
ID=55268314
Family Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/456,777 Expired - Fee Related US9449187B2 (en) | 2014-08-11 | 2014-08-11 | Environment-aware security tokens |
US15/236,628 Active US9608980B2 (en) | 2014-08-11 | 2016-08-15 | Environment-aware security tokens |
US15/236,649 Active US9590971B2 (en) | 2014-08-11 | 2016-08-15 | Environment-aware security tokens |
US15/450,984 Expired - Fee Related US10122696B2 (en) | 2014-08-11 | 2017-03-06 | Environment-aware security tokens |
US16/180,688 Abandoned US20190327221A1 (en) | 2014-08-11 | 2018-11-05 | Environment-Aware Security Tokens |
US16/788,926 Abandoned US20210014210A1 (en) | 2014-08-11 | 2020-02-12 | Environment-Aware Security Tokens |
Family Applications Before (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/456,777 Expired - Fee Related US9449187B2 (en) | 2014-08-11 | 2014-08-11 | Environment-aware security tokens |
US15/236,628 Active US9608980B2 (en) | 2014-08-11 | 2016-08-15 | Environment-aware security tokens |
US15/236,649 Active US9590971B2 (en) | 2014-08-11 | 2016-08-15 | Environment-aware security tokens |
US15/450,984 Expired - Fee Related US10122696B2 (en) | 2014-08-11 | 2017-03-06 | Environment-aware security tokens |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/788,926 Abandoned US20210014210A1 (en) | 2014-08-11 | 2020-02-12 | Environment-Aware Security Tokens |
Country Status (4)
Country | Link |
---|---|
US (6) | US9449187B2 (en) |
EP (1) | EP3180730A4 (en) |
CN (1) | CN107004080A (en) |
WO (1) | WO2016073047A2 (en) |
Families Citing this family (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2535373A (en) | 2013-09-30 | 2016-08-17 | Maximus Inc | Process tracking and defect detection |
US10530854B2 (en) * | 2014-05-30 | 2020-01-07 | Box, Inc. | Synchronization of permissioned content in cloud-based environments |
US9449187B2 (en) | 2014-08-11 | 2016-09-20 | Document Dynamics, Llc | Environment-aware security tokens |
US9600548B2 (en) * | 2014-10-10 | 2017-03-21 | Salesforce.Com | Row level security integration of analytical data store with cloud architecture |
US10049141B2 (en) | 2014-10-10 | 2018-08-14 | salesforce.com,inc. | Declarative specification of visualization queries, display formats and bindings |
US10101889B2 (en) | 2014-10-10 | 2018-10-16 | Salesforce.Com, Inc. | Dashboard builder with live data updating without exiting an edit mode |
US9449188B2 (en) | 2014-10-10 | 2016-09-20 | Salesforce.Com, Inc. | Integration user for analytical access to read only data stores generated from transactional systems |
US9767145B2 (en) | 2014-10-10 | 2017-09-19 | Salesforce.Com, Inc. | Visual data analysis with animated informational morphing replay |
US10243788B1 (en) * | 2015-01-27 | 2019-03-26 | Accellion, Inc. | Automated configuration of distributed computing systems |
US9736246B1 (en) * | 2015-02-19 | 2017-08-15 | Amazon Technologies, Inc. | Cross-device synchronization system for account-level information |
US20170046531A1 (en) * | 2015-08-14 | 2017-02-16 | Strong Bear Llc | Data encryption method and system for use with cloud storage |
US10115213B2 (en) | 2015-09-15 | 2018-10-30 | Salesforce, Inc. | Recursive cell-based hierarchy for data visualizations |
US10089368B2 (en) | 2015-09-18 | 2018-10-02 | Salesforce, Inc. | Systems and methods for making visual data representations actionable |
US10826844B2 (en) * | 2015-09-30 | 2020-11-03 | Amazon Technologies, Inc. | Transmission of tags and policies with data objects |
US10044705B2 (en) * | 2016-01-20 | 2018-08-07 | Facebook, Inc. | Session management for internet of things devices |
US10440153B1 (en) | 2016-02-08 | 2019-10-08 | Microstrategy Incorporated | Enterprise health score and data migration |
US11283900B2 (en) | 2016-02-08 | 2022-03-22 | Microstrategy Incorporated | Enterprise performance and capacity testing |
US20190109857A1 (en) | 2016-03-24 | 2019-04-11 | Document Dynamics, Llc | Securing cloud drives using environment-aware security tokens |
US10225259B2 (en) * | 2016-03-30 | 2019-03-05 | Oracle International Corporation | Establishing a cleanroom data processing environment |
US10713376B2 (en) | 2016-04-14 | 2020-07-14 | Salesforce.Com, Inc. | Fine grain security for analytic data sets |
US10397278B2 (en) * | 2016-07-27 | 2019-08-27 | BanyanOps, Inc. | Transparently enhanced authentication and authorization between networked services |
US10311047B2 (en) | 2016-10-19 | 2019-06-04 | Salesforce.Com, Inc. | Streamlined creation and updating of OLAP analytic databases |
US20180232487A1 (en) * | 2017-02-10 | 2018-08-16 | Maximus, Inc. | Document classification tool for large electronic files |
US11030697B2 (en) | 2017-02-10 | 2021-06-08 | Maximus, Inc. | Secure document exchange portal system with efficient user access |
US10936711B2 (en) * | 2017-04-18 | 2021-03-02 | Intuit Inc. | Systems and mechanism to control the lifetime of an access token dynamically based on access token use |
US10635829B1 (en) | 2017-11-28 | 2020-04-28 | Intuit Inc. | Method and system for granting permissions to parties within an organization |
US20190318118A1 (en) * | 2018-04-16 | 2019-10-17 | International Business Machines Corporation | Secure encrypted document retrieval |
SG10201806602VA (en) * | 2018-08-02 | 2020-03-30 | Mastercard International Inc | Methods and systems for identification of breach attempts in a client-server communication using access tokens |
US10891391B2 (en) * | 2018-08-29 | 2021-01-12 | International Business Machines Corporation | Remote file storage with multiple access levels |
CN109375960B (en) * | 2018-09-29 | 2021-10-01 | 郑州云海信息技术有限公司 | Copyright information loading method and device |
CN110290109B (en) * | 2019-05-20 | 2022-04-19 | 蚂蚁蓉信(成都)网络科技有限公司 | Data processing method and device, and processing authority acquisition method and device |
US11190514B2 (en) * | 2019-06-17 | 2021-11-30 | Microsoft Technology Licensing, Llc | Client-server security enhancement using information accessed from access tokens |
US11080411B2 (en) * | 2019-07-28 | 2021-08-03 | Bank Of America Corporation | Elastic virtual information access ecosystem |
CN110443051B (en) * | 2019-07-30 | 2022-12-27 | 空气动力学国家重点实验室 | Method for preventing confidential documents from spreading on Internet |
US11106455B2 (en) | 2019-08-15 | 2021-08-31 | Microstrategy Incorporated | Integration of containers with external elements |
US11288053B2 (en) | 2019-08-15 | 2022-03-29 | Microstrategy Incorporated | Conversion and restoration of computer environments to container-based implementations |
US11637748B2 (en) | 2019-08-28 | 2023-04-25 | Microstrategy Incorporated | Self-optimization of computing environments |
US11507295B2 (en) * | 2019-08-30 | 2022-11-22 | Microstrategy Incorporated | Backup, restoration, and migration of computer systems |
US11210189B2 (en) | 2019-08-30 | 2021-12-28 | Microstrategy Incorporated | Monitoring performance of computing systems |
US11354216B2 (en) | 2019-09-18 | 2022-06-07 | Microstrategy Incorporated | Monitoring performance deviations |
US11360881B2 (en) | 2019-09-23 | 2022-06-14 | Microstrategy Incorporated | Customizing computer performance tests |
US11438231B2 (en) | 2019-09-25 | 2022-09-06 | Microstrategy Incorporated | Centralized platform management for computing environments |
US11824755B2 (en) | 2020-01-31 | 2023-11-21 | Hewlett-Packard Development Company, L.P. | Communication asset usage metrics |
WO2021232347A1 (en) * | 2020-05-21 | 2021-11-25 | Citrix Systems, Inc. | Cross device single sign-on |
US12058119B2 (en) * | 2020-12-18 | 2024-08-06 | Intel Corporation | Automatic escalation of trust credentials |
WO2023044020A1 (en) * | 2021-09-17 | 2023-03-23 | Worcester Polytechnic Institute | Method and apparatus for providing isolated asset access in a layered security system |
US11954473B2 (en) | 2021-09-20 | 2024-04-09 | Microstrategy Incorporated | Deployment architecture for multi-tenant cloud computing systems |
US11861342B2 (en) | 2022-01-28 | 2024-01-02 | Microstrategy Incorporated | Enhanced cloud-computing environment deployment |
JP2024021674A (en) * | 2022-08-04 | 2024-02-16 | キヤノン株式会社 | Information processing apparatus, control method of information processing apparatus and program |
Citations (50)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6145003A (en) * | 1997-12-17 | 2000-11-07 | Microsoft Corporation | Method of web crawling utilizing address mapping |
US20020048369A1 (en) * | 1995-02-13 | 2002-04-25 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US6397261B1 (en) * | 1998-09-30 | 2002-05-28 | Xerox Corporation | Secure token-based document server |
US20020077985A1 (en) * | 2000-07-14 | 2002-06-20 | Hiroshi Kobata | Controlling and managing digital assets |
US20020171546A1 (en) * | 2001-04-18 | 2002-11-21 | Evans Thomas P. | Universal, customizable security system for computers and other devices |
US6487189B1 (en) * | 1998-09-30 | 2002-11-26 | Xerox Corporation | Mobile e-mail document transaction service |
US6493760B1 (en) * | 1999-06-28 | 2002-12-10 | Xerox Corporation | Standalone device for identifying available document services in a token-enabled operating environment |
US20030018491A1 (en) * | 2001-07-17 | 2003-01-23 | Tohru Nakahara | Content usage device and network system, and license information acquisition method |
US6519700B1 (en) * | 1998-10-23 | 2003-02-11 | Contentguard Holdings, Inc. | Self-protecting documents |
US20030200436A1 (en) * | 2002-04-17 | 2003-10-23 | Eun Sung Kyong | Access control method using token having security attributes in computer system |
US20040078573A1 (en) * | 2002-07-10 | 2004-04-22 | Shinako Matsuyama | Remote access system, remote access method, and remote access program |
US20040123153A1 (en) * | 2002-12-18 | 2004-06-24 | Michael Wright | Administration of protection of data accessible by a mobile device |
US20040215772A1 (en) * | 2003-04-08 | 2004-10-28 | Sun Microsystems, Inc. | Distributed token manager with transactional properties |
US20040255137A1 (en) * | 2003-01-09 | 2004-12-16 | Shuqian Ying | Defending the name space |
US20050080746A1 (en) * | 2003-10-14 | 2005-04-14 | Bin Zhu | Digital rights management system |
US20050086514A1 (en) * | 2003-10-02 | 2005-04-21 | Samsung Electronics Co., Ltd | Method of constructing domain based on public key and implementing the domain through universal plug and play (UPnP) |
US20050111466A1 (en) * | 2003-11-25 | 2005-05-26 | Martin Kappes | Method and apparatus for content based authentication for network access |
US20060005132A1 (en) * | 2004-06-30 | 2006-01-05 | Microsoft Corporation | Smart UI recording and playback framework |
US20070118891A1 (en) * | 2005-11-16 | 2007-05-24 | Broadcom Corporation | Universal authentication token |
US20070156694A1 (en) * | 2005-12-29 | 2007-07-05 | Blue Jungle | Techniques and system to manage access of information using policies |
US20080047000A1 (en) * | 2004-06-30 | 2008-02-21 | Matsushita Electric Industrial Co., Ltd. | Program Execution Device And Program Execution Method |
US20080097998A1 (en) * | 2006-10-23 | 2008-04-24 | Adobe Systems Incorporated | Data file access control |
US20080103977A1 (en) * | 2006-10-31 | 2008-05-01 | Microsoft Corporation | Digital rights management for distributed devices |
US20080255994A1 (en) * | 2007-04-12 | 2008-10-16 | Microsoft Corporation | Content Preview |
US20090089353A1 (en) * | 2007-09-28 | 2009-04-02 | Fujitsu Limited | Computer-readable medium storing relay program, relay device, and relay method |
US20090183257A1 (en) * | 2008-01-15 | 2009-07-16 | Microsoft Corporation | Preventing secure data from leaving the network perimeter |
US20090240941A1 (en) * | 2006-06-29 | 2009-09-24 | Electronics And Telecommunications Research Institute | Method and apparatus for authenticating device in multi domain home network environment |
US20090287709A1 (en) * | 2008-05-16 | 2009-11-19 | Canon Kabushiki Kaisha | Information processing apparatus for editing document having access right settings, method of information processing, and program |
US20090327908A1 (en) * | 2008-06-26 | 2009-12-31 | Richard Hayton | Methods and Systems for Interactive Evaluation Using Dynamically Generated, Interactive Resultant Sets of Policies |
US20100036950A1 (en) * | 2008-08-07 | 2010-02-11 | Electronics And Telecommunications Research Institute | Method and apparatus for providing home contents |
US20100082680A1 (en) * | 2008-09-30 | 2010-04-01 | Apple Inc. | Methods and systems for providing easy access to information and for sharing services |
US20100088258A1 (en) * | 2008-10-02 | 2010-04-08 | Global Healthcare Exchange, Llc | Dynamic intelligent objects |
US20100138900A1 (en) * | 2008-12-02 | 2010-06-03 | General Instrument Corporation | Remote access of protected internet protocol (ip)-based content over an ip multimedia subsystem (ims)-based network |
US20100153696A1 (en) * | 2008-12-12 | 2010-06-17 | Novell, Inc. | Pre-boot securing of operating system (OS) for endpoint evaluation |
US20100235514A1 (en) * | 2009-03-12 | 2010-09-16 | Novell, Inc. | Securing a network connection by way of an endpoint computing device |
US20100235885A1 (en) * | 2009-03-11 | 2010-09-16 | Jan Patrik Persson | Secure Client-Side Aggregation of Web Applications |
US20110314530A1 (en) * | 2010-06-17 | 2011-12-22 | Aliphcom | System and method for controlling access to network services using biometric authentication |
US20120102540A1 (en) * | 2010-10-20 | 2012-04-26 | Jeffry Aronson | Single-Point-Of-Access Cyber System |
US20120167158A1 (en) * | 2010-12-24 | 2012-06-28 | Microsoft Corporation | Scoped resource authorization policies |
US20130061335A1 (en) * | 2011-09-07 | 2013-03-07 | CloudPointe, LLC | Method, Apparatus, Computer Readable Media for a Storage Virtualization Middleware System |
US20130212271A1 (en) * | 2010-10-20 | 2013-08-15 | Jeffry David Aronson | Single-Point-of-Access Cyber System |
US20130298253A1 (en) * | 2012-05-02 | 2013-11-07 | University Of Seoul Industry Cooperation Foundation | Method and apparatus for transmitting and receiving message for downloadable cas or drm in mmt |
US20130318211A1 (en) * | 2012-04-30 | 2013-11-28 | Numecent Holdings, Inc. | Asset streaming and delivery |
US20140075568A1 (en) * | 2012-09-07 | 2014-03-13 | Shiju Sathyadevan | Security Layer and Methods for Protecting Tenant Data in a Cloud-Mediated Computing Network |
US20140130117A1 (en) * | 2011-05-09 | 2014-05-08 | I Think Security Ltd. | System, apparatus and method for securing electronic data independent of their location |
US20140280740A1 (en) * | 2013-03-12 | 2014-09-18 | General Electric Company | Location based equipment documentation access control |
US8984651B1 (en) * | 2011-09-20 | 2015-03-17 | Amazon Technologies, Inc. | Integrated physical security control system for computing resources |
US20150101042A1 (en) * | 2013-10-04 | 2015-04-09 | Vmware, Inc. | Tag based permission system and method for virtualized environments |
US20150324602A1 (en) * | 2005-12-29 | 2015-11-12 | Nextlabs, Inc. | Managing Access of Information Using Policies |
US9231956B1 (en) * | 2013-03-13 | 2016-01-05 | Emc Corporation | Utilizing entity-generic records for determining access to assets |
Family Cites Families (37)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6502135B1 (en) | 1998-10-30 | 2002-12-31 | Science Applications International Corporation | Agile network protocol for secure communications with assured system availability |
US7418504B2 (en) | 1998-10-30 | 2008-08-26 | Virnetx, Inc. | Agile network protocol for secure communications using secure domain names |
US20020162005A1 (en) * | 2000-04-24 | 2002-10-31 | Masaomi Ueda | Access right setting device and manager terminal |
JP4294322B2 (en) * | 2001-03-12 | 2009-07-08 | コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ | Receiving device and playback device for storing content items in a protected manner |
KR100982166B1 (en) * | 2002-05-22 | 2010-09-14 | 코닌클리케 필립스 일렉트로닉스 엔.브이. | Digital rights management method and system |
US8011015B2 (en) * | 2002-12-17 | 2011-08-30 | Sony Corporation | Content access in a media network environment |
US7827156B2 (en) * | 2003-02-26 | 2010-11-02 | Microsoft Corporation | Issuing a digital rights management (DRM) license for content based on cross-forest directory information |
US9197668B2 (en) * | 2003-02-28 | 2015-11-24 | Novell, Inc. | Access control to files based on source information |
US20050114672A1 (en) | 2003-11-20 | 2005-05-26 | Encryptx Corporation | Data rights management of digital information in a portable software permission wrapper |
JP4682520B2 (en) * | 2004-02-25 | 2011-05-11 | ソニー株式会社 | Information processing apparatus, information processing method, and computer program |
US7437771B2 (en) | 2004-04-19 | 2008-10-14 | Woodcock Washburn Llp | Rendering protected digital content within a network of computing devices or the like |
CN100418097C (en) * | 2004-07-21 | 2008-09-10 | 索尼株式会社 | Communication system, content processing device, communication method, and computer program |
US20060085738A1 (en) | 2004-09-01 | 2006-04-20 | Frederic Chapus | Method and system for automatic audit trail |
JP4455239B2 (en) * | 2004-09-10 | 2010-04-21 | キヤノン株式会社 | Information processing method and apparatus |
JPWO2006067951A1 (en) * | 2004-12-22 | 2008-06-12 | 松下電器産業株式会社 | Access control apparatus and access control method |
EP1921559A1 (en) * | 2005-08-31 | 2008-05-14 | Sony Corporation | Group registration device, group registration release device, group registration method, license acquisition device, license acquisition method, time setting device, and time setting method |
US9626667B2 (en) | 2005-10-18 | 2017-04-18 | Intertrust Technologies Corporation | Digital rights management engine systems and methods |
JP2007184756A (en) * | 2006-01-06 | 2007-07-19 | Hitachi Ltd | Adapter device performing encryption communication on network |
US7793110B2 (en) * | 2006-05-24 | 2010-09-07 | Palo Alto Research Center Incorporated | Posture-based data protection |
JP4992378B2 (en) | 2006-10-19 | 2012-08-08 | 富士通株式会社 | Portable terminal device, gateway device, program, and system |
GB0623842D0 (en) * | 2006-11-29 | 2007-01-10 | British Telecomm | Secure access |
US7617220B2 (en) * | 2006-12-21 | 2009-11-10 | Palm, Inc. | Sharing access to content items using group information and item information |
US8539543B2 (en) * | 2007-04-12 | 2013-09-17 | Microsoft Corporation | Managing digital rights for multiple assets in an envelope |
JP4919944B2 (en) * | 2007-12-10 | 2012-04-18 | 富士通株式会社 | Information processing apparatus and license distribution system |
US9338176B2 (en) * | 2008-01-07 | 2016-05-10 | Global Dataguard, Inc. | Systems and methods of identity and access management |
US8961619B2 (en) * | 2009-01-06 | 2015-02-24 | Qualcomm Incorporated | Location-based system permissions and adjustments at an electronic device |
US8429191B2 (en) * | 2011-01-14 | 2013-04-23 | International Business Machines Corporation | Domain based isolation of objects |
KR101760778B1 (en) | 2011-01-17 | 2017-07-26 | 에스프린팅솔루션 주식회사 | Computer system and method for updating program therein |
CN103166783A (en) * | 2011-12-14 | 2013-06-19 | 华为技术有限公司 | Resource control method and resource control device |
CN102546648B (en) * | 2012-01-18 | 2015-04-01 | Ut斯达康通讯有限公司 | Resource access authorization method |
EP2815345B1 (en) * | 2012-02-17 | 2022-08-03 | Irdeto B.V. | Digital rights management |
US8881302B1 (en) * | 2012-04-03 | 2014-11-04 | Google Inc. | Detecting security token reuse in a third party mediated video authentication system |
CN103236928B (en) * | 2013-04-22 | 2015-11-25 | 广东电网有限责任公司电力科学研究院 | The method and system that network resource security controls |
US8739286B1 (en) * | 2013-05-30 | 2014-05-27 | Phantom Technologies, Inc. | Controlling network access based on application detection |
US20150150148A1 (en) * | 2013-11-27 | 2015-05-28 | Sony Corporation | Configuring and controlling digital ecosystem of devices, user profiles, and content |
EP2980726B1 (en) | 2014-07-29 | 2019-09-04 | Samsung Electronics Co., Ltd | Method and apparatus for sharing data |
US9449187B2 (en) | 2014-08-11 | 2016-09-20 | Document Dynamics, Llc | Environment-aware security tokens |
- 2014
  - 2014-08-11 US US14/456,777 patent/US9449187B2/en not_active Expired - Fee Related
- 2015
  - 2015-08-06 CN CN201580052469.2A patent/CN107004080A/en active Pending
  - 2015-08-06 WO PCT/US2015/044061 patent/WO2016073047A2/en active Application Filing
  - 2015-08-06 EP EP15858004.3A patent/EP3180730A4/en not_active Withdrawn
- 2016
  - 2016-08-15 US US15/236,628 patent/US9608980B2/en active Active
  - 2016-08-15 US US15/236,649 patent/US9590971B2/en active Active
- 2017
  - 2017-03-06 US US15/450,984 patent/US10122696B2/en not_active Expired - Fee Related
- 2018
  - 2018-11-05 US US16/180,688 patent/US20190327221A1/en not_active Abandoned
- 2020
  - 2020-02-12 US US16/788,926 patent/US20210014210A1/en not_active Abandoned
Patent Citations (50)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020048369A1 (en) * | 1995-02-13 | 2002-04-25 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US6145003A (en) * | 1997-12-17 | 2000-11-07 | Microsoft Corporation | Method of web crawling utilizing address mapping |
US6397261B1 (en) * | 1998-09-30 | 2002-05-28 | Xerox Corporation | Secure token-based document server |
US6487189B1 (en) * | 1998-09-30 | 2002-11-26 | Xerox Corporation | Mobile e-mail document transaction service |
US6519700B1 (en) * | 1998-10-23 | 2003-02-11 | Contentguard Holdings, Inc. | Self-protecting documents |
US6493760B1 (en) * | 1999-06-28 | 2002-12-10 | Xerox Corporation | Standalone device for identifying available document services in a token-enabled operating environment |
US20020077985A1 (en) * | 2000-07-14 | 2002-06-20 | Hiroshi Kobata | Controlling and managing digital assets |
US20020171546A1 (en) * | 2001-04-18 | 2002-11-21 | Evans Thomas P. | Universal, customizable security system for computers and other devices |
US20030018491A1 (en) * | 2001-07-17 | 2003-01-23 | Tohru Nakahara | Content usage device and network system, and license information acquisition method |
US20030200436A1 (en) * | 2002-04-17 | 2003-10-23 | Eun Sung Kyong | Access control method using token having security attributes in computer system |
US20040078573A1 (en) * | 2002-07-10 | 2004-04-22 | Shinako Matsuyama | Remote access system, remote access method, and remote access program |
US20040123153A1 (en) * | 2002-12-18 | 2004-06-24 | Michael Wright | Administration of protection of data accessible by a mobile device |
US20040255137A1 (en) * | 2003-01-09 | 2004-12-16 | Shuqian Ying | Defending the name space |
US20040215772A1 (en) * | 2003-04-08 | 2004-10-28 | Sun Microsystems, Inc. | Distributed token manager with transactional properties |
US20050086514A1 (en) * | 2003-10-02 | 2005-04-21 | Samsung Electronics Co., Ltd | Method of constructing domain based on public key and implementing the domain through universal plug and play (UPnP) |
US20050080746A1 (en) * | 2003-10-14 | 2005-04-14 | Bin Zhu | Digital rights management system |
US20050111466A1 (en) * | 2003-11-25 | 2005-05-26 | Martin Kappes | Method and apparatus for content based authentication for network access |
US20060005132A1 (en) * | 2004-06-30 | 2006-01-05 | Microsoft Corporation | Smart UI recording and playback framework |
US20080047000A1 (en) * | 2004-06-30 | 2008-02-21 | Matsushita Electric Industrial Co., Ltd. | Program Execution Device And Program Execution Method |
US20070118891A1 (en) * | 2005-11-16 | 2007-05-24 | Broadcom Corporation | Universal authentication token |
US20070156694A1 (en) * | 2005-12-29 | 2007-07-05 | Blue Jungle | Techniques and system to manage access of information using policies |
US20150324602A1 (en) * | 2005-12-29 | 2015-11-12 | Nextlabs, Inc. | Managing Access of Information Using Policies |
US20090240941A1 (en) * | 2006-06-29 | 2009-09-24 | Electronics And Telecommunications Research Institute | Method and apparatus for authenticating device in multi domain home network environment |
US20080097998A1 (en) * | 2006-10-23 | 2008-04-24 | Adobe Systems Incorporated | Data file access control |
US20080103977A1 (en) * | 2006-10-31 | 2008-05-01 | Microsoft Corporation | Digital rights management for distributed devices |
US20080255994A1 (en) * | 2007-04-12 | 2008-10-16 | Microsoft Corporation | Content Preview |
US20090089353A1 (en) * | 2007-09-28 | 2009-04-02 | Fujitsu Limited | Computer-readable medium storing relay program, relay device, and relay method |
US20090183257A1 (en) * | 2008-01-15 | 2009-07-16 | Microsoft Corporation | Preventing secure data from leaving the network perimeter |
US20090287709A1 (en) * | 2008-05-16 | 2009-11-19 | Canon Kabushiki Kaisha | Information processing apparatus for editing document having access right settings, method of information processing, and program |
US20090327908A1 (en) * | 2008-06-26 | 2009-12-31 | Richard Hayton | Methods and Systems for Interactive Evaluation Using Dynamically Generated, Interactive Resultant Sets of Policies |
US20100036950A1 (en) * | 2008-08-07 | 2010-02-11 | Electronics And Telecommunications Research Institute | Method and apparatus for providing home contents |
US20100082680A1 (en) * | 2008-09-30 | 2010-04-01 | Apple Inc. | Methods and systems for providing easy access to information and for sharing services |
US20100088258A1 (en) * | 2008-10-02 | 2010-04-08 | Global Healthcare Exchange, Llc | Dynamic intelligent objects |
US20100138900A1 (en) * | 2008-12-02 | 2010-06-03 | General Instrument Corporation | Remote access of protected internet protocol (ip)-based content over an ip multimedia subsystem (ims)-based network |
US20100153696A1 (en) * | 2008-12-12 | 2010-06-17 | Novell, Inc. | Pre-boot securing of operating system (OS) for endpoint evaluation |
US20100235885A1 (en) * | 2009-03-11 | 2010-09-16 | Jan Patrik Persson | Secure Client-Side Aggregation of Web Applications |
US20100235514A1 (en) * | 2009-03-12 | 2010-09-16 | Novell, Inc. | Securing a network connection by way of an endpoint computing device |
US20110314530A1 (en) * | 2010-06-17 | 2011-12-22 | Aliphcom | System and method for controlling access to network services using biometric authentication |
US20120102540A1 (en) * | 2010-10-20 | 2012-04-26 | Jeffry Aronson | Single-Point-Of-Access Cyber System |
US20130212271A1 (en) * | 2010-10-20 | 2013-08-15 | Jeffry David Aronson | Single-Point-of-Access Cyber System |
US20120167158A1 (en) * | 2010-12-24 | 2012-06-28 | Microsoft Corporation | Scoped resource authorization policies |
US20140130117A1 (en) * | 2011-05-09 | 2014-05-08 | I Think Security Ltd. | System, apparatus and method for securing electronic data independent of their location |
US20130061335A1 (en) * | 2011-09-07 | 2013-03-07 | CloudPointe, LLC | Method, Apparatus, Computer Readable Media for a Storage Virtualization Middleware System |
US8984651B1 (en) * | 2011-09-20 | 2015-03-17 | Amazon Technologies, Inc. | Integrated physical security control system for computing resources |
US20130318211A1 (en) * | 2012-04-30 | 2013-11-28 | Numecent Holdings, Inc. | Asset streaming and delivery |
US20130298253A1 (en) * | 2012-05-02 | 2013-11-07 | University Of Seoul Industry Cooperation Foundation | Method and apparatus for transmitting and receiving message for downloadable cas or drm in mmt |
US20140075568A1 (en) * | 2012-09-07 | 2014-03-13 | Shiju Sathyadevan | Security Layer and Methods for Protecting Tenant Data in a Cloud-Mediated Computing Network |
US20140280740A1 (en) * | 2013-03-12 | 2014-09-18 | General Electric Company | Location based equipment documentation access control |
US9231956B1 (en) * | 2013-03-13 | 2016-01-05 | Emc Corporation | Utilizing entity-generic records for determining access to assets |
US20150101042A1 (en) * | 2013-10-04 | 2015-04-09 | Vmware, Inc. | Tag based permission system and method for virtualized environments |
Also Published As
Publication number | Publication date |
---|---|
US20180026956A1 (en) | 2018-01-25 |
US20210014210A1 (en) | 2021-01-14 |
US10122696B2 (en) | 2018-11-06 |
EP3180730A4 (en) | 2018-03-21 |
EP3180730A2 (en) | 2017-06-21 |
US9590971B2 (en) | 2017-03-07 |
US20160352741A1 (en) | 2016-12-01 |
US20160352718A1 (en) | 2016-12-01 |
WO2016073047A3 (en) | 2016-08-04 |
US20160044040A1 (en) | 2016-02-11 |
US9449187B2 (en) | 2016-09-20 |
US9608980B2 (en) | 2017-03-28 |
WO2016073047A2 (en) | 2016-05-12 |
CN107004080A (en) | 2017-08-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10122696B2 (en) | | Environment-aware security tokens |
US11558381B2 (en) | | Out-of-band authentication based on secure channel to trusted execution environment on client device |
US12081545B2 (en) | | Out-of-band authentication to access web-service with indication of physical access to client device |
US20190109857A1 (en) | | Securing cloud drives using environment-aware security tokens |
US12010228B2 (en) | | Systems, methods, and devices for secure blockchain transaction and subnetworks |
US9680654B2 (en) | | Systems and methods for validated secure data access based on an endorsement provided by a trusted third party |
US8954758B2 (en) | | Password-less security and protection of online digital assets |
US8782404B2 (en) | | System and method of providing trusted, secure, and verifiable operating environment |
US9053335B2 (en) | | Methods and systems for active data security enforcement during protected mode use of a system |
JP2017539017A (en) | | Identity infrastructure as a service |
US20210099431A1 (en) | | Synthetic identity and network egress for user privacy |
US10652249B2 (en) | | Remote locking a multi-user device to a set of users |
US20240362344A1 (en) | | Encrypted file control |
US11595372B1 (en) | | Data source driven expected network policy control |
Nyamwaro | | Application for enhancing confidentiality and availability for sensitive user data using AES algorithm in smartphone devices |
Otrokh et al. | | Two-factor Authentication System Using Audio Signal Analysis |
Rahman | | An authentication middleware for prevention of information theft (AMPIT) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |