Secure data corridors for data feeds

US 10,432,642 B2
Filed: 12/29/2016
Issued: 10/01/2019
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device configured to provide a secure data corridor, the computing device comprising:

a processor;

a network interface communicatively coupled to the processor and configured to enable communications with a mobile traffic network;

a storage device for content and programming;

a security application stored in the storage device, wherein execution of the security application by the processor configures the computing device to perform acts comprising;

receiving a request from a subject for at least one data element of a data feed;

identifying a use-case for the data feed;

assigning a security label to the use-case that includes a data sensitivity rating of the use-case;

comparing a clearance of the subject to the security label of the use-case;

upon determining that the clearance of the subject is at or above the data sensitivity rating of the use-case, allowing the subject access privilege to the data feed via the secure data corridor; and

assigning an additional data sensitivity rating to the secure data corridor that corresponds with or is substantially similar to a particular data sensitivity rating of the data feed that is transmitted through the secure data corridor.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method of providing a secure data corridor are provided. A request from a subject for at least one data element of a data feed is received. A use-case is identified for the data feed. A security label is assigned to the use-case. A clearance of the subject is compared to the security label of the use-case. Upon determining that a clearance of the subject is at or above the data sensitivity rating of the use-case, the subject is allowed access privilege to the data feed via the secure data corridor.

46 Citations

20 Claims

1. A computing device configured to provide a secure data corridor, the computing device comprising:
- a processor;
  
  a network interface communicatively coupled to the processor and configured to enable communications with a mobile traffic network;
  
  a storage device for content and programming;
  
  a security application stored in the storage device, wherein execution of the security application by the processor configures the computing device to perform acts comprising;
  
  receiving a request from a subject for at least one data element of a data feed;
  
  identifying a use-case for the data feed;
  
  assigning a security label to the use-case that includes a data sensitivity rating of the use-case;
  
  comparing a clearance of the subject to the security label of the use-case;
  
  upon determining that the clearance of the subject is at or above the data sensitivity rating of the use-case, allowing the subject access privilege to the data feed via the secure data corridor; and
  
  assigning an additional data sensitivity rating to the secure data corridor that corresponds with or is substantially similar to a particular data sensitivity rating of the data feed that is transmitted through the secure data corridor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computing device of claim 1, wherein execution of the security application further configures the computing device to perform acts comprising:
    - determining the particular data sensitivity rating of the data feed;
      
      determining a security level of each data element of the data feed; and
      
      determining, for each data element of the data feed, one or more security controls that are mapped to the data element.
  - 3. The computing device of claim 2, wherein assigning the security label includes assigning the security label to the use-case based on at least one of:
    - the particular data sensitivity rating of the data feed;
      
      the security level of each data element of the data feed; and
      
      the one or more security controls that are mapped to each data element.
  - 4. The computing device of claim 2, wherein the particular data sensitivity rating is a score that quantifies a security measure that mandates a predetermined confidentiality protection and data integrity protection of the data feed.
  - 5. The computing device of claim 2, wherein the particular data sensitivity rating of the data feed, the security level of each data element of the data feed, and the one or more security controls that are mapped to each data element are provided by a data linkage map set (DLMS) table.
  - 6. The computing device of claim 1, wherein the additional data sensitivity rating of the secure data corridor is dynamically set in substantially real-time based on the particular data sensitivity rating of the data feed that is transmitted through the secure data corridor.
  - 7. The computing device of claim 1, wherein the at least one data element is associated with a plurality of data objects, and wherein a data object of the plurality of data objects is configured to store one or more data elements mapped to the data object at a storage location.
  - 8. The computing device of claim 1, wherein execution of the security application further configures the computing device to perform acts comprising:
    - upon determining that a subject has access privilege to the data feed, allowing the subject to access all data elements and data objects related to the data feed.
  - 9. The computing device of claim 1, wherein:
    - the data feed comprises a first data element having a first security level and a second data element having a second security level; and
      
      the first security level is more sensitive than the second security level.
  - 10. The computing device of claim 9, wherein execution of the security application further configures the computing device to perform acts comprising:
    - upon determining that (i) the clearance of the subject is not at or above the data sensitivity rating of the use-case, (ii) the clearance of the subject is below the first security level, and (iii) the clearance of the subject is at or above the second security level, allowing the subject access privilege to the second data element and denying the subject access privilege to the first data element.
  - 11. The computing device of claim 9, wherein execution of the security application further configures the computing device to perform acts comprising:
    - upon determining that (i) the clearance of the subject is not at or above the data sensitivity rating of the use-case, (ii) the clearance of the subject is below the first security level, and (iii) the clearance of the subject is at or above the second security level;
      
      allowing the subject to write to but not read from the first data element; and
      
      allowing the subject to write to and read from the second data element.
  - 12. The computing device of claim 9, wherein execution of the security application further configures the computing device to perform acts comprising:
    - upon determining that the clearance of the subject is at or above the first security level;
      
      allowing the subject to read from but not write to the second data element; and
      
      allowing the subject to write to and read from the first data element.
  - 13. The computing device of claim 3, wherein control parameters of a security control mapped to a data element include at least one of following limitations:
    - (i) no read-up, (ii) no write-down, (iii) tranquility, (iv) explicit read-in, or (v) explicit write-out.

14. A non-transitory computer-readable medium having stored thereon a plurality of sequences of instructions which, when executed by a processor, cause the processor to perform a plurality of actions comprising:
- receiving a request from a subject for at least one data element of a data feed;
  
  identifying a use-case for the data feed;
  
  assigning a security label to the use-case that includes a data sensitivity rating of the use-case;
  
  comparing a clearance of the subject to the security label of the use-case;
  
  upon determining that the clearance of the subject is at or above the data sensitivity rating of the use-case, allowing the subject access privilege to the data feed via a secure data corridor; and
  
  assigning an additional data sensitivity rating to the secure data corridor that corresponds with or is substantially similar to a particular data sensitivity rating of the data feed that is transmitted through the secure data corridor.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable medium of claim 14, wherein the actions further comprise:
    - Determining the particular data sensitivity rating of the data feed;
      
      determining a security level of each data element of the data feed; and
      
      determining, for each data element of the data feed, one or more security controls that are mapped to the data element.
  - 16. The non-transitory computer-readable medium of claim 15, wherein assigning the security label includes assigning the security label to the use-case based on at least one of:
    - the data sensitivity rating of the data feed;
      
      the security level of each data element of the data feed; and
      
      the one or more security controls that are mapped to each data element.
  - 17. The non-transitory computer-readable medium of claim 14, wherein the actions further comprise:
    - upon determining that a subject has access privilege to the data feed, allowing the subject to access all data elements and data objects related to the data feed.
  - 18. The non-transitory computer-readable medium of claim 14, wherein:
    - the data feed comprises a first data element having a first security level and a second data element having a second security level; and
      
      the first security level is more sensitive than the second security level.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the actions further comprise:
    - upon determining that (i) the clearance of the subject is not at or above the data sensitivity rating of the use-case, (ii) the clearance of the subject is below the first security level, and (iii) the clearance of the subject is at or above the second security level, allowing the subject access privilege to the second data element and denying the subject access privilege to the first data element.
  - 20. The non-transitory computer-readable medium of claim 18, wherein the actions further comprise:
    - upon determining that (i) the clearance of the subject is not at or above the data sensitivity rating of the use-case, (ii) the clearance of the subject is below the first security level, and (iii) the clearance of the subject is at or above the second security level;
      
      allowing the subject to write to but not read from the first data element; and
      
      allowing the subject to write to and read from the second data element; and
      
      upon determining that the clearance of the subject is at or above the first security level;
      
      allowing the subject to read from but not write to the second data element; and
      
      allowing the subject to write to and read from the first data element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile USA, Inc. (Deutsche Telekom AG)
Original Assignee
T-Mobile USA, Inc. (Deutsche Telekom AG)
Inventors
Peppe, Brett, Reith, Greg
Primary Examiner(s)
Kanaan, Simon P

Application Number

US15/394,170
Publication Number

US 20170163654A1
Time in Patent Office

1,006 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Secure data corridors for data feeds

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data corridors for data feeds

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links