Search

US-12627714-B2 - Adaptable telemetry orchestration in zero-trust computing environments

US12627714B2US 12627714 B2US12627714 B2US 12627714B2US-12627714-B2

Abstract

Systems and methods provide adaptive collection of telemetry. A telemetry orchestrator of a IHS (Information Handling System) collects telemetry related to a session used by the IHS to access a protected resource of a zero-trust environment, where the telemetry is collected based on a telemetry definition received from a policy decision point of the zero-trust environment. The telemetry orchestrator of the IHS monitors for updates to the telemetry definition, where the updates are generated by the policy decision point of the zero-trust environment. The telemetry orchestrator adjusts measurements by one or more of the sensors of the IHS based on updates to the telemetry definition received from the policy decision point. Telemetry that is generated based on the adjusted measurements is transmitted by the telemetry orchestrator to one or more destinations specified in the update telemetry definition.

Inventors

  • Srikanth Kondapi
  • Joseph Kozlowski
  • Mohit Arora
  • Girish S. Dhoble

Assignees

  • DELL PRODUCTS, L.P.

Dates

Publication Date
20260512
Application Date
20231215

Claims (20)

  1. 1 . An Information Handling System (IHS) that comprises: a plurality of sensors that generate measurements for telemetry; one or more processors; a memory coupled to the one or more processors, the memory configured with program instructions stored thereon that, upon execution by the one or more processors, cause the IHS to access a protected resource of a zero-trust environment; a remote access controller configured to operate from a power plane separate from the one or more processors even when the one or more processors are powered off, wherein the remote access controller comprises one or more logic units and one or more memory devices that store computer-readable instructions that, upon execution by the one or more logic units, cause the remote access controller to operate a local telemetry orchestrator that is configured to: collect telemetry related to a session used by the IHS to access the protected resource of the zero-trust environment, wherein the telemetry is collected based on a telemetry definition received from a policy decision point of the zero-trust environment, wherein the telemetry definition is configured to identify a plurality of telemetry tiers with a specification, for the IHS, of at least one telemetry tier of the plurality of telemetry tiers to be enabled without any knowledge by the policy decision point of telemetry available for collection by the IHS, and wherein the plurality of telemetry tiers comprise: a base tier of operational high-priority telemetry, a middle tier of analytical telemetry, and a bottom tier of optional telemetry; monitor for updates to the telemetry definition, where the updates are generated by the policy decision point of the zero-trust environment; adjust at least one measurement by one or more sensors of the plurality of sensors of the IHS based on an updated telemetry definition received from the policy decision point of the zero-trust environment; and transmit telemetry associated with at least one enabled telemetry tier that is generated based on the adjusted at least one measurement, to one or more destinations specified in the updated telemetry definition, wherein the transmitted telemetry is restricted based at least in part on the updated telemetry definition without any knowledge by the policy decision point of the specific telemetry available to the IHS.
  2. 2 . The IHS of claim 1 , wherein the policy decision point is comprised of one or more server IHSs that each collect and transmit telemetry based on a respective telemetry definition.
  3. 3 . The IHS of claim 2 , wherein the one or more server IHSs each comprise a remote access controller that collects telemetry related to operations of a respective server IHS in implementing the zero-trust environment.
  4. 4 . The IHS of claim 1 , wherein the local telemetry orchestrator is further configured to convert the updated telemetry definition into at least one adjustment to the at least one measurement.
  5. 5 . The IHS of claim 1 , wherein the local telemetry orchestrator receives the telemetry definition from the policy decision point via a sideband network connection utilized by the remote access controller in remote management of the IHS.
  6. 6 . The IHS of claim 5 , wherein the local telemetry orchestrator adjusts the one or more sensors of the plurality of sensors of the IHS via sideband management connections utilized by the remote access controller in management of hardware components of the IHS.
  7. 7 . The IHS of claim 1 , wherein the protected resource comprises a data store and the updated telemetry definition specifies increased telemetry related to all sessions by the IHS that access the data store.
  8. 8 . The IHS of claim 7 , wherein the updated telemetry definition specifies increased user-presence telemetry while a user of the IHS is accessing the data store.
  9. 9 . The IHS of claim 7 , wherein the updated telemetry definition specifies increased telemetry specifying a location of the IHS while the IHS is accessing the data store.
  10. 10 . The IHS of claim 9 , wherein the local telemetry orchestrator is further configured to generate telemetry reporting compliance of telemetry transmissions with the telemetry definition received from the policy decision point.
  11. 11 . The IHS of claim 1 , wherein the local telemetry orchestrator is further configured to monitor for compliance of telemetry transmissions by the one or more sensors of the plurality of sensors of the IHS with the telemetry definition received from the policy decision point.
  12. 12 . The IHS of claim 1 , wherein the local telemetry orchestrator is further configured to detect telemetry collected by the one or more sensors of the plurality of sensors of the IHS that is contrary to restrictions on sharing of personal data of a user of the IHS.
  13. 13 . The IHS of claim 12 , wherein the restrictions on sharing of personal data of the user of the IHS comprises restrictions on sharing a location of the user.
  14. 14 . The IHS of claim 12 , wherein the local telemetry orchestrator is further configured to convert collected telemetry specifying a location of the user to telemetry specifying a geographic region in which the IHS is currently located.
  15. 15 . A method comprising: accessing a protected resource of a zero-trust environment by an operating system application of an Information Handling System (IHS); collecting, by a local telemetry orchestrator operated by a remote access controller configured to be used in remote management of the IHS even when every processor of the IHS is powered off, wherein the remote access controller is powered by a power plane separate from any host processor of the IHS, telemetry related to a session used by the IHS to access the protected resource of the zero-trust environment, wherein the telemetry is collected based on a telemetry definition received from a policy decision point of the zero-trust environment, wherein the telemetry definition designates telemetry that is available for collection by the IHS according to a plurality of telemetry tiers that comprise: a base tier of operational high-priority telemetry, a middle tier of analytical telemetry, and a bottom tier of optional telemetry, and wherein the telemetry definition specifies, for the IHS, which of the plurality of telemetry tiers are to be enabled without any knowledge by the policy decision point of telemetry available for collection by the IHS; monitoring for updates to the telemetry definition, where the updates are generated by the policy decision point of the zero-trust environment; adjusting measurements by one or more sensors of the IHS based on an updated telemetry definition received from the policy decision point of the zero-trust environment, comprising enabling collection and transmission of telemetry that belongs to one or more telemetry tiers specified as enabled for the IHS and disabling collection and transmission of telemetry that belongs to at least one other telemetry tier of the plurality of telemetry tiers; and transmitting at least telemetry associated with at least one enabled telemetry tier and continuous user-presence information, wherein the telemetry is generated based on the adjusted measurements, to a plurality of destinations specified in the updated telemetry definition, wherein the transmitted telemetry is restricted based at least in part on the updated telemetry definition without any knowledge by the policy decision point of telemetry available to the IHS.
  16. 16 . The method of claim 15 , wherein the protected resource comprises a data store and the updated telemetry definition specifies increased telemetry related to all sessions by the IHS that access the data store.
  17. 17 . The method of claim 15 , wherein the telemetry further comprises user-presence information, and wherein the method further comprises access to the protected resource being revoked based, at least in part, on the user-presence information.
  18. 18 . The method of claim 15 , wherein the local telemetry orchestrator is further configured to detect telemetry collected by the one or more sensors of the IHS that is contrary to restrictions on sharing of personal data of a user of the IHS.
  19. 19 . A system that comprises: a policy decision point comprised of one or more server Information Handling System (IHS); and a personal IHS comprising: a plurality of sensors that generate measurements used in generating telemetry; one or more processors; a memory coupled to the one or more processors, the memory storing program instructions that, upon execution by the one or more processors, cause the personal IHS to access a protected resource of a zero-trust environment; and a remote access controller configured to operate from a power plane separate from the one or more processors even when the one or more processors are powered off, wherein the remote access controller comprises one or more logic units and further comprising one or more memory devices which store computer-readable instructions that, upon execution by the one or more logic units, cause the remote access controller to operate a local telemetry orchestrator that is configured to: collect telemetry related to a session used by the personal IHS to access the protected resource of the zero-trust environment, wherein the telemetry is collected based on a telemetry definition received from a policy decision point of the zero-trust environment, wherein the telemetry definition is configured to designate telemetry that is available for collection by the IHS based at least in part on a plurality of telemetry tiers that comprise: a base tier of operational high-priority telemetry used to support validation of access to protected resources of the zero-trust environment, a middle tier of analytical telemetry used to monitor for change in risk posture in the zero-trust environment, and a bottom tier of optional telemetry, and wherein the telemetry definition incudes a specification, for the IHS, which of the plurality of telemetry tiers are to be enabled without any knowledge by the policy decision point of telemetry available for collection by the IHS; monitor for updates to the telemetry definition, where the updates are generated by the policy decision point of the zero-trust environment; adjust measurements by one or more sensors of the plurality of sensors of the personal IHS based on an updated telemetry definition received from the policy decision point of the zero-trust environment, comprising enable collection and transmission of telemetry that belongs to one or more telemetry tiers specified as enabled for the IHS and disable collection and transmission of telemetry that belongs to at least one other telemetry tier of the plurality of telemetry tiers; and transmit at least telemetry associated with at least one enabled telemetry tier and continuous user biometric information, wherein the telemetry associated with the at least one enabled telemetry tier is generated based on the adjusted measurements, to a plurality of destinations specified in the updated telemetry definition, and wherein the transmitted telemetry is restricted based at least in part on the updated telemetry definition without any knowledge by the policy decision point of the specific telemetry available to the IHS.
  20. 20 . The system of claim 19 , wherein the local telemetry orchestrator receives the telemetry definition from the policy decision point via a sideband network connection utilized by the remote access controller in remote management of the personal IHS.

Description

FIELD This disclosure relates generally to Information Handling Systems (IHSs), and, more specifically, to supporting management of networks of IHSs. BACKGROUND As the value and use of information continue to increase, individuals and businesses seek additional ways to process and store information. One option is an Information Handling System (IHS). An IHS generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes. Because technology and information handling needs and requirements may vary between different applications, IHSs may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in IHSs allow for IHSs to be general or configured for a specific user, or for a specific use such as financial transaction processing, airline reservations, enterprise data storage, global communications, etc. In addition, IHSs may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems. The operation of an IHS may be characterized by telemetry data that provides information describing the IHS's operation, in some instances providing measurable information. For instance, IHS telemetry may include environmental sensor readings, such a temperature sensor measurement, or an operational sensor reading, such as the amps being drawn by a hardware component of the IHS. Telemetry generated by an IHS may also provide discrete information, such as the operational status of a hardware component. Telemetry generated by an IHS may also provide a logical rather than physical sensor measurement, such as a telemetry relating the amount of data transferred by a networking component of the IHS. Such telemetry data may collected and used in the management of an IHS. SUMMARY In various embodiments, systems and methods include an Information Handling System (IHS) that supports adaptive telemetry. The IHS may include: a plurality of sensors that generate measurements used in generating telemetry; one or more processors; a memory coupled to the processors, the memory storing program instructions that, upon execution by the processors, cause the IHS to access a protected resource of the zero-trust environment; and a remote access controller comprising one or more logic units and further comprising one or more memory devices storing computer-readable instructions that, upon execution by the logic units, cause the remote access controller to operate a telemetry orchestrator that is configured to: collect telemetry related to the session used by the IHS to access the protected resource of the zero-trust environment, wherein the telemetry is collected based on a telemetry definition received from a policy decision point of the zero-trust environment; monitor for updates to the telemetry definition, where the updates are generated by the policy decision point of the zero-trust environment; adjust measurements by one or more of the sensors of the first IHS based on an update to the telemetry definition received from the policy decision point of the zero-trust environment; and transmit telemetry generated based on the adjusted measurements to one or more destinations specified in the update telemetry definition. In some embodiments, the policy decision point is comprised of one or more server IHSs that each collect and transmit telemetry based on a respective telemetry definition. In some embodiments, the one or more server IHSs each comprise a remote access controller that collects telemetry related to operations of a respective server IHS in implementing the zero-trust environment. In some embodiments, the local telemetry orchestrator is further configured to convert the received update to the telemetry definition into the adjustments to the one or more of the sensors of the first IHS. In some embodiments, the local telemetry orchestrator receives the telemetry definition from the policy decision point via a sideband network connection utilized by the remote access controller in remote management of the first IHS. In some embodiments, the local telemetry orchestrator adjusts the one or more of the sensors of the first IHS via sideband management connections utilized by the remote access controller in management of hardware components of the first IHS. In some embodiments, the protected resource comprises a data store and the updated telemetry definition specifies increased telemetry related to all sessions by the first IHS that access the data store. In some embodiments, the updated telemetry definition specifies increased user-presence telemetry while a user of the first IHS is accessing the data store. In some embodiments, the updated telemetry de