Patent Application
20240289478
Embodiments disclosed herein relate generally to data access management. More particularly, embodiments disclosed herein relate to systems and methods to manage secure access to sensitive data.
Computing devices may provide computer implemented services. The computer implemented services may be used by users of the computing devices and/or devices operably connected to the computing devices. Computing devices may utilize sensitive data when providing computer implemented services. Computer security measures may be implemented to protect sensitive data while performing the computer implemented services.
Embodiments disclosed herein are illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements.
Various embodiments will be described with reference to details discussed below, and the accompanying drawings will illustrate the various embodiments. The following description and drawings are illustrative and are not to be construed as limiting. Numerous specific details are described to provide a thorough understanding of various embodiments. However, in certain instances, well-known or conventional details are not described in order to provide a concise discussion of embodiments disclosed herein.
Reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in conjunction with the embodiment can be included in at least one embodiment. The appearances of the phrases “in one embodiment” and “an embodiment” in various places in the specification do not necessarily all refer to the same embodiment.
References to an “operable connection” or “operably connected” means that a particular device is able to communicate with one or more other devices. The devices themselves may be directly connected to one another or may be indirectly connected to one another through any number of intermediary devices, such as in a network topology.
In general, embodiments disclosed herein relate to methods and systems for managing access to data stored in a data storage system. A data storage system may be used to store sensitive data, to which malicious parties may attempt to gain access. The security of this sensitive data may depend on data security measures (e.g., access control measures) implemented around the data storage system.
For example, access control measures such as user authentication (e.g., username and password combinations) may be implemented. However, a malicious party may gain access to the credentials of an authorized user, allowing the malicious party to gain access to the user's end device and any sensitive data transferred to the end device from data storage.
The malicious party may gain access to sensitive data through virtual methods (e.g., remote access into the end device using the compromised user credentials) and/or through physical methods (e.g., gaining physical access to the end device and using the compromised credentials to gain access). However, a malicious party may gain access to sensitive data without obtaining user credentials. For example, an authorized user may access sensitive data obtained via an approved data access request in an environment (e.g., a public environment). A malicious party present in the environment may be able to gain physical access (e.g., visual access) to the sensitive data while the sensitive data is being made accessible to the authorized user.
To increase the security of sensitive data, additional security access mechanisms may be implemented. The additional mechanisms may include a security registration process for combinations of users and the devices of users (e.g., end devices and/or auxiliary devices associated with end devices), and environmental monitoring devices (e.g., using sensing devices to determine whether parties other than the registered user are present in the environment).
The registration process may assign cryptographic key pairs to registered user-device combinations (e.g., a user, the end device of a user, the display device associated with the end device, and/or sensing device associated with the display device). If a user of an end device with associated display and/or environmental monitoring devices requests sensitive data from the data storage system, the assigned key pairs may be used to authenticate the user-device combination. Additionally, before providing the user with the sensitive data, an environmental check must be passed (e.g., the environment must be secure), based on the analysis of data collected by environmental monitoring devices. Once the user and end device are validated and the environmental check is passed, the sensitive data may be encrypted using device-specific encryption (e.g., using a key pair established during registration).
The encrypted data may be transmitted to the display device where an independent decryption process may be initiated by the user. The decryption process may be performed using a key stored on the display device (e.g., established during registration), thereby protecting the sensitive data from a malicious party that may gain access to the end device. The decryption process may be performed provided the environment remains secure (e.g., via real-time environmental checks); otherwise, the decryption process may be prevented, or the sensitive data may be rendered inaccessible.
By doing so, an improved computing device and/or distributed system may be obtained. The improved device and/or system may prevent malicious parties from accessing sensitive data required to provide the computer implemented services.
In an embodiment, a computer implemented method for managing access to data stored in a data storage system is provided. The method may include: obtaining a data access request for a portion of the data, the data access request being from a user located in an environment, and the data access request being obtained from a requesting device, the requesting device being used by the user; and, making a first determination regarding whether the requesting device and the user can be validated and that the portion of data includes sensitive data.
In a first instance of the first determination where both the requesting device and the user are validated, and the portion of the data includes the sensitive data, the method may include performing an environmental check based on activity in the environment, the environment being monitored by an environmental monitoring system to determine whether the environment is secure.
In a first instance of the environmental check where the environment is secure, the method may include: identifying a portion of a first key pair associated with the user, the requesting device, a display device associated with the requesting device, and the environmental monitoring system; encrypting the sensitive data of the portion of the data using the portion of the first key pair to obtain encrypted data; and, providing at least the encrypted data to the display device.
The method may also include, after the sensitive data has been accessed by the user, performing a second environmental check to determine whether the environment is secure.
In a first instance of the second environmental check where the environment is unsecure, the method may include performing an obfuscation operation rendering the sensitive data temporarily inaccessible. Performing the obfuscation operation may include disabling the display device that is displaying the sensitive data.
Performing the environmental check may include: collecting environmental data using sensing devices of the environmental monitoring system, the environmental data comprising a type of data selected from a group of types of data consisting of audio data, video data, thermal data, and electromagnetic data; and, making, based on the environmental data, a second determination regarding whether an unauthorized person is within a minimum proximity to the display device.
In a first instance of the second determination where the unauthorized person is within a proximity inferior to the minimum proximity, the method may include performing the obfuscation operation rendering the sensitive data temporarily inaccessible.
The environmental monitoring system may use the sensing devices to record the environmental data, and the sensing devices may include at least one sensing device selected from a group of sensing devices consisting of a camera, a microphone, and a proximity sensor.
The display device may include the sensing device. The sensing device may be separate from the display device, and the display device may be at least partially in a field of sensing of the sensing device.
The activity in the environment may include presence of an unauthorized person in a portion of the environment monitored by the sensing devices, or absence of an authorized user in the portion of the environment, and the authorized user having requested the sensitive data.
The method may also include, prior to obtaining the data access request, performing a registration process for the user, the requesting device, the display device, and the environmental monitoring system with respect to the data storage system, the registration process obtaining the first key pair and distributing portions of the first key pair to the display device and the data storage system.
Distributing the portions of the first key pair may include: obtaining a first public key certificate based on a first public key of the first key pair; and, providing the first public key certificate to the data storage system, the data storage system associating the first public key certificate with the user, the requesting device, the display device, the environmental monitoring system.
The method may also include, in a second instance of the environmental check where the environment is unsecure, denying the data access request.
The method may also include, in a second instance of the first determination where both the requesting device and the user are validated, and the portion of the data comprises insensitive data, providing the portion of the data to the requesting device.
In an embodiment, a non-transitory media is provided. The non-transitory media may include instructions that when executed by a processor cause the computer implemented method to be performed.
In an embodiment, a data processing system is provided. The data processing system may include the non-transitory media and a processor, and may perform the computer implemented method when the computer instructions are executed by the process.
Turning to
For example, all, or a portion, of data processing systems 102 may provide computer implemented services to users and/or other computing devices operably connected to data processing systems 102. The computer implemented services may include any type and quantity of services including, for example, database services, instant messaging services, video conferencing services, etc. Different systems may provide similar and/or different computer implemented services.
To provide the computer implemented services, data processing systems 102 may host applications that provide these (and/or other) computer implemented services. The applications may be hosted by one or more of data processing systems 102. One or more of data processing systems 102 may access data stored in data storage system 104 (e.g., via operable connection 106) and/or display accessed data on display systems 103 in order to provide all or a portion of the computer implemented services.
Display systems 103 may include any number of auxiliary devices operably connected to one or more of data processing systems 102. Display systems 103 may include a data processing system that operates independently from data processing systems 102. For example, the auxiliary devices may output data in a visual and/or tactile form if implemented using monitors, mobile displays, projectors, etc., and/or provide other types of functions if implemented using other types of auxiliary devices such as printers, keyboards, mice, etc.
Any of display systems 103 may independently and/or cooperatively display data received through an operable connection to another device. For example, a display system of display systems 103 may display information received from any of data processing systems 102 via operable connection 107.
Display systems 103 may receive data (e.g., environmental data) from environmental monitoring system 114. For example, environmental monitoring system 114 may be operably connected to display systems 103 via operable connection 109. Environmental monitoring system 114 may collect environmental data such as audio data, video data, and/or thermal data, using one or more sensing devices (e.g., microphones, cameras, proximity sensors). Environmental monitoring system 114 may operate as part of display systems 103 and/or may operate independently from display systems 103 (e.g., as one or more peripheral devices).
Any of data processing systems 102 and components thereof, as well as hosted entities (e.g., applications that provide computer implemented services, other applications that manage the operation of data processing systems 102, etc.), may be subject to attacks performed by malicious parties. For example, a malicious party may gain access to any of data processing systems 102 (e.g., by compromising user credentials, passwords, and/or other type of access control data). If the malicious party gains access to any of data processing systems 102, the malicious party may gain access to data accessible by the data processing systems.
Consequently, if any of data processing systems 102 are able to access data stored in data storage system 104 while compromised, the data stored in data storage system 104 may also be compromised.
Data storage system 104 may store sensitive data and/or insensitive data. Data storage system 104 may obtain data access requests for data (e.g., including sensitive data) from any of data processing systems 102, and may, in turn, provide the requested data to data processing systems 102.
In general, embodiments disclosed herein may provide systems, devices, and methods for managing access to sensitive data by implementing data access security control mechanisms. The access control mechanisms may limit access to data stored in data storage system 104. The access may be limited through (i) environmental checks (e.g., based on the analysis of environmental data), (ii) registration processes, (iii) device-specific encryption of the data, and/or (iv) redirection of data from requesting entities to other entities. By doing so, sensitive data from data storage system 104 that is accessed by a compromised data processing system may be less likely to be divulged to malicious parties by virtue of the data access limiting framework implemented by the system.
To provide its functionality, data storage system 104 may implement the registration processes, the environmental checks, the device-specific encryption, and/or redirection of data from requesting entities to other associated entities.
To perform the registration processes, data storage system 104 may (i) receive user identification and/or device identification information (e.g., from a data processing system) thereby establishing a registered quadruple including a user, an end device, one or more associated auxiliary devices, such as a display device and/or a sensing device (e.g., a registered user-device combination), and an environmental monitoring system that may monitor an environment in which the display device and/or end device is positioned, (ii) obtain cryptographic key pairs based on the user identification and device identification information (e.g., for each user-device combination), (iii) generate certificates (e.g., public key certificates for the validation of devices and/or systems), and/or (iv) provide the key pairs and/or certificates to devices (e.g., to the end device, the display device, and/or the data storage system) that may participate in the data access control system. Refer to
To perform an environmental check, environmental data, collected by one or more sensing devices (e.g., of environmental monitoring systems) situated in the environment in which the end device and/or auxiliary devices are used to access the sensitive data, may be analyzed (e.g., in real-time). Based on the analysis, data storage system 104 may (i) receive a notification (e.g., from environmental monitoring system 114) that an environmental threat such as an unauthorized person (e.g., a malicious party) is present in the environment, and based on the environmental threat, (ii) deny an access request, and/or (iii) send a notification to an auxiliary device (e.g., a display device associated with the requesting device) to render the sensitive data inaccessible to the user and therefore the unauthorized person (e.g., a malicious party).
To perform device-specific encryption and data redirection, data storage system 104 may (i) obtain data access requests for data from users of end devices, (ii) perform validations of the user, the end device, an auxiliary device (e.g., a display device used by the user in making the data access request and/or a sensing device of an environmental monitoring system) associated with the end device that originated the access request, (iii) perform validations of the security of the environment through environmental checks, (iv) when all validations are successful, encrypt the requested data (e.g., using a public key of a key pair established during registration of the user, the end device, and the display device), (v) provide the encrypted data to the display device (as opposed to the end device), and/or (vi) deny access requests for users or devices (e.g., one or more of them) that cannot be validated.
For example, a display system of display systems 103 may receive data (e.g., input media) from data storage system 104 through operable connection 108. By providing the sensitive data to display systems 103 directly (e.g., circumventing data processing systems 102), in the event that one or more of data processing systems 102 are compromised (e.g., via spyware and/or malicious party access), the sensitive data may be screened from the malicious party. Refer to
By doing so, a system in accordance with embodiments disclosed herein may provide a method for managing access to sensitive data by reducing and/or preventing access of the data by malicious parties that may leak the data and/or use the data for other purposes.
When providing its functionality, data storage system 104 may perform all, or a portion, of the method and/or actions shown in
Data processing systems 102 and/or data storage system 104 may be implemented using a computing device such as a host or server, a personal computer (e.g., desktops, laptops, and tablets), a “thin” client, a personal digital assistant (PDA), a Web enabled appliance, or a mobile phone (e.g., Smartphone), an embedded system, local controllers, and/or any other type of data processing device or system. For additional details regarding computing devices, refer to
Any of the components illustrated in
While illustrated in
Turning to
To do so, data processing system 102A of data processing systems 102 may provide registration system 110 with information regarding authorized users and/or devices (e.g., end devices, display devices, and/or sensing devices). For example, an auxiliary device such as display system 103A may be associated with (e.g., operably connected to) data processing system 102A and may receive media output for display from data processing system 102A. A sensing device (not shown) may be associated with (e.g., operably connected to or included as part of) display system 103A. One or more sensing devices may record data (e.g., audio data, video data, etc.) and may be included in an environmental monitoring system.
Information such as user identifiers (e.g., usernames), security information for the user identifiers (cryptographically secure identifiers), device identifiers (e.g., of an end device and/or display device), and/or environmental monitoring system information (e.g., sensing device identifiers) may be used by registration system 110 to link a cryptographic key pair to a specific combination of registered user and/or associated registered devices (e.g., sensing devices, end devices, and/or display devices).
For example, once a user, a sensing device, an end device, and a display device associated with the end device are registered (e.g., the user and devices may be subject to any number of validation processes during the registration process), one or more key pairs may be generated for and/or be associated with the user-device combination.
Registration system 110 may (i) obtain key pairs and/or certificates from another device, (ii) generate key pairs and/or certificates, (iii) assign key pairs to user-device combinations, (iv) distribute key pairs to systems and/or devices (e.g., data processing system 102A, display system 103A, data storage system 104, and/or a sensing device of an environmental monitoring system (not shown)), and/or (v) facilitate distribution of portions of key pairs. The key pairs may be associated with a user, a device, and/or a combination thereof, and may include a public key and a private key. The key pair associations (e.g., to users and devices) may be retained by registration system 110.
For example, during registration of data processing system 102A, a key pair may be generated, or a portion of a key pair (e.g., a public key) may be provided to registration system 110 by data processing system 102A. The public portion of the key pair may be provided as part of a certificate to data storage system 104 (and/or a certificate may be generated using the public portion). The certificate may be signed by a trusted entity (e.g., registration system 110).
Registration system 110 may be a part of data storage system 104 and/or may operate independently (e.g., may be a third-party registration system) from data storage system 104. Registration system 110 may distribute (e.g., transfer over an encrypted channel) a portion of the generated key pair (e.g., the public key) to data storage system 104, where the portion of the key pair may be stored. Another portion of the key pair (e.g., the private key) may be distributed securely to a registered display device (e.g., display system 103A) that is associated with a registered end device (e.g., data processing system 102A), a registered user (e.g., a user of data processing system 102A), and a registered sensing device. The private key may then be stored on the registered display device, and the key pair may be used to encrypt and/or decrypt data transferred between data storage system 104 and the registered display device (e.g., display system 103A).
Any number of key pairs may be obtained, generated, and/or distributed for any number of user/end device combinations during the registration process. For example, registration system 110 may distribute the public key of a key pair to data storage system 104 and may provide the private key to data processing system 102A. This key pair may be used to in a validation process between data storage system 104 and data processing system 102A (e.g., to validate data access requests received by data storage system 104 from data processing system 102A).
Thus, as illustrated in
Turning to
In order to access data from data storage system 104, data processing system 102A may send a data access request to data storage system 104. The request may be for a portion of data, which may include sensitive data. The data access request may include information regarding (i) the requesting end device (e.g., data processing system 102A), (ii) the user of the requesting device, (iii) the display device associated with the end device, (iv) the sensing device associated with the display device, and/or (v) the portion of requested data. The data access request may be encrypted using a private key of a key pair assigned during registration of the user-device combination (e.g., the user, the end device, the sensing device, and the display device).
When the access request is received, data storage system 104 may initiate verification process 112 based on the information from the data access request. Verification process 112 may be performed by data storage system 104 and/or may be performed independently of data storage system 104 (e.g., by another device acting as an agent for data storage system 104).
Verification process 112 may include (i) attempting to validate the requesting device, (ii) attempting to validate the requesting user, and/or (iii) determining whether the user-device pair (e.g., data processing system 102A and a user thereof) can be authenticated based on the outcomes of the validation attempts. To attempt to validate the user, access credentials (e.g., passwords, other data usable to validate a user on a domain or other type of user-based computing environment) for the user may be used to ascertain whether the user is valid. For example, the combination of the username and access credentials may be forwarded to a domain controller for review, or may be otherwise used to attempt to validate the user.
To attempt to validate the requesting device, the encrypted access request may be attempted to be decrypted using the public key from the certificate (e.g., established during registration). If the decryption is successful, then the requesting device may be considered to have been validated (e.g., since only the requesting device should have access to the corresponding private key).
Once the requesting device and user are validated, verification process 112 may verify that (i) a display device associated with the requesting device (e.g., display system 103A), and/or (ii) a sensing device associated with the display device (e.g., a sensing device of environmental monitoring system 114) are registered and associated with the user and the requesting device.
Environmental monitoring system 114 may perform an environmental check by (i) collecting environmental data using any number of sensing devices, (ii) analyzing the collected environmental data, and/or (iii) generating an environmental status (e.g., secure, unsecure, unknown, etc.) based on the analysis of the environmental data. The environmental status may describe the security of the environment (e.g., the presence of an unauthorized and/or malicious party) in which the display device is located. The environmental status may be represented as Boolean (e.g., secure, or unsecure) or may be represented as a probability or likelihood of being secure (or unsecure).
The environmental status may be used in verification process 112 to validate the environment of the display device (e.g., based on the environmental check), and may affect the transfer of sensitive data from data storage system 104 (e.g., access to sensitive data may be approved or denied). Accordingly, if a malicious party is physically present in the environment where sensitive data is intended to be viewed (e.g., based on the analysis of environmental data recorded by the sensing device), the sensitive data access request may be denied, to prevent the malicious party from gaining access (e.g., over the shoulder of the authorized user) to the sensitive data.
In the event that both the user-device pair is validated and the environment is secure, the portion of data may be prepared for transfer to the verified display device (e.g., display system 103A). If the portion of requested data includes sensitive data, the sensitive data may be encrypted. For example, the sensitive data may be encrypted by data storage system 104 using a public key of display system 103A (e.g., from the certificate established during registration). The requested data (e.g., with sensitive data being encrypted) may be transferred over a secure channel using a security protocol (e.g., mutual transport layer security) to data processing system 102A (e.g., via operable connection 106). Data processing system 102A may then transfer the requested data to display system 103A. Alternatively, the requested data may be transferred from data storage system 104 to display system 103A directly, bypassing the requesting device (e.g., data processing system 102A) via operable connection 108.
Thus, when received by one of data processing system 102A and/or display system 103A, the sensitive data may be encrypted and may not be accessible without being decrypted. Accordingly, if a malicious party has compromised data processing system 102A, the malicious party may not be able to access the sensitive data because the private key that may be used to decrypt the sensitive data may be stored on another device (e.g., display system 103A) that the malicious party may not have knowledge of and/or have access to.
The encrypted data may be decrypted by display system 103A using a private key (e.g., established during registration of the user-device combination). The decrypted data may then be accessed (e.g., viewed) on display system 103A by the validated user. While sensitive data is being accessed by an authorized user, environmental monitoring system 114 may continuously collect environmental data (e.g., audio, video, thermal, electromagnetic, etc.) to monitor the security of the environment in real-time.
The environmental data may be analyzed in real-time by environmental monitoring system 114 and/or an independent system used for the analysis of sensing data. The analysis of the sensing data may yield an environmental status update (e.g., the environment may be updated from secure to unsecure).
Environmental monitoring system 114 may send the environmental status update to data storage system 104, data processing system 102A, and/or directly to display system 103A (e.g., while sensitive data is being accessed by the authorized user). Upon receipt of the environmental status update, display system 103A may perform an obfuscation operation to render the sensitive data inaccessible (e.g., the display system may be disabled if the environment is deemed unsecure via real-time analysis of environmental data). Accordingly, if a malicious party enters a secure environment in which sensitive data is being viewed, the sensitive data may be rendered inaccessible (e.g., to the user and the malicious party).
Thus, as illustrated in
As discussed above, the components of
Turning to
At operation 302, a data access request for a portion of data may be obtained from a requesting device. The data access request may be obtained, for example, by receiving the data access request from a data processing system. The data access request may be obtained by a data storage system via network communications between the data storage system and the data processing system. The data access request may be received from a user (e.g., a user of the requesting device) located in an environment.
The data access request may include information regarding the requesting device, a user of the requesting device, a display device associated with (e.g., connected to) the requesting device, and a sensing device (e.g., of an environmental monitoring system) associated with the display device. The data access request may be encrypted using a private key of a key pair established during a registration process.
Prior to obtaining the data access request, a registration process for the user, the requesting device, the display device, and the environmental monitoring system (e.g., a sensing device thereof), with respect to the data storage system may be performed. The registration process may register user-device combinations; that is, the devices (e.g., the requesting devices, the display device, and the sensing device) and the user of the devices, in order to establish key pairs.
For example, a first key pair associated with the display device and the data storage device may be obtained by a registration system. Portions of the first key pair may be distributed to each of the display device and the data storage device. The data storage device may receive a public key certificate (e.g., based on the public key of the first key pair) associating the first public key certificate with the requesting device, the display device, the sensing device, and the user.
A second key pair associated with the requesting device, the display device associated with the requesting device, the sensing device associated with the display device, and the user of the requesting device may be generated. Portions of the second key pair may be distributed to each of the requesting device and the data storage system (e.g., the data storage system may receive a second public key certificate based on the second public key of the second key pair). The second public key certificate may be used to facilitate validation of the second public key (e.g., validate the requesting device and/or data access requests received from the requesting device). Refer to the discussion of
At operation 304, a determination may be made regarding whether the requesting device and the user of the requesting device may be validated. The determination may be made by authenticating the user and the device independently (e.g., using the second key pair), as described with respect to
If both the user and the requesting device are validated, the method may proceed to operation 308. However, if at least one of the user and the requesting device cannot be validated (e.g., fail to be authenticated), the method may proceed to operation 306.
At operation 306, the data access request may be denied. The data access request may be denied (i) by notifying the user of the requesting device of the denied access request, (ii) by refusing access to the requested portion of data, (iii) by discarding the access request without sending a notification, and/or (iv) via other methods.
The method may end following operation 306.
At operation 308, a determination may be made regarding whether the portion of data includes sensitive data. The determination may be made by obtaining a classification of a sub-portion of the portion of requested data. The classification may describe the level of sensitivity of the sub-portion. The classification of a sub-portion of the requested data may be read from metadata of the sub-portion. The classification may be based on data content, based on data context, based on user judgement, and/or may be generated using an artificial intelligence model trained to identify the level of sensitivity of data or via other methods.
If the portion of data does not include sensitive data, the method may proceed to operation 310. However, if the portion of data includes sensitive data, the method may proceed to operation 312.
At operation 310, the portion of the data may be provided to the requesting device. The portion of the data may be provided to the requesting device by transferring the portion of data through a secure network channel established between the data storage system and the data processing system (e.g., end device). The provided portion may not be encrypted with any key pairs established during registration.
Returning to operation 308, the method may proceed to operation 312 following operation 308 when both the user and the requesting device are validated, and the portion of the data includes sensitive data.
At operation 312, an environmental check may be performed based on activity in the environment. The environmental check may be performed by analyzing activity data collected by using sensing devices of an environmental monitoring system. The environmental monitoring system may utilize one or more sensing devices (e.g., a camera, a microphone, and/or a proximity sensor) to record activity (e.g., environmental data) in the environment in which the display system is located. The display device may include the sensing device (e.g., a webcam), and/or the display device may be separate from but at least partially in a field of sensing of the sensing device (e.g., in a field of view of the webcam). The recorded environmental data may include audio data, video data, thermal data, electromagnetic data, and/or any combination thereof (e.g., based on the type of sensing device(s) used).
The environmental data may be analyzed by the environmental monitoring system and/or an independent entity to determine whether activity in the environment includes (i) the presence of an unauthorized person (e.g., by sensing the proximity of an unauthorized person), and/or (ii) the absence of the authorized user in a portion of the environment (e.g., by tracking eye movements of the user). For example, the analysis may include a proximity measurement of an unauthorized person (e.g., the proximity of the unauthorized person to the display device). If the proximity measurement is within a proximity inferior to a minimum proximity, the unauthorized person may be able to gain access to sensitive data being displayed on the display device.
The environmental data analysis may yield an environmental status (e.g., to determine whether a party other than the authorized user is present) that may indicate whether the environment is compromised.
At operation 314, a determination may be made regarding whether the environment is secure. The determination may be made by receiving the environmental status from the environmental monitoring system or an independent entity that may perform environmental data analysis. The environmental status may indicate that the environment is compromised (e.g., unsecure), and/or that the environment has a likelihood of being compromised (e.g., 10% secure). Alternatively, the environmental status may indicate that the environment is not compromised or has a high likelihood of being secure (e.g., 90% secure). The environmental status may be provided as a fractional (e.g., 0.8) or percentage quantification (e.g., 80%) regarding whether the environment is secure.
If the environmental status is provided as a fractional or percentage quantification, the likelihood may be compared to a security threshold. For example, if the likelihood exceeds the security threshold, the environment may be determined to be secure. Otherwise, if the likelihood is inferior to (or equal to) the security threshold, the environment may be determined to be unsecure. The security threshold may be based on the level of sensitivity of the data (e.g., using higher security thresholds for higher levels of sensitivity of data).
If the environment is determined to be unsecure, the method may proceed to operation 306, where the data access request may be denied. The method may end following operation 306.
However, if the environment is determined to be secure, the method may proceed to operation 316.
At operation 316, a portion of a first key pair associated with the user, the requesting device, the display device, and the environmental monitoring system (e.g., the sensing device) is identified. The portion of the first key pair (e.g., established during the registration process) may be identified by accessing a key pair association database or a certificate.
The key pair database may associate identifiers of users, devices, and/or other information with keys for encrypting sensitive data. A key may be identified by performing a look-up in the key pair database based on information included in the data access request (e.g., identifying information regarding the requesting device, the display device associated with the requesting device, the user of the requesting device, and the sensing device associated with the display device). The portion of the first key pair may be a public key (e.g., a public key certificate).
The first key pair may be identified by matching an identifier of the display device to a stored certificate. The stored certificate may validate that a public key of the certificate is known to be part of a key pair (e.g., the first key pair) associated with the display device. For example, the certificate may include a public key and the display device may store the corresponding private key.
At operation 318, the sensitive data of the portion of the data is encrypted using the portion of the first key pair to obtain encrypted data. The sensitive data may be encrypted using the portion of the first key pair identified in operation 316 (e.g., the public key of the display device). For example, plaintext (e.g., the sensitive data and/or other data used as an ingest for an encryption algorithm) may be encrypted using the public key (e.g., as a cypher, or establishing a cypher) to obtain encrypted data. During encryption, plaintext may be converted to ciphertext (e.g., encrypted data), securing the plaintext from malicious parties as it may only be decrypted by a trusted device that has access to the corresponding private key (e.g., stored on the display device).
At operation 320, at least the encrypted data is provided to the display device. The encrypted data obtained in operation 318 may be provided to the display device by transmitting the encrypted data (and/or unencrypted data) over a secure communication channel established between the data storage system and the display device (e.g., a transmission path that does not include the requesting device).
Alternatively, the data storage system may transmit the requested data (e.g., encrypted and/or unencrypted data) to the requesting device, where the data may not be decrypted. The requesting device may then transmit the requested data to the display device.
Once the requested data is received by the display device, the user may decrypt the encrypted portion of the requested data using the private key of the first key pair established during registration. The decryption may be automatic or may be an additional process that requires manual initiation by the user. Consequently, an additional layer of security for the sensitive data may be provided (e.g., malicious parties that have compromised the display device may not be able to decrypt the encrypted data unless the malicious party knows of the key pair and encryption process).
Once decrypted by the display system (e.g., display device), the sensitive data may be viewed on the display device (e.g., accessed) by the user but may not be accessible by the requesting device that typically displays content on the display device. By decrypting the sensitive data using the display device, the sensitive data may be screened from the requesting device (e.g., and any malicious party that may have access to the requesting device).
While the sensitive data is being accessed by the user, additional environmental checks may be performed (e.g., in real-time). The environmental check may determine whether the environment remains secure (or unsecure) based on analysis of environmental data collected by sensing devices (e.g., as described with respect to operation 314). If the security of the environment changes, an updated environmental status may be sent from the environmental monitoring system to the display device that affects the accessibility of the sensitive data.
For example, if the environment status changes from secure to unsecure, the display device may perform an obfuscation operation rendering the sensitive data temporarily inaccessible (e.g., by disabling the display system and/or by blurring the sensitive data). Alternatively, if the environment status changes from unsecure to secure, the sensitive data may again be made accessible to the user (e.g., by re-enabling the display system and/or by de-blurring the sensitive data). Thus, access to sensitive data may be managed in real-time based on the real-time environmental security status, thereby preventing sensitive data access by unauthorized parties physically occupying the environment.
The method may end following operation 320.
Thus, as illustrated above, embodiments disclosed herein may provide systems and methods usable to manage access to data stored in data storage systems. By managing access to the data, the likelihood of malicious parties gaining access to sensitive data stored in data storage systems may be reduced. By registering user-device combinations through a registration system, cryptographic keys (e.g., key pairs) specific to the registered combinations (e.g., user, end device, display device, and sensing device) may be used to employ multiple layers of security. As described, an access control system that includes user authentication, requesting device authentication, display device-based encryption (e.g., circumventing the requesting device), and real-time secure environment validation may be implemented. The access control system may be implemented to prevent the exposure of sensitive data to remote malicious parties and/or malicious parties physically present in the data access environment.
Thus, embodiments disclosed herein may provide an improved computing device that is able to reduce the likelihood of a malicious party intercepting accessed sensitive data. Accordingly, the disclosed process provides for both an embodiment in computing technology and an improved method for managing secure data access.
Any of the components illustrated in
System 400 may represent a desktop, a laptop, a tablet, a server, a mobile phone, a media player, a personal digital assistant (PDA), a personal communicator, a gaming device, a network router or hub, a wireless access point (AP) or repeater, a set-top box, or a combination thereof. Further, while only a single machine or system is illustrated, the term “machine” or “system” shall also be taken to include any collection of machines or systems that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
In one embodiment, system 400 includes processor 401, memory 403, and devices 405-408 via a bus or an interconnect 410. Processor 401 may represent a single processor or multiple processors with a single processor core or multiple processor cores included therein. Processor 401 may represent one or more general-purpose processors such as a microprocessor, a central processing unit (CPU), or the like.
More particularly, processor 401 may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets.
Processor 401 may also be one or more special-purpose processors such as an application specific integrated circuit (ASIC), a cellular or baseband processor, a field programmable gate array (FPGA), a digital signal processor (DSP), a network processor, a graphics processor, a network processor, a communications processor, a cryptographic processor, a co-processor, an embedded processor, or any other type of logic capable of processing instructions.
Processor 401, which may be a low power multi-core processor socket such as an ultra-low voltage processor, may act as a main processing unit and central hub for communication with the various components of the system. Such processor can be implemented as a system on chip (SoC). Processor 401 is configured to execute instructions for performing the operations discussed herein. System 400 may further include a graphics interface that communicates with optional graphics subsystem 404, which may include a display controller, a graphics processor, and/or a display device.
Processor 401 may communicate with memory 403, which in one embodiment can be implemented via multiple memory devices to provide for a given amount of system memory. Memory 403 may include one or more volatile storage (or memory) devices such as random access memory (RAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), static RAM (SRAM), or other types of storage devices. Memory 403 may store information including sequences of instructions that are executed by processor 401, or any other device.
For example, executable code and/or data of a variety of operating systems, device drivers, firmware (e.g., input output basic system or BIOS), and/or applications can be loaded in memory 403 and executed by processor 401. An operating system can be any kind of operating systems, such as, for example, Windows® operating system from Microsoft®, Mac OS®/iOS® from Apple, Android® from Google®, Linux®, Unix®, or other real-time or embedded operating systems such as VxWorks.
System 400 may further include IO devices such as devices (e.g., 405, 406, 407, 408) including network interface device(s) 405, optional input device(s) 406, and other optional IO device(s) 407. Network interface device(s) 405 may include a wireless transceiver and/or a network interface card (NIC). The wireless transceiver may be a WiFi transceiver, an infrared transceiver, a Bluetooth transceiver, a WiMax transceiver, a wireless cellular telephony transceiver, a satellite transceiver (e.g., a global positioning system (GPS) transceiver), or other radio frequency (RF) transceivers, or a combination thereof. The NIC may be an Ethernet card.
Input device(s) 406 may include a mouse, a touch pad, a touch sensitive screen (which may be integrated with a display device of optional graphics subsystem 404), a pointer device such as a stylus, and/or a keyboard (e.g., physical keyboard or a virtual keyboard displayed as part of a touch sensitive screen). For example, input device(s) 406 may include a touch screen controller coupled to a touch screen. The touch screen and touch screen controller can, for example, detect contact and movement or break thereof using any of a plurality of touch sensitivity technologies, including but not limited to capacitive, resistive, infrared, and surface acoustic wave technologies, as well as other proximity sensor arrays or other elements for determining one or more points of contact with the touch screen.
IO devices 407 may include an audio device. An audio device may include a speaker and/or a microphone to facilitate voice-enabled functions, such as voice recognition, voice replication, digital recording, and/or telephony functions. Other IO devices 407 may further include universal serial bus (USB) port(s), parallel port(s), serial port(s), a printer, a network interface, a bus bridge (e.g., a PCI-PCI bridge), sensor(s) (e.g., a motion sensor such as an accelerometer, gyroscope, a magnetometer, a light sensor, compass, a proximity sensor, etc.), or a combination thereof. IO device(s) 407 may further include an imaging processing subsystem (e.g., a camera), which may include an optical sensor, such as a charged coupled device (CCD) or a complementary metal-oxide semiconductor (CMOS) optical sensor, utilized to facilitate camera functions, such as recording photographs and video clips. Certain sensors may be coupled to interconnect 410 via a sensor hub (not shown), while other devices such as a keyboard or thermal sensor may be controlled by an embedded controller (not shown), dependent upon the specific configuration or design of system 400.
To provide for persistent storage of information such as data, applications, one or more operating systems and so forth, a mass storage (not shown) may also couple to processor 401. In various embodiments, to enable a thinner and lighter system design as well as to improve system responsiveness, this mass storage may be implemented via a solid-state device (SSD). However, in other embodiments, the mass storage may primarily be implemented using a hard disk drive (HDD) with a smaller amount of SSD storage to act as an SSD cache to enable non-volatile storage of context state and other such information during power down events so that a fast power up can occur on re-initiation of system activities. Also, a flash device may be coupled to processor 401, e.g., via a serial peripheral interface (SPI). This flash device may provide for non-volatile storage of system software, including a basic input/output software (BIOS) as well as other firmware of the system.
Storage device 408 may include computer-readable storage medium 409 (also known as a machine-readable storage medium or a computer-readable medium) on which is stored one or more sets of instructions or software (e.g., processing module, unit, and/or processing module/unit/logic 428) embodying any one or more of the methodologies or functions described herein. Processing module/unit/logic 428 may represent any of the components described above. Processing module/unit/logic 428 may also reside, completely or at least partially, within memory 403 and/or within processor 401 during execution thereof by system 400, memory 403 and processor 401 also constituting machine-accessible storage media. Processing module/unit/logic 428 may further be transmitted or received over a network via network interface device(s) 405.
Computer-readable storage medium 409 may also be used to store some software functionalities described above persistently. While computer-readable storage medium 409 is shown in an exemplary embodiment to be a single medium, the term “computer-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The terms “computer-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of embodiments disclosed herein. The term “computer-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media, or any other non-transitory machine-readable medium.
Processing module/unit/logic 428, components and other features described herein can be implemented as discrete hardware components or integrated in the functionality of hardware components such as ASICS, FPGAs, DSPs or similar devices. In addition, processing module/unit/logic 428 can be implemented as firmware or functional circuitry within hardware devices. Further, processing module/unit/logic 428 can be implemented in any combination hardware devices and software components.
Note that while system 400 is illustrated with various components of a data processing system, it is not intended to represent any particular architecture or manner of interconnecting the components; as such details are not germane to embodiments disclosed herein. It will also be appreciated that network computers, handheld computers, mobile phones, servers, and/or other data processing systems which have fewer components, or perhaps more components may also be used with embodiments disclosed herein.
Some portions of the preceding detailed descriptions have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as those set forth in the claims below, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
Embodiments disclosed herein also relate to an apparatus for performing the operations herein. Such a computer program is stored in a non-transitory computer readable medium. A non-transitory machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium (e.g., read only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices).
The processes or methods depicted in the preceding figures may be performed by processing logic that comprises hardware (e.g., circuitry, dedicated logic, etc.), software (e.g., embodied on a non-transitory computer readable medium), or a combination of both. Although the processes or methods are described above in terms of some sequential operations, it should be appreciated that some of the operations described may be performed in a different order. Moreover, some operations may be performed in parallel rather than sequentially.
Embodiments disclosed herein are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of embodiments disclosed herein.
In the foregoing specification, embodiments have been described with reference to specific exemplary embodiments thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of the embodiments disclosed herein as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.
