Node-based policy-enforcement across mixed media, mixed-communications modalities and extensible to cloud computing such as SOA

US 10,015,169 B2
Filed: 02/18/2011
Issued: 07/03/2018
Est. Priority Date: 02/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a hardware microprocessor, in a first communication session, existing media content from a communication device of a first subscriber, wherein the first subscriber has privileged access to the existing media content;

analyzing, by the hardware microprocessor, the existing media content in the first communication session to identify a behavior of a second subscriber relevant to a policy or rule, wherein the second subscriber has privileged access to the existing media content, wherein the existing media content of the first communication session is accessed by a communication device of the second subscriber, wherein the behavior is the communication device of the second subscriber receiving input attempting to make the existing media content in the first communication session accessible to one or more communication devices of one or more selected other parties in another communication session, and wherein at least one of the one or more selected other parties does not have privileged access to the existing media content;

notifying, by the hardware microprocessor, a policy enforcement server of the identified behavior; and

receiving, by the hardware microprocessor, and from the policy enforcement server, a policy measure to be implemented; and

implementing, by the hardware processor, the received policy measure, wherein the implemented received policy measure is to deny the input attempting to make the existing media content in the first communication session accessible to the communication device of the at least one of the one or more selected other parties who does not have privileged access to the existing media content.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers.

Citations

20 Claims

1. A method, comprising:
- receiving, by a hardware microprocessor, in a first communication session, existing media content from a communication device of a first subscriber, wherein the first subscriber has privileged access to the existing media content;
  
  analyzing, by the hardware microprocessor, the existing media content in the first communication session to identify a behavior of a second subscriber relevant to a policy or rule, wherein the second subscriber has privileged access to the existing media content, wherein the existing media content of the first communication session is accessed by a communication device of the second subscriber, wherein the behavior is the communication device of the second subscriber receiving input attempting to make the existing media content in the first communication session accessible to one or more communication devices of one or more selected other parties in another communication session, and wherein at least one of the one or more selected other parties does not have privileged access to the existing media content;
  
  notifying, by the hardware microprocessor, a policy enforcement server of the identified behavior; and
  
  receiving, by the hardware microprocessor, and from the policy enforcement server, a policy measure to be implemented; and
  
  implementing, by the hardware processor, the received policy measure, wherein the implemented received policy measure is to deny the input attempting to make the existing media content in the first communication session accessible to the communication device of the at least one of the one or more selected other parties who does not have privileged access to the existing media content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising:
    - sending, by the hardware processor, a policy tag respecting the first communication session and the existing media content in the first communication session and wherein the policy tag comprises one or more of the following;
      
      a persona or role of the second subscriber,a persona or role of the one or more selected other parties,a degree of trust of an enterprise network with the second subscriber or the one or more selected other parties, wherein the degree of trust is a rating defined by an enterprise,a context of the second subscriber or the one or more selected other parties,a context of the second subscriber communication device or the one or more communication devices of one or more selected other parties,an existing policy compliance measure selected by the second subscriber communication device for the first communication session and the existing media content in the first communication session,a venue for the first communication session and the existing media content in the first communication session to be made accessible to the one or more communication devices of the one or more selected other parties,a description of the first communication session and the existing media content in the first communication session,a context of the first communication session or the existing media content in the first communication session, ora policy or rule relevant to the first communication session and the existing media content in the first communication session.
  - 3. The method of claim 2, wherein the hardware microprocessor is in the second communication device, wherein the policy tag comprises one or more of a persona or role of the one or more selected other parties and a persona or role of the second subscriber, and wherein the persona or role is defined by one or more of the following:
    - employer name, user level, user organization, the subscriber'"'"'s business-related electronic addresses, satellite-based physical location coordinates associated with a business location, Web browsed Universal Resource Locator (URL)'"'"'s corresponding with business interests, times-of-day associated with business time, days-of-week associated with business time, contact lists of business associates, client, supplier, customer, family member name, the second subscriber'"'"'s personal electronic addresses, satellite-based physical location coordinates associated with personal location, Web browsed URL'"'"'s corresponding with personal interests, times-of-day associated with personal time, days-of-week associated with personal time, contact list of friends, hobby supplier, charitable organization, or other volunteer activity.
  - 4. The method of claim 2, wherein the hardware microprocessor is in the second subscriber communication device, wherein the policy tag comprises the degree of trust of the enterprise network with the one or more selected other parties, and wherein the at least one of the one or more selected other parties is no longer trusted upon occurrence of a determined event or passage of determined time.
  - 5. The method of claim 2, wherein the hardware processor is in the second subscriber communication device, and wherein the policy tag comprises one or more of the context of the second subscriber or the one or more selected other parties and the context of the second subscriber communication device or the one or more communication devices of the one or more selected other parties.
  - 6. The method of claim 2, wherein the hardware microprocessor is in the second subscriber communication device, and wherein the existing policy compliance measure is selected by the second subscriber for the first communication session and the existing media content in the first communication session.
  - 7. The method of claim 2, wherein the hardware microprocessor is in the second subscriber communication device, wherein the policy tag comprises a venue for the first communication session and the existing media content in the first communication session to be made accessible to the one or more selected other parties, and wherein the venue comprises one of a blog, micro-blog, Really Simple Syndication (“
    - RSS”
      
      ) feed, chat room, social network posting, news aggregator, or private party.
  - 8. The method of claim 2, wherein the policy measure to be implemented further comprises one or more of the following:
    - modification of an existing security measure for the first communication session or the existing media content in the first communication session,implementation of a new or additional security measure for the first communication session or the existing media content in the first communication session,use of a different network path or channel than currently chosen to effect transmission or transfer of the first communication session or the existing media content in the first communication session,implementation of an action to remedy a prior policy or rule violation,block, delay, or buffer the first communication session or the existing media content in the first communication session,mark or delete a portion of the first communication session or the existing media content in the first communication session prior to access by the one or more selected other parties,send a notice of policy or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the first communication session or the existing media content in the first communication session by the one or more selected other parties,prevent the second subscriber from selecting, by dragging and dropping, selected existing media content into the first communication session,provide read-only access to the first communication session or the existing media content in the first communication session,set a hop restriction on the first communication session or the existing media content in the first communication session whereby, when the hop restriction is met or exceeded or a hop counter is incremented or decremented to a selected value, the first communication session or the existing media content in the first communication session is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the first communication session or the existing media content in the first communication session,redirect the first communication session or the existing media content in the first communication session to a different destination, ordisplay different portions of the first communication session or the existing media content in the first communication session to different ones of the one or more of the selected other parties based on a respective degree of trust or privilege of each party.
  - 9. The method of claim 8, wherein the policy measure to be implemented is to prevent the second subscriber from selecting, by dragging and dropping, the existing media content into the second communication session.
  - 10. The method of claim 8, wherein the policy measure to be implemented is to set the hop restriction on the first communication session or the existing media content in the first communication session whereby, when the hop restriction is met or exceeded or a hop counter is incremented or decremented to a selected value, the first communication session or the existing media content in the first communication session is dropped or otherwise prohibited from delivery to the intended recipient.
  - 11. The method of claim 2, wherein the venue is a blog, a micro blog, or a social network, and further comprising:
    - determining the trustworthiness of the venue;
      
      in response to determining that the venue is not trustworthy, not allowing the second subscriber to post the existing media content in the first communication session onto the venue; and
      
      in response to determining that the venue is trustworthy, allowing the second subscriber to post the existing media content in the first communication session onto the venue.
  - 12. The method of claim 1, further comprising:
    - determining a date and time of the existing media content, wherein the date and time are in policy tags associated with the existing media content;
      
      determining if the date and time of the existing media content would remove security restrictions on the existing media content;
      
      in response to determining that the date and time of the existing media content removes the security restrictions on the existing media content, allowing the behavior;
      
      in response to determining that the date and time of the existing media content does not remove the security restrictions on the existing media content, determining if the existing media content in the first communication session is not to be located publicly;
      
      in response to determining that existing media content of the first communication session is not to be located publicly, not allowing the behavior; and
      
      in response to determining that the existing media content of the first communication is to be located publically, allowing the behavior.

13. A system, comprising:
- a hardware microprocessor; and
  
  a computer readable medium, coupled with the microprocessor and comprising microprocessor readable and executable instructions that cause the microprocessor to execute;
  
  a first policy agent, implemented in a driver and corresponding to a first node and a communication device of a second subscriber that;
  
  receives, in a first communication session, existing media content from a communication device of a first subscriber, wherein the first subscriber has privileged access to the existing media content, analyzes the first communication session and the existing media content in the first communication session to identify a behavior of the second subscriber relevant to a policy or rule, wherein the second subscriber has privileged access to the existing media content, wherein the existing media content in the first communication session is accessed by the second subscriber communication device, wherein the behavior is the communication device of the second subscriber receiving input attempting to make the existing media content in the first communication session accessible to one or more communication devices of one or more selected other parties in another communication session, and wherein at least one of the one or more selected other parties does not have privileged access to the existing media content;
  
  notifies a policy enforcement server of the identified behavior; and
  
  implements a policy measure received from the policy enforcement server in response to the notification, wherein the implemented received policy measure is to deny the input attempting to make the existing media content in the first communication session accessible to the communication device of the at least one of the one or more selected other parties who does not have privileged access to the existing media content.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the first policy agent sends a policy tag respecting the first communication session and the existing media content in the first communication session and wherein the policy tag comprises one or more of the following:
    - a persona or role of the second subscriber,a persona or role of the one or more selected other parties,a degree of trust of an enterprise network with the second subscriber or one or more selected other parties, wherein the degree of trust is a rating defined by an enterprise,a context of the second subscriber or the one or more selected other parties,a context of the second subscriber communication device or the one or more communication devices of the one or more selected other parties,an existing policy compliance measure selected by the second subscriber communication device for the first communication session and the existing media content in the first communication session,a venue for the first communication session and the existing media content in the first communication session to be made accessible to the one or more communication devices of the one or more selected other parties,a description of the first communication session and the existing media content in the first communication session,a context of the first communication session or the existing media content in the first communication session, ora policy or rule relevant to the first communication session and the existing media content in the first communication session.
  - 15. The system of claim 14, wherein the first node is the second subscriber communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises one or more of a persona or role of the one or more selected other parties and a persona or role of the first subscriber, and wherein the persona or role is defined by one or more of the following:
    - employer name, user level, user organization, the subscriber'"'"'s business-related electronic addresses, satellite-based physical location coordinates associated with a business location, Web browsed Universal Resource Locator (URL)'"'"'s corresponding with business interests, times-of-day associated with business time, days-of-week associated with business time, contact lists of business associates, client, supplier, customer, family member name, the first subscriber'"'"'s personal electronic addresses, satellite-based physical location coordinates associated with personal location, Web browsed URL'"'"'s corresponding with personal interests, times-of-day associated with personal time, days-of-week associated with personal time, contact list of friends, hobby supplier, charitable organization, or other volunteer activity.
  - 16. The system of claim 14, wherein the first node is the second subscriber communication device, wherein the existing policy compliance measure is selected by the first subscriber for the first communication session and the existing media content in the first communication session.
  - 17. The system of claim 14, wherein the first node is second subscriber communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises a venue for the first communication session and the existing media content in the first communication session to be made accessible to the one or more selected other parties, and wherein the venue comprises one of a blog, micro-blog, Really Simple Syndication (“
    - RSS”
      
      ) feed, chat room, social network posting, news aggregator, and private party.
  - 18. The system of claim 14, wherein the policy measure to be implemented further comprises one or more of the following:
    - modification of an existing security measure for the first communication session or the existing media content in the first communication session,implementation of a new or additional security measure for the first communication session or the existing media content in the first communication session,use of a different network path or channel than currently chosen to effect transmission or transfer of the first communication session or the existing media content in the first communication session,implementation of an action to remedy a prior policy or rule violation,block, delay, or buffer the first communication session or the existing media content in the first communication session,mark or delete a portion of the first communication session or the existing media content in the first communication session prior to access by the one or more selected other parties,send a notice of policy or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the first communication session or the existing media content in the first communication session by the one or more selected other parties,prevent the first subscriber from selecting, by dragging and dropping, selected existing media content into the first communication session,provide read-only access to the first communication session or the existing media content in the first communication session,set a hop restriction on the first communication session or the existing media content in the first communication session whereby, when the hop restriction is met or exceeded or a hop counter is incremented or decremented to a selected value, the first communication session or the existing media content in the first communication session is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the first communication session or the existing media content in the first communication session,redirect the first communication session or the existing media content in the first communication session to a different destination, ordisplay different portions of the first communication session or the existing media content in the first communication session to different ones of the one or more selected other parties based on a respective degree of trust or privilege of each party.

19. A communication node with a hardware microprocessor, comprising:
- a policy agent, executed by the hardware microprocessor, in a class driver, that searches, analyzes, or tags a received first communication session and existing media content in the first communication session to identify an actual or potential policy or rule violation, wherein the first communication is with a communication device of a first subscriber, wherein the first subscriber has privileged access to the existing media content, reports the actual or potential policy or rule violation to a policy enforcement server, wherein the existing media content in the first communication session is accessed by a communication device of a second subscriber, wherein the violation is the second subscriber communication device receiving input attempting to make the existing media content in the first communication session accessible to one or more communication devices of one or more selected other parties in another communication session, and wherein at least one of the one or more selected other parties does not have privileged access to the existing media content, and implements a received policy measure is to deny the input attempting to make the existing media content in the first communication session accessible to the communication device of the at least one of the one or more selected other parties who does not have privileged access to the existing media content.
- View Dependent Claims (20)
- - 20. The node of claim 19, wherein the policy agent further implements a policy measure to address an actual or potential policy or rule violation and wherein the policy measure further comprises one of the following:
    - modification of an existing security measure for the first communication session or the existing media content in the first communication session,implementation of a new or additional security measure for the first communication session or the existing media content in the first communication session,use of a different network path or channel than currently chosen to effect transmission or transfer of the first communication session or the existing media content in the first communication session,block, delay, or buffer the first communication session or the existing media content in the first communication session,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the first communication session or the existing media content in the first communication session by one or more selected other parties,prevent the subscriber from selecting the one or more of the selected existing media content into a communication,provide read-only access to the first communication session or the existing media content in the first communication session,set a hop restriction on the first communication session or the existing media content in the first communication session whereby, when the hop restriction is met or exceeded or a hop counter is incremented or decremented to a selected value, the first communication session or the existing media content in the first communication session is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the first communication session or the existing media content in the first communication session,redirect the one or more of the first communication session or existing media content in the first communication session to a different destination, ordisplay different portions of the first communication session or the existing media content in the first communication session to different selected other parties based on a respective degree of trust or privilege of each party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Kennedy, Kevin J.
Primary Examiner(s)
SCHMIDT, KARI L

Application Number

US13/030,537
Publication Number

US 20110209194A1
Time in Patent Office

2,692 Days
Field of Search

726 1, 726 4, 726 26
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

G06F 21/44   Program or device authentic...

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

G06Q 30/02   Marketing; Price estimation...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

Node-based policy-enforcement across mixed media, mixed-communications modalities and extensible to cloud computing such as SOA

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Node-based policy-enforcement across mixed media, mixed-communications modalities and extensible to cloud computing such as SOA

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links