PREVENTING SECURE DATA FROM LEAVING THE NETWORK PERIMETER

US 20090183257A1
Filed: 01/15/2008
Published: 07/16/2009
Est. Priority Date: 01/15/2008
Status: Active Grant

First Claim

Patent Images

1. A method for preventing secure data from leaving a perimeter of an enterprise network, the method comprising the steps of:

monitoring outbound data that is being sent out across the enterprise network perimeter;

computing a hash of the outbound data;

comparing the hash of the outbound data to each of a plurality of stored hashes, the stored hashes being associated with respective data files that are each designated as secure by an administrator or authorized user of the enterprise network;

blocking the outbound data from leaving the perimeter if the hash of the outbound data matches one of the stored hashes; and

allowing the outbound data to exit across the network perimeter if the hash of the outbound data does not match any of the stored hashes.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure data is prevented from leaving the perimeter of a network such as an enterprise network or corporate network (“corpnet”) by an arrangement in which a hash of the secure data is periodically computed, and the hashes are pushed out to an edge device on the network such as a firewall where they are stored for later access. The edge device is configured so that it has access to all traffic that flows between the enterprise network and an external network, such as the Internet, that is located outside the enterprise network perimeter. Whenever a user attempts to send data to the external network, a process running on the edge device computes a hash for the outbound data and compares it against the stored hashes associated with the secure data. If a match is made between the hash for the outbound data and a stored hash for secure data, then the edge device blocks the outbound data from leaving the network perimeter.

Citations

20 Claims

1. A method for preventing secure data from leaving a perimeter of an enterprise network, the method comprising the steps of:
- monitoring outbound data that is being sent out across the enterprise network perimeter;
  
  computing a hash of the outbound data;
  
  comparing the hash of the outbound data to each of a plurality of stored hashes, the stored hashes being associated with respective data files that are each designated as secure by an administrator or authorized user of the enterprise network;
  
  blocking the outbound data from leaving the perimeter if the hash of the outbound data matches one of the stored hashes; and
  
  allowing the outbound data to exit across the network perimeter if the hash of the outbound data does not match any of the stored hashes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 including a further step of performing the monitoring, computing, comparing, blocking, and allowing in an edge device that is positioned on the network perimeter.
  - 3. The method of claim 2 in which the edge device is further configured to function as a gateway to an external network and the outbound data is intended to be received by an address on the external network.
  - 4. The method of claim 3 in which the edge device is further configured to provide edge security including a firewall functionality, and network optimization selected from one of caching, HTTP compression, or QoS policy enforcement.
  - 5. The method of claim 4 including the further steps of receiving a hash that is computed for data that is designated as secure, and storing the received hash with the plurality of stored hashes, the received hash functioning to uniquely identify the designated secure data.
  - 6. The method of claim 5 in which the stored hashes are stored on a persistent basis in a repository that is disposed in one of the edge device, or an external device that is capable of being operatively coupled to the edge device.
  - 7. The method of claim 6 including a further step of sending a notification to an administrator management function in the enterprise network when the outbound data is blocked from leaving the perimeter.
  - 8. The method of claim 7 including a further step of receiving a manual override from a network administrator in response to the notification, the manual override indicating that the outbound data is permitted to leave the network perimeter.
  - 9. The method of claim 8 in which the administrator management function includes features selected from one of configuration management, monitoring, reporting, or auditing.
  - 10. The method of claim 9 in which the administrator management function is configured to enable selection among a plurality of different hashing algorithms.

11. A method for identifying data in an enterprise network as being secure, the method comprising the steps of:
- receiving a designation from an administrator or authorized user of the enterprise network that a data file is secure;
  
  computing a hash for the data file to uniquely identify it as secure data, secure data being subject to restrictions on leaving the enterprise network perimeter; and
  
  sending the hash to an edge device that is positioned on the enterprise network perimeter, the edge device being arranged to block secure data that is outbound from the enterprise network.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11 including a further step of computing a hash for other data that is designated secure so that the edge device is kept updated with identities of currently secure data in the enterprise network.
  - 13. The method of claim 12 in which the computing is performed at predetermined intervals.
  - 14. The method of claim 13 including a further step of setting the predetermined intervals using an administrator console that is arranged to manage configuration of devices in the enterprise network.

15. A method for identifying data that has been modified at a host in an enterprise network as being secure, secure data being subject to restrictions on leaving the enterprise network perimeter, the method comprising the steps of:
- monitoring activity at the host to identify when secure data that has been downloaded from a source in the enterprise network has been modified;
  
  computing a hash for the modified data to uniquely identify the modified data as being secure; and
  
  sending the hash to an edge device that is positioned on the enterprise network perimeter, the edge device being arranged to block secure data that is outbound from the enterprise network.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 including a further step of generating an administrator notification responsively to the monitoring.
  - 17. The method of claim 16 in which the edge device is selected from one of firewall, router, proxy server, switch, or gateway.
  - 18. The method of claim 17 in which the host is a computing device being selected from one of desktop, laptop, or workstation, the computing device being coupled to the source, the source being a server.
  - 19. The method of claim 18 in which the hash is computing using an algorithm selected from one of LM, MD4, MD5, CRC16, CRC32, SHA-0/1, SHA-0, SHA-1, SHA-2, Tiger, or RIPEMD.
  - 20. The method of claim 19 in which the monitoring, computing, and sending are performed by a client-side agent disposed in a host machine in the enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Prahalad, Prashanth

Granted Patent

US 8,316,442 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

PREVENTING SECURE DATA FROM LEAVING THE NETWORK PERIMETER

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PREVENTING SECURE DATA FROM LEAVING THE NETWORK PERIMETER

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links