Enforcing control policies in an information management system with two or more interactive enforcement points

US 10,536,485 B2
Filed: 11/15/2016
Issued: 01/14/2020
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;

using the interceptor code component, intercepting at least one low level file operation to be executed by the operating system of the first computer to complete a document access operation;

using the policy engine code component, evaluating the document access operation on the first computer,wherein the evaluating step evaluates at least one rule pertaining to the document access operation,the at least one rule is among a plurality of rules stored on the first computer, andthe at least one rule contains at least one expression used by the evaluating step to control document access operation;

communicating with a second computer as indicated by the at least one rule; and

confirming on the first computer that the second computer has an ability to interact with the evaluating step.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

Citations

21 Claims

1. A method comprising:
- providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
  
  using the interceptor code component, intercepting at least one low level file operation to be executed by the operating system of the first computer to complete a document access operation;
  
  using the policy engine code component, evaluating the document access operation on the first computer,wherein the evaluating step evaluates at least one rule pertaining to the document access operation,the at least one rule is among a plurality of rules stored on the first computer, andthe at least one rule contains at least one expression used by the evaluating step to control document access operation;
  
  communicating with a second computer as indicated by the at least one rule; and
  
  confirming on the first computer that the second computer has an ability to interact with the evaluating step.
- View Dependent Claims (2, 3, 4, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 comprising:
    - for a first application program on the first computer, performing the evaluating step for an operation of the first application program;
      
      determining if the first computer contains a first piece of information required to evaluate the at least one rule;
      
      if the first computer contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule;
      
      if the first computer does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule; and
      
      if the first computer is incapable of evaluating the at least one rule, determining a second computer connected over a network to the first computer, wherein the second computer has access to the first piece of information.
  - 3. The method of claim 2 comprising:
    - determining first and second portions of the at least one rule, wherein evaluating the second portion of the at least one rule comprises accessing the first piece of information that causes the first computer to be incapable of evaluating the at least one rule;
      
      designating the second portion of the at least one rule to be evaluated with the first piece of information accessible by the second computer;
      
      accessing the first piece of information by the second computer; and
      
      evaluating the second portion of the at least one rule with the accessed first piece of information accessed by the second computer.
  - 4. The method of claim 3 comprising:
    - determining the first computer is capable of evaluating the first portion of the at least one rule by way of the first computer having access to a second piece of information required to evaluate the first portion of the at least one rule; and
      
      designating the first portion of the at least one rule to be evaluated with the second piece of information accessible by the first computer.
  - 7. The method of claim 1 further comprising:
    - detecting document access operation within an application program.
  - 8. The method of claim 1 further comprising:
    - detecting document access operation within the first computer'"'"'s operating system.
  - 9. The method of claim 1 wherein the evaluating step evaluates rules using information based on any combination of:
    - type of document access operation, user, user group, role of a user, a user'"'"'s business function, host, type of computer, group of computers, application program, type of application program, application module, geographical location, access mechanism, connectivity, bandwidth, time of day, day of the week, file path, file name, document size, document time stamp, document owner, document properties, historical data from previous document access operations, document type, document format, document classification, document characteristics, document content, element in a database query, element in a database query result set, attribute of a database query result set, attribute of a database, or metadata.
  - 10. The method of claim 1 wherein a rule applies to at least one particular operation within an application program.
  - 11. The method of claim 1 wherein a rule applies to at least one particular operation within the first computer'"'"'s operating system.
  - 12. The method of claim 1 wherein the evaluating step monitors operations of an operating system on the first computer.
  - 13. The method of claim 1 wherein at least a subset of the plurality of rules stored on the first computer is preinstalled on the first computer.
  - 14. The method of claim 1 wherein at least a subset of the plurality of rules stored on the first computer is dynamically updated from a central database.
  - 15. The method of claim 1 wherein the communicating step further comprises wherein the indication is specified explicitly in the at least one rule using at least one of:
    - a keyword or directive.
  - 16. The method of claim 1 wherein the communicating step further comprises wherein the indication is specified implicitly by the at least one rule.
  - 17. The method of claim 1 wherein the second computer sends its rule evaluation capabilities to the first computer, and wherein the first computer verifies that the rule evaluation capabilities of the second computer meets requirements of the at least one rule.
  - 18. The method of claim 1 wherein the first computer queries the second computer whether the second computer can enforce a specific rule.
  - 19. The method of claim 1 wherein the first computer queries the second computer to verify that the second computer'"'"'s rule evaluation capabilities meets requirements of the at least one rule.
  - 20. The method of claim 1 wherein the evaluation step obtains information from the second computer in order to evaluate the at least one rule.

5. A method comprising:
- providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
  
  using the interceptor code component, intercepting at least one low level file operation the interceptor code component may access within the operating system layer to complete a document access operation;
  
  preventing the at least one low level file operation from executing;
  
  using the policy engine code component, evaluating the document access operation on the first computer,wherein the evaluating step evaluates at least one rule pertaining to the document access operation,the evaluating step monitors operations of a plurality of application programs on the first computer, and the application programs are outside of the operating system layer,the document access operation is initiated by an application program and detected by the interceptor code component, and the interceptor code component transfers handling of the document access operation to the policy engine code component,the at least one rule is among a plurality of rules stored on the first computer, andthe at least one rule contains at least one expression used by the evaluating step to control document access operation;
  
  for a first application program on the first computer, performing the evaluating step for an operation of the first application program;
  
  determining if the first computer contains a first piece of information required to evaluate the at least one rule;
  
  if the first computer contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule;
  
  if the first computer does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule;
  
  if the first computer is incapable of evaluating the at least one rule, determining a second computer connected over a network to the first computer, wherein the second computer has access to the first piece of information; and
  
  confirming on the first computer that the second computer has an ability to interact with the evaluating step.
- View Dependent Claims (6)
- - 6. The method of claim 5 comprising:
    - determining first and second portions of the at least one rule, wherein evaluating the second portion of the at least one rule comprises accessing the first piece of information that causes the first computer to be incapable of evaluating the at least one rule;
      
      designating the second portion of the at least one rule to be evaluated with the first piece of information accessible by the second computer;
      
      accessing the first piece of information by the second computer;
      
      evaluating the second portion of the at least one rule with the accessed first piece of information accessed by the second computer;
      
      determining the first computer is capable of evaluating the first portion of the at least one rule by way of the first computer having access to a second piece of information required to evaluate the first portion of the at least one rule;
      
      designating the first portion of the at least one rule to be evaluated with the second piece of information accessible by the first computer;
      
      accessing the second piece of information by the first computer;
      
      evaluating the first portion of the at least one rule with the accessed second piece of information accessed by the first computer;
      
      based on the evaluated first portion of the at least one rule by the first computer and evaluated second portion of the least one rule by the second computer, determining whether to allow or deny the operation of the first application program;
      
      when the first computer is incapable of evaluating the at least one rule, transmitting an indication from the first computer to a helper decision point, wherein the indication comprises a request and a list of events; and
      
      based on the indication, determining at the helper decision point that the second computer has access to the first piece of information.

21. A method comprising:
- providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
  
  determining whether to intercept at least one low level file operation to be executed at the operating system layer of the first computer to complete a document access operation, wherein the at least one low level file operation is generated in response to the document access operation but before the at least one low level file operation has executed;
  
  using the interceptor code component, intercepting the at least one low level file operation;
  
  collecting at an application layer of the first computer data needed to determine whether to allow the document access operation, wherein the collected application layer data is not included with the at least one low level file operation;
  
  using the policy engine code component, evaluating the document access operation on the first computer,wherein the evaluating step evaluates at least one rule pertaining to the document access operation,the at least one rule is among a plurality of rules stored on the first computer,the at least one rule contains at least one expression used by the evaluating step to control document access operation, andevaluating the document access operation comprises evaluating data identifying the at least one low level file operation to be executed at the operating system layer and the collected application layer data;
  
  communicating with a second computer as indicated by the at least one rule; and
  
  confirming on the first computer that the second computer has an ability to interact with the evaluating step.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng
Primary Examiner(s)
Chang, Tom Y

Application Number

US15/352,522
Publication Number

US 20170063935A1
Time in Patent Office

1,155 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 21/6281   at program execution time, ...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/468   Specific access rights for ...

H04L 2463/101   applying security measures ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/28   Restricting access to netwo...

H04L 63/00   Network architectures or ne...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 63/30   for supporting lawful inter...

H04L 67/01   Protocols

Enforcing control policies in an information management system with two or more interactive enforcement points

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing control policies in an information management system with two or more interactive enforcement points

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links