System and method for secure synchronization of data across multiple computing devices

US 10,075,473 B2
Filed: 02/12/2015
Issued: 09/11/2018
Est. Priority Date: 08/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

detecting, at a server computing device, a file content update on a first computing device, the file, in a first format, created by a first application and the file to be synchronized on a plurality of different computing devices in a plurality of different formats optimized for rendering on different device types, the plurality of different computing devices including a second computing device receiving the file in a second format optimized for the second computing device;

associating, at the server computing device, a security policy with the file, wherein security controls are to be applied to the file based on the security policy, and wherein the security controls comprise one or more of viewing restrictions, copying restrictions, printing restrictions, forwarding restrictions, access restrictions, application of watermarks, setting of expiration dates and times, authentication requirements, redaction, and prevention of screen captures;

responsive to determining at the second computing device that one or more of the security controls to be applied to the file are unenforceable by a second application of the second computing device when the security controls are applied to the file in the second format;

transforming, at the server computing device, the file to a different format of the plurality of different formats, wherein the security controls, when applied to the file in the different format, are enforceable by the second application of the second computing device; and

applying, at the server computing device, the security controls to the file in the different format for enforcement, by the second application at the second computing device, of the applied security controls with respect to the file in the different format; and

propagating, at the server computing device, the file content update to the file in the different format comprising transforming the update to a corresponding update for the file in the different format.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method and apparatus comprises detecting a file content update on a first client computer system, the file to be synchronized on a plurality of different types of client computer systems in a plurality of formats. The method further comprises associating a security policy with the file, wherein the security policy includes restrictions to limit one or more actions that can be performed with the file, and synchronizing the file to a second client computing system while applying the security policy to provide controls for enforcement of the restrictions at the second client computer system.

34 Citations

View as Search Results

29 Claims

1. A computer implemented method comprising:
- detecting, at a server computing device, a file content update on a first computing device, the file, in a first format, created by a first application and the file to be synchronized on a plurality of different computing devices in a plurality of different formats optimized for rendering on different device types, the plurality of different computing devices including a second computing device receiving the file in a second format optimized for the second computing device;
  
  associating, at the server computing device, a security policy with the file, wherein security controls are to be applied to the file based on the security policy, and wherein the security controls comprise one or more of viewing restrictions, copying restrictions, printing restrictions, forwarding restrictions, access restrictions, application of watermarks, setting of expiration dates and times, authentication requirements, redaction, and prevention of screen captures;
  
  responsive to determining at the second computing device that one or more of the security controls to be applied to the file are unenforceable by a second application of the second computing device when the security controls are applied to the file in the second format;
  
  transforming, at the server computing device, the file to a different format of the plurality of different formats, wherein the security controls, when applied to the file in the different format, are enforceable by the second application of the second computing device; and
  
  applying, at the server computing device, the security controls to the file in the different format for enforcement, by the second application at the second computing device, of the applied security controls with respect to the file in the different format; and
  
  propagating, at the server computing device, the file content update to the file in the different format comprising transforming the update to a corresponding update for the file in the different format.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising:
    - transforming the file into the plurality of different formats; and
      
      propagating the file content update to each of the plurality of different formats of the file, comprising transforming the update to corresponding updates for each of the plurality of different formats of the file.
  - 3. The method of claim 1, further comprising:
    - receiving an update to metadata of the file from one of the plurality of different computing devices, wherein the metadata update is an annotation associated with a location within the file, and the annotation metadata is propagated to annotations at corresponding locations within each of the plurality of different formats of the file, and thereafter distributed to each of the plurality of different computing devices.
  - 4. The method of claim 1, further comprising:
    - detecting an update to metadata of the file from one of the plurality of different computing devices, wherein the updated metadata comprises an update to the security policy;
      
      propagating the metadata update through each of the plurality of different formats of the file; and
      
      distributing the security controls derived from the metadata update to each of the plurality of computing devices comprising determining whether the update to the metadata can be applied to an existing file.
  - 5. The method of claim 4, further comprising causing the second computing device to acquire the file in the different format when the update to the metadata cannot be applied to the file in the second format on the second computing device.
  - 6. The method of claim 1, further comprising:
    - receiving tracking information from one or more of the plurality of different computing devices, the tracking information including at least data indicative of actions performed or attempted to be performed on the file with respect to the security policy; and
      
      logging the tracking information on a centralized server.
  - 7. The method of claim 1, wherein the security policy associated with the file causes the application of a plurality of different levels of control, wherein each of the different levels of control provides a different level of access for actions that can be performed on the file.
  - 8. The method of claim 1, wherein the format of the file is transformed to one or more of:
    - a clear text, unprotected file;
      
      an encrypted file with controls associated with it, restricting one or more of;
      
      who is permitted to access the file, where, on what device, at what time, and what operation a user is permitted to perform on the file; and
      
      a link or shortcut to a controlled online version of the file.
  - 9. The method of claim 1, further comprising:
    - controlling use of the file synchronized on a computing device, as determined by the security policy associated with the file, and by one or more of the following parameters;
      
      an identity of a user of the computing device, a type of the computing device, network connection type and availability, time of day, a geographic location of the computing device, file content, file classification or metadata, level of authentication used, and file location in file system.
  - 10. The method of claim 9, wherein controlling use comprises requiring re-acquisition of the security controls applied to the file, thereby enabling updates to the security policy associated with the file to be automatically enforced at the computing device.
  - 11. The method of claim 1, further comprising:
    - providing a folder, wherein a file, when placed into the folder, is automatically synchronized.
  - 12. The method of claim 11, wherein when the file is placed into the folder, one or more security controls based on the security policy are automatically applied to the file.
  - 13. The method of claim 11, wherein when the file is removed from the folder, the security policy adjusts the restrictions associated with the file.
  - 14. The method of claim 11, wherein placement of the file in the folder does not permit removal of the file from the folder.
  - 15. The method of claim 1, further comprising:
    - displaying an indication of file status as an overlay over a file icon or a notification message to an end user or both, wherein the file status indicates one or more of;
      
      a file protection status, a file offline availability status, a file expiration status, a file synchronization status, and a display indicative of controls that have been applied to the file.
  - 16. The method of claim 1, further comprising:
    - enabling an end user to select a local file to retrieve additional information on the file or perform one or more operations that include;
      
      view an audit trail of the file, view current controls associated with the file, view versioning history of the file, modify file controls, and revoke file access.
  - 17. The method of claim 1, further comprising:
    - generating a searchable index of contents and metadata associated with the file prior to encrypting the file and the metadata, wherein the index enables search queries to be performed on file contents by end users, and wherein search queries return results that an end user is authorized to receive based on the security policy associated with the file.
  - 18. The method of claim 1, wherein the file is encrypted and wherein detecting a file content update on the first computing device further comprises:
    - decrypting the file upon receipt;
      
      calculating two types of checksums for fixed-length non-overlapping blocks within the decrypted file;
      
      a rolling checksum and a cryptographic hash;
      
      caching the checksums;
      
      comparing the calculated rolling checksums against rolling checksums calculated by a server computing system from a current version of the file maintained by the server computing system;
      
      upon obtaining a match of rolling checksums for a block, comparing cryptographic hashes calculated for the block;
      
      when a match is found for a cryptographic hash of a fixed-length non-overlapping block of data in the file, using a corresponding fixed-length non-overlapping block of data block of data from the current version of the file on the server computing system, in lieu of transferring it from the first computing system over a network; and
      
      when a match is not found for the cryptographic hash of the fixed-length non-overlapping block of data in the file, transferring the fixed-length non-overlapping block of data as an updated data block of the file to the server computing system.
  - 19. The method of claim 18, wherein the file is stored in blocks corresponding to the non-overlapping chunks of data along with checksums for the blocks.
  - 20. The method of claim 1, wherein files to be synchronized reside in one or more disparate storage systems selected from a network drive, a network attached storage (NAS), a storage area network (SAN), a content management system, and a cloud service.

21. A secure synchronization system comprising:
- a memory to store a file; and
  
  a hardware processor coupled with the memory, and configured;
  
  to detect, at a server computing device, a file content update on a first computing device, the file, in a first format, created by a first application and the file to be synchronized on a plurality of different computing devices in a plurality of different formats optimized for rendering on different device types, the plurality of different computing devices including a second computing device receiving the file in a second format optimized for the second computing device;
  
  to associate, at the server computing device, a security policy with the file, wherein security controls are to be applied to the file based on the security policy, and wherein the security controls comprise one or more of viewing restrictions, copying restrictions, printing restrictions, forwarding restrictions, access restrictions, application of watermarks, setting of expiration dates and times, authentication requirements, redaction, and prevention of screen captures;
  
  responsive to determining at the second computing device that one or more of the security controls to be applied to the file are unenforceable by a second application of the second computing device when the security controls are applied to the file in the second format;
  
  to transform, at the server computing device, the file to a different format of the plurality of different formats, wherein the security controls, when applied to the file in the different format, are enforceable by the second application of the second computing device; and
  
  to apply, at the server computing device, the security controls to the file in the different format for enforcement, by the second application at the second computing device, of the applied security controls with respect to the file in the different format; and
  
  to propagate, at the server computing device, the file content update to the file in the different format comprising transforming the update to a corresponding update for the file in the different format.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The system of claim 21, further comprising the processor configured:
    - to transform the file into the plurality of different formats; and
      
      to propagate the file content update to each of the plurality of different formats of the file, comprising transforming the update to corresponding updates for each of the plurality of different formats of the file.
  - 23. The system of claim 21, further comprising the processor configured:
    - to detect an update to metadata of the file from one of the plurality of different computing devices, wherein the updated metadata comprises an update to the security policy;
      
      to propagate the metadata update through each of the plurality of different formats of the file; and
      
      to distribute the security controls derived from the metadata update to each of the plurality of computing devices comprising determining whether the update to the metadata can be applied to an existing file.
  - 24. The system of claim 23, further comprising the processor configured to cause the second computing device to acquire the file in the different format when the update to the metadata cannot be applied to the file in the second format on the second computing device.
  - 25. The system of claim 21, further comprising the processor configured to receive tracking information from one or more of the plurality of different computing devices, the tracking information including at least data indicative of actions performed or attempted to be performed on the file with respect to the security policy, and logging the tracking information on a centralized server.
  - 26. The system of claim 21, wherein the security policy associated with the file causes the application of a plurality of different levels of control, wherein each of the different levels of control provides a different level of access for actions that can be performed on the file.
  - 27. The system of claim 21, wherein the format of the file is transformed to one or more of:
    - a clear text, unprotected file;
      
      an encrypted file with controls associated with it, restricting one or more of;
      
      who is permitted to access the file, where, on what device, at what time, and what operation a user is permitted to perform on the file; and
      
      a link or shortcut to a controlled online version of the file.
  - 28. The system of claim 21, further comprising the processor configured to control use of the file synchronized on a computing device, as determined by the security policy associated with the file, and by one or more of the following parameters:
    - an identity of a user of the computing device, a type of the computing device, network connection type and availability, time of day, a geographic location of the computing device, file content, file classification or metadata, level of authentication used, and file location in file system.
  - 29. The system of claim 21, further comprising a folder for automatic synchronization, wherein the processor is configured, when a file is placed into the folder, to automatically synchronize the file to a centralized server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Ruppin, Adi, Peri, Doron, Ben-Natan, Yigal, Shidlansik, Gil S., Liram, Miron, Saporta, Ori, Potashinsky, David, Yulevich, Uri, Choi, Timothy
Primary Examiner(s)
Schmidt, Kari L
Assistant Examiner(s)
Mohammadi, Fahimeh

Application Number

US14/620,645
Publication Number

US 20150180905A1
Time in Patent Office

1,307 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/178   Techniques for file synchro...

G06F 21/10   Protecting distributed prog...

G06F 21/128   involving web programs, i.e...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/06   specially adapted for file ...

H04L 67/10   in which an application is ...

H04L 67/1095   Replication or mirroring of...

System and method for secure synchronization of data across multiple computing devices

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure synchronization of data across multiple computing devices

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links