Access blocking for data loss prevention in collaborative environments

US 10,216,919 B2
Filed: 01/17/2017
Issued: 02/26/2019
Est. Priority Date: 10/26/2014
Status: Active Grant

First Claim

Patent Images

1. A method to provide access blocking as part of data loss prevention (DLP) within a collaborative service environment, the method comprising:

evaluating content of a user processed by a collaborative service, wherein the content is associated with an application executed within an infrastructure provided by the collaborative service;

determining if information associated with the content matches access blocking criteria defined by one or more DLP policy rules;

in response to a determination that a portion of the information matches at least one access blocking criterion defined by the one or more DLP policy rules, automatically activating a block access tag associated with the content to restrict access to the content;

providing for display, on a user experience of the application that is displaying the content, a notification to the user, wherein the notification describes the at least one access blocking criterion and the portion of the information, and the notification includes a control element associated with an action to remove the portion of the information in order to deactivate the block access tag associated with the content;

detecting a selection of the control element on the user experience by the user to remove the portion of the information that matches the at least one access blocking criterion defined by the one or more DLP policy rules from the content; and

responsive to the removal, automatically deactivating the block access tag associated with the content to provide access to the content based on a determination that the information associated with the content does not match the access blocking criteria defined by the one or more DLP policy rules.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data loss prevention (DLP) systems may be implemented in conjunction with collaborative services that may be integrated with or work in coordination with productivity services. Administrators may be enabled to configure DLP policies in the collaborative service to mitigate their organization'"'"'s information disclosure risks, along with the detection and remediation of sensitive information. Access blocking may be one feature of the DLP system, where provision of access blocking may include determining if a detected action associated with content processed by the collaborative service matches access blocking criteria defined by DLP policy rules. In response to the determination that the action matches at least one access blocking criterion defined by the DLP policy rules, a block access tag associated with the content may be activated, previously defined permissions associated with the content may be ignored or altered, and access to the content may be restricted to a number of predefined users.

Citations

20 Claims

1. A method to provide access blocking as part of data loss prevention (DLP) within a collaborative service environment, the method comprising:
- evaluating content of a user processed by a collaborative service, wherein the content is associated with an application executed within an infrastructure provided by the collaborative service;
  
  determining if information associated with the content matches access blocking criteria defined by one or more DLP policy rules;
  
  in response to a determination that a portion of the information matches at least one access blocking criterion defined by the one or more DLP policy rules, automatically activating a block access tag associated with the content to restrict access to the content;
  
  providing for display, on a user experience of the application that is displaying the content, a notification to the user, wherein the notification describes the at least one access blocking criterion and the portion of the information, and the notification includes a control element associated with an action to remove the portion of the information in order to deactivate the block access tag associated with the content;
  
  detecting a selection of the control element on the user experience by the user to remove the portion of the information that matches the at least one access blocking criterion defined by the one or more DLP policy rules from the content; and
  
  responsive to the removal, automatically deactivating the block access tag associated with the content to provide access to the content based on a determination that the information associated with the content does not match the access blocking criteria defined by the one or more DLP policy rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - deactivating the block access tag associated with the content to provide access to the content in response to receipt of a business justification to override the restricted access to the content.
  - 3. The method of claim 1, further comprising:
    - deactivating the block access tag associated with the content to provide access to the content in response to receipt of a false positive report associated with the at least one access blocking criterion matched.
  - 4. The method of claim 1, further comprising:
    - deactivating the block access tag associated with the content to provide access to the content in response to receipt of a request to perform one of a policy check and a reclassification.
  - 5. The method of claim 1, further comprising:
    - determining if a user with access to the content matches the access blocking criteria defined by one or more DLP policy rules;
      
      in response to a determination that the user matches at least one access blocking criterion defined by the one or more DLP policy rules, activating the block access tag associated with the content to restrict access to the content; and
      
      deactivating the block access tag associated with the content to provide access to the content in response to detecting removal of the user corresponding to the at least one access blocking criterion from access to the content.
  - 6. The method of claim 1, further comprising:
    - determining if a location of the content matches the access blocking criteria defined by one or more DLP policy rules;
      
      in response to a determination that the location matches at least one access blocking criterion defined by the one or more DLP policy rules, activating the block access tag associated with the content to restrict access to the content; and
      
      deactivating the block access tag associated with the content to provide access to the content in response to detecting a change of the location corresponding to the at least one access blocking criterion.
  - 7. The method of claim 1, further comprising:
    - ignoring previously defined permissions associated with the content while the block access tag is activated; and
      
      reinstating the previously defined permissions associated with the content in response to deactivation of the block access tag.
  - 8. The method of claim 1, further comprising:
    - providing for display, on the user experience of the application that is displaying the content, another notification to the user, wherein the other notification indicates the restricted access to the content.
  - 9. The method of claim 1, further comprising:
    - in response to a determination that the information associated with the content does not match at least one of the access blocking criterion, providing for display, on the user experience of the application that is displaying the content, a further notification to the user, wherein the further notification includes a link to a DLP policy document comprising one or more DLP policy rules, a link to a location of the content and control elements associated with one or more actions.

10. A computing device to provide access blocking as part of data loss prevention (DLP) within a collaborative service environment, the computing device comprising:
- a communication interface configured to facilitate communication between the computing device and a collaboration service;
  
  a memory configured to store instructions; and
  
  a processor coupled to the communication interface and the memory, wherein the processor is configured to;
  
  evaluate content of a user processed by the collaborative service, wherein the content is associated with an application executed within an infrastructure provided by the collaborative service;
  
  determine if information associated with the content matches access blocking criteria defined by one or more DLP policy rules;
  
  in response to a determination that a portion of the information matches at least one access blocking criterion defined by the one or more DLP policy rules, automatically activate a block access tag associated with the content to restrict access to the content;
  
  provide for display, on a user experience of the application that is displaying the content, a notification to the user, wherein the notification describes the at least one access blocking criterion and the portion of the information, and the notification includes a control element associated with an action to remove the portion of the information in order to deactivate the block access tag associated with the content;
  
  detect a selection of the control element on the user experience by the user to remove the portion of the information that matches the at least one access blocking criterion defined by the one or more DLP policy rules from the content; and
  
  responsive to the removal, automatically deactivate the block access tag associated with the content to provide access to the content based on a determination that the information associated with the content does not match the access blocking criteria defined by the one or more DLP policy rules.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computing device of claim 10, wherein the computing device is associated with a client comprising a classification engine and a policy engine.
  - 12. The computing device of claim 11, wherein the processor is further configured to execute one or more of the classification engine and the policy engine to evaluate the content.
  - 13. The computing device of claim 10, wherein the content is evaluated in response to one of:
    - an opening of the content, an editing of the content, a sharing of the content, a copying of the content, a moving of the content, a publishing of the content, a saving of the content, a printing of the content, an uploading of the content, a downloading of the content, and an expiration of a predefined time interval.
  - 14. The computing device of claim 10, wherein the restricted access to the content includes one or more of read, edit, and share permissions.
  - 15. The computing device of claim 10, wherein the processor is further configured to:
    - record one or more of the match, the restricted access to the content, the provision of access to the content, an override of the restricted access to the content, and a false positive report within a log associated with the collaborative service.
  - 16. The computing device of claim 10, wherein the block access tag associated with the content is persisted to an index of the collaborative service.

17. A method to provide access blocking as part of data loss prevention (DLP) within a collaborative service environment, the method comprising:
- evaluating content of a user processed by a collaborative service, wherein the content is associated with an application executed within an infrastructure provided by the collaborative service;
  
  determining if information associated with the content, a user with access to the content, or a location of the content matches access blocking criteria defined by one or more DLP policy rules;
  
  in response to a determination that one or more of a portion of the information, the user, and the location matches at least one access blocking criterion defined by the one or more DLP policy rules, automatically activating a block access tag associated with the content to restrict access to the content;
  
  providing for display, on a user experience of the application that is displaying the content, a notification to the user, wherein the notification describes the at least one access blocking criterion and the one or more of the portion of the information, the user, and the location, and the notification includes a control element associated with an action to remove the one or more of the portion of the information, the user, and the location in order to deactivate the block access tag associated with the content;
  
  detecting a selection of the control element on the user experience by the user to remove the one or more of the portion of the information, the user, and the location that matches the at least one access blocking criterion defined by the one or more DLP policy rules from the content; and
  
  responsive to the removal, automatically deactivating the block access tag to provide access to the content based on a determination that the information associated with the content, the user with access to the content, and the location of the content do not match the access blocking criteria defined by the one or more DLP policy rules.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - deactivating the block access tag associated with the content to provide access to the content in response to receipt of;
      
      a business justification to override the restricted access to the content;
      
      a false positive report associated with the at least one access blocking criterion matched, ora request to perform one of a policy check and a reclassification.
  - 19. The method of claim 17, further comprising:
    - in response to a determination that the information associated with the content does not match at least one of the access blocking criterion, providing for display, on the user experience of the application that is displaying the content, another notification to the user.
  - 20. The method of claim 19, wherein the other notification includes a link to a DLP policy document that includes the one or more DLP rules, a link to a location of the content, and control elements associated with one or more actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Li, Yu, Jones, Willard Bruce, Wilhelm, Ryan, Holley, Richard Wesley
Primary Examiner(s)
Doan, Trang T

Application Number

US15/408,410
Publication Number

US 20170126697A1
Time in Patent Office

770 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/44   Program or device authentic...

G06F 21/6209   to a single file or object,...

G06F 40/103   Formatting, i.e. changing o...

G06Q 10/103   Workflow collaboration or p...

H04L 63/105   Multiple levels of security

H04L 67/10   in which an application is ...

Access blocking for data loss prevention in collaborative environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access blocking for data loss prevention in collaborative environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links