Policy enforcement system

US 10,277,633 B2
Filed: 01/08/2018
Issued: 04/30/2019
Est. Priority Date: 09/28/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies;

intercepting, by the policy enforcement system, a request for data submitted from a client device to a file system that stores the data, the request including a first user credentials;

forwarding, by the policy enforcement system, the request for data to a first node of the file system, the first node mapping the requested data to a second node that stores the data in the file system;

receiving, by the policy enforcement system and from the first node, a redirect request comprising information specifying the second node;

encrypting, by the policy enforcement system, the first user credentials to provide encrypted user credentials;

appending, by the policy enforcement system, the encrypted user credentials to the redirect request to provide a custom redirect request;

sending, by the policy enforcement system, the custom redirect request to the second node;

intercepting, by the policy enforcement system, a response to the custom redirect request sent from the second node to the client device;

selecting, by the policy enforcement system and from the plurality of policies, based on the first user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the first user credentials;

filtering, by the policy enforcement system, the data from the file system based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and

sending the filtered data to the client device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.

98 Citations

View as Search Results

20 Claims

1. A method, comprising:
- storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies;
  
  intercepting, by the policy enforcement system, a request for data submitted from a client device to a file system that stores the data, the request including a first user credentials;
  
  forwarding, by the policy enforcement system, the request for data to a first node of the file system, the first node mapping the requested data to a second node that stores the data in the file system;
  
  receiving, by the policy enforcement system and from the first node, a redirect request comprising information specifying the second node;
  
  encrypting, by the policy enforcement system, the first user credentials to provide encrypted user credentials;
  
  appending, by the policy enforcement system, the encrypted user credentials to the redirect request to provide a custom redirect request;
  
  sending, by the policy enforcement system, the custom redirect request to the second node;
  
  intercepting, by the policy enforcement system, a response to the custom redirect request sent from the second node to the client device;
  
  selecting, by the policy enforcement system and from the plurality of policies, based on the first user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the first user credentials;
  
  filtering, by the policy enforcement system, the data from the file system based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and
  
  sending the filtered data to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the data from the file system is organized by a table of columns and rows, wherein filtering the data from the file system comprises:
    - determining, based on the one or more policies associated with the first user credentials, that one or more columns of data in the table are restricted; and
      
      masking the one or more columns of data, wherein the one or more columns include the one or more data entries.
  - 3. The method of claim 2, wherein:
    - each of the one or more policies includes a predicate that determines whether the data is filtered or not,determining that the one or more columns of data in the table are restricted including evaluating the predicate, andmasking the one or more columns of data is in response to determining that the predicate evaluates to true.
  - 4. The method of claim 3, wherein the predicate is whether the data has a particular regular expression in a programming language.
  - 5. The method of claim 1, wherein the policy enforcement system is logically positioned between the client device and the file system, and the policy enforcement system does not interfere with existing file retrieval protocols between the client device and the file system.
  - 6. The method of claim 1, wherein each policy of the plurality of policies is generated by an administrator using a user interface that communicates with the policy enforcement system, wherein the administrator provides, at the user interface, user input specifying policies associated with a user credentials, and wherein the policy enforcement system stores the policies and the associated user credentials in an internal database.
  - 7. The method of claim 1, wherein each policy of the plurality of policies is associated with one or more user credentials, each of the one or more user credentials including at least one of a user identification or a group identification.

8. A system comprising:
- a client device;
  
  a file system comprising a node;
  
  a policy enforcement system comprising;
  
  a processor; and
  
  a non-transitory computer-readable medium coupled to the processor and having instructions stored thereon, which, when executed by the processor, cause the processor to perform operations comprising;
  
  storing a plurality of policies and data associating a plurality of user credentials with the plurality of policies;
  
  intercepting a request for data submitted from a client device to a file system that stores the data, the request including a first user credentials;
  
  forwarding the request for data to a first node of the file system, the first node mapping the requested data to a second node that stores the data in the file system;
  
  receiving, from the first node, a redirect request comprising information specifying the second node;
  
  encrypting the first user credentials to provide encrypted user credentials;
  
  appending the encrypted user credentials to the redirect request to provide a custom redirect request;
  
  sending the custom redirect request to the second node;
  
  intercepting a response to the custom redirect request sent from the second node to the client device;
  
  selecting from the plurality of policies, based on the first user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the first user credentials;
  
  filtering the data from the file system based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and
  
  sending the filtered data to the client device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the data from the file system is organized by a table of columns and rows, wherein filtering the data from the file system comprises:
    - determining, based on the one or more policies associated with the first user credentials, that one or more columns of data in the table are restricted; and
      
      masking the one or more columns of data, wherein the one or more columns include the one or more data entries.
  - 10. The system of claim 9, wherein:
    - each of the one or more policies includes a predicate that determines whether the data is filtered or not,determining that the one or more columns of data in the table are restricted including evaluating the predicate, andmasking the one or more columns of data is in response to determining that the predicate evaluates to true.
  - 11. The system of claim 10, wherein the predicate is whether the data has a particular regular expression in a programming language.
  - 12. The system of claim 8, wherein the policy enforcement system is logically positioned between the client device and the file system, and the policy enforcement system does not interfere with existing file retrieval protocols between the client device and the file system.
  - 13. The system of claim 8, wherein each policy of the plurality of policies is generated by an administrator using a user interface that communicates with the policy enforcement system, wherein the administrator provides, at the user interface, user input specifying policies associated with a user credentials, and wherein the policy enforcement system stores the policies and the associated user credentials in an internal database.
  - 14. The system of claim 8, wherein each policy of the plurality of policies is associated with one or more user credentials, each of the one or more user credentials including at least one of a user identification or a group identification.

15. A non-transitory computer-readable medium having instructions stored thereon, which, when executed by a processor, cause the processor to perform operations comprising:
- storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies;
  
  intercepting, by the policy enforcement system, a request for data submitted from a client device to a file system that stores the data, the request including a first user credentials;
  
  forwarding, by the policy enforcement system, the request for data to a first node of the file system, the first node mapping the requested data to a second node that stores the data in the file system;
  
  receiving, from the first node, a redirect request comprising information specifying the second node;
  
  encrypting the first user credentials to provide encrypted user credentials;
  
  appending the encrypted user credentials to the redirect request to provide a custom redirect request;
  
  sending the custom redirect request to the second node;
  
  intercepting, by the policy enforcement system, a response to the custom redirect request sent from the second node to the client device;
  
  selecting from the plurality of policies, based on the first user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the first user credentials;
  
  filtering, by the policy enforcement system, the data from the file system based on the one or more policies to generate filtered data by inserting one or more masking characters in one or more data entries of the data; and
  
  sending the filtered data to the client device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the data from the file system is organized by a table of columns and rows, wherein filtering the data from the file system comprises:
    - determining, based on the one or more policies associated with the first user credentials, that one or more columns of data in the table are restricted; and
      
      masking the one or more columns of data, wherein the one or more columns include the one or more data entries.
  - 17. The non-transitory computer-readable medium of claim 16, wherein:
    - each of the one or more policies includes a predicate that determines whether the data is filtered or not,determining that the one or more columns of data in the table are restricted including evaluating the predicate, andmasking the one or more columns of data is in response to determining that the predicate evaluates to true.
  - 18. The non-transitory computer-readable medium of claim 17, wherein the predicate is whether the data has a particular regular expression in a programming language.
  - 19. The non-transitory computer-readable medium of claim 15, wherein the policy enforcement system is logically positioned between the client device and the file system, and the policy enforcement system does not interfere with existing file retrieval protocols between the client device and the file system.
  - 20. The non-transitory computer-readable medium of claim 15, wherein each policy of the plurality of policies is generated by an administrator using a user interface that communicates with the policy enforcement system, wherein the administrator provides, at the user interface, user input specifying policies associated with a user credentials, and wherein the policy enforcement system stores the policies and the associated user credentials in an internal database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
BlueTalon, Inc. (Microsoft Corporation)
Inventors
Arumugam, Dilli Dorai Minnal, Mujumdar, Prasad
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US15/864,886
Publication Number

US 20180131727A1
Time in Patent Office

477 Days
Field of Search

713168
US Class Current
CPC Class Codes

G06F 16/122   using management policies b...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/0421   Anonymous communication, i....

H04L 63/0428   wherein the data content is...

H04L 63/20   for managing network securi...

Policy enforcement system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy enforcement system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links