SECURE DOMAIN INFORMATION PROTECTION APPARATUS AND METHODS

US 20070294253A1
Filed: 08/25/2006
Published: 12/20/2007
Est. Priority Date: 06/20/2006
Status: Abandoned Application

First Claim

Patent Images

1. A machine-implemented method comprising:

determining whether service access information associated with access, by an external user that is outside a secure domain, to a service provided in the secure domain includes sensitive information; and

performing a protection action to protect the sensitive information, where the service access information includes sensitive information.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure domain information protection apparatus and methods are disclosed. Service access information associated with access, by an external user that is outside a secure domain, to a service that is provided in the secure domain is processed to determine whether it includes sensitive information. If so, a protection action is performed on the service access information, on an entire service message or to one or more portions thereof, for example, to protect the sensitive information. A specification language and execution environment are also proposed to provide for high speed processing. Sensitive information detection criteria, protection actions, and possibly targets on which the protection actions are to be performed, may be identified in a data structure stored on a machine-readable medium.

28 Citations

View as Search Results

26 Claims

1. A machine-implemented method comprising:
- determining whether service access information associated with access, by an external user that is outside a secure domain, to a service provided in the secure domain includes sensitive information; and
  
  performing a protection action to protect the sensitive information, where the service access information includes sensitive information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the protection action comprises one or more of:
    - dropping all of the service access information, removing only the sensitive information from the service access information, encrypting all of the service access information, encrypting only the sensitive information in the service access information, digitally signing all of the service access information, and digitally signing only the sensitive information in the service access information.
  - 3. The method of claim 1, wherein performing comprises performing the protection action on a portion of the service access information.
  - 4. The method of claim 1, wherein determining comprises parsing the service access information.
  - 5. The method of claim 1, wherein determining and performing comprise executing a regulation specification language (RSL) program that defines sensitive information detection criteria and protection actions associated with an information protection regulation.
  - 6. The method of claim 5, wherein the RSL program comprises table entries specifying respective sensitive information detection criteria and corresponding protection actions, and wherein executing comprises sequentially processing the service access information for each table entry.
  - 7. The method of claim 5, wherein the RSL program comprises eXtensible Stylesheet Language Transformation (XSLT) operations.
  - 8. The method of claim 7, wherein the XSLT operations employ eXtensible Markup Language (XML) extensions to support encryption as the protection action.
  - 9. The method of claim 1, further comprising:
    - identifying a protection policy associated with the service access information,wherein determining comprises determining whether the service access information includes sensitive information specified in the protection policy.
  - 10. The method of claim 9, wherein identifying comprises identifying a protection policy based on one or more of:
    - a destination of the service access information, a source of the service access information, the external user, and an external domain with which the external user is associated.
  - 11. The method of claim 1, implemented at a web services node of a communication network within the secure domain.
  - 12. A machine-readable medium storing instructions which when executed perform the method of claim 1.

13. An apparatus comprising:
- a service access information processor operable to determine whether service access information associated with access, by an external user that is outside a secure domain, to a service provided in the secure domain includes sensitive information; and
  
  a protection module operatively coupled to the service access information processor and operable to perform a protection action to protect the sensitive information, where the service access information includes sensitive information.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The apparatus of claim 13, wherein the protection action comprises one or more of:
    - dropping all of the service access information, removing only the sensitive information from the service access information, encrypting all of the service access information, encrypting only the sensitive information in the service access information, digitally signing all of the service access information, and digitally signing only the sensitive information in the service access information.
  - 15. The apparatus of claim 13, wherein the service access information processor comprises a parser for parsing the service access information.
  - 16. The apparatus of claim 13, wherein at least one of the service access information processor and the protection module implements a regulation specification language (RSL) execution environment for executing an RSL program that defines sensitive information detection criteria and protection actions associated with an information protection regulation.
  - 17. The apparatus of claim 16, wherein the RSL program comprises table entries specifying respective sensitive information detection criteria and corresponding protection actions, and wherein executing comprises sequentially processing the service access information for each table entry.
  - 18. The apparatus of claim 16, wherein the RSL program comprises eXtensible Stylesheet Language Transformation (XSLT) operations.
  - 19. The apparatus of claim 18, wherein the XSLT operations employ eXtensible Markup Language (XML) extensions to support encryption as the protection action.
  - 20. The apparatus of claim 13, further comprising:
    - a memory, operatively coupled to the service access information processor, for storing protection policies,wherein the service access information processor is further operable to identify in the memory a protection policy associated with the service access information, and to determine whether the service access information includes sensitive information by determining whether the service access information includes sensitive information specified in the protection policy.
  - 21. The apparatus of claim 20, wherein the service access information processor is operable to identify a protection policy based on one or more of:
    - a destination of the service access information, a source of the service access information, the external user, and an external domain with which the external user is associated.
  - 22. A web services node comprising:
    - the apparatus of claim 13.
  - 23. The web services node of claim 22, implemented in the secure domain.
  - 24. The web services node of claim 22, implemented in an external domain with which the external user is associated.

25. A machine-readable medium storing a data structure, the data structure comprising:
- a detection criterion identifying sensitive information; and
  
  a protection action field identifying a protection action to be performed to protect the sensitive information identified in the detection criterion where the identified sensitive information is detected in service access information associated with access, by an external user that is outside a secure domain, to a service provided in the secure domain.
- View Dependent Claims (26)
- - 26. The medium of claim 25, wherein the data structure further comprises:
    - an action target field identifying a portion of the service access information on which the protection action is to be performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Whitehead, Brad James, Strub, Lyle, Papandreou, George

Application Number

US11/467,387
Publication Number

US 20070294253A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1458   Denial of Service

SECURE DOMAIN INFORMATION PROTECTION APPARATUS AND METHODS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

SECURE DOMAIN INFORMATION PROTECTION APPARATUS AND METHODS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others