Techniques for permitting secure access to computing resources have limits. For example, when users seek access to secured computers, or secure applications or data accessible via a computing resource, the users may be prompted for authentication, authorization, or some other type of verification before access is permitted. While these techniques are designed to verify access to secure computing resources at the beginning of a session, they are powerless to detect improper access or wrongful activity during a session, much less control such behavior.
Improper access to an otherwise authorized computing session may occur in numerous ways. For example, after a user logs in to their computer in their office, they may leave the office for a period of time before returning. If the computing session is open while the user leaves, it is vulnerable to a malicious individual improperly using the session while the user is gone. As another illustration, while a user is accessing a secure application or data in a public area, such as a coffee shop or airport, they may temporarily step away from their computer to use the restroom, pay a cashier, or talk with another person. In that situation, a malicious individual may potentially view or utilize the secure application or data. A further situation may involve a user's computer being stolen while logged into a secure session. The thief may potentially be able to use the secure session while the session is ongoing. Ultimately, in these scenarios and many others, sensitive or privileged access to computing resources may be limited initially, but not while a session is ongoing.
One attempt to address these problems may include installing a dedicated software agent on the user's computer. According to such a technique, the dedicated agent may detect when the user is no longer physically present, or may detect a period of inactivity, and may consequently lock the computer screen. One significant technical deficiency in this approach is that it requires the user to download and use the dedicated software agent. Because the dedicated agent is separate from the software that the user is actually using and that is to be secured, issues of compatibility and integration may exist. Further, this type of technique is significantly limited in its capabilities. It simply detects inactivity over time, but not other forms of insecure actions, behavior, or situations. For example, this technique generally cannot detect when a malicious user begins to access a computing device soon after the authorized user has left it. Because no period of inactivity exceeding the threshold amount of time would be observed, this technique would detect no threat or vulnerability. Thus, even if the user's computer is stolen and used by a malicious individual while the session remains active, this type of technique would detect no problem.
Another attempted approach may involve monitoring actual network traffic exchanged between an endpoint computing device and a remote computer or application. While this technique may allow for continuous evaluation of a user's session, it is high-overhead in terms of bandwidth, latency, processing, and storage. These problems are exacerbated when implementations scale up to involve many users or machines being monitored. Further, this approach gives rise to serious privacy concerns, both for end users and for the computers or applications they are communicating with. These privacy problems, together with the inefficiencies of this approach, make it unsuitable in most if not all implementations.
Accordingly, in view of these and other deficiencies in existing techniques for controlling access to secure network resources, technological solutions are needed for automatically and transparently detecting potential compromises or unauthorized use of endpoint computing devices or sensitive data. Solutions should advantageously be agentless and transparent from the perspective of an endpoint computing device and the user who uses the endpoint computing device. That is, no dedicated software agent should be required to be installed on the endpoint machine. While the user's session with the endpoint machine is ongoing, the techniques for detecting potential compromises or unauthorized use should in some embodiments be hidden or transparent to the user. The technical effectiveness of such solutions would also be improved by allowing various types of compromises or unauthorized use to be detected. Further, additional technical improvements would result from allowing multiple different types of control actions to be implemented (e.g., terminating a session, freezing a session, requiring re-authentication, generating an alert, recording a session, making a session read-only, etc.) when compromises or unauthorized use are detected. Additional technical advantages may arise from embodiments where the control or management session running on the endpoint device integrates code (e.g., Java™, HTML, Python, etc.) into the user's session (e.g., into the HTML-based, Java™-based, or other type of web-based document). In this manner, the code may instruct the user's session to perform one or more of the above control actions when the control or management session is lost. Thus, even if a malicious user unplugs the network connection (e.g., CAT-5, etc.) to the endpoint device or disables its wireless adapter card, a control action may still be implemented in that situation. Namely, the inserted code may instruct the endpoint computing device to perform the control action, even after a network connection is lost. These and other technological improvements over current secure access techniques are discussed below.
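As an added illustration (not part of the original disclosure or any implementation of it), the following JavaScript shows one way code injected into a web-based user session could behave as described above: it counts failed heartbeats to a control endpoint and, once the control session is deemed lost, applies a read-only control action locally, so the action happens even after the network is unplugged. The endpoint URL, the miss threshold and the function names are assumptions for this example; it goes slightly beyond the text by showing the miss-counting and latching logic.

```javascript
// Added example, not from the patent: a watchdog the control session could
// inject into a web-based user session. After maxMisses consecutive failed
// heartbeats (e.g. cable unplugged) it runs the control action locally.
function createSessionWatchdog({ maxMisses = 3, onLost }) {
  let misses = 0, lost = false;
  return {
    // Report one heartbeat outcome; returns 'ok', 'degraded' or 'lost'.
    record(heartbeatOk) {
      if (lost) return 'lost';                    // latched: act only once
      if (heartbeatOk) { misses = 0; return 'ok'; }
      misses += 1;
      if (misses < maxMisses) return 'degraded';
      lost = true;
      onLost();
      return 'lost';
    },
    get lost() { return lost; },
  };
}
// Control action "make session read-only": disable every editable element.
// `doc` is anything exposing querySelectorAll; returns the number locked.
function makeSessionReadOnly(doc) {
  let count = 0;
  for (const el of doc.querySelectorAll('input, textarea, select, button, [contenteditable]')) {
    el.disabled = true;
    el.setAttribute('readonly', '');
    el.setAttribute('contenteditable', 'false');
    count += 1;
  }
  return count;
}
// One heartbeat to the management endpoint (URL is an assumed placeholder);
// a network error, a timeout or a non-2xx status all count as a miss.
async function heartbeatOnce(url, timeoutMs = 2000) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    const res = await fetch(url, { cache: 'no-store', credentials: 'include', signal: ctrl.signal });
    return res.ok;
  } catch (e) { return false; }
  finally { clearTimeout(timer); }
}
// Browser wiring: poll every 5 s and lock the page once control is lost.
function startWatchdog(url, doc, intervalMs = 5000) {
  const wd = createSessionWatchdog({ onLost: () => makeSessionReadOnly(doc) });
  return setInterval(async () => wd.record(await heartbeatOnce(url)), intervalMs);
}
```

In a browser, `startWatchdog('/control/heartbeat', document)` would run the loop; the other control actions listed in the text (freezing, forcing re-authentication, alerting) would be swapped in as the `onLost` callback.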