
WO2016175772A1 - Data protection - Google Patents


Info

Publication number
WO2016175772A1
Authority
WO
WIPO (PCT)
Prior art keywords
data storage
command
user
security violation
access
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2015/028110
Other languages
French (fr)
Inventor
John Butt
Ben SIMPSON
Dave DONAGHY
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hewlett Packard Enterprise Development LP
Original Assignee
Hewlett Packard Enterprise Development LP

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect

Definitions

  • Method 200 may then advance to stage 215 where device 100 may restrict access to the data storage for a user session.
  • A user session may comprise a local and/or network communication session with a computer such as device 100, such as may occur when a user has logged into device 100 and/or an application or service executing on device 100.
  • A user session may be associated with a user of a web-based application wherein the user's web browser is accessing device 100 and data storage 150 via a network.
  • The user session may be associated with a second command comprising a non-secure command, such as a standard data read and/or write command.
  • Restrict access instructions 132 may, in response to detecting that the security violation has occurred, restrict access to data storage 150. For example, user sessions interacting with data storage 150 may be blocked from reading and/or writing to data storage 150 entirely, blocked from writing while permitted to read, or vice versa, and/or blocked from executing non-secure commands while permitting other, secure commands to still be executed.
  • Different types and/or levels of restriction may be used, such as restricting non-administrative/super users, only restricting non-secure commands on data storage 150, and/or blocking only reads from data storage 150 or writes to data storage 150.
  • Continued access to the data storage may be permitted.
  • The administrator user may be notified of the detected security violation.
  • Users may be notified of the security violation and/or may receive an error message regarding the block on reading/writing to data storage 150.
  • Read and/or write requests may be paused and/or the read/write processes may be placed in an idle state.
  • User sessions interacting with data storage 150 may be closed and/or disconnected, and/or processes associated with such sessions may be terminated.
  • Restricting access to data storage 150 may comprise preventing a new user session from connecting to the data storage.
  • Method 200 may then advance to stage 220 where device 100 may determine whether the security violation has been remediated.
  • Determine violation remediation instructions 134 may determine whether the security violation has been remediated.
  • The security violation may be determined to have been remediated after the command associated with detecting the violation has been completed.
  • The security violation may be determined to have been remediated after the session in which the command was detected has disconnected and/or exited a privileged state (e.g., a user of the session switches to a non-administrator user).
  • If not, method 200 may return to stage 215 and device 100 may maintain the restriction on access to the data storage. Otherwise, method 200 may advance to stage 240 where device 100 may restore access to the data storage for the user session.
  • Restore access instructions 136 may, in response to determining that the security violation has been remediated, restore access to the data storage. For example, idled read/write processes may be permitted to complete execution and/or new sessions may be permitted to connect to data storage 150.
  • Method 200 may then end at stage 250.
  • FIG. 3 is a block diagram of a system 300 for data protection.
  • System 300 may comprise a computing device 310 comprising a command engine 315, a security engine 320, and a session engine 325.
  • Session engine 325 may manage and control a plurality of user sessions 330(A)-(C) and an administrator user session 335.
  • System 300 may further comprise a data storage 340.
  • Computing device 310 may comprise, for example, a general and/or special purpose computer, server, mainframe, desktop, laptop, tablet, smart phone, game console, and/or any other system capable of providing computing capability consistent with providing the implementations described herein.
  • Data storage 340 may comprise a physical storage device, such as a hard disk drive and/or a solid state drive, and/or a logical storage device, such as a database, a user-based logical data storage (e.g., a user's home directory and associated files), a network-attached storage, and a logical partition.
  • A logical storage device may comprise data stored on part of and/or across a plurality of physical storage devices.
  • Each of engines 315, 320, and 325 may comprise any combination of hardware and programming to implement the functionalities of the respective engine.
  • The programming for the engines may be processor executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the engines may include a processing resource to execute those instructions.
  • The machine-readable storage medium may store instructions that, when executed by the processing resource, implement engines 315, 320, and 325.
  • System 300 may comprise the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to system 300 and the processing resource.
  • Command engine 315 may detect, according to a secure command performed on a data storage, that a security violation has occurred.
  • Session engine 325 may determine, for at least one of a plurality of user sessions, whether the at least one of the plurality of user sessions is associated with an administrator user. For example, session engine 325 may identify user sessions 330(A)-(C) as not associated with administrators while administrator session 335 is associated with an administrator user.
  • A user session may comprise a local and/or network communication session with a computer such as device 310, such as may occur when a user has logged into device 310 and/or an application or service executing on device 310.
  • A user session may be associated with a user of a web-based application wherein the user's web browser is accessing device 310 and data storage 340 via a network.
  • The user session may be associated with a second command comprising a non-secure command, such as a standard data read and/or write command.
  • An administrator user may comprise a higher privileged user account than a non-administrator user. Such an account may be permitted to execute commands and/or applications, such as those that may affect an operating system of computing device 310. An administrator user may also be permitted to make changes that will affect other users. Administrators may change security settings, install software and hardware, and/or access all files on computing device 310.
  • In response to determining that the at least one of the plurality of user sessions is not associated with the administrator user, session engine 325 may apply a restriction on access to the data storage for the at least one of the plurality of user sessions.
  • The restriction may comprise a disconnection from the data storage, a blocking of an executing command associated with the data storage, a write restriction for the data storage, and/or a read restriction for the data storage.
  • Restrict access instructions 132 may, in response to detecting that the security violation has occurred, restrict access to data storage 340.
  • User sessions interacting with data storage 340 may be blocked from reading and/or writing to data storage 340 entirely, blocked from writing while permitted to read, or vice versa, and/or blocked from executing non-secure commands while permitting other, secure commands to still be executed.
  • Different types and/or levels of restriction may be used, such as restricting non-administrative/super users, only restricting non-secure commands on data storage 340, and/or blocking only reads from data storage 340 or writes to data storage 340.
  • Continued access to the data storage may be permitted.
  • The administrator user may be notified of the detected security violation.
  • User sessions 330(A)-(C) and/or administrator session 335 may be notified of the security violation and/or may receive an error message regarding the block on reading/writing to data storage 340.
  • Read and/or write requests may be paused and/or the read/write processes may be placed in an idle state.
  • User sessions interacting with data storage 340 may be closed and/or disconnected, and/or processes associated with such sessions may be terminated.
  • Restricting access to data storage 340 may comprise preventing a new user session from connecting to the data storage.
  • Security engine 320 may determine whether the security violation has been remediated according to whether the secure command has completed executing. For example, determine violation remediation instructions 134 may determine whether the security violation has been remediated. In some implementations, the security violation may be determined to have been remediated after the command associated with detecting the violation has been completed. For another example, the security violation may be determined to have been remediated after the session in which the command was detected has disconnected and/or exited a privileged state (e.g., a user of the session switches to a non-administrator user).
  • Security engine 320 may cause session engine 325 to remove the restriction applied to the at least one of the plurality of user sessions.
  • Restore access instructions 136 may, in response to determining that the security violation has been remediated, restore access to data storage 340 for user sessions 330(A)-(C).
  • Idled read/write processes may be permitted to complete execution and/or new sessions may be permitted to connect to data storage 150.
  • The disclosed examples may include systems, devices, computer-readable storage media, and methods for data protection. For purposes of explanation, certain examples are described with reference to the components illustrated in the Figures.
  • The functionality of the illustrated components may overlap, however, and may be present in a fewer or greater number of elements and components. Further, all or part of the functionality of illustrated elements may coexist or be distributed among several geographically dispersed locations. Moreover, the disclosed examples may be implemented in various environments and are not limited to the illustrated examples.

Abstract

Examples disclosed herein relate to data protection instructions to detect, according to a command execution, that a security violation associated with a data storage has occurred. In response to detecting that the security violation has occurred, data protection instructions may restrict access to the data storage, determine whether the security violation has been remediated, and in response to determining that the security violation has been remediated, restore access to the data storage.

Description

DATA PROTECTION
BACKGROUND
[0001] Data protection allows for preventing changes to data that may have been compromised. In some situations, active processes and/or sessions may be reading and writing to a data storage device after a security violation has occurred.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] In the accompanying drawings, like numerals refer to like components or blocks. The following detailed description references the drawings, wherein:
[0003] FIG. 1 is a block diagram of an example data protection device;
[0004] FIG. 2 is a flowchart of an example of a method for data protection; and
[0005] FIG. 3 is a block diagram of an example system for data protection.
DETAILED DESCRIPTION
[0006] As described above, data protection may identify when a security violation has occurred on a data storage device. After identifying such a violation, active processes and/or network sessions may be blocked from reading and/or writing to the storage device in order to prevent access to corrupted data and/or to prevent adding data to the compromised storage device.
[0007] In the description that follows, reference is made to the term "machine-readable storage medium." As used herein, the term "machine-readable storage medium" refers to any electronic, magnetic, optical, or other physical storage device that stores executable instructions or other data (e.g., a hard disk drive, random access memory, flash memory, etc.).
[0008] Referring now to the drawings, FIG. 1 is a block diagram of an example data protection device 100 consistent with disclosed implementations. Data protection device 100 may comprise a processor 110 and a non-transitory machine-readable storage medium 120. Data protection device 100 may comprise a computing device such as a server computer, a desktop computer, a laptop computer, a handheld computing device, a smart phone, a tablet computing device, a mobile phone, or the like. Device 100 may further comprise a data storage 150.
[0009] Processor 110 may comprise a central processing unit (CPU), a semiconductor-based microprocessor, or any other hardware device suitable for retrieval and execution of instructions stored in machine-readable storage medium 120. In particular, processor 110 may fetch, decode, and execute a plurality of detect security violation instructions 130, restrict access instructions 132, determine violation remediation instructions 134, and restore access instructions 136 to implement the functionality described in detail below.
[0010] Executable instructions may be stored in any portion and/or component of machine-readable storage medium 120. The machine-readable storage medium 120 may comprise both volatile and/or nonvolatile memory and data storage components. Volatile components are those that do not retain data values upon loss of power. Nonvolatile components are those that retain data upon a loss of power.
[0011] The machine-readable storage medium 120 and data storage 150 may comprise, for example, random access memory (RAM), read-only memory (ROM), hard disk drives, solid-state drives, USB flash drives, memory cards accessed via a memory card reader, floppy disks accessed via an associated floppy disk drive, optical discs accessed via an optical disc drive, magnetic tapes accessed via an appropriate tape drive, and/or other memory components, and/or a combination of any two and/or more of these memory components. In addition, the RAM may comprise, for example, static random access memory (SRAM), dynamic random access memory (DRAM), and/or magnetic random access memory (MRAM) and other such devices. The ROM may comprise, for example, a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), and/or other like memory device.
[0012] Data storage 150 may comprise a physical storage device, such as a hard disk drive and/or a solid state drive, and/or a logical storage device, such as a database, a user-based logical data storage (e.g., a user's home directory and associated files), a network-attached storage, and a logical partition. A logical storage device may comprise data stored on part of and/or across a plurality of physical storage devices.
[0013] Detect security violation instructions 130 may detect, according to a command execution, that a security violation associated with a data storage has occurred. The executed commands may be associated with assessing and/or remediating unauthorized access to data storage 150, such as by securing and/or removing data in data storage 150.
[0014] For example, detect security violation instructions 130 may comprise a list of secure commands associated with addressing suspected security breaches on data storage 150. Such commands may comprise, for example, secure delete commands for files in data storage 150, encryption commands, network configuration commands such as firewall adjustments and/or commands to disconnect users, applications, and/or communication sessions, and/or audit commands for security information such as access logs for device 100 and/or data storage 150. A secure delete command, for example, erases the data specified in the command and then overwrites the memory and storage location with random bits of data to prevent recovery. In some implementations, any command run with elevated permissions, such as those performed via a SUDO operation, may comprise a command associated with addressing a security breach.
[0015] Restrict access instructions 132 may, in response to detecting that the security violation has occurred, restrict access to data storage 150. For example, user sessions interacting with data storage 150 may be blocked from reading and/or writing to data storage 150.
[0016] Different types and/or levels of restriction may be used, such as restricting non-administrative/super users, only restricting non-secure commands on data storage 150, and/or blocking only reads from data storage 150 or writes to data storage 150. In some implementations, users may be notified of the security violation and/or may receive an error message regarding the block on reading/writing to data storage 150. In some implementations, read and/or write requests may be paused and/or the read/write processes may be placed in an idle state. In some implementations, user sessions interacting with data storage 150 may be closed and/or disconnected, and/or processes associated with such sessions may be terminated.
[0017] Determine violation remediation instructions 134 may determine whether the security violation has been remediated. For example, the security violation may be determined to have been remediated after the command associated with detecting the violation has been completed. For another example, the security violation may be determined to have been remediated after the session in which the command was detected has disconnected and/or exited a privileged state (e.g., a user of the session switches to a non-administrator user).
[0018] Restore access instructions 136 may, in response to determining that the security violation has been remediated, restore access to the data storage. For example, idled read/write processes may be permitted to complete execution and/or new sessions may be permitted to connect to data storage 150.
[0019] FIG. 2 is a flowchart of a method 200 for data protection consistent with disclosed implementations. Although execution of method 200 is described below with reference to the components of data protection device 100, other suitable components for execution of method 200 may be used.
[0020] Method 200 may start in stage 205 and proceed to stage 210 where device 100 may detect, according to a first command performed on a data storage, that a security violation has occurred. In some implementations, the first command may comprise a secure command. For example, detect security violation instructions 130 may detect, according to a command execution, that a security violation associated with a data storage has occurred. The executed commands may be associated with assessing and/or remediating unauthorized access to data storage 150, such as by securing and/or removing data in data storage 150.
[0021] For example, detect security violation instructions 130 may comprise a list of secure commands associated with addressing suspected security breaches on data storage 150. Such commands may comprise, for example, secure delete commands for files in data storage 150, encryption commands, network configuration commands such as firewall adjustments and/or commands to disconnect users, applications, and/or communication sessions, and/or audit commands for security information such as access logs for device 100 and/or data storage 150. A secure delete command, for example, erases the data specified in the command and then overwrites the memory and storage location with random data so that the original contents cannot be recovered. In some implementations, any command run with elevated permissions, such as those performed via a sudo operation, may comprise a command associated with addressing a security breach.
[0022] Method 200 may then advance to stage 215 where device 100 may restrict access to the data storage for a user session. A user session may comprise a local and/or network communication session with a computer such as device 100, such as may occur when a user has logged into device 100 and/or an application or service executing on device 100. For example, a user session may be associated with a user of a web-based application wherein the user's web browser is accessing device 100 and data storage 150 via a network. In some implementations, the user session may be associated with a second command comprising a non-secure command, such as a standard data read and/or write command.
[0023] In some implementations, restrict access instructions 132 may, in response to detecting that the security violation has occurred, restrict access to data storage 150. For example, user sessions interacting with data storage 150 may be blocked from reading and writing to data storage 150 entirely, blocked from writing while permitted to read, or vice versa, and/or blocked from executing non-secure commands while other, secure commands are still permitted to execute.
[0024] Different types and/or levels of restriction may be used, such as restricting non-administrative/super users, only restricting non-secure commands on data storage 150, and/or blocking only reads from data storage 150 or writes to data storage 150. For example, in response to determining that a second user session is associated with an administrator user, continued access to the data storage may be permitted for that session. In such an example, the administrator user may be notified of the detected security violation.
[0025] In some implementations, users may be notified of the security violation and/or may receive an error message regarding the block on reading/writing to data storage 150. In some implementations, read and/or write requests may be paused and/or the read/write processes may be placed in an idle state. In some implementations, user sessions interacting with data storage 150 may be closed and/or disconnected, and/or processes associated with such sessions may be terminated. In some implementations, restricting access to data storage 150 may comprise preventing a new user session from connecting to the data storage.
[0026] Method 200 may then advance to stage 220 where device 100 may determine whether the security violation has been remediated. For example, determine violation remediation instructions 134 may determine whether the security violation has been remediated. For example, the security violation may be determined to have been remediated after the command associated with detecting the violation has been completed. For another example, the security violation may be determined to have been remediated after the session in which the command was detected has disconnected and/or exited a privileged state (e.g., a user of the session switches to a non-administrator user).
[0027] If the security violation has not been remediated, then method 200 may return to stage 215 and device 100 may maintain the restriction on access to the data storage. Otherwise, method 200 may advance to stage 240 where device 100 may restore access to the data storage for the user session. For example, restore access instructions 136 may, in response to determining that the security violation has been remediated, restore access to the data storage. For example, idled read/write processes may be permitted to complete execution and/or new sessions may be permitted to connect to data storage 150.
[0028] After restoring access to the data storage at stage 240, method 200 may then end at stage 250.
[0029] FIG. 3 is a block diagram of a system 300 for data protection. System 300 may comprise a computing device 310 comprising a command engine 315, a security engine 320, and a session engine 325. Session engine 325 may manage and control a plurality of user sessions 330(A)-(C) and an administrator user session 335. System 300 may further comprise a data storage 340.
[0030] Computing device 310 may comprise, for example, a general and/or special purpose computer, server, mainframe, desktop, laptop, tablet, smart phone, game console, and/or any other system capable of providing computing capability consistent with providing the implementations described herein. Data storage 340 may comprise a physical storage device, such as a hard disk drive and/or a solid state drive, and/or a logical storage device, such as a database, a user-based logical data storage (e.g., a user's home directory and associated files), a network-attached storage, and a logical partition. A logical storage device may comprise data stored on part of and/or across a plurality of physical storage devices.
[0031] Each of engines 315, 320, and 325 may comprise any combination of hardware and programming to implement the functionalities of the respective engine. In examples described herein, such combinations of hardware and programming may be implemented in a number of different ways. For example, the programming for the engines may be processor executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the engines may include a processing resource to execute those instructions. In such examples, the machine-readable storage medium may store instructions that, when executed by the processing resource, implement engines 315, 320, and 325. In such examples, system 300 may comprise the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to system 300 and the processing resource.
[0032] Command engine 315 may detect, according to a secure command performed on a data storage, that a security violation has occurred. For example, detect security violation instructions 130 may detect, according to a command execution, that a security violation associated with data storage 340 has occurred. The executed commands may be associated with assessing and/or remediating unauthorized access to data storage 340, such as by securing and/or removing data in data storage 340.
[0033] For example, detect security violation instructions 130 may comprise a list of secure commands associated with addressing suspected security breaches on data storage 340. Such commands may comprise, for example, secure delete commands for files in data storage 340, encryption commands, network configuration commands such as firewall adjustments and/or commands to disconnect users, applications, and/or communication sessions, and/or audit commands for security information such as access logs for computing device 310 and/or data storage 340. A secure delete command, for example, erases the data specified in the command and then overwrites the memory and storage location with random data so that the original contents cannot be recovered. In some implementations, any command run with elevated permissions, such as those performed via a sudo operation, may comprise a command associated with addressing a security breach.
[0034] Session engine 325 may determine, for at least one of a plurality of user sessions, whether the at least one of the plurality of user sessions is associated with an administrator user. For example, session engine 325 may identify user sessions 330(A)-(C) as not associated with administrators while administrator session 335 is associated with an administrator user.
[0035] A user session may comprise a local and/or network communication session with a computer such as device 310, such as may occur when a user has logged into device 310 and/or an application or service executing on device 310. For example, a user session may be associated with a user of a web-based application wherein the user's web browser is accessing device 310 and data storage 340 via a network. In some implementations, the user session may be associated with a second command comprising a non-secure command, such as a standard data read and/or write command.
[0036] An administrator user may comprise a higher privileged user account than a non-administrator user. Such an account may be permitted to execute commands and/or applications, such as those that may affect an operating system of computing device 310. An administrator user may also be permitted to make changes that will affect other users. Administrators may change security settings, install software and hardware, and/or access all files on computing device 310.
[0037] In response to determining that the at least one of the plurality of user sessions is not associated with the administrator user, session engine 325 may apply a restriction on access to the data storage for the at least one of the plurality of user sessions. In some implementations, the restriction may comprise a disconnection from the data storage, a blocking of an executing command associated with the data storage, a write restriction for the data storage, and/or a read restriction for the data storage.
[0038] For example, restrict access instructions 132 may, in response to detecting that the security violation has occurred, restrict access to data storage 340. For example, user sessions interacting with data storage 340 may be blocked from reading and/or writing to data storage 340 entirely, blocked writing while permitted to read, or vice versa, and/or blocked from executing non-secure commands while permitting other, secure commands to still be executed.
[0039] Different types and/or levels of restriction may be used, such as restricting non-administrative/super users, only restricting non-secure commands on data storage 340, and/or blocking only reads from data storage 340 or writes to data storage 340. For example, in response to determining that a user session, such as administrator session 335, is associated with an administrator user, continued access to the data storage may be permitted for that session. In such an example, the administrator user may be notified of the detected security violation.
[0040] In some implementations, user sessions 330(A)-(C) and/or administrator session 335 may be notified of the security violation and/or may receive an error message regarding the block on reading/writing to data storage 340. In some implementations, read and/or write requests may be paused and/or the read/write processes may be placed in an idle state. In some implementations, user sessions interacting with data storage 340 may be closed and/or disconnected, and/or processes associated with such sessions may be terminated. In some implementations, restricting access to data storage 340 may comprise preventing a new user session from connecting to the data storage.
[0041] Security engine 320 may determine whether the security violation has been remediated according to whether the secure command has completed executing. For example, determine violation remediation instructions 134 may determine whether the security violation has been remediated. In some implementations, the security violation may be determined to have been remediated after the command associated with detecting the violation has been completed. For another example, the security violation may be determined to have been remediated after the session in which the command was detected has disconnected and/or exited a privileged state (e.g., a user of the session switches to a non-administrator user).
[0042] In response to determining that the security violation has been remediated, security engine 320 may cause session engine 325 to remove the restriction applied to the at least one of the plurality of user sessions. For example, restore access instructions 136 may, in response to determining that the security violation has been remediated, restore access to data storage 340 for user sessions 330(A)-(C). For example, idled read/write processes may be permitted to complete execution and/or new sessions may be permitted to connect to data storage 340.
[0043] The disclosed examples may include systems, devices, computer-readable storage media, and methods for data protection. For purposes of explanation, certain examples are described with reference to the components illustrated in the Figures. The functionality of the illustrated components may overlap, however, and may be present in a fewer or greater number of elements and components. Further, all or part of the functionality of illustrated elements may coexist or be distributed among several geographically dispersed locations. Moreover, the disclosed examples may be implemented in various environments and are not limited to the illustrated examples.
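The detect, restrict, remediate and restore cycle of method 200 ([0020]-[0027]) and the division of that work among the command engine, session engine and security engine of system 300 ([0032]-[0042]) can be written out as one small state machine. The following is an added example written for this page, not code from the patent or from Hewlett Packard Enterprise; the secure-command list, the `Guard`, `Session`, `is_secure_command` and `scenario` names, and the choice to idle (queue) blocked requests rather than fail them are assumptions made for illustration.

```python
"""Added example: the detect / restrict / remediate / restore cycle.

Not the patent's code. SECURE_COMMANDS, Guard, Session and scenario are
illustrative names; the command list would be tuned per platform.
"""
import shlex
from collections import deque
from dataclasses import dataclass, field

# "Secure commands" in the sense of the text: secure delete, encryption,
# firewall changes, session disconnects, audit-log queries (assumed list).
SECURE_COMMANDS = {"shred", "srm", "gpg", "iptables", "pkill", "ausearch"}
PRIVILEGE_WRAPPERS = {"sudo", "doas"}   # any command run elevated also counts


@dataclass
class Session:
    user: str
    is_admin: bool = False
    blocked: set = field(default_factory=set)     # subset of {"read", "write"}
    queue: deque = field(default_factory=deque)   # paused (idled) requests
    notices: list = field(default_factory=list)   # messages shown to the user


def is_secure_command(cmdline: str) -> bool:
    """Command engine: does this command line signal a security violation?"""
    argv = shlex.split(cmdline)
    return bool(argv) and (argv[0] in PRIVILEGE_WRAPPERS or argv[0] in SECURE_COMMANDS)


class Guard:
    """Session engine plus security engine for one data storage."""

    def __init__(self, restrict=("read", "write")):
        self.restrict = set(restrict)   # which non-secure operations to block
        self.active = {}                # cmd_id -> Session that ran the secure command
        self.sessions = []
        self.refuse_new = False

    def connect(self, session):
        """New non-admin sessions are refused while a violation is open."""
        if self.refuse_new and not session.is_admin:
            return False
        self.sessions.append(session)
        return True

    def command_started(self, cmd_id, cmdline, session):
        """Detect step; on a secure command, restrict every non-admin session."""
        if not is_secure_command(cmdline):
            return False
        self.active[cmd_id] = session
        self.refuse_new = True
        for s in self.sessions:
            if s.is_admin:   # admins keep access but are told what happened
                s.notices.append(f"security violation: {cmdline!r} by {session.user}")
            else:
                s.blocked |= self.restrict
                s.notices.append("data storage access restricted")
        return True

    def request(self, session, op):
        """A non-secure read or write: run it, or idle it until access returns."""
        if op in session.blocked:
            session.queue.append(op)
            return "paused"
        return "allowed"

    def command_completed(self, cmd_id):
        """Remediation by completion of the secure command."""
        self.active.pop(cmd_id, None)
        return self._restore_if_clear()

    def session_exited(self, session):
        """Remediation by the privileged session disconnecting."""
        for cmd_id in [c for c, s in self.active.items() if s is session]:
            del self.active[cmd_id]
        self.sessions = [s for s in self.sessions if s is not session]
        return self._restore_if_clear()

    def _restore_if_clear(self):
        """Restore access only when no secure command is still running;
        returns the idled requests that are now released, in order."""
        if self.active:
            return []
        self.refuse_new = False
        released = []
        for s in self.sessions:
            s.blocked.clear()
            while s.queue:
                released.append((s.user, s.queue.popleft()))
        return released


def scenario():
    """One violation walked through the whole cycle; returns the trace."""
    g = Guard()
    alice, root = Session("alice"), Session("root", is_admin=True)
    g.connect(alice)
    g.connect(root)
    trace = [g.request(alice, "read")]                                  # allowed
    g.command_started("c1", "sudo shred -u /data/customers.db", root)   # detect
    trace += [g.request(alice, "write"), g.request(root, "write")]      # paused, allowed
    trace.append(g.connect(Session("bob")))                             # False: refused
    trace.append(g.command_completed("c1"))                             # released requests
    trace += [g.request(alice, "write"), g.connect(Session("bob"))]     # allowed, True
    return trace
```

Two design points worth noting. `_restore_if_clear` only lifts the restriction once every open secure command has finished or its session has gone away, so two overlapping violations do not restore access when the first one completes. And idled requests are released in the order they were paused, which is what lets a blocked session resume without the client having to retry.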
[0044] Moreover, as used in the specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context indicates otherwise. Additionally, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. Instead, these terms are only used to distinguish one element from another.
[0045] Further, the sequence of operations described in connection with the Figures are examples and are not intended to be limiting. Additional or fewer operations or combinations of operations may be used or may vary without departing from the scope of the disclosed examples. Thus, the present disclosure merely sets forth possible examples of implementations, and many variations and modifications may be made to the described examples. All such modifications and variations are intended to be included within the scope of this disclosure and protected by the following claims.

Claims

We claim:
1. A non-transitory machine-readable storage medium comprising instructions for data protection which, when executed by a processor, cause the processor to:
detect, according to a command execution, that a security violation associated with a data storage has occurred; and
in response to detecting that the security violation has occurred:
restrict access to the data storage,
determine whether the security violation has been remediated, and in response to determining that the security violation has been remediated, restore access to the data storage.
2. The non-transitory machine-readable medium of claim 1, wherein the instructions to restrict access to the data storage comprise instructions to restrict access to a physical storage device.
3. The non-transitory machine-readable medium of claim 1, wherein the instructions to restrict access to the data storage comprise instructions to restrict access to a logical data storage.
4. The non-transitory machine-readable medium of claim 3, wherein the logical data storage comprises at least one of the following: a database, a user-based logical data storage, a network-attached storage, and a logical partition.
5. The non-transitory machine-readable medium of claim 1, wherein the command execution comprises a secure delete command.
6. The non-transitory machine-readable medium of claim 5, wherein the instructions to determine whether the security violation has been remediated comprise instructions to determine whether the secure delete command has completed.
7. The non-transitory machine-readable medium of claim 1, wherein the instructions to restrict access to the data storage comprise instructions to block performance of at least one of the following: a non-secure data read command and a non-secure data write command.
8. A computer-implemented method for data protection comprising: detecting, according to a first command performed on a data storage, that a security violation has occurred, wherein the first command comprises a secure command;
restricting access to the data storage for a user session, wherein the user session is associated with a second command comprising a non-secure command;
determining whether the security violation has been remediated; and in response to determining that the security violation has been remediated, restoring access to the data storage for the user session.
9. The computer-implemented method of claim 8, wherein restricting access to the data storage for the user session comprises disconnecting the user session.
10. The computer-implemented method of claim 8, wherein restricting access to the data storage for the user session comprises permitting a third command to be executed.
11. The computer-implemented method of claim 10, wherein the third command comprises a read command associated with the data storage.
12. The computer-implemented method of claim 8, wherein restricting access to the data storage for the user session further comprises preventing a new user session from connecting to the data storage.
13. The computer-implemented method of claim 8, wherein restricting access to the data storage for the user session further comprises determining whether a second user session is associated with an administrator user; and
in response to determining that the second user session is associated with the administrator user, permitting continued access to the data storage for the second user session.
14. The computer-implemented method of claim 13, further comprising, in response to determining that the second user session is associated with the administrator user, notifying the administrator user of the security violation.
15. A system for data protection, comprising:
a command engine to:
detect, according to a secure command performed on a data storage, that a security violation has occurred;
a session engine to:
determine, for at least one of a plurality of user sessions, whether the at least one of the plurality of user sessions is associated with an administrator user;
in response to determining that the at least one of the plurality of user sessions is not associated with the administrator user, apply a restriction on access to the data storage for the at least one of the plurality of user sessions, wherein the restriction comprises at least one of the following: a disconnection from the data storage, a blocking of an executing command associated with the data storage, a write restriction for the data storage, and a read restriction for the data storage; and
a security engine to:
determine whether the security violation has been remediated according to whether the secure command has completed executing; and
in response to determining that the security violation has been remediated, cause the session engine to remove the restriction applied to the at least one of the plurality of user sessions.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2015/028110 WO2016175772A1 (en) 2015-04-29 2015-04-29 Data protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2015/028110 WO2016175772A1 (en) 2015-04-29 2015-04-29 Data protection

Publications (1)

Publication Number Publication Date
WO2016175772A1 true WO2016175772A1 (en) 2016-11-03

Family

ID=57199801

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/028110 Ceased WO2016175772A1 (en) 2015-04-29 2015-04-29 Data protection

Country Status (1)

Country Link
WO (1) WO2016175772A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020112131A1 (en) * 1995-10-25 2002-08-15 Fong Anthony S. Specifying access control and caching on operands
US20080162784A1 (en) * 2006-12-29 2008-07-03 Spansion Llc Systems and methods for access violation management of secured memory
US20100242082A1 (en) * 2009-03-17 2010-09-23 Keene David P Protecting sensitive information from a secure data store
US8255370B1 (en) * 2008-03-28 2012-08-28 Symantec Corporation Method and apparatus for detecting policy violations in a data repository having an arbitrary data schema
JP2015052950A (en) * 2013-09-06 2015-03-19 独立行政法人産業技術総合研究所 Data storage device, secure io device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15890909

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15890909

Country of ref document: EP

Kind code of ref document: A1