Securing Data in a Networked Environment

US 20090063869A1
Filed: 01/17/2007
Published: 03/05/2009
Est. Priority Date: 01/17/2006
Status: Active Grant

First Claim

Patent Images

1. Apparatus for securing data comprising:

a secure environment definer configured to define a secure environment within an existing user environment, said definer configured to define a boundary about said environment across which data cannot pass and a channel out of said secure environment, the secure environment definer further being configured to define a filter associated with said channel out of said secure environment, said filter being definable to control passage of data out of said secure environment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus for securing data, comprising: an isolated processing environment having a boundary across which data cannot cross and a channel for allowing data to cross the boundary. A filter restricts data passage across the channel. Protected data is initially located in a secure area and is only released to such a secure processing environment so that access for authorized users to the secure data is available, but subsequent release of the secure data by the authorized users to the outside world is controlled.

Citations

39 Claims

1. Apparatus for securing data comprising:
- a secure environment definer configured to define a secure environment within an existing user environment, said definer configured to define a boundary about said environment across which data cannot pass and a channel out of said secure environment, the secure environment definer further being configured to define a filter associated with said channel out of said secure environment, said filter being definable to control passage of data out of said secure environment.
- View Dependent Claims (2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19)
- - 2. The secure environment definer of claim 1, further for use with a predefined classified data area, and configured to ensure that data from said predefined classified area can only go to said secure environment.
  - 4. The apparatus of claim 1, further comprising a data classifier, associated with said filter and configured to classify an output data unit according to a predefined policy, wherein said filter is further configured to restrict the outputting of the data unit according to the classification.
  - 5. The apparatus of claim 1, further comprising an output data modifier, associated with said filter and configured to modify the output data unit according to a predefined policy.
  - 6. The apparatus of claim 5, wherein said output data modifier is further configured to use the classification of the output data unit for the modifying.
  - 7. The apparatus of claim 5, wherein said modifying comprises encrypting the output data unit.
  - 8. The apparatus of claim 1, wherein said filter comprises an input filter and an output filter, said input filter being configured to restrict inputting of a data unit into said secure environment, wherein said secure environment is further operable to forward the input data unit to the classified area.
  - 9. The apparatus of claim 8, further comprising an input data modifier associated with said input filter and configured to modify the input data unit according to a predefined policy.
  - 10. The apparatus of claim 9, wherein said modifying comprises decrypting the input data unit.
  - 11. The apparatus of claim 1, comprising a plurality of isolated processing environments, and further comprising an environment selector associated with at least one of said isolated processing environments and configured to detect an attempt to perform an operation on a data unit and restrict the performance of the operation to a selected one of said isolated processing environments according to a predefined policy.
  - 12. The apparatus of claim 1, further comprising an authenticator, associated with said filter and configured to authenticate identity of a user attempting to access the output data unit and restrict access to the output data unit according to the authenticated identity.
  - 13. The apparatus of claim 1, further comprising an authenticator, associated with said filter and configured to authenticate identity of a user attempting to access said secure environment and restrict access of the user to said secure environment according to the authenticated identity.
  - 14. The apparatus of claim 1, further comprising a logger, associated with said secure environment and configured to log activity in said secure environment.
  - 16. The apparatus of claim 1, wherein said secure environment comprises an automatically encrypted local file system, configured to automatically encrypt a data unit stored in said secure environment.
  - 17. The apparatus of claim 1, further comprising a graphical user interface (GUI) manager, associated with said secure environment and configured to manage a GUI, for presenting a data unit to a user of an endpoint computer, with a distinctive visual mark, in accordance with a predefined policy.
  - 19. The apparatus of claim 1, wherein said secure environment is allowed access to at least one classified area, in accordance with a predefined policy pertaining to classification group of the classified area.

3. (canceled)

15. (canceled)

18. (canceled)

20. Apparatus for securing data, comprising:
- an isolated processing environment, associated with a predefined classified area of data sources, having a boundary across which data cannot pass and a channel for passage of data across said boundary, the isolated processing environment being operable to receive a data unit from the classified area, wherein said isolated processing environment is installed on an endpoint computer;
  
  a data classifier, associated with said isolated processing environment, and configured to classify the data unit, according to a predefined policy;
  
  an output restrictor, associated with said channel and configured to restrict the outputting of the data unit across said channel, according to said classification; and
  
  an output data modifier associated with said output restrictor and configured to modify the output data unit, according to said classification.

21. (canceled)

22. Apparatus for securing data, comprising:
- an isolated processing environment, associated with a predefined classified area of data sources, wherein said isolated processing environment is installed on an endpoint computer; and
  
  an input restrictor, associated with said isolating processing environment, and configured to restrict input of a data unit into said isolated processing environment, wherein said isolated processing environment is further operable to forward the input data unit to the classified area.
- View Dependent Claims (23, 24)
- - 23. The apparatus of claim 22, wherein the classified area is external to the endpoint computer.
  - 24. The apparatus of claim 22, further comprising an input data modifier, associated with said input restrictor and configured to modify the input data unit according to a predefined policy.

25. Apparatus for securing data, comprising:
- an isolated processing environment, associated with a predefined classified area of data sources, wherein said isolated processing environment is installed on an endpoint computer, said isolated processing environment comprising a boundary across which data cannot pass and a channel for allowing data to pass across said boundary;
  
  an input restrictor, associated with said channel, and configured to restrict input of a data unit into said isolated processing environment; and
  
  an input data modifier, associated with said input restrictor and configured to modify said input data unit according to a predefined policy; and
  
  wherein said isolated processing environment is further operable to forward the input data unit to the classified area.
- View Dependent Claims (27)
- - 27. Apparatus according to claim 25, further comprising:
    - a data classifier, associated with said isolated processing environment, and configured to classify the data unit, according to a predefined policy;
      
      an output restrictor, associated with said channel and configured to restrict the outputting of the data unit, according to said classification; and
      
      an output data modifier associated with said output restrictor and configured to modify the output data unit, according to said classification.

26. (canceled)

28. (canceled)

29. System for securing data, comprising:
- at least two isolated processing environments, each environment comprising a boundary across which data cannot pass and a channel through which data may cross said boundary, each environment operatively associated with a respective predefined classified area of data sources thereby to receive a data unit from the classified area, and installed on an endpoint computer; and
  
  at least two output restrictors, each output restrictor associated with a channel of a respective one of said isolating processing environments and configured to control outputting of the received data unit from the isolated processing environment.

30. A computer program on a computer readable medium, for providing when run on a computer:
- an isolated processing environment definer, operable to define an isolated processing environment comprising a boundary across which data may not pass and a channel through which data may cross said boundary, the environment being associatable with a predefined classified area of data sources on an endpoint computer; and
  
  an output restrictor, installable on the endpoint computer, and configured to restrict outputting of the data unit through said channel.
- View Dependent Claims (31)
- - 31. The computer program on a computer readable medium of claim 30, wherein the classified area is external to the endpoint computer.

32. Method for securing data, comprising:
- a) creating an isolated processing environment at an endpoint computer, by defining a boundary across which data may not pass and a channel across which data may pass across said boundary;
  
  b) receiving within said isolated processing environment a data unit originating from a predefined classified area associated with the isolated processing environment; and
  
  c) monitoring said channel in order to restrict outputting of the received data unit from said isolated processing environment.
- View Dependent Claims (34, 36, 37)
- - 34. The method of claim 32, further comprising classifying the output data unit according to a predefined policy, wherein said restricting the outputting of the data unit is carried out according to the classification of the data unit.
  - 36. The method of claim 32, further comprising restricting inputting of a data unit into said isolated processing environment, according to a predefined policy.
  - 37. The method of claim 32, further comprising modifying a data unit input into said isolated processing environment according to a predefined policy.

33. (canceled)

35. (canceled)

38. Method for securing data, comprising:
- a) creating an isolated processing environment at an endpoint computer, by defining a boundary across which data may not pass and a channel across which data may pass across said boundary;
  
  b) monitoring said channel to restrict input of data units to said isolated processing environment; and
  
  c) forwarding the restricted input data units from said isolated processing environment to a classified area associated with the isolated processing environment, thereby to protect data input to said classified area.
- View Dependent Claims (39)
- - 39. The method of claim 38, further comprising modifying the input data unit, according to a predefined policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Israel, Ltd. (Microsoft Corporation)
Inventors
Oelgiesser, Ran, Kohavi, Ran, Levy, Yizhak

Granted Patent

US 8,341,756 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/6218 to a system of files or obj...

Securing Data in a Networked Environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Securing Data in a Networked Environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links