Protecting Information Using Policies and Encryption

US 20170142092A1
Filed: 01/31/2017
Published: 05/18/2017
Est. Priority Date: 04/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing a document management system managing a plurality of documents wherein the document management system comprises clients and servers;

at a first client, executing a first policy enforcer program, wherein the first policy enforcer program comprises a interceptor code component and a policy engine code component, the interceptor code component resides within an operating system layer executing on the first client, and the policy engine code component is outside of the operating system layer;

at the first client, intercepting by the interceptor code component of the first policy enforcer program a request by an application that is attempting to transfer a selected document, managed by the document management system, to a second client;

after the interceptor code component intercepts the transfer request, not allowing the application to transfer the selected document to the second client, and using the policy engine code component of the first policy enforcer program, evaluating at least one policy associated with the selected document;

as a result of the evaluating, determining that the transfer request is allowed, and encrypting the selected document; and

allowing the application to transfer the encrypted selected document to the second client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique and system protects documents at rest and in motion using declarative policies and encryption. Encryption in the system is provided transparently and can work in conjunction with policy enforcers installed at a system. A system can protect information or documents from: (i) insider theft; (ii) ensure confidentiality; and (iii) prevent data loss, while enabling collaboration both inside and outside of a company.

7 Citations

20 Claims

1. A method comprising:
- providing a document management system managing a plurality of documents wherein the document management system comprises clients and servers;
  
  at a first client, executing a first policy enforcer program, wherein the first policy enforcer program comprises a interceptor code component and a policy engine code component, the interceptor code component resides within an operating system layer executing on the first client, and the policy engine code component is outside of the operating system layer;
  
  at the first client, intercepting by the interceptor code component of the first policy enforcer program a request by an application that is attempting to transfer a selected document, managed by the document management system, to a second client;
  
  after the interceptor code component intercepts the transfer request, not allowing the application to transfer the selected document to the second client, and using the policy engine code component of the first policy enforcer program, evaluating at least one policy associated with the selected document;
  
  as a result of the evaluating, determining that the transfer request is allowed, and encrypting the selected document; and
  
  allowing the application to transfer the encrypted selected document to the second client.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 comprising:
    - sending a notification from a second policy enforcer regarding an attempt at the second client to open the encrypted document;
      
      determining that the encrypted document is encrypted;
      
      with the second policy enforcer program, requesting a key that will allow decryption of the encrypted document.
  - 3. The method of claim 2 comprising:
    - using the key to unencrypt the encrypted selected document to obtain an unencrypted version of the selected document.
  - 4. The method of claim 1 wherein the selected document is unencrypted.
  - 5. The method of claim 1 wherein the at least one policy associated with selected document is stored at the first client.
  - 6. The method of claim 1 wherein the selected document is encrypted by an encryption module executing on the first client, the encryption module is separate from the policy enforcer program.

7. A method comprising:
- providing a document management system managing a plurality of documents wherein the document management system comprises clients and servers;
  
  at a first client, executing a first policy enforcer program;
  
  at the first client, trapping by the first policy enforcer program a request by an application that will transfer a selected document, managed by the document management system, to a second client;
  
  after the first policy enforcer program intercepts the transfer request, not allowing the application to transfer the selected document to the second client, and evaluating at least one policy associated with the selected document;
  
  as a result of the evaluating, determining that the transfer request is allowed, and encrypting the selected document;
  
  allowing the application to transfer the encrypted selected document to the second client;
  
  sending a notification from a second policy enforcer regarding an attempt at the second client to open the encrypted document;
  
  determining that the encrypted document is encrypted;
  
  with the second policy enforcer program, requesting a key that will allow decryption of the encrypted document; and
  
  using the key to unencrypt the encrypted selected document to obtain an unencrypted version of the selected document.
- View Dependent Claims (8)
- - 8. The method of claim 7 comprising:
    - sending a notification from a second policy enforcer regarding an attempt at the second client to open the encrypted document;
      
      determining the attempt at the second client is not allowed according to a first policy; and
      
      at the second client, disallowing the second client from opening the encrypted document.

9. A method comprising:
- providing a document management system managing a plurality of documents wherein the document management system comprises clients and servers;
  
  at a first client, executing a first policy enforcer program, wherein the first policy enforcer program comprises a interceptor code component and a policy engine code component, the interceptor code component resides within an operating system layer executing on the first client, and the policy engine code component is outside of the operating system layer;
  
  at the first client, intercepting by the interceptor code component a request by an application that will transfer a selected document, managed by the document management system, to a second client;
  
  after the interceptor code component intercepts the transfer request, not allowing the application to transfer the selected document to the second client, and using the policy engine code component, evaluating at least one policy associated with the selected document;
  
  as a result of the evaluating, determining that the transfer request is allowed, and encrypting the selected document;
  
  allowing the application to transfer the encrypted selected document to the second client;
  
  sending a notification from a second policy enforcer regarding an attempt at the second client to open the encrypted document;
  
  determining that the encrypted document is encrypted;
  
  with the second policy enforcer program, requesting a key that will allow decryption of the encrypted document; and
  
  using the key to unencrypt the encrypted selected document to obtain an unencrypted version of the selected document.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. The method of claim 9 wherein the selected document is unencrypted.
  - 11. The method of claim 9 wherein the at least one policy associated with selected document is stored at the first client.
  - 12. The method of claim 9 wherein the selected document is encrypted by an encryption module executing on the first client, the encryption module is separate from the policy enforcer program.
  - 13. The method of claim 9 wherein the encrypting the selected document comprises:
    - accessing a shared encryption key ring at the first policy enforcer program, wherein the first shared key ring is accessible to the second policy enforcer program;
      
      selecting a first encryption key of the shared encryption key ring; and
      
      encrypting the selected document with the first encryption key.
  - 14. The method of claim 13 wherein the shared encryption key ring is stored at a key management server.
  - 15. The method of claim 14 wherein the evaluated at least one policy at the second policy enforcer program comprises a key ring identifier.
  - 16. The method of claim 15 wherein the at least one policy at the first client is stored separately from the key management server.
  - 17. The method of claim 9 wherein the at least one policy at the second client comprises an encryption key identifier.
  - 18. The method of claim 11 wherein the determining that the transfer request is allowed, but before allowing the transfer request, encrypting the selected document further comprises:
    - substituting the selected document with the encrypted document.
  - 19. The method of claim 11 wherein the at least one policy evaluated at the second policy enforcer is different than the at least one policy evaluated at the first policy enforcer.
  - 20. The method of claim 11 wherein the selected document is associated with a first file extension and the encrypted document is associated with a second document extension, different than the first document extension.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlabs
Original Assignee
Nextlabs
Inventors
Lim, Keng

Granted Patent

US 10,110,597 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

H04L 51/08   Annexed information, e.g. a...

H04L 63/0245   Filtering by information in...

H04L 63/0471   applying encryption by an i...

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 9/00   Cryptographic mechanisms or...

Protecting Information Using Policies and Encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting Information Using Policies and Encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links