The present invention relates to the field of private network security and, more particularly, to protecting private networks from leakage or extraction of information or insertion of unapproved material both when the clients are connected to the private network and when they are not connected (i.e., working online or offline).
Commercial corporations, enterprises, organizations, such as government bodies, health care providers, military organizations, financial institutes, etc., face several computer security concerns. One of these concerns is the leakage of information from their internal computer network to the outside world. The threat of information leakage may come from outsiders attempting to hack into the organization's computer system as well as from disloyal, disgruntled or simply careless employees working inside the organization.
Internal employees, utilizing the permissions that have been granted to them, may gain access to the enterprise's information stored on the organization's computer system, download the information to their client computer and then transfer the information to an external storage device. The external storage device may be a removable storage device (e.g., flash memory, such as but not limited to, the DISKONKEY provided by M-SYSTEMS, or other removable hard disk drives), a removable storage medium (e.g., floppy disk, writable CD-ROM or external hard drive), an internal hard drive (e.g., IDE hard drive or SCSI hard drive), a PDA with storage, a digital camera with storage, etc.
One common approach to dealing with this type of security threat is to prevent access to all external storage devices from the computer system. This can be accomplished by blocking all the ports on which such external storage devices can appear, or by blocking the mount operation of a storage device. However, such drastic approaches adversely affect the productivity of the computer system users in that they prevent the employees from using any removable media at all.
Therefore, there is a need in the art for a new method that can limit the ability of an employee to copy confidential information to an external device by providing a technique for selectively choosing the storage devices that can be used in the corporation's computing devices. This method can be accomplished by applying general rules based on the various parameters of the device, such as but not limited to the bus type of the device (e.g., SCSI, USB, IDE, Firewire, etc.), the disk or memory size, the vendor providing the device, the geometry, as well as other parameters. One approach dealt with in the current invention is identifying a unique device and letting it connect to the corporation's computing devices based on a digital certificate that was issued to, and stored on, that unique storage device.
Once a unique storage device is securely identified, it can then be controlled according to a given policy. The policy may be selected according to parameters gathered from the storage device and can be enforced operationally by setting up procedural rules for employees, may be computer enforced, or may be a combination of both. Exemplary embodiments of the present invention may be used on a storage device that is given to personnel in the Public Relations (PR) department of an organization. The PR personnel may be allowed to use the storage device only within that department. An employee from a different department should not be able to see the content of this device nor to change it.
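The following is an added illustration of the two mechanisms described above (general rules keyed on device parameters, and per-device grants verified from a certificate stored on the device) and is not code from the patent or from any product it refers to. Every vendor name, serial number, department, key and rule in it is constructed for the example. For self-containment the "digital certificate" is modelled as a keyed HMAC-SHA256 tag over a payload bound to the device's vendor and serial; a real deployment would use a signature under an issuer's private key verified with a certificate, but the policy logic around it is the same.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed issuer key: stands in for the organization's certificate issuer.
ISSUER_KEY = b"constructed-issuer-key-not-for-production"


@dataclass(frozen=True)
class DeviceInfo:
    """Parameters an endpoint agent would read from the OS for a storage device."""
    bus: str                           # e.g. "USB", "SCSI", "IDE", "FIREWIRE"
    vendor: str
    serial: str
    size_mb: int
    cert_blob: Optional[bytes] = None  # certificate read from the device, if any


@dataclass(frozen=True)
class Rule:
    """A general rule keyed on device parameters; a None field means 'any'."""
    name: str
    decision: str                      # "allow", "read-only" or "deny"
    bus: Optional[str] = None
    vendor: Optional[str] = None
    max_size_mb: Optional[int] = None

    def matches(self, dev: DeviceInfo) -> bool:
        if self.bus is not None and dev.bus.upper() != self.bus.upper():
            return False
        if self.vendor is not None and dev.vendor.lower() != self.vendor.lower():
            return False
        if self.max_size_mb is not None and dev.size_mb > self.max_size_mb:
            return False
        return True


def issue_certificate(key: bytes, vendor: str, serial: str,
                      department: str, access: str) -> bytes:
    """Build the blob written to a device when it is provisioned.

    The payload binds the grant to the device's vendor and serial, so copying
    the blob onto another device does not carry the grant with it.
    """
    payload = json.dumps(
        {"vendor": vendor, "serial": serial, "department": department, "access": access},
        sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def verify_certificate(key: bytes, dev: DeviceInfo) -> Optional[dict]:
    """Return the certificate payload if it is authentic and bound to this device."""
    if not dev.cert_blob or b"." not in dev.cert_blob:
        return None
    payload, _, tag = dev.cert_blob.rpartition(b".")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None                    # tampered payload or forged tag
    try:
        info = json.loads(payload)
    except ValueError:
        return None
    if info.get("vendor") != dev.vendor or info.get("serial") != dev.serial:
        return None                    # certificate cloned from a different device
    return info


def decide(dev: DeviceInfo, rules: list, client_department: str,
           key: bytes = ISSUER_KEY) -> str:
    """Decide 'allow', 'read-only' or 'deny' for a device on a given client."""
    cert = verify_certificate(key, dev)
    if cert is not None:
        # A certified device is scoped to its department; others get nothing.
        return cert["access"] if cert["department"] == client_department else "deny"
    for rule in rules:                 # first matching general rule wins
        if rule.matches(dev):
            return rule.decision
    return "deny"                      # default-deny for anything uncovered


# Constructed policy: internal disks allowed, small drives from one approved
# vendor read-only, everything else denied unless certified.
RULES = [
    Rule("internal IDE disks", "allow", bus="IDE"),
    Rule("internal SCSI disks", "allow", bus="SCSI"),
    Rule("approved small USB", "read-only", bus="USB", vendor="Acme", max_size_mb=2048),
]

# Constructed device provisioned for the PR department.
PR_DEVICE = DeviceInfo("USB", "Acme", "SN-PR-0001", 1024,
                       issue_certificate(ISSUER_KEY, "Acme", "SN-PR-0001", "PR", "allow"))

if __name__ == "__main__":
    for client in ("PR", "Finance"):
        print(client, "client, PR device:", decide(PR_DEVICE, RULES, client))
```

Two points the example makes that the prose leaves implicit: the certificate must be bound to the device's own identifying parameters, otherwise an employee can copy the blob onto any drive; and a device whose certificate fails verification is not rejected outright but falls through to the general rules, so the default rule set must itself be deny-by-default.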