METHOD AND TECHNIQUE FOR APPLICATION AND DEVICE CONTROL IN A VIRTUALIZED ENVIRONMENT

US 20140237537A1
Filed: 02/19/2013
Published: 08/21/2014
Est. Priority Date: 02/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring, by a dedicated security virtual machine (SVM) executing by a computing system, a file open event to access a file by a guest virtual machine (GVM) executing by the computing system;

identifying a source associated with the file open event, wherein the source is at least one of an application or a device being used by the GVM;

enforcing a first response rule associated with the GVM when the source associated with the file open event is a non-approved source per a source control policy; and

enforcing a second response rule associated with the GVM when the file violates a data loss prevention (DLP) policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a source associated with a file open or create event. The source is at least one of an application or a device being used by a guest virtual machine (GVM). The DLP manager enforces a first response rule associated with the GVM when the source is a non-approved source per a source control policy. The DLP manager enforces a second response rule when the file violates a DLP policy.

105 Citations

View as Search Results

20 Claims

1. A method comprising:
- monitoring, by a dedicated security virtual machine (SVM) executing by a computing system, a file open event to access a file by a guest virtual machine (GVM) executing by the computing system;
  
  identifying a source associated with the file open event, wherein the source is at least one of an application or a device being used by the GVM;
  
  enforcing a first response rule associated with the GVM when the source associated with the file open event is a non-approved source per a source control policy; and
  
  enforcing a second response rule associated with the GVM when the file violates a data loss prevention (DLP) policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - determining whether the source control policy exists to restrict access to the identified source to determine if the DLP policy requires monitoring of the source; and
      
      monitoring the source for file system events associated with the file to determine if the file violates the DLP policy.
  - 3. The method of claim 2, wherein the monitoring comprises:
    - identifying a file close event associated with the file open event;
      
      analyzing data associated with the file close event to determine if the data violates the DLP policy; and
      
      executing the second response rule associated with the DLP policy if the data violates the DLP policy.
  - 4. The method of claim 3, further comprising reporting a DLP policy violation when the data violates the DLP policy.
  - 5. The method of claim 1, further comprising:
    - determining if the DLP policy requires monitoring of the source;
      
      storing a copy of the file; and
      
      restoring the copy of the file in the close event if the data violates the DLP policy.
  - 6. The method of claim 1, further comprising installing a DLP user interface in the guest virtual machine configured to notify a user of DLP violations.
  - 7. The method of claim 1, further comprising retrieving a DLP profile associated with the GVM from a profile repository, the DLP profile comprising the source control policy, DLP policy and the second response rule.
  - 8. The method of claim 1, wherein the source control policy is at least one of an application control policy or a device control policy, and wherein the identifying the source comprises determining whether the file open event originates from the application or the device.
  - 9. The method of claim 1, further comprising:
    - determining that the file does not violate the DLP policy; and
      
      caching a result of the determination when the file does not violate the DLP policy, wherein the result is not cached when at least one of the file violates the DLP policy or when the source is a non-approved source.

10. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
- monitoring, by a dedicated security virtual machine (SVM) executing by a computing system, a file open event to access a file by a guest virtual machine (GVM) executing by the computing system;
  
  identifying a source associated with the file open event, wherein the source is at least one of an application or a device being used by the GVM;
  
  enforcing a first response rule associated with the GVM when the source associated with the file open event is a non-approved source per a source control policy; and
  
  enforcing a second response rule associated with the GVM when the file violates a data loss prevention (DLP) policy.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer readable storage medium of claim 10, wherein the operations further comprise:
    - determining whether the source control policy exists to restrict access to the identified source to determine if the DLP policy requires monitoring of the source; and
      
      monitoring the source for file system events associated with the file to determine if the file violates the DLP policy.
  - 12. The computer readable storage medium of claim 11, wherein the monitoring comprises:
    - identifying a file close event associated with the file open event;
      
      analyzing data associated with the file close event to determine if the data violates the DLP policy; and
      
      executing the second response rule associated with the DLP policy if the data violates the DLP policy.
  - 13. The computer readable storage medium of claim 12, wherein the operations further comprise reporting a DLP policy violation when the data violates the DLP policy.
  - 14. The computer readable storage medium of claim 10, wherein the operations further comprise:
    - determining that the file does not violate the DLP policy; and
      
      caching a result of the determination when the file does not violate the DLP policy, wherein the result is not cached when at least one of the file violates the DLP policy or when the source is a non-approved source.

15. A computing apparatus comprising:
- a memory to store instructions for providing a data loss prevention (DLP) manager; and
  
  a computing device, coupled to the memory, wherein the computing device is configured to execute the DLP manager;
  
  monitor, by the DLP manager, a file open event to access a file by a guest virtual machine (GVM) executing by the computing system;
  
  identify a source associated with the file open event, wherein the source is at least one of an application or a device being used by the GVM;
  
  enforce a first response rule associated with the GVM when the source associated with the file open event is a non-approved source per a source control policy; and
  
  enforce a second response rule associated with the GVM when the file violates a data loss prevention (DLP) policy.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computing apparatus of claim 15, wherein the DLP manager is further configured to:
    - determine whether the source control policy exists to restrict access to the identified source to determine if the DLP policy requires monitoring of the source; and
      
      monitor the source for file system events associated with the file to determine if the file violates the DLP policy.
  - 17. The computing apparatus of claim 15, wherein the DLP manager is further configured to:
    - identify a file close event associated with the file open event;
      
      analyze data associated with the file close event to determine if the data violates the DLP policy; and
      
      execute the second response rule associated with the DLP policy if the data violates the DLP policy.
  - 18. The computing apparatus of claim 15, wherein the DLP manager is further configured to retrieve a DLP profile associated with the GVM from a profile repository, the DLP profile comprising the source control policy, DLP policy and the response rule.
  - 19. The computing apparatus of claim 15, wherein the DLP manager is further configured to install a DLP user interface in the guest virtual machine configured to notify a user of DLP violations.
  - 20. The computing apparatus of claim 15, wherein the DLP manager is further configured to report a DLP policy violation when the data violates the DLP policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Manmohan, Sarin Sumit, Jaiswal, Sumesh

Granted Patent

US 9,165,150 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6209   to a single file or object,...

G06F 21/6281   at program execution time, ...

METHOD AND TECHNIQUE FOR APPLICATION AND DEVICE CONTROL IN A VIRTUALIZED ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND TECHNIQUE FOR APPLICATION AND DEVICE CONTROL IN A VIRTUALIZED ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links