Title:
NETWORK BASED ENCRYPTION
Document Type and Number:
WIPO Patent Application WO/2016/173750
Kind Code:
A1
Abstract:
An example disclosed herein involves receiving (410), via a network, a request to initiate a data session between a client and a server; analyzing (420) characteristics of the network; and selecting (430) an encryption technology for the data session based on the characteristics of the network.

Inventors:
GUPTA SAURABH (IN)
BABU REUTI RAMAN (IN)
Application Number:
PCT/EP2016/054869
Publication Date:
November 03, 2016
Filing Date:
March 08, 2016
Assignee:
LONGSAND LTD (GB)
International Classes:
H04L29/06; G06F21/60; H04L9/12
Foreign References:
US20130339724A1 (2013-12-19)
US7591020B2 (2009-09-15)
US7444506B1 (2008-10-28)
Other References:
None
Attorney, Agent or Firm:
EIP (15 Fulwood Place, London WC1V 6HU, GB)
Claims:
CLAIMS

What is claimed is:

1. A method comprising:

receiving, via a network, a request to initiate a data session between a client and a server;

analyzing characteristics of the network; and

selecting an encryption technology for the data session based on the characteristics of the network.

2. The method of claim 1, further comprising: communicating the encryption technology to the client and the server.

3. The method of claim 1, further comprising: initiating the data session between the client and the server.

4. The method of claim 1, further comprising:

determining that the network is a secure network based on the characteristics of the network; and

selecting a first encryption technology that uses a low level of encryption as the encryption technology for the data session.

5. The method of claim 4, further comprising:

determining that the network is at least one of a managed private network, a network behind a firewall, a network utilizing Secure Sockets Layer (SSL) communication, or a network utilizing Transport Layer Security (TLS) communication.

6. The method of claim 1, further comprising:

determining that the network is an insecure network based on the characteristics; and

selecting a second encryption technology that uses a high level of encryption as the encryption technology.

7. The method of claim 6, further comprising:

determining that the network is a public network.

8. An apparatus comprising:

a session manager to receive, via a network, a request from a client to initiate a data session between the client and a server;

a network analyzer to determine a level of security of the network;

an encryption selector to select an encryption technology for the data session based on the level of security of the network.

9. The apparatus of claim 8, wherein the network analyzer is to determine the level of security of the network based on whether the network is a secure network or an unsecured network.

10. The apparatus of claim 8, wherein the session manager is further to: communicate the encryption technology to the client and the server; and initiate the data session.

11. A non-transitory machine readable medium comprising instructions that, when executed, cause a machine to at least:

determine a level of security of the network in response to receiving a request, via the network, to establish a data session between a client and a server; and

select an encryption technology for use by the client and the server in the data session based on the level of security of the network.

12. The non-transitory machine readable medium of claim 11, wherein the instructions, when executed, further cause the machine to:

establish the data session between the client and the server.

13. The non-transitory machine readable medium of claim 11, wherein the instructions, when executed, further cause the machine to:

communicate the encryption technology to the client and the server.

14. The non-transitory machine readable medium of claim 11, wherein the instructions, when executed, further cause the machine to:

select the encryption technology that comprises a high level of encryption when the level of security of the network indicates that the network is insecure.

15. The non-transitory machine readable medium of claim 11, wherein the instructions, when executed, further cause the machine to:

select the encryption technology that comprises a low level of encryption when the level of security of the network indicates that the network is secure.

Description:
NETWORK BASED ENCRYPTION

BACKGROUND

[0001] Clients utilize backup servers to securely store sensitive data (e.g., images, documents, videos, etc.). The client devices (e.g., personal computers, mobile devices, etc.) may access the backup servers using various communication networks, communication protocols, or communication devices. With the use of the Internet, cloud computing, etc., the client devices may access the backup servers regardless of the respective locations of the client devices and the backup servers.

BRIEF DESCRIPTION OF THE DRAWINGS

[0002] FIG. 1 is a schematic diagram of an example client/server system including an access manager that may be implemented in accordance with an aspect of this disclosure.

[0003] FIG. 2 is a block diagram of an example access manager that may be used to implement the access manager of FIG. 1.

[0004] FIG. 3 is a message diagram representative of communications in the client/server system of FIG. 1 .

[0005] FIG. 4 is a flowchart representative of example machine readable instructions that may be executed to implement the access manager of FIG. 2.

[0006] FIG. 5 is a block diagram of an example processor platform capable of executing the instructions of FIG. 4 to implement the access manager of FIG. 2.

[0007] Wherever possible, the same reference numbers will be used throughout the drawing(s) and accompanying written description to refer to the same or like parts.

DETAILED DESCRIPTION

[0008] Examples disclosed herein involve dynamically setting an encryption level for a data session between a client and a server based on characteristics of a network. In examples disclosed herein, an access manager may determine a security level of a network through which a client is attempting to access the server. The security level of the network may depend on whether the network is public or private, includes a firewall, includes a secure communication protocol, etc. Based on the security level of the network, the access manager selects an appropriate encryption technology for the data session to provide an efficient, secure data session between the client and server.

[0009] Encryption protects data exchanged between two devices, such as a client and a server (e.g., a backup server). Advanced encryption technologies, or encryption technologies that provide a high level of encryption, increase the security of data transmitted in a data session. However, advanced encryption (e.g., cascading encryption, multiple encryption, etc.) may limit the speed of the data session because of the processing time such encryption technologies require. Accordingly, in some instances, it may be beneficial to use a lower level of encryption for a data session when a secure communication link can be established for the data session. Examples disclosed herein provide an access manager that analyzes the network through which a client is seeking to access a server and determines an appropriate encryption technology for a data session between the client and the server based on the characteristics (e.g., level of security, geographic location, etc.) of the network (or a portion thereof).

[0010] Examples disclosed herein involve determining a level of security of the network in response to receiving a request, via the network, to establish a data session between a client and a server, and selecting an encryption technology for use by the client and the server in the data session based on the level of security of the network. An example method includes receiving a request to initiate a data session between a client and a server via a network, analyzing characteristics of the network, and selecting an encryption technology for the data session based on the characteristics of the network. An example apparatus includes a session manager to receive a request from a client to initiate a data session between the client and a server via a network, a network analyzer to determine a level of security of the network, and an encryption selector to select an encryption technology for the data session based on the level of security of the network.

[0011] FIG. 1 is a schematic diagram of an example client/server system 100 including an access manager 110 that may be implemented in accordance with an aspect of this disclosure. The example client/server system 100 includes the access manager 110, a client 120, a server 130, and a network 140. In the illustrated example of FIG. 1, the client 120 communicates with the access manager 110 and the server 130 via the network 140. In examples disclosed herein, the access manager 110 allows the client 120 to access the server 130 using an encryption technology selected based on the characteristics of the network 140.

[0012] The example client 120 of FIG. 1 may access the server 130 using any suitable communication techniques via the network 140. The client 120 may be a personal computer (e.g., a laptop computer, a desktop computer, etc.), a mobile device (e.g., a tablet, a smartphone, a cellular phone, etc.), or any other type of device. In examples disclosed herein, the client 120 may access the server 130 to back up data from the client 120 to the server 130 or to retrieve backed-up data from the server 130. Accordingly, in examples disclosed herein, when the client 120 requests to initiate or establish a data session with the server 130, the client 120 may be seeking to back up data to the server 130 or to retrieve backed-up data from the server 130.

[0013] The example server 130 of FIG. 1 may be any suitable type of server. In examples disclosed herein, the server 130 may be a backup server for storing backup data of the client 120. For example, the server 130 may periodically (or aperiodically) receive data (e.g., images, documents, videos, texts, messages, emails, etc.) locally stored on the client 120 in order to keep that data safe. In some examples, the server 130 may be a different type of server that provides a service (e.g., gaming, security, identity, etc.) to the client 120.

[0014] The example network 140 may be any type of network (e.g., the Internet, a local area network (LAN), a wide area network (WAN), a cellular network). Additionally, the network 140 may include a plurality of networks (e.g., a cellular network, the Internet, and a LAN). The example network 140 may include a public network, a private network, a virtual private network, a firewall, etc. In examples disclosed herein, the network 140 may employ any suitable communication protocol. For example, the network 140 may utilize secure communication protocols (e.g., Secure Sockets Layer (SSL) communication, Transport Layer Security (TLS) communication, etc.) or insecure communication protocols.

[0015] In examples disclosed herein, the access manager 110 analyzes the characteristics of the communication link between the client 120 and the server 130. For example, the access manager 110 may analyze characteristics of the network 140 to determine the type of encryption technology that is to be used for a data session between the client 120 and the server 130. Such characteristics may include whether the network 140 is a public network or a private network (e.g., a managed private network). Additionally or alternatively, the access manager 110 may identify whether the client 120 is attempting to access the server 130 via a secure communication link. For example, the access manager 110 may determine whether the client 120 is behind a firewall or whether the client 120 is communicating via the network 140 using SSL communication or TLS communication.

[0016] FIG. 2 is a block diagram of an example access manager 110 that may be used to implement the access manager 110 of FIG. 1. The example access manager 110 of FIG. 2 includes a session manager 210, a network analyzer 220, and an encryption selector 230. In the illustrated example of FIG. 2, a communication bus 240 facilitates communication between the session manager 210, the network analyzer 220, and the encryption selector 230. In examples disclosed herein, the session manager 210 facilitates establishing a connection between the client 120 and the server 130 via the network 140, and the network analyzer 220 and encryption selector 230 determine encryption settings for the data session.

[0017] The example session manager 210 of the access manager 110 of FIG. 2 facilitates communication with the client 120 and the server 130. In examples disclosed herein, the session manager 210 may receive/identify requests from the client 120 to initiate a data session (e.g., to send data or backup data from the client 120, to retrieve data from the server 130, etc.). The session manager 210 may communicate encryption settings to the client 120 and/or the server 130 for a data session to facilitate establishing the data session.

[0018] The network analyzer 220 of FIG. 2 analyzes characteristics of the network 140 to determine a level of security of the network. In examples disclosed herein, the network analyzer 220 may analyze network or communication information received in communications (e.g., requests, messages, etc.) from the client 120 and/or the server 130. For example, network information (e.g., address information, security information, communication protocol, network type (e.g., public or private), etc.) may be included in a request to access the server 130 (e.g., to initiate a data session). In some examples, the network analyzer 220 may analyze whether the network is a public network or a managed private network, whether the network includes a firewall, and whether the communication protocol used by the client is a secure communication protocol (e.g., SSL communication, TLS communication, etc.). The network analyzer 220 forwards the network characteristics to the encryption selector 230, which selects an encryption technology for a data session between the client 120 and the server 130 based on the characteristics of the network (or of the communication link between the client 120 and the server 130).

[0019] The encryption selector 230 of FIG. 2 selects an encryption technology for a data session between the client 120 and the server 130 of FIG. 1. Based on the characteristics of the network determined by the network analyzer 220, the encryption selector 230 selects an appropriate encryption technology for the data session. For example, if the network analyzer 220 determines that the characteristics of the network 140 indicate that the network 140 is secure (e.g., the network 140 is a managed private network, the network 140 includes a firewall, the network 140 utilizes a secure communication protocol, etc.), the encryption selector 230 may select a low level of encryption (e.g., bit-level encryption, such as 40-bit encryption, 128-bit encryption, etc.) for the data session because the data session may already be secured by the network 140. In such an example, the low level of encryption may allow for a quicker, more efficient data session because encrypting the data transmitted between the client 120 and the server 130 takes less time than it would with a high level of encryption. On the other hand, if the network analyzer 220 determines that the characteristics of the network indicate that the network 140 is insecure (e.g., the network 140 is a public network, the network 140 does not use a secure communication protocol, the network 140 (or a portion thereof) or the server 130 is physically located in a geographical location that is considered insecure, etc.), the encryption selector 230 may select a high level of encryption (e.g., cascading encryption, multiple encryption, etc.) for the data session to provide a secure data session via the network 140.

[0020] Accordingly, the access manager 110 provides dynamic encryption settings for data sessions between the client 120 and the server 130 based on characteristics of the network 140 (or characteristics of the communication link between the client 120 and the server 130). For example, a first data session between the client 120 and the server 130 may use a first encryption technology (e.g., a low level encryption technology) when the client 120 is accessing the server 130 via a secure network (e.g., a managed private network), and a second data session between the client 120 and the server 130 may use a second encryption technology (e.g., a high level encryption technology) when the client 120 is accessing the server 130 via an insecure network (e.g., a public network).

[0021] While an example manner of implementing the access manager 110 of FIG. 1 is illustrated in FIG. 2, at least one of the elements, processes and/or devices illustrated in FIG. 2 may be combined, divided, re-arranged, omitted, eliminated and/or implemented in any other way. Further, the session manager 210, the network analyzer 220, the encryption selector 230 and/or, more generally, the example access manager 110 of FIG. 2 may be implemented by hardware and/or any combination of hardware and executable instructions (e.g., software and/or firmware). Thus, for example, any of the session manager 210, the network analyzer 220, the encryption selector 230 and/or, more generally, the example access manager 110 may be implemented by at least one of an analog or digital circuit, a logic circuit, a programmable processor, an application specific integrated circuit (ASIC), a programmable logic device (PLD) and/or a field programmable logic device (FPLD). When reading any of the apparatus or system claims of this patent to cover a purely software and/or firmware implementation, at least one of the session manager 210, the network analyzer 220, and/or the encryption selector 230 is/are hereby expressly defined to include a tangible computer readable storage device or storage disk such as a memory, a digital versatile disk (DVD), a compact disk (CD), a Blu-ray disk, etc. storing the executable instructions. Further still, the example access manager 110 of FIG. 2 may include at least one element, process, and/or device in addition to, or instead of, those illustrated in FIG. 2, and/or may include more than one of any or all of the illustrated elements, processes and devices.

[0022] FIG. 3 is a communication diagram representative of an example sequence of communications that may be sent within the example client/server system 100 of FIG. 1. The sequence of communications of FIG. 3 is representative of communications that may establish a data session between the client 120 and the server 130 of FIG. 1 in accordance with the teachings of this disclosure. Communications illustrated in the example communication diagram 300 of FIG. 3 are sent between the client 120, the access manager 110, and the server 130, which are representative of the respective components of the client/server system 100 of FIG. 1. The example communications (302-310) of FIG. 3 are sent/received between Ts and Tf, denoted by the dotted lines. Each communication 302-310 may include or represent a single communication interaction (e.g., a message, a request, a response, an acknowledgement, a beacon, a ping, etc.), a plurality of communications, or a communication session.

[0023] In FIG. 3, at time Ts, the client 120 sends a request 302 to initiate a data session with the server 130. The request 302 is received by the access manager 110. In response to receiving the request, the access manager 110 determines an appropriate encryption level for the data session in accordance with the teachings of this disclosure. The access manager 110 then communicates the encryption technology to the client 120 via the response message 304 and to the server 130 via the communication 306. In response to receiving the response message 304, as illustrated in the example of FIG. 3, the client 120 initiates the data session with the server 130 via communication 308 using the selected encryption technology. In some examples, the server 130 may instead initiate the data session via communication 308. At time Tf, the data session 310 is established between the client 120 and the server 130, which may then send or receive data (e.g., backup data) via the data session 310.
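The exchange 302-310 of FIG. 3, as an added example that is not part of the patent: a Python simulation in which the access manager answers the client's request 302 with the selection in 304 and sends the same selection to the server in 306, the client opens the session with 308, and the server establishes 310. One check a practitioner would add, and which the description does not mention, is that the selection itself must be authenticated: 304 travels over the very network the access manager may have judged insecure, so an on-path attacker who can rewrite it could otherwise make the client use the weaker profile. The example therefore has the access manager sign the selection with a key it shares with the server, and the server accepts 308 only if that signature verifies and the profile agrees with what it was told in 306. The shared key AM_SERVER_KEY, the message field names, the session identifiers and the profile names are all assumptions of this example; how the profile handed to handle_request is chosen is the encryption selector's job and is not shown here.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional, Tuple

# Assumption of this example (not in the patent): the access manager and the
# server share a key out of band, so the server can tell an authentic
# selection from one rewritten on the network.
AM_SERVER_KEY = b"demo-key-shared-by-access-manager-and-server"


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_selection(session_id: str, profile: str, key: bytes = AM_SERVER_KEY) -> dict:
    """The selection carried in 304 and 306: session id, profile, HMAC over both."""
    body = {"session_id": session_id, "profile": profile}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_selection(selection: dict, key: bytes = AM_SERVER_KEY) -> bool:
    """Recompute the HMAC over every field except the mac; compare in constant time."""
    body = {k: v for k, v in selection.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    mac = selection.get("mac")
    return isinstance(mac, str) and mac.isascii() and hmac.compare_digest(expected, mac)


class AccessManager:
    """Session manager role of the access manager 110."""

    def handle_request(self, request_302: dict, profile: str) -> Tuple[dict, dict]:
        # `profile` is what the encryption selector chose for this network;
        # that choice is made elsewhere and is simply passed in here.
        selection = sign_selection(secrets.token_hex(8), profile)
        response_304 = {"to": request_302["client"], "selection": selection}
        communication_306 = {"to": request_302["server"], "selection": selection}
        return response_304, communication_306


class Server:
    """Server 130: learns the selection from 306, establishes 310 on a matching 308."""

    def __init__(self) -> None:
        self.expected = {}   # session_id -> profile announced in 306
        self.sessions = {}   # session_id -> profile of established sessions

    def receive_selection(self, communication_306: dict) -> bool:
        selection = communication_306["selection"]
        if not verify_selection(selection):
            return False
        self.expected[selection["session_id"]] = selection["profile"]
        return True

    def accept(self, communication_308: dict) -> bool:
        selection = communication_308["selection"]
        if not verify_selection(selection):
            return False                       # forged or rewritten in transit
        sid = selection.get("session_id")
        if self.expected.get(sid) != selection.get("profile"):
            return False                       # 304 and 306 disagree
        self.sessions[sid] = selection["profile"]
        return True


class Client:
    """Client 120: sends 302, then opens the session (308) with the selection from 304."""

    def request(self) -> dict:
        return {"client": "client-120", "server": "server-130", "purpose": "backup"}

    def initiate(self, response_304: dict) -> dict:
        return {"from": "client-120", "selection": response_304["selection"]}


def run_exchange(profile: str,
                 tamper: Optional[Callable[[dict], dict]] = None) -> Tuple[bool, Optional[str]]:
    """Run 302-310 once; `tamper` models an on-path attacker rewriting 304."""
    client, manager, server = Client(), AccessManager(), Server()
    response_304, communication_306 = manager.handle_request(client.request(), profile)
    server.receive_selection(communication_306)
    if tamper is not None:
        response_304 = tamper(response_304)
    communication_308 = client.initiate(response_304)
    established = server.accept(communication_308)
    sid = communication_308["selection"].get("session_id")
    return established, (server.sessions.get(sid) if established else None)


def downgrade(response_304: dict) -> dict:
    """Attacker's edit: make the client believe the low profile was selected."""
    forged = {**response_304["selection"], "profile": "low"}
    return {**response_304, "selection": forged}


if __name__ == "__main__":
    print(run_exchange("high"))             # (True, 'high')
    print(run_exchange("high", downgrade))  # (False, None)
```

The HMAC binds the profile to the session identifier, so a selection captured for one session cannot be replayed to force the same profile on another, and the server's comparison against 306 catches the case where the client and server were told different things.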

[0024] A flowchart representative of example machine readable instructions for implementing the access manager 110 of FIG. 2 is shown in FIG. 4. In this example, the machine readable instructions comprise a program/process for execution by a processor such as the processor 512 shown in the example processor platform 500 discussed below in connection with FIG. 5. The program/process may be embodied in executable instructions (e.g., software) stored on a tangible computer readable storage medium such as a CD-ROM, a floppy disk, a hard drive, a digital versatile disk (DVD), a Blu-ray disk, or a memory associated with the processor 512, but the entire program/process and/or parts thereof could alternatively be executed by a device other than the processor 512 and/or embodied in firmware or dedicated hardware. Further, although the example program is described with reference to the flowchart illustrated in FIG. 4, many other methods of implementing the example access manager 110 may alternatively be used. For example, the order of execution of the blocks may be changed, and/or some of the blocks described may be changed, eliminated, or combined.

[0025] The example process 400 of FIG. 4 begins with an initiation of the access manager 110 (e.g., upon startup, upon instructions from a user, upon startup of a device implementing the access manager 110 (e.g., the server 130, a server controller associated with the server 130, etc.), etc.). The example process 400 may be executed to select an encryption technology for a data session between the client 120 and the server 130. At block 410, the session manager 210 receives a request to initiate a data session between the client 120 and the server 130. In examples disclosed herein, the request may be received from the client 120 and/or the server 130. At block 420, the network analyzer 220 analyzes characteristics of the network (e.g., the network from which the request was received). For example, at block 420, the network analyzer 220 determines the type of the network 140 (e.g., public or private), determines the geographic locations of all or portions of the network 140, determines whether the network 140 includes a firewall, determines whether the network 140 uses a secure communication protocol, etc. In other words, at block 420, the network analyzer 220 may determine a security level of the network 140.

[0026] At block 430, the encryption selector 230 selects an encryption technology for the data session based on the characteristics of the network. For example, the more secure the network 140 is determined to be by the network analyzer 220, the lower the level of encryption selected for the data session by the encryption selector 230. On the other hand, the less secure the network 140 is determined to be by the network analyzer 220, the higher the level of encryption selected for the data session by the encryption selector 230. After block 430, the example process 400 ends. In some examples, after block 430, the session manager 210 may communicate the selected encryption level to the client 120 and the server 130 to establish the data session.
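The network analyzer and encryption selector described in [0018] through [0020], and again as blocks 420 and 430 of the FIG. 4 process in [0025] and [0026], as one added Python example that is not the patent's own code. It classifies a request's network characteristics into a security level and maps that level to a cipher profile. Everything concrete in it is an assumption: the RequestInfo fields, the managed private ranges 10.20.0.0/16 and fd00:1234::/32, the trusted locations, and the two profiles. Two choices deserve a note. First, the description does not say what happens when characteristics disagree (for example a public network that does use TLS); the example fails closed, so any unfavourable characteristic yields the high profile, and a private-looking address outside the managed ranges is treated as public because NAT makes such addresses uninformative about the path. Second, the "low" tier is still a 128-bit authenticated cipher: the 40-bit example given in [0019] is breakable by brute force and should not be selected on any network, which the selector enforces with a key-strength floor.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RequestInfo:
    """Network information that arrives with, or is looked up for, a request.

    The field set is an assumption of this example; the patent only says a
    request may carry address, security and protocol information.
    """
    source_ip: str
    transport_secure: bool            # request arrived over TLS
    behind_firewall: bool = False     # known from a network or endpoint inventory
    country: Optional[str] = None     # geographic location, if known


@dataclass
class Assessment:
    level: str                        # "secure" or "insecure"
    secure_signals: List[str]
    insecure_signals: List[str]


# Assumed policy inputs (not in the patent): the address ranges that make up
# the managed private network, and the locations considered trustworthy.
MANAGED_PRIVATE_RANGES = [ipaddress.ip_network("10.20.0.0/16"),
                          ipaddress.ip_network("fd00:1234::/32")]
TRUSTED_COUNTRIES = {"GB", "IN"}

# Two tiers.  "Low" is still a 128-bit authenticated cipher; the 40-bit
# example in the description is brute-forceable and deliberately absent.
# "High" cascades a second, independently keyed cipher.
PROFILES = {
    "low":  {"ciphers": ["AES-128-GCM"], "key_bits": 128},
    "high": {"ciphers": ["AES-256-GCM", "ChaCha20-Poly1305"], "key_bits": 256},
}
MIN_KEY_BITS = 128


def analyze_network(req: RequestInfo) -> Assessment:
    """Block 420: derive a security level from the request's characteristics.

    Tie-break chosen here (the patent leaves it open): any unfavourable
    characteristic makes the network insecure, so the decision fails closed.
    """
    secure: List[str] = []
    insecure: List[str] = []
    addr = ipaddress.ip_address(req.source_ip)
    if any(addr in net for net in MANAGED_PRIVATE_RANGES):
        secure.append("managed private network")
    else:
        # Anything outside the managed ranges counts as a public network.  A
        # private-looking (RFC 1918) address from an unknown range is not
        # trusted either: behind NAT the address says nothing about the path.
        insecure.append("public network")
    if req.behind_firewall:
        secure.append("behind firewall")
    if req.transport_secure:
        secure.append("TLS transport")
    else:
        insecure.append("no secure transport")
    if req.country is not None:
        bucket = secure if req.country in TRUSTED_COUNTRIES else insecure
        bucket.append("location " + req.country)
    level = "secure" if secure and not insecure else "insecure"
    return Assessment(level, secure, insecure)


def select_encryption(assessment: Assessment) -> dict:
    """Block 430: the more secure the network, the lighter the encryption."""
    name = "low" if assessment.level == "secure" else "high"
    profile = PROFILES[name]
    if profile["key_bits"] < MIN_KEY_BITS:    # floor no network rating may lower
        raise ValueError("profile below minimum key strength")
    reasons = assessment.insecure_signals or assessment.secure_signals
    return {"profile": name, **profile, "reasons": reasons}


def choose_for_request(req: RequestInfo) -> dict:
    """Blocks 420 and 430 together, as the access manager would run them."""
    return select_encryption(analyze_network(req))


if __name__ == "__main__":
    office = RequestInfo("10.20.5.7", transport_secure=True, behind_firewall=True, country="GB")
    cafe = RequestInfo("203.0.113.9", transport_secure=False)
    print(choose_for_request(office)["profile"])   # low
    print(choose_for_request(cafe)["profile"])     # high
```

The returned dictionary carries the reasons for the decision so that the session manager can log why a given session was given the lighter profile; that record is what an incident responder would want when a backup session from an unexpected address turns up with low encryption.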

[0027] As mentioned above, the example process(es) of FIG. 4 may be implemented using coded instructions (e.g., computer and/or machine readable instructions) stored on a tangible computer readable storage medium such as a hard disk drive, a flash memory, a read-only memory (ROM), a compact disk (CD), a digital versatile disk (DVD), a cache, a random-access memory (RAM) and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information). As used herein, the term tangible computer readable storage medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and to exclude transmission media. As used herein, "tangible computer readable storage medium" and "tangible machine readable storage medium" are used interchangeably. Additionally or alternatively, the example processes of FIG. 4 may be implemented using coded instructions (e.g., computer and/or machine readable instructions) stored on a non-transitory computer and/or machine readable medium such as a hard disk drive, a flash memory, a read-only memory, a compact disk, a digital versatile disk, a cache, a random-access memory and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information). As used herein, the term non-transitory computer readable medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and to exclude transmission media. As used herein, when the phrase "at least" is used as the transition term in a preamble of a claim, it is open-ended in the same manner as the term "comprising" is open ended. As used herein the term "a" or "an" may mean "at least one," and therefore, "a" or "an" do not necessarily limit a particular element to a single element when used to describe the element. As used herein, when the term "or" is used in a series, it is not, unless otherwise indicated, considered an "exclusive or."

[0028] FIG. 5 is a block diagram of an example processor platform 500 capable of executing the instructions of FIG. 4 to implement the access manager 110 of FIG. 2. The example processor platform 500 may be any apparatus or may be included in any type of apparatus, such as a server, a personal computer, a mobile device (e.g., a cell phone, a smart phone, a tablet, etc.), or any other type of computing device.

[0029]The processor platform 500 of the illustrated example of FIG. 5 includes a processor 512. The processor 512 of the illustrated example is hardware. For example, the processor 512 can be implemented by at least one integrated circuit, logic circuit, microprocessor or controller from any desired family or manufacturer.

[0030] The processor 512 of the illustrated example includes a local memory 513 (e.g., a cache). The processor 512 of the illustrated example is in communication with a main memory including a volatile memory 514 and a non-volatile memory 516 via a bus 518. The volatile memory 514 may be implemented by Synchronous Dynamic Random Access Memory (SDRAM), Dynamic Random Access Memory (DRAM), RAMBUS Dynamic Random Access Memory (RDRAM) and/or any other type of random access memory device. The non-volatile memory 516 may be implemented by flash memory and/or any other desired type of memory device. Access to the main memory 514, 516 is controlled by a memory controller.

[0031]The processor platform 500 of the illustrated example also includes an interface circuit 520. The interface circuit 520 may be implemented by any type of interface standard, such as an Ethernet interface, a universal serial bus (USB), and/or a peripheral component interconnect (PCI) express interface.

[0032] In the illustrated example, at least one input device 522 is connected to the interface circuit 520. The input device(s) 522 permit(s) a user to enter data and commands into the processor 512. The input device(s) can be implemented by, for example, an audio sensor, a microphone, a keyboard, a button, a mouse, a touchscreen, a track-pad, a trackball, and/or a voice recognition system.

[0033] At least one output device 524 is also connected to the interface circuit 520 of the illustrated example. The output device(s) 524 can be implemented, for example, by display devices (e.g., a light emitting diode (LED), an organic light emitting diode (OLED), a liquid crystal display, a cathode ray tube display (CRT), a touchscreen, a tactile output device, a printer and/or speakers). The interface circuit 520 of the illustrated example, thus, may include a graphics driver card, a graphics driver chip or a graphics driver processor.

[0034] The interface circuit 520 of the illustrated example also includes a communication device such as a transmitter, a receiver, a transceiver, a modem and/or network interface card to facilitate exchange of data with external machines (e.g., computing devices of any kind) via a network 526 (e.g., an Ethernet connection, a digital subscriber line (DSL), a telephone line, coaxial cable, a cellular telephone system, etc.). The network 526 may implement the network 140 of FIG. 1 or be in communication with the network 140.

[0035] The processor platform 500 of the illustrated example also includes at least one mass storage device 528 for storing executable instructions (e.g., software) and/or data. Examples of such mass storage device(s) 528 include floppy disk drives, hard disk drives, compact disk drives, Blu-ray disk drives, RAID systems, and digital versatile disk (DVD) drives.

[0036] The coded instructions 532 of FIG. 4 may be stored in the mass storage device 528, in the local memory 513, in the volatile memory 514, in the non-volatile memory 516, and/or on a removable tangible computer readable storage medium such as a CD or DVD.

[0037] From the foregoing, it will be appreciated that the above disclosed methods, apparatus and articles of manufacture provide for dynamically adjusting an encryption technology for communication with a server based on the characteristics or security level of the network handling the data session. Examples disclosed herein provide for fast, efficient data sessions, using a low level encryption technology, when a secure network is identified for the data session, and for secure, robust data sessions, using a high level encryption technology, when an insecure network is identified for the data session.

[0038] Although certain example methods, apparatus and articles of manufacture have been disclosed herein, the scope of coverage of this patent is not limited thereto. On the contrary, this patent covers all methods, apparatus and articles of manufacture fairly falling within the scope of the claims of this patent.