EVENT-BASED DISPLAY INFORMATION PROTECTION SYSTEM
A display information protection system includes a management system that stores a plurality of display information protection policies and that may provide any of the display information protection policies through a network. An endpoint device is coupled to the management system through the network and stores a display information protection policy that may have been automatically populated or received from the management system. The endpoint device displays a plurality of information and may determine that a first subset of the plurality of information that has been provided for display is defined by the display information protection policy. In response to detecting the first display information protection event and determining that the first subset of a plurality of information is defined by the display information protection policy, the endpoint device obfuscates the display of the first subset of the plurality of information on the endpoint device.
This is a Continuation application to U.S. patent application Ser. No. 15/943,440 filed Apr. 2, 2018, issuing as U.S. Pat. No. 10,572,694, which is a Continuation Application of U.S. patent application Ser. No. 14/814,006 filed Jul. 30, 2015, now U.S. Pat. No. 9,953,191, entitled “EVENT-BASED DISPLAY INFORMATION PROTECTION SYSTEM,” Attorney Docket No. 16356.1780US01, the disclosures of which are incorporated herein by reference in their entirety.
BACKGROUND
The present disclosure relates generally to information handling systems, and more particularly to event-based protection of information displayed on an information handling system.
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Information handling systems such as, for example, desktop computers, laptop/notebook computers, tablet computers, mobile phones, and/or other computing systems are often used to handle sensitive information, and when doing so, it is desirable to implement security policies to ensure that such sensitive information cannot be accessed by unauthorized users. The vast majority of conventional information security systems focus on the security of information entering and leaving the computing system, including authentication of the user using the computing system, encryption/decryption of the information leaving/entering the computing system, and/or other information security functionality known in the art. However, there exist a variety of situations and events that are not addressed by such information security systems in which sensitive information located on such computing systems may be compromised. For example, an authorized user of the computing system may leave the computing system unattended while it is displaying sensitive information, and an unauthorized user may then be able to view that sensitive information. In another example, an unauthorized user may view the displayed sensitive information from behind an authorized user while that authorized user is at the computing system. In yet another example, an authorized user may “share” their screen (i.e., transmit the information being displayed on their computing system) across a network with the computing system of an unauthorized user while the computing system of the authorized user is displaying sensitive information. These and other situations risk the compromise of sensitive information to unauthorized users.
Accordingly, it would be desirable to provide an improved display information protection system.
SUMMARY
According to one embodiment, an information handling system (IHS) includes a primary display device; a database storing a display information protection policy; a processing system that is coupled to the primary display device and the database; and a memory system that is coupled to the processing system and that includes instructions that, when executed by the processing system, cause the processing system to provide a display information protection engine that is configured to: display a plurality of information on the primary display device; determine that a first subset of the plurality of information that has been provided for display on the primary display device is defined by the display information protection policy in the database; detect a display information protection event; and in response to detecting the display information protection event and determining that the first subset of a plurality of information is defined by the display information protection policy, obfuscate the display of the first subset of the plurality of information on the primary display device.
For purposes of this disclosure, an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, calculate, determine, classify, process, transmit, receive, retrieve, originate, switch, store, display, communicate, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes. For example, an information handling system may be a personal computer (e.g., desktop or laptop), tablet computer, mobile device (e.g., personal digital assistant (PDA) or smart phone), server (e.g., blade server or rack server), a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, ROM, and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, touchscreen and/or a video display. The information handling system may also include one or more buses operable to transmit communications between the various hardware components.
In one embodiment, IHS 100,
Referring now to
Referring now to
In the illustrated example, those one or more databases include a policy/event database 306a, an endpoint device database 306b, and a protection action database 306c. As discussed in further detail below, the policy event database 306a may store display information protection policies and display information protection events (which may be, for example, generated, defined, and/or otherwise provided by a corporate network administrator), the endpoint device database 306b may store information about endpoint devices accessible through the network 204 (e.g., endpoint devices in the corporate LAN), and the protection action database 306c may store display information protection actions (which may be, for example, populated, defined, and/or otherwise provided by a corporate network administrator). While a few specific databases have been illustrated and described as separate databases included in the chassis 302 of the management system 300, one of skill in the art in possession of the present disclosure will recognize that those databases may be combined, further separated, and/or located outside the chassis 302 of the management system 300 (i.e., coupled to the management engine 304 through the network 204) while remaining within the scope of the present disclosure. The management engine 304 is also coupled to a communication subsystem 308 such as a network interface controller (NIC) or wireless communication device (e.g., via a coupling between the processing system and the communication subsystem 308) that is coupled to the network 204 and configured to allow the management engine 304 to communicate through the network 204 with the endpoint devices 206a-c.
Referring now to
The memory system may also include instructions that, when executed by the processing system, cause the processing system to provide a display engine 406 that performs the functions of the display engines and endpoint devices discussed below. For example, the processing system may include a graphics processing system (e.g., a central processing unit (CPU), a graphics processing unit (GPU) provided on a video card, etc.) that is configured to receive instructions from a user and/or application running on the endpoint device 400 to provide information for display on a display device, and performs processing functions to provide that information for display on the display device. The display engine 406 is coupled to the display information protection engine 404 (and specifically the data valuation engine 404a in the illustrated embodiment) either via a connection between processing subsystems in the processing system or due to a processing system providing both the display engine 406 and the display information protection engine 404. Furthermore, similarly as discussed above, in some embodiments the display engine 406 may be combined with the display information protection engine 404 while remaining within the scope of the present disclosure.
The chassis 402 may also house one or more storage systems (not illustrated, but which may be provided by the storage device 108 discussed above with reference to
In some embodiments, the chassis 402 may house a hardware-based storage system that may include the policy/event database 408a, the protection action database 408b, and/or that may store the policies, events, and actions described below. That hardware-based storage system may be a secure storage system that requires authentication by the processing system (i.e., by the policy/event engine 404b) for access and retrieval of the policies, events, and/or actions stored therein. For example, the hardware-based storage system that includes the databases 408a and 408b and/or stores the policies, events, and actions utilized by the policy/event engine 404b may be provided by a CONTROLVAULT™ system available from Dell, Inc. of Round Rock, Tex. However, other hardware-based storage systems that are configurable to provide for secure access by the policy/event engine 404b to the policies, events, and actions in the databases 408a and 408b will fall within the scope of the present disclosure.
The policy/event engine 404b is also coupled to a communication subsystem 410 such as a network interface controller (NIC) or wireless communication device (e.g., via a coupling between the processing system and the communication subsystem 410) that is coupled to the network 204 and configured to allow the policy/event engine 404b to communicate through the network 204 with the management system 202/300. The policy/event engine 404b is also coupled to a display device connector 412 (e.g., via a coupling between the processing system and the display device connector 412) that is coupled to a display device 414 that may be the display 110 discussed above with reference to
Referring now to
Referring now to
The method 600 begins at block 602 where one or more display information protection policies are stored. In an embodiment, at block 602 the policy/event engine 404b may store display information protection policies in the policy/event database 408a. In some embodiments, display information protection policies may be automatically populated by the policy/event engine 404b and/or other components in the endpoint device 400 and stored in the policy/event database 408a. For example, the policy/event engine 404b may communicate with applications operating on the endpoint device to determine the sensitivity of data or information being utilized with those applications, and in some situations the details that allow for the recognition of that sensitive data (i.e., display information protection policies) may then be automatically populated in the policy/event. In another embodiment, display information protection policies may be provided by the manufacturer of the endpoint device or an event-based display information protection application running on that endpoint device and enabled automatically (e.g., by default) unless modified by a user or administrator. For example, such automatically populated display information policies (i.e., enabled without instructions from the administrator or user) may allow data or information to be classified automatically and in real time to recognize specific patterns (with number generically indicated by the hash (#) marks and letters generically indicated by “x” below) such as, for example:
Social Security Numbers: ###-##-####
Money: $#,###.##
Addresses: #### xxxx drive
Zip Codes: #####-####
Phone Numbers: 1-###-###-####
Names: Xxxxx Xxxxx
Furthermore, classification levels may also be automatically populated based on the pattern of the information being displayed that is different from the patterns detailed above, and any personally identifiable data (i.e., any data or information that may be used to identify a person) that is recognized using any method known in the art may result in a sensitivity classification being automatically applied to that data or information.
In addition, the display information protection policies may be associated with display information protection events in the policy/event database 408a. As discussed in further detail below, the display information protection events may be defined for any detectable situation in which an unauthorized user may have viewing access to sensitive information on a display screen. Furthermore, display information protection actions may be defined for sensitive information and stored in the protection action database 408b. As discussed in further detail below, display information protection actions may be based on the sensitivity of the information that is to be displayed, the detected display information protection event, and/or any other factor associated with the protection of the information that is to be displayed. Thus, display information protection policies, display information detection events, and/or display information protection actions may be automatically determined by the endpoint device 500, continuously refined, and stored in the policy/event database 408a at block 602.
In some embodiments, display information protection policies may be created on the management system 202/300 (e.g., by an administrator) and stored in the policy/event database 306a using the management engine 304. As discussed above, the endpoint device database 306b in the management system 300 may include identifying information about the endpoint devices 206a-c in the display information protection system 200, users of the endpoint devices 206a-c in the display information protection system 200, and/or other information about the endpoint devices 206a-c in the display information protection system 200 that allows the management system 202 to push the display information protection policies to the endpoint devices 206a-c in the display information protection system 200 based on information accessible through those endpoint devices 206a-c, users authorized to use those endpoint devices 206a-c, and/or any other criteria that is associated with information that may be displayed on the endpoint devices 206a-c. Similarly as discussed above, the display information protection policies may be associated with display information protection events in the policy/event database 306a, and the display information protection events may be defined for any detectable situation in which an unauthorized user may have viewing access to sensitive information on a display screen. Also similarly as discussed above, display information protection actions may be defined for sensitive information and stored in the protection action database 306c, and the display information protection actions may be based on the sensitivity of the information that is to be displayed, the detected display information protection event, and/or any other factor associated with the protection of the information that is to be displayed.
Thus, at block 602, the management engine 308 may be used to define and provide display information protection policies, display information protection events, and/or display information protection actions through the communication subsystem 308 and over the network 204 such that they are received by the policy/event engine 404b through the communication subsystem 410 and stored in the policy/event database 408a and/or the protection action database 408b.
While a few examples of the storage of the display information protection policies (and in some embodiments, other information such as display information protection events and display information protection actions) at block 602 have been provided, one of skill in the art in possession of the present disclosure will recognize that the policies, events, and actions discussed above and described below may be provided in any of a variety of manners while remaining within the scope of the present disclosure. For example, users of endpoint devices 206a-c may define policies, events, and/or actions utilized by the display information protection system. Furthermore, endpoint devices 206a-c may share policies, events, and/or actions between each other. Further still, applications provided on the endpoint devices 206a-c may define the policies, events, and/or actions, and may cause those policies, events, and/or actions to be shared between each other in an endpoint device or across endpoint devices. Thus, the provision and/or storage of the policies, events, and/or actions in the endpoint devices 206a-c is envisioned as being performed in any of a variety of manners while remaining within the scope of the present disclosure.
The method 600 then proceeds to block 604 where a plurality of information is displayed on a display device. Referring now to
Referring now to
Referring now to
Referring now to
While a few specific examples of information displayed at block 604 of the method 600 have been illustrated and described, one of skill in the art in possession of the present disclosure will recognize that the display information protection system and method taught herein may be applied to almost any information that may be displayed on a display screen. For example, while the embodiments provided herein focus on social security information, financial information, payment information, and confidential corporate information, a user or users may define any of a variety of other information as sensitive information that may be protected using the teachings provided herein. As such, the systems and methods of the present disclosure, while applicable to the security of sensitive information, may also be considered as enabling information privacy for users that wish to keep any or all of the information displayed on their display screens private. Thus, the “sensitivity” of the information protected using the systems and methods of the present disclosure may depend on the user implementing those systems and methods, and may include information that, while not confidential or access-restricted in many scenarios, will be protected according to the teachings provided herein based on events and actions defined by the user of that information.
The method 600 then proceeds to block 606 where it is determined that a first subset of the plurality of information that has been provided for display is defined by a display information protection policy. As discussed above with regard to block 604, in response to instructions from the user 700, the display engine 406 may retrieve, generate, and/or otherwise provide the plurality of information for display on the display screen 504a of the display device 504 (i.e., via the display device connector 412). However as discussed with regard to blocks 606 and 608 of the method 600, when information is provided for display on the display screen 504a of the display device 504, the display information protection system may determine whether any of that information is defined by a display information protection policy and, if so, whether a display information protection event is occurring. As discussed below with regard to block 610 of the method 600, if information is defined by a display information protection policy and a display information protection event is occurring, that information is obfuscated to protect that information from being viewed by unauthorized users. As such, in the specific example of the information displayed in
With reference to
Similarly, the data valuation engine 404a may be configured to parse images that have been provided for display on the display device to classify those images, recognize elements in those images, and/or perform any other image classification, recognition, and/or other functions known in the art. In a specific example, the data valuation engine 404a may be configured to recognize particular people in images (e.g., via face recognition), particular elements in images (e.g., drug paraphernalia), and/or any other definable image element. Similarly, the data valuation engine 404a may be configured to parse files that have been provided for display on the display device to classify those files, recognize metadata provided with those files, and/or perform any other file classification, recognition, and/or other functions known in the art. In a specific example, the data valuation engine 404a may be configured to recognize particular files (e.g., video files with adult content). Similarly, the data valuation engine 404a may be configured to parse applications that have been provided for display on the display device to classify those applications, recognize features provided with those applications, and/or perform any other file classification, recognition, and/or other functions known in the art. In a specific example, the data valuation engine 404a may be configured to recognize particular applications (e.g., gaming application with adult content) or application functions (e.g., a web browser directed to a website with adult content). While a few information formats (i.e., text, images, files, and applications) have been described as being processed by the data valuation engine 404a, any of a variety of other information may be processed by the data valuation engine 404a to enable the functionality discussed below. 
In some embodiments, the data valuation engine 404a may be configured to provide a classification of the information that has been provided for display on the display device 414. For example, information may be recognized and classified as highly sensitive, as being of medium or low sensitivity, as highly private, as having medium or low privacy, and/or using other classifications known in the art. In other examples, classifications may include more granularity than simply high, medium, and low, and in some embodiments the recognized information may simply be provided to the policy/event engine 404b for analysis and/or comparison to policies as discussed below.
The data valuation engine 404a then provides the results of the processing of the information that has been provided for display on the display device 414 to the policy/event engine 404b. In an embodiment, the data valuation engine 404a may provide the policy/event engine 404b text that has been recognized and classified, text strings that have been recognized and classified, images that have been recognized and classified, image elements that have been recognized and classified, files that have been recognized and classified, applications that have been recognized and classified, and/or any other information processed as discussed above to the policy/event engine 404b. At block 606, the policy/event engine 404b compares the information recognized and/or classified by the data valuation engine 404a to the display information protection policies in the policy/event database 408a to determine whether that information is defined by a display information protection policy. For example, with reference to the information provided for display in the application GUI 800 of
The method 600 then proceeds to block 608 where a display information event is detected. As discussed above, in the examples provided, the authorized user 700 is authorized to view any of the information provided for display on the display device as illustrated in
For example, a display information protection event may be detected by the policy/event engine 404b in response to a timing event such as a predetermined amount of time passing without an input or instruction being provided by the authorized user 700 using the input devices 508a and 508b (and in some cases in response to the associated display device or system performing a lock action, a sleep action, or other power saving action known in the art). In another example, a display information protection event may be detected by the policy/event engine 404b in response to receiving an image from the image capturing device 506 that doesn't include the authorized user 700. In such an example, the authorized user 700 may have been authorized to use the endpoint device 500 in response to that authorized user 700 being recognized in an image captured by the image capturing device 506. For example, the policy/event engine 404b and/or other subsystems in the endpoint device 500 may be configured to process the image(s) received from the image capturing device 506 to recognize the face, eyes, and/or other features of the authorized user 700 (e.g., using image recognition techniques) and compare the recognized face, eyes, and/or other features to those of authorized users to detect the authorized user 700. However, regardless of the method of authorization, the lack of the authorized user 700 in an image captured by the image capturing device may be defined as a display information protection event. 
While a few examples of display information protection events determined in response to the user 700 leaving the endpoint device 500 (i.e., such that the user is no longer providing inputs to the endpoint device 500 or is not located in front of the display device 504) have been provided, one of skill in the art in possession of the present disclosure will recognize that any of a variety of display information detection events may be defined and detected in response to a user leaving an endpoint device while remaining within the scope of the present disclosure.
Referring next to
In addition to those illustrated, a wide variety of other display information protection events are envisioned as falling within the scope of the present disclosure. In an embodiment, as detailed below with reference to
In another embodiment, a display information protection event may include an ambient light change. For example, the policy/event engine 408b may be coupled to an ambient light sensor that can report changes in ambient light that may be detected when the endpoint device is moved. In another embodiment, a display information protection event may include the detection of a connection of a display device to the endpoint device. For example, the authorized user 700 may connect a projector or other secondary display device to the endpoint device 500 to provide a presentation, and that connection may result in the information being displayed on the endpoint device 500 being projected into the view of unauthorized users. In another embodiment, a display information protection event may include the detection of a network change. For example, the authorized user 700 may move the endpoint device 500 such that it disconnects from a currently connected network and connects to a new network. In another embodiment, a display information protection event may include the authorized user logging into the endpoint device 500 after being logged out. For example, the authorized user 700 may be logged out from the endpoint device 500 after a period of inactivity while that endpoint device 500 was displaying sensitive information, and then may log back into that endpoint device 500 when the unauthorized user 1200 is able to view the display screen 504a of the display device 504. While several examples of display information protection events have been provided, one of skill in the art in possession of the present disclosure will recognize that any event, situation, or scenario that may result in an unauthorized user being able to view information on the display screen of a display device may be defined as a display information protection event while remaining within the scope of the present disclosure.
The method 600 then proceeds to block 610 where the display of the first subset of the plurality of information is obfuscated. In an embodiment, in response to determining that the subset of the plurality of information that has been provided for display on the display screen 504a of the display device 504 is defined by a display information protection policy at block 606, and detecting the display information protection event at block 608, the policy/event engine 404b may access the protection action database 408b to retrieve a display information protection action and apply that display information protection action to the subset of information that has been provided for display, followed by the provision of the plurality of information through the display device connector 412 to the display device 414 for display. However, the application of the display information protection action to the subset of information that has been provided for display will result in the plurality of information being displayed on the display screen 504a of the display device 504 with the subset of the information being obfuscated such that it cannot be viewed (or clearly viewed) by any users. While a variety of different display information protection actions are illustrated and described below, in some embodiments, the policy/event engine 404b may perform the same display information protection action on any information that is defined by a display information protection policy when a display information protection event is detected. However, the discussion below details how, in some embodiments, different levels of obfuscation of sensitive information may be performed depending on the sensitivity of that information (e.g., as determined by the display information protection engine 404), the level of authorization of unauthorized users, and/or any other factors that may be relevant to the viewing of that sensitive information.
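The flow of blocks 606 through 610 can be sketched in code. The following is an added example, not code from the disclosure: it classifies displayed text against the pattern examples given for block 602, then obfuscates only the policy-defined subset, and only while a protection event is active. The regular expressions, the event names, the `Policy` structure and the two masking styles are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Regex readings of the disclosure's pattern examples ("#" = digit).
# The exact expressions are this example's interpretation (assumption).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # ###-##-####
    "money": re.compile(r"\$\d{1,3}(?:,\d{3})*\.\d{2}"),  # $#,###.##
    "zip": re.compile(r"\b\d{5}-\d{4}\b"),              # #####-####
    "phone": re.compile(r"\b1-\d{3}-\d{3}-\d{4}\b"),    # 1-###-###-####
}


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy record: what to protect, how sensitive, and when."""
    kind: str          # key into PATTERNS
    sensitivity: str   # "high" or "medium" (assumed levels)
    events: frozenset  # protection events that trigger obfuscation


# Hypothetical event names modelled on events the disclosure lists.
POLICIES = [
    Policy("ssn", "high", frozenset({"idle_timeout", "user_absent", "screen_share"})),
    Policy("phone", "medium", frozenset({"screen_share"})),
    Policy("money", "high", frozenset({"screen_share", "secondary_display"})),
]

# Constructed sample of text provided for display.
SAMPLE = ("Employee: J. Doe | SSN: 123-45-6789 | Phone: 1-555-010-1234 | "
          "Bonus: $4,250.00 | Office ZIP: 12345-6789")


def classify(text, policies):
    """Block 606: find the spans of displayed text defined by a policy."""
    hits = []
    for policy in policies:
        for m in PATTERNS[policy.kind].finditer(text):
            hits.append((m.start(), m.end(), policy))
    # Earliest match first, longest first on ties; drop overlapping matches.
    hits.sort(key=lambda h: (h[0], -(h[1] - h[0])))
    spans, last_end = [], 0
    for start, end, policy in hits:
        if start >= last_end:
            spans.append((start, end, policy))
            last_end = end
    return spans


def mask(value, sensitivity):
    """Block 610: the obfuscation level depends on sensitivity (assumed styles)."""
    if sensitivity == "high":
        return "*" * len(value)  # hide the value and its format
    head, tail = value[:-4], value[-4:]
    return "".join("*" if c.isalnum() else c for c in head) + tail


def render(text, policies, active_events):
    """Blocks 606-610: obfuscate a span only when it is policy-defined AND
    one of that policy's protection events is currently detected."""
    out, pos = [], 0
    for start, end, policy in classify(text, policies):
        out.append(text[pos:start])
        value = text[start:end]
        if policy.events & set(active_events):
            value = mask(value, policy.sensitivity)
        out.append(value)
        pos = end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for events in (set(), {"idle_timeout"}, {"screen_share"}):
        print(sorted(events), "->", render(SAMPLE, POLICIES, events))
```

The ZIP code has a pattern but no policy, so it stays visible under every event, which corresponds to the "second subset" that continues to be displayed.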
Referring now to
Referring now to
Referring now to
Referring now to
While several examples of display information protection actions have been illustrated and described above, one of skill in the art in possession of the present disclosure will recognize that any of a variety of display information protection actions may be performed to prevent an unauthorized user from viewing information that is provided for display on the display screen of a display device. For example, display information protection actions may include terminating a process or application displaying the sensitive information, providing a display window over the display of the sensitive information, launching an application such that the application displaying the sensitive information is obscured, “cleaning” the desktop provided on the display screen, etc. In one specific embodiment, a display information protection action may include launching a secondary virtual desktop in place of the desktop provided on the display screen that includes the sensitive information that is being displayed (i.e., launching a virtual desktop that doesn't include the application displaying the sensitive information). Thus, any of a wide variety of obfuscation techniques may be applied to sensitive information, just a few of which are illustrated and described above, that will fall within the scope of the present disclosure.
Thus, systems and methods have been described that protect against the viewing of sensitive information by unauthorized users by obfuscating the display of that sensitive information according to policies and detected events. Such systems and methods address the security of data that may have been accessed by an authorized user and then subsequently be compromised by an unauthorized user that is within view of the display screen upon which it is being displayed. The systems and methods allow for the automatic generation and/or distribution of policies that define what viewing access users should have to sensitive information, and then monitor for events when that sensitive information is being displayed to determine when to obfuscate the display of that data to ensure that it is not compromised. In some embodiments, further security functions may be performed by the endpoint device upon which sensitive information has been obfuscated if detected events indicate that the information may be compromised, including erasing that information from the endpoint device (e.g., wiping a storage system, clearing a browser history, etc.), shutting down the endpoint device, requiring re-authentication to use the endpoint device, and/or other security actions.
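The policy-match, event-detection and action-lookup flow summarized above (blocks 606 to 610), sketched as an added example that is not part of the patent disclosure. The rule schema, event names, action names, sensitivity scale and sample windows are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:            # one policy entry (hypothetical schema)
    name: str
    sensitivity: int   # constructed scale: 1 = low, 3 = high
    app: str = ""      # match on the owning application, and/or
    pattern: str = ""  # match on displayed text (regex)

@dataclass(frozen=True)
class Window:
    app: str
    text: str

# Constructed contents; the disclosure names these databases but not their entries.
POLICY = [
    Rule("payroll-app", 3, app="payroll"),
    Rule("ssn", 2, pattern=r"\b\d{3}-\d{2}-\d{4}\b"),
]
ACTIONS = {  # (event, sensitivity) -> display information protection action
    ("screen_share", 3): "omit_window", ("screen_share", 2): "mask_text",
    ("unauthorized_viewer", 3): "omit_window", ("unauthorized_viewer", 2): "blur_window",
}

def match(window, policy=POLICY):
    """Block 606: most sensitive rule that defines this window, or None."""
    hits = [r for r in policy
            if (r.app and r.app == window.app)
            or (r.pattern and re.search(r.pattern, window.text))]
    return max(hits, key=lambda r: r.sensitivity, default=None)

def render(windows, event, policy=POLICY, actions=ACTIONS):
    """Blocks 608-610: what is displayed or transmitted once `event` is detected."""
    out = []
    for w in windows:
        rule = match(w, policy)
        action = actions.get((event, rule.sensitivity)) if rule and event else None
        if action is None:
            out.append(w)  # not protected, no event, or no action configured
        elif action == "mask_text" and rule.pattern:
            out.append(Window(w.app, re.sub(rule.pattern, "XXX-XX-XXXX", w.text)))
        elif action == "blur_window":
            out.append(Window(w.app, "[blurred]"))
        # "omit_window", or a mask with nothing to mask: the GUI is not emitted
    return out

DESKTOP = [Window("payroll", "Salary table"),  # constructed sample desktop
           Window("mail", "SSN 123-45-6789 attached"),
           Window("browser", "news")]
```

With no event detected, `render(DESKTOP, None)` returns the desktop unchanged. A matched rule that has no entry in the action table is also shown as-is, so a real policy would need an explicit default action for that case.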
Although illustrative embodiments have been shown and described, a wide range of modification, change and substitution is contemplated in the foregoing disclosure and in some instances, some features of the embodiments may be employed without a corresponding use of other features. Accordingly, it is appropriate that the appended claims be construed broadly and in a manner consistent with the scope of the embodiments disclosed herein.
Claims
1. A display information security system, comprising:
- a server device that stores a plurality of display information protection policies; and
- a computing device that is coupled to the server device, wherein the computing device is configured to:
  - receive, from the server device, a first display information protection policy included in the plurality of display information protection policies;
  - store the first display information protection policy;
  - provide a plurality of information for display on a display screen provided by the computing device;
  - determine that a first subset of the plurality of information that has been provided for display on the display screen provided by the computing device is defined by the first display information protection policy;
  - detect a display information protection event, wherein the detecting the display information protection event includes determining that an instruction has been received to share the display screen provided by the computing device through a network; and
  - obfuscate, in response to determining that the first subset of a plurality of information is defined by the first display information protection policy and detecting the display information protection event that includes the instruction to share the display screen provided by the computing device through the network, the first subset of the plurality of information as part of the sharing of the display screen provided by the computing device through the network, while providing a second subset of the plurality of information for display as part of the sharing of the display screen provided by the computing device through the network.
2. The display information security system of claim 1, wherein the obfuscating the first subset of the plurality of information as part of the sharing of the display screen provided by the computing device through the network includes not transmitting the first subset of the plurality of information as part of the sharing of the display screen provided by the computing device through the network.
3. The display information security system of claim 1, wherein the computing device includes a first application that provides the first subset of the plurality of information for display on the display screen provided by the computing device, and wherein the computing device includes a second application that provides the second subset of the plurality of information for display on the display screen provided by the computing device.
4. The display information security system of claim 3, wherein the obfuscating the first subset of the plurality of information as part of the sharing of the display screen provided by the computing device through the network includes not transmitting a first Graphical User Interface (GUI) associated with the first application as part of the sharing of the display screen provided by the computing device through the network.
5. The display information security system of claim 4, wherein the providing the second subset of the plurality of information for display as part of the sharing of the display screen provided by the computing device through the network includes transmitting a second GUI associated with the second application for display as part of the sharing of the display screen provided by the computing device through the network.
6. The display information security system of claim 1, further comprising:
- a secure storage system that is included in the computing device and that stores the first display information protection policy, wherein the computing device is configured to authenticate to the secure storage system to retrieve the first display information protection policy.
7. An information handling system (IHS), comprising:
- a processing system; and
- a memory system that is coupled to the processing system and that includes instructions that, when executed by the processing system, cause the processing system to provide a display information protection engine that is configured to:
  - provide a plurality of information for display on a display screen;
  - determine that a first subset of the plurality of information that has been provided for display on the display screen is defined by a display information protection policy;
  - detect a display information protection event, wherein the detecting the display information protection event includes determining that an instruction has been received to share the display screen through a network; and
  - obfuscate, in response to determining that the first subset of a plurality of information is defined by the display information protection policy and detecting the display information protection event that includes the instruction to share the display screen through the network, the first subset of the plurality of information as part of the sharing of the display screen through the network, while providing a second subset of the plurality of information for display as part of the sharing of the display screen through the network.
8. The IHS of claim 7, wherein the obfuscating the first subset of the plurality of information as part of the sharing of the display screen through the network includes not transmitting the first subset of the plurality of information as part of the sharing of the display screen through the network.
9. The IHS of claim 7, wherein a first application provides the first subset of the plurality of information for display on the display screen, and wherein a second application provides the second subset of the plurality of information for display on the display screen.
10. The IHS of claim 9, wherein the obfuscating the first subset of the plurality of information as part of the sharing of the display screen through the network includes not transmitting a first Graphical User Interface (GUI) associated with the first application as part of the sharing of the display screen through the network.
11. The IHS of claim 10, wherein the providing the second subset of the plurality of information for display as part of the sharing of the display screen through the network includes transmitting a second GUI associated with the second application for display as part of the sharing of the display screen through the network.
12. The IHS of claim 7, wherein the display information protection engine is configured to:
- receive the display information protection policy from a management server; and
- store the display information protection policy in a database provided by a storage system.
13. The IHS of claim 12, wherein the display information protection engine is configured to:
- authenticate to the storage system to retrieve the display information protection policy.
14. A method for providing event-based display information protection, comprising:
- providing, by a computing device, a plurality of information for display on a display screen;
- determining, by the computing device, that a first subset of the plurality of information that has been provided for display on the display screen is defined by a display information protection policy;
- detecting, by the computing device, a display information protection event, wherein the detecting the display information protection event includes determining that an instruction has been received to share the display screen through a network; and
- obfuscating, by the computing device in response to determining that the first subset of a plurality of information is defined by the display information protection policy and detecting the display information protection event that includes the instruction to share the display screen through the network, the first subset of the plurality of information as part of the sharing of the display screen through the network, while providing a second subset of the plurality of information for display as part of the sharing of the display screen through the network.
15. The method of claim 14, wherein the obfuscating the first subset of the plurality of information as part of the sharing of the display screen through the network includes not transmitting the first subset of the plurality of information as part of the sharing of the display screen through the network.
16. The method of claim 14, wherein a first application provides the first subset of the plurality of information for display on the display screen, and wherein a second application provides the second subset of the plurality of information for display on the display screen.
17. The method of claim 16, wherein the obfuscating the first subset of the plurality of information as part of the sharing of the display screen through the network includes not transmitting a first Graphical User Interface (GUI) associated with the first application as part of the sharing of the display screen through the network.
18. The method of claim 17, wherein the providing the second subset of the plurality of information for display as part of the sharing of the display screen through the network includes transmitting a second GUI associated with the second application for display as part of the sharing of the display screen through the network.
19. The method of claim 14, further comprising:
- receiving, by the computing device, the display information protection policy from a management server; and
- storing, by the computing device, the display information protection policy in a database provided by a storage system.
20. The method of claim 19, further comprising:
- authenticating, by the computing device, to the storage system to retrieve the display information protection policy.
Type: Application
Filed: Feb 21, 2020
Publication Date: Jun 18, 2020
Inventors: Daniel L. Hamlin (Round Rock, TX), Charles D. Robison, JR. (Buford, GA)
Application Number: 16/797,916