Data classification and access control for cloud based data

US 10,404,716 B2
Filed: 03/15/2017
Issued: 09/03/2019
Est. Priority Date: 02/13/2017
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method of reducing or preventing data leakage which would otherwise occur from applications running at a client operating system (OS) and which do not operate in accordance with restrictions imposed by a data protection policy for confidential resources stored at a network resource server, wherein the computer-implemented method is performed by one or more processors when executing computer-executable instructions for the computer-implemented method, which comprises:

storing at the network resource server first data or resources that are designated as confidential, and second data or resources that are designated as public;

storing at a policy server the data protection policy that determines the restrictions imposed by the data protection policy as to how one or more applications running at the client OS are to be restricted in terms of how the first data or resources are used or where the first data or resources are located or accessed;

distributing the data protection policy from the policy server to the one or more client OS of one or more client systems, and wherein each client OS of the one or more client OS that receives the data protection policy has a credential store in which access credentials are stored that are required for authentication by the network resource server before granting access to an application running at a client OS of a given client of the one or more client systems to the first data or resources;

determining at the client OS of the given client that a first application running at the client OS of the given client complies with the restrictions imposed by the data protection policy and that the first application is a compliant application;

providing the compliant application with the access credentials stored at the credential store of the client OS of the given client required by the compliant application to access the first data or resources at the network resource server;

determining at the client OS of the given client that a second application running at the client OS of the given client does not comply with the restrictions imposed by the data protection policy and that the second application is a noncompliant application; and

denying the access credentials stored at the credential store of the client OS of the given client required by the noncompliant application to access the first data or resources at the network resource server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data protection policy can specify which applications are allowed and/or dis-allowed from accessing cloud data that is subject to a data protection policy (i.e., data that has been assigned a classification and/or an owner.) To enforce that policy, the operating system (or other trusted entity) that stores or caches access credentials only provides these credentials to applications that are allowed by the policy. In this manner, because they are not provided with the credentials required to access the network resource, the dis-allowed applications cannot access the ‘protected’ data thereby helping prevent these dis-allowed (or noncompliant) applications from leaking data.

11 Citations

View as Search Results

19 Claims

1. A computer implemented method of reducing or preventing data leakage which would otherwise occur from applications running at a client operating system (OS) and which do not operate in accordance with restrictions imposed by a data protection policy for confidential resources stored at a network resource server, wherein the computer-implemented method is performed by one or more processors when executing computer-executable instructions for the computer-implemented method, which comprises:
- storing at the network resource server first data or resources that are designated as confidential, and second data or resources that are designated as public;
  
  storing at a policy server the data protection policy that determines the restrictions imposed by the data protection policy as to how one or more applications running at the client OS are to be restricted in terms of how the first data or resources are used or where the first data or resources are located or accessed;
  
  distributing the data protection policy from the policy server to the one or more client OS of one or more client systems, and wherein each client OS of the one or more client OS that receives the data protection policy has a credential store in which access credentials are stored that are required for authentication by the network resource server before granting access to an application running at a client OS of a given client of the one or more client systems to the first data or resources;
  
  determining at the client OS of the given client that a first application running at the client OS of the given client complies with the restrictions imposed by the data protection policy and that the first application is a compliant application;
  
  providing the compliant application with the access credentials stored at the credential store of the client OS of the given client required by the compliant application to access the first data or resources at the network resource server;
  
  determining at the client OS of the given client that a second application running at the client OS of the given client does not comply with the restrictions imposed by the data protection policy and that the second application is a noncompliant application; and
  
  denying the access credentials stored at the credential store of the client OS of the given client required by the noncompliant application to access the first data or resources at the network resource server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising configuring the network resource server to indicate that the first data or resources are subject to the data protection policy.
  - 3. The computer-implemented method of claim 2, wherein the access credentials stored at the credential store of the client OS of the given client comprise a single sign-on token associated with the network resource server.
  - 4. The computer-implemented method of claim 1, wherein the second data or resources designated as public are not subject to the restrictions imposed by the data protection policy, but wherein the second data or resources designated as public still require particular access credentials in order to access the second data or resources at the network resource server.
  - 5. The computer-implemented method of claim 4, wherein, based at least in part on determining that the second data or resources are not subject to the restrictions imposed by the data protection policy but that the second data or resources still require authentication by an application when accessing the second data or resources, providing the second application running at the client OS of the given client with the particular access credentials in order to permit the second application running at the client OS of the given client to access the second data or resources designated as public, but not the first data or resources designated as confidential.
  - 6. The computer-implemented method of claim 1, wherein the data protection policy specifies which applications are compliant, and wherein applications not specified as compliant are designated by the data protection policy as noncompliant by default.
  - 7. The computer-implemented method of claim 3, wherein the access credentials stored at the credential store of the client OS of the given client are also associated with an identity credential such that both the single sign-on token and the identity credential are presented by an application being authenticated at the network resource server.

8. A computer system comprising a memory containing computer-executable instructions, and one or more processors which, when executing the computer-executable instructions, configure the computer system with an architecture for a classification and access control system that reduces or prevents data leakage which would otherwise occur from applications running at a client operating system (OS) and which do not operate in accordance with restrictions imposed by a data protection policy for confidential resources stored at a network resource server, and wherein the architecture for the classification and access control system comprises:
- a network resource server that stores first data or resources that are designated as confidential, and second data or resources that are designated as public;
  
  a policy server that stores the data protection policy that determines the restrictions imposed by the data protection policy as to how one or more applications running at the client OS are to be restricted in terms of how the first data or resources are used or where the first data or resources are located or accessed;
  
  one or more client systems comprising one or more client OS to which the data protection policy from the policy server is distributed, and wherein each client OS of the one or more client OS that receives the data protection policy has a credential store in which access credentials are stored that are required for authentication by the network resource server before granting access to an application running at a client OS of a given client of the one or more client systems to the first data or resources;
  
  wherein the client OS of the given client determines that a first application running at the client OS of the given client complies with the restrictions imposed by the data protection policy and that the first application is a compliant application, and then provides the compliant application with the access credentials stored at the credential store of the client OS of the given client required by the compliant application to access the first data or resources at the network resource server; and
  
  wherein the client OS of the given client determines that a second application running at the client OS of the given client does not comply with the restrictions imposed by the data protection policy and that the second application is a noncompliant application, and then denies the access credentials stored at the credential store of the client OS of the given client required by the noncompliant application to access the first data or resources at the network resource server.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, wherein the architecture for the classification and access control system further operates to configure the network resource server to indicate that the first data or resources are subject to the data protection policy.
  - 10. The computer system of claim 9, wherein the access credentials stored at the credential store of the client OS of the given client comprise a single sign-on token associated with the network resource server.
  - 11. The computer system of claim 10, wherein the access credentials stored at the credential store of the client OS of the given client are also associated with an identity credential such that both the single sign-on token and the identity credential are presented by an application being authenticated at the network resource server.
  - 12. The computer system of claim 8, wherein the second data or resources designated as public are not subject to the restrictions imposed by the data protection policy, but wherein the second data or resources designated as public still require particular access credentials in order to access the second data or resources at the network resource server.
  - 13. The computer system of claim 12, wherein, based at least in part on a determination that the second data or resources at the network resource server are not subject to the restrictions imposed by the data protection policy but that the second data or resources still require authentication by an application when accessing the second data or resources, the architecture of the computer system causes the client OS of the given client to provide the second application running at the client OS of the given client with the particular access credentials in order to permit the second application running at the client OS of the given client to access the second data or resources designated as public, but not the first data or resources designated as confidential.
  - 14. The computer system of claim 8, wherein the data protection policy specifies which applications are compliant, and wherein applications not specified as compliant are designated by the data protection policy as noncompliant by default.

15. A computer system for providing a classification and access control system that reduces or prevents data leakage which would otherwise occur from applications running at a client operating system (OS) and which do not operate in accordance with restrictions imposed by a data protection policy for confidential resources stored at a network resource server, the computer system comprising:
- a memory;
  
  a network resource server that stores;
  
  first data or resources that are designated as confidential;
  
  second data or resources that are designated as public; and
  
  authentication credentials required to access at least the first data or resources designated as confidential;
  
  a policy server that stores the data protection policy that determines the restrictions imposed by the data protection policy as to how one or more applications running at the client OS are to be restricted in terms of how the first data or resources are used or where the first data or resources are located or accessed, and wherein the data protection policy specifies applications that are compliant, and wherein applications not specified as compliant are designated by the data protection policy as noncompliant by default;
  
  one or more client systems comprising one or more client OS to which the data protection policy from the policy server is distributed, and wherein each client OS of the one or more client OS that receives the data protection policy has a credential store in which access credentials are stored that correspond to the authentication credentials required at the network resource server to access at least the first data or resources designated as confidential before granting access to an application running at a client OS of a given client of the one or more client systems to the first data or resources;
  
  wherein the client OS of the given client determines that a first application running at the client OS of the given client complies with the restrictions imposed by the data protection policy and that the first application is thus specified as a compliant application, and then provides the compliant application with the access credentials stored at the credential store of the client OS of the given client required by the compliant application to access the first data or resources at the network resource server; and
  
  wherein the client OS of the given client also determines that a second application running at the client OS of the given client is not specified as compliant and by default the second application is a noncompliant application, and then denies the access credentials stored at the credential store of the client OS of the given client required by the noncompliant application to access the first data or resources at the network resource server.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer system of claim 15, wherein the access credentials stored at the credential store of the client OS of the given client comprise a single sign-on token associated with the network resource server.
  - 17. The computer system of claim 16, wherein the access credentials stored at the credential store of the client OS of the given client are also associated with an identity credential such that both the single sign-on token and the identity credential are presented by an application being authenticated at the network resource server.
  - 18. The computer system of claim 15, wherein the second data or resources designated as public are not subject to the restrictions imposed by the data protection policy, but wherein the second data or resources designated as public still require particular access credentials in order to access the second data or resources at the network resource server.
  - 19. The computer system of claim 18, wherein, based at least in part on a determination that the second data or resources at the network resource server are not subject to the restrictions imposed by the data protection policy but that the second data or resources still require authentication by an application when accessing the second data or resources, the client OS of the given client provides the second application running at the client OS of the given client with the particular access credentials in order to permit the second application running at the client OS of the given client to access the second data or resources designated as public, but not the first data or resources designated as confidential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Walstad, Christopher Leonard, Agarwal, Vishal, Acharya, Narendra S., Ureche, Octavian T., Adam, Preston Derek
Primary Examiner(s)
Nguyen, Trong H
Assistant Examiner(s)
Lin, Amie C.

Application Number

US15/460,101
Publication Number

US 20180234430A1
Time in Patent Office

902 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/105   Multiple levels of security

Data classification and access control for cloud based data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data classification and access control for cloud based data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links