The present invention relates to security systems for computer-related applications generally, and more particularly to methods for isolating data in data processing applications.
An ever-present issue associated with computers and computer-related applications is the security of data stored within the computers. Typically, electronic data is magnetically stored in specific physical locations within the computers. Examples of such physical locations include hard drives or hard disks, random access memory (RAM), and read-only memory (ROM). Electronic data may also be stored on portable devices such as floppy disks, recordable tapes, and compact digital disks. Such data may also be stored on a central database, which database is housed in a physically distinct structure and connected to a plurality of remote computers via electrical transmission means. The data in the central databases may then be remotely accessed and manipulated by a remote computer user at any time. Once the user is finished with the data, it can be re-saved to the database or deleted altogether.
Each category of data storage locations has particular characteristics which, in sum, provide a full spectrum of storage capabilities. Hard drives or hard disks are usually utilized to hold data that is intended to be kept in the computer on a quasi-permanent basis. As such, data in respective hard disks is maintained until specifically deleted, whether the respective computer is powered on or not.
A common modality for computer systems used in a variety of applications is the utilization of one or more hard disks. Such hard disks may be used to store a variety of information, such as operating system software, application software, drivers for various peripheral attachments, and data used by the various application program software. Operation system software typically resides on the xe2x80x9cbootxe2x80x9d hard disk. In the present systems, there is generally only one hard disk that may be designated as the xe2x80x9cbootxe2x80x9d hard disk. Such operating system software typically controls all computer functions, and it is usually the software through which all application software is executed.
Other hard disks connected to a respective computer are generally designated by the operating system software as data disks. If these additional hard disks also contain operating system software, such hard disks may only be utilized as the xe2x80x9cbootxe2x80x9d disk if the xe2x80x9cbootxe2x80x9d designation is reassigned and the operating system software has been booted up for use.
Random access memory is typically used as a temporary holding location for data viewed by the computer user. Information in the RAM is usually erased each time the respective computer is turned off. Internal computer instructions driving systems such as the boot up sequence, saving sequence, etc. are normally stored in the read only memory. Information in the ROM may be accessed by a computer user, but may not usually be manipulated.
In most applications, the most preferred mode of data storage maintains the information for as long as the computer operator desires. Accordingly, hard disks and central data repositories have become critically important in the field of data storage and management.
In many applications today, computers containing stored data are operably coupled to external communication means for communicating over a global computer network such as the internet. Such communication means may include telephone lines, digital service lines (DSL), dedicated digital fiber optic lines, cable and satellite links. When the communication means are active, information may be transferred between remote computers and central data repositories. Information received by such remote computers may be viewed temporarily, or may be stored in particular memory devices in the computers. As stated above, hard disks within the computers are typically utilized in situations where relatively long-term data storage is desired. Data imported from external databases is therefore regularly stored in hard disks, in which locally generated data is also held. Such imported and local data are generally commingled in the hard disk, wherein no physical separation exists between the two types of data. The same scenario is true in a central database, in that data from various sources is stored in common memory structures.
With the advent of computer networks allowing multiple computers to simultaneously communicate and receive information from one another, data security has become an increasingly important issue. Remote computers connected to such networks routinely store, or xe2x80x9cdownloadxe2x80x9d, data received through network communication channels. Such data may sometimes contain rogue computer instructions, often referred to as xe2x80x9cvirusesxe2x80x9d. The imported viruses are unwittingly stored to hard disks and databases along with the remainder of the imported data. Once the viruses are in the storage structures, the coded set of instructions defining the viruses automatically initiate, thereby causing the computer to carry out the instructions. These instructions may be relatively harmless, or may be totally destructive to key portions of the host computer. Often times, such viruses act to destroy other stored data in the memory structure at issue.
Computers connected to networks may also be susceptible to unauthorized users accessing stored information. In some cases, unauthorized users may be able to gain access to particular computers via respective network connections and subsequently take control of such computers. Once access to the computers has been achieved, the unauthorized user can remotely access software and data stored in those computers, and can read, write or erase any or all associated data or application software, thereby compromising the security of such computers.
Various systems have been implemented to counteract such security breaches, but have been met with only limited success. Anti-virus software has been developed to detect particular series of instructions that may constitute a virus. Such software scans data before the data is stored to find any suspicious instructions. If these instructions are detected, the virus software may automatically delete them, or may alert a system manager to the potential problem.
Most anti-virus programs in use today, however, can only efficiently detect known viruses or known virus instruction patterns. Thus, newly developed viruses having unique instruction patterns may not be detected by the anti-virus software programs. In addition, anti-virus programs may be circumvented by being attached to documents or other data groups which are not scanned by the anti-virus procedure. Such anti-virus software programs, therefore, do not typically form a complete barrier to the incursion of virus programs in sensitive computer memory structures.
Network security software has also been developed to provide security measures protecting particular computer network connections. Such software may provide, for example, encryption techniques, password-enabled security gates, and other tools for identifying the user requesting access to a particular network connection. To access a protected computer, a user typically needs to provide certain information given only to authorized users of the computer.
Some users, however, who do not have such information may still be able to access the protected computer by utilizing techniques to discover the information and subsequently use it to access the computer, or by utilizing techniques that allow the unauthorized user to circumvent or disable the security software. Once past the gate defined by the security software, the unauthorized user can access data stored on the computer, thus compromising the privacy of such data. The essence of the present invention is to make such access virtually impossible.
As discussed above, existing methods for protecting and securing electronic data stored on computers connected to a network of computers are inadequate for securing such data. One solution to this problem is to have multiple computers designated for particular applications. For example, one computer could be designated as a WWW/internet computer, while a different computer could be designated as a non-WWW/internet computer and would never be connected to the WWW/internet. In this manner, only the WWW/internet computer would be exposed to viruses and invasion by unauthorized users. Thus, the non-WWW/internet computer could safely store private and sensitive information without risk from problems transportable via the computer WWW network.
Such a multiple computer solution, however, is undesirable, in that multiple computers are needed to perform tasks that a single computer can do. In addition, data stored in one computer would not be easily transferable to another without compromising the security of the non-network computer.
A method of protecting data stored on a computer connected to a network of computers is therefore needed in the art. Such data may be stored on an individual computer, or may be stored in a central database which is accessible by a plurality of local and remote computers.
In the past, computer hardware has generally been expensive, so solutions calling for additional hardware elements have not been preferred. Now, however, computer hardware has become relatively inexpensive, thus allowing an increase in hardware-based solutions. Therefore, a hardware-based solution to the above stated problems is both needed and desired.
It is therefore a principle object of the present invention to provide a method for securing data stored in a device that is connected to a network of computers.
It is another object of the present invention to provide a method for allowing one computer to have the discrete function of multiple computers.
It is a further object of the present invention to provide a means for dynamically switching activation status among multiple data storage structures and their individual disk operating systems within an individual computer.
It is yet a further object of the present invention to provide a means for dynamically switching activation status among multiple hard disks within an individual computer.
It is a still further object of the present invention to provide a means for disabling non-activated data storage structures so that such non-activated storage structures are not connected to a specific logical computer network.
It is a yet further object of the present invention to provide a means for allowing connection of one or more of multiple data storage structures to a computer network while preventing network connection to the remaining data storage structures.
It is yet another object of the present invention to provide a means for connecting and disconnecting communication channels between multiple data storage structures.
It is a still further object of the present invention to provide multiple data storage structures having varying levels of security within a particular computer.
It is a still further object of the present invention to provide two or more complete working computer systems from a standard PC. The PC""s components along with additional hard drives are connected to the Master Control Board (MVB) and the MCB logically configures these hard drives and peripheral Internet connections so that two or more unique computer systems can be used sequentially but not simultaneously.
By means of the present invention, a system for dynamically controlling the activation status of multiple data storage structures within a single computer is provided. A preferred embodiment of the invention includes means for selectively automatically toggling between active data storage structures and inactive data storage structures.
By having both active and inactive data storage structures in a single computer, the above-identified objects are met. In some embodiments, less than all of the data storage structures are active and connected to an external computer network at any one time. Thus, data or communication being received through such a network is not directed into the deactivated storage structures, thereby securing the deactivated structures from unwanted data and communication.
In addition, the dynamic switching means allows a single computer to utilize multiple data storage structures as unique computers having distinct connections and entry authorization. The dynamic switching means further has the novel capability of activating inactive storage structures and deactivating active storage structures with only an electronic impulse initiated by the user from a remote pointer device. Furthermore, the dynamic switching means can accomplish the activation/deactivation switch without having to re-boot or re-power the computer.
An additional aspect of the present invention provides a means for developing a computer system having multiple data storage structures with varying levels of security. The dynamic switching means may be programmed to activate only the data storage structures to which a particular user has authorization. Furthermore, a system having multiple users may be programmed to allow only those users with authorization to activate restricted data control structures.