SYSTEM AND METHODS FOR POLICY-BASED ACTIVE DATA LOSS PREVENTION
First Claim
1. A system for active Data Loss Prevention (DLP) comprising:
- One or more policy servers having a set of policy rules or conditions that determine whether a software executable or subroutine, hereafter referred to as an “agent”, is governed by DLP policy and to adjudicate access by the agent to specific data objects; and
- One or more policy enforcement points that detect attempts by an agent to access, create, modify, or distribute data objects, and that query a policy server to determine allowance or denial of such attempts in accordance with policy rules enforced by the policy server.
Abstract
A system and method for policy-based active Data Loss Prevention (DLP) using a two-step process to first determine if an attempt to access a data object is governed by DLP policy, and if so, then applying the DLP policy to either allow or deny access. Attempts by an agent to access, create, modify, or distribute a data object are trapped by a policy execution point. A first query determines if DLP policies govern that access request. If they do, then the metadata is decrypted to form a second query to a policy decision point to adjudicate the access request. If the access request is allowed, then a second key is provided to decrypt the data object for further processing. The system further provides for the encryption of unencrypted data objects to protect them for all future access queries.
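The two-step flow the abstract describes (trap the attempt, first query "is this governed?", decrypt the metadata to form the second query, release the data key only on allow, and encrypt any still-unprotected object on first governed contact) is shown below as an added example. It is not the patent's code or the applicant's implementation: the class names PolicyServer, EnforcementPoint and DataObject, the classification ladder, the rule logic, the per-object key derivation and the HMAC-based toy cipher are all assumptions made for this illustration. The point worth seeing is the key separation: step 1 releases only the metadata key, step 2 releases the data key, and an agent outside policy gets neither.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Optional

# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag), an assumed stand-in for a
# real AEAD such as AES-GCM so the example runs on the standard library alone. Not for reuse.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered object")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

LEVELS = {"public": 0, "internal": 1, "confidential": 2}  # assumed classification ladder

@dataclass
class DataObject:
    object_id: str
    body: bytes                           # plaintext until protected, ciphertext afterwards
    enc_metadata: Optional[bytes] = None  # label encrypted under the metadata key once protected

@dataclass
class PolicyServer:
    """Policy decision point: holds the rules and derives per-object keys (assumed design)."""
    master: bytes
    governed_agents: dict                 # agent_id -> clearance level
    exporters: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _key(self, purpose: str, object_id: str) -> bytes:
        return hmac.new(self.master, f"{purpose}|{object_id}".encode(), hashlib.sha256).digest()

    def query_governed(self, agent_id: str, object_id: str) -> Optional[bytes]:
        """Step 1: is this agent under DLP policy? If so, release the metadata key only."""
        return self._key("meta", object_id) if agent_id in self.governed_agents else None

    def adjudicate(self, agent_id: str, action: str, object_id: str, meta: dict) -> Optional[bytes]:
        """Step 2: decide on the decrypted label; release the data key only on allow."""
        needed = LEVELS[meta["classification"]]
        allowed = LEVELS[self.governed_agents[agent_id]] >= needed
        if action == "distribute" and needed > LEVELS["public"]:
            allowed = allowed and agent_id in self.exporters
        self.log.append((agent_id, action, object_id, "allow" if allowed else "deny"))
        return self._key("data", object_id) if allowed else None

@dataclass
class EnforcementPoint:
    pdp: PolicyServer

    def intercept(self, agent_id, action, obj: DataObject, label: Optional[dict] = None) -> Optional[bytes]:
        """Trap an attempt; return the plaintext body on allow, raise PermissionError on deny."""
        k_meta = self.pdp.query_governed(agent_id, obj.object_id)
        if k_meta is None:                    # not governed: no policy applies, but no keys either
            return obj.body if obj.enc_metadata is None else None
        unprotected = obj.enc_metadata is None
        if unprotected and label is None:
            raise PermissionError(f"{obj.object_id}: governed object needs a classification label")
        if not unprotected:
            label = json.loads(unseal(k_meta, obj.enc_metadata))
        k_data = self.pdp.adjudicate(agent_id, action, obj.object_id, label)
        if k_data is None:
            raise PermissionError(f"{action} on {obj.object_id} denied for {agent_id}")
        if unprotected:                       # first governed touch: encrypt label and body
            plaintext, obj.enc_metadata = obj.body, seal(k_meta, json.dumps(label).encode())
            obj.body = seal(k_data, plaintext)
            return plaintext
        return unseal(k_data, obj.body)

def demo() -> dict:
    """Constructed scenario (sample data, not from the patent): two documents, three agents."""
    pdp = PolicyServer(master=os.urandom(32), governed_agents={"alice": "confidential", "bob": "internal"}, exporters={"alice"})
    pep = EnforcementPoint(pdp)
    deck, memo = DataObject("doc-42", b"Q3 board deck"), DataObject("memo-7", b"team memo")
    r = {}
    r["create"] = pep.intercept("alice", "create", deck, {"classification": "confidential"})
    r["protected"] = deck.enc_metadata is not None and deck.body != b"Q3 board deck"
    r["alice_read"] = pep.intercept("alice", "access", deck)
    r["mallory_read"] = pep.intercept("mallory", "access", deck)  # ungoverned agent: nothing usable
    pep.intercept("bob", "create", memo, {"classification": "internal"})
    for who, action, obj in [("bob", "access", deck), ("bob", "distribute", memo), ("alice", "distribute", memo)]:
        try:
            r[f"{who}_{action}_{obj.object_id}"] = pep.intercept(who, action, obj)
        except PermissionError:
            r[f"{who}_{action}_{obj.object_id}"] = "deny"
    r["log"] = list(pdp.log)
    return r
```

Running demo() walks the abstract end to end: alice's "create" is the first governed touch, so the deck is encrypted in place and every later attempt, including bob's, must pass both queries; bob can read the internal memo he created but cannot distribute it without the exporter rule, and mallory, who is outside policy, is handed ciphertext he holds no key for. In a real deployment the policy server's master secret and key release would sit behind an authenticated channel and an HSM or KMS rather than in-process derivation, and the toy cipher would be replaced by a standard AEAD.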
13 Claims
1. A system for active Data Loss Prevention (DLP) comprising:
- One or more policy servers having a set of policy rules or conditions that determine whether a software executable or subroutine, hereafter referred to as an “agent”, is governed by DLP policy and to adjudicate access by the agent to specific data objects; and
- One or more policy enforcement points that detect attempts by an agent to access, create, modify, or distribute data objects, and that query a policy server to determine allowance or denial of such attempts in accordance with policy rules enforced by the policy server.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)

9. A method for active Data Loss Prevention (DLP) comprising the steps of:
- intercepting attempts by an agent to access, create, modify or distribute data objects;
- querying a policy server to determine if that data object is governed by DLP policy;
- adjudicating allowance or denial of access by the agent to the data object for data objects that are governed by DLP policy.
(Dependent claims: 10, 11, 12, 13)
Specification