Electronic data security system and method

US 20050154885A1
Filed: 12/03/2004
Published: 07/14/2005
Est. Priority Date: 05/15/2000
Status: Abandoned Application

First Claim

Patent Images

1. An electronic data security system comprising:

an operating environment;

at least one Productivity Application capable of operating within the operating environment;

a Policy Administrator component, wherein the Policy Administrator component allows a data security system administrator to create, edit, and delete at least one security policy attribute which is associated with the system;

a Workgroup Management component, wherein the Workgroup Management component allows an operating environment user to create, edit, and delete at least one secure workgroup, including creating, editing, and deleting at least one attribute associated with each at least one secure workgroup;

a User Authentication component, wherein the User Authentication component controls identification of, and access by, the operating environment user to system resources and functions, including identifying at least one secure workgroup to which the operating environment user belongs;

a File Authority component, wherein the File Authority component interprets at least one security policy attribute and at least one attribute associated with at least one secure workgroup to which the operating environment user belongs to determine what actions the operating environment user can take on particular data associated with the Productivity Application; and

, a Runtime component, wherein the Runtime component coordinates communications between the other system components, the operating environment, and the at least one Productivity Application to protect the particular data associated with the Productivity Application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system capable of providing seamless access to, and encryption of, electronic data. The security system integrates into an operating environment and intercepts calls between the operating environment and one or more Productivity Applications within the operating environment, thereby ensuring security policies are properly applied to all sensitive data wherever the data travels or resides.

132 Citations

33 Claims

1. An electronic data security system comprising:
- an operating environment;
  
  at least one Productivity Application capable of operating within the operating environment;
  
  a Policy Administrator component, wherein the Policy Administrator component allows a data security system administrator to create, edit, and delete at least one security policy attribute which is associated with the system;
  
  a Workgroup Management component, wherein the Workgroup Management component allows an operating environment user to create, edit, and delete at least one secure workgroup, including creating, editing, and deleting at least one attribute associated with each at least one secure workgroup;
  
  a User Authentication component, wherein the User Authentication component controls identification of, and access by, the operating environment user to system resources and functions, including identifying at least one secure workgroup to which the operating environment user belongs;
  
  a File Authority component, wherein the File Authority component interprets at least one security policy attribute and at least one attribute associated with at least one secure workgroup to which the operating environment user belongs to determine what actions the operating environment user can take on particular data associated with the Productivity Application; and
  
  , a Runtime component, wherein the Runtime component coordinates communications between the other system components, the operating environment, and the at least one Productivity Application to protect the particular data associated with the Productivity Application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The electronic data security system of claim 1, wherein the Policy Administrator component allows a system administrator to create, edit, and delete security policy attributes at at least one of a plurality of levels;
  - 3. The electronic data security system of claim 2, wherein the Policy Administrator component allows a system administrator to create, edit, and delete security policy attributes at the enterprise, user group, and user levels.
  - 4. The electronic data security system of claim 3, wherein the User Authentication component applies the security policy attributes in a hierarchical fashion.
  - 5. The electronic data security system of claim 4, wherein the User Authentication component applies the security policy attributes by default such that the user level security policy attributes take precedence over the user group level and enterprise level security policy attributes, and the user group level security policy attributes take precedence over the enterprise level security policy attributes;
  - 6. The electronic data security system of claim 5, wherein a data security system administrator can alter individual policy attribute precedences through at least one security policy attribute setting.
  - 7. The electronic data security system of claim 1, wherein the user authentication component controls identification of an individual operating environment user and controls access to electronic data within the system by the individual operating environment user based on the security policy attributes.
  - 8. The electronic data security system of claim 1, wherein the Policy Administrator allows defining of user groups and the Workgroup Management component allows the operating environment user to be a member of at least one user group.
  - 9. The electronic data security system of claim 1, wherein the runtime component is configured to intercept calls made by the Productivity Application to the operating environment.
  - 10. The electronic data security system of claim 9, wherein the runtime component allows, prevents, transforms, or redirects the intercepted calls based on a current file policy associated with the particular data.
  - 11. The electronic data security system of claim 9, wherein the runtime component is configured to intercept calls made by the Productivity Application to other applications running within the operating environment.
  - 12. The electronic data security system of claim 11, wherein the runtime component allows, prevents, transforms, or redirects the intercepted calls based on a current file policy associated with the particular data.
  - 13. The electronic data security system of claim 1, wherein the particular data includes at least one Clear Information Block, at least one Secure Information Block, at least one Clear Content Block, and at least one Secure Content Block.
  - 14. The electronic data security system of claim 13, wherein the content of the at least one Secure Content Block is encrypted.
  - 15. The electronic data security system of claim 13, wherein the at least one Secure Information Block includes rights management information and is associated with at least one tamper indication element.
  - 16. The electronic data security system of claim 15, wherein the tamper indication element is indicative of unauthorized alterations to the Secure Information Block.
  - 17. The electronic data security system of claim 15, wherein the tamper indication element is indicative of unauthorized alterations of the particular data as a whole.
  - 18. The electronic data security system of claim 15, wherein the tamper indication element is indicative of unauthorized alterations of the Secure Content Block.

19. A method of protecting electronic data, comprising:
- loading an operating environment to be used by a user;
  
  loading a monitoring application within the operating environment, wherein the monitoring application performs the following as it loads;
  
  authenticating the user;
  
  if a Policy Server is available, retrieving Policy Block and User Configuration information from a Policy Server, processing the Policy Block and User Configuration information, and caching the Policy Block and User Configuration;
  
  if a Policy Server is unavailable, processing the cached Policy Block and User configuration information;
  
  evaluating the current user context to determine whether the user is at risk and preventing any access to protected electronic data if the user is at risk;
  
  monitoring each application launched within the operating environment to determine whether the launched application is a Productivity Application;
  
  if the launched application is not a Productivity Application, permitting the launched application to directly interact with the operating environment;
  
  if the launched application is a Productivity Application, performing the following;
  
  decrypting protected electronic data if the user is a member of the secure workgroup associated with the protected electronic data and making the decrypted data available to the Productivity Application;
  
  loading data security policy attributes stored with the protected electronic data;
  
  monitoring interactions between the Productivity Application and the operating environment and allowing, preventing, transforming, or redirecting the interactions based on system security policy attributes contained within the Policy Block and the data security policy attributes stored with the protected electronic data; and
  
  permanently deleting any temporary files created by the Productivity Application when the temporary files are no longer in use.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The method of claim 19, wherein the permanent deletion of the temporary files is done to NISPOM standards.
  - 21. The method of claim 19, wherein interactions between the Productivity Application and the operating environment which cause protected data to be written to a file results in encryption of the protected data according to the corresponding system security policy attributes and the data security policy attributes.
  - 22. The method of claim 21, wherein the encryption includes a group-level key.
  - 23. The method of claim 19, further comprising validating the decrypted protected electronic data and the data security policy attributes using a tamper indicator associated with the data.
  - 24. The method of claim 19, further comprising logging any events that are to be logged according to a current file policy.
  - 25. The method of claim 24, wherein the current file policy is generated from the contents of the Policy Block and the policy attributes which are part of the protected electronic data.
  - 26. The method of claim 24, wherein the corresponding attributes of the current file policy are stored as part of the protected data.
  - 27. The method of claim 19, wherein the protected data includes at least one Clear Information Block, at least one Secure Information Block, at least one Clear Content Block, and at least one Secure Content Block.
  - 28. The method of claim 27, wherein the at least one Secure Information Block and the at least one Secure Content Block are the only encrypted portion of the protected data.
  - 29. The method of claim 27, wherein the Secure Information Block and the Secure Content Block have at least one tamper indicator element associated with them.

30. A method of defining user access to protected electronic data, comprising:
- permitting a system administrator to define a set of possible users;
  
  permitting the system administrator to define a set of user groups;
  
  permitting the system administrator to define a set of policy attributes applicable to at least one user group;
  
  allowing a system user to create data which is to be protected;
  
  allowing the system user to define a secure workgroup, such that members of secure workgroup are given access to the protected data;
  
  creating at least one encryption key for the at least one secure workgroup;
  
  encrypting the data which is to be protected using the encryption key for the secure workgroup;
  
  inviting users, and members of user groups to join the secured workgroup; and
  
  authenticating an invitee invitation and, if authenticated, providing the encryption key for the secure workgroup to the invitee.
- View Dependent Claims (31, 32, 33)
- - 31. The method of claim 30, wherein invitee authentication is based on single factor authentication.
  - 32. The method of claim 31, wherein the single factor authentication is a biometric identifier.
  - 33. The method of claim 31, wherein the single factor authentication is a shared passphrase provided to the invitee by the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Controlguard Software Technologies Limited
Original Assignee
Interfuse Technology Incorporated
Inventors
Rodney, Steven R., Tessaro, William E., Viscomi, Phillip A.

Application Number

US11/002,979
Publication Number

US 20050154885A1
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 11/3466   Performance evaluation by t...

G06F 21/56   Computer malware detection ...

G06F 21/6218   to a system of files or obj...

G06F 9/44521   Dynamic linking or loading;...

Electronic data security system and method

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic data security system and method

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links