FLEXIBLE SECURITY BOUNDARIES IN AN ENTERPRISE NETWORK

US 20110209195A1
Filed: 02/18/2011
Published: 08/25/2011
Est. Priority Date: 02/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a node in an enterprise network, at least one of a request to send a selected communication and/or content and a provide a nonsubscriber with access to the selected communication and/or content, the selected communication and/or content comprising sensitive information to an enterprise corresponding to the enterprise network;

determining, by the node, that the nonsubscriber is a member of a trusted group, the trusted group comprising, as members, at least one subscriber and at least one nonsubscriber and each member of the trusted group being trusted by the enterprise; and

in response to the nonsubscriber being a member of the trusted group, the node at least one of sending the selected communication and/or content and providing the nonsubscriber access to the selected communication and/or content.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers.

86 Citations

View as Search Results

22 Claims

1. A method, comprising:
- receiving, by a node in an enterprise network, at least one of a request to send a selected communication and/or content and a provide a nonsubscriber with access to the selected communication and/or content, the selected communication and/or content comprising sensitive information to an enterprise corresponding to the enterprise network;
  
  determining, by the node, that the nonsubscriber is a member of a trusted group, the trusted group comprising, as members, at least one subscriber and at least one nonsubscriber and each member of the trusted group being trusted by the enterprise; and
  
  in response to the nonsubscriber being a member of the trusted group, the node at least one of sending the selected communication and/or content and providing the nonsubscriber access to the selected communication and/or content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein at least one of the subscriber and nonsubscriber is a member of multiple trusted groups recognized by the enterprise network and wherein at least two of the trusted groups have differing levels of authorization to access differing bodies of enterprise sensitive information.
  - 3. The method of claim 1, wherein a computational component in the enterprise network forms trusted groups based on one or more of authoritative and/or trusted input from a firewall, authoritative and/or trusted input from a gateway, a virtual private network definition and/or configuration, an electronic directory for phone numbers, an electronic directory for email, an electronic enterprise directory, authoritative and/or trusted input from a back office application, an enterprise personnel record, an enterprise payroll system, a security credential from an internal and/or enterprise network source, an identity server, a white list, a black list, an access control list, and an administrative setting.
  - 4. The method of claim 1, wherein the trusted group corresponds to one or more of a business organization, a project team, a board, a panel, a task group, a business team, and a business group and wherein each member of the trusted group has a respective degree of trust rating defined by the enterprise and wherein at least two members of the trusted group have differing respective degree of trust ratings.
  - 5. The method of claim 1, wherein a selected member of the trusted group other than the subscriber and nonsubscriber is not privileged to receive and/or access at least a portion of the selected communication and/or content and further comprising:
    - restricting the selected member of the trusted group from receiving and/or accessing the at least a portion of the selected communication and/or content.
  - 6. The method of claim 1, wherein the trusted group is no longer recognized after at least one of (a) occurrence of a predetermined event adversely impacting a degree of trust between the enterprise and nonsubscriber and (b) passage of a determined period of time.
  - 7. The method of claim 6, wherein a security mechanism is at least one of deleted, disabled, and denied permission to execute in response to the at least one of occurrence of a predetermined event and passage of a determined period of time.
  - 8. The method of claim 1, further comprising:
    - analyzing, by a policy agent corresponding to a first node of the enterprise network and first subscriber, at least one of the selected communication and/or content to identify a behavioral instance potentially relevant to a policy and/or rule;
      
      notifying, by the policy agent, a policy enforcement server of the identified determined behavioral instance; and
      
      receiving, by the policy agent and from the policy enforcement server, a policy measure to be implemented; and
      
      implementing, by the policy agent, the received policy measure.
  - 9. The method of claim 8, wherein the policy measure to be implemented comprises one or more of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,implementation of an action to remedy a prior policy or rule violation,block, delay, and/or buffer the one or more of the selected communication and/or content,mark or delete a portion of the one or more of the selected communication and/or content prior to access by one or more other parties,send a notice of policy and/or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by the one or more selected parties,prevent the subscriber from selecting, such as by dragging and dropping, selected content into a communication,provide read-only access to the one or more of the selected communication and/or content,set a hop restriction on the one or more of the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the one or more of the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.
  - 10. A non-transitory computer readable medium comprising processor executable instructions to perform the determining, notifying and applying steps of claim 1.

11. A system, comprising:
- a policy agent, in an enterprise network, operable to;
  
  receive at least one of a request to send a selected communication and/or content and a provide a nonsubscriber with access to the selected communication and/or content, the selected communication and/or content comprising sensitive information to an enterprise corresponding to the enterprise network;
  
  determine that the nonsubscriber is a member of a trusted group, the trusted group comprising, as members, at least one subscriber and at least one nonsubscriber and each member of the trusted group being trusted by the enterprise; and
  
  in response to the nonsubscriber being a member of the trusted group, at least one of send the selected communication and/or content and provide the nonsubscriber access to the selected communication and/or content.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein at least one of the subscriber and nonsubscriber is a member of multiple trusted groups recognized by the enterprise network and wherein at least two of the trusted groups have differing levels of authorization to access differing bodies of enterprise sensitive information.
  - 13. The system of claim 11, wherein a computational component in the enterprise network forms trusted groups based on one or more of authoritative and/or trusted input from a firewall, authoritative and/or trusted input from a gateway, a virtual private network definition and/or configuration, an electronic directory for phone numbers, an electronic directory for email, an electronic enterprise directory, authoritative and/or trusted input from a back office application, an enterprise personnel record, an enterprise payroll system, a security credential from an internal and/or enterprise network source, an identity server, a white list, a black list, an access control list, and an administrative setting.
  - 14. The system of claim 11, wherein each member of the trusted group has a respective degree of trust rating defined by the enterprise and wherein at least two members of the trusted group have differing respective degree of trust ratings and wherein the trusted group corresponds to one or more of a business organization, a project team, a board, a panel, a task group, a business team, and a business group.
  - 15. The system of claim 11, wherein a selected member of the trusted group other than the subscriber and nonsubscriber is not privileged to receive and/or access at least a portion of the selected communication and/or content and further comprising the operation:
    - restrict the selected member of the trusted group from receiving and/or accessing the at least a portion of the selected communication and/or content.
  - 16. The system of claim 11, wherein the trusted group is no longer recognized after at least one of (a) occurrence of a predetermined event adversely impacting a degree of trust between the enterprise and nonsubscriber and (b) passage of a determined period of time.
  - 17. The system of claim 16, wherein a security mechanism is at least one of deleted, disabled, and denied permission to execute in response to the at least one of occurrence of a predetermined event and passage of a determined period of time.
  - 18. The system of claim 11, further comprising a policy agent, in a node of the enterprise network, operable to:
    - analyze at least one of the selected communication and/or content to identify a behavioral instance potentially relevant to a policy and/or rule;
      
      notify a policy enforcement server of the identified determined behavioral instance; and
      
      receive, from the policy enforcement server, a policy measure to be implemented; and
      
      implement the received policy measure.
  - 19. The system of claim 18, wherein the policy measure to be implemented comprises one or more of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,implementation of an action to remedy a prior policy or rule violation,block, delay, and/or buffer the one or more of the selected communication and/or content,mark or delete a portion of the one or more of the selected communication and/or content prior to access by one or more other parties,send a notice of policy and/or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by the one or more selected parties,prevent the subscriber from selecting, such as by dragging and dropping, selected content into a communication,provide read-only access to the one or more of the selected communication and/or content,set a hop restriction on the one or more of the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the one or more of the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.

20. A method, comprising:
- determining, by at least one of a policy agent and policy enforcement server, that a selected stimulus has occurred, the stimulus being one or more of a passage of a selected time interval and an event relevant to a degree of trust between an enterprise and a nonsubscriber, the degree of trust controlling whether the nonsubscriber has access to a selected communication and/or content, the selected communication and/or content comprising sensitive information to an enterprise corresponding to the enterprise network; and
  
  in response to the determined stimulus, changing, by at least one of a policy agent and policy enforcement server, the degree of trust of the nonsubscriber such that the nonsubscriber at least one of (i) the nonsubscriber, as a result of the changed degree of trust, is authorized to access the selected communication and/or content and (ii) the nonsubscriber, as a result of the changed degree of trust, is now authorized to access the selected communication and/or content.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, wherein the policy agent inspects a plurality of emails, instant messages, live voice communications, voice messages, electronic documents, and Web browsing sessions and wherein the policy agent generates a policy tag associated with the at least one of a selected communication and content, the policy tag comprising information relevant to a potential policy and/or rule violation.
  - 22. The node of claim 21, wherein the policy agent further implements a policy measure to address an actual or potential policy or rule violation and wherein the policy measure comprises at least one of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,block, delay, and/or buffer the one or more of the selected communication and/or content,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by one or more selected parties,prevent a subscriber from selecting the one or more of the selected content into a communication,provide read-only access to the one or more of the selected communication and/or content,set a hop restriction on the one or more of the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the one or more of the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different selected parties based on a respective degree of trust or privilege of each party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Kennedy, Kevin J.

Granted Patent

US 8,607,325 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

G06F 21/44   Program or device authentic...

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

G06Q 30/02   Marketing; Price estimation...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

FLEXIBLE SECURITY BOUNDARIES IN AN ENTERPRISE NETWORK

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

FLEXIBLE SECURITY BOUNDARIES IN AN ENTERPRISE NETWORK

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links