Data Protection For Organizations On Computing Devices
Abstract
An application on a device can communicate with organization services. The application accesses a protection system on the device, which encrypts data obtained by the application from an organization service using an encryption key, and includes with the data an indication of a decryption key usable to decrypt the encrypted data. The protection system maintains a record of the encryption and decryption keys associated with the organization. The data can be stored in various locations on at least the device, and can be read by various applications on at least the device. If the organization determines that data of the organization stored on a device is to no longer be accessible on the device (e.g., is to be revoked from the device), a command is communicated to the device to revoke data associated with the organization. In response to this command, the protection system deletes the decryption key.
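The mechanism described in the abstract, as an added sketch that is not taken from the patent or from any product: one `ProtectionSystem` instance models one device, the class and method names are hypothetical, and the organization names in the test data are constructed. An HMAC-SHA256 keystream with encrypt-then-MAC stands in for a real authenticated cipher such as AES-GCM so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

def _subkey(key, label):
    # Separate encryption and MAC keys derived from one organization key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as a keystream.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class ProtectionSystem:
    """Hypothetical model of the protection system in the abstract."""

    def __init__(self):
        self._keys = {}  # key_id -> (organization, key): the per-organization key record

    def protect(self, org, data):
        key_id = next((k for k, (o, _) in self._keys.items() if o == org), None)
        if key_id is None:  # first request for this organization on this device
            key_id = secrets.token_hex(8)
            self._keys[key_id] = (org, secrets.token_bytes(32))
        key = self._keys[key_id][1]
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(_subkey(key, b"enc"), nonce, data)
        tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        # The blob carries the key indication, so it can be stored or copied anywhere.
        return {"key_id": key_id, "nonce": nonce, "ct": ct, "tag": tag}

    def unprotect(self, blob):
        if blob["key_id"] not in self._keys:
            raise KeyError("decryption key revoked or unknown")
        key = self._keys[blob["key_id"]][1]
        want = hmac.new(_subkey(key, b"mac"), blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(want, blob["tag"]):
            raise ValueError("ciphertext or metadata was modified")
        return _xor_stream(_subkey(key, b"enc"), blob["nonce"], blob["ct"])

    def revoke(self, org):
        # Deleting the key revokes every copy of the data, wherever it was stored.
        doomed = [k for k, (o, _) in self._keys.items() if o == org]
        for k in doomed:
            del self._keys[k]
        return len(doomed)
```

Revocation of this kind is only as strong as the key deletion itself: any backup, escrow or exported copy of the key keeps the organization's data readable.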
20 Claims
1. A method comprising:
- receiving, at one or more modules of a computing device, a request to protect data associated with an organization, the request including both an indication of the organization and an indication of the data associated with the organization;
- encrypting the data using an encryption key associated with both the computing device and the organization;
- returning the encrypted data;
- receiving, at the computing device after encrypting the data, a command to revoke the data associated with the organization; and
- revoking, in response to the command, the data associated with the organization by deleting a decryption key used to decrypt the encrypted data.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A method comprising:
- receiving, at a computing device, an indication that particular organization data is to no longer be accessible on the computing device, the particular organization data including data having been previously encrypted on the computing device in response to a request from an application on the computing device and in the absence of restrictions on where the application can store the particular organization data;
- identifying one or more keys on the computing device that are associated with the particular organization data; and
- deleting the identified one or more keys.
Dependent claims: 13, 14, 15, 16, 17, 18, 19
20. A computing device comprising:
- an application;
- a data store; and
- an organization data protection system configured to:
  - receive a request to protect a file associated with an organization, the request including both an indication of the organization and an indication of the file associated with the organization,
  - encrypt the file using an encryption key associated with both the computing device and the organization, the encryption key being associated with a decryption key that can be used to decrypt the encrypted data,
  - return the encrypted file to the application for storage in the data store, the encrypted file including metadata identifying the decryption key,
  - receive, after encrypting the file, a command to revoke files associated with the organization, and
  - revoke, in response to the command to revoke files associated with the organization, the file associated with the organization by deleting the decryption key only if the command to revoke the file is received from the application or another application to which the ability to revoke data associated with the application has been delegated.
Specification