Compartment-based data security

US 10,242,222 B2
Filed: 01/13/2015
Issued: 03/26/2019
Est. Priority Date: 01/14/2014
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium storing instructions which, when processed by a processor, cause the processor to implement a method of securing data, the method comprising:

storing, by a first user, a data set as an object in a data storage system accessible by multiple users, and associating the object with an object security label;

creating a user-controlled compartment and storing the user-controlled compartment in the object security label, the object security label being represented as a text string having a syntax of a tuple, the user-controlled compartment configured to be administered by the first user and having an identifier, the first user being associated with a first security label;

associating the first security label with the user-controlled compartment, the user-controlled compartment defining a plurality of access rights to the object as set by the user; and

defining, by the first user, one or more of the plurality of access rights to be given to a second user, and storing the one or more of the plurality of access rights in a common compartment stored in a second security label, the second security label associated with the second user, the common compartment having the identifier and configured to be administered by the first user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment of a non-transitory computer-readable storage medium stores instructions which, when processed by a processor, cause the processor to implement a method of securing data. The method includes: creating a user-controlled compartment associated with an object security label, the user-controlled compartment configured to be administered by a first user, the first user being associated with a first security label; storing, by the first user, a data set as an object in a data storage system accessible by multiple users, and associating the object with the object security label; and associating the first user security label with the user-controlled compartment, the user-controlled compartment defining access to the object as set by the user.

47 Citations

View as Search Results

18 Claims

1. A non-transitory computer-readable storage medium storing instructions which, when processed by a processor, cause the processor to implement a method of securing data, the method comprising:
- storing, by a first user, a data set as an object in a data storage system accessible by multiple users, and associating the object with an object security label;
  
  creating a user-controlled compartment and storing the user-controlled compartment in the object security label, the object security label being represented as a text string having a syntax of a tuple, the user-controlled compartment configured to be administered by the first user and having an identifier, the first user being associated with a first security label;
  
  associating the first security label with the user-controlled compartment, the user-controlled compartment defining a plurality of access rights to the object as set by the user; and
  
  defining, by the first user, one or more of the plurality of access rights to be given to a second user, and storing the one or more of the plurality of access rights in a common compartment stored in a second security label, the second security label associated with the second user, the common compartment having the identifier and configured to be administered by the first user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the method further comprises:
    - based on the second user creating a new version of the object, creating a second user-controlled compartment and associating the second user-controlled compartment with a second object security label associated with the new version and the second user security label;
      
      defining, by the second user, access to the new version of the object, wherein access includes at least one of access levels and an access rights; and
      
      based on the second user desiring to provide access to the new version to another user, adding the another user as a member of the second user-controlled compartment and assigning selected access levels and access rights to the another user, the selected access levels and rights stored in a respective compartment associated with the another user.
  - 3. The non-transitory computer-readable storage medium of claim 1, wherein the identifier is a globally unique compartment identifier.
  - 4. The non-transitory computer-readable storage medium of claim 1, further comprising defining, by the first user, access levels and access rights to the object, and storing the access levels and access rights in the user-controlled compartment in the object security label.
  - 5. The non-transitory computer-readable storage medium of claim 1, wherein the object security label is stored as part of metadata associated with the object, the metadata including a globally unique object identifier that identifies the object and a version table having a relation to the globally unique object identifier, the object identifier in combination with the version identifier precisely identifying a particular version of the object.
  - 6. The non-transitory computer-readable storage medium of claim 1, further comprising determining whether a second user has access to the data set, wherein determining includes comparing the second user security label with the object security label.
  - 7. The non-transitory computer-readable storage medium of claim 6, wherein the second user is determined to have access to the data set based on both the object security label including the user-controlled compartment and the second user security label including the common compartment.
  - 8. The non-transitory computer-readable storage medium of claim 5, wherein the metadata is organized according to an entity-attribute-value (“
    - EAV”
      
      ) model, and further includes a descriptor table having the object identifier and a type identifier, a property table having the type identifier and a property identifier, and a value table related to the property table and the version table.
  - 9. The non-transitory computer-readable storage medium of claim 1, wherein the data set includes data acquired in conjunction with an energy industry operation.

10. A method of securing data, the method comprising:
- storing, by a first user, a data set as an object in a data storage system accessible by multiple users, and associating the object with an object security label;
  
  creating a user-controlled compartment and storing the user-controlled compartment in the object security label, the object security label being represented as a text string having a syntax of a tuple, the user-controlled compartment configured to be administered by the first user and having an identifier, the first user being associated with a first security label;
  
  associating the first security label with the user-controlled compartment, the user-controlled compartment defining a plurality of access rights to the object as set by the user; and
  
  defining, by the first user, one or more of the plurality of access rights to be given to a second user, and storing the one or more of the plurality of access rights in a common compartment stored in a second security label, the second security label associated with the second user, the common compartment having the identifier and configured to be administered by the first user.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, further comprising:
    - based on the second user creating a new version of the object, creating a second user-controlled compartment and associating the second user-controlled compartment with a second object security label associated with the new version and the second user security label;
      
      defining, by the second user, access to the new version of the object, wherein access includes at least one of access levels and an access rights; and
      
      based on the second user desiring to provide access to the new version to another user, adding the another user as a member of the second user-controlled compartment and assigning selected access levels and access rights to the another user, the selected access levels and rights stored in a respective compartment associated with the another user.
  - 12. The method of claim 10, wherein the identifier is a globally unique compartment identifier.
  - 13. The method of claim 10, further comprising defining, by the first user, access levels and access rights to the object, and storing the access levels and access rights in the user-controlled compartment in the object security label.
  - 14. The method of claim 10, wherein the object security label is stored as part of metadata associated with the object.
  - 15. The method of claim 14, wherein the metadata includes a globally unique object identifier that identifies the object, and a version table having a relation to the globally unique object identifier.
  - 16. The method of claim 15, wherein the object identifier in combination with a version identifier precisely identifies a particular version of the object.
  - 17. The method of claim 15, wherein the metadata is organized according to an entity-attribute-value (“
    - EAV”
      
      ) model, and further includes a descriptor table having the object identifier and a type identifier, a property table having a type identifier and a property identifier, and a value table related to the property table and the version table.
  - 18. The method of claim 10, wherein the data set includes data acquired in conjunction with an energy industry operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Baker Hughes Incorporated (Baker Hughes Company)
Original Assignee
Baker Hughes, a GE Company, LLC (Baker Hughes Company)
Inventors
Rundle, Robert, Bax, Nicolaas Pleun, Partipilo, Michelangelo
Primary Examiner(s)
Beausoliel, Jr., Robert W
Assistant Examiner(s)
Santos, Pedro J

Application Number

US14/595,763
Publication Number

US 20150205977A1
Time in Patent Office

1,533 Days
Field of Search

707999009, 707781, 707783, 707784
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2145   Inheriting rights or proper...

Compartment-based data security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Compartment-based data security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links