Protecting sensitive information from a secure data store

US 10,367,815 B2
Filed: 08/19/2016
Issued: 07/30/2019
Est. Priority Date: 03/17/2009
Status: Active Grant

First Claim

Patent Images

1. A method of protecting stored information, the method comprising:

storing a security policy for controlling access by a network endpoint to an encrypted remote data store, the security policy requiring a data store connected to the network endpoint to meet one or more security requirements for identification as a secure data store, the one or more security requirements including a requirement that the data store connected to the network endpoint be encrypted;

receiving an indication at a threat management facility that a first endpoint has access to the encrypted remote data store;

auditing the first endpoint to determine whether a security parameter of a first data store connected to the first endpoint is compliant with the one or more security requirements for identification as a secure data store;

when the security parameter of the first data store is compliant with the one or more security requirements for identification as a secure data store, permitting dissemination of data from the encrypted remote data store to the first endpoint; and

when the security parameter of the first data store is not compliant with at least one of the one or more security requirements, causing the first endpoint to implement an action by the first endpoint to regulate dissemination of data from the encrypted remote data store to the first endpoint.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for the steps of receiving an indication that a computer facility has access to a secure data store, causing a security parameter of a storage medium local to the computer facility to be assessed, determining if the security parameter is compliant with a security policy relating to computer access of the remote secure data store, and in response to an indication that the security parameter is non-compliant, cause the computer facility to implement an action to prevent further dissemination of information, to disable access to network communications, to implement an action to prevent further dissemination of information, and the like.

40 Citations

19 Claims

1. A method of protecting stored information, the method comprising:
- storing a security policy for controlling access by a network endpoint to an encrypted remote data store, the security policy requiring a data store connected to the network endpoint to meet one or more security requirements for identification as a secure data store, the one or more security requirements including a requirement that the data store connected to the network endpoint be encrypted;
  
  receiving an indication at a threat management facility that a first endpoint has access to the encrypted remote data store;
  
  auditing the first endpoint to determine whether a security parameter of a first data store connected to the first endpoint is compliant with the one or more security requirements for identification as a secure data store;
  
  when the security parameter of the first data store is compliant with the one or more security requirements for identification as a secure data store, permitting dissemination of data from the encrypted remote data store to the first endpoint; and
  
  when the security parameter of the first data store is not compliant with at least one of the one or more security requirements, causing the first endpoint to implement an action by the first endpoint to regulate dissemination of data from the encrypted remote data store to the first endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the action includes at least one of disabling network communications to the first endpoint and disabling network communications from the first endpoint.
  - 3. The method of claim 1, wherein the action includes at least one of disabling all network communications to the first endpoint, except for communication between the threat management facility and the first endpoint, and disabling all network communications from the first endpoint, except for communication between the threat management facility and the first endpoint.
  - 4. The method of claim 1, wherein the action includes disabling communications between the first endpoint and the encrypted remote data store.
  - 5. The method of claim 1, wherein the action includes disabling write capabilities to data stores associated with the first endpoint.
  - 6. The method of claim 1, wherein the action includes disabling local port communications.
  - 7. The method of claim 1, wherein the one or more security requirements include a requirement that the data store connected to the network endpoint be password protected.
  - 8. The method of claim 1, wherein the one or more security requirements include a requirement that the data store connected to the network endpoint be accessible only by the network endpoint.
  - 9. The method of claim 1, wherein the one or more security requirements include a requirement of anti-virus software running on the network endpoint.
  - 10. The method of claim 1, wherein the one or more security requirements include a requirement of the network endpoint having full disk encryption.
  - 11. The method of claim 1, wherein the one or more security requirements include a requirement of a correct version of endpoint compliance software running on the network endpoint.
  - 12. The method of claim 1, wherein the one or more security requirements include a requirement of the network endpoint having an appropriate operating firewall.

13. A computer program product embodied in a non-transitory computer readable medium that, when executing on a threat management facility, performs steps comprising:
- storing a security policy for controlling access by a network endpoint to an encrypted remote data store, the security policy requiring a data store connected to the network endpoint to meet one or more security requirements for identification as a secure data store, the one or more security requirements including a requirement that the data store connected to the network endpoint be encrypted;
  
  receiving an indication at the threat management facility that a first endpoint has access to the encrypted remote data store;
  
  auditing the first endpoint to determine whether a security parameter of a first data store connected to the first endpoint is compliant with the one or more security requirements for identification as a secure data store;
  
  when the security parameter of the first data store is compliant with the one or more security requirements for identification as a secure data store, permitting dissemination of data from the encrypted remote data store to the first endpoint; and
  
  when the security parameter of the first data store is not compliant with at least one of the one or more security requirements, causing the first endpoint to implement an action by the first endpoint to regulate dissemination of data from the encrypted remote data store to the first endpoint.
- View Dependent Claims (14, 15, 16)
- - 14. The computer program product of claim 13, wherein the action includes at least one of disabling network communications to the first endpoint and disabling network communications from the first endpoint.
  - 15. The computer program product of claim 13, wherein the action includes one or more of the following:
    - disabling communications between the first endpoint and the encrypted remote data store;
      
      disabling write capabilities to data stores associated with the first endpoint; and
      
      disabling local port communications.
  - 16. The computer program product of claim 13, wherein the one or more security requirements include one or more of the following:
    - a requirement that the data store connected to the network endpoint be password protected; and
      
      a requirement that the data store connected to the network endpoint be accessible only by the network endpoint.

17. A system comprising:
- an encrypted remote data store;
  
  a first endpoint including a computing device comprising a memory and a processor, the first endpoint in a communicating relationship with the encrypted remote data store, and the first endpoint storing a security policy for controlling access by a network endpoint to the encrypted remote data store, the security policy requiring a data store connected to the network endpoint to meet one or more security requirements for identification as a secure data store, the one or more security requirements including a requirement that the data store connected to the network endpoint be encrypted; and
  
  a threat management facility coupled in a communicating relationship with the first endpoint, the threat management facility configured to, in response to an indication that the first endpoint has access to the encrypted remote data store, audit the first endpoint to determine whether a first internal data store connected to the first endpoint is compliant with one or more security requirements for identification as a secure data store, to permit dissemination of data from the encrypted remote data store to the first endpoint when the first internal data store is compliant with the one or more security requirements for identification as a secure data store, and, when the first internal data store is not compliant with at least one of the one or more security requirements, to cause the first endpoint to implement an action, by the first endpoint to regulate dissemination of data from the encrypted remote data store to the first endpoint.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein regulating dissemination of data includes one or more of the following:
    - disabling communications between the first endpoint and the encrypted remote data store;
      
      disabling write capabilities to data stores associated with the first endpoint; and
      
      disabling all local port communications.
  - 19. The system of claim 17, wherein the one or more security requirements include one or more of the following:
    - a requirement that the data store connected to the network endpoint be password protected; and
      
      a requirement that the data store connected to the network endpoint be accessible only by the network endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Keene, David P., Donley, Daryl E.
Primary Examiner(s)
Kim, Jung W
Assistant Examiner(s)
De Jesus Lassala, Carlos M

Application Number

US15/241,915
Publication Number

US 20160373448A1
Time in Patent Office

1,075 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/88   Detecting or preventing the...

H04L 63/02   for separating internal fro...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04W 12/065   Continuous authentication

H04W 12/088   using filters or firewalls

Protecting sensitive information from a secure data store

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting sensitive information from a secure data store

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links