DISTRIBUTED BIG DATA SECURITY ARCHITECTURE

US 20170091477A1
Filed: 09/26/2016
Published: 03/30/2017
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A system of a resource management platform, comprising:

one or more processors;

memory coupled to the one or more processors, the memory including one or more modules that are executable by the one or more processors to;

receive a message that includes a request from a subject to access a set of data items associated with a secure data container;

identify a set of permissions associated with the subject based at least in part on the message, the message including a set of access permissions that authorize the subject to access the set of data items having a first data sensitivity rating;

determine that the subject is authorized to access the secure data container based on a comparison of the set of access permissions and a second data sensitivity rating associated with the secure data container; and

establish a secure data corridor between the subject and the secure data container, the secure data corridor having a third data sensitivity rating that is based at least in part on the first data sensitivity rating and the second data sensitivity rating.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure describes techniques for defining security measures of a secure data corridor that enables data feeds to transmit from an ingress point to an egress point, while maintaining a desired security protection. This disclosure further describes techniques to quantify the desired security protection by determining and further associating a data sensitivity rating with individual data feeds in transmit through the secure data corridor. In some examples, the data sensitivity rating of the secure data corridor may be locked at a default rating that is commensurate with access permissions of a subject or a data sensitivity rating of an adjoining secure data container. Alternatively, the data sensitivity rating may be dynamically set based on data feeds transmitting through the secure data corridor or set based on the data sensitivity rating of data feeds at an ingress point or egress point of the secure data corridor.

22 Citations

View as Search Results

20 Claims

1. A system of a resource management platform, comprising:
- one or more processors;
  
  memory coupled to the one or more processors, the memory including one or more modules that are executable by the one or more processors to;
  
  receive a message that includes a request from a subject to access a set of data items associated with a secure data container;
  
  identify a set of permissions associated with the subject based at least in part on the message, the message including a set of access permissions that authorize the subject to access the set of data items having a first data sensitivity rating;
  
  determine that the subject is authorized to access the secure data container based on a comparison of the set of access permissions and a second data sensitivity rating associated with the secure data container; and
  
  establish a secure data corridor between the subject and the secure data container, the secure data corridor having a third data sensitivity rating that is based at least in part on the first data sensitivity rating and the second data sensitivity rating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the secure data corridor corresponds to a link layer, a network layer, a transport layer, or an application layer of a transmission control protocol (TCP) and internet protocol (IP).
  - 3. The system of claim 1, wherein the secure data container corresponds to a first secure data container, and wherein the subject corresponds to a second secure data container.
  - 4. The system of claim 1, wherein the first data sensitivity rating is more sensitive than the second data sensitivity rating, and wherein the second data sensitivity rating is a minimum threshold of data sensitivity to authorize the subject to access the set of data items.
  - 5. The system of claim 1, wherein to establish the secure data corridor between the subject and the secure data container is performed by a scheduler that provides a policy access control point for transmitting the set of data items between an ingress point and an egress point.
  - 6. The system of claim 1, wherein the set of data items is a first set of data items and the message is a first message, wherein the first message further includes a request for ingress of a second set of data items into the secure data container, and wherein the one or more modules are further executable by the one or more processors to:
    - determine an additional data sensitivity rating associated with the second set of data items;
      
      determine that the additional data sensitivity rating is more sensitive in comparison to the second data sensitivity rating of the secure data container, the second data sensitivity rating being a maximum threshold of sensitivity for ingress of the second set of data items into the secure data container; and
      
      dynamically set the third data sensitivity rating of the secure data corridor to be substantially equivalent to the additional data sensitivity rating.
  - 7. The system of claim 1, wherein the set of data items is a first set of data items and the message is a first message, wherein the first message further includes a request for ingress of a second set of data items into the secure data container, and wherein the one or more modules are further executable by the one or more processors to:
    - determine an additional data sensitivity rating associated with the second set of data items;
      
      determine that the additional data sensitivity rating is more sensitive in comparison to the second data sensitivity rating of the secure data container, the second data sensitivity rating being a maximum threshold of sensitivity for ingress of the second set of data items into the secure data container;
      
      determine that the third data sensitivity rating of the secure data corridor is locked; and
      
      transmit a second message to the subject indicating that the second set of data items cannot securely transmit through the secure data corridor.
  - 8. The system of claim 1, wherein the second data sensitivity rating associated with the secure data corridor is dynamically set to be at least substantially similar to the first data sensitivity rating associated with the secure data container.
  - 9. The system of claim 1, wherein the second data sensitivity rating associated with the secure data corridor is based at least in part on individual control parameters associated with individual data feeds at an ingress point or an egress point of the secure data corridor, the individual control parameters including at least one of an explicit read provision, an explicit write provision, an explicit import provision, or explicit export provision.
  - 10. The system of claim 9, wherein the individual control parameters are initially assigned to one or more data objects, wherein individual data objects of the one or more data objects are linked to one or more data elements, and the one or more data elements being further linked to the individual data feeds via a diagraph of connectivity.
  - 11. The system of claim 1, wherein the set of data items is a first set of data items, and wherein the one or more modules are further executable by the one or more processors to:
    - determine that the first data sensitivity rating associated with the subject is less sensitive in comparison to the second data sensitivity rating associated with the secure data container;
      
      determine that the subject is unauthorized to read data items within the secure data container, based at least in part on the first data sensitivity rating and the second data sensitivity rating; and
      
      configure the secure data corridor to prevent the secure data corridor from transmitting the first set of data items from the secure data container to the subject.
  - 12. The system of claim 1, wherein the set of data items is a first set of data items and the message is a first message, wherein the first message further includes a request for ingress of a second set of data items to the secure data container, and wherein the one or more modules are further executable by the one or more processors to:
    - determine that the first data sensitivity rating associated with the subject is less sensitive in comparison to the second data sensitivity rating associated with the secure data container;
      
      determine that the subject is authorized to write data items to the secure data container, based at least in part on comparing the first data sensitivity rating and the second data sensitivity rating; and
      
      configure the secure data corridor to transmit the second set of data items from the subject to the secure data corridor.

13. A computer-implemented method, comprising:
- under control of one or more processors;
  
  receiving a request to from a subject to access a set of data items associated with a use case, the use case being associated with a secure data container;
  
  determining that the subject is authorized to access the set of data items, based at least in part on access privileges of the subject and a first data sensitivity rating associated with the use case; and
  
  establishing a secure data corridor between the subject and the secure data container, the secure data corridor having a second data sensitivity rating that is at least substantially similar to the first data sensitivity rating.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer-implemented method of claim 13, further comprising:
    - determining, via a scheduling algorithm, the second data sensitivity rating based at least in part on the first data sensitivity rating associated with the use case;
      
      identifying control parameters associated with individual data items of the set of data items;
      
      determining individual data sensitivity ratings for the individual data items, based at least in part on the control parameters;
      
      determining that the individual data sensitivity ratings of a portion of the individual data items are at least substantially similar to the second data sensitivity rating of the secure data corridor, based at least in part on the control parameters associated with the portion of the individual data items; and
      
      causing, the portion of the individual data items to transmit through the secure data corridor based at least in part on the individual data sensitivity ratings.
  - 15. The computer-implemented method of claim 14, wherein the portion of the individual data items is a first portion of the individual data items, and further comprising:
    - determining that the individual data sensitivity ratings of a second portion of the individual data items are greater than the second data sensitivity rating of the secure data corridor; and
      
      dynamically setting the second data sensitivity rating of the secure data corridor to be at least substantially similar to the individual data sensitivity ratings of the second portion of the individual data items.
  - 16. The computer-implemented method of claim 14, wherein the portion of the individual data items is a first portion of the individual data items, and further comprising:
    - determining that the individual data sensitivity ratings of a second portion of the individual data items is more sensitive than the second data sensitivity rating of the secure data corridor, the second data sensitivity rating being a maximum threshold of sensitivity for transmission of data items through the secure data corridor; and
      
      transmitting an indication to the subject indicating that content of the second portion of the individual data items cannot be securely transmitted through the secure data corridor.
  - 17. The computer-implemented method of claim 13, wherein the second data sensitivity rating associated with the secure data corridor is locked.

18. One or more non-transitory computer-readable media storing computer-executable instructions, that when executed on one or more processors, causes the one or more processors to perform acts comprising:
- receiving a request from a subject to access data feeds associated with a use case, the use case having a first data sensitivity rating;
  
  determining that the subject is authorized to access data items associated with the use case; and
  
  establishing, via a scheduling algorithm, a secure data corridor between the subject and a secure data container associated with the use case, the secure data corridor having a second data sensitivity rating that is greater than or equal to the first data sensitivity rating.
- View Dependent Claims (19, 20)
- - 19. The one or more non-transitory computer-readable media of claim 18, further comprising:
    - generating a security label for individual data feeds that associate the individual data feeds with corresponding data elements, corresponding data objects, and assigned control parameters;
      
      generating a linkage map-set of the individual data feeds that include a plurality of entries, wherein individual entries of the plurality of entries correspond to the security labels of the individual data feeds; and
      
      auditing a data sensitivity of the individual data feeds being transmitted through the secure data corridor, the data sensitivity being based at least in part on security labels within the linkage map-set.
  - 20. The one or more non-transitory computer-readable media of claim 19, wherein an assigned control parameter of the assigned control parameters corresponds to a particular data sensitivity rating, the assigned control parameter further comprising of a permission lattice of an explicit read provision, an explicit write provision, an explicit import provision, and an explicit export provision that corresponds to the particular data sensitivity rating relative to other data sensitivity ratings.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile USA, Inc. (Deutsche Telekom AG)
Original Assignee
T-Mobile USA, Inc. (Deutsche Telekom AG)
Inventors
Peppe, Brett C., Reith, Gregory C.

Granted Patent

US 10,747,895 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/102   Entity profiles

DISTRIBUTED BIG DATA SECURITY ARCHITECTURE

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED BIG DATA SECURITY ARCHITECTURE

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links