Physical access protection is an important link in an overall security strategy. Much recent attention has been given to network security, with physical access security lagging behind. Physical access should not be the weak link in the security chain. Current methods of physical access protection combine logical authentication for data center entry with racks, server chassis and front panels protected by lock and key. Several problems are inherent in this approach. First, access is all-or-nothing: a person either has the key or does not, so granular access is unavailable. Second, access is difficult to manage, with no audit record of who accessed a system and when. Keys can be copied or lost, and a lost key means the lock must be replaced. Management difficulty grows with the number of systems deployed and the number of employees with access.
Typical methods for securing hardware in a data center involve physically locking each server to prevent access to the chassis or controls without a key. Physical locks are cumbersome when many servers are deployed or when many people are allowed access to the devices.
Current techniques lack fine-grained physical access control for servers. In bladed or partitioned systems, no technique is available to deny a user access to resources the user does not own, or to grant access only to the resources the user does own. Access rights of different users are not distinguished.
Authentication can be required to enter a data center or a portion of a data center, but this does not provide access control at server granularity and gives insufficient information for an audit trail.
Securing a server or rack with a lock and key is difficult to manage as the number of servers grows. Audits are performed manually as keys are checked out.
An embodiment of control logic secures access to an electronic system. The control logic comprises an initialization logic and an operational logic. The initialization logic allocates access rights individually among a plurality of hardware and/or operation elements in the electronic system and individually secures the plurality of hardware and/or operation elements with electronic and/or software-activated access. The operational logic responds to attempted access by a user to authenticate hardware and/or operation elements and enable operation of the hardware and/or operation elements upon authentication.
Embodiments of the invention relating to both structure and method of operation may best be understood by referring to the following description and accompanying drawings:
Industry trends of server consolidation, and increased security requirements create additional incentive to seek improvements to current physical access security solutions. As servers consolidate, different entities are more likely to share server resources. Creating granular access rights at the blade, or server level promotes consolidation ensuring that each entity only has physical access to the resources owned by the entity. In addition, refining access rights to resource level and incorporating logical authentication greatly increases overall system security.
A security system and associated security techniques increase security in an electronic system such as a server by implementing electronic authentication, for example smart card, personal RFID identification, biometrics, voice or face recognition, a virtual authentication device, or the like, to gain operation or physical access to the electronic system, or part of the electronic system. Security enables the electronic system to protect resources available via physical access, for example chassis, blade, partition, disks, reset, console, keyboard, mouse, and others, at the resource level. The illustrative techniques also enable users to have individual security access rights with finer granularity. Electronic authentication for physical access enables collection of an audit trail on physical access.
The illustrative security system and security techniques enable central administration of physical access rights, simplifying operations for large installations. Central physical access right management can be incorporated and managed with logical access rights.
The illustrative security system and techniques enable fine-grained physical access to servers, with user access personalized to the blades or partitions owned by the user. A user can be permitted to operate, access, change, or remove a disk or blade, with the ownership and access rights of different users distinguished. For example, specific individuals can be authorized for different levels of access. In a server, the described security system increases the level of protection for the server, disk arrays, the rack, and any other valuable physical resource.
A server implementation of the illustrative security features scales from a single server to large servers with several partitions with utility in a single server model, but most useful when used for blades or partitioned systems. Similar scaling can be implemented for other devices such as switches, disk arrays, racks, and many other hardware or system types.
The disclosed system also enables tracking of users who physically access the server, and the time and date of access. The electronic system can be used in combination with other security tools that determine actions taken by the user during the access and correlation of access data, features that enable more complete and accurate reports for Sarbanes-Oxley reporting since users are authenticated before physical access is allowed.
Referring to
The control logic 104 comprises an initialization logic 106 that is operative to allocate access rights individually among the multiple hardware and/or operation elements 102 and individually secure the hardware and/or operation elements 102 with electronic and/or software-activated access. The control logic 104 further comprises an operational logic 108 that is operative in response to attempted access by a user to authenticate selected items of the hardware and/or operation elements 102 and to enable operation upon authentication.
The electronic system 100 further comprises an authentication block 112 which can be used to authenticate a hardware and/or operation elements 102 to enable operation or access. For example, the authentication block 112 can be authentication hardware that, for example, can prevent hardware removal unless authorized.
In some embodiments, the electronic system 100 can also include a virtual authentication block 114 and a central rights management block 116 which are coupled to a network. The virtual authentication block 114 enforces secure virtual electronic authentication. The central rights management block 116 can be used to enforce digital media access rights.
The illustrative techniques can be applied to a wide variety of electronic systems, for example to servers, partitioned servers, bladed servers, server racks, computer systems, consumer electronic systems, network systems, network switches, storage arrays, disk arrays, smart-device disk arrays, network interface controllers, storage controllers, disk controllers, and the like. Similarly, the techniques can further be applied to cellular telephones or other communication systems, entertainment systems, and the like. The techniques are generally applicable to any suitable electronic property.
For example, the illustrative system and techniques can be used for property protection in general. Device operation can be a protected function controlled by authentication, such as RFID authentication, wherein an RFID transmitter is located in the vicinity of the protected device but not inside it. RFID authentication is thus limited to the range of the RFID transmitter, so operation of the protected device can be confined to, for example, a home.
In various applications, configurations, and embodiments, a protected resource 102 can be protected using a combination of internal protection mechanisms 120 and external protection mechanisms. Referring to
Similarly, the illustrative techniques can be applied to allocate access rights and secure a wide range of hardware and/or operation elements. For example, the initialization logic 106 can be operative to allocate access rights and secure one or more hardware and/or operation elements such as servers, partitioned servers, virtualized systems, optical devices, and bladed servers. The initialization logic 106 can secure wide area network (WAN) port connections and local area network (LAN) port connections to prevent unauthorized access to data or systems on a network. The initialization logic 106 can be implemented to secure processors, central processing units (CPUs), storage devices, disk arrays, switches, embedded system devices, communication interfaces, user interfaces, blades, partitions, chassis, disks, reset buttons, consoles, keyboards, mice, trackballs, joysticks, memory, input/output (I/O) cards, power supplies, fans, field replaceable units (FRUs), light-emitting diode (LED) displays, liquid-crystal displays (LCDs), diagnostic panels, and other displays.
In general application, the illustrative electronic system 100 and associated control logic 104 can be implemented to secure electronic devices in general, home electronic devices, home and office, automobiles, and the like, for example to prevent theft.
In a partitioned system, a large server is divided into partitions, each of which can run a separate application. The partitions can be electrically isolated as hard partitions or partitioned by management software in soft partitions. In either case, access rights can be configured to match partition resource allocation and ownership. The individual partitions may be owned by different entities. The illustrative electronic system 100 and control logic 104 enable the individual partitions to be secured against access by an unauthorized entity. Physical access rights can be structured to reflect ownership so that access rights are similarly partitioned in the manner of partitioning of the hardware.
In various applications, access rights can be granulated to multiple levels. For example, some authorizations can extend to whole machines while others can enable access to individual disks, a group of blades, an individual blade, an individual resource on the blade such as a disk or reset button, or the like.
The operational logic 108 can be used with a variety of security devices, systems, and technology. For example, the operational logic 108 can be implemented to control a single security device or technology, but more likely is implemented with a capability to manage multiple types of security systems and technologies. Security technologies supported by the control logic 104 can include retina scan biometrics, fingerprint biometrics, voice recognition, image recognition, smart cards, magnetic swipe cards with an associated PIN, and personal radio frequency identification (RFID). Some implementations may use secure virtual electronic authentication. A keyboard and/or keypad entry can be used with a user name and login password. In some embodiments, a servo-electronic-activated physical barrier can be used to protect a resource.
Biometrics or smartcards can be used for operating system access. The illustrative electronic system 100 enables biometric and smartcard security for physical hardware access. Secure virtual electronic authentication can also be used to control access and operation of an operating system.
An encryption key can be implemented that enables data usage. Firmware can enable activation of a feature and/or an associated resource. Similarly, the control logic 104 can enable a run mode or execution of an operating system and/or an application which is executable by the operating system. The control logic 104 can implement security by enabling an execution mode by authorization as part of an authorization chain that sets permissions for multiple security layers. Execution mode can be selectively promoted or demoted by additional authorization.
The control logic 104 can implement security via a combination of security technologies. For example referring to
In some applications, a two-part key can be associated with a respective resource and chassis pair to enable operation only in combination. Two-part lock protection can be used to prevent a resource from removal from an authorized machine and installation in an unauthorized machine. Both portions of a lock are needed to enable operation of the resource. Two-part keys also can enable sharing of hardware resources between chassis in the same group while preventing running from other chassis.
The control logic 104 can be configured to allocate access rights according to a wide variety of considerations, according to the particular electronic system 100 and associated resource elements 102 that are protected and according to various considerations and conditions relating to the characteristics of the desired security. For example, the access rights can be granular access rights wherein individual resources have an associated access right. In some arrangements, the access rights can be locally managed, centrally managed for example using a utility such as Lightweight Directory Access Protocol (LDAP) or other protocols, or can be globally managed.
The access rights can be managed to change dynamically with partitioning and/or virtualization, with ownership changes tracked. For example, an error condition in a memory module can be detected, and the detection event can trigger an access right limited to the failed module so that it can be serviced without exposing the rest of the system.
Group access rights can be managed according to user, resource, machine, and/or location. Referring to
In a particular application, chassis and servers can be assigned to groups owned by an entity and accessible interchangeably within that group. For example, a blade can be removed from a server but the access rights can be implemented so that the blade is not functional in another server that does not have authorization. In another example, an RFID key in a data center can tie a resource to a location. In a further example, access rights can be assigned at manufacture specifying access for only certain authorized technicians. In some applications, access rights can be used to define resource capabilities.
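The two-part key of the preceding paragraphs (a resource half and a chassis half, both needed to operate, with sharing allowed among chassis of the same group) can be realized with a keyed hash. The following is an added example, not the patent's own mechanism: it assumes each owner group has one group key held by the management processor of every chassis in the group, and that the resource's half is an HMAC of its identifier under that key, stored on the resource at provisioning. The identifiers, keys and storage locations are constructed for illustration.

```python
"""Added example: two-part key binding a removable resource to a chassis group."""
from __future__ import annotations

import hashlib
import hmac


def resource_half(group_key: bytes, resource_id: str) -> bytes:
    """Half stored on the resource at provisioning (assumed: its FRU EEPROM).
    It is an HMAC of the resource id under the group key, so holding this half
    does not reveal the chassis half (the group key) itself."""
    return hmac.new(group_key, b"resource:" + resource_id.encode(), hashlib.sha256).digest()


class Chassis:
    """A chassis holds the other half: the group key, kept by its management
    processor (assumed tamper-resistant storage). All chassis of one owner group
    share the group key, so a resource may move between them but not outside."""

    def __init__(self, chassis_id: str, group_key: bytes) -> None:
        self.chassis_id = chassis_id
        self._group_key = group_key

    def may_operate(self, resource_id: str, presented_half: bytes) -> bool:
        expected = resource_half(self._group_key, resource_id)
        # Constant-time comparison; on mismatch the resource stays disabled.
        return hmac.compare_digest(expected, presented_half)


class Blade:
    """A removable resource carrying its own key half."""

    def __init__(self, resource_id: str, key_half: bytes) -> None:
        self.resource_id = resource_id
        self.key_half = key_half

    def insert_into(self, chassis: Chassis) -> bool:
        return chassis.may_operate(self.resource_id, self.key_half)


def demo() -> dict[str, bool]:
    """Constructed scenario with fixed group keys (real keys would be random)."""
    key_group_a = hashlib.sha256(b"group-a-key").digest()
    key_group_b = hashlib.sha256(b"group-b-key").digest()
    chassis_a1 = Chassis("a1", key_group_a)
    chassis_a2 = Chassis("a2", key_group_a)
    chassis_b1 = Chassis("b1", key_group_b)

    blade = Blade("blade-7", resource_half(key_group_a, "blade-7"))
    # A half copied from blade-7 onto a differently numbered blade is rejected,
    # because the half is bound to the resource id as well as to the group.
    cloned = Blade("blade-8", resource_half(key_group_a, "blade-7"))

    return {
        "home_chassis": blade.insert_into(chassis_a1),
        "same_group_chassis": blade.insert_into(chassis_a2),
        "other_group_chassis": blade.insert_into(chassis_b1),
        "cloned_half_wrong_id": cloned.insert_into(chassis_a1),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'operate' if allowed else 'disabled'}")
```

The security of the binding rests entirely on the chassis half staying inside the management processor; if the group key can be read out of one chassis, every resource in the group can be unlocked elsewhere.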
Access rights can be determined based on the operating system.
In some implementations, access rights can be determined by hardware. For example, the occurrence of an event can trigger access rights which enable access to malfunctioning hardware. By tying access rights to both the hardware and the event, malfunctioning or broken hardware can be accessed for repair.
Access rights can be allocated according to resource capability and/or functionality. For example, access rights can depend on model number. In some applications, access rights can interoperate with the operating system and executable applications to enable and disable features. Access rights can be allocated so that authentication is required to enable firmware and/or software features. Access rights can be allocated as physical access permissions for bootstrap loading while an operating system is executing. For example, physical access rights can be tied to licensing, which enables and disables features according to license rights.
The control logic 104 can be operated so that access rights are determined by location of the resource elements 102. Access rights can be allocated to hardware in groups or can be allocated to multiple users. Access rights can be paired according to user and resource, or according to user and location. Similarly, access rights can be allocated based on a combination of user, resource, and location.
Access rights can be encoded and/or encrypted to prevent tampering. Access rights can be allocated according to date and time. Access rights can be configured to prevent removal of a resource from a system. Similarly, access rights can be configured to require authentication for bootstrap loading of an operating system. In some applications, access rights can require the correct running mode for executing software, an example of the general technique of implementing access rights to protect resource usage. Access rights can limit operation to a designated location, for example to a designated shipping address or an RFID data center location key.
Access rights can be tracked during resource operation. Access rights can be queried by an operating system or executable application during a working session, and can be promoted and/or demoted during the working session. For example, at bootstrap loading a relatively high authorization can be set for operation at a root level and authorization demoted to an operator level subsequently.
In applications for facility security, such as data center security for a network of clients and servers, access rights can protect LAN port connections in a server or switch.
Access rights can be determined by events and/or conditions. For example, access rights can be enabled to activate a resource that is disabled by default. In another application, access rights can be activated by shipping of resource to an address.
In an example embodiment, electronic system hardware can have electronic authentication using an available technology such as retina or fingerprint biometrics, smart card, or personal RFID identification. In other examples, electronic system management software can perform secure virtual electronic authentication. Server hardware resources including blades, partitions, chassis, disks, reset button, console, keyboard, mouse, and the like, can each have an associated access right. Each protected resource can have either an electronically activated physical lock, in the case of chassis, blades, disks, and memory, or an electronic means of disabling operation, such as a multiplexer for the reset button, keyboard, console, and mouse.
In some examples, the protection mechanism can be controlled by management software that reads a hardware authentication method and validates the user against an internal or external (LDAP) access list. Once validated, the user's access rights are checked. Management software then enables only those features for which the user is authorized; if the access list cannot be consulted, the protection mechanisms remain engaged rather than defaulting to open.
User login and possibly access rights can be recorded in a management audit log. A second authentication or a timeout can log the user out when done.
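The validate, check-rights, enable, audit and timeout steps just described can be illustrated by the following added example (illustrative code, not the patent's implementation). It assumes a constructed in-memory access list standing in for the internal or LDAP directory, resource names of the form `blade3.disk0`, a right scoped to a parent resource covering its sub-resources, and an optional maintenance window on a right; credentials, users and times are constructed.

```python
"""Added example: management-subsystem authentication, per-resource enablement,
audit trail and session timeout for physical access."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for the internal/LDAP access list: user -> (credential
# digest, groups). A deployment would query the directory instead.
ACCESS_LIST: dict[str, tuple[str, set[str]]] = {
    "alice": (hashlib.sha256(b"smartcard-token-alice").hexdigest(), {"blade-owners-a"}),
    "bob": (hashlib.sha256(b"rfid-token-bob").hexdigest(), {"field-techs"}),
}


@dataclass(frozen=True)
class Right:
    """A principal (user name or 'group:<name>') may use a resource, optionally
    only inside the maintenance window [start, end)."""
    principal: str
    resource: str                  # 'blade3' also covers 'blade3.disk0', 'blade3.reset'
    start: datetime | None = None
    end: datetime | None = None

    def applies(self, user: str, groups: set[str], resource: str, now: datetime) -> bool:
        if self.principal not in ({user} | {f"group:{g}" for g in groups}):
            return False
        if resource != self.resource and not resource.startswith(self.resource + "."):
            return False
        if self.start is not None and now < self.start:
            return False
        if self.end is not None and now >= self.end:
            return False
        return True


@dataclass
class Session:
    user: str
    last_seen: datetime
    enabled: set[str] = field(default_factory=set)   # resources currently unlocked


class PhysicalAccessManager:
    """Validates the user, checks per-resource rights, enables only authorized
    mechanisms and records every decision in an audit log."""

    def __init__(self, rights: list[Right], timeout: timedelta = timedelta(minutes=5)) -> None:
        self.rights = list(rights)
        self.timeout = timeout
        self.sessions: dict[str, Session] = {}
        self.audit: list[tuple[datetime, str, str, str]] = []   # (time, user, resource, event)

    def authenticate(self, user: str, credential: bytes, now: datetime) -> bool:
        entry = ACCESS_LIST.get(user)
        presented = hashlib.sha256(credential).hexdigest()
        stored = entry[0] if entry else "0" * 64        # compare anyway: uniform timing
        if entry is None or not hmac.compare_digest(stored, presented):
            self.audit.append((now, user, "-", "auth-fail"))
            return False
        self.sessions[user] = Session(user, now)
        self.audit.append((now, user, "-", "login"))
        return True

    def request(self, user: str, resource: str, now: datetime) -> bool:
        session = self.sessions.get(user)
        if session is not None and now - session.last_seen > self.timeout:
            self.logout(user, now, reason="timeout")    # idle session: re-lock everything
            session = None
        if session is None:
            self.audit.append((now, user, resource, "denied:no-session"))
            return False
        session.last_seen = now
        groups = ACCESS_LIST[user][1]
        if any(r.applies(user, groups, resource, now) for r in self.rights):
            session.enabled.add(resource)               # e.g. release the blade latch
            self.audit.append((now, user, resource, "enabled"))
            return True
        self.audit.append((now, user, resource, "denied"))   # default state stays locked
        return False

    def logout(self, user: str, now: datetime, reason: str = "logout") -> None:
        session = self.sessions.pop(user, None)
        if session is None:
            return
        for resource in sorted(session.enabled):
            self.audit.append((now, user, resource, "disabled"))   # re-engage the lock
        self.audit.append((now, user, "-", reason))


def demo() -> dict[str, object]:
    """Constructed scenario: alice's group owns blade3; bob may open the chassis
    only between 09:00 and 11:00 on 2024-03-01; idle sessions expire after 1 h."""
    window = (datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 11, 0))
    mgr = PhysicalAccessManager(
        [Right("group:blade-owners-a", "blade3"), Right("bob", "chassis.door", *window)],
        timeout=timedelta(hours=1),
    )
    t0 = datetime(2024, 3, 1, 10, 0)
    results: dict[str, object] = {
        "alice_login": mgr.authenticate("alice", b"smartcard-token-alice", t0),
        "alice_own_disk": mgr.request("alice", "blade3.disk0", t0),
        "alice_other_reset": mgr.request("alice", "blade5.reset", t0),
        "bob_login": mgr.authenticate("bob", b"rfid-token-bob", t0),
        "bob_door_in_window": mgr.request("bob", "chassis.door", t0 + timedelta(minutes=30)),
        "bob_door_after_window": mgr.request("bob", "chassis.door", t0 + timedelta(minutes=75)),
        "alice_after_timeout": mgr.request("alice", "blade3.disk0", t0 + timedelta(hours=2)),
        "mallory_login": mgr.authenticate("mallory", b"guess", t0),
    }
    results["audit_events"] = [event for _, _, _, event in mgr.audit]
    return results
```

Every decision, including denials and the automatic re-locking on timeout, lands in the audit list with user, resource and time, which is the record the manual key-checkout process of the background section cannot provide.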
Implementing fine-grained physical access control with audit capabilities enables significant security control and reporting, which is particularly useful in bladed or partitioned servers wherein different entities may own different parts of the server. For example, the illustrative access control can eliminate usage of unauthorized software by preventing addition of a new disk or usage of a compact disk (CD) or digital versatile disk (DVD). A single user mode attack can be prevented by protecting access to the video graphics array (VGA) console and keyboard.
The described electronic system 100 and control logic 104 enable protection of all physical resources of the server individually and prevent removal of valuable hardware such as a blade, a disk, memory, or a CPU. The system 100 also prevents the addition of unauthorized software by way of a new disk or DVD. The electronic system 100 prevents local attacks by disabling the keyboard and console, and the reset button.
The electronic system 100 enables users to have individual access levels.
Protection for the electronic system 100 can be implemented according to two general considerations. A first step is enumerating all resources to be protected and identifying a protection method for each resource. Next, a logical authentication technique is implemented to grant physical access, for example using a management hardware device that runs when system power is off. Typically, many servers include some type of management processor. This management processor can be extended to control the protection mechanisms and authenticate users to grant access to physical resources.
Partitioning system resources to a device level enables more stringent and flexible physical access policies. Any valuable resource or access permission can be identified. Resources can be anything with value, including blades, disks, central processing units (CPUs), dual inline memory modules (DIMMs), and the like. Access permissions relate to authorization to access at least part of the system. Relevant permissions include opening a chassis, input to a keyboard, and viewing console output, for example. After identifying the resources to protect, weighing the cost of protection against the likelihood and consequences of resource exploitation, a protection mechanism for each resource is identified. Most resources can be protected with a servo-activated locking mechanism, but others may be protected by a disabling feature in the manageability subsystem. The manageability subsystem controls the resource protection.
Logical authentication by smart card, biometrics, RFID, or password involves additional hardware to receive user information for authentication. Several methods can be combined to enable multi-factor authentication. The manageability subsystem authenticates the user and determines access rights. Logical authentication can support many users, each of which may have different access rights. Management of users and physical access rights can be centralized using a directory service.
The combined security for multiple resources enables security policies for physical access to the resource level. Multiple people can have different access rights to the same machine which is particularly useful in the case of blades or partitioned systems where resource ownership may be divided between many parties. Each party can be granted access only to the resources they own. Moreover, the security technique can adapt quickly without user interaction to handle dynamic partitioning, and can be extended to virtualized systems for cases that a virtual machine can communicate resource ownership information to management hardware.
Referring to
In various applications or implementations, the hardware and/or operation elements can be secured 204, for example by preventing removal of a hardware element with a lock, and/or by disabling the hardware and/or operation element if it is removed. Another technique secures both removal and the operating environment of a hardware element with a two-part lock for the respective hardware element and the operating environment. Also, an operation can be secured by requiring authentication for hardware element operation.
In some configurations, access permission can be associated in groups.
In some examples, theft can be deterred by enabling operation only by authentication.
For some applications, removal of a hardware and/or operation element can be disabled until access is authenticated. An example electronic system can have a default condition in which functionality of a hardware and/or operation element is disabled. Functionality of the hardware and/or operation element can be enabled by authentication. In other applications, functionality of a hardware and/or operation element can be disabled by removal of the element from an operating environment, rendering the element non-operational.
In a particular example, referring to
In some embodiments, secured access to the electronic system can further be controlled 210 by checking 218 user access rights for a validated user and enabling 219 features according to the user access rights.
Referring to
Referring to
In some implementations, access rights can be dynamically changed 238 based on the detected event and/or condition.
In another embodiment, secured access to the electronic system can be controlled for a shared hardware and/or operation element by defining multiple authorization domains for the shared element. Operation and/or access rights are enabled for the shared hardware and/or operation element upon successive authentications for each of the multiple authorization domains.
The described electronic system and associated techniques enable protection of individual physical hardware resources, and further enable administrators to grant physical access to resources on a need-to-have basis, thus greatly improving security.
Resource security is becoming increasingly important to government and business users. Much of the attention on security is focused on the network and application, with physical access threats at the server level overlooked. The illustrative electronic system and associated methods enable security at the server level and even the lowest component levels, as well as at the network and application levels.
The illustrative system and methods provide protection beyond current methods by allowing access to each server resource on a need-to-have basis. Complex security policies can be realized. Access can be granted per resource based on user ID and an expected maintenance time. For example, a specified user can be allowed to access the chassis for processor upgrades, but only on a particular date during a particular time window. The illustrative flexible technique can be tailored to particular security policies.
Using logical access authentication rather than lock and key can greatly simplify physical access management. Adding and removing users becomes trivial without changing physical locks. Users can easily be grouped into access groups which can be managed easily. Predefined group permissions simplify definition of user rights. Management of physical access rights can be centralized.
The illustrative security platform is easily extensible. Auditing facilitates tracking of login identity for physical access, as well as time and actions performed during the physical access, supplying information compilation and security reporting, for example for compliance with various regulatory bodies. New features can be easily developed to comply with future regulations.
Terms “substantially”, “essentially”, or “approximately”, that may be used herein, relate to an industry-accepted tolerance to the corresponding term. Such an industry-accepted tolerance ranges from less than one percent to twenty percent and corresponds to, but is not limited to, functionality, values, process variations, sizes, operating speeds, and the like. The term “coupled”, as may be used herein, includes direct coupling and indirect coupling via another component, element, circuit, or module where, for indirect coupling, the intervening component, element, circuit, or module does not modify the information of a signal but may adjust its current level, voltage level, and/or power level. Inferred coupling, for example where one element is coupled to another element by inference, includes direct and indirect coupling between two elements in the same manner as “coupled”.
The illustrative block diagrams and flow charts depict process steps or blocks that may represent modules, segments, or portions of code that include one or more executable instructions for implementing specific logical functions or steps in the process. Although the particular examples illustrate specific process steps or acts, many alternative implementations are possible and commonly made by simple design choice. Acts and steps may be executed in different order from the specific description herein, based on considerations of function, purpose, conformance to standard, legacy structure, and the like.
While the present disclosure describes various embodiments, these embodiments are to be understood as illustrative and do not limit the claim scope. Many variations, modifications, additions and improvements of the described embodiments are possible. For example, those having ordinary skill in the art will readily implement the steps necessary to provide the structures and methods disclosed herein, and will understand that the process parameters, materials, and dimensions are given by way of example only. The parameters, materials, and dimensions can be varied to achieve the desired structure as well as modifications, which are within the scope of the claims. Variations and modifications of the embodiments disclosed herein may also be made while remaining within the scope of the following claims.