Method and apparatus for associating data loss protection (DLP) policies with endpoints

US 20120151551A1
Filed: 12/09/2010
Published: 06/14/2012
Est. Priority Date: 12/09/2010
Status: Active Grant

First Claim

Patent Images

1. A method of policy management in a data loss prevention (DLP) system, comprising:

defining a policy model that associates a user with one or more endpoints, the user being associated with at least one role or group;

determining a set of policies for an endpoint in the DLP system using an identity of the user that is associated with the endpoint and a list of roles or groups for the user; and

determining a set of endpoints to which a policy is to be distributed.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of policy management in a Data Loss Prevention (DLP) system uses a policy model that associates a user with one or more DLP endpoints. When an endpoint is added to the system, a set of policies for that endpoint are determined using an identity of the user that is associated with the endpoint and a list of roles or groups for that user. At policy distribution time, the method determines a set of endpoints to which the policy is to be distributed.

Citations

24 Claims

1. A method of policy management in a data loss prevention (DLP) system, comprising:
- defining a policy model that associates a user with one or more endpoints, the user being associated with at least one role or group;
  
  determining a set of policies for an endpoint in the DLP system using an identity of the user that is associated with the endpoint and a list of roles or groups for the user; and
  
  determining a set of endpoints to which a policy is to be distributed.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the set of policies for the endpoint reference each role or group to which the user is associated.
  - 3. The method as described in claim 2 wherein the step of determining the set of policies for the endpoint includes:
    - identifying the user owning or responsible for the endpoint;
      
      retrieving a list of roles or groups for that user; and
      
      defining the set of policies as the policies that reference each role or group to which the user is associated.
  - 4. The method as described in claim 1 wherein the step of determining the set of endpoints to which the policy is to be distributed generates an endpoint set.
  - 5. The method as described in claim 4 wherein the endpoint set for the policy is generated by the following sub-steps:
    - for each role or group that is a target of the policy, identifying each user associated with the role or group;
      
      for each user associated with the role or group, identifying a list of one or more endpoints with which the user is associated; and
      
      adding the one or more endpoints from the list into the endpoint set.
  - 6. The method as described in claim 5 further including generating a policy distribution list that includes the endpoint set associated with one or more policies to be distributed to the endpoints.
  - 7. The method as described in claim 6 further including distributing each policy included in the distribution list to the endpoints identified in its associated endpoint set.

8. Apparatus for policy management in a data loss prevention (DLP) system, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method comprising;
  
  defining a policy model that associates a user with one or more endpoints, the user being associated with at least one role or group;
  
  determining a set of policies for an endpoint in the DLP system using an identity of the user that is associated with the endpoint and a list of roles or groups for the user; and
  
  determining a set of endpoints to which a policy is to be distributed.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the set of policies for the endpoint reference each role or group to which the user is associated.
  - 10. The apparatus as described in claim 9 wherein the step of determining the set of policies for the endpoint includes:
    - identifying the user owning or responsible for the endpoint;
      
      retrieving a list of roles or groups for that user; and
      
      defining the set of policies as the policies that reference each role or group to which the user is associated.
  - 11. The apparatus as described in claim 8 wherein the step of determining the set of endpoints to which the policy is to be distributed generates an endpoint set.
  - 12. The apparatus as described in claim 11 wherein the endpoint set for the policy is generated by the following sub-steps:
    - for each role or group that is a target of the policy, identifying each user associated with the role or group;
      
      for each user associated with the role or group, identifying a list of one or more endpoints with which the user is associated; and
      
      adding the one or more endpoints from the list into the endpoint set.
  - 13. The apparatus as described in claim 12 wherein the method further includes generating a policy distribution list that includes the endpoint set associated with one or more policies to be distributed to the endpoints.
  - 14. The apparatus as described in claim 13 wherein the method further includes distributing each policy included in the distribution list to the endpoints identified in its associated endpoint set.

15. A computer program product in a computer readable medium for policy management in a data loss prevention (DLP) system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising:
- defining a policy model that associates a user with one or more endpoints, the user being associated with at least one role or group;
  
  determining a set of policies for an endpoint in the DLP system using an identity of the user that is associated with the endpoint and a list of roles or groups for the user; and
  
  determining a set of endpoints to which a policy is to be distributed.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15 wherein the set of policies for the endpoint reference each role or group to which the user is associated.
  - 17. The computer program product as described in claim 16 wherein the step of determining the set of policies for the endpoint includes:
    - identifying the user owning or responsible for the endpoint;
      
      retrieving a list of roles or groups for that user; and
      
      defining the set of policies as the policies that reference each role or group to which the user is associated.
  - 18. The computer program product as described in claim 15 wherein the step of determining the set of endpoints to which the policy is to be distributed generates an endpoint set.
  - 19. The computer program product as described in claim 18 wherein the endpoint set for the policy is generated by the following sub-steps:
    - for each role or group that is a target of the policy, identifying each user associated with the role or group;
      
      for each user associated with the role or group, identifying a list of one or more endpoints with which the user is associated; and
      
      adding the one or more endpoints from the list into the endpoint set.
  - 20. The computer program product as described in claim 19 wherein the method further includes generating a policy distribution list that includes the endpoint set associated with one or more policies to be distributed to the endpoints.
  - 21. The computer program product as described in claim 20 wherein the method further includes distributing each policy included in the distribution list to the endpoints identified in its associated endpoint set.

22. A method of policy management in a data loss prevention (DLP) system, comprising:
- in response to creation or modification of a policy, determining which subset of a set of endpoints should receive the policy by the following sub-steps;
  
  for each role or group that is a target of the policy, identifying each user associated with the role or group; and
  
  for each user associated with the role or group, identifying one or more endpoints with which the user is associated; and
  
  distributing the policy to the subset of the set of endpoints identified by the determining step.
- View Dependent Claims (23, 24)
- - 23. The method as described in claim 22 wherein the DLP system includes a policy model that associates a user with one or more endpoints, the user being associated with at least one role or group.
  - 24. The method as described in claim 23 further including determining a set of policies for an endpoint using an identity of the user that is associated with the endpoint and a list of roles or groups for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies Holdings, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Readshaw, Neil Ian, Ramanathan, Jayashree, Bray, Gavin George

Granted Patent

US 9,311,495 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

Method and apparatus for associating data loss protection (DLP) policies with endpoints

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for associating data loss protection (DLP) policies with endpoints

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links