Automatically applying data loss prevention rules during migration

US 10,447,638 B2
Filed: 09/03/2015
Issued: 10/15/2019
Est. Priority Date: 09/03/2015
Status: Active Grant

First Claim

Patent Images

1. A method, implemented by a system that includes one or more processors and computer executable instructions which implement a migration engine and a data loss prevention (DLP) engine when executed by at least one of the one or more processors, for performing DLP processing on selected items during an email migration from a source system to a target system, the method comprising:

accessing, by the migration engine and as part of the email migration, a first email that is stored in a first mailbox that corresponds to a first user on the source system;

processing, by the migration engine, the first email to determine, based on DLP configuration settings that define rules for protecting against loss, misuse or unauthorized access of sensitive data, whether the first email should be subjected to the DLP processing;

upon determining, based on the DLP configuration settings, that the first email should not be subjected to the DLP processing, migrating, by the migration engine, the first email to the target system without routing the first email to the DLP engine by storing the first email in a first mailbox that corresponds to the first user on the target system;

accessing, by the migration engine and as part of the email migration, a second email that is stored in the first mailbox that corresponds to the first user on the source system;

processing, by the migration engine, the second email to determine, based on the DLP configuration settings, whether the second email should be subjected to the DLP processing;

upon determining, based on the DLP configuration settings, that the second email should be subject to the DLP processing, routing, by the migration engine, the second email to the DLP engine rather than migrating the second email to the target system;

performing, by the DLP engine, the DLP processing on the second email to generate a processed version of the second email, wherein performing the DLP processing on the second email to generate the processed version of the second email comprises removing sensitive data from the second email to ensure that the sensitive data is not lost, misused or accessed by unauthorized users once the processed version of the second email is migrated to the target system;

providing, by the DLP engine, the processed version of the second email to the migration engine; and

migrating, by the migration engine, the processed version of the second email, rather than the second email, to the target system by storing the processed version of the second email in the first mailbox that corresponds to the first user on the target system.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data loss prevention (“DLP”) rules can be automatically applied to items during a migration. When a migration is performed, a migration engine may be configured with migration configuration settings which define the items to be migrated from the source system to the target system. The migration engine may also be configured with DLP configuration settings which define the type of items on which DLP should be performed. When the DLP configuration settings indicate that DLP should be applied to an item to be migrated, the migration engine routes the item to a DLP engine rather than directly migrating the item to the target system. After the DLP engine has processed the item, the DLP engine can return the processed item to the migration engine which in turn can migrate the processed item to the appropriate location in the target system.

10 Citations

20 Claims

1. A method, implemented by a system that includes one or more processors and computer executable instructions which implement a migration engine and a data loss prevention (DLP) engine when executed by at least one of the one or more processors, for performing DLP processing on selected items during an email migration from a source system to a target system, the method comprising:
- accessing, by the migration engine and as part of the email migration, a first email that is stored in a first mailbox that corresponds to a first user on the source system;
  
  processing, by the migration engine, the first email to determine, based on DLP configuration settings that define rules for protecting against loss, misuse or unauthorized access of sensitive data, whether the first email should be subjected to the DLP processing;
  
  upon determining, based on the DLP configuration settings, that the first email should not be subjected to the DLP processing, migrating, by the migration engine, the first email to the target system without routing the first email to the DLP engine by storing the first email in a first mailbox that corresponds to the first user on the target system;
  
  accessing, by the migration engine and as part of the email migration, a second email that is stored in the first mailbox that corresponds to the first user on the source system;
  
  processing, by the migration engine, the second email to determine, based on the DLP configuration settings, whether the second email should be subjected to the DLP processing;
  
  upon determining, based on the DLP configuration settings, that the second email should be subject to the DLP processing, routing, by the migration engine, the second email to the DLP engine rather than migrating the second email to the target system;
  
  performing, by the DLP engine, the DLP processing on the second email to generate a processed version of the second email, wherein performing the DLP processing on the second email to generate the processed version of the second email comprises removing sensitive data from the second email to ensure that the sensitive data is not lost, misused or accessed by unauthorized users once the processed version of the second email is migrated to the target system;
  
  providing, by the DLP engine, the processed version of the second email to the migration engine; and
  
  migrating, by the migration engine, the processed version of the second email, rather than the second email, to the target system by storing the processed version of the second email in the first mailbox that corresponds to the first user on the target system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - accessing, by the migration engine and as part of the email migration, a third email that is stored in a second mailbox that corresponds to a second user on the source system;
      
      processing, by the migration engine, the third email to determine, based on the DLP configuration settings, whether the third email should be subjected to the DLP processing;
      
      upon determining, based on the DLP configuration settings, that the third email should not be subjected to the DLP processing, migrating, by the migration engine, the third email to the target system without routing the third email to the DLP engine by storing the third email in a second mailbox that corresponds to the second user on the target system;
      
      accessing, by the migration engine and as part of the email migration, a fourth email that is stored in the second mailbox that corresponds to the second user on the source system;
      
      processing, by the migration engine, the fourth email to determine, based on the DLP configuration settings, whether the fourth email should be subjected to the DLP processing;
      
      upon determining, based on the DLP configuration settings, that the fourth email should be subject to the DLP processing, routing, by the migration engine, the fourth email to the DLP engine rather than migrating the fourth email to the target system;
      
      performing, by the DLP engine, the DLP processing on the fourth email to generate a processed version of the fourth email;
      
      providing, by the DLP engine, the processed version of the fourth email to the migration engine; and
      
      migrating, by the migration engine, the processed version of the fourth email, rather than the fourth email, to the target system by storing the processed version of the fourth email in the second mailbox that corresponds to the second user on the target system.
  - 3. The method of claim 1, further comprising:
    - accessing, by the migration engine and as part of the email migration, a first item that is stored in association with the first mailbox of the first user on the source system, the first item comprising one of a contact, a task, a calendar item, a journal, an instant messaging conversation, a posted attachment, or a sticky note;
      
      processing, by the migration engine, the first item to determine, based on the DLP configuration settings, whether the first item should be subjected to the DLP processing;
      
      upon determining, based on the DLP configuration settings, that the first item should not be subjected to the DLP processing, migrating, by the migration engine, the first item to the target system without routing the first item to the DLP engine by storing the first item in association with the first mailbox of the first user on the target system;
      
      accessing, by the migration engine and as part of the email migration, a second item that is stored in the second mailbox that corresponds to the second user on the source system;
      
      processing, by the migration engine, the second item to determine, based on the DLP configuration settings, whether the second item should be subjected to the DLP processing;
      
      upon determining, based on the DLP configuration settings, that the second item should be subject to the DLP processing, routing, by the migration engine, the second item to the DLP engine rather than migrating the second item to the target system;
      
      performing, by the DLP engine, the DLP processing on the second item to generate a processed version of the second item;
      
      providing, by the DLP engine, the processed version of the second item to the migration engine; and
      
      migrating, by the migration engine, the processed version of the second item, rather than the second item, to the target system by storing the processed version of the second item in association with the first mailbox of the first user on the target system.
  - 4. The method of claim 3, wherein the DLP configuration settings define which type of items are to be subjected to the DLP processing.
  - 5. The method of claim 1, wherein the DLP configuration settings define that emails associated with one or more particular users should be subjected to the DLP processing.
  - 6. The method of claim 1, wherein the DLP configuration settings identify DLP rules that are to be used when performing the DLP processing.
  - 7. The method of claim 1, wherein removing sensitive data from the second email comprises redacting the sensitive data.
  - 8. The method of claim 1, wherein removing sensitive data from the second email comprises one of:
    - removing content from the body of the second email;
      
      orremoving an attachment from the second email.
  - 9. The method of claim 1, further comprising:
    - adding an entry to a log that describes that sensitive data was removed from the second email.
  - 10. The method of claim 1, further comprising:
    - generating and sending a notification that describes that sensitive data was removed from the second email.
  - 11. The method of claim 1, wherein performing the DLP processing on the second email to generate the processed version of the second email comprises comparing content of the second email to DLP rules.
  - 12. The method of claim 11, wherein the DLP rules define one or more actions to take on the second email when the second email contains specified content.
  - 13. The method of claim 12, wherein removing the sensitive data comprises one or more of removing an attachment to the second email or removing content within a body or title of the second email.
  - 14. The method of claim 1, wherein the second email comprises a group communication.

15. One or more computer storage media storing computer executable instructions which implement a migration engine and a data loss prevention (DLP) engine when executed by at least one processor, the migration engine and the DLP engine being configured to implement a method for performing DLP processing on selected items during an email migration from a source system to a target system, the method comprising:
- accessing, by the migration engine and as part of the email migration, a first email that is stored in a first mailbox that corresponds to a first user on the source system;
  
  processing, by the migration engine, the first email to determine, based on DLP configuration settings that define rules for protecting against loss, misuse or unauthorized access of sensitive data, whether the first email should be subjected to the DLP processing;
  
  upon determining, based on the DLP configuration settings, that the first email should not be subjected to the DLP processing, migrating, by the migration engine, the first email to the target system without routing the first email to the DLP engine by storing the first email in a first mailbox that corresponds to the first user on the target system;
  
  accessing, by the migration engine and as part of the email migration, a second email that is stored in the first mailbox that corresponds to the first user on the source system;
  
  processing, by the migration engine, the second email to determine, based on the DLP configuration settings, whether the second email should be subjected to the DLP processing;
  
  upon determining, based on the DLP configuration settings, that the second email should be subject to the DLP processing, routing, by the migration engine, the second email to the DLP engine rather than migrating the second email to the target system;
  
  performing, by the DLP engine, the DLP processing on the second email to generate a processed version of the second email, wherein performing the DLP processing on the second email to generate the processed version of the second email comprises removing sensitive data from the second email to ensure that the sensitive data is not lost, misused or accessed by unauthorized users once the processed version of the second email is migrated to the target system;
  
  providing, by the DLP engine, the processed version of the second email to the migration engine; and
  
  migrating, by the migration engine, the processed version of the second email, rather than the second email, to the target system by storing the processed version of the second email in the first mailbox that corresponds to the first user on the target system.
- View Dependent Claims (16, 17, 18)
- - 16. The computer storage media of claim 15, wherein the method further comprises:
    - accessing, by the migration engine and as part of the email migration, a first item that is stored in association with the first mailbox of the first user on the source system, the first item comprising one of a contact, a task, a calendar item, a journal, an instant messaging conversation, a posted attachment, or a sticky note;
      
      processing, by the migration engine, the first item to determine, based on the DLP configuration settings, whether the first item should be subjected to the DLP processing;
      
      upon determining, based on the DLP configuration settings, that the first item should not be subjected to the DLP processing, migrating, by the migration engine, the first item to the target system without routing the first item to the DLP engine by storing the first item in association with the first mailbox of the first user on the target system;
      
      accessing, by the migration engine and as part of the email migration, a second item that is stored in the second mailbox that corresponds to the second user on the source system;
      
      processing, by the migration engine, the second item to determine, based on the DLP configuration settings, whether the second item should be subjected to the DLP processing;
      
      upon determining, based on the DLP configuration settings, that the second item should be subject to the DLP processing, routing, by the migration engine, the second item to the DLP engine rather than migrating the second item to the target system;
      
      performing, by the DLP engine, the DLP processing on the second item to generate a processed version of the second item;
      
      providing, by the DLP engine, the processed version of the second item to the migration engine; and
      
      migrating, by the migration engine, the processed version of the second item, rather than the second item, to the target system by storing the processed version of the second item in association with the first mailbox of the first user on the target system.
  - 17. The computer storage media of claim 15, wherein the DLP configuration settings define that emails associated with one or more particular users should be subjected to the DLP processing.
  - 18. The computer storage media of claim 15, wherein removing sensitive data from the second email comprises one of:
    - removing content from the body of the second email;
      
      orremoving an attachment from the second email.

19. A method, implemented by a system that includes one or more processors and computer executable instructions which implement a migration engine and a data loss prevention (DLP) engine when executed by at least one of the one or more processors, for performing DLP processing on selected items during an email migration from a source system to a target system, the method comprising:
- accessing, by the migration engine and as part of the email migration, a first email that is stored in a first user'"'"'s inbox on the source system;
  
  processing, by the migration engine, the first email to determine, based on DLP configuration settings that define rules for protecting against loss, misuse or unauthorized access of sensitive data, whether the first email should be subjected to the DLP processing;
  
  upon determining, based on the DLP configuration settings, that the first email should not be subjected to the DLP processing, migrating, by the migration engine, the first email to the target system without routing the first email to the DLP engine by storing the first email in an inbox that has been created for the first user on the target system;
  
  accessing, by the migration engine and as part of the email migration, a second email that is stored in the first user'"'"'s inbox on the source system;
  
  processing, by the migration engine, the second email to determine, based on the DLP configuration settings, whether the second email should be subjected to the DLP processing;
  
  upon determining, based on the DLP configuration settings, that the second email should be subject to the DLP processing, routing, by the migration engine, the second email to the DLP engine rather than migrating the second email to the target system;
  
  performing, by the DLP engine, the DLP processing on the second email to generate a processed version of the second email, wherein performing the DLP processing on the second email to generate the processed version of the second email comprises removing sensitive data from the second email to ensure that the sensitive data is not lost, misused or accessed by unauthorized users once the processed version of the second email is migrated to the target system;
  
  providing, by the DLP engine, the processed version of the second email to the migration engine; and
  
  migrating, by the migration engine, the processed version of the second email, rather than the second email, to the target system by storing the processed version of the second email in the inbox that has been created for the first user on the target system.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising:
    - accessing, by the migration engine and as part of the email migration, a first item that is stored in association with the first user'"'"'s inbox on the source system, the first item comprising one of a contact, a task, a calendar item, a journal, an instant messaging conversation, a posted attachment, or a sticky note;
      
      processing, by the migration engine, the first item to determine, based on the DLP configuration settings, whether the first item should be subjected to the DLP processing;
      
      upon determining, based on the DLP configuration settings, that the first item should not be subjected to the DLP processing, migrating, by the migration engine, the first item to the target system without routing the first item to the DLP engine by storing the first item in association with the inbox that has been created for the first user on the target system;
      
      accessing, by the migration engine and as part of the email migration, a second item that is stored in association with the first user'"'"'s inbox on the source system;
      
      processing, by the migration engine, the second item to determine, based on the DLP configuration settings, whether the second item should be subjected to the DLP processing;
      
      upon determining, based on the DLP configuration settings, that the second item should be subject to the DLP processing, routing, by the migration engine, the second item to the DLP engine rather than migrating the second item to the target system;
      
      performing, by the DLP engine, the DLP processing on the second item to generate a processed version of the second item;
      
      providing, by the DLP engine, the processed version of the second item to the migration engine; and
      
      migrating, by the migration engine, the processed version of the second item, rather than the second item, to the target system by storing the processed version of the second item in association with the inbox that has been created for the first user on the target system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Quest Software, Inc.
Inventors
Willis, Tom, Lindley, Chad
Primary Examiner(s)
Lazaro, David R
Assistant Examiner(s)
Henry, Mariegeorges A

Application Number

US14/844,951
Publication Number

US 20170070464A1
Time in Patent Office

1,503 Days
Field of Search

709204-206
US Class Current
CPC Class Codes

H04L 51/42   Mailbox-related aspects, e....

H04L 63/0227   Filtering policies mail mes...

H04W 4/12   Messaging; Mailboxes; Annou...

Automatically applying data loss prevention rules during migration

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automatically applying data loss prevention rules during migration

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links