Protecting Information Using Policies and Encryption
Abstract
A technique and system protect documents at rest and in motion using declarative policies and encryption. Encryption in the system is provided transparently and can work in conjunction with policy enforcers installed at a system. A system can: (i) protect information or documents from insider theft; (ii) ensure confidentiality; and (iii) prevent data loss, while enabling collaboration both inside and outside of a company.
20 Claims
1. A method comprising:
- providing a document management system managing a plurality of documents wherein the document management system comprises clients and servers;
- at a first client, executing a first policy enforcer program, wherein the first policy enforcer program comprises an interceptor code component and a policy engine code component, the interceptor code component resides within an operating system layer executing on the first client, and the policy engine code component is outside of the operating system layer;
- at the first client, intercepting by the interceptor code component of the first policy enforcer program a request by an application that is attempting to transfer a selected document, managed by the document management system, to a second client;
- after the interceptor code component intercepts the transfer request, not allowing the application to transfer the selected document to the second client, and using the policy engine code component of the first policy enforcer program, evaluating at least one policy associated with the selected document;
- as a result of the evaluating, determining that the transfer request is allowed, and encrypting the selected document; and
- allowing the application to transfer the encrypted selected document to the second client.

Dependent claims: 2, 3, 4, 5, 6
7. A method comprising:
- providing a document management system managing a plurality of documents wherein the document management system comprises clients and servers;
- at a first client, executing a first policy enforcer program;
- at the first client, trapping by the first policy enforcer program a request by an application that will transfer a selected document, managed by the document management system, to a second client;
- after the first policy enforcer program intercepts the transfer request, not allowing the application to transfer the selected document to the second client, and evaluating at least one policy associated with the selected document;
- as a result of the evaluating, determining that the transfer request is allowed, and encrypting the selected document;
- allowing the application to transfer the encrypted selected document to the second client;
- sending a notification from a second policy enforcer regarding an attempt at the second client to open the encrypted document;
- determining that the encrypted document is encrypted;
- with the second policy enforcer program, requesting a key that will allow decryption of the encrypted document; and
- using the key to unencrypt the encrypted selected document to obtain an unencrypted version of the selected document.

Dependent claims: 8
9. A method comprising:
- providing a document management system managing a plurality of documents wherein the document management system comprises clients and servers;
- at a first client, executing a first policy enforcer program, wherein the first policy enforcer program comprises an interceptor code component and a policy engine code component, the interceptor code component resides within an operating system layer executing on the first client, and the policy engine code component is outside of the operating system layer;
- at the first client, intercepting by the interceptor code component a request by an application that will transfer a selected document, managed by the document management system, to a second client;
- after the interceptor code component intercepts the transfer request, not allowing the application to transfer the selected document to the second client, and using the policy engine code component, evaluating at least one policy associated with the selected document;
- as a result of the evaluating, determining that the transfer request is allowed, and encrypting the selected document;
- allowing the application to transfer the encrypted selected document to the second client;
- sending a notification from a second policy enforcer regarding an attempt at the second client to open the encrypted document;
- determining that the encrypted document is encrypted;
- with the second policy enforcer program, requesting a key that will allow decryption of the encrypted document; and
- using the key to unencrypt the encrypted selected document to obtain an unencrypted version of the selected document.

Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
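The flow recited in claims 7 and 9, modeled in user space as an added example that is not taken from the patent or from any product: the sending enforcer holds the transfer, evaluates the policy and releases only ciphertext, and the receiving enforcer detects the protected file, requests the key and decrypts. The `ENCDOC1` header, the `Policy` and `KeyServer` types, the sample names and the choice of AES-256-GCM are assumptions; the claims do not name a cipher, file format or key service, and the operating-system interceptor is not modeled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

var magic = []byte("ENCDOC1\n") // hypothetical header so a receiver can detect a protected file
type Policy map[string]bool     // hypothetical policy: recipients cleared for the document
type KeyServer map[string][]byte // hypothetical key service: document ID -> AES-256 key
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail: keys here are always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Transfer (sending enforcer): hold the request, evaluate policy, release only ciphertext.
func Transfer(ks KeyServer, p Policy, docID, to string, plain []byte) ([]byte, error) {
	if !p[to] {
		return nil, fmt.Errorf("transfer of %s to %s denied by policy", docID, to)
	}
	buf := make([]byte, 32+12) // fresh 32-byte key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	ks[docID] = buf[:32]
	out := append(append([]byte{}, magic...), buf[32:]...)
	return newGCM(buf[:32]).Seal(out, buf[32:], plain, []byte(docID)), nil // docID bound as AAD
}

// Open (receiving enforcer): detect the marker, request the key, then decrypt.
func Open(ks KeyServer, p Policy, docID, user string, blob []byte) ([]byte, error) {
	if !bytes.HasPrefix(blob, magic) {
		return blob, nil // not a protected document: pass through unchanged
	}
	key, ok := ks[docID]
	if body := blob[len(magic):]; ok && p[user] && len(body) >= 12 {
		return newGCM(key).Open(nil, body[:12], body[12:], []byte(docID))
	}
	return nil, fmt.Errorf("key for %s refused to %s, or document truncated", docID, user)
}
func main() {
	ks, p := KeyServer{}, Policy{"bob": true} // constructed sample data
	blob, _ := Transfer(ks, p, "doc-1", "bob", []byte("constructed sample text"))
	plain, err := Open(ks, p, "doc-1", "bob", blob)
	fmt.Printf("%s %v\n", plain, err)
}
```

Because the key is released only at open time, a copy of the file that reaches a user outside the policy stays ciphertext, and the GCM tag makes a modified file fail to open rather than decrypt to altered content.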
Specification