SYSTEM AND METHOD FOR PREVENTING DATA LOSS USING VIRTUAL MACHINE WRAPPED APPLICATIONS
A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine, which includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy may include a plurality of criteria with a first selected criterion permitting transmission of the data to a first application and a second selected criterion prohibiting transmission of the data to a second application. In another specific embodiment, the method may include updating the policy module through an administration module to modify the selected criterion.
Latest McAfee, Inc. Patents:
This disclosure relates in general to the field of security and, more particularly, to preventing data loss in a virtual environment.
BACKGROUNDThe field of network security has become increasingly important in today's society. In particular, the ability to effectively protect computers, systems, and the data residing on such computers and systems presents a significant obstacle for component manufacturers, system designers, and network operators. This obstacle is made even more difficult due to continuously evolving security threats. Virtualization is a software technology that allows a complete operating system to run on an isolated virtual environment (typically referred to as a virtual machine), where a platform's physical characteristics and behaviors are reproduced. Virtualization can also provide for execution of a single application within a virtual machine. A virtual machine can represent an isolated, virtual environment (lying on top of a host operating system (OS) or running on bare hardware), equipped with virtual hardware (processor, memory, disks, network interfaces, etc.). Commonly, the virtual machine is managed by a virtualization product. A virtual machine monitor (VMM) is typically the virtualization software layer that manages hardware requests from a guest OS (e.g., simulating answers from real hardware). A hypervisor is typically computer software/hardware platform virtualization software that allows multiple operating systems to run on a host computer concurrently. Applications represent a unique challenge in virtual environments because they can easily be manipulated in order to infect a given computer system. Security professionals and network administrators should account for these issues in order to protect computers and systems from emerging security threats.
To provide a more complete understanding of the present disclosure and features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying figures, wherein like reference numerals represent like parts, in which:
A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine and the virtual machine includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy includes a plurality of selected criteria, including a first selected criterion that permits transmission of the data to a first other application and a second selected criterion that prohibits transmission of the data to a second other application. In other more specific embodiments, the selected criterion permits transmission of the data to a client device of one of a plurality of users if the client device is requesting access to the application from within a secured network environment. In another more specific embodiment, the method includes updating the policy module through an administration module to modify the selected criterion.
Example EmbodimentsIn example embodiments, system 10 wraps each application or suite of applications within a virtual machine in order to protect data associated with the application from accidental and deliberate leakage. For purposes of illustrating the techniques of system 10, it is important to understand the activities occurring within a given network. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained. Such information is offered earnestly for purposes of explanation only and, accordingly, should not be construed in any way to limit the broad scope of the present disclosure and its potential applications.
Typical network environments including, among others, local area networks (LANs), wide area networks (WANs), Campus Area Networks (CANS), intranets, and extranets are used by businesses, schools, and other organizations to link multiple personal computers or client devices together, along with servers that allow the client devices to access shared data and applications related to the function of the organization. In addition, these networks are often configured to provide internet connections from client devices in the network to the Internet, enabling access to the World Wide Web and possibly other networks. The data maintained by the organizations typically includes varying types and degrees of confidential data, where data such as payroll records and legal documents often requires a high degree of protection, whereas data such as customer sales may require a lesser degree of protection. Network administrators typically configure their networks to allow particular persons (or groups of persons) access to specific applications, depending upon the type and degree of confidential data associated with the applications. For example, persons working within a human resources department would possibly have access to data and applications associated with the human resources department, but not have access to data and applications associated with the legal department. This type of security is typically applied at the operating system level.
Security at the operating system level alone is flawed because it relies on individuals properly controlling the data and applications to avoid accidental and deliberate misuse of confidential data. When multiple applications are running on an operating system, it is possible to share data between them using the operating system clipboard, a file system, and the like (e.g., using copy and paste functions, save, move, send to, import and export type functions, etc.). Thus, an authorized user accessing legal department data could mistakenly (or deliberately) share a confidential legal file or data with another user who is not authorized to access such information. This could be accomplished, for example, by using copy and paste functions between the legal application and another application to store the confidential data in an unprotected memory space to which unauthorized users in the organization have access. In another example, a user could email a message from the legal application containing confidential data that was copied into the message, or included as an attachment, to an unauthorized user. In addition, temporary files may also be at risk for leaking confidential data as they are normally available within the operating system. If an application terminates before all temporary files are deleted, then those remaining temporary files could be accessed by a savvy user, or by malicious third party software. Temporary files could contain confidential data from an application being run by an authorized user, or other information that was downloaded, such as, for example, details of a user's bank account. Such temporary files are at risk of exposure because they are often not protected.
Data leakage problems can also occur when authorized users access their organization's network from an unsecured or less secure environment. For example, users often take their laptops home or otherwise outside the corporate environment and remotely logon to their organization's network. Such networks typically have a firewall, which is a device or set of devices configured to control computer traffic sent to/from the network. Firewalls are usually designed to block unauthorized access, while permitting authorized communications based upon a set of rules and other criteria. Even with appropriate firewall protections, data leakage can occur, for example, if an authorized user accesses the network from a less secure (remote) location and begins retrieving confidential data. The confidential data may travel from the firewall-protected network to the user's computer through various communication paths and networking devices such as telephone lines, cable modems, fiber optic cables, satellites, microwaves, routers, gateways, switches, etc. Furthermore, the user's computer may no longer be protected by a firewall when it is remotely accessing the organization's network, thereby exposing the user's computer to various forms of malware, which could put the confidential data at risk.
A system for preventing data loss as outlined by
Generally, virtual machines can be implemented to run complete operating systems and their associated applications (system virtual machines), or to run a single application or suite of applications (process virtual machines). Virtual machines can be implemented as Type 1, running below the host operating system directly on the hardware or as Type 2, running on top of a host operating system. Both system and process virtual machines can have some type of virtualization software that manages virtual machines and any guest operating systems. As used herein in this Specification, the term ‘virtual machine monitor’ is meant to include hypervisors, or other software or objects that can operate to manage one or more virtual machines and allow desired policy administration as detailed below.
Note that in computing, an executable (file) can cause a computer to perform indicated tasks according to encoded instructions, as opposed to a file that only contains data. Files that contain instructions for an interpreter or virtual machine may be considered ‘executables’ or ‘binaries’ in contrast to program source code. The more generic term ‘object’ (as used herein in this Specification) is meant to include any such executables, binaries, kernel modules, etc., which are sought to be invoked, initiated, or otherwise executed.
Turning to the infrastructure of
In this example embodiment, a user with appropriate authority such as a network administrator is provided with an interface to manage the complete setup of virtual machines 12, 14, 24, and 26 and associated firewall policy modules 34a, 34b, 34c, and 34d. This management can include configurations of the virtual machine monitor and the virtual machines, creation, deletion, modification, shutdown, updating, and startup of the virtual machines, etc. The interface may allow the network administrator to initially configure and maintain master image 38 comprising entries that correspond to particular versions of the applications within the network. Alternatively, system 10 may automatically generate and update master image 38. Through policy administration module 20, the network administrator can select desired specific criteria for the policies to be applied to each virtual machine 12, 14, 24, and 26, through respective firewall policy modules 34a, 34b, 34c, and 34d. The policies can be tailored to meet particular desired security for data depending upon, for example, the confidentiality of the data accessible through the virtual machine wrapped application, the particular users seeking access to the data, particular job titles, particular department types, particular timestamps of information, particular locations in which a request for data access originates, particular days and times of days a request for data access originates, specifically configured permissions, etc. Once virtual machines 12, 14, 24, and 26 are configured with associated firewall policy modules 34a, 34b, 34c, and 34d, the virtual machines can be deployed to targeted computers, such as an end user's client device, a server, or any other device configured to host the virtual machine wrapped applications, which can be made accessible to authorized users. Policy administration module 20 is also configured to allow the network administrator to maintain virtual machines 12, 14, 24, and 26 and to update or change the security policies on firewall policy modules 34a, 34b, 34c, and 34d, as needed.
A first level of security associated with system 10 can relate to authentication. Authentication determines whether a user is authorized to access the network and within the network, which particular applications or data the user is allowed to access. Although authentication is typically applied at the operating system level, at least a portion of the authentication process may also be applied through firewall policy modules 34a, 34b, 34c, and 34d. Once an authorized user is granted access to an application within virtual machine 12, 14, 24, or 26, the associated firewall policy module 34a, 34b, 34c, or 34d may restrict what the user can do within the application. In one example embodiment, a policy may be applied to firewall policy module 34a for human resources virtual machine 12, preventing an authorized user from transmitting (e.g., copying, pasting, moving, sending, exporting, emailing, etc.) confidential data, such as employee salary data, from human resources virtual machine 12 to another application or user, such as, for example, application suite virtual machine 24. Alternatively, if the user has a higher approved level of authorization, then the policy may be tailored to allow data transmission with data tracking. In this situation, when the user is allowed to transmit confidential data from human resources application virtual machine 12 to another application or user, the transmitted confidential data may be recorded in a data log stored in a memory element. As used herein in this Specification, the terms ‘transmit’ and ‘transmission’ are meant to encompass any operations associated with copying, cutting, pasting, saving, moving, sending, importing, exporting, emailing, or otherwise manipulating data.
Another form of policy that may be used within firewall policy modules 34a, 34b, 34c, and 34d, includes policies related to the environment from which a user requests access to particular applications. For example, if a user requests access to human resources virtual machine 12 from a client device (e.g., a laptop, etc.) when the user is physically located within the network's secure environment, then firewall policy module 34a can perform a check to determine if the user is within a secure environment and allow access accordingly. However, if the user is out of the office, such as on a commuter train, and is therefore outside of the network's secure environment, then because of the confidential nature of the information within human resources virtual machine 12, the policies of firewall policy module 34a may be configured to prohibit the user from accessing the human resources application within virtual machine 12. Thus, the protocol can prevent the user from potentially leaking data when the user is in a less secure environment. The scope of this disclosure is intended to encompass any type or combination of firewall policies desired by a particular organization for controlling data leakage from one or more of its applications within its network. Such policies include, but are not limited to, policies restricting data movement between particular applications, policies restricting application access depending upon the user's environment, policies restricting application access depending upon the time of day or particular days access is requested, and policies restricting data movement from particular applications to particular individuals or groups of individuals.
Turning to
In the implementation shown in
In the particular example implementation shown in
Turning to
Software for configuring and maintaining the virtual machine wrapped applications and associated firewall policy modules can be provided at various locations (e.g., the central base or IT headquarters). In other embodiments, this software could be received or downloaded from a web server (e.g., in the context of purchasing individual end-user licenses for separate networks, devices, virtual machines, servers, etc.) in order to provide this system for preventing data loss using virtual machine wrapped applications. Software for controlling data transmission from within virtual machine wrapped applications in a network can also be provided at various locations (e.g., within firewall policy modules 34a, 34b, 34c, and 34d) once the virtual machine wrapped applications and associated firewall policy modules have been initially configured. In one example implementation, this software is resident in a computer sought to be protected from a security attack (or protected from unwanted, or unauthorized manipulations of data). In a more detailed configuration, this software is specifically resident in a security layer of a virtual machine and provides an interface between the virtual machine and the underlying operating system and between the virtual machine and other virtual machines within the system, which also may include (or otherwise interface with) the components depicted by
In other examples, the data loss prevention software could involve a proprietary element (e.g., as part of a network security authentication solution), which could be provided in (or be proximate to) these identified elements, or be provided in any other device, server, network appliance, console, firewall, switch, information technology (IT) device, etc., or be provided as a complementary solution (e.g., in conjunction with a firewall), or provisioned somewhere in the network. As used herein in this Specification, the term ‘computer’ is meant to encompass these possible elements (VMMs, hypervisors, Xen devices, virtual machines or other devices, network appliances, routers, switches, gateways, processors, servers, loadbalancers, firewalls, or any other suitable device, machine, component, element, or object) operable to affect or process electronic information in a security environment. Moreover, this computer may include any suitable hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective protection of data. In addition, the data loss prevention system can be consolidated in any suitable manner. Along similar design alternatives, any of the illustrated modules and components of
In certain example implementations, the data loss prevention system outlined herein may be implemented by logic encoded in one or more tangible media (e.g., embedded logic provided in an application specific integrated circuit (ASIC), digital signal processor (DSP) instructions, software (potentially inclusive of object code and source code) to be executed by a processor, or other similar machine, etc.). In some of these instances, a memory element (as shown in
Any of these elements (e.g., a computer, a server, a network appliance, a firewall, a virtual machine monitor, any other type of virtual element, etc.) can include memory elements for storing information to be used in achieving the data loss prevention system operations as outlined herein. Additionally, each of these devices may include a processor that can execute software or an algorithm to perform the data loss prevention activities as discussed in this Specification. These devices may further keep information in any suitable memory element (random access memory (RAM), ROM, EPROM, EEPROM, ASIC, etc.), software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. Any of the memory items discussed herein (e.g., data log, master image, etc.) should be construed as being encompassed within the broad term ‘memory element.’ Similarly, any of the potential processing elements, modules, and machines described in this Specification should be construed as being encompassed within the broad term ‘processor.’ Each of the computers, network appliances, virtual elements, etc. can also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a secure environment.
Note that with the examples provided herein, interaction may be described in terms of two, three, four, or more network elements. However, this has been done for purposes of clarity and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of flows by only referencing a limited number of components or network elements. It should be appreciated that the systems of
It is also important to note that the steps described with reference to the preceding FIGURES illustrate only some of the possible scenarios that may be executed by, or within, system 10. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the discussed concepts. In addition, the timing of these operations may be altered considerably and still achieve the results taught in this disclosure. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by system 10 in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the discussed concepts.
Claims
1-20. (canceled)
21. A method implemented by a system including an operating system and a virtual machine monitor, the method comprising:
- downloading a browser wrapped in a virtual machine, based on a determination that the browser is not being used in an access to an institution;
- updating the browser if the browser is determined to not be current; and
- allowing a connection to the institution through the browser, the system including the browser, the operating system underlying the virtual machine.
22. The method of claim 21, further comprising:
- determining whether the browser is allowed to share data, based on an evaluation of a firewall policy.
23. The method of claim 22, wherein the browser shares the data using a copy buffer or a paste buffer, and the operating system cannot access the copy buffer or the paste buffer.
24. The method of claim 21, further comprising:
- evaluating a criterion of a policy to determine whether to permit access to the virtual machine, based on a determination that a master image is not available, the master image corresponding to a version of the browser or a version of the virtual machine.
25. The method of claim 21, further comprising:
- comparing the browser to a master image, the master image corresponding to a version of the browser or a version of the virtual machine.
26. The method of claim 21, further comprising:
- performing a self-integrity check, wherein the allowing is performed if the self-integrity check passes.
27. A system, comprising:
- a memory element that stores instructions; and
- a processor configured to execute a browser wrapped in a virtual machine, an operating system underlying the virtual machine, wherein the browser is downloaded based on a determination that the browser is not being used in an access to an institution, the browser is updated if the browser is determined to not be current, and a connection to the institution is allowed through the browser.
28. The system of claim 27, wherein the browser shares data, based on an evaluation of a firewall policy.
29. The system of claim 28, wherein the browser shares the data using a copy buffer or a paste buffer, and the operating system cannot access the copy buffer or the paste buffer.
30. The system of claim 27, wherein a criterion of a policy is evaluated to determine whether to permit access to the virtual machine, based on a determination that a master image is not available, the master image corresponding to a version of the browser or a version of the virtual machine.
31. The system of claim 27, wherein the browser is compared to a master image, the master image corresponding to a version of the browser or a version of the virtual machine.
32. The system of claim 27, wherein a self-integrity check is performed, and the connection is allowed if the self-integrity check passes.
33. The system of claim 27, wherein a policy prohibits accessing the virtual machine if a client device requests access to the virtual machine from an unsecured network environment.
34. A non-transitory computer readable storage medium, comprising:
- instructions to download a browser wrapped in a virtual machine, based on a determination that the browser is not being used in an access to an institution, an operating system underlying the virtual machine;
- instructions to update the browser if the browser is determined to not be current; and
- instructions to allow a connection to the institution through the browser.
35. The medium of claim 34, further comprising:
- instructions to determine whether the browser is allowed to share data, based on an evaluation of a firewall policy.
36. The medium of claim 35, wherein the browser shares the data using a copy buffer or a paste buffer, and the operating system cannot access the copy buffer or the paste buffer.
37. The medium of claim 34, further comprising:
- instructions to evaluate a criterion of a policy to determine whether to permit access to the virtual machine, based on a determination that a master image is not available, the master image corresponding to a version of the browser or a version of the virtual machine.
38. The medium of claim 34, further comprising:
- instructions to compare the browser to a master image, the master image corresponding to a version of the browser or a version of the virtual machine.
39. The medium of claim 34, further comprising:
- instructions to perform a self-integrity check, wherein the connection is allowed if the self-integrity check passes.
40. The medium of claim 34, wherein a policy prohibits accessing the virtual machine if a client device requests access to the virtual machine from an unsecured network environment.
Type: Application
Filed: Jan 23, 2017
Publication Date: May 11, 2017
Applicant: McAfee, Inc. (Santa Clara, CA)
Inventors: Sonali Agarwal (Bangalore), Lee Codel Lawson Tarbotton (Aylesbury)
Application Number: 15/412,337