Patent Grant
11301557
Data processing devices may include multiple types of physical components. For example, data processing devices may include processors, memory, and persistent storage. To utilize the computing resources provided by these physical components, data processing devices may host any number of applications.
The operation of the data processing devices may be dictated by the combination of physical components included in the data processing devices and the applications hosted by the data processing devices. Depending on the types of physical components, the configuration of the components, and the operation of the applications, the behavior of the data processing devices may vary.
In one aspect, a data processing device in accordance with one or more embodiments of the invention includes primary resources; an out-of-band manager operably connected to the primary resources via an always-on in-band connection; and an authentication engine. The authentication engine obtains, via the always-on in-band connection, an operation request and an authentication token corresponding to the operation request; in response to obtaining the authentication token: obtains a list of authorized operations using the authentication token; makes a determination that an operation indicated by the operation request is allowable based on the list of authorized operations; and performs the operation based on the determination.
In one aspect, a method for managing a data processing device in accordance with one or more embodiments of the invention includes obtaining, from an out-of-band manager and via an always-on in-band connection, an operation request and an authentication token corresponding to the operation request; in response to obtaining the authentication token: obtaining, by an authentication engine, a list of authorized operations using the authentication token; making a determination that an operation indicated by the operation request is allowable based on the list of authorized operations; and performing the operation based on the determination.
In one aspect, a non-transitory computer readable medium in accordance with one or more embodiments of the invention includes computer readable program code, which when executed by a computer processor enables the computer processor to perform a method for managing a data processing device. The method includes obtaining, from an out-of-band manager and via an always-on in-band connection, an operation request and an authentication token corresponding to the operation request; in response to obtaining the authentication token: obtaining, by an authentication engine, a list of authorized operations using the authentication token; making a determination that an operation indicated by the operation request is allowable based on the list of authorized operations; and performing the operation based on the determination.
Certain embodiments of the invention will be described with reference to the accompanying drawings. However, the accompanying drawings illustrate only certain aspects or implementations of the invention by way of example and are not meant to limit the scope of the claims.
Specific embodiments will now be described with reference to the accompanying figures. In the following description, numerous details are set forth as examples of the invention. It will be understood by those skilled in the art that one or more embodiments of the present invention may be practiced without these specific details and that numerous variations or modifications may be possible without departing from the scope of the invention. Certain details known to those of ordinary skill in the art are omitted to avoid obscuring the description.
In the following description of the figures, any component described with regard to a figure, in various embodiments of the invention, may be equivalent to one or more like-named components described with regard to any other figure. For brevity, descriptions of these components will not be repeated with regard to each figure. Thus, each and every embodiment of the components of each figure is incorporated by reference and assumed to be optionally present within every other figure having one or more like-named components. Additionally, in accordance with various embodiments of the invention, any description of the components of a figure is to be interpreted as an optional embodiment, which may be implemented in addition to, in conjunction with, or in place of the embodiments described with regard to a corresponding like-named component in any other figure.
In general, embodiments of the invention relate to systems, devices, and methods for managing the state of a data processing device. Specifically, embodiments of the invention may provide methods for proactively determining whether to perform operations obtained via what are traditionally considered to be secure connections. Operations that are determined to be unauthorized may be rejected. By doing so, the state of the data processing device may be maintained by avoiding performance of such unauthorized operations.
To provide their respective functionalities, each of the data processing devices (102) may be in a predetermined state corresponding to the functionality. The state of a data processing device may reflect the configuration (e.g., hardware configuration, driver versions, hosted application, etc.) of the data processing device.
Over time, the predetermined state for any of the data processing devices may change. For example, the predetermined state of a data processing device may change to match changes in the operation of an application hosted by the data processing device. The predetermined state of a data processing device may change due to other reasons without departing from the invention.
To facilitate updating of the state of the data processing devices to match a predetermined state, each of the data processing devices may enable remote entities to modify their respective configurations. For example, a management entity (not shown) may remotely modify one or more portions (e.g., application configurations, application versions, configuration settings, etc.) of a data processing device (e.g., 102.2, 102.4) to update its state to match a predetermined state.
To manage the state of any number of data processing devices (102), the system may include an authenticator (100). The authenticator (100) may provide authentication services to the data processing devices (102) with respect to entities attempting to modify the states of the respective data processing devices (102). By utilizing the authentication services provided by the authenticator (100), the data processing devices (102) may selectively allow other entities to modify their states to reduce the likelihood of unauthorized parties modifying their states.
The components illustrated in
In one or more embodiments of the invention, the data processing devices (102) are connected to the authenticator via connection sets (106). A connection set may be multiple connections that enable different portions of a data processing device to independently communicate with the authenticator (100) and/or other entities (not shown). For example, two different portions of a data processing device may be operably connected to the network (104) via two different connections of a connection set. In this manner, each of the two different portions of the data processing device may independently (from the other portion) communicate with other entities.
To further clarify embodiments of the invention, each component of the system of
In one or more embodiments of the invention, each of the data processing devices (102) provides functionality. The functionality may correspond to one or more computer implemented services which a respective data processing device provides independently or in cooperation with any number of other data processing devices. A computer implemented service may be, for example, an electronic mail management service, database service, file storage service, etc. A data processing device may provide any number of computer implemented services that gives rise to the functionality provided by the data processing device.
In one or more embodiments of the invention, each of the data processing devices (102) selectively allows remote modifications to its state. In one or more embodiments of the invention, the state of a data processing device refers to the in-use application configuration settings, hardware configuration settings, applications hosted by the data processing devices, and/or other characteristics of the data processing device that control the manner in which the data processing device operates. The data processing devices (102) may selectively allow remote modifications to its state by: (i) identifying a remote entity attempting to modify its state, (ii) determining what, if any, characteristics of the data processing device that the remote entity is authorized to modify, and (iii) allow or reject any of the attempted modifications by the remote entity. By doing so, each of the data processing devices (102) may self-manage their respective states by reducing the likelihood of unauthorized parties modifying their respective states.
The each of the data processing devices (102) may include computing devices. The computing devices may be, for example, mobile phones, tablet computers, laptop computers, desktop computers, servers, or cloud resources. The computing devices may include one or more processors, memory (e.g., random access memory), and persistent storage (e.g., disk drives, solid state drives, etc.). The persistent storage may store computer instructions (in addition to other data), computer code, that (when executed by the processor(s) of the computing device) cause the computing device to perform the functions of the respective data processing devices (102) described in this application and/or all, or a portion, of the methods illustrated in
In one or more embodiments of the invention, each of the data processing devices (102) is a distributed computing device. As used herein, a distributed computing device refers to functionality provided by multiple computing devices cooperatively providing one or more functionalities. For example, a distributed computing device may include multiple, separate computing devices that are each programmed to perform all, or a part, of the one or more functionalities. In such a scenario, the functionality of the respective data processing devices (102) may be performed by multiple, different computing devices without departing from the invention.
To provide the functionality of the respective data processing devices (102), any of the computing devices of the respective data processing devices (102) may include computer instructions, e.g., computer code, that when executed by one or more processors of the computing devices of the respective data processing devices (102) cause the computing devices of the respective data processing devices (102) to perform the functions described in this application and/or all, or a portion, of the methods illustrated in
In one or more embodiments of the invention, all, or a portion, of the computing devices of the respective data processing devices (102) include special purpose hardware devices. The special purpose hardware devices may be, for example, storage controllers, raid controllers, load balancers, and/or any other type of special purpose hardware devices for providing computer implemented services. The special purpose hardware devices of the respective data processing devices (102) may perform different and/or similar functions. The special purpose hardware devices of the respective data processing devices (102) may, when providing the functionality of the respective data processing devices (102), invoke the functionality of the special purpose hardware devices.
All or a portion of the respective data processing devices (102) may be implemented using one or more logical devices without departing from the invention. For example, any of the data processing devices (102) may include a virtual machine (or multiple virtual machines) that utilizes computing resources of any number of computing devices to provide the functionality of the respective data processing device. Any of the data processing devices (102) may include other types of logical devices without departing from the invention.
For additional details regarding the data processing devices (102), refer to
In one or more embodiments of the invention, the authenticator (100) provides authentication services. The authentication services may be used by the data processing devices (102) to determine to what extent a remote entity is authorized to modify the state of the data processing devices (102). Different entities may be authorized to modify the state of each of the data processing devices (102) to varying extents. The authenticator (100) may maintain records regarding the extent of each entities authentication for state modification of all, or a portion, of the data processing devices (102).
To provide authentication services, the authenticator (100) may (i) obtain identity information regarding an entity, (ii) compare the identity information to the records maintained by the authenticator (100), (iii) determine the extent (if any) to which the remote entity is authorized to modify the state of a data processing device based on the comparison, (iv) generate a token based on the determination, (v) provide the token to a data processing device, and/or (vi) specify the extent to which the remote entity is authorized to modify the state of a data processing device in response to receiving the token. By doing so, as will be discussed in greater detail with respect to
The authenticator (100) may include computing devices. The computing devices may be, for example, mobile phones, tablet computers, laptop computers, desktop computers, servers, or cloud resources. The computing devices may include one or more processors, memory (e.g., random access memory), and persistent storage (e.g., disk drives, solid state drives, etc.). The persistent storage may store computer instructions (in addition to other data), e.g., computer code, that (when executed by the processor(s) of the computing device) cause the computing device to perform the functions of the authenticator (100) described in this application and/or all, or a portion, of the methods illustrated in
In one or more embodiments of the invention, the authenticator (100) is a distributed computing device. As used herein, a distributed computing device refers to functionality provided by multiple computing device cooperatively providing one or more functionalities. For example, a distributed computing device may include multiple, separate computing devices that are each programmed to perform all, or a part, of the one or more functionalities. In such a scenario, the functionality of the authenticator (100) may be performed by multiple, different computing devices without departing from the invention.
To provide the functionality of the authenticator (100), any of the computing devices of the authenticator (100) may include computer instructions, e.g., computer code, that when executed by one or more processors of the computing devices of the authenticator (100) cause the computing devices of the authenticator (100) to perform the functions described in this application and/or all, or a portion, of the methods illustrated in
In one or more embodiments of the invention, all, or a portion, of the computing devices of the authenticator (100) include special purpose hardware devices. The special purpose hardware devices may be, for example, storage controllers, raid controllers, load balancers, and/or any other type of special purpose hardware devices for providing computer implemented services. The special purpose hardware devices of the authenticator (100) may perform different and/or similar functions. The special purpose hardware devices of the authenticator (100) may, when providing the functionality of the authenticator (100), invoke the functionality of the special purpose hardware devices.
All or a portion of the authenticator (100) may be implemented using one or more logical devices without departing from the invention. For example, the authenticator (100) may include a virtual machine (or multiple virtual machines) that utilizes computing resources of any number of computing devices to provide the functionality of the respective data processing device. The authenticator (100) may include other types of logical devices without departing from the invention.
For additional details regarding the data processing devices (102), refer to
While the system of
To further clarify aspects of embodiments of the invention, diagrams of an example data processing device and example authenticator in accordance with embodiments of the invention in
As discussed above, the example data processing device (120) may (i) provide functionality and (ii) self-manage its state to efficiently provide its functionality.
To provide functionality, the example data processing device (120) may provide any number of computer implemented services. Each of the computer implemented services may provide similar and/or different functionality.
To provide the computer implemented services, the example data processing device (120) may host any number of applications (124.2). The applications (124.2) may include any number and/or type of applications that are hosted by the primary resources (122). In other word, the applications (124.2) may execute using the physical computing resources (126) of the primary resources (122). The physical computing resources (126) may include processor(s) (126.2), memory (126.4), persistent storage (126.6), and/or a network interface (126.8).
For example, the applications (124.2) may be implemented as computer code, i.e., computer instructions, that when executed by one or more processors (e.g., 126.2) of the primary resources (122) give rise to the functionality of the applications (124.2). The computer code corresponding to each of the applications (124.2) may be stored on the persistent storage (126.6) of the physical computing resources (126) or in other locations (e.g., locally on other persistent storage or remotely on other devices).
The applications (124.2) may provide any quantity and type of computer implemented services. A computer implemented service may be, for example, electronic communications services, data management services, database services, etc. Any number and type (local and/or remote) of entities may utilize the computer implemented services provided by the applications (124.2).
For example, an application hosted by the primary resources (122) may provide electronic mail services to an entity that is remote to the example data processing device (120). In another example, an application hosted by the primary resources (122) may provide database services to other applications hosted by the primary resources (122) and additional applications hosted by other data processing devices operably connected to the example data processing device (120).
To self-manage its state to efficiently provide its functionality, the example data processing device (120) may enable remote entities to change its configuration. Such remote entities may send requests to the example data processing device (120) to change its configuration via an in-hand connection (142) and/or an out-of-band connection (144). The in-band connection (142) may operably connect the primary resources (122) to other entities while the out-of-band connection (144) may operably connect the out-of-band manager (130) to other entities. The in-band connection (142) and the out-of-band connection may be a connection set that operably connects the example data processing device (120) to other entities.
The primary resources (122) and the out-of-band manager (130) may be operably connected to each other via an always-on in-band connection (140). The always-on in-band connection may enable the primary resources (122) and the out-of-band manager (130) to communicate with each other without using the in-band connection (142) or the out-of-band connection.
Both of the primary resources (122) and the out-of-band manager (130) may include functionality to modify the configuration of the example data processing device (120). For example, the both of the aforementioned entities may be capable of modifying hardware settings (e.g., settings associated with the physical computing resources (126) that control the operations of the various components), firmware settings, software settings (e.g., settings of the applications (124.2) and/or other software entities), instantiating and/or terminating applications, etc. By modifying the configuration of the example data processing device (120), the state of the example data processing device (120) may be modified. The state of the example data processing device (120) may impact the operation of any of the applications (124.2) hosted by the primary resources (122).
For example, consider a scenario in which the operational characteristics of the memory (126.4) are modified which results in a decrease in the bandwidth available for accessing the memory (126.4). In such a scenario, the modification may reduce the rate upon which an application of the applications (124.2) due to the decreased available bandwidth.
A request to modify the configuration of the example data processing device (120) may be received via the in-band connection (142) or the out-of-band connection. Such requests may implicate action by either the primary resources (122) or the out-of-band manager (130). Consequently, a request obtained by, for example, the out-of-band manager (130) may need to be performed by the primary resources (122) and a request obtained by the primary resources (122) may need to be performed by the out-of-band manager (130). In such a scenario, the entity receiving the request may send an operation request, correspond to the request, to the other entity for execution.
To self-manage its state to efficiently provide its functionality, the example data processing device (120) may manage operation requests transmitted via the always-on in-band connection (140). To do so, the primary resources (122) and the out-of-band manager may include respective authentication engines (124.2, 132). The authentication engines may (i) send operation requests and/or additional information via the always-on in-band connection (140) to service requests from remote entities and (ii) determine whether to perform operation requests received via the always-on in-band connection (140). To determine whether to perform operation requests received via the always-on in-band connection (140), the authentication engines (124.2, 132) may utilize services provided by an authenticator. By doing so, the example data processing device (120) may decrease the likelihood of an unauthorized change to its state.
In one or more embodiments of the invention, one or more of the authentication engines (124.2, 132) is implemented as a hardware device including circuitry. The hardware device may be, for example, a digital signal processor, a field programmable gate array, or an application specific integrated circuit. The authentication engines (124.2, 132) may be other types of hardware devices without departing from the invention.
In one or more embodiments of the invention, one or more of the authentication engines (124.2, 132) is implemented as computing code stored on a persistent storage that when executed by a processor performs the functionality of the authentication engines (124.2, 132). The processor may be a hardware processor including circuitry such as, for example, a central processing unit or a microcontroller. The processor may be other types of hardware devices for processing digital information without departing from the invention.
For example, the authentication engine (124.4) hosted by the primary resources (122) may utilize the physical computing resources (126) for its execution. The persistent storage (126.6) may store computer code corresponding to the authentication engine (124.4) that when executed by the processor(s) (126.2) cause the example data processing device (120) to perform the functionality of the authentication engine (124.4).
Similarly, the authentication engine (132) hosted by the out-of-band manager (130) may utilize physical computing resources (134) of the out-of-band manager for its execution. The physical computing resources (134) may include persistent storage (not shown) that may store computer code corresponding to the authentication engine (132) that when executed by processor(s) (not shown) of the physical computing resources (134) cause the out-of-band manager (130) to perform the functionality of the authentication engine (132).
To provide the above noted functionality of the authentication engines (124.4, 132), one or more of the authentication engines (124.4, 132) may perform all, or a portion, of the methods illustrated in
The out-of-band manager (130) may be implemented as a hardware device. For example, the out-of-band manager (130) may be implemented as a circuit card hosted by the example data processing device (120). The out-of-band manager (130) may operate as a computing device separate from the example data processing device (120).
The out-of-band manager (130) may be implemented as a logical entity. For example, the out-of-band manager (130) may be a virtual machine hosted by the example data processing device (120) that utilizes virtual resources for its execution. In such a scenario, the out-of-band connection (144) and the always-on in-band connection (140) may be implemented as virtual connections supported by logical network interfaces maintained by the example data processing device (120). The primary resources (122) and the out-of-band manager (130) may each be allocated separate end points on a virtual network supported by the example data processing device (120).
While illustrated in
While the example data processing device (120) of
As discussed above, the example data processing device (120) may utilize services provided by an authenticator when determining whether to perform operation requests obtained via the always-on in-band connection (140).
The example authenticator (150) may provide services that enable authentication engines hosted by data processing devices to determine whether to perform operation requests. Specifically, the example authenticator (150) may (i) generate authentication tokens based on identities of entities and (ii) provide lists of authorized actions based on authentication tokens.
For example, consider a scenario in which an authentication engine of an out-of-band manager receives a request to modify a configuration of a data processing device and the request implicates action by primary resources to complete the modification of the configuration. In such a scenario, the authentication engine may send a request for an authentication token to the example authenticator (150). In response, the example authenticator (150) may generate an authentication token based on the identity of the requesting entity (i.e., the identity of the entity that sent the request to the out-of-band manager) and provide the authentication token to the out-of-band manager.
The out-of-band manager may send an operation request to the primary resources and the authentication token. In response to receiving the operation request, an authentication engine of the primary resources may send the authentication token to the example authenticator (150). Based on the authentication token, the example authenticator (150) may identify one or more operations that are authorized (i.e., operations for which the requesting entity is authorized to have performed by the example data processing device) and notify the primary resources of the authorized operations. The authentication engine may use the authorized operations to determine whether to allow or reject the operation request.
To provide the above noted functionality, the example authenticator (150) may include an operations management engine (152) and persistent storage (154) that stores a user credential repository (156).
The operations management engine (152) may include functionality to (i) generate authentication tokens and (ii) identify authorized operation based on authentication tokens. For example, the operations management engine (152) may utilize a hash function to generate authentication tokens. The operations management engine (152) may generate authentication tokens using other methods without departing from the invention.
An authentication token may be a data structure associated with a particular entity. The authentication tokens may be generated based on the identities of corresponding entities for when the authentication tokens are generated, and the authentication tokens may be used to determine an identity of an entity corresponding to the respective authentication tokens by the entity that generated the authentication tokens.
In one or more embodiments of the invention, the operations management engine (152) is implemented as a hardware device including circuitry. The hardware device may be, for example, a digital signal processor, a field programmable gate array, or an application specific integrated circuit. The operations management engine (152) may be other types of hardware devices without departing from the invention.
In one or more embodiments of the invention, the operations management engine (152) is implemented as computing code stored on a persistent storage that when executed by a processor performs the functionality of the operations management engine (152). The processor may be a hardware processor including circuitry such as, for example, a central processing unit or a microcontroller. The processor may be other types of hardware devices for processing digital information without departing from the invention.
To provide the above noted functionality of the operations management engine (152), the operations management engine (152) may perform all, or a portion, of the methods illustrated in
In one or more embodiments of the invention, the persistent storage (154) provides data storage resources for the operations management engine (152). The data storage resources may enable the example authenticator (150) to persistently store digital data. The persistent storage (154) may store data structures including a user credential repository (156). The persistent storage (154) may be a physical storage device or a logical storage device.
A logical storage device may be an entity that utilizes the physical storage devices of one or more computing devices to provide data storage services. For example, a logical storage may be a virtualized storage that utilizes any quantity of storage resources (e.g., physical storage devices) of any number of computing devices.
A physical storage device may be a physical device that provides data storage services. For example, a physical storage device may include any number of physical devices such as, for example, hard disk drives, solid state drives, tape drives, and/or other types of hardware devices that store data. The physical storage device may include any number of other types of hardware devices for providing data storage services. For example, the physical storage device may include storage controllers that balance and/or allocate storage resources of hardware devices, load balancers that distribute storage workloads across any number of hardware devices, memory for providing cache services for the hardware devices, etc.
The user credential repository (156) may be a data structure that stores information regarding operations that are authorized to be initiated by different users. For example, the user credential repository (156) may be a list of users and the operations which each of the users is authorized to initiate. Such information may be used to ascertain the types of operations for which any user is authorized to initiate. The operations may be operations that may be performed by data processing devices that modify the configuration and, consequently, the states of the data processing devices. While described as a list, the user credential repository (156) may have different structures without departing from the invention.
While the persistent storage (154) has been illustrated as including specific data in a specific format, a persistent storage (154) in accordance with embodiments of the invention may include additional, different, and/or less data without departing from the invention. Additionally, while the user credential repository (156) is illustrated as being a discrete data structure, the user credential repository (156) may include additional, different, and/or less information without departing from the invention. Further, the user credential repository (156) may be combined with other data structure and/or may be subdivided into any number of data structures without departing from the invention. The user credential repository (156) may be stored in other locations and/or spanned across any number of devices without departing from the invention.
While the example authenticator (150) of
Returning to
While
In step 200, an operation request and an authentication token corresponding to the operation request is obtained via an always-on in-band connection. For example, primary resources or an out-of-band manager may receive a remote operation request from an entity. In response to receiving the remote operation request, the receiving entity (i.e., the primary resources or the out-of-band manager) may forward the request in the form of an operation request to another entity hosted by the data processing device hosting the receiving entity. Thus, if primary resources receive a request that implicates a corresponding out-of-band manager, the primary resources may send a request to the out-of-band manager via the always-on in-band connection.
The operation request may be a request for modifying the configuration of the entity that received the operation request. For example, if the operation request is received by primary resources, the primary resources may interpret the operation request as a request for modifying its configuration such as, for example, making changes to hardware settings, firmware settings, instantiation of new entities, termination of existing entities, and/or other modifications of its configuration.
The authentication token may be a data structure generated by an authenticator. For additional details regarding authenticators, refer to
As discussed above, the always-on in-band connection may provide productivity between primary resources and an out-of-band manager of the data processing device. For example, the always-on in-band connection may be a high-speed interconnect, a direct connection, or another type of operable connection that facilitates communications between the aforementioned entities.
In step 202, a list of authorized operations is obtained using the authentication token.
In one or more embodiments of the invention, the list of authorized operations is obtained based on an identity of an entity that sent an initial request, i.e., a remote request, to modify the configuration of the primary resources of the data processing device. For example, the identity may be used to determine the list of authorized operations. The identity may be used to query a database that includes a listing of authorized operations for each potential entity that can send a remote request to modify the configuration of the primary resources of the data processing device.
In one or more embodiments of the invention, the list of authorized operations is obtained via the method illustrated in
In step 204, it is determined whether an operation indicated by the operation request is allowable based on the list of authorized operations. The determination may be made by attempting to match one or more of the operations of the operation request to entries of the list of authorized operations. If it is determined that the operation indicated by the operation request is not allowable, the method may proceed to step 208. If it is determined that the operation indicated by the operation request is allowable, the method may proceed to step 206.
In step 206, the operation is performed. For example, the primary resources or the out-of-band manager that received the operation request or the operation. Performing the operation may modify configuration of the primary resources of the data processing device.
The method may end following step 206.
Returning to step 204, the method may proceed to step 208 if it is determined that an operation indicated by the operation request is not allowable.
In step 208, the operation is rejected. The operation may be rejected by not performing the operation. When operation is rejected, an entity that requested performance of the operation may be notified of the rejection. Other entities may also be notified of the rejection.
For example, management entities or security entities may be notified. Rejection of an operation to indicate an attempted illicit modification of the configuration and corresponding state of the data processing device. Such information may be used by the management entities and/or the security entities to police the data processing device and/or other data processing devices to prevent future attempts at illicit modification of the configuration and corresponding state of the data processing devices.
The method may end following step 208.
As discussed above, a list of authorized operations may be obtained when the method of
While
In step 210, an authentication token corresponding to an operation request is sent to an authenticator.
In one or more embodiments of the invention, the authentication token is sent via the network. For example, authentication token may be sent as portion of a request for the list of authorized operations.
In step 212, a list of authorized actions, associated with the authentication token, are obtained from the authenticator. List may be provided by the authenticator in response to receiving the authentication token.
In one or more embodiments of the invention, list of authorized actions specifies all of the operations that may be performed based on the authentication token. The authentication token may have been generated by the authenticator previously.
The method may end following step 212.
Thus, via the method illustrated in
While
In step 300, a remote operation request for an operation is obtained from an entity.
In one or more embodiments of the invention, the entity is remote to the data processing device. In other words, the remote operation request may be obtained via an in-band connection or an out-of-band connection depending on the component (e.g., primary resources or out-of-band manager) that obtained the remote operation request.
In one or more embodiments of the invention, the operation may specify a modification to the configuration of primary resources of the data processing device.
In step 302, an authentication token is obtained based on the entity.
In one or more embodiments of the invention, the authentication token is based on the identity of the entity. For example, the authentication token may be a hash of an identity of the entity. The authentication token may be other types of anonymizing but still identifying data structures. For example, authentication token may only include information that is meaningful to the entity that generated authentication token or has a key that enables an identity upon which the authentication token was generated to be recognized using the authentication token.
In one or more embodiments of the invention, authentication token is obtained via the method illustrated in
In step 304, the authentication token and the operation are sent to a second entity implicated by the remote operation request. As discussed above, depending on the entity that received the remote operation request of step 300, a different entity may be implicated by the remote operation request if the different entity is to perform the operation indicated by the remote operation request.
For example, if primary resources obtain the remote operation request, the authentication token and the operation may be sent to an out-of-band manager if action by the out-of-band manager is implicated by the operation indicated by the remote operation request.
In another example, if an out-of-band manager obtains the remote operation request, the authentication token and the operation may be sent to primary resources if action by the primary resources is implicated by the operation indicated by the remote operation request.
In one or more embodiments of the invention, the authentication token in the operation are sent via an always-on in-band connection.
In one or more embodiments of the invention, sending the operation may include sending a request for the operation to be performed. In other words, an operation request may be sent via the always-on in-band connection.
The method may end following step 304.
As discussed above, an authentication token may be obtained when the method of
While
In step 310, a request for an authentication token for an entity is sent to an authenticator.
In one or more embodiments of the invention, the entity is a remote entity that has sent a request to a data processing device to modify the configuration and corresponding state of primary resources of the data processing device. The entity may either be authorized or may not be authorized to modify configuration and corresponding state of the primary resources of the data processing device.
In one or more embodiments of the invention, the request for the authentication token is sent via an in-band connection or an out-of-band connection depending upon the entity that is sending the request for authentication token. As discussed with respect to
In one or more embodiments of the invention, the request for the authentication token specifies the identity of the entity. For example, the request for the authentication token may include the data structure that identifies the entity.
In step 312, the authentication token, associated with the entity, is obtained from the authenticator. For example, the authenticator may send the authentication token in response to the request of step 310.
The method may end following step 312.
Thus, via the methods illustrated in
As discussed above, an authenticator may be utilized to obtain authentication tokens and lists of authorized actions.
While
In step 400, an authentication token is obtained.
In one or more embodiments of the invention, the authentication token is obtained as part of the request obtained from a data processing device. For example, primary resources or an out-of-band manager may send authentication token as part of a request for a list of authorized operations based on the authentication token.
In step 402, a list of authorized operations is provided based on the authentication token.
In one or more embodiments of the invention, list of authorized operations is obtained by (i) determining an identity associated with authentication token, (ii) matching the identity to one or more authorized operations specified in a user credential repository (e.g. 156,
To determine the identity associated with authentication token, the key used to generate the authentication token may be utilized. For example, the authentication token may have been generated based on the identity previously. At that time key that associates the authentication token with identity may have been generated. Thus, the key may be used to determine the identity associated with the authentication token. The identity associated with the authentication token may be determined via other methods without departing from the invention. For example, a reverse hash function may be used. A hash function corresponding to the reverse hash function may have been utilized to generate the authentication token previously.
The list of authorized operations may specify any number of operations. One or more of the operations may implicate a modification to configuration of a data processing device. For example, any number of operations may modify hardware settings, software settings, for more settings, and/or other characteristics of the data processing device that contribute to its configuration and corresponding state.
List of authorized operations may be provided to the entity that sent the authentication token of step 400. For example, a list of authorized operations may be sent via a message to the entity that sent the authentication token. A list of authorized operations may be sent to other entities without departing from the invention.
The method may end following step 402.
In addition to providing list of authorized operations as discussed with respect to the method of
While
In step 410, a request for an authentication token for an entity is obtained.
In one or more embodiments of the invention, the request is obtained from a data processing device. For example, primary resources and/or an out-of-band manager may have sent the request.
In step 412, the authentication token is generated based on an identity of the entity.
In one or more embodiments of the invention, the authentication token is a data structure. The authentication token may be usable to determine an identity associated with the authentication token.
In one or more embodiments of the invention, the authentication token is a hash of an identity of the entity. For example, the authentication token may be generated by generating a hash of the identity of the entity. Authentication token may be generated using other types of functions without departing from the invention.
In step 414, the authentication token is provided in response to the request. For example, authentication token may be sent to the requesting entity of step 410.
The method may end following step 414.
Thus, via the methods illustrated in
To further clarify embodiments of the invention, a non-limiting example is provided in
Consider a scenario as illustrated in
The data processing device (504), similar to those discussed above, may utilize authentication services provided by an authenticator (500) when evaluating when to allow operations requested by remote entities to be performed on the data processing device (504).
At a first point in time, an unauthorized entity (506) attempts to modify the state of the data processing device (504). An action diagram, illustrated in
As seen in
In response to receiving the authentication token request (512), the authenticator (500) generates an authentication token (514). As discussed above, an authentication token may be a data structure that may be used to facilitate determining whether or not the unauthorized entity (506) is allowed to cause the data processing device to perform certain operations.
After generating the authentication token, authenticator (500) provides the authentication token (516) to the out-of-band manager (504.4). In response to receiving the authentication token, the out-of-band manager (504.4) provides the authentication token and an operation (518) indicated by the remote operation request (510) to the primary resources (504.2) via an always-on in-band connection. The out-of-band manager (504.4) does so because the primary resources (504.2) are implicated by the remote operation request (510) as opposed to the out-of-band manager (504.4).
In response to receiving the authentication token and the operation (518), the primary resources (504.2) provide the authentication token (520) to the authenticator (500). In response to being provided with the authentication token (520), the authenticator (500) determines an identity of the unauthorized entity (506) using the authentication token (520). Using the identity of the unauthorized entity (506) the authenticator (500) determines authorized operations (522) based on the identity of the unauthorized entity (506). Once authorized operations (522) are determined by the authenticator, authenticator provides the authorized operations (522) the primary resources (504.2).
In response to receiving authorized operations (522), the primary resources (504.2) compare the operation obtained when the authentication token and operation (518) were obtained to the authorized operations (522) to determine whether the operation is an authorized operation.
Because the unauthorized entity (506) does not have any privileges to modify the configuration of the data processing device and corresponding state, the authorized operations (522) indicated that no operations are authorized. Consequently, the primary resources (504.2.) reject the operation (524). Thus, via the series of actions illustrated in
End of Example
Embodiments of the invention may provide a method for managing the state of a data processing device to avoid malicious actions by remote entities. To do so, the data processing device may implement a method of validating that an operation to be performed is authorized prior to performing the operation. By doing so, unauthorized operation, even though received via what is traditionally considered to be a secure communication connection such as an always-on in-band connection, may be identified and appropriately dealt with prior to performing the operation.
Thus, embodiments of the invention may address the problem of operational security within a distributed environment that may include malicious parties. Specifically, embodiments of the invention may provide a method of validating whether operations are authorized prior to performance of the operations.
The problems discussed above should be understood as being examples of problems solved by embodiments of the invention disclosed herein and the invention should not be limited to solving the same/similar problems. The disclosed invention is broadly applicable to address a range of problems beyond those discussed herein.
One or more embodiments of the invention may be implemented using instructions executed by one or more processors of the data management device. Further, such instructions may correspond to computer readable instructions that are stored on one or more non-transitory computer readable mediums.
While the invention has been described above with respect to a limited number of embodiments, those skilled in the art, having the benefit of this disclosure, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as disclosed herein. Accordingly, the scope of the invention should be limited only by the attached claims.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5483637 | Winokur et al. | Jan 1996 | A |
| 5867714 | Todd et al. | Feb 1999 | A |
| 6012152 | Douik et al. | Jan 2000 | A |
| 6205409 | Zvonar | Mar 2001 | B1 |
| 6317028 | Valiulis | Nov 2001 | B1 |
| 6473794 | Guheen et al. | Oct 2002 | B1 |
| 6606744 | Mikurak | Aug 2003 | B1 |
| 6633782 | Schleiss et al. | Oct 2003 | B1 |
| 6742141 | Miller | May 2004 | B1 |
| 6774054 | Zhang et al. | Aug 2004 | B1 |
| 6795935 | Unkle et al. | Sep 2004 | B1 |
| 6871224 | Chu et al. | Mar 2005 | B1 |
| 7103874 | McCollum et al. | Sep 2006 | B2 |
| 7222127 | Bem et al. | May 2007 | B1 |
| 7334222 | Keller | Feb 2008 | B2 |
| 7370102 | Chu et al. | May 2008 | B1 |
| 7490073 | Qureshi et al. | Feb 2009 | B1 |
| 7500142 | Cowart et al. | Mar 2009 | B1 |
| 7516362 | Connelly et al. | Apr 2009 | B2 |
| 7536595 | Hiltunen et al. | May 2009 | B1 |
| 7757124 | Singh et al. | Jul 2010 | B1 |
| 7827136 | Wang | Nov 2010 | B1 |
| 7831693 | Lai | Nov 2010 | B2 |
| 7886031 | Taylor et al. | Feb 2011 | B1 |
| 7987353 | Holdaway et al. | Jul 2011 | B2 |
| 8001527 | Qureshi et al. | Aug 2011 | B1 |
| 8166552 | Prafullchandra et al. | Apr 2012 | B2 |
| 8290970 | Hohmann | Oct 2012 | B2 |
| 8386930 | Dillenberger et al. | Feb 2013 | B2 |
| 8401982 | Satish et al. | Mar 2013 | B1 |
| 8583769 | Peters et al. | Nov 2013 | B1 |
| 8639798 | Akiyama et al. | Jan 2014 | B2 |
| 8706682 | Blazek et al. | Apr 2014 | B1 |
| 8826077 | Bobak et al. | Sep 2014 | B2 |
| 8868987 | Wagner | Oct 2014 | B2 |
| 8874892 | Chan et al. | Oct 2014 | B1 |
| 8938621 | Mao et al. | Jan 2015 | B2 |
| 8973118 | Fitzpatrick, III | Mar 2015 | B2 |
| 8995439 | Field | Mar 2015 | B2 |
| 9122501 | Hsu et al. | Sep 2015 | B1 |
| 9122739 | Yadwadkar et al. | Sep 2015 | B1 |
| 9201751 | Muthirisavenugopal et al. | Dec 2015 | B1 |
| 9225625 | He et al. | Dec 2015 | B1 |
| 9229902 | Leis et al. | Jan 2016 | B1 |
| 9278481 | Hull | Mar 2016 | B2 |
| 9323789 | Elliott, IV | Apr 2016 | B1 |
| 9355036 | Beard et al. | May 2016 | B2 |
| 9384082 | Lee et al. | Jul 2016 | B1 |
| 9542177 | Johansson et al. | Jan 2017 | B1 |
| 9590849 | Shakirzyanov et al. | Mar 2017 | B2 |
| 9594620 | Xia et al. | Mar 2017 | B2 |
| 9703644 | Jagannatha et al. | Jul 2017 | B1 |
| 9729615 | Nair | Aug 2017 | B2 |
| 9864634 | Kenkre et al. | Jan 2018 | B2 |
| 9898224 | Marshak et al. | Feb 2018 | B1 |
| 9999030 | Gu et al. | Jun 2018 | B2 |
| 10048996 | Bell et al. | Aug 2018 | B1 |
| 10057184 | Prahlad et al. | Aug 2018 | B1 |
| 10097620 | Reddy et al. | Oct 2018 | B2 |
| 10514907 | Chaganti et al. | Dec 2019 | B2 |
| 10944561 | Cahill | Mar 2021 | B1 |
| 20010044782 | Hughes et al. | Nov 2001 | A1 |
| 20030149919 | Greenwald et al. | Aug 2003 | A1 |
| 20040078683 | Buia et al. | Apr 2004 | A1 |
| 20040088145 | Rosenthal et al. | May 2004 | A1 |
| 20040177168 | Alabraba et al. | Sep 2004 | A1 |
| 20040177354 | Gunyakti et al. | Sep 2004 | A1 |
| 20040225381 | Ritz et al. | Nov 2004 | A1 |
| 20040250260 | Pioso | Dec 2004 | A1 |
| 20050033770 | Oglesby et al. | Feb 2005 | A1 |
| 20050078656 | Bryant et al. | Apr 2005 | A1 |
| 20050120112 | Wing et al. | Jun 2005 | A1 |
| 20050144151 | Fischman et al. | Jun 2005 | A1 |
| 20050144188 | Bailey et al. | Jun 2005 | A1 |
| 20060117212 | Meyer et al. | Jun 2006 | A1 |
| 20060149408 | Speeter et al. | Jul 2006 | A1 |
| 20060178864 | Khanijo et al. | Aug 2006 | A1 |
| 20060179116 | Speeter et al. | Aug 2006 | A1 |
| 20060235962 | Vinberg et al. | Oct 2006 | A1 |
| 20070143851 | Nicodemus et al. | Jun 2007 | A1 |
| 20070202469 | Davidson | Aug 2007 | A1 |
| 20070283011 | Rakowski | Dec 2007 | A1 |
| 20080037532 | Sykes et al. | Feb 2008 | A1 |
| 20080065700 | Lim | Mar 2008 | A1 |
| 20080201470 | Sayama | Aug 2008 | A1 |
| 20080228755 | Haga et al. | Sep 2008 | A1 |
| 20080262860 | Schneider et al. | Oct 2008 | A1 |
| 20090012805 | Schnell et al. | Jan 2009 | A1 |
| 20090113248 | Bock et al. | Apr 2009 | A1 |
| 20090165099 | Eldar et al. | Jun 2009 | A1 |
| 20090183010 | Schnell et al. | Jul 2009 | A1 |
| 20090260071 | Sadovsky et al. | Oct 2009 | A1 |
| 20090282283 | Sakakura et al. | Nov 2009 | A1 |
| 20090307333 | Welingkar | Dec 2009 | A1 |
| 20100024001 | Campbell et al. | Jan 2010 | A1 |
| 20100057677 | Rapp et al. | Mar 2010 | A1 |
| 20100180221 | Cloward et al. | Jul 2010 | A1 |
| 20100229022 | Anand et al. | Sep 2010 | A1 |
| 20100306489 | Abts et al. | Dec 2010 | A1 |
| 20100312522 | Laberge et al. | Dec 2010 | A1 |
| 20100318487 | Marvasti | Dec 2010 | A1 |
| 20100325493 | Morimura et al. | Dec 2010 | A1 |
| 20110078428 | Hamid | Mar 2011 | A1 |
| 20110093703 | Etchegoyen | Apr 2011 | A1 |
| 20110270482 | Holzer | Nov 2011 | A1 |
| 20110289342 | Schaefer et al. | Nov 2011 | A1 |
| 20110289343 | Schaefer et al. | Nov 2011 | A1 |
| 20110302305 | Morimura et al. | Dec 2011 | A1 |
| 20120016841 | Karonde et al. | Jan 2012 | A1 |
| 20120041976 | Annapragada | Feb 2012 | A1 |
| 20120083917 | Zhou et al. | Apr 2012 | A1 |
| 20120096272 | Jasper | Apr 2012 | A1 |
| 20120110142 | Montagna et al. | May 2012 | A1 |
| 20120144244 | Dan et al. | Jun 2012 | A1 |
| 20120150926 | Adkins et al. | Jun 2012 | A1 |
| 20120166142 | Maeda et al. | Jun 2012 | A1 |
| 20120182151 | Tong et al. | Jul 2012 | A1 |
| 20120233216 | Lim | Sep 2012 | A1 |
| 20120265872 | Chilton | Oct 2012 | A1 |
| 20120271927 | Shakirzyanov et al. | Oct 2012 | A1 |
| 20120331526 | Caudle et al. | Dec 2012 | A1 |
| 20130151975 | Shadi et al. | Jun 2013 | A1 |
| 20130185667 | Harper et al. | Jul 2013 | A1 |
| 20130257627 | Rafael | Oct 2013 | A1 |
| 20130317870 | Franco et al. | Nov 2013 | A1 |
| 20130326029 | Flynn | Dec 2013 | A1 |
| 20140069291 | Yang et al. | Mar 2014 | A1 |
| 20140082417 | Barton et al. | Mar 2014 | A1 |
| 20140115176 | Kamboh et al. | Apr 2014 | A1 |
| 20140245085 | Halverson et al. | Aug 2014 | A1 |
| 20140281675 | Sreenivasan et al. | Sep 2014 | A1 |
| 20140304399 | Chaudhary et al. | Oct 2014 | A1 |
| 20140304402 | Prakash et al. | Oct 2014 | A1 |
| 20140324276 | Weaks | Oct 2014 | A1 |
| 20140337957 | Feekes | Nov 2014 | A1 |
| 20140344101 | Collet et al. | Nov 2014 | A1 |
| 20150106606 | Cao et al. | Apr 2015 | A1 |
| 20150117174 | Alber et al. | Apr 2015 | A1 |
| 20150120359 | Dongieux | Apr 2015 | A1 |
| 20150149822 | Coronado et al. | May 2015 | A1 |
| 20150256394 | Palmer et al. | Sep 2015 | A1 |
| 20150264012 | Rieke et al. | Sep 2015 | A1 |
| 20150324255 | Kochunni | Nov 2015 | A1 |
| 20160042288 | Cohen et al. | Feb 2016 | A1 |
| 20160048611 | Cox et al. | Feb 2016 | A1 |
| 20160050222 | Iyer et al. | Feb 2016 | A1 |
| 20160057009 | Kadayam et al. | Feb 2016 | A1 |
| 20160110240 | Reger et al. | Apr 2016 | A1 |
| 20160112504 | Mathur et al. | Apr 2016 | A1 |
| 20160173690 | Perez et al. | Jun 2016 | A1 |
| 20160294643 | Kim | Oct 2016 | A1 |
| 20160302323 | Gosselin | Oct 2016 | A1 |
| 20170017881 | Langley et al. | Jan 2017 | A1 |
| 20170032091 | Rudorfer et al. | Feb 2017 | A1 |
| 20170085644 | Chouhan et al. | Mar 2017 | A1 |
| 20170094003 | Gahlot et al. | Mar 2017 | A1 |
| 20170206128 | Anderson et al. | Jul 2017 | A1 |
| 20170228649 | Chatterjee et al. | Aug 2017 | A1 |
| 20170242740 | Bell et al. | Aug 2017 | A1 |
| 20170308420 | Korotaev et al. | Oct 2017 | A1 |
| 20170339005 | Yuan et al. | Nov 2017 | A1 |
| 20180025166 | Daniel et al. | Jan 2018 | A1 |
| 20180034709 | Chen et al. | Feb 2018 | A1 |
| 20180041388 | Moens et al. | Feb 2018 | A1 |
| 20180285009 | Guim Bernat et al. | Oct 2018 | A1 |
| 20180302277 | Shimamura et al. | Oct 2018 | A1 |
| 20180321934 | Chaganti et al. | Nov 2018 | A1 |
| 20180322019 | Stowell et al. | Nov 2018 | A1 |
| 20180329579 | Kaimal et al. | Nov 2018 | A1 |
| 20190123985 | Rao et al. | Apr 2019 | A1 |
| 20190149408 | Li | May 2019 | A1 |
| 20190182105 | Stephens et al. | Jun 2019 | A1 |
| 20190303137 | Chaganti et al. | Oct 2019 | A1 |
| 20190306013 | Ali et al. | Oct 2019 | A1 |
| 20190324841 | Patel et al. | Oct 2019 | A1 |
| 20200034069 | Batra et al. | Jan 2020 | A1 |
| 20200079403 | Setiawan et al. | Mar 2020 | A1 |
| Number | Date | Country |
|---|---|---|
| 104395855 | Mar 2015 | CN |
| 106533753 | Mar 2017 | CN |
| Entry |
|---|
| “Dell DRAC—Wikipedia”; XP055602141; Mar. 23, 2018; https://en.wikipedia.org/w/index.php?title=Dell_DRAC&oldid=831957421. |
| “Dell EMC OpenManage Essentials Version 2.3: User's Guide”; XP055602720; Oct. 1, 2017; https://topics-cdn.dell.com/pdf/openmanage-essentials-v23 users-guide en-US.pdf. |
| “Integrated Dell Remote Access Controller 8 (iDRAC8): Version 2.05.05.05 User's Guide”; Dell Inc.; 2014. |
| Doug Iler et al.; “Introducing iDRAC8 with Lifecycle Controller for Dell 13th Generation PowerEdge Servers”; Dell Inc., A Dell Deployment and Configuration Guide; Sep. 2014. |
| Duncan Tweed; “Baseline configuration”; BMC Software, Inc.; Apr. 7, 2015; retrieved from https://bmc.com/. |
| Duncan Tweed; “BMC Atrium Discovery User Guide”; BMC Software, Inc.; Mar. 2014; retrieved from https://bmc.com/. |
| Masoom Parvez; “AutomaticGroup Node”; BMC Software, Inc.; 2014; retrieved from https://bmc.com/. |
| George Coulouris et al, Dell EMC Data Protection Advisor: Distributed Systems Concepts and Design, Dell EMC Data Protection Advisor: Distributed Systems Concepts and Design, retrieved Nov. 29, 2020, pp. 1-25 (of 488) https://web.archive.org/web/20201129060023/https://www.delltechnologies.com/en-us/collaterals/unauth/technical-guides-support-information/products/networking-4/docu82478.pdf, Report Reference Guide 302-003-605 REV 1 (2017. |
| Coulouris et al.; “Distributed Systems: Concepts and Design, Fifth Edition”; Addison-Wesley; pp. 37-61; 2012. |
| Zhengyu Liang et al.; “ClusterProbe: An Open, Flexible and Scalable Cluster Monitoring Tool”; IEEE Computer Society International Workshop on Cluster Computing; pp. 261-268; 1999. |
| Anonymous, “Dell EMC OpenManage Essentials Version 2.3 User's Guide”, https://topics-cdn.dell.com/pdf/openmanage-essentials-v23_users-guide_en-US.pdf; Oct. 1, 2017 (4 pages). |
| Office Action issued in corresponding Chinese Patent Application No. 201910242816.8 dated Jul. 22, 2021 (10 pages). |
| Office Action issued in corresponding Chinese Patent Application No. 201910243208.9 dated Aug. 3, 2021 (13 pages). |
| Number | Date | Country | |
|---|---|---|---|
| 20210019392 A1 | Jan 2021 | US |
