SECURE, POLICY-BASED COMMUNICATIONS SECURITY AND FILE SHARING ACROSS MIXED MEDIA, MIXED-COMMUNICATIONS MODALITIES AND EXTENSIBLE TO CLOUD COMPUTING SUCH AS SOA

US 20110209193A1
Filed: 02/18/2011
Published: 08/25/2011
Est. Priority Date: 02/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

providing an enterprise network having a plurality of subscribers, a plurality of nodes, each node comprising a policy agent to monitor and/or track behavior of the respective node and/or a subscriber associated with the respective node, and a policy enforcement server to enforce polices and/or rules of an enterprise corresponding to the enterprise network;

determining, by a first policy agent corresponding to a first node and first subscriber, a behavioral instance potentially relevant to a policy and/or rule;

notifying, by the first policy agent, the policy enforcement server of the determined behavioral instance; and

applying, by the policy enforcement server, a policy and/or rule to the determined behavioral instance, whereby a policy measure is implemented.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers.

Citations

20 Claims

1. A method, comprising:
- providing an enterprise network having a plurality of subscribers, a plurality of nodes, each node comprising a policy agent to monitor and/or track behavior of the respective node and/or a subscriber associated with the respective node, and a policy enforcement server to enforce polices and/or rules of an enterprise corresponding to the enterprise network;
  
  determining, by a first policy agent corresponding to a first node and first subscriber, a behavioral instance potentially relevant to a policy and/or rule;
  
  notifying, by the first policy agent, the policy enforcement server of the determined behavioral instance; and
  
  applying, by the policy enforcement server, a policy and/or rule to the determined behavioral instance, whereby a policy measure is implemented.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the behavioral instance is the first subscriber intending to make the one or more of a selected communication and content accessible to one or more selected parties and wherein the applying step comprises the sub-steps:
    - receiving, by the policy enforcement server, a policy tag respecting one or more of the selected communication and content and wherein the policy tag comprises one or more of the following;
      
      a persona and/or role of the first subscriber,a persona and/or role of the one or more selected parties,a degree of trust of the enterprise network with the first subscriber and/or one or more selected parties,a capability, provisioning, and/or preference of a communication device of the first subscriber and/or the one or more selected parties,a context of the first subscriber and/or the one or more selected parties,a context of the communication device of the first subscriber and/or the one or more selected parties,an existing policy compliance measure selected by the first subscriber for the one or more of the selected communication and content,a venue for the one or more of the selected communication and content to be made accessible to the one or more selected parties,a description of the one or more of the selected communication and content,a context of the selected communication and/or content, anda policy and/or rule relevant to the one or more of the selected communication and content; and
      
      determining, by the policy enforcement server and based on the policy tag, an applicable policy and/or rule; and
      
      determining, by the policy enforcement server and based on the applicable policy and/or rule, a policy measure to be implemented.
  - 3. The method of claim 2, wherein the first node is a first communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises one or more of a persona and/or role of the one or more selected parties and a persona and/or role of the first subscriber, and wherein the persona and/or role is defined by one or more of the following:
    - employer name, user level, user organization, the subscriber'"'"'s business-related electronic addresses, satellite-based physical location coordinates associated with a business location, Web browsed URL'"'"'s corresponding with business interests, times-of-day associated with business time, days-of-week associated with business time, contact lists of business associates, client, supplier, customer, family member name, the first subscriber'"'"'s personal electronic addresses, satellite-based physical location coordinates associated with personal location, Web browsed URL'"'"'s corresponding with personal interests, times-of-day associated with personal time, days-of-week associated with personal time, contact list of friends, hobby supplier, charitable organization, and other volunteer activity.
  - 4. The method of claim 2, wherein the first node is a first communication device, wherein the policy tag comprises a degree of trust of the enterprise network with the one or more selected parties, and wherein the one or more selected parties is no longer trusted upon occurrence of a determined event and/or passage of determined time.
  - 5. The method of claim 2, wherein the first node is a first communication device, wherein the policy agent is in a class driver, and wherein the policy tag comprises one or more of a context of the first subscriber and/or the one or more selected parties and a context of the first communication device of the first subscriber and/or a communication device of the one or more selected parties.
  - 6. The method of claim 2, wherein the first node is a first communication device, wherein the policy agent is in a class driver, and wherein the policy tag comprises one or more of a capability, provisioning, and/or preference of the first communication device of the first subscriber and/or a communication device of the one or more selected parties and an existing policy compliance measure selected by the first subscriber for the one or more of the selected communication and content.
  - 7. The method of claim 2, wherein the first node is a first communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises a venue for the one or more of the selected communication and content to be made accessible to the one or more selected parties, and wherein the venue comprises one of a blog, micro-blog, Really Simple Syndication (“
    - RSS”
      
      ) feed, chat room, social network posting, news aggregator, and private party.
  - 8. The method of claim 2, wherein the policy measure to be implemented comprises one or more of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,implementation of an action to remedy a prior policy or rule violation,block, delay, and/or buffer the one or more of the selected communication and/or content,mark or delete a portion of the one or more of the selected communication and/or content prior to access by one or more other parties,send a notice of policy and/or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by the one or more selected parties,prevent the first subscriber from selecting, such as by dragging and dropping, selected content into a communication,provide read-only access to the one or more of the selected communication and/or content,set a hop restriction on the one or more of the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the one or more of the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.
  - 9. A non-transitory computer readable medium comprising processor executable instructions to perform the determining, notifying and applying steps of claim 1.

10. A system, comprising:
- an enterprise network having a plurality of subscribers, a plurality of nodes, and a policy enforcement server to enforce polices and/or rules of an enterprise corresponding to the enterprise network;
  
  wherein;
  
  each node comprises a respective policy agent to monitor and/or track behavior of the respective node and/or a subscriber associated with the respective node,a first policy agent of the plurality of policy agents corresponds to a first node and first subscriber and identifies a behavioral instance potentially relevant to a policy and/or rule;
  
  the first policy agent notifies the policy enforcement server of the determined behavioral instance; and
  
  the policy enforcement server applies a policy and/or rule to the determined behavioral instance, whereby a policy measure is implemented.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the behavioral instance is the first subscriber intending to make the one or more of a selected communication and content accessible to one or more selected parties and wherein the applying operation comprises the sub-operations:
    - receiving a policy tag respecting one or more of the selected communication and content and wherein the policy tag comprises one or more of the following;
      
      a persona and/or role of the first subscriber,a persona and/or role of the one or more selected parties,a degree of trust of the enterprise network with the first subscriber and/or one or more selected parties,a capability, provisioning, and/or preference of a communication device of the first subscriber and/or the one or more selected parties,a context of the first subscriber and/or the one or more selected parties,a context of the communication device of the first subscriber and/or the one or more selected parties,an existing policy compliance measure selected by the first subscriber for the one or more of the selected communication and content,a venue for the one or more of the selected communication and content to be made accessible to the one or more selected parties,a description of the one or more of the selected communication and content,a context of the selected communication and/or content, anda policy and/or rule relevant to the one or more of the selected communication and content; and
      
      determine, based on the policy tag, an applicable policy and/or rule; and
      
      determine, based on the applicable policy and/or rule, a policy measure to be implemented.
  - 12. The system of claim 11, wherein the first node is a first communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises one or more of a persona and/or role of the one or more selected parties and a persona and/or role of the first subscriber, and wherein the persona and/or role is defined by one or more of the following:
    - employer name, user level, user organization, the subscriber'"'"'s business-related electronic addresses, satellite-based physical location coordinates associated with a business location, Web browsed URL'"'"'s corresponding with business interests, times-of-day associated with business time, days-of-week associated with business time, contact lists of business associates, client, supplier, customer, family member name, the first subscriber'"'"'s personal electronic addresses, satellite-based physical location coordinates associated with personal location, Web browsed URL'"'"'s corresponding with personal interests, times-of-day associated with personal time, days-of-week associated with personal time, contact list of friends, hobby supplier, charitable organization, and other volunteer activity.
  - 13. The system of claim 11, wherein the first node is a first communication device, wherein the policy tag comprises a degree of trust of the enterprise network with the one or more selected parties, and wherein the one or more selected parties is no longer trusted upon occurrence of a determined event and/or passage of determined time.
  - 14. The system of claim 11, wherein the first node is a first communication device, wherein the policy agent is in a class driver, and wherein the policy tag comprises one or more of a context of the first subscriber and/or the one or more selected parties and a context of the first communication device of the first subscriber and/or a communication device of the one or more selected parties.
  - 15. The system of claim 11, wherein the first node is a first communication device, wherein the policy agent is in a class driver, and wherein the policy tag comprises one or more of a capability, provisioning, and/or preference of the first communication device of the first subscriber and/or a communication device of the one or more selected parties and an existing policy compliance measure selected by the first subscriber for the one or more of the selected communication and content.
  - 16. The system of claim 11, wherein the first node is a first communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises a venue for the one or more of the selected communication and content to be made accessible to the one or more selected parties, and wherein the venue comprises one of a blog, micro-blog, Really Simple Syndication (“
    - RSS”
      
      ) feed, chat room, social network posting, news aggregator, and private party.
  - 17. The system of claim 11, wherein the policy measure to be implemented comprises one or more of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,implementation of an action to remedy a prior policy or rule violation,block, delay, and/or buffer the one or more of the selected communication and/or content,mark or delete a portion of the one or more of the selected communication and/or content prior to access by one or more other parties,send a notice of policy and/or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by the one or more selected parties,prevent the first subscriber from selecting, such as by dragging and dropping, selected content into a communication,provide read-only access to the one or more of the selected communication and/or content,set a hop restriction on the one or more of the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the one or more of the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.

18. A non-transitory computer readable medium, comprising:
- a machine readable policy tag related to an actual or potential violation of a rule and/or policy by a subscriber of an enterprise network, comprising at least one of the following fields;
  
  a subscriber and/or role persona field defining a persona and/or role of the subscriber at the time of the actual or potential violation;
  
  a nonsubscriber and/or role persona field defining a persona and/or role of a nonsubscriber involved in and at the time of the actual or potential violation;
  
  a degree of trust field defining a degree of trust of the enterprise network and/or the subscriber with a person and/or computational entity having or to have access to a selected communication and/or content associated with the actual or potential violation, the person and/or computational entity being involved in the actual or potential rule violation;
  
  an existing policy and/or rule compliance measure field describing a measure currently in place to comply with the actually or potentially violated rule and/or policy;
  
  a venue field defining a degree of public exposure and/or security of an intended recipient of the selected communication and/or content, the intended recipient being involved in the actual or potential violation;
  
  a context field describing a context of the subscriber and/or other entity having access to the selected communication and/or content;
  
  a content description field describing the selected communication and/or content, the content description describing the content in terms of the rule and/or policy actually or potentially violated;
  
  a policy and/or rule field identifying the policy and/or rule actually or potentially violated; and
  
  a recommendation and/or decision field indicating a recommended action to be taken in response to the actual or potential violation.
- View Dependent Claims (19, 20)
- - 19. The medium of claim 18, wherein the policy tag comprises the degree of trust field, wherein the degree of trust is associated with a defined group of entities, and wherein the group members comprise entities that are not subscribers to or otherwise part of the enterprise network.
  - 20. The medium of claim 18, wherein the policy tag comprises at least one of the existing policy and/or rule compliance measure and recommendation and/or decision fields and wherein the at least one of the existing policy and/or rule compliance measure and recommendation and/or decision fields comprises one or more of the following actions:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,implementation of an action to remedy a prior policy or rule violation,block, delay, and/or buffer the one or more of the selected communication and/or content,mark or delete a portion of the one or more of the selected communication and/or content prior to access by one or more other parties,send a notice of policy and/or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by the one or more selected parties,prevent the first subscriber from selecting, such as by dragging and dropping, selected content into a communication,provide read-only access to the one or more of the selected communication and/or content,set a hop restriction on the one or more of the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the one or more of the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Kennedy, Kevin J.

Granted Patent

US 9,215,236 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

G06F 21/44   Program or device authentic...

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

G06Q 30/02   Marketing; Price estimation...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

SECURE, POLICY-BASED COMMUNICATIONS SECURITY AND FILE SHARING ACROSS MIXED MEDIA, MIXED-COMMUNICATIONS MODALITIES AND EXTENSIBLE TO CLOUD COMPUTING SUCH AS SOA

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE, POLICY-BASED COMMUNICATIONS SECURITY AND FILE SHARING ACROSS MIXED MEDIA, MIXED-COMMUNICATIONS MODALITIES AND EXTENSIBLE TO CLOUD COMPUTING SUCH AS SOA

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links