Methods and Apparatus for Implementing Context-Dependent File Security

US 20080235806A1
Filed: 06/02/2008
Published: 09/25/2008
Est. Priority Date: 07/01/2005
Status: Abandoned Application

First Claim

Patent Images

1. A signal-bearing medium tangibly embodying a program of machine readable instructions executable by a digital processing apparatus of a computer system to perform context-based file security operations, the operations comprising:

receiving a selection of at least one context-based permission to be applied to at least one file stored in a computer memory resource associated with the computer system, whereby the at least one context-based permission will be used by the computer system to control access to the at least one file; and

saving the at least one context-based permission to a memory of the computer system as context-based permission information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention concerns methods and apparatus for implementing context-dependent security for files and other computer system resources. In particular, methods and apparatus of the present invention implement context-based permissions that are used in context-dependent file security. In examples of the present invention, the context-based permissions may allow access to a file only when an attempt to access the file is made at a certain time of day, or from an authorized computer system, or from a computer having a certain application program installed. In general terms, the context-based permissions may specify time, location and application information that either alone or in combination may be used to restrict access to a file.

Citations

32 Claims

1. A signal-bearing medium tangibly embodying a program of machine readable instructions executable by a digital processing apparatus of a computer system to perform context-based file security operations, the operations comprising:
- receiving a selection of at least one context-based permission to be applied to at least one file stored in a computer memory resource associated with the computer system, whereby the at least one context-based permission will be used by the computer system to control access to the at least one file; and
  
  saving the at least one context-based permission to a memory of the computer system as context-based permission information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The signal-bearing medium of claim 1 where the operations further comprise:
    - monitoring access requests for files stored in the computer memory resource associated with the computer system;
      
      detecting a particular access request for files stored in the computer memory resource, where the particular access request encompasses the at least one file;
      
      retrieving the context-based permission information;
      
      deriving user context information from the particular access request; and
      
      comparing the context-based permission saved in the context-based permission information to the user context information derived from the particular access request.
  - 3. The signal-bearing medium of claim 2 whereby the context-based permission concerns an authorized use context and where the operations further comprise:
    - masking the existence of the at least one file from an entity that issued the particular access request when the user context information does not match the authorized use context.
  - 4. The signal-bearing medium of claim 2 whereby the context-based permission concerns an authorized use context and where the operations further comprise:
    - revealing the existence of the at least one file to an entity that issued the particular access request when the user context information matches the authorized use context.
  - 5. The signal-bearing medium of claim 2 whereby the context-based permission concerns an authorized use context and where the operations further comprise:
    - granting access to the at least one file to an entity that issued the particular access request when the user context information matches the authorized use context.
  - 6. The signal-bearing medium of claims 5 where the operations further comprise:
    - monitoring the entity that issued the particular access request;
      
      periodically updating the user context information associated with the entity based on the monitoring activities to create updated user context information;
      
      periodically comparing the updated user context information with the authorized use context contained in the context-based permission; and
      
      terminating access to the at least one file when the updated user context information no longer complies with the authorized use context.
  - 7. The signal-bearing medium of claim 1 where the context-based permission is instituted through an instrumentality of an application program.
  - 8. The signal-bearing medium of claim 1 where the context-based permission is instituted through an instrumentality of an operating system.
  - 9. The signal-bearing medium of claim 1 where the context-based permission is instituted through an instrumentality of a file system.
  - 10. The signal-bearing medium of claim 1 where the context-based permission restricts access to the at least one file to a particular time period.
  - 11. The signal-bearing medium of claim 1 where the context-based permission restricts access to the at least one file to a particular application program.
  - 12. The signal-bearing medium of claim 1 where the context-based permission restricts access to the at least one file based on at least one item selected from the group of:
    - computer identity;
      
      domain identity;
      
      geographic identity.
  - 13. The signal-bearing medium of claim 1 where the context-based permission restricts access to the at least one file based on vendor identity, where vendor identity concerns the identity of a vendor that originated an application program seeking access to the at least one file.
  - 14. The signal-bearing medium of claim 1 where the context-based permission restricts access to the at least one file based on content of the at least one file.
  - 15. The signal-bearing medium of claim 1 where the context-based permission restricts access to the at least one file based on a topic of the at least one file.
  - 16. The signal-bearing medium of claim 1 where the context-based permission restricts access to the at least one file based on keywords contained in the at least one file.
  - 17. The signal-bearing medium of claim 1 where the context-based permission restricts access to the at least one file to access through a particular hardware security device.
  - 18. The signal-bearing medium of claim 1 where the context-based permission restricts access to the at least one file to access through a particular security application.
  - 19. The signal-bearing medium of claim 1 where the context-based permission restricts a number of times that a file operation may be performed on the at least one file to a predetermined number, where the file operation comprises at least one task selected from the group of:
    - accessing the at least one file;
      
      copying the at least one file;
      
      modifying the at least one file;
      
      downloading the at least one file;
      
      printing the at least one file.
  - 20. The signal-bearing medium of claim 1 where the context-based permission information is saved to metadata associated with the at least one file.
  - 21. The signal-bearing medium of claim 1 where the context-based permission concerns multiple contexts where access to the at least one file will be controlled.
  - 22. The signal-bearing medium of claim 21 where the multiple contexts institute a hierarchical context-based permission system.
  - 23. The signal-bearing medium of claim 22 where different context-based permissions are granted to different entities.

24. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus of a computer system to perform context-based file security operations concerning at least one file stored in a computer memory resource associated with the computer system, the operations comprising:
- monitoring access requests for files stored in the computer memory resource associated with the computer system;
  
  detecting a particular access request for files stored in the computer memory resource, where the particular access request encompasses the at least one file;
  
  retrieving context-based permission information associated with the at least one file, where the context-based permission information concerns a context-based permission used to control access to the at least one file;
  
  deriving user context information from the particular access request;
  
  comparing the context-based permission saved in the context-based permission information to the user context information derived from the particular access request; and
  
  granting access to the file if the context-based permission and user context information match.

25. A signal-bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus of a computer system to perform context-based security operations, the operations comprising:
- receiving a selection of at least one context-based permission to be applied to at least one computer system resource associated with the computer system, whereby the at least one context-based permission will be used by the computer system to control access to the at least one computer system resource; and
  
  saving the at least one context-based permission to a memory of the computer system as context-based permission information.
- View Dependent Claims (26, 27)
- - 26. The signal-bearing medium of claim 25 where the operations further comprise:
    - detecting an access request for the computer system resource;
      
      retrieving the context-based permission information;
      
      deriving user context information from the access request;
      
      comparing the context-based permission saved in the context-based permission information to the user context information derived from the particular access request; and
      
      granting access to the computer system resource if the context-based permission and user context information match.
  - 27. The signal-bearing medium of claim 25 where the at least one computer system resource comprises at least one item selected from the group of:
    - file, folder, application program, network, network interface, database.

28. A computer system for performing context-based security operations concerning at least one computer system resource, the computer system comprising:
- at least one memory to store at least one program of machine-readable instructions, where the at least one program performs context-based security operations concerning the at least one computer system resource when executed;
  
  at least one processor coupled to the at least one memory and computer system resource, where the at least one processor performs at least the following operations when the at least one program is executed;
  
  receiving at least one selection of a context-based permission to be applied to the at least one computer system resource, whereby the context-based permission will be used by the computer system to control access to the at least one computer system resource; and
  
  saving the at least one context-based permission to a memory of the computer system as context-based permission information.
- View Dependent Claims (29, 30)
- - 29. The computer system of claim 28 where the operations further comprise:
    - detecting an access request for the computer system resource;
      
      retrieving the context-based permission information;
      
      deriving user context information from the access request;
      
      comparing the context-based permission saved in the context-based permission information to the user context information derived from the access request; and
      
      granting access to the computer system resource if the context-based permission and user context information match.
  - 30. The computer system of claim 28 where the at least one computer system resource comprises at least one item selected from the group of:
    - file, folder, application program, network, network interface, database.

31. A computer system for performing context-based security operations concerning at least one computer system resource, the computer system comprising:
- at least one memory to store at least one program of machine-readable instructions, where the at least one program performs context-based security operations concerning the at least one computer system resource when executed;
  
  at least one processor coupled to the at least one memory, where the at least one processor performs at least the following operations when the at least one program is executed;
  
  monitoring access to the at least one computer system resource;
  
  detecting an attempt to access the at least one computer system resource;
  
  retrieving the context-based permission information;
  
  deriving user context information from the access attempt;
  
  comparing the context-based permission saved in the context-based permission information to the user context information derived from the access attempt; and
  
  granting access to the computer system resource if the context-based permission and user context information match.
- View Dependent Claims (32)
- - 32. The computer system of claim 31 where the at least one computer system resource comprises at least one item selected from the group of:
    - file, folder, application program, network, network interface, database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Pickover, Clifford A., Mastrianni, Steven J., Chefalas, Thomas E., BANTZ, David F.

Application Number

US12/131,351
Publication Number

US 20080235806A1
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

Methods and Apparatus for Implementing Context-Dependent File Security

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and Apparatus for Implementing Context-Dependent File Security

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links