A majority of today's businesses utilize some form of computer network These businesses can range from large Fortune 500 organizations, such as Wal-Mart, IBM and Hewlett-Packard, each operating in thousands of locations globally with a combined total of 2.3 million employees, to small family owned businesses with a couple of employees. As such their computer networks may range in scale from hundreds of thousands of electronic devices including for example laptops, personal computers, Personal Digital Assistants (PDAs), Internet enabled cellular telephones, etc. distributed globally, to a couple of devices operated within a restricted geographic area.
However, in each instance these electronic devices are critical elements in the commercial success and viability of each business and enterprise. The necessity of these devices, combined with the ability to employ these electronic devices wirelessly, and increasingly in more remote areas, has resulted in substantial growth in the human resources required to manage these computer networks. Equally, in many instances the requisite knowledge and skills to support the computer network equipment have become resident within a limited number of individuals, such as within Information Systems (IS) departments. Further, IS departments have often been outsourced; or are severely limited or even absent in small businesses. Meanwhile, technological advances in wireless networking, high speed Internet services, the widespread deployment of wireless routers, peer-to-peer applications, and even ad-hoc networking are acting to facilitate the establishment of dynamic local networks as well as to facilitate the provisioning of entire organizational networks without substantial physical infrastructure.
As a result, organizations are increasingly focused on security technologies and security applications to ensure that their critical electronic infrastructure operates and that critical business data is secure. Typically these security technologies and applications are categorized based on the different parts of the problem they solve, including: encryption, digital certificates, firewalls, anti-virus, biometrics, identity management, and intrusion detection and management. At their core these each provide part of the solution to either one of the two major security problems organizations face: loss of computing infrastructure due to denial of service and other types of damaging attacks, and publication or misuse of sensitive corporate information due to unauthorized users gaining access to that information. However, these types of systems are inherently weak when dealing with internally generated trusted user threats—threats that are created by trusted users in conjunction with other “semi-trusted” users that may be inside or outside the enterprise. Additionally, these systems do not address the fundamental management, updating and establishment of security rights and privileges to the trusted users within the current network environment, where the older established server—client architectures no longer exist in the majority of cases.
An annual survey conducted by CIO Magazine has consistently shown that more than two thirds of a company's critical data is stored on trusted users' PCs and laptops and less than one third is controlled through a server. Management of security, applications, and user rights on remote computers poses several problems. Historically, providing, amending, removing or otherwise interfacing to security software application(s) on a user's electronic device required a system administrator or other person responsible for administering network applications to either physically go to the user's electronic device or have the user visit with the electronic device to load, configure or unload either server software or security software. Such administrator access was necessary due to the provisioning of an administrator password that allowed the necessary changes to the security application(s). In order to address the need for the administrator to be present, several solutions were developed. In a first solution, the administrator travels to each office to initiate changes in security processes. In another solution, a series of administrators has access to the passwords and to the data resulting in less security since the secret data is known by more people.
Clearly, for these two solutions, the requirement for an administrator presence causes logistical issues such that amendments to security practices, protocols, encryption, passwords, etc often occurred over an extended period of time, if they are completed at all. This is in contrast to the optimal situation wherein security changes are provisioned near instantaneously to all electronic devices associated with the organization, in order to react to external and internal threats and events.
As a result of the above, in recent years security solutions have tended to diverge such that either the sensitive information is secured as a discrete entity or administrators are empowered to access the electronic devices remotely. In the former approach of securing the discrete entity the predominant approaches include passwords, watermarks, and digital signatures, such as provided for example by Microsoft® Office or Portable Document Format (PDF) by Adobe Systems®, or providing secure wrappers which include security authorizations and access protocols. See for example Duncan et al. in US Patent Application 2005/0114672 “Data Rights Management of Digital Information in a Portable Software Permission Wrapper”.
In the second scenario with network administrators exploiting new network management hardware and software to provide remote access to a networked computer, administrators are often tasked with performing such duties at times when the trusted user will not be negatively impacted (for example at night). Such an approach is outlined by Angelo in U.S. Pat. No. 5,949,882 “Method and Apparatus for Allowing Access to Secured Computer Resources by Utilizing a Password and an External Encryption Algorithm”. In some instances, national directives conflict with the network administrators' intentions, such as for example the US Environmental Protection Agency (EPA), where the Energy Star Program has been very successful in reducing computer power consumption via the creation of so-called “green” computers. The term “green computer” typically refers to a computer that enters low-power mode following a specified period of inactivity. The proliferation of green computers in networks, while laudable, can interfere with a network administrators duties since a computer in sleep mode (or another low power state) often cannot be accessed from the network. As such, techniques to remotely power on “sleeping” electronic devices have become available through commercial activities such as MAGIC PACKET™, led by Advanced Micro Devices® and Hewlett Packard®. Equally, others have addressed remotely powering down electronic devices, such as for example Angelo et al. in U.S. Pat. No. 6,119,228 “Method for Securely Communicating Remote Control Commands in a Computer Network”, to prevent unauthorized access.
However, in establishing their administrator access Tights to the electronic device whilst the trusted user is probably not present, the network administrator may inadvertently provide access to an untrusted user who can access and utilize the electronic device whilst the administrator's rights are established. The untrusted user may be physically present or be represented by malware established on the trusted user's electronic device, awaiting such admninistrator access prior to activating. Such malware could for example then take control of the electronic device by resetting passwords, security rights etc, and communicating sensitive data or security information to another party. Equally, the trusted user may themselves exploit the temporary access to copy, move, delete or modify information that would otherwise be protected or invisible to them. Further, the techniques of Angelo (U.S. Pat. No. 5,949,882) and Angelo et al. (U.S. Pat. No. 6,119,228) exploit encryption/decryption according to normal practices such as the network administrator's public key. In this scenario a “hacker” benefits significantly from expending the effort to crack the encryption as doing so provides them with access to potentially thousands of devices and substantial amounts of sensitive corporate and personal information, unlike an attack on a single discrete user or user's electronic device.
Accordingly, it would be beneficial to provide a method for allowing a network administrator or authorized user to simply augment or modify the security aspects of an electronic device irrespective of location and current user activities without suffering at least some of the above noted disadvantages.