Secure e-mail services system and methods implementing inversion of security control
First Claim
1. A secure e-mail service, executable on a designated computer system having a defined association with a recipient e-mail server, implementing inverted security control over recipient content as persistently stored within a repository maintained on behalf of a recipient by said recipient e-mail server, said recipient content being provided in association with a message transmitted over a communications network from a sender computer system unassociated with said designated computer system directed to said recipient, said recipient content being accessible by said recipient from said repository, said secure e-mail service comprising:
a) a policy engine responsive to an e-mail message received from a communications network, said policy engine being operative to evaluate said e-mail message and provide for selection of a corresponding encryption key;
b) a content processing engine, coupled to said policy engine, operative to encrypt a portion of said e-mail message, the encryption of said portion of said e-mail message performed to permit subsequent decryption of said portion using said corresponding encryption key; and
c) an interface, coupled to said content processing engine, operative to provide said e-mail message, including said portion as encrypted, to said repository.
0 Assignments
0 Petitions
Abstract
A secure e-mail service, executable on a recipient e-mail server or associated computer system, implements inverted security control over recipient content stored by the recipient e-mail server. Recipient content is received in conjunction with e-mail messages transmitted to recipients from sender computer systems unassociated with the secure e-mail service. The secure e-mail service includes a policy engine that operates on e-mail messages, as received from a communications network, to evaluate metadata features of the message and select a corresponding encryption key. The service further includes a content processing engine that operates to encrypt a portion of the message in a manner that allows subsequent decryption of said portion using the selected encryption key. A service interface enables transfer of the e-mail message, including the portion as encrypted, to the recipient e-mail server, which supports access by the recipients.
31 Claims
1. A secure e-mail service, executable on a designated computer system having a defined association with a recipient e-mail server, implementing inverted security control over recipient content as persistently stored within a repository maintained on behalf of a recipient by said recipient e-mail server, said recipient content being provided in association with a message transmitted over a communications network from a sender computer system unassociated with said designated computer system directed to said recipient, said recipient content being accessible by said recipient from said repository, said secure e-mail service comprising:
a) a policy engine responsive to an e-mail message received from a communications network, said policy engine being operative to evaluate said e-mail message and provide for selection of a corresponding encryption key;
b) a content processing engine, coupled to said policy engine, operative to encrypt a portion of said e-mail message, the encryption of said portion of said e-mail message performed to permit subsequent decryption of said portion using said corresponding encryption key; and
c) an interface, coupled to said content processing engine, operative to provide said e-mail message, including said portion as encrypted, to said repository.
Dependent claims: 2, 3, 4
5. A method of securing content electronically transmitted as part of a message passed between computer systems from a sender directed to a recipient, wherein the content is persistently stored for the benefit of the recipient subject to security constraints defined on behalf of the recipient, said method comprising the steps of:
a) receiving an electronic message, including a content instance, directed to a first recipient user;
b) parsing said electronic message to recognize a metadata feature associated with said content instance;
c) encrypting said content subject to a constraint that an encryption key associated with a second recipient user identified by defined relation to said metadata feature will enable decryption of said content; and
d) providing access to said message to said first and second recipient users.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13
14. An e-mail security service, interoperable with an e-mail server, implementing inverted security control over e-mail content directed to said e-mail server, said e-mail security service comprising:
a) a first interface coupleable to an e-mail transmission path between a sending computer system and said e-mail server, said first interface being operable to intercept an e-mail message directed to said e-mail server on behalf of at least one of said recipient users;
b) a security service engine, coupled to said first interface, operative to evaluate said e-mail message to recognize a metadata feature of said e-mail message, said security service engine being further operable to select an encryption key dependent on a value of said metadata feature and selectively encrypt a portion of said e-mail message subject to decryption using said encryption key; and
c) a second interface coupled to said security service engine and coupleable to said e-mail transmission path, said second interface being operable to transfer said e-mail message, as processed by said security service engine, to said e-mail server.
Dependent claims: 15, 16, 17, 18, 19, 28, 29, 30, 31
20. An e-mail security service, interoperable with an e-mail server, implementing inverted security control over e-mail content directed to said e-mail server, said e-mail security service comprising:
a) a first interface coupleable to an e-mail transmission path between a sending computer system and said e-mail server, said first interface being operable to intercept an e-mail message directed to said e-mail server on behalf of at least one of said recipient users;
b) a security service engine, coupled to said first interface, operative to evaluate said e-mail message to recognize a metadata feature of said e-mail message, said security service engine being further operable to select an encryption key dependent on a value of said metadata feature and selectively encrypt a portion of said e-mail message subject to decryption using said encryption key; and
c) a second interface coupled to said security service engine and coupleable to said e-mail transmission path, said second interface being operable to transfer said e-mail message, as processed by said security service engine, to said e-mail server.
Dependent claims: 21, 22, 23, 24
25. A method, executed on a computer system, of establishing an inversion of security control over content received from senders and persistently held for the benefit of recipients, said method comprising the steps of:
a) receiving, through a communications network, an electronic message originated by a sending user, wherein the content of said electronic message is secured by a source security control specified by said sending user;
b) autonomously removing said source security control from said electronic message as received;
c) autonomously applying a recipient security control to said electronic message to secure the content of said electronic message wherein selection of the applied said recipient security control is determined from a policy defined relative to a recipient and unspecified by said sending user; and
d) storing said electronic message subject to said recipient security control subject to access by said recipient.
Dependent claims: 26, 27
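The architecture the abstract and claims 1, 5, 14 and 25 describe (intercept an inbound message, evaluate a metadata feature, select a recipient-side key from policy, encrypt a portion so that a second recipient can also decrypt it, replace the sender's control with the recipient's, and hand the result to the repository) can be shown end to end in a short Python example. This is an added illustration written for this page, not code from the patent or any product; the department mapping, keys, custodian addresses, the `X-Source-Security` header standing in for a sender-chosen control, and the sample message are all constructed, and the SHA-256/HMAC stream construction is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
"""Recipient-side ("inverted") e-mail security: an added illustration of the
architecture in the abstract and claims 1, 5, 14 and 25. Written for this page,
not code from the patent. Department names, keys, custodians and the sample
message are constructed. The SHA-256/HMAC stream construction is a stdlib
stand-in for a real AEAD (use AES-GCM from the `cryptography` package in
practice)."""
import base64
import hashlib
import hmac
import os
from email import message_from_string
from email.message import Message

# Recipient-side policy (constructed): a metadata feature of the message, the
# recipient's department, selects the key. The department's records custodian
# holds the same key, so the stored copy is readable by both (claim 5).
DEPARTMENT_OF = {"alice@corp.example": "finance", "bob@corp.example": "finance",
                 "carol@corp.example": "legal"}
DEPARTMENT_KEYS = {"finance": hashlib.sha256(b"demo-finance-key").digest(),
                   "legal": hashlib.sha256(b"demo-legal-key").digest()}
CUSTODIAN_OF = {"finance": "fin-records@corp.example",
                "legal": "legal-records@corp.example"}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in, not a vetted cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails authentication."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(
            hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def select_key(msg: Message):
    """Policy engine: evaluate a metadata feature and pick the recipient-side key."""
    recipient = msg.get("To", "").strip().lower()
    dept = DEPARTMENT_OF.get(recipient)
    if dept is None:
        raise ValueError(f"no recipient policy for {recipient!r}")
    return dept, DEPARTMENT_KEYS[dept], CUSTODIAN_OF[dept]


def process_message(raw: str, repository: dict) -> Message:
    """Content processing engine and repository interface for one inbound
    single-part message: encrypt the body (the protected portion) under the
    policy-selected key, then deliver copies to the recipient and custodian."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        raise ValueError("example handles single-part messages only")
    dept, key, custodian = select_key(msg)
    body = msg.get_payload().encode("utf-8")
    msg.set_payload(base64.b64encode(seal(key, body)).decode("ascii"))
    # Claim 25 stand-in: a sender-chosen control (modelled here as a header) is
    # dropped and replaced by policy metadata the sender did not specify.
    del msg["X-Source-Security"]
    msg["X-Recipient-Policy"] = dept
    msg["X-Content-Encrypted"] = "body; alg=demo-sha256-ctr-hmac"
    for mailbox in (msg["To"].strip().lower(), custodian):
        repository.setdefault(mailbox, []).append(msg.as_string())
    return msg


def read_message(stored: str, key: bytes) -> str:
    """Recipient-side access: decrypt a stored copy with the holder's key."""
    msg = message_from_string(stored)
    return unseal(key, base64.b64decode(msg.get_payload().strip())).decode("utf-8")


# Constructed inbound message from a sender outside the service's control.
SAMPLE = """From: vendor@outside.example
To: alice@corp.example
Subject: Q3 invoice
X-Source-Security: sender-chosen-expiry=7d
Content-Type: text/plain; charset=utf-8

Invoice total: 12,400 USD. Wire details attached separately.
"""

if __name__ == "__main__":
    repo = {}
    process_message(SAMPLE, repo)
    print(read_message(repo["fin-records@corp.example"][0], DEPARTMENT_KEYS["finance"]))
```

The point the claims make is that the sender never chooses the key: `select_key` derives it purely from the message's metadata and the recipient's policy table, and the stored copies for the first recipient and the custodian are byte-identical, so the second user's access follows from the key selection rather than from anything the sender did. A production version would put the department keys in an HSM or KMS, use a real AEAD, and handle multipart messages so that only the sensitive part (for example an attachment) is encrypted.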
Specification