Data Protection For Organizations On Computing Devices

US 20140344570A1
Filed: 05/20/2013
Published: 11/20/2014
Est. Priority Date: 05/20/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving, at one or more modules of a computing device, a request to protect data associated with an organization, the request including both an indication of the organization and an indication of the data associated with the organization;

encrypting the data using an encryption key associated with both the computing device and the organization;

returning the encrypted data;

receiving, at the computing device after encrypting the data, a command to revoke the data associated with the organization; and

revoking, in response to the command, the data associated with the organization by deleting a decryption key used to decrypt the encrypted data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application on a device can communicate with organization services. The application accesses a protection system on the device, which encrypts data obtained by the application from an organization service using an encryption key, and includes with the data an indication of a decryption key usable to decrypt the encrypted data. The protection system maintains a record of the encryption and decryption keys associated with the organization. The data can be stored in various locations on at least the device, and can be read by various applications on at least the device. If the organization determines that data of the organization stored on a device is to no longer be accessible on the device (e.g., is to be revoked from the device), a command is communicated to the device to revoke data associated with the organization. In response to this command, the protection system deletes the decryption key.

Citations

20 Claims

1. A method comprising:
- receiving, at one or more modules of a computing device, a request to protect data associated with an organization, the request including both an indication of the organization and an indication of the data associated with the organization;
  
  encrypting the data using an encryption key associated with both the computing device and the organization;
  
  returning the encrypted data;
  
  receiving, at the computing device after encrypting the data, a command to revoke the data associated with the organization; and
  
  revoking, in response to the command, the data associated with the organization by deleting a decryption key used to decrypt the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as recited in claim 1, the returning the encrypted data comprising returning the encrypted data to an application from which both the indication of the organization and the indication of the data associated with the organization were received.
  - 3. A method as recited in claim 1, the data associated with the organization comprising a file.
  - 4. A method as recited in claim 1, the receiving the request comprising receiving the request from an application running on the computing device, the encrypting comprising encrypting the data by the computing device, and the method further comprising maintaining on the computing device an association of the encryption key with the organization.
  - 5. A method as recited in claim 1, further comprising including a file descriptor in metadata associated with the data, the file descriptor identifying the decryption key.
  - 6. A method as recited in claim 1, the encrypting comprising encrypting the data using an encryption key associated with both the computing device and the organization as well as with a user of the computing device, and the revoking comprising deleting the decryption key associated with both the computing device and the organization as well as with the user of the computing device while leaving on the computing device a decryption key associated with both the computing device and organization but a different user of the computing device.
  - 7. A method as recited in claim 1, the encrypting comprising encrypting the data using an encryption key associated with both the computing device and the organization as well as with an application of the computing device, and the revoking comprising deleting the decryption key associated with both the computing device and the organization as well as with the application of the computing device while leaving on the computing device a decryption key associated with both the computing device and organization but a different application of the computing device.
  - 8. A method as recited in claim 7, further comprising:
    - receiving the request from an application running on the computing device; and
      
      revoking the data only in response to a command to revoke the data being provided by the application or by another application to which the ability to revoke data associated with the application has been delegated.
  - 9. A method as recited in claim 1, further comprising receiving the request from an application running on the computing device, and the returning comprising returning the encrypted data in the absence of restrictions on where the application can store the encrypted data.
  - 10. A method as recited in claim 1, the encryption key being associated with a particular one of multiple subsets of data associated with the organization, different subsets of data associated with the organization being encrypted with different encryption keys, the command identifying which one of the multiple subsets of data associated with the organization is to be revoked, and the revoking comprising revoking only the one of the multiple subsets identified by the command.
  - 11. A method as recited in claim 1, further comprising obtaining, after deleting the decryption key, the decryption key from a key generation service that is separate from the computing device.

12. A method comprising:
- receiving, at a computing device, an indication that particular organization data is to no longer be accessible on the computing device, the particular organization data including data having been previously encrypted on the computing device in response to a request from an application on the computing device and in the absence of restrictions on where the application can store the particular organization data;
  
  identifying one or more keys on the computing device that are associated with the particular organization data; and
  
  deleting the identified one or more keys.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. A method as recited in claim 12, the particular organization data comprising organization data associated with a particular user of the computing device.
  - 14. A method as recited in claim 13, the particular organization data further comprising organization data associated with both the particular user of the computing device and the application on the computing device.
  - 15. A method as recited in claim 12, further comprising deleting, after deleting the identified one or more keys and in response to a determination of light system usage in the computing device, the particular organization data.
  - 16. A method as recited in claim 12, the particular organization data comprising all organization data on the computing device.
  - 17. A method as recited in claim 12, the receiving comprising receiving the indication in response to the computing device logging off a network of the organization.
  - 18. A method as recited in claim 12, the organization data including multiple subsets of organization data each being associated with a different one or more keys, the particular organization data being one subset of the multiple subsets of organization data, and the deleting comprising deleting the one or more keys associated with the one subset.
  - 19. A method as recited in claim 12, the particular organization data further including data encrypted on an additional computing device and copied to the computing device, copies of the particular organization data on the additional computing device being also deleted in response to the indication.

20. A computing device comprising:
- an application;
  
  a data store; and
  
  an organization data protection system configured to;
  
  receive a request to protect a file associated with an organization, the request including both an indication of the organization and an indication of the file associated with the organization,encrypt the file using an encryption key associated with both the computing device and the organization, the encryption key being associated with a decryption key that can be used to decrypt the encrypted data,return the encrypted file to the application for storage in the data store, the encrypted file including metadata identifying the decryption key,receive, after encrypting the file, a command to revoke files associated with the organization, andrevoke, in response to the command to revoke files associated with the organization, the file associated with the organization by deleting the decryption key only if the command to revoke the file is received from the application or another application to which the ability to revoke data associated with the application has been delegated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Adam, Preston Derek, Novotney, Peter J., Ide, Nathan J., Basmov, Innokentiy, Ureche, Octavian T., Kannan, Gopinathan, Macaulay, Christopher R., Acharya, Narendra S., Sinha, Saurav, Grass, Michael J.

Application Number

US13/898,368
Publication Number

US 20140344570A1
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/0428   wherein the data content is...

Data Protection For Organizations On Computing Devices

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data Protection For Organizations On Computing Devices

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links