Data classification and access control for cloud based data
First Claim
1. A computer implemented method of reducing or preventing data leakage which would otherwise occur from applications running at a client operating system (OS) and which do not operate in accordance with restrictions imposed by a data protection policy for confidential resources stored at a network resource server, wherein the computer-implemented method is performed by one or more processors when executing computer-executable instructions for the computer-implemented method, which comprises:
storing at the network resource server first data or resources that are designated as confidential, and second data or resources that are designated as public;
storing at a policy server the data protection policy that determines the restrictions imposed by the data protection policy as to how one or more applications running at the client OS are to be restricted in terms of how the first data or resources are used or where the first data or resources are located or accessed;
distributing the data protection policy from the policy server to the one or more client OS of one or more client systems, and wherein each client OS of the one or more client OS that receives the data protection policy has a credential store in which access credentials are stored that are required for authentication by the network resource server before granting access to an application running at a client OS of a given client of the one or more client systems to the first data or resources;
determining at the client OS of the given client that a first application running at the client OS of the given client complies with the restrictions imposed by the data protection policy and that the first application is a compliant application;
providing the compliant application with the access credentials stored at the credential store of the client OS of the given client required by the compliant application to access the first data or resources at the network resource server;
determining at the client OS of the given client that a second application running at the client OS of the given client does not comply with the restrictions imposed by the data protection policy and that the second application is a noncompliant application; and
denying the access credentials stored at the credential store of the client OS of the given client required by the noncompliant application to access the first data or resources at the network resource server.
Abstract
A data protection policy can specify which applications are allowed and/or disallowed from accessing cloud data that is subject to a data protection policy (i.e., data that has been assigned a classification and/or an owner). To enforce that policy, the operating system (or other trusted entity) that stores or caches access credentials provides these credentials only to applications that are allowed by the policy. Because the disallowed applications are not provided with the credentials required to access the network resource, they cannot access the ‘protected’ data, which helps prevent these disallowed (or noncompliant) applications from leaking data.
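The credential-gating flow described in the abstract, as an added Python example (not code from the patent): the client OS releases the stored credential only to applications the distributed policy lists as compliant, and everything else is refused by default. The class names, application identifiers and token value are constructed for illustration, and how the OS establishes an application's identity is an assumption the page does not specify.

```python
import hmac
from dataclasses import dataclass, field

CONFIDENTIAL, PUBLIC = "confidential", "public"

class ResourceServer:
    """Network resource server: public data is open, confidential data needs the credential."""
    def __init__(self, secret):
        self._secret = secret
        self._data = {}                      # name -> (classification, content)

    def store(self, name, classification, content):
        self._data[name] = (classification, content)

    def read(self, name, credential=None):
        classification, content = self._data[name]
        if classification == CONFIDENTIAL and not (
                credential and hmac.compare_digest(credential, self._secret)):
            raise PermissionError(f"{name}: authentication required")
        return content

@dataclass
class ClientOS:
    """Client OS: holds the credential store and the policy it received."""
    credential: str
    compliant_apps: frozenset = frozenset()  # empty until a policy arrives: default deny
    denials: list = field(default_factory=list)

    def receive_policy(self, policy):
        self.compliant_apps = frozenset(policy["compliant_apps"])

    def get_credential(self, app_id):
        # Assumption: app_id is established by the OS, not claimed by the caller.
        if app_id in self.compliant_apps:
            return self.credential
        self.denials.append(app_id)          # audit record of refused requests
        return None

def demo():
    """Constructed scenario: one compliant app, one app the policy does not list."""
    server = ResourceServer(secret="constructed-token")
    server.store("forecast", CONFIDENTIAL, "Q3 forecast")
    server.store("press", PUBLIC, "press release")
    client = ClientOS(credential="constructed-token")
    client.receive_policy({"compliant_apps": ["com.example.mail"]})  # from policy server
    results = {"compliant": server.read("forecast", client.get_credential("com.example.mail"))}
    try:
        results["noncompliant"] = server.read("forecast", client.get_credential("com.example.notes"))
    except PermissionError:
        results["noncompliant"] = None       # no credential, so the server refuses
    results["public"] = server.read("press")  # public data needs no credential
    results["denials"] = client.denials
    return results
```

The `denials` list is the natural place to attach logging or alerting for applications that request credentials they are not entitled to.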
19 Claims
1. Set out in full under First Claim above.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer system comprising a memory containing computer-executable instructions, and one or more processors which, when executing the computer-executable instructions, configure the computer system with an architecture for a classification and access control system that reduces or prevents data leakage which would otherwise occur from applications running at a client operating system (OS) and which do not operate in accordance with restrictions imposed by a data protection policy for confidential resources stored at a network resource server, and wherein the architecture for the classification and access control system comprises:
a network resource server that stores first data or resources that are designated as confidential, and second data or resources that are designated as public;
a policy server that stores the data protection policy that determines the restrictions imposed by the data protection policy as to how one or more applications running at the client OS are to be restricted in terms of how the first data or resources are used or where the first data or resources are located or accessed;
one or more client systems comprising one or more client OS to which the data protection policy from the policy server is distributed, and wherein each client OS of the one or more client OS that receives the data protection policy has a credential store in which access credentials are stored that are required for authentication by the network resource server before granting access to an application running at a client OS of a given client of the one or more client systems to the first data or resources;
wherein the client OS of the given client determines that a first application running at the client OS of the given client complies with the restrictions imposed by the data protection policy and that the first application is a compliant application, and then provides the compliant application with the access credentials stored at the credential store of the client OS of the given client required by the compliant application to access the first data or resources at the network resource server; and
wherein the client OS of the given client determines that a second application running at the client OS of the given client does not comply with the restrictions imposed by the data protection policy and that the second application is a noncompliant application, and then denies the access credentials stored at the credential store of the client OS of the given client required by the noncompliant application to access the first data or resources at the network resource server.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A computer system for providing a classification and access control system that reduces or prevents data leakage which would otherwise occur from applications running at a client operating system (OS) and which do not operate in accordance with restrictions imposed by a data protection policy for confidential resources stored at a network resource server, the computer system comprising:
a memory;
a network resource server that stores;
first data or resources that are designated as confidential;
second data or resources that are designated as public; and
authentication credentials required to access at least the first data or resources designated as confidential;
a policy server that stores the data protection policy that determines the restrictions imposed by the data protection policy as to how one or more applications running at the client OS are to be restricted in terms of how the first data or resources are used or where the first data or resources are located or accessed, and wherein the data protection policy specifies applications that are compliant, and wherein applications not specified as compliant are designated by the data protection policy as noncompliant by default;
one or more client systems comprising one or more client OS to which the data protection policy from the policy server is distributed, and wherein each client OS of the one or more client OS that receives the data protection policy has a credential store in which access credentials are stored that correspond to the authentication credentials required at the network resource server to access at least the first data or resources designated as confidential before granting access to an application running at a client OS of a given client of the one or more client systems to the first data or resources;
wherein the client OS of the given client determines that a first application running at the client OS of the given client complies with the restrictions imposed by the data protection policy and that the first application is thus specified as a compliant application, and then provides the compliant application with the access credentials stored at the credential store of the client OS of the given client required by the compliant application to access the first data or resources at the network resource server; and
wherein the client OS of the given client also determines that a second application running at the client OS of the given client is not specified as compliant and by default the second application is a noncompliant application, and then denies the access credentials stored at the credential store of the client OS of the given client required by the noncompliant application to access the first data or resources at the network resource server.
Dependent claims: 16, 17, 18, 19
Specification