Differential Encryption Utilizing Trust Modes

US 20120266218A1
Filed: 06/15/2012
Published: 10/18/2012
Est. Priority Date: 04/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method of data security comprising:

generating a plurality of trust modes, each trust mode associated with data stored at a security device and defining one or more data access requirements to access data stored at the security device, wherein each data access requirement is specific to at least one of a user or a user device;

receiving a request from a user device to access data stored at the security device;

implementing at the security device one or more of the trust modes based on the data access request;

for each data access requirement defined by the implemented one or more trust modes, determining whether the user or the user device satisfies the data access requirement; and

granting the user permission to access to the requested data via the user device responsive to a determination that the user or the user device satisfies each of the access requirements.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for data protection across connected, disconnected, attended, and unattended environments. Embodiments of the inventions may include differential encryption based on network connectivity, attended/unattended status, or a combination thereof. Additional embodiments of the invention incorporate “trust windows” that provide granular and flexible data access as function of the parameters under which sensitive data is accessed. Further embodiments refine the trust windows concept by incorporating dynamic intrusion detection techniques.

65 Citations

View as Search Results

21 Claims

1. A method of data security comprising:
- generating a plurality of trust modes, each trust mode associated with data stored at a security device and defining one or more data access requirements to access data stored at the security device, wherein each data access requirement is specific to at least one of a user or a user device;
  
  receiving a request from a user device to access data stored at the security device;
  
  implementing at the security device one or more of the trust modes based on the data access request;
  
  for each data access requirement defined by the implemented one or more trust modes, determining whether the user or the user device satisfies the data access requirement; and
  
  granting the user permission to access to the requested data via the user device responsive to a determination that the user or the user device satisfies each of the access requirements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the data stored at a security device comprises one of:
    - one or more files, one or more directories, one or more servers, and an entire file system at the security device.
  - 3. The method of claim 1, wherein at least one trust mode is implemented based on a network connection status between the user and the security device.
  - 4. The method of claim 3, wherein implementing one or more of the trust modes at the security device further comprises:
    - responsive to the user being connected to the security device, implementing a first trust mode having first data access requirements;
      
      responsive to the user not being connected to the security device, implementing a second trust mode having second data access requirements, wherein the second data access requirements are more restrictive than the first data access requirements.
  - 5. The method of claim 1, wherein implementing one or more of the trust modes at the security device further comprises:
    - determining whether the user has one or more security violations associated with access to the security device;
      
      responsive to the user having one or more security violations associated with access to the security device, implementing a first trust mode having first data access requirements; and
      
      responsive to the user not having one or more security violations associated with access to the security device, implementing a second trust mode having second data access requirements, wherein the second data access requirements are more restrictive than the first data access requirements.
  - 6. The method of claim 1, wherein at least one trust mode is implemented based on the identity of the user.
  - 7. The method of claim 1, wherein at least one data access requirement defined by a trust mode comprises a requirement that a user possess one or more encryption keys used to encrypt data stored at the security device.
  - 8. The method of claim 1, wherein at least one data access requirement defined by a trust mode comprises a requirement that a user use one or more encryption keys to encrypt accessed data for subsequent storage at the security device.
  - 9. The method of claim 1, wherein at least one data access requirement defined by a trust mode comprises a limitation on a maximum volume of data that can accessed by a user, and wherein implementing the trust mode comprises limiting the volume of the data accessed by a user to the defined maximum volume.
  - 10. The method of claim 1, wherein at least one data access requirement defined by a trust mode comprises a limitation on a maximum data access rate for a user, and wherein implementing the trust mode comprises limiting a user'"'"'s data access rate to the defined maximum data access rate.
  - 11. The method of claim 1, wherein each of a plurality of subsets of the data stored at the security device are marked to identify one or more trust modes that must be implemented with respect to the subset of data before the subset of data can be accessed.
  - 12. The method of claim 11, wherein the subsets of data are marked using one of:
    - file attribute flags, naming convections, or a list or database listing marked subsets of data.
  - 13. The method of claim 1, further comprising:
    - marking one or more subsets of the data stored at the security device determined to be sensitive; and
      
      responsive to an attempt to access a marked subset of the data, automatically performing an intrusion detection to determined if an attempted intrusion is taking place.

14. A non-transitory computer-readable storage medium having executable computer program instructions embodied therein for data security, the computer program instructions configured to, when executed, cause a computer to:
- generate a plurality of trust modes, each trust mode associated with data stored at a security device and defining one or more data access requirements to access data stored at the security device, wherein each data access requirement is specific to at least one of a user or a user device;
  
  receive a request from a user device to access data stored at the security device;
  
  implement at the security device one or more of the trust modes based on the data access request;
  
  for each data access requirement defined by the implemented one or more trust modes, determine whether the user or the user device satisfies the data access requirement; and
  
  grant the user permission to access to the requested data via the user device responsive to a determination that the user or the user device satisfies each of the access requirements.
- View Dependent Claims (15, 16, 17)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein each of a plurality of subsets of the data stored at the security device are marked to identify one or more trust modes that must be implemented with respect to the subset of data before the subset data can be accessed.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the subsets of data are marked using one of:
    - file attribute flags, naming convections, or a list or database listing marked subsets of data.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the computer program instructions, when executed, further cause the computer to:
    - mark one or more subsets of the data stored at the security device determined to be sensitive; and
      
      responsive to an attempt to access a marked subset of the data, automatically perform an intrusion detection to determined if an attempted intrusion is taking place.

18. A computer system for data security, the system comprising:
- a computer processor; and
  
  a non-transitory computer-readable storage medium storing executable computer program instructions configured to, when executed by the processor, cause the computer system to;
  
  generate a plurality of trust modes, each trust mode associated with data stored at a security device and defining one or more data access requirements to access data stored at the security device, wherein each data access requirement is specific to at least one of a user or a user device;
  
  receive a request from a user device to access data stored at the security device;
  
  implement at the security device one or more of the trust modes based on the data access request;
  
  for each data access requirement defined by the implemented one or more trust modes, determine whether the user or the user device satisfies the data access requirement; and
  
  grant the user permission to access to the requested data via the user device responsive to a determination that the user or the user device satisfies each of the access requirements.
- View Dependent Claims (19, 20, 21)
- - 19. The computer system of claim 18, wherein each of a plurality of subsets of the data stored at the security device are marked to identify one or more trust modes that must be implemented with respect to the subset of data before the subset data can be accessed.
  - 20. The computer system of claim 19, wherein the subsets of data are marked using one of:
    - file attribute flags, naming convections, or a list or database listing marked subsets of data.
  - 21. The computer system of claim 18, wherein the computer program instructions, when executed, further cause the computer system to:
    - mark one or more subsets of the data stored at the security device determined to be sensitive; and
      
      responsive to an attempt to access a marked subset of the data, automatically perform an intrusion detection to determined if an attempted intrusion is taking place.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Mattsson, Ulf

Granted Patent

US 8,769,272 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3829   involving key management

G06Q 20/4012   Verifying personal identifi...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 9/00   Cryptographic mechanisms or...

H04L 9/32   including means for verifyi...

Differential Encryption Utilizing Trust Modes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Differential Encryption Utilizing Trust Modes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links