WO2011148224A1 - Method and system of secure computing environment having auditable control of data movement - Google Patents

Info

Publication number
WO2011148224A1
Authority
WO
WIPO (PCT)
Prior art keywords
organization
external storage
storage device
data
user computing
Application number
PCT/IB2010/052286
Other languages
French (fr)
Inventor
Kwok Yan Karch Lam
Original Assignee
Privylink Private Limited
Application filed by Privylink Private Limited
Priority to SG2012084786A (SG185640A1)
Priority to PCT/IB2010/052286 (WO2011148224A1)
Publication of WO2011148224A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101: Auditing as a secondary aspect

Definitions

  • The present invention relates to a secure computing system. More particularly, a method and system for extending the trusted computing environment of an organization or a central host to untrusted remote computing devices outside the organization, with auditable control of data movement between the organization and the untrusted computing devices.
  • Data proprietary to an organization may be legitimately moved out of the secure perimeter of the organization by a user through transferring the organization data to an external storage device such as a USB flash drive.
  • The user may remotely access the organization data stored in the organization server via an online means.
  • Data in transit may be secured by cryptographic protection of the online access channel (US 6732269 by Baskey et al.) and even the data itself.
  • Such cryptographic protection extends the secure perimeter of the organization to include the storage device and the online access channel.
  • The organization data is susceptible to unauthorized access by malware and file sharing software residing on the untrusted user computing device.
  • The untrusted user computing device is a fixed or portable computer used to exchange and process the organization data outside the organization.
  • The untrusted user computing device may interface with the user external storage device for data exchange and it may be connected to the Internet and the organization extranet.
  • The untrusted user computing device may be the user's personal computer(s) at home, off-site computers, shared computers for public use and even computers owned or pre-approved by the organization.
  • Malicious code may also be downloaded to said untrusted user computing device via the Internet, Bluetooth and other means of wired and wireless communication without the user's knowledge.
  • Said malware, which includes file sharing software and malicious scripts, may copy the organization data and send it to a remote requestor which may be an application executing from a server of dubious nature.
  • The remote requestor may be another individual user running the same file sharing software.
  • The organization data may not have sufficient protection when copied or downloaded to the untrusted user computing device.
  • Applications referencing the organization data on the untrusted user computing device are possible causes of data leakage when the malware has successfully gained access to the organization data by prying into the registries, files and memory used by the applications.
  • The present application provides a method and system for implementing a secure computing environment having auditable control of data movement.
  • A method of implementing a secure computing environment is provided.
  • At least one secure organization computing platform executing a first auditable data exchange application capable of recording events in a first audit log can be interfaced to and in communication with at least one external storage device for exchanging organization data between the memory of the organization computing platform and a secure partition of the external storage device, and the external storage device comprising at least one read/write secure partition, which stores organization data in encrypted form, and one read-only partition, and the external storage device can further be interfaced and in communication with at least one untrusted user computing device to which the organization data can be transferred for processing with pre-authorized software modules comprising an operating system, a plurality of authorized applications and drivers pre-installed in the read-only partition of the external storage device, and the method comprises the steps of an organization user interfacing the external storage device to the organization computing platform for checking out the organization data, the first auditable data exchange application recording parameters and events associated with data movement and any other pre-determined events in the first audit log, the organization user decoupling the external storage device with the organization data stored in
  • The checking out of the organization data may be performed by the first auditable data exchange application to encrypt the organization data from the organization computing platform with an unlocked cryptographic key for accessing the secure partition, followed by writing the encrypted organization data to the secure partition of the external storage device.
  • The data check-in process may be performed by the first auditable data exchange application to decrypt the data from the secure partition of the external storage device with an unlocked cryptographic key and transfer the decrypted data to the memory of the organization computing platform.
  • The organization data protected in the secure partition of the external storage device may be first unlocked or decrypted before being accessed by the authorized applications running in the untrusted user computing device, and processed organization data and other application related data generated in the untrusted user computing device may be encrypted and transferred to the secure partition of the external storage device, and this data encryption and decryption may be executed by a cryptographic application executed in the user computing platform using an unlocked cryptographic key for accessing the secure partition, and the cryptographic application may be one of the plurality of authorized applications pre-installed in the read-only partition of the external storage device.
  • The cryptographic key for accessing the secure partition may be stored in protected form in a key memory of the external storage device.
  • The authorized applications may comprise a second auditable data exchange application which is loaded to and executed by the untrusted user computing device upon the completion of the booting processes, and the second auditable data exchange application may be used to record in a second audit log the data movement between the external storage device and the untrusted user computing device, and all the parameters, events and the corresponding time stamps required by the audit policies of the organization, and the second audit log may be stored in the secure partition of the external storage device.
  • The second auditable data exchange application may replace the cryptographic application for encrypting and decrypting data exchanged between the secure partition of the external storage device and the untrusted user computing device.
  • At least one of the organization computing platform and untrusted user computing device may execute a device verification process for determining whether the interfaced external storage device has been pre-authorized by the organization.
  • At least one of the organization computing platform and untrusted user computing device may unlock the protected cryptographic key for accessing the secure partition of the external storage device by means of a user password provided by the organization user in an authentication process.
  • At least one of the organization computing platform and untrusted user computing device may execute a key verification process in which the unlocked cryptographic key for accessing the secure partition may be compared against a parameter derived from the original cryptographic key for validating whether the unlocked cryptographic key matches the original cryptographic key, and the parameter may comprise the cryptographic checksum of the original cryptographic key stored in the external storage device.
  • At least one of the organization computing platform and untrusted user computing device may enforce data control and security policies pre-determined by the organization, and the policies may comprise verification, authentication and authorization results, file movement control in accordance with file types, file size, time of usage and any other pre-determined criteria.
  • Any of the above device verification, authentication, key verification and policy enforcement processes executed on the user computing device may be executable processes provided by one or a plurality of the authorized applications pre-installed in the read-only partition of the external storage device.
  • Any of the above device verification, authentication, key verification and policy enforcement processes may be executed by at least one of the first and second auditable data exchange applications.
  • The parameters logged by the first and second auditable data exchange applications may comprise the identifiers of either one or both of the organization computing platform and untrusted user computing device, and the identifiers can be constructed from one or a plurality of the identity codes associated with the central processing units (CPU) and subsystems of the organization computing platform and untrusted user computing device respectively.
  • The drivers may be software codes used for enabling control signals and data exchange between the respective authorized input-output devices and the untrusted user computing device.
  • The authorized input-output devices may include basic inputting devices such as mice and keyboards, essential outputting devices such as monitors and printers, but exclude any conventional external storage devices such as portable flash drives and external hard disks.
  • The authorized input-output devices may include biometric scanners and portable crypto-tokens used for storing secret user cryptographic keys used in multi-factor authentication.
  • The untrusted user computing device may be a fixed or portable computer with which the organization user works outside the organization, and the untrusted user computing device may include the user's home computers, off-site computers and shared computers for public use, and the untrusted user computing device may have a standard Basic Input-Output System (BIOS) editor which can be used to register with the untrusted user computing device that the external storage device should be searched for the operating system when the untrusted user computing device is powered up.
  • The cryptographic key for accessing the secure partition may be cryptographically protected with a second cryptographic key derived from the user password and other parameters in accordance with a pre-determined algorithm, and the protected cryptographic key for accessing the secure partition can be unlocked in a decryption process with the second cryptographic key derived from the user password using the same pre-determined algorithm.
  • The cryptographic key for accessing the secure partition may be cryptographically protected by the user fingerprint to form a locked fingerprint module which is secure and can be stored in the external storage device without additional cryptographic protection.
  • The cryptographic operations handling the encrypting and decrypting of the data for the secure partition may be performed by a software application or a hardware module within the external storage device.
  • The operating system may allow the authorized applications pre-installed in the read-only partition of the external storage device to access the organization extranet, intranet and any other networks pre-authorized by the organization.
  • Initialization of the external storage device may comprise the steps of deriving the cryptographic key for accessing the secure partition of the external storage device from at least a master key and the identifier of the external storage device, protecting or encrypting the cryptographic key for accessing the secure partition from an initial password assigned by the organization or selected by the user, and writing the protected cryptographic key for the secure partition to the memory of the external storage device.
  • At least the volatile memory of the untrusted user computing device for holding any unlocked cryptographic key may be zeroized, followed by system shut-down of the untrusted user computing device when the external storage device is decoupled and disconnected from the untrusted user computing device.
  • The user computing device may be pre-configured to forbid the operating system to use any memory on the external storage device as the virtual memory.
  • The system comprises at least one secure organization computing platform, at least one external storage device comprising at least one read/write secure partition and at least one read-only partition, and at least one untrusted user computing device, wherein the organization computing platform executing a first auditable data exchange application capable of recording data movement and other pre-determined events in a first audit log, the external storage device can be interfaced to and in communication with the organization computing platform which can transfer organization data to the external storage device in a data check-out process upon successful verification and authentication, the secure partition of the external storage device storing organization data in encrypted form, the external storage device can be interfaced to and in communication with the untrusted user computing device to which the organization data can be transferred for processing with authorized software modules comprising operating system, authorized applications and drivers pre-installed in the read-only partition of the external storage device, the organization user decoupling the external storage device from the organization computing platform with the organization data stored in its secure partition, and interfacing the external storage device with the untrusted user computing device, the untrusted user computing device booting from the operating
  • The authorized applications may comprise a second auditable data exchange application which is loaded to the untrusted user computing device upon the completion of the booting processes, and the second auditable data exchange application may be used to record in a second audit log all the parameters, events and data movement between the external storage device and the untrusted user computing device as required by the audit policies of the organization, and the second audit log may be stored in the secure partition of the external storage device, and the second auditable data exchange application may be capable of encrypting and decrypting data for the secure partition of the external storage device.
  • The verification and authentication may comprise a device verification process for determining whether the interfaced external storage device has been pre-authorized by the organization, and an authentication process may comprise prompting the organization user for a password for unlocking a protected cryptographic key for encrypting and decrypting data for the secure partition of the external storage device.
  • The present invention provides an innovative method and system for implementing a secure computing environment comprising an organization secure computing system, external storage devices and untrusted user computing devices on which the users exchange and process data proprietary to the organization in a secure manner. Authentication events and data movement are recorded in auditable logs as per the organization data movement policy.
  • The present secure computing system extends the trusted computing environment of an organization to untrusted user computing devices outside the organization.
  • The present system allows secure home and off-site working by the organization staffers using low-cost and off-the-shelf external storage devices.
  • FIG. 1 illustrates the secure computing system of the present invention,
  • FIG. 2 illustrates the flow of a data check-in and checkout process executed by the first auditable data exchange application of FIG. 1,
  • FIG. 3 illustrates the flow of an audit logging process executed by a second auditable data exchange application in one embodiment of the secure computing system of FIG. 1, and
  • FIG. 4 illustrates a process executed for initializing the external storage device of the secure computing system of FIG. 1.
  • FIG. 1 shows a secure computing environment 100 comprising an organization secure computing system 110, at least one external storage device 150 and at least one untrusted user computing device 190.
  • The organization secure computing system 110 comprises at least one organization server 112 for executing a plurality of organization applications.
  • The organization server 112 is in communication with a plurality of organization computing platforms 120 which provide organization staffers or users access to server and client applications and data.
  • One such application is the first auditable data exchange application 130 for exchanging organization data 140 with external storage devices 150 authorized by the organization.
  • The first auditable data exchange application 130 further monitors and records device usage and data movement, and it may enforce organizational governance requirements for auditable data control.
  • Organization data 140 is any data proprietary to the organization including text documents, image files and other multimedia data.
  • Verification of external storage devices 150 may be carried out by the organization computing platforms 120 or the first auditable data exchange application 130. Devices which have not been explicitly authorized are rejected. The device verification result is recorded in a first audit log (270).
  • The memory of each of the external storage devices 150 comprises at least one read-only partition 160 and one secure partition 170.
  • The secure partition 170, which is read-and-write enabled, stores the organization data 140 and any other user and application-related data in encrypted form.
  • The cryptographic key for accessing secure partition 170 is stored in a key memory 180 of the external storage device 150 in a protected form. This protected cryptographic key can be unlocked by a user password provided by the organization user in an authentication process.
  • The read-only partition 160 stores an operating system 162 for booting the untrusted user computing device 190.
  • The read-only partition 160 further stores authorized applications 164 for processing the organization data 140 stored in the secure partition 170, as well as drivers of authorized input-output devices 166 allowed to be coupled to the untrusted user computing device 190.
  • The organization user may decouple an external storage device 150 from his assigned organization computing platform 120.
  • The user may interface the external storage device 150 to an untrusted user computing device 190 at home, a remote customer site or in public amenities.
  • The boot firmware of the untrusted user computing device 190 searches and executes the operating system 162, which is capable of executing the authorized applications 164, pre-installed in the read-only partition 160 of the external storage device 150.
  • The untrusted user computing device 190 by itself is a fixed or portable computer used to exchange and process the organization data 140 outside the organization.
  • The untrusted user computing device 190 may interface with the external storage device 150 for data exchange.
  • The untrusted user computing device 190 may be the user's personal computer(s) at home, shared computers for public use and even computers owned or pre-approved by the organization.
  • The operating system 162 has been pre-configured to deactivate the local hard disk and any local non-volatile storage device of the untrusted user computing device 190.
  • The operating system 162 further prohibits the untrusted user computing device 190 or its applications from access to any networks, such as the Internet, which have not been pre-approved by the organization.
  • The operating system 162 prohibits any input-output devices which have not been authorized by the organization from exchanging data and signals with the untrusted user computing device 190.
  • FIG. 2 illustrates the data check-in, check-out process and audit logging executed by the first auditable data exchange application 130 of FIG. 1.
  • The process begins with step 230 in which the cryptographic key for accessing the secure partition 170 of the external storage device 150 is retrieved and unlocked.
  • The first auditable data exchange application 130 encrypts organization data 140 from the organization computing platform 120 with the unlocked cryptographic key for accessing the secure partition 170 in step 260.
  • The application 130 further writes the encrypted data to the secure partition 170 of the external storage device 150 in step 265.
  • The first auditable data exchange application 130 retrieves and decrypts data stored in the secure partition 170 of the external storage device 150 with the unlocked cryptographic key for accessing the secure partition 170 in step 250.
  • The application 130 further writes the decrypted data to a pre-assigned or user-specified memory of the organization computing platform 120 in step 255.
  • The first auditable data exchange application 130 records all data movement in the first audit log in step 270 according to pre-determined organization policies.
  • The audit logging process of step 270 may also be executed concurrently with any of the data check-in and check-out processes 200.
  • The first auditable data exchange application 130 retrieves and unlocks the protected cryptographic key for accessing secure partition 170 from a centralized database stored in the organization server 112.
  • The first auditable data exchange application 130 retains a copy of any data being written to the external storage device 150.
  • The memory of the external storage device 150 comprises at least one read-only partition 160 and at least one secure partition 170.
  • The secure partition 170, which is read-and-write enabled, stores the organization data 140 and any other user and application-related data in encrypted form.
  • The read-only partition 160 stores software modules comprising an operating system 162, authorized applications 164 and drivers of authorized input-output devices 166 allowed to be coupled to the untrusted user computing device 190.
  • The read-only and secure partitions 160 & 170 are implemented in the non-volatile memory of the external storage device 150 such that the stored information is retained even when the external storage device is not electrically powered.
  • The non-volatile memory may be flash memory, hard disk or optical based, provided that the read-only partition 160 and the secure partition 170 can be created.
  • The secure partition 170 may be implemented in the form of disk encryption or file system encryption.
  • The external storage device 150 may comprise a controller and other means for enabling the required data access processes.
  • The external storage device 150 may be a customized or off-the-shelf product, typically with the aforesaid non-volatile memory, controller and other sub-systems housed in a portable chassis.
  • The external storage device 150 comprises an interface capable of exchanging signals and data with the untrusted user computing device 190 and the organization computing platform 120.
  • The interface may conform to international and proprietary interface standards adopted by manufacturers of fixed and portable computing devices.
  • The interface may support any of the wired or wireless data communications including the Universal Serial Bus (USB, with specifications available at www.usb.org), IEEE 1394 (FireWire, with specifications available at www.ieee.org) and Bluetooth (a short range communication standard, www.bluetooth.com).
  • The interface standards include but are not limited to the protocols used by USB tokens, external hard disks, memory sticks, multimedia cards, secure digital (SD) cards, xD-picture cards, smart media cards and compact flash cards.
  • The external storage device 150 may be integrated with another device used primarily for telecommunications, entertainment or other applications.
  • An operating system 162 together with a plurality of authorized applications 164 and drivers for pre-approved input-output devices 166 are pre-installed in the read-only partition 160.
  • The operating system 162 may be Microsoft Windows, Linux or their variants.
  • The operating system 162 may be any suitable system capable of executing the plurality of authorized computing applications 164 and drivers 166 such that they can be executed in the untrusted user computing device 190.
  • The input-output device drivers are software codes used for enabling control signals and data exchange between the corresponding input-output devices and the untrusted user computing device 190. Only the drivers for pre-approved input-output devices are pre-installed in the read-only partition 160 of the external storage device 150.
  • The pre-approved input-output devices may include basic inputting devices such as mice and keyboards, as well as essential outputting devices including monitors and printers.
  • The pre-approved input-output devices may further include biometric scanners and portable crypto-tokens for storing secret user cryptographic keys used in multi-factor authentication applications. Drivers conforming to open standards, such as BioAPI (under BioAPI Consortium with specifications available at
  • Pre-approved input-output devices should exclude any conventional type of external storage devices.
  • Conventional external storage devices such as a USB flash drive or external hard disk may inject malware into the untrusted user computing device 190, hence diminishing the security level of the present secure computing environment 100.
  • The untrusted user computing device 190 is a fixed or portable computer used to exchange and process the organization data 140 outside the organization. It may be the user's personal computer(s) at home, off-site computers and shared computers for public use.
  • The boot firmware of the untrusted user computing device 190 is capable of searching and executing the operating system 162 pre-installed in the external storage device 150 when the external storage device 150 is interfaced to and in communication with the untrusted user computing device 190.
  • The authorized applications 164 pre-installed in the same read-only partition 160 are executable by the operating system 162 within the untrusted user computing device 190.
  • The local hard disk and any local non-volatile storage device of the untrusted user computing device 190 are deactivated such that the external storage device 150 has no access to the local hard disk.
  • Possible harmful executables such as malware residing in the untrusted user computing device 190 are unable to execute because the executables have no access to the processing resources of the untrusted user computing device 190.
  • The user computing device 190 may be pre-configured to forbid the operating system 162 to use any memory on the external storage device 150 as the virtual memory for processing.
  • The standard Basic Input-Output System Editor (BIOS editor) on the untrusted user computing device 190 may be used to register with the untrusted user computing device 190 that the connected external storage device 150 should be searched for the operating system 162 when the untrusted user computing device 190 is powered up.
  • The external storage device 150 may be listed as the first boot device in the booting sequence of the untrusted user computing device 190.
  • The operating system 162 may further prohibit the untrusted user computing device 190 or its applications from access to any networks, such as the Internet, which have not been pre-approved by the organization.
  • Organization data 140 protected in the secure partition 170 of the external storage device 150 is first decrypted before the authorized applications 164 running in the untrusted user computing device 190 can access it.
  • Processed organization data and other application related data generated in the untrusted user computing device 190 are encrypted and transferred to the secure partition 170 of the external storage device 150.
  • Analogous to the aforesaid data check-in and check-out processes 200, these cryptographic operations are transparent to the user and they are performed by a cryptographic software application executable in the user computing platform 190.
  • Said cryptographic software application is one of the plurality of authorized applications 164 pre-installed in the read-only partition 160 of the external storage device 150.
  • the cryptographic software application is loaded to the untrusted user computing device 190 when the external storage device 150 is connected and in communication with the untrusted user computing device 190.
  • the protected cryptographic key for accessing secure partition 170 is unlocked by at least the password provided by the user in the aforesaid authentication process.
  • Data communication between the untrusted user computing device 190 and the external storage device 150 includes reading of authorized applications 164 and drivers 166 and transferring data associated with the secure partition 170. Within the secure computing environment 100, such data communication does not require the establishment of a special secure channel or tunnel.
Second auditable data exchange application
  • FIG. 3 illustrates an embodiment in which an audit logging process flow is executed by a second auditable data exchange application.
  • the second auditable data exchange application 320 is a pre-installed authorized application 164 stored in the read-only partition 160 of the external storage device 150.
  • the boot firmware of the untrusted user computing device 190 executes the operating system 162 pre-installed in the read-only partition 160 of the external storage device 150 in step 310, followed by executing the second auditable data exchange application (320) within the untrusted user computing device 190.
  • the second auditable data exchange application records in a second audit log 330 all the parameters, events and the corresponding time stamps, and any information, such as the sizes, types and attributes associated with the transferred data, in accordance with the audit policies of the organization.
  • the second audit log 330 may be stored in the secure partition 170 of the external storage device 150 with its content directly updated by the second auditable data exchange application 320.
  • the second audit log 330 may be read and transferred (340) to the organization computing platform 120 by the first auditable data exchange application 130 when the external storage device 150 is interfaced and in communication with the first auditable data exchange application 130.
  • the second auditable data exchange application 320 may replace and perform the functions of the aforesaid cryptographic software application for encrypting data written from the untrusted user computing device 190 to the secure partition 170 of the external storage device 150, as well as decrypting data copied from the secure partition 170 of the external storage device 150 to the memory of the untrusted user computing device 190.
  • the cryptographic key for accessing secure partition 170 may be stored in protected form in the key memory 180 of the external storage device 150, and this protected key is unlocked upon the user entering his or her password.
  • the cryptographic key for accessing secure partition 170 is stored in a key memory 180 of the external storage device 150 in a protected form.
  • This protected cryptographic key can be unlocked by a user password provided by the organization user through the aforesaid authentication process in which the user is prompted to enter at least his or her password among other credentials.
  • the authentication process may be executed by the organization computing platform 120 or the first auditable data exchange application 130 upon the connection of the external storage device 150 with the organization computing platform 120.
  • the authentication process may be executed by the second auditable data exchange application (320) or one of the authorized applications 164 pre-installed in the read-only partition 160 of the external storage device 150 upon the connection of the external storage device 150 with the untrusted user computing device 190.
  • Either one or both of the organization computing platform 120 and the untrusted user computing device 190 may perform device verification of the external storage device 150 prior to transfer of any organization data 140 or the execution of any authorized applications 164. A "white list" of pre-authorized external storage devices, which comply with the security requirements and device configuration described herein, is maintained in the organization server 112. During the device verification, the identifier of the external storage device 150 is compared against the white list of authorized devices each time an external storage device 150 is interfaced to the organization computing platform 120 and/or the untrusted user computing device 190. Devices which have not been explicitly authorized by the organization are rejected. The device verification result may be recorded in the audit logs 270 & 330.
  • the identifier of the external storage device 150 may be read from the device.
  • the identifier may be hardcoded in the device by the device manufacturer. Some devices may allow the organization administrators with sufficient administrative right to amend the identifier through a suitable software development kit.
  • the identifier of the external storage device 150 together with the organization user to whom the device 150 has been allocated may be stored by the organization for accountability enforcement as per the data control policy requirements of the organization.
  • the first auditable data exchange application 130 may perform the device verification prior to executing the data check-in and the data check-out processes 200.
  • the authorized external storage device 150 may store the device verification status in its read-only partition 160 for use by the second auditable data exchange application 320 to determine whether the interfaced external storage device 150 has been authorized.
  • the second auditable data exchange application 320 may perform the device verification prior to transfer of any organization data 140 or the execution of any authorized applications 164. The identifier of the external storage device 150 may be used for device verification. Alternatively, the second auditable data exchange application 320 may check said device verification status stored in the read-only partition 160 of the authorized external storage device 150.
Key Verification
  • the unlocked cryptographic key for accessing secure partition 170 may be verified, in a key verification process, against a parameter derived from the original cryptographic key for validating whether the unlocked cryptographic key matches the original cryptographic key.
  • the key verification process is executed by either one or both of the organization computing platform 120 and the untrusted user computing device 190 after the cryptographic key for accessing secure partition 170 of the external storage device 150 is unlocked in the aforesaid authentication process.
  • the parameter may comprise the cryptographic checksum of the original cryptographic key.
  • the parameter may be stored side by side with the protected cryptographic key for accessing secure partition 170 in the external storage device 150.
  • Key verification results may be recorded in the audit logs 170 & 330. Any negative key verification results may cause the termination of any data transfer requests.
  • the key verification process may be executed by either one or both of the first (130) and second (320) auditable data exchange applications.
  • Either one or both of the organization computing platform 120 and the untrusted user computing device 190 may enforce policies by file types, file size, time of usage, keywords and any other pre-determined criteria. For instance, all executables are blocked from being transferred as they may be embedded with malwares which may undermine the security level of the secure computing environment 100. Any requests for data transfer which have been rejected as a result of policy enforcement may be recorded in the audit logs 270 & 330.
  • the policy enforcement process may be executed by either one or both of the first (130) and second (320) auditable data exchange applications.
  • Audit logging may be performed by either one or both of the first (130) and second (320) auditable data exchange applications.
  • the audit logs 270 & 330 have entries and formats conforming to the organizational governance requirements.
  • the audit logs 270 & 330 may record the identifier of the external storage device 150, the identifier of the organization computing platform 120, the identifier of the untrusted user computing device 190, any user identifier, device and key verification status, as well as any information, such as event time stamps, sizes, types and attributes, associated with data read from and written to the secure partition 170 of the external storage device 150.
  • the identifiers of the organization computing platform 120 and untrusted user computing device 190 may be constructed from one or a plurality of the identity codes associated with the central processing unit (CPU) and subsystems of the respective organization computing platform 120 and untrusted user computing device 190.
  • the component and subsystem identity codes are typically set by the respective manufacturers.
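The device verification, policy enforcement and audit logging described above, as an added illustration that is not the applicant's code: the white list, the blocked executable types, the size and time-of-usage limits, the identifier construction from component identity codes and the log field names are assumptions chosen to match the behaviour the text describes.

```python
"""Device verification, policy enforcement and audit logging as the text describes.

Added illustration, not the applicant's code. Identifier construction, the
policy fields and the log layout are assumptions chosen to match the described
behaviour: unlisted devices rejected, executables blocked, every outcome logged.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# File types treated as executables and blocked regardless of other criteria
EXECUTABLE_TYPES = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ps1", ".sh", ".js"}


def platform_identifier(component_codes: dict) -> str:
    """Identifier built from CPU and subsystem identity codes set by manufacturers.

    Sorting the codes makes the result independent of enumeration order on the host.
    """
    material = "\n".join(f"{k}={v}" for k, v in sorted(component_codes.items()))
    return hashlib.sha256(material.encode()).hexdigest()[:32]


@dataclass
class Policy:
    max_size: int                 # bytes
    allowed_hours: tuple          # (start, end) as datetime.time, local time
    banned_keywords: tuple = ()   # matched case-insensitively against the file name


@dataclass
class TransferRequest:
    file_name: str
    size: int
    when: datetime
    direction: str                # "check-out", "check-in" or "to-device"
    attributes: dict = field(default_factory=dict)


def _file_type(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def evaluate_policy(req: TransferRequest, policy: Policy) -> Optional[str]:
    """Return None when the transfer is allowed, else the reason for rejection."""
    if "." + _file_type(req.file_name) in EXECUTABLE_TYPES:
        return "executable blocked"
    if req.size > policy.max_size:
        return "file exceeds size limit"
    start, end = policy.allowed_hours
    if not (start <= req.when.time() <= end):
        return "outside permitted time of usage"
    for kw in policy.banned_keywords:
        if kw.lower() in req.file_name.lower():
            return f"keyword '{kw}' not permitted"
    return None


@dataclass
class AuditLog:
    """In-memory stand-in for audit log 270 / 330; entries are plain dicts."""
    entries: list = field(default_factory=list)

    def record(self, **fields) -> dict:
        self.entries.append(fields)
        return fields


def process_transfer(req: TransferRequest, *, device_id: str, white_list: set,
                     platform_id: str, user_id: str, key_verified: bool,
                     policy: Policy, log: AuditLog) -> bool:
    """Device verification, then key status, then policy; every outcome is logged."""
    device_ok = device_id in white_list
    reason = None if device_ok else "device not in white list"
    if device_ok and not key_verified:
        reason = "key verification failed"
    if reason is None:
        reason = evaluate_policy(req, policy)
    log.record(timestamp=req.when.isoformat(), event=req.direction,
               external_storage_device=device_id, platform=platform_id, user=user_id,
               device_verified=device_ok, key_verified=key_verified,
               file=req.file_name, size=req.size, file_type=_file_type(req.file_name),
               attributes=dict(req.attributes),
               decision="allowed" if reason is None else "rejected", reason=reason)
    return reason is None


if __name__ == "__main__":
    # Constructed sample values; real identity codes come from the host hardware
    log = AuditLog()
    pol = Policy(max_size=50 * 1024 * 1024, allowed_hours=(time(8), time(20)))
    pid = platform_identifier({"cpu": "CPU-ID-EXAMPLE", "board": "MB-EXAMPLE"})
    common = dict(device_id="SN-DEMO-001", white_list={"SN-DEMO-001"}, platform_id=pid,
                  user_id="user01", key_verified=True, policy=pol, log=log)
    process_transfer(TransferRequest("report.pdf", 2048, datetime(2010, 6, 1, 10), "check-out"), **common)
    process_transfer(TransferRequest("tool.exe", 2048, datetime(2010, 6, 1, 10), "check-out"), **common)
    for entry in log.entries:
        print(entry["file"], entry["decision"], entry["reason"])
```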
  • the cryptographic key for accessing secure partition 170 used for encrypting and decrypting data in the secure partition 170 of the external storage device 150 may be a single symmetric key or an asymmetric key pair.
  • the cryptographic key for accessing secure partition 170 may be cryptographically protected with a second cryptographic key derived from the user password and other parameters in accordance with a pre-determined algorithm.
  • the protected cryptographic key for accessing secure partition 170 may be unlocked in a decryption process with the second cryptographic key derived from the user password using the same pre-determined algorithm.
  • the encrypted data stored in the secure partition 170 can be recovered if and only if the password entered by the user for unlocking the protected cryptographic key for accessing secure partition 170 is identical to the password used for locking the original cryptographic key for accessing secure partition 170.
  • Data encryption and decryption algorithms for the secure partition 170 may conform to an open cryptography standard such as AES (NIST FIPS 197 with specifications available at http://csrc.nist.gov/publications/PubsFIPS.html) and triple DES (NIST FIPS 463 with specifications available at
  • the cryptographic operations handling the encryption and decryption of the data for the secure partition 170 may be performed by a software application or a hardware module within the external storage device 150.
  • the cryptographic key for accessing secure partition 170 may be encrypted by the user fingerprint to form a locked fingerprint which is by itself secure. Therefore, the locked fingerprint may be stored in the read-only partition 160 of the external storage device 150 without further cryptographic protection.
  • An authorized fingerprint scanner attached to or integrated with the external storage device 150 may be used to capture the user fingerprint for regenerating the original cryptographic key for accessing secure partition 170.
  • the operating system 162 may allow applications pre-installed in the read-only partition 160 of the external storage device 150 to access a remote organization server 112 through the organization extranet which may be a virtual private network.
  • the organization data 140 may be centrally stored in the organization server 112 and accessed by the user on a need-to-use basis. This further reduces the risk of data leakage when the external storage device 150 is misplaced or lost.
  • the organization data 140 may be further secured with application-level cryptographic protection.
  • Deployment of external storage devices 150 for the implementation of the secure computing environment 100 may be managed centrally.
  • FIG. 4 illustrates a process flow executed for initializing an external storage device 150 of the secure computing environment 100 of FIG. 1.
  • the cryptographic key for accessing secure partition 170 used for encrypting and decrypting data stored in the secure partition 170 in each external storage device 150 may be derived from a master key (410) and a plurality of parameters in step 420.
  • the master key 410 is securely held by one or a plurality of personnel with sufficient privileges assigned by the organization.
  • the derived cryptographic key for accessing secure partition 170 is protected by an initial password assigned by the organization or selected by the user.
  • the password-protected cryptographic key for accessing secure partition 170 is then written to the key memory 180 in the external storage device 150 in step 440.
  • the organization master key 410 may be an asymmetric key or a symmetric key.
  • the master key may be stored in a secure smart chip on a smart card.
  • the master key may be split and stored in the secure smart chips of a plurality of smart cards each of which may be retained by a staffer assigned by the organization.
  • the cryptographic key for accessing secure partition 170 used for encrypting and decrypting data stored in the secure partition 170 in each external storage device 150 may be derived from the master key 410 and an identifier unique to each external storage device 150 in step 420.
  • the identifier may be the serial number hardcoded in the external storage device 150 by the device manufacturer.
  • the algorithm(s) involved in the key derivation may be a standard or proprietary symmetric or asymmetric cryptographic algorithm.
  • the inputs to the cryptographic algorithm comprise the master key 410, the unique identifier of the external storage device 150 and any other parameters required to ensure that the master key 410 cannot be deduced from the derived cryptographic key for accessing secure partition 170 and/or the unique identifier of the external storage device 150.
  • the parameters may comprise a random value or salt.
  • the cryptographic key for accessing secure partition 170 can be derived when the user is able to provide the user identifier assigned by the organization or selected by the user, as well as the identifier of the external storage device 150.
  • the unique identifier of the external storage device 150 may be obtained by either reading the code from the external storage device 150 or through looking up a table or database which stores the device identifier corresponding to the user identifier provided by the user.
  • User passwords may be changed on the organization computing platform 120 or in a credential management application pre-installed in the read-only partition 160 of the external storage device 150.
  • the credential management application is executed on the untrusted user computing device 190.
  • a new password is accepted only if the user is able to provide the details of the current credentials including user identifier and current user password.
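The key lifecycle described in the passages above (derivation from the master key and device identifier with a salt in FIG. 4, locking with a second key derived from the password, the checksum parameter used for key verification, and the password change that requires the current credentials), as an added worked example that is not the applicant's code. Because the Python standard library has no AES, HMAC-SHA256 stands in for the unspecified derivation algorithm, a derived XOR mask stands in for a standard key wrap, and SHA-256 is used as the "cryptographic checksum"; the function names, the PBKDF2 choice and the iteration count are assumptions.

```python
"""Key lifecycle for the secure partition as described in the patent text.

Illustrative reconstruction, not the applicant's code. Stand-ins because the
standard library has no AES: HMAC-SHA256 for key derivation, a derived XOR mask
in place of a standard key wrap, SHA-256 as the stored "cryptographic checksum".
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

KEY_LEN = 32                 # 256-bit partition key
PBKDF2_ITERATIONS = 200_000  # work factor for the password-derived second key (assumed)


@dataclass
class KeyMemory:
    """What is written to the device's key memory 180 in step 440."""
    device_id: str
    derivation_salt: bytes   # the "random value or salt" among the derivation parameters
    kdf_salt: bytes          # salt for the password-derived second key
    protected_key: bytes     # partition key locked with the second key
    checksum: bytes          # parameter stored beside the protected key for verification


def derive_partition_key(master_key: bytes, device_id: str, salt: bytes) -> bytes:
    """Step 420: partition key = F(master key, device identifier, salt).

    Keying the HMAC with the master key means the derived key and the public
    inputs (device_id, salt) reveal nothing about the master key.
    """
    return hmac.new(master_key, device_id.encode() + b"|" + salt, hashlib.sha256).digest()


def derive_second_key(password: str, kdf_salt: bytes) -> bytes:
    """The second cryptographic key derived from the user password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), kdf_salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _mask(second_key: bytes) -> bytes:
    # One 32-byte mask block; stand-in for a standard key-wrap primitive
    return hmac.new(second_key, b"partition-key-wrap", hashlib.sha256).digest()


def lock_key(partition_key: bytes, second_key: bytes) -> bytes:
    """Lock (or, applied again, unlock) the partition key with the second key."""
    return bytes(a ^ b for a, b in zip(partition_key, _mask(second_key)))


def key_checksum(partition_key: bytes) -> bytes:
    # Stored beside the protected key, so its strength rests on the KDF work factor:
    # anyone holding the device can test candidate passwords against it offline.
    return hashlib.sha256(b"key-check|" + partition_key).digest()


def initialize_device(master_key: bytes, device_id: str, initial_password: str) -> KeyMemory:
    """FIG. 4: derive (420), protect with the initial password, write key memory (440)."""
    derivation_salt, kdf_salt = os.urandom(16), os.urandom(16)
    k = derive_partition_key(master_key, device_id, derivation_salt)
    protected = lock_key(k, derive_second_key(initial_password, kdf_salt))
    return KeyMemory(device_id, derivation_salt, kdf_salt, protected, key_checksum(k))


def unlock_and_verify(km: KeyMemory, password: str) -> Tuple[Optional[bytes], bool]:
    """Authentication unlock followed by key verification; wrong password -> (None, False)."""
    candidate = lock_key(km.protected_key, derive_second_key(password, km.kdf_salt))
    ok = hmac.compare_digest(key_checksum(candidate), km.checksum)
    return (candidate if ok else None), ok


def change_password(km: KeyMemory, current_password: str, new_password: str) -> Optional[KeyMemory]:
    """Credential management: a new password is accepted only with the current one."""
    key, ok = unlock_and_verify(km, current_password)
    if not ok:
        return None
    new_salt = os.urandom(16)   # fresh salt so the new protected key is unrelated to the old
    return KeyMemory(km.device_id, km.derivation_salt, new_salt,
                     lock_key(key, derive_second_key(new_password, new_salt)), km.checksum)


if __name__ == "__main__":
    master = os.urandom(32)   # constructed; would be held on the organization's smart card(s)
    km = initialize_device(master, "SN-0000-DEMO", "initial-password")
    print("right password verifies:", unlock_and_verify(km, "initial-password")[1])
    print("wrong password verifies:", unlock_and_verify(km, "guess")[1])
```

The master key plus the device identifier and stored salt reproduce the partition key without the password, which is the recovery path the text describes for the organization.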
  • the authentication status is firstly recorded in the audit logs 270 & 330 and the untrusted user computing device 190 shuts down automatically.
  • decoupling the external storage device 150 from the untrusted user computing device 190 causes the untrusted user computing device 190 to shut down automatically, resulting in loss of data which has not been saved to the external storage device 150.
  • the volatile memory in the untrusted user computing device 190 which is used to temporarily hold the unlocked cryptographic key for accessing secure partition 170 may be zeroized as per the Federal Information Processing Standard (FIPS) Publication 140-2 Level 3 and above.
  • the secure computing environment 100 allows a user to transfer organization data 140 to an external storage device 150 authorized by the organization.
  • the external storage device 150 comprises two partitions, one of which is read-only 160, whereas the second, read/write-enabled secure partition 170 stores data in encrypted form.
  • the untrusted user computing device 190 is booted from the external storage device 150 followed by device verification, user authentication and deactivation of the Internet connection, local hard disk and all unauthorized input-output devices.
  • a cryptographic software application performs encryption and decryption of data to and from the secure partition 170 of the external storage device 150. Authentication events and data movement are recorded in audit logs 270 & 330 as per the organization security and data movement policy.
  • the secure computing environment 100 extends the trusted organization secure computing environment 100 to untrusted user computing devices 190 outside the organization.

Abstract

Method and system of secure computing environment are provided. The secure computing environment allows a user to transfer organization data to an external storage device authorized by the organization. The external storage device comprises two partitions one of which is read-only whereas the second read/write-enabled partition stores organization data in encrypted form. When the user interfaces the external storage device with an untrusted user computing device, the untrusted user computing device is booted from an operating system pre-installed in the external storage device followed by deactivation of the Internet connection, local hard disk and all unauthorized input-output devices. Data movement and any other pre-determined events are recorded in auditable logs as per the organization security and data movement policy. The secure computing system extends the trusted computing environment of an organization to untrusted user computing devices outside the organization.

Description

METHOD AND SYSTEM OF SECURE COMPUTING ENVIRONMENT HAVING AUDITABLE CONTROL OF DATA MOVEMENT
FIELD OF THE INVENTION
The present invention relates to a secure computing system. More particularly, a method and system for extending the trusted computing environment of an organization or a central host to untrusted remote computing devices outside the organization, with auditable control of data movement between the organization and the untrusted computing devices.
BACKGROUND OF THE INVENTION
Work environments are becoming increasingly dynamic. There is an increasing trend for organizations to approve their staffers to temporarily move data out of the organization. This may be due to the need to meet organizational or customer requirements with regard to productivity, service level commitments and business continuity.
Data proprietary to an organization may be legitimately moved out of the secure perimeter of the organization by a user through transferring the organization data to an external storage device such as a USB flash drive. The user may remotely access the organization data stored in the organization server via an online means.
In prior-art solutions, such proprietary data may be protected against unauthorized access through cryptographic protection of data stored in the external storage device (US 20040103288 by Ziv et al.). Data in transit may be secured by cryptographic protection of the online access channel (US 6732269 by Baskey et al.) and even the data itself.
Effectively, such cryptographic protection extends the secure perimeter of the organization to include the storage device and the online access channel.
However, such conventional solutions fail to provide end-to-end protection. The organization data is susceptible to unauthorized access by malwares and file sharing software residing on the untrusted user computing device. The untrusted user computing device is a fixed or portable computer used to exchange and process the organization data outside the organization. The untrusted user computing device may interface with the user external storage device for data exchange and it may be connected to the Internet and the organization extranet. The untrusted user computing device may be the user's personal computer(s) at home, off-site computers, shared computers for public use and even computers owned or pre-approved by the organization.
Malicious codes may also be downloaded to said untrusted user computing device via the Internet, Bluetooth and other means of wired and wireless communication without the user's knowledge. Said malwares, which include file sharing software and malicious scripts, may copy the organization data and send it to a remote requestor which may be an application executing from a server of dubious nature. The remote requestor may be another individual user running the same file sharing software. The organization data may not have sufficient protection when copied or downloaded to the untrusted user computing device. In addition, applications referencing the organization data on the untrusted user computing device are possible causes of data leakage when the malwares have successfully gained access to the organization data by prying into the registries, files and memories used by the applications.
SUMMARY OF THE INVENTION
The present application provides a method and system for implementing a secure computing environment having auditable control of data movement.
A method of implementing a secure computing environment is provided. In the method, at least one secure organization computing platform executing a first auditable data exchange application capable of recording events in a first audit log can be interfaced to and in communication with at least one external storage device for exchanging organization data between the memory of the organization computing platform and a secure partition of the external storage device, and the external storage device comprising at least one read/write secure partition, which stores organization data in encrypted form, and one read-only partition, and the external storage device can further be interfaced and in communication with at least one untrusted user computing device to which the organization data can be transferred for processing with pre-authorized software modules comprising an operating system, a plurality of authorized applications and drivers pre-installed in the read-only partition of the external storage device, and the method comprises the steps of an organization user interfacing the external storage device to the organization computing platform for checking out the organization data, the first auditable data exchange application recording parameters and events associated with data movement and any other pre-determined events in the first audit log, the organization user decoupling the external storage device with the organization data stored in the secure partition and interfacing the external storage device with the untrusted user computing device, the untrusted user computing device booting from the operating system pre-installed in the read-only partition of the external storage device, with the hard disk, any non-volatile storage devices, Internet and any other unauthorized network connections on the untrusted user computing device deactivated, the organization user invoking one or a plurality of the authorized applications pre-installed in the read-only partition of the external storage device for processing the organization data stored in the secure partition of the external storage device, and the processed organization data can be transferred to the organization computing platform in a data check-in process.
In the method, the checking out of the organization data may be performed by the first auditable data exchange application to encrypt the organization data from the organization computing platform with an unlocked cryptographic key for accessing the secure partition, followed by writing the encrypted organization data to the secure partition of the external storage device. In the method, the data check-in process may be performed by the first auditable data exchange application to decrypt the data from the secure partition of the external storage device with an unlocked cryptographic key and transfer the decrypted data to the memory of the organization computing platform.
In the method, the organization data protected in the secure partition of the external storage device may be firstly unlocked or decrypted before being accessed by the authorized applications running in the untrusted user computing device, and processed organization data and other application related data generated in the untrusted user computing device may be encrypted and transferred to the secure partition of the external storage device, and this data encryption and decryption may be executed by a cryptographic application executed in the user computing platform using an unlocked cryptographic key for accessing the secure partition, and the cryptographic application may be one of the plurality of authorized applications pre-installed in the read-only partition of the external storage device.
In the method, the cryptographic key for accessing the secure partition may be stored in protected form in a key memory of the external storage device.
In the method, the authorized applications may comprise a second auditable data exchange application which is loaded to and executed by the untrusted user computing device upon the completion of the booting processes, and the second auditable data exchange application may be used to record in a second audit log the data movement between the external storage device and the untrusted user computing device, and all the parameters, events and the corresponding time stamps required by the audit policies of the organization, and the second audit log may be stored in the secure partition of the external storage device. In the method, the second auditable data exchange application may replace the cryptographic application for encrypting and decrypting data exchanged between the secure partition of external storage device and the untrusted user computing device.
In the method, at least one of the organization computing platform and untrusted user computing device may execute a device verification process for determining whether the interfaced external storage device has been pre-authorized by the organization.
In the method, at least one of the organization computing platform and untrusted user computing device may unlock the protected cryptographic key for accessing the secure partition of the external storage device by means of a user password provided by the organization user in an authentication process.
In the method, at least one of the organization computing platform and untrusted user computing device may execute a key verification process in which the unlocked cryptographic key for accessing the secure partition may be compared against a parameter derived from the original cryptographic key for validating whether the unlocked cryptographic key matches the original cryptographic key, and the parameter may comprise the cryptographic checksum of the original cryptographic key stored in the external storage device.
In the method, at least one of the organization computing platform and untrusted user computing device may enforce data control and security policies pre-determined by the organization, and the policies may comprise verification, authentication and authorization results, file movement control in accordance with file types, file size, time of usage and any other pre-determined criteria.
In the method, any of the above device verification, authentication, key verification and policy enforcement processes executed on the user computing device may be executable processes provided by one or a plurality of the authorized applications pre-installed in the read-only partition of the external storage device.
In the method, any of the above device verification, authentication, key verification and policy enforcement processes may be executed by at least one of the first and second auditable data exchange applications.
In the method, the parameters logged by the first and second auditable data exchange applications may comprise the identifiers of either one or both of the organization computing platform and untrusted user computing device, and the identifiers can be constructed from one or a plurality of the identity codes associated with the central processing units (CPU) and subsystems of the organization computing platform and untrusted user computing device respectively.
In the method, the drivers may be software codes used for enabling control signals and data exchange between the respective authorized input-output devices and the untrusted user computing device, and the authorized input-output devices may include basic inputting devices such as mice and keyboards, essential outputting devices such as monitors and printers, but exclude any conventional external storage devices such as portable flash drives and external hard disks.
In the method, the authorized input-output devices may include biometric scanners and portable crypto-tokens used for storing secret user cryptographic keys used in multi-factor authentication.
In the method, the untrusted user computing device may be a fixed or portable computer with which the organization user works outside the organization, and the untrusted user computing device may include the user's home computers, off-site computers and shared computers for public use, and the untrusted user computing device may have a standard Basic Input-Output System (BIOS) editor which can be used to register with the untrusted user computing device that the external storage device should be searched for the operating system when the untrusted user computing device is powered up.
In the method, the cryptographic key for accessing the secure partition may be cryptographically protected with a second cryptographic key derived from the user password and other parameters in accordance with a pre-determined algorithm, and the protected cryptographic key for accessing the secure partition can be unlocked in a decryption process with the second cryptographic key derived from the user password using the same pre-determined algorithm.
In the method, the cryptographic key for accessing the secure partition may be cryptographically protected by the user fingerprint to form a locked fingerprint module which is secure and can be stored in the external storage device without additional cryptographic protection.
In the method, the cryptographic operations handling the encrypting and decrypting of the data for the secure partition may be performed by a software application or a hardware module within the external storage device.
In the method, the operating system may allow the authorized applications pre-installed in the read-only partition of the external storage device to access the organization extranet, intranet and any other networks pre-authorized by the organization.
In the method, initialization of the external storage device may comprise the steps of deriving the cryptographic key for accessing the secure partition of the external storage device from at least a master key and the identifier of the external storage device, protecting or encrypting the cryptographic key for accessing the secure partition from an initial password assigned by the organization or selected by the user, and writing the protected cryptographic key for secure partition to the memory of the external storage device.
In the method, at least the volatile memory of the untrusted user computing device for holding any unlocked cryptographic key may be zeroized, followed by system shut-down of the untrusted user computing device when the external storage device is decoupled and disconnected from the untrusted user computing device.
In the method, the user computing device may be pre-configured to forbid the operating system to use any memory on the external storage device as the virtual memory.
A system of secure computing environment is provided. The system comprises at least one secure organization computing platform, at least one external storage device comprising at least one read/write secure partition and at least one read-only partition, and at least one untrusted user computing device, wherein the organization computing platform executing a first auditable data exchange application capable of recording data movement and other pre-determined events in a first audit log, the external storage device can be interfaced to and in communication with the organization computing platform which can transfer organization data to the external storage device in a data check-out process upon successful verification and authentication, the secure partition of the external storage device storing organization data in encrypted form, the external storage device can be interfaced to and in communication with the untrusted user computing device to which the organization data can be transferred for processing with authorized software modules comprising operating system, authorized applications and drivers pre-installed in the read-only partition of the external storage device, the organization user decoupling the external storage device from the organization computing platform with the organization data stored in its secure partition, and interfacing the external storage device with the untrusted user computing device, the untrusted user computing device booting from the operating system pre-installed in the read-only partition of the external storage device, with the hard disk, any non-volatile storage devices, Internet and any other unauthorized network connections on the untrusted user computing device deactivated, the organization user invoking one or a plurality of the authorized applications pre-installed in the read-only partition of the external storage device for processing the organization data stored in the secure partition of the external storage device, and the processed organization data can be transferred to the organization computing platform in a data check-in process upon successful verification and authentication.
In the system, the authorized applications may comprise a second auditable data exchange application which is loaded to the untrusted user computing device upon the completion of the booting processes, and the second auditable data exchange application may be used to record in a second audit log all the parameters, events and data movement between the external storage device and the untrusted user computing device as required by the audit policies of the organization, and the second audit log may be stored in the secure partition of the external storage device, and the second auditable data exchange application may be capable of encrypting and decrypting data for the secure partition of the external storage device.
In the system, the verification and authentication may comprise a device verification process for determining whether the interfaced external storage device has been pre-authorized by the organization, and an authentication process may comprise prompting the organization user for a password for unlocking a protected cryptographic key for encrypting and decrypting data for the secure partition of the external storage device.
The present invention provides an innovative method and system for implementing a secure computing environment comprising an organization secure computing system, external storage devices and untrusted user computing devices on which the users exchange and process data proprietary to the organization in a secure manner. Authentication events and data movement are recorded in auditable logs as per the organization data movement policy. As a result, the present secure computing system extends the trusted computing environment of an organization to untrusted user computing devices outside the organization. The present system allows secure home and off-site working by the organization staffers using low-cost and off-the-shelf external storage devices.
BRIEF DESCRIPTION
Embodiments according to the present invention will now be described with reference to the following figures, in which like reference numerals denote like elements.
FIG. 1 illustrates the secure computing system of the present invention,
FIG. 2 illustrates the flow of a data check-in and check-out process executed by the first auditable data exchange application of FIG. 1,
FIG. 3 illustrates the flow of an audit logging process executed by a second auditable data exchange application in one embodiment of the secure computing system of FIG. 1, and
FIG. 4 illustrates a process executed for initializing the external storage device of the secure computing system of FIG. 1.
DETAILED DESCRIPTION
The present invention may be understood more readily by reference to the following detailed description of certain embodiments of the invention.
Secure Computing System
FIG. 1 shows a secure computing environment 100 comprising an organization secure computing system 110, at least one external storage device 150 and at least one untrusted user computing device 190.
The organization secure computing system 110 comprises at least one organization server 112 for executing a plurality of organization applications. The organization server 112 is in communication with a plurality of organization computing platforms 120 which provide organization staffers or users access to server and client applications and data. One such application is the first auditable data exchange application 130 for exchanging organization data 140 with external storage devices 150 authorized by the organization. The first auditable data exchange application 130 further monitors and records device usage, data movement and it may enforce organizational governance requirements for auditable data control.
Organization data 140 is any data proprietary to the organization including text documents, image files and other multimedia data.
Verification of external storage devices 150 may be carried out by the organization computing platforms 120 or the first auditable data exchange application 130. Devices which have not been explicitly authorized are rejected. The device verification result is recorded in a first audit log (270). The memory of each of the external storage devices 150 comprises at least one read-only partition 160 and one secure partition 170. The secure partition 170, which is read-and-write enabled, stores the organization data 140 and any other user and application-related data in encrypted form. The cryptographic key for accessing secure partition 170 is stored in a key memory 180 of the external storage device 150 in a protected form. This protected cryptographic key can be unlocked by a user password provided by the organization user in an authentication process.
The read-only partition 160 stores an operating system 162 for booting the untrusted user computing device 190. The read-only partition 160 further stores authorized applications 164 for processing the organization data 140 stored in the secure partition 170, as well as drivers of authorized input-output devices 166 allowed to be coupled to the untrusted user computing device 190.
The organization user may decouple an external storage device 150 from his assigned organization computing platform 120.
The user may interface the external storage device 150 to an untrusted user computing device 190 at home, a remote customer site or in public amenities. When the external storage device 150 is in communication with the untrusted user computing device 190, the boot firmware of the untrusted user computing device 190 searches and executes the operating system 162, which is capable of executing the authorized applications 164, pre-installed in the read-only partition 160 of the external storage device 150.
The untrusted user computing device 190 by itself is a fixed or portable computer used to exchange and process the organization data 140 outside the organization. The untrusted user computing device 190 may interface with the external storage device 150 for data exchange. The untrusted user computing device 190 may be the user's personal computer(s) at home, shared computers for public use and even computers owned or pre-approved by the organization.
In order to create a trusted environment in the untrusted user computing device 190, the operating system 162 has been pre-configured to deactivate the local hard disk and any local non-volatile storage device of the untrusted user computing device 190. The operating system 162 further prohibits the untrusted user computing device 190 or its applications from access to any networks, such as the Internet, which have not been pre-approved by the organization. Furthermore, the system 162 prohibits any input-output devices which have not been authorized by the organization from exchanging data and signals with the untrusted user computing device 190.
First auditable data exchange application
FIG. 2 illustrates the data check-in, check-out process and audit logging executed by the first auditable data exchange application 130 of FIG. 1. The process begins with step 230 in which the cryptographic key for accessing the secure partition 170 of the external storage device 150 is retrieved and unlocked. To perform data check-out (240), the first auditable data exchange application 130 encrypts organization data 140 from the organization computing platform 120 with the unlocked cryptographic key for accessing the secure partition 170 in step 260. The application 130 further writes the encrypted data to the secure partition 170 of the external storage device 150 in step 265.
To perform data check-in in step 240, the first auditable data exchange application 130 retrieves and decrypts data stored in the secure partition 170 of the external storage device 150 with the unlocked cryptographic key for accessing the secure partition 170 in step 250. The application 130 further writes the decrypted data to a pre-assigned or user-specified memory of the organization computing platform 120 in step 255.
The first auditable data exchange application 130 records all data movement in the first audit log in step 270 according to pre-determined organization policies. The audit logging process of step 270 may also be executed concurrently with any of the data check-in and check-out processes 200.
In another embodiment, during the data check-in and check-out processes 200, the first auditable data exchange application 130 retrieves and unlocks the protected cryptographic key for accessing secure partition 170 from a centralized database stored in the organization server 112.
In yet another embodiment, the first auditable data exchange application 130 retains a copy of any data being written to the external storage device 150.
External Storage Device
The memory of the external storage device 150 comprises at least one read-only partition 160 and at least one secure partition 170. The secure partition 170, which is read-and-write enabled, stores the organization data 140 and any other user and application-related data in encrypted form. The read-only partition 160 stores software modules comprising an operating system 162, authorized applications 164 and drivers of authorized input-output devices 166 allowed to be coupled to the untrusted user computing device 190.
The read-only and secure partitions 160 & 170 are implemented in the non-volatile memory of the external storage device 150 such that the stored information is retained even when the external storage device is not electrically powered. The non-volatile memory may be flash memory, hard disk or optical based provided that the read-only partition 160 and the secure partition 170 can be created.
The secure partition 170 may be implemented in the form of disk encryption or file system encryption.
The external storage device 150 may comprise a controller and other means for enabling the required data access processes. The external storage device 150 may be a customized or off-the-shelf product, typically with the aforesaid non-volatile memory, controller and other sub-systems housed in a portable chassis. The external storage device 150 comprises an interface capable of exchanging signals and data with the untrusted user computing device 190 and the organization computing platform 120. The interface may conform to international and proprietary interface standards adopted by manufacturers of fixed and portable computing devices. The interface may support any of the wired or wireless data communications including the Universal Serial Bus (USB, with specifications available at www.usb.org), IEEE 1394 (Firewire, with specifications available at www.ieee.org) and Bluetooth (a short range communication standard, www.bluetooth.com). The interface standards include but are not limited to the protocols used by USB tokens, external hard disks, memory sticks, multimedia cards, secure digital (SD) cards, xD-picture cards, smart media cards and compact flash cards.
The external storage device 150 may be integrated with another device used primarily for telecommunications, entertainment or other applications.
An operating system 162 together with a plurality of authorized applications 164 and drivers for pre-approved input-output devices 166 are pre-installed in the read-only partition 160. The operating system 162 may be Microsoft Windows, Linux or their variants. The operating system 162 may be any suitable system capable of executing the plurality of authorized applications 164 and drivers 166 in the untrusted user computing device 190.
The input-output device drivers are software codes used for enabling control signals and data exchange between the corresponding input-output devices and the untrusted user computing device 190. Only the drivers for pre-approved input-output devices are pre-installed in the read-only partition 160 of the external storage device 150. The pre-approved input-output devices may include basic inputting devices such as mice and keyboards, as well as essential outputting devices including monitors and printers. The pre-approved input-output devices may further include biometric scanners and portable crypto-tokens for storing secret user cryptographic keys used in multi-factor authentication applications. Drivers conforming to open standards, such as BioAPI (under the BioAPI Consortium, with specifications available at www.bioapi.org) for biometric devices and PKCS#11 (under RSA Security, with specifications available at www.rsa.com) for portable cryptographic tokens, may be used.
It is important that the pre-approved input-output devices should exclude any conventional type of external storage device. Conventional external storage devices, such as a USB flash drive or external hard disk, may introduce malware into the untrusted user computing device 190, hence diminishing the security level of the present secure computing environment 100.
Untrusted user computing device
The untrusted user computing device 190 is a fixed or portable computer used to exchange and process the organization data 140 outside the organization. It may be the user's personal computer(s) at home, off-site computers and shared computers for public use.
The boot firmware of the untrusted user computing device 190 is capable of searching and executing the operating system 162 pre-installed in the external storage device 150 when the external storage device 150 is interfaced to and in communication with the untrusted user computing device 190. The authorized applications 164 pre-installed in the same read-only partition 160 are executable by the operating system 162 within the untrusted user computing device 190. The local hard disk and any local non-volatile storage device of the untrusted user computing device 190 are deactivated such that the external storage device 150 has no access to the local hard disk. Possible harmful executables, such as malware, residing in the untrusted user computing device 190 are unable to execute because the executables have no access to the processing resources of the untrusted user computing device 190. The user computing device 190 may be pre-configured to forbid the operating system 162 to use any memory on the external storage device 150 as the virtual memory for processing.
The standard Basic Input-Output System Editor (BIOS editor) on the untrusted user computing device 190 may be used to register with the untrusted user computing device 190 that the connected external storage device 150 should be searched for the operating system 162 when the untrusted user computing device 190 is powered up. The external storage device 150 may be listed as the first boot device in the booting sequence of the untrusted user computing device 190.
The operating system 162 may further prohibit the untrusted user computing device 190 or its applications from access to any networks, such as the Internet, which have not been pre-approved by the organization.
Organization data 140 protected in the secure partition 170 of the external storage device 150 is first decrypted before the authorized applications 164 running in the untrusted user computing device 190 can access it. Processed organization data and other application related data generated in the untrusted user computing device 190 are encrypted and transferred to the secure partition 170 of the external storage device 150. Analogous to the aforesaid data check-in and check-out processes 200, these cryptographic operations are transparent to the user and they are performed by a cryptographic software application executable in the user computing platform 190. Said cryptographic software application is one of the plurality of authorized applications 164 pre-installed in the read-only partition 160 of the external storage device 150. The cryptographic software application is loaded to the untrusted user computing device 190 when the external storage device 150 is connected and in communication with the untrusted user computing device 190. The protected cryptographic key for accessing secure partition 170 is unlocked by at least the password provided by the user in the aforesaid authentication process.
Data communication between the untrusted user computing device 190 and the external storage device 150 includes reading of authorized applications 164 and drivers 166 and transferring data associated with the secure partition 170. Within the secure computing environment 100, such data communication does not require the establishment of a special secure channel or tunnel.
Second auditable data exchange application
FIG. 3 illustrates an embodiment in which an audit logging process flow is executed by a second auditable data exchange application. The second auditable data exchange application 320 is a pre-installed authorized application 164 stored in the read-only partition 160 of the external storage device 150. As soon as the external storage device 150 is interfaced and in communication with the untrusted user computing device 190, the boot firmware of the untrusted user computing device 190 executes the operating system 162 pre-installed in the read-only partition 160 of the external storage device 150 in step 310, followed by executing the second auditable data exchange application (320) within the untrusted user computing device 190. In the next step 330, the second auditable data exchange application records in a second audit log 330 all the parameters, events and the corresponding time stamps, and any information, such as the sizes, types and attributes associated with the transferred data, in accordance with the audit policies of the organization. The second audit log 330 may be stored in the secure partition 170 of the external storage device 150 with its content directly updated by the second auditable data exchange application 320. The second audit log 330 may be read and transferred (340) to the organization computing platform 120 by the first auditable data exchange application 130 when the external storage device 150 is interfaced and in communication with the first auditable data exchange application 130.
The second auditable data exchange application 320 may replace and perform the functions of the aforesaid cryptographic software application for encrypting data written from the untrusted user computing device 190 to the secure partition 170 of the external storage device 150, as well as decrypting data copied from the secure partition 170 of the external storage device 150 to the memory of the untrusted user computing device 190. The cryptographic key for accessing secure partition 170 may be stored in protected form in the key memory 180 of the external storage device 150, and this protected key is unlocked upon the user entering his or her password.
User Authentication
The cryptographic key for accessing secure partition 170 is stored in a key memory 180 of the external storage device 150 in a protected form. This protected cryptographic key can be unlocked by a user password provided by the organization user through the aforesaid authentication process in which the user is prompted to enter at least his or her password among other credentials.
The authentication process may be executed by the organization computing platform 120 or the first auditable data exchange application 130 upon the connection of the external storage device 150 with the organization computing platform 120.
The authentication process may be executed by the second auditable data exchange application (320) or one of the authorized applications 164 pre-installed in the read-only partition 160 of the external storage device 150 upon the connection of the external storage device 150 with the untrusted user computing device 190.
Device Verification
Either one or both of the organization computing platform 120 and the untrusted user computing device 190 may perform device verification of the external storage device 150 prior to transfer of any organization data 140 or the execution of any authorized applications 164. Devices which have not been explicitly authorized by the organization are rejected. A "white list" of pre-authorized external storage devices, which comply with the security requirements and device configuration described herein, is maintained in the organization server 112. During the device verification, the identifier of the external storage device 150 is compared against the white list of authorized devices each time an external storage device 150 is interfaced to the organization computing platform 120 and/or untrusted user computing device 190. The device verification result may be recorded in the audit logs 270 & 330. The identifier of the external storage device 150 may be read from the device. The identifier may be hardcoded in the device by the device manufacturer. Some devices may allow organization administrators with sufficient administrative rights to amend the identifier through a suitable software development kit. The identifier of the external storage device 150 together with the organization user to whom the device 150 has been allocated may be stored by the organization for accountability enforcement as per the data control policy requirements of the organization.
The first auditable data exchange application 130 may perform the device verification prior to executing the data check-in and the data check-out processes 200. The authorized external storage device 150 may store the device verification status in its read-only partition 160 for use by the second auditable data exchange application 320 to determine whether the interfaced external storage device 150 has been authorized.
The second auditable data exchange application 320 may perform the device verification prior to transfer of any organization data 140 or the execution of any authorized applications 164. The identifier of the external storage device 150 may be used for device verification. Alternatively, the second auditable data exchange application 320 may check said device verification status stored in the read-only partition 160 of the authorized external storage device 150.
Key Verification
The unlocked cryptographic key for accessing secure partition 170 may be verified, in a key verification process, against a parameter derived from the original cryptographic key for validating whether the unlocked cryptographic key matches the original cryptographic key. The key verification process is executed by either one or both of the organization computing platform 120 and the untrusted user computing device 190 after the cryptographic key for accessing secure partition 170 of the external storage device 150 is unlocked in the aforesaid authentication process. The parameter may comprise the cryptographic checksum of the original cryptographic key. The parameter may be stored side by side with the protected cryptographic key for accessing secure partition 170 in the external storage device 150. Key verification results may be recorded in the audit logs 270 & 330. Any negative key verification results may cause the termination of any data transfer requests.
The key verification process may be executed by either one or both of the first (130) and second (320) auditable data exchange applications.
Policy Enforcement
Either one or both of the organization computing platform 120 and the untrusted user computing device 190 may enforce policies by file types, file size, time of usage, keywords and any other pre-determined criteria. For instance, all executables are blocked from being transferred as they may be embedded with malware which may undermine the security level of the secure computing environment 100. Any requests for data transfer which have been rejected as a result of policy enforcement may be recorded in the audit logs 270 & 330.
The policy enforcement process may be executed by either one or both of the first (130) and second (320) auditable data exchange applications.
Audit Log
The audit logs 270 & 330 have entries and formats conforming to the organizational governance requirements. The audit logs 270 & 330 may record the identifier of the external storage device 150, the identifier of the organization computing platform 120, the identifier of the untrusted user computing device 190, any user identifier, device and key verification status, as well as any information, such as event time stamps, sizes, types and attributes, associated with data read from and written to the secure partition 170 of the external storage device 150. The identifiers of the organization computing platform 120 and untrusted user computing device 190 may be constructed from one or a plurality of the identity codes associated with the central processing unit (CPU) and subsystems of the respective organization computing platform 120 and untrusted user computing device 190. The component and subsystem identity codes are typically set by the respective manufacturers.
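The device verification, policy enforcement and audit logging described in the preceding three sections, modelled together as an added Python example that is not code from the patent or its assignee; the white list entries, identifiers, size limit, keyword list, executable suffix list and failed-attempt threshold are all constructed assumptions.

```python
"""Added example (not the patent's code): a minimal model of the device
verification, policy enforcement and audit logging performed by the
auditable data exchange applications. Every identifier, threshold and
transfer request below is constructed for illustration."""
import time
from dataclasses import dataclass, field

# Executables are blocked outright; the suffix list is an assumption.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".bat", ".cmd", ".com", ".scr", ".sh")


@dataclass
class TransferRequest:
    filename: str
    size: int             # bytes
    preview: bytes = b""  # leading bytes of the file, used for the keyword check


@dataclass
class AuditLog:
    """Entries carry the fields listed in the Audit Log section."""
    platform_id: str      # identifier of the platform or device writing the log
    entries: list = field(default_factory=list)

    def record(self, event: str, status: str, **info) -> dict:
        entry = {"timestamp": time.time(), "platform_id": self.platform_id,
                 "event": event, "status": status}
        entry.update(info)
        self.entries.append(entry)
        return entry


class DataExchangeApp:
    """Stand-in for the first (130) / second (320) auditable data exchange application."""

    def __init__(self, whitelist, user_id, log, max_size=50 * 1024 * 1024,
                 blocked_keywords=(), max_failed_auth=3):
        self.whitelist = set(whitelist)  # device identifiers pre-authorized by the organization
        self.user_id = user_id
        self.log = log
        self.max_size = max_size
        self.blocked_keywords = tuple(k.lower() for k in blocked_keywords)
        self.max_failed_auth = max_failed_auth
        self.failed_auth = 0
        self.verified_devices = set()

    def verify_device(self, device_id: str) -> bool:
        """Compare the device identifier against the white list and log the result."""
        accepted = device_id in self.whitelist
        self.log.record("device_verification", "accepted" if accepted else "rejected",
                        device_id=device_id, user_id=self.user_id)
        if accepted:
            self.verified_devices.add(device_id)
        return accepted

    def note_authentication(self, success: bool) -> bool:
        """Log an authentication result; True means the failed-attempt threshold
        was exceeded and the device should shut down (System Shut-Down section)."""
        if success:
            self.failed_auth = 0
            self.log.record("authentication", "success", user_id=self.user_id)
            return False
        self.failed_auth += 1
        exceeded = self.failed_auth > self.max_failed_auth
        self.log.record("authentication", "threshold_exceeded" if exceeded else "failed",
                        user_id=self.user_id, attempt=self.failed_auth)
        return exceeded

    def policy_violations(self, req: TransferRequest) -> list:
        """Policy by file type, size and keywords; an empty list means allowed."""
        reasons = []
        if req.filename.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable")
        if req.size > self.max_size:
            reasons.append("size")
        text = req.preview.decode("utf-8", errors="ignore").lower()
        if any(k in text for k in self.blocked_keywords):
            reasons.append("keyword")
        return reasons

    def transfer(self, device_id: str, req: TransferRequest, direction: str) -> bool:
        """Allow a data movement only for a verified device and a policy-clean file."""
        if device_id not in self.verified_devices:
            self.log.record("data_movement", "rejected", device_id=device_id, user_id=self.user_id,
                            file=req.filename, direction=direction, reason="unverified_device")
            return False
        reasons = self.policy_violations(req)
        status = "rejected" if reasons else "allowed"
        entry = self.log.record("data_movement", status, device_id=device_id, user_id=self.user_id,
                                file=req.filename, size=req.size, direction=direction)
        if reasons:
            entry["reason"] = ",".join(reasons)
        return not reasons


def demo() -> AuditLog:
    """Constructed run: one authorized device, one unknown device, mixed files."""
    log = AuditLog(platform_id="PLATFORM-CONSTRUCTED-01")
    app = DataExchangeApp(whitelist=["SN-CONSTRUCTED-0001"], user_id="user.constructed",
                          log=log, max_size=10 * 1024 * 1024, blocked_keywords=("board minutes",))
    app.verify_device("SN-CONSTRUCTED-0001")
    app.verify_device("SN-CONSTRUCTED-9999")  # not on the white list
    app.transfer("SN-CONSTRUCTED-0001", TransferRequest("report.docx", 120_000), "check-out")
    app.transfer("SN-CONSTRUCTED-0001", TransferRequest("tool.exe", 4_096), "check-out")
    app.transfer("SN-CONSTRUCTED-0001", TransferRequest("dump.bin", 64 * 1024 * 1024), "check-in")
    app.transfer("SN-CONSTRUCTED-0001", TransferRequest("notes.txt", 2_048, b"BOARD MINUTES: draft"), "check-in")
    app.transfer("SN-CONSTRUCTED-9999", TransferRequest("report.docx", 120_000), "check-out")
    return log
```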
Data and Key Protection in External Storage Device
The cryptographic key for accessing secure partition 170 used for encrypting and decrypting data in the secure partition 170 of the external storage device 150 may be a single symmetric key or an asymmetric key pair. The cryptographic key for accessing secure partition 170 may be cryptographically protected with a second cryptographic key derived with the user password and other parameters in accordance with a pre-determined algorithm. In this case, the protected cryptographic key for accessing secure partition 170 may be unlocked in a decryption process with the second cryptographic key derived from the user password using the same pre-determined algorithm. The encrypted data stored in the secure partition 170 can be recovered if and only if the password entered by the user for unlocking the protected cryptographic key for accessing secure partition 170 is identical to the password used for locking the original cryptographic key for accessing secure partition 170.
Data encryption and decryption algorithms for the secure partition 170 may conform to an open cryptography standard such as AES (NIST FIPS 197, with specifications available at http://csrc.nist.gov/publications/PubsFIPS.html) and Triple DES (NIST FIPS 46-3, with specifications available at http://csrc.nist.gov/publications/PubsFIPSArch.html).
The cryptographic operations handling the encryption and decryption of the data for the secure partition 170 may be performed by a software application or a hardware module within the external storage device 150.
The cryptographic key for accessing secure partition 170 may be encrypted by the user fingerprint to form a locked fingerprint which is by itself secure. Therefore, the locked fingerprint may be stored in the read-only partition 160 of the external storage device 150 without further cryptographic protection. An authorized fingerprint scanner attached to or integrated with the external storage device 150 may be used to capture the user fingerprint for regenerating the original cryptographic key for accessing secure partition 170.

The operating system 162 may allow applications pre-installed in the read-only partition 160 of the external storage device 150 to access a remote organization server 112 through the organization extranet which may be a virtual private network. The organization data 140 may be centrally stored in the organization server 112 and accessed by the user on a need-to-use basis. This further reduces the risk of data leakage when the external storage device 150 is misplaced or lost. The organization data 140 may be further secured with application-level cryptographic protection.
External Storage Device Initialization
Deployment of external storage devices 150 for the implementation of the secure computing environment 100 may be managed centrally.
FIG. 4 illustrates a process flow executed for initializing an external storage device 150 of the secure computing environment 100 of FIG. 1. The cryptographic key for accessing secure partition 170 used for encrypting and decrypting data stored in the secure partition 170 in each external storage device 150 may be derived from a master key (410) and a plurality of parameters in step 420. The master key 410 is securely held by one or a plurality of personnel with sufficient privileges assigned by the organization. In the next step 430, the derived cryptographic key for accessing secure partition 170 is protected by an initial password assigned by the organization or selected by the user. The password-protected cryptographic key for accessing secure partition 170 is then written to the key memory 180 in the external storage device 150 in step 440. The organization master key 410 may be an asymmetric key or a symmetric key. The master key may be stored in a secure smart chip on a smart card. The master key may be split and stored in the secure smart chips of a plurality of smart cards each of which may be retained by a staffer assigned by the organization.
The cryptographic key for accessing secure partition 170 used for encrypting and decrypting data stored in the secure partition 170 in each external storage device 150 may be derived from the master key 410 and an identifier unique to each external storage device 150 in step 420. The identifier may be the serial number hardcoded in the external storage device 150 by the device manufacturer. The algorithm(s) involved in the key derivation may be a standard or proprietary symmetric or asymmetric cryptographic algorithm. The inputs to the cryptographic algorithm comprise the master key 410, the unique identifier of the external storage device 150 and any other parameters required to ensure that the master key 410 cannot be deduced from the derived cryptographic key for accessing secure partition 170 and/or the unique identifier of the external storage device 150. The parameters may comprise a random value or salt.
In the event that the user fails to recall the password used to protect the cryptographic key for accessing secure partition 170, the cryptographic key for accessing secure partition 170 can be derived when the user is able to provide the user identifier assigned by the organization or selected by the user, as well as the identifier of the external storage device 150. The unique identifier of the external storage device 150 may be obtained by either reading the code from the external storage device 150 or through looking up a table or database which stores the device identifier corresponding to the user identifier provided by the user.
User passwords may be changed on the organization computing platform 120 or in a credential management application pre- installed in the read-only partition 160 of the external storage device 150. Upon request, the credential management application is executed on the untrusted user computing device 190. A new password is accepted only if the user is able to provide the details of the current credentials including user identifier and current user password.
System Shut-Down
During device verification and user authentication, when the number of failed attempts has exceeded a pre-determined threshold value(s), the authentication status is firstly recorded in the audit logs 270 & 330 and the untrusted user computing device 190 shuts down automatically.
Furthermore, decoupling the external storage device 150 from the untrusted user computing device 190 causes the untrusted user computing device 190 to shut down automatically, with the loss of any data not yet saved to the external storage device 150. Before the untrusted user computing device 190 shuts down, whether on user request or for other reasons including decoupling of the external storage device 150 and failed authentication attempts, the volatile memory in the untrusted user computing device 190 that temporarily holds the unlocked cryptographic key for accessing secure partition 170 may be zeroized in accordance with Federal Information Processing Standard (FIPS) Publication 140-2 Level 3 and above (csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf).
In summary, the secure computing environment 100 allows a user to transfer organization data 140 to an external storage device 150 authorized by the organization. The external storage device 150 comprises two partitions, one of which is read-only 160, whereas the second, read/write-enabled secure partition 170 stores data in encrypted form. When the user interfaces the external storage device 150 with an untrusted user computing device 190, the untrusted user computing device 190 is booted from the external storage device 150, followed by device verification, user authentication and deactivation of the Internet connection, the local hard disk and all unauthorized input-output devices. A cryptographic software application performs encryption and decryption of data to and from the secure partition 170 of the external storage device 150. Authentication events and data movement are recorded in audit logs 270 & 330 as per the organization's security and data movement policy. In this way the secure computing environment 100 extends the organization's trusted computing environment to untrusted user computing devices 190 outside the organization.
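The policy enforcement by file type, size and time of usage (claim 11) and the audit logging of data movement with its parameters and time stamps (claims 6 and 14) can be sketched in code. The following is an added example, not the patent's or Privylink's own implementation; the policy fields, the JSON record layout and the HMAC chain across log entries are this example's assumptions, and the log key and file movements are constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class MovementPolicy:
    """Organization data movement policy (assumed fields): file types that may
    move, a size ceiling and the local hours during which movement is allowed."""
    allowed_extensions: frozenset
    max_bytes: int
    allowed_hours: range


def evaluate(policy: MovementPolicy, filename: str, size: int, hour: int) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); every failing criterion is reported so the
    audit record explains a denial rather than merely stating it."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in policy.allowed_extensions:
        reasons.append(f"file type '.{ext}' not permitted")
    if size > policy.max_bytes:
        reasons.append(f"size {size} exceeds limit {policy.max_bytes}")
    if hour not in policy.allowed_hours:
        reasons.append(f"hour {hour} outside permitted window")
    return (not reasons, reasons)


class AuditLog:
    """Append-only record of movement events. Each entry carries an HMAC over
    its fields plus the previous entry's MAC, so an edited or removed entry is
    detected when the organization verifies the log at check-in (assumed design)."""

    def __init__(self, log_key: bytes):
        self.key = log_key
        self.entries: List[dict] = []
        self.prev_mac = "00" * 32

    def _mac(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()

    def record(self, **fields) -> dict:
        body = dict(fields, seq=len(self.entries), prev=self.prev_mac)
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        self.prev_mac = entry["mac"]
        return entry

    def verify(self) -> bool:
        prev = "00" * 32
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def move_file(policy: MovementPolicy, log: AuditLog, user_id: str, device_serial: str,
              filename: str, size: int, direction: str, timestamp: str, hour: int) -> bool:
    """Apply the policy to one check-out or check-in and log the decision either way."""
    allowed, reasons = evaluate(policy, filename, size, hour)
    log.record(event="data_movement", ts=timestamp, user=user_id, device=device_serial,
               file=filename, size=size, direction=direction,
               decision="allow" if allowed else "deny", reasons=reasons)
    return allowed


if __name__ == "__main__":
    policy = MovementPolicy(frozenset({"docx", "xlsx", "pdf"}), 10 * 1024 * 1024, range(8, 18))
    log = AuditLog(b"constructed-log-key")  # constructed sample key and events
    move_file(policy, log, "alice", "SN-0001", "q2-report.docx", 120_000, "check-out", "2010-05-24T10:15:00", 10)
    move_file(policy, log, "alice", "SN-0001", "tool.exe", 2_000, "check-out", "2010-05-24T10:16:00", 10)
    for e in log.entries:
        print(e["decision"], e["file"], e["reasons"])
    print("log intact:", log.verify())
```

Chaining each record to the previous MAC means an edited or removed middle entry fails verify(); truncating the tail is only caught if the final MAC is also recorded elsewhere, for instance in the first audit log when the device is checked back in, which is one reason to keep both logs as the summary describes.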
Although the above description contains much specificity, this should not be construed as limiting the scope of the embodiments but merely as illustrating the foreseeable embodiments. In particular, the above-stated advantages of the embodiments should not be construed as limiting their scope but merely as explaining what may be achieved if the described embodiments are put into practice. Thus, the scope of the embodiments should be determined by the claims and their equivalents, rather than by the examples given.

Claims

1. A method of implementing a secure computing environment, wherein
at least one secure organization computing platform executing a first auditable data exchange application capable of recording events in a first audit log can be interfaced to and in communication with at least one external storage device for exchanging organization data between the memory of said organization computing platform and a secure partition of said external storage device, and said external storage device comprising at least one read/write secure partition, which stores organization data in encrypted form, and one read-only partition, and said external storage device can further be interfaced and in communication with at least one untrusted user computing device to which said organization data can be transferred for processing with pre-authorized software modules comprising an operating system, a plurality of authorized applications and drivers pre-installed in said read-only partition of said external storage device, and
the method comprising the steps of
an organization user interfacing said external storage device to said organization computing platform for checking out said organization data,
said first auditable data exchange application recording parameters and events associated with data movement and any other pre-determined events in said first audit log,
said organization user decoupling said external storage device with said organization data stored in its said secure partition and interfacing said external storage device with said untrusted user computing device,
said untrusted user computing device booting from said operating system pre-installed in said read-only partition of said external storage device, with the hard disk, any non-volatile storage devices, Internet and any other unauthorized network connections on said untrusted user computing device deactivated,
said organization user invoking one or a plurality of said authorized applications pre-installed in said read-only partition of said external storage device for processing said organization data stored in said secure partition of said external storage device, and
said processed organization data can be transferred to said organization computing platform in a data check-in process.
2. The method of claim 1, wherein
said checking out of said organization data being performed by said first auditable data exchange application to encrypt said organization data from said organization computing platform with an unlocked cryptographic key for accessing said secure partition, followed by writing said encrypted organization data to said secure partition of said external storage device.
3. The method of claim 1, wherein
said data check-in process being performed by said first auditable data exchange application to decrypt the data from said secure partition of said external storage device with an unlocked cryptographic key and transferring said decrypted data to the memory of said organization computing platform.
4. The method of claim 1, wherein
said organization data protected in said secure partition of said external storage device being firstly unlocked or decrypted before being accessed by said authorized applications running in said untrusted user computing device, and processed organization data and other application related data generated in said untrusted user computing device being encrypted and transferred to said secure partition of said external storage device, and this data encryption and decryption being executed by a cryptographic application executed in said user computing platform using an unlocked cryptographic key for accessing said secure partition, and said cryptographic application being one of the plurality of authorized applications pre-installed in said read-only partition of said external storage device.
5. The method of any of claims 1 to 4, wherein
said cryptographic key for accessing said secure partition being stored in protected form in a key memory of said external storage device.
6. The method of claim 1, wherein
said authorized applications comprising a second auditable data exchange application which is loaded to and executed by said untrusted user computing device upon the completion of said booting processes, and said second auditable data exchange application being used to record in a second audit log the data movement between said external storage device and said untrusted user computing device, and all the parameters, events and the corresponding time stamps required by the audit policies of the organization, and said second audit log being stored in said secure partition of said external storage device.
7. The method of claims 4 and 6, wherein
said second auditable data exchange application replacing said cryptographic application for encrypting and decrypting data exchanged between said secure partition of external storage device and said untrusted user computing device.
8. The method of any of the above claims, wherein
at least one of said organization computing platform and untrusted user computing device executing a device verification process for determining whether said interfaced external storage device has been pre- authorized by said organization.
9. The method of any of the above claims, wherein
at least one of said organization computing platform and untrusted user computing device unlocking said protected cryptographic key for accessing said secure partition of said external storage device by means of a user password provided by said organization user in an authentication process.
10. The method of any of the above claims, wherein
at least one of said organization computing platform and untrusted user computing device executing a key verification process in which said unlocked cryptographic key for accessing said secure partition being compared against a parameter derived from the original cryptographic key for validating whether said unlocked cryptographic key matches said original cryptographic key, and said parameter comprising the cryptographic checksum of said original cryptographic key stored in said external storage device.
11. The method of any of the above claims, wherein
at least one of said organization computing platform and untrusted user computing device enforcing data control and security policies pre-determined by the organization, and said policies comprising verification, authentication and authorization results, file movement control in accordance with file types, file size, time of usage and any other pre-determined criteria.
12. The method of any of claims 1, 8 to 11, wherein
any of said device verification, said authentication, said key verification and said policy enforcement processes executed on said user computing device being executable processes provided by one or a plurality of said authorized applications pre-installed in said read-only partition of said external storage device.
13. The method of any of claims 1, 8 to 12, wherein
any of said device verification, said authentication, said key verification and said policy enforcement processes being executed by at least one of said first and second auditable data exchange applications.
14. The method of any of claims 1, 6, 7 and 13, wherein
said parameters logged by said first and second auditable data exchange applications comprising the identifiers of either one or both of said organization computing platform and untrusted user computing device, and said identifiers can be constructed from one or a plurality of the identity codes associated with the central processing units (CPU) and subsystems of said organization computing platform and untrusted user computing device respectively.
15. The method of claim 1, wherein
said drivers being software codes used for enabling control signals and data exchange between the respective authorized input-output devices and said untrusted user computing device, and said authorized input-output devices including basic inputting devices such as mice and keyboards, essential outputting devices such as monitors and printers, but excluding any conventional external storage devices such as portable flash drives and external hard disks.
16. The method of claim 15, wherein
said authorized input-output devices including biometric scanners and portable crypto-tokens used for storing secret user cryptographic keys used in multi-factor authentication.
17. The method of any of claims 1, 4, 6 to 11, 14 and 15, wherein
said untrusted user computing device being a fixed or portable computer with which the organization user works outside the organization, and said untrusted user computing device including said user's home computers, off-site computers and shared computers for public use, and said untrusted user computing device having a standard Basic Input-Output System (BIOS) editor which can be used to register with said untrusted user computing device that said external storage device should be searched for said operating system when said untrusted user computing device is powered up.
18. The method of any of the above claims, wherein
said cryptographic key for accessing said secure partition being cryptographically protected with a second cryptographic key derived from the user password and other parameters in accordance with a pre-determined algorithm, and said protected cryptographic key for accessing said secure partition can be unlocked in a decryption process with said second cryptographic key derived from said user password using said same predetermined algorithm.
19. The method of any of the above claims, wherein
said cryptographic key for accessing said secure partition being cryptographically protected by the user fingerprint to form a locked fingerprint module which is secure and can be stored in said external storage device without additional cryptographic protection.
20. The method of any of the above claims, wherein
said cryptographic operations handling said encrypting and decrypting of the data for said secure partition being performed by a software application or a hardware module within said external storage device.
21. The method of claim 1, wherein
said operating system allowing said authorized applications pre-installed in said read-only partition of said external storage device to access the organization extranet, intranet and any other networks pre-authorized by the organization.
22. The method of claim 1, wherein
initialization of said external storage device comprising the steps of
deriving said cryptographic key for accessing said secure partition of said external storage device from at least a master key and the identifier of said external storage device,
protecting or encrypting said cryptographic key for accessing said secure partition from an initial password assigned by the organization or selected by said user, and
writing said protected cryptographic key for secure partition to the memory of said external storage device.
23. The method of any of the above claims, wherein
at least the volatile memory of said untrusted user computing device for holding any unlocked cryptographic key being zeroized, followed by system shut-down of said untrusted user computing device when said external storage device is decoupled and disconnected from said untrusted user computing device.
24. The method of any of the above claims, wherein
said user computing device being pre-configured to forbid said operating system to use any memory on said external storage device as the virtual memory.
25. A system of secure computing environment comprising
at least one secure organization computing platform, at least one external storage device comprising at least one read/write secure partition and at least one read-only partition, and at least one untrusted user computing device, wherein
said organization computing platform executing a first auditable data exchange application capable of recording data movement and other pre-determined events in a first audit log,
said external storage device can be interfaced to and in communication with said organization computing platform which can transfer organization data to said external storage device in a data check-out process upon successful verification and authentication,
said secure partition of said external storage device storing organization data in encrypted form,
said external storage device can be interfaced to and in communication with said untrusted user computing device to which said organization data can be transferred for processing with authorized software modules comprising operating system, authorized applications and drivers pre-installed in said read-only partition of said external storage device,
said organization user decoupling said external storage device from said organization computing platform with said organization data stored in its said secure partition, and interfacing said external storage device with said untrusted user computing device,
said untrusted user computing device booting from said operating system pre-installed in said read-only partition of said external storage device, with the hard disk, any non-volatile storage devices, Internet and any other unauthorized network connections on said untrusted user computing device deactivated, said organization user invoking one or a plurality of said authorized applications pre-installed in said read-only partition of said external storage device for processing said organization data stored in said secure partition of said external storage device, and
said processed organization data can be transferred to said organization computing platform in a data check-in process upon successful verification and authentication.
26. The system of claim 25, wherein
said authorized applications comprising a second auditable data exchange application which is loaded to said untrusted user computing device upon the completion of said booting processes, and said second auditable data exchange application being used to record in a second audit log all the parameters, events and data movement between said external storage device and said untrusted user computing device as required by the audit policies of the organization, and said second audit log being stored in said secure partition of said external storage device, and said second auditable data exchange application being capable of encrypting and decrypting data for said secure partition of said external storage device.
27. The system of claim 25, wherein
said verification and authentication comprising a device verification process for determining whether said interfaced external storage device has been pre-authorized by said organization, and
an authentication process comprising prompting said organization user for a password for unlocking a protected cryptographic key for encrypting and decrypting data for said secure partition of said external storage device.
PCT/IB2010/052286 2010-05-24 2010-05-24 Method and system of secure computing environment having auditable control of data movement WO2011148224A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
SG2012084786A SG185640A1 (en) 2010-05-24 2010-05-24 Method and system of secure computing environment having auditable control of data movement
PCT/IB2010/052286 WO2011148224A1 (en) 2010-05-24 2010-05-24 Method and system of secure computing environment having auditable control of data movement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2010/052286 WO2011148224A1 (en) 2010-05-24 2010-05-24 Method and system of secure computing environment having auditable control of data movement

Publications (1)

Publication Number Publication Date
WO2011148224A1 true WO2011148224A1 (en) 2011-12-01

Family

ID=45003392

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2010/052286 WO2011148224A1 (en) 2010-05-24 2010-05-24 Method and system of secure computing environment having auditable control of data movement

Country Status (2)

Country Link
SG (1) SG185640A1 (en)
WO (1) WO2011148224A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040006585A1 (en) * 2002-06-05 2004-01-08 Sachar Paulus Collaborative audit framework
EP2116954A1 (en) * 2008-05-09 2009-11-11 Business Objects, S.A. Apparatus and method for accessing data in a multi-tenant database according to a trust hierarchy
US20090313319A1 (en) * 2008-06-16 2009-12-17 International Business Machines Corporation System and Method for Dynamic Partitioning of Applications in Client-Server Environments
US20100100967A1 (en) * 2004-07-15 2010-04-22 Douglas James E Secure collaborative environment

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10643007B2 (en) 2016-06-03 2020-05-05 Honeywell International Inc. System and method for auditing file access to secure media by nodes of a protected system
WO2017209970A1 (en) * 2016-06-03 2017-12-07 Honeywell International Inc. System and method supporting secure data transfer into and out of protected systems using removable media
CN109196511B (en) * 2016-06-03 2024-03-12 霍尼韦尔国际公司 Apparatus and method for locking and unlocking removable media for use inside and outside a protected system
US10402559B2 (en) 2016-06-03 2019-09-03 Honeywell International Inc. System and method supporting secure data transfer into and out of protected systems using removable media
US10402577B2 (en) 2016-06-03 2019-09-03 Honeywell International Inc. Apparatus and method for device whitelisting and blacklisting to override protections for allowed media at nodes of a protected system
WO2017209952A3 (en) * 2016-06-03 2018-07-26 Honeywell International Inc. System and method for auditing file access to secure media by nodes of a protected system
WO2017209967A3 (en) * 2016-06-03 2018-07-26 Honeywell International Inc. Apparatus and method for preventing file access by nodes of a protected system
CN109196509A (en) * 2016-06-03 2019-01-11 霍尼韦尔国际公司 Device and method for the file access for preventing the node by protected system from carrying out
CN109196511A (en) * 2016-06-03 2019-01-11 霍尼韦尔国际公司 For locking and unlocking removable media in the inside and outside device and method used of protected system
US10205726B2 (en) 2016-06-03 2019-02-12 Honeywell International Inc. Apparatus and method for preventing file access by nodes of a protected system
WO2017209987A1 (en) * 2016-06-03 2017-12-07 Honeywell International Inc. Apparatus and method for locking and unlocking removable media for use inside and outside protected systems
WO2017209953A1 (en) * 2016-06-03 2017-12-07 Honeywell International Inc. System and method for providing command and control parameters, configuration data, and other data to nodes of a protected system using secure media
US20170351858A1 (en) * 2016-06-03 2017-12-07 Honeywell International Inc. Apparatus and method for locking and unlocking removable media for use inside and outside protected systems
CN109196509B (en) * 2016-06-03 2023-09-08 霍尼韦尔国际公司 Apparatus and method for preventing file access by nodes of protected system
US10614219B2 (en) 2016-06-03 2020-04-07 Honeywell International Inc. Apparatus and method for locking and unlocking removable media for use inside and outside protected systems
WO2017209965A1 (en) * 2016-06-03 2017-12-07 Honeywell International Inc. System and method for bridging cyber-security threat intelligence into a protected system using secure media
US10812517B2 (en) 2016-06-03 2020-10-20 Honeywell International Inc. System and method for bridging cyber-security threat intelligence into a protected system using secure media
US10990671B2 (en) 2018-01-12 2021-04-27 Honeywell International Inc. System and method for implementing secure media exchange on a single board computer
WO2019139875A1 (en) * 2018-01-12 2019-07-18 Honeywell International Inc. System and method for implementing secure media exchange on a single board computer
US11425170B2 (en) 2018-10-11 2022-08-23 Honeywell International Inc. System and method for deploying and configuring cyber-security protection solution using portable storage device
CN110321302A (en) * 2019-06-28 2019-10-11 兆讯恒达微电子技术(北京)有限公司 A kind of embedded system data memory area management method

Also Published As

Publication number Publication date
SG185640A1 (en) 2012-12-28

Similar Documents

Publication Publication Date Title
US10915633B2 (en) Method and apparatus for device security verification utilizing a virtual trusted computing base
US8103883B2 (en) Method and apparatus for enforcing use of danbury key management services for software applied full volume encryption
WO2011148224A1 (en) Method and system of secure computing environment having auditable control of data movement
US9507964B2 (en) Regulating access using information regarding a host machine of a portable storage drive
US9141815B2 (en) System and method for intelligence based security
US8261320B1 (en) Systems and methods for securely managing access to data
EP2345977B1 (en) Client computer for protecting confidential file, server computer therefor, method therefor, and computer program
CN112513857A (en) Personalized cryptographic security access control in a trusted execution environment
KR101719381B1 (en) Remote access control of storage devices
US20170277898A1 (en) Key management for secure memory address spaces
US20050114686A1 (en) System and method for multiple users to securely access encrypted data on computer system
US10897359B2 (en) Controlled storage device access
JP4610557B2 (en) DATA MANAGEMENT METHOD, PROGRAM THEREOF, AND PROGRAM RECORDING MEDIUM
US20080181406A1 (en) System and Method of Storage Device Data Encryption and Data Access Via a Hardware Key
JP2008072717A (en) Hard disc streaming cryptographic operations with embedded authentication
CN102884535A (en) Protected device management
US9015454B2 (en) Binding data to computers using cryptographic co-processor and machine-specific and platform-specific keys
US8843766B2 (en) Method and system for protecting against access to a machine code of a device
JP2016531508A (en) Data secure storage
CN105612715A (en) Security processing unit with configurable access control
US11469880B2 (en) Data at rest encryption (DARE) using credential vault
KR20140051350A (en) Digital signing authority dependent platform secret
CN109684866B (en) Safe USB flash disk system supporting multi-user data protection
CN113127141B (en) Container system management method and device, terminal equipment and storage medium
US11960737B2 (en) Self-deploying encrypted hard disk, deployment method thereof, self-deploying encrypted hard disk system and boot method thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10852070

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10852070

Country of ref document: EP

Kind code of ref document: A1