METHOD AND SYSTEM FOR DIGITAL PRIVACY MANAGEMENT

US 20170272472A1
Filed: 03/17/2017
Published: 09/21/2017
Est. Priority Date: 03/21/2016
Status: Active Grant

First Claim

Patent Images

1. A system for managing data privacy, comprising:

a processor; and

a memory, the memory having stored therein;

at least one security module for provision of at least one data privacy measure for protection of data;

a security risk controller for dynamically modifying security policies, which, when executed by the processor, performs operations of;

receiving context data from said at least one security module;

determining, in real time, at least one internal security risk factor from the context data; and

responsive to said determining, modifying, in real time, a security policy for the at least one data privacy measure;

the memory having further stored therein;

a fraud predictor for identifying and reporting users at risk for engaging in malicious behavior, which when executed by the processor performs operations of;

receiving a plurality of inputs regarding user behavior; and

analyzing the inputs to identify authorized users/applicationsdisplaying anomalous behavior that indicates a malicious propensity;

wherein role-based, need-to-know access is granted only to specific users or groups of users or applications for ensuring data protection; and

wherein the system is capable of managing the at least one data privacy measure without requiring code changes and without requiring users to modify their computing behavior.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data Privacy Manager (DPM) solution includes a number of different components performing data security procedures (encryption, masking, tokenization, Anonymization, etc.) at the folder, file, email, application, database and column levels. These include components such as Key Manager, File Manager, File Agent, Email Agent, Database Manager, Database Connector, the Token Manager, Security Risk Controller and Fraud Predictor. All these components can be managed through a management console.

Citations

20 Claims

1. A system for managing data privacy, comprising:
- a processor; and
  
  a memory, the memory having stored therein;
  
  at least one security module for provision of at least one data privacy measure for protection of data;
  
  a security risk controller for dynamically modifying security policies, which, when executed by the processor, performs operations of;
  
  receiving context data from said at least one security module;
  
  determining, in real time, at least one internal security risk factor from the context data; and
  
  responsive to said determining, modifying, in real time, a security policy for the at least one data privacy measure;
  
  the memory having further stored therein;
  
  a fraud predictor for identifying and reporting users at risk for engaging in malicious behavior, which when executed by the processor performs operations of;
  
  receiving a plurality of inputs regarding user behavior; and
  
  analyzing the inputs to identify authorized users/applicationsdisplaying anomalous behavior that indicates a malicious propensity;
  
  wherein role-based, need-to-know access is granted only to specific users or groups of users or applications for ensuring data protection; and
  
  wherein the system is capable of managing the at least one data privacy measure without requiring code changes and without requiring users to modify their computing behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein the at least one internal security risk factor comprises a User Security Risk Factor (USRF), the USRF comprising a numeric value algorithmically computed using internal and external data sources and manually-entered data.
  - 3. The system of claim 1, wherein the environmental information comprises information internal to said system, the internal information being received from said at least one at least one security module for provision of at least one data privacy measure for protection of data and comprising data regarding any of:
    - users or applications, operations initiated by the users or applications and the object or objects of each operation, including any of ;
      
      authorized user activity logs which include details that includes any of;
      
      user ID, date, time, location, activity duration, number of files encrypted, number of files with ACL policy, activity type, IP address, off-line/online status, Strict-online, encryption key, encryption key length, application white list, encryption level, activity of tokenization/detokenization, number of clients and performance, errors.
  - 4. The system of claim 2, further comprising at least one enforcement agent configured for dynamically changing policies based on the USRF according to risk level expectations.
  - 5. The system of claim 2, wherein the operation of determining, in real time, at least one internal security risk factor from the context data comprises:
    - computing a baseline USRF based on environmental information and at least one of configured policies and data classification;
      
      storing the baseline USRF;
      
      collecting input data from external and/or internal sources and/or from management input;
      
      computing a current USRF; and
      
      storing the current USRF.
  - 6. The system of claim 5, wherein the operation of determining, in real time, at least one internal security risk factor from the context data further comprises:
    - determining an action to be taken if a current USRF value changes from a previous USRF value;
      
      computing a new policy based on the change in the USRF value;
      
      sending notification to relevant entities of the changed USRF value and the new policy.
  - 7. The system of claim 5, wherein the operation of determining, in real time, at least one internal security risk factor from the context data further comprises:
    - separately computing a separate USRF value for each device under management.
  - 8. The system of claim 1, wherein said fraud predictor further performs operations of:
    - setting, for each user, a baseline level for initial configurations for each system and each policy in all system components;
      
      receiving inputs from any of external sources, internal sources and management input regarding a user'"'"'s behavior; and
      
      computing a current fraud risk level for each user in each target system.
  - 9. The system of claim 1, wherein the fraud predictor performs additional operations of:
    - providing real-time alerts based on trigger points;
      
      providing regular pre-configured reports of possible rogue users requiring further monitoring so as to explicitly identify imminent fraud;
      
      providing feedback to the SRC for automating prevention by dynamically changing policies.
  - 10. The system of claim 1, wherein said at least one security module comprises at least one of:
    - a token manager;
      
      a file manager;
      
      a key manager;
      
      a database manager; and
      
      a multi-tenancy manager;
      
      wherein said at least one security module interfaces to external 3rd party security components and software and internal security components to receive environment information.
  - 11. The system of claim 10, wherein the external security components include any of :
    - at least one intrusion prevention system;
      
      at least one firewall ;
      
      at least one router;
      
      one or more device activity logs;
      
      one or more operating system logs;
      
      one or more database activity logs,one or more application activity logs; and
      
      output from at least one behavior analytics module;
      
      wherein the security risk controller, based on the audit data input by the external security components, output one or more “
      
      what if”
      
      scenarios.
  - 12. The system of claim 11, wherein the token manager is configured for providing an interface for external applications to tokenize/detokenize or encrypt/decrypt data;
    - and wherein said token manager performs operations of;
      
      replacing data with tokens, the tokens comprising surrogate values mapped to the original data;
      
      responsive to a de-tokenization request, returning the data mapped to the surrogate values;
      
      format-conserving tokenization and format-conserving encryption, wherein a token value or cipher text has the same size as the original data; and
      
      non-format conserving tokenization and non-format conserving encryption.
  - 13. The system of claim 10, wherein the token manager performs operations of:
    - providing an individual user the ability of scrambling his/her personal identifying information to produce multiple fictitious identities that are each tokens of the original personal identifying information, mapping to the original true identify information; and
      
      allowing the individual user to easily manage the fictitious identities.
  - 14. The system of claim 10, wherein said file manager performs operations of:
    - implementing fine-gained access control mechanisms to protect files stored within the enterprise network;
      
      whitelisting and blacklisting applications;
      
      encrypting and decrypting files, folders and full databases; and
      
      simplifying management of file access rights configurations.
  - 15. The system of claim 10, wherein said database manager performs operations of:
    - masking column-level data with no application code changes;
      
      integrating with Token manager for tokenization, standard encryption, format preserving encryption and anonymization;
      
      dynamic tokenization, anonymization and masking rules;
      
      dynamically enforcing security policy enforcement by the Security Risk Controller;
      
      identifying authorized and unauthorized users'"'"' activities for the Fraud Predictor;
      
      integrating with 3rd party Data Classification systems for structured data to automatically enforce policies according to an enterprise classification policy; and
      
      integrating with 3rd party sensitive data identification systems for structured data s to automatically enforce DPM policies per enterprise wide sensitive data location policies.
  - 16. The system of claim 10, wherein said multi-tenancy manager simplifies management of multiple instances of said system in multi-tenant hosting environments and wherein said multi-tenancy manager performs operations of:
    - logically separating customer data stored in independent virtual machine instances of the system and database;
      
      logically separating customer data stored in one share database instance or one shared system instance or a shared system/database;
      
      enabling configuration flexibility for end users and different tenant types from a single platform;
      
      mapping tenant locations and status.
  - 17. The system of claim 10, wherein said key manager provides a central place to manage encryption keys and wherein said key manager performs operations of:
    - managing the entire key and certificate lifecycle management;
      
      supporting KMIP (Key Management Interoperability Protocol) for integration with client applications;
      
      integrating with file manager and token manager to provide key management;
      
      creating, enforcing and monitoring policies for key generation, access control and auditing;
      
      integrating with an external key manager, SSM or HSM, QRNG and BYOE;
      
      serving as a policy engine for enterprise-wide key and certificate policy management for DPM and 3rd party applications and systems;
      
      dynamically enforcing of key and certificate policies based on Security Risk Controller; and
      
      providing user access and audit information to the Fraud Predictor for identification of authorized user and associated key and certificate turning from “
      
      good”
      
      user to ‘
      
      rogue.’
  - 18. The system of claim 10, wherein at least one of the key manager and the file manager perform at least one of:
    - storing and executing key manager application secrets in CPU hardware security-assisted vaults on same platform in which DPM applications are running; and
      
      enforcing confidentiality and integrity even in compromised systems of privileged malware at the operating system (OS) and BIOS (basic input/output system) of physical and virtualized computers by means of hardware-assisted containerization

19. A computer-implemented method for managing data privacy without requiring code changes and without requiring users to modify their computing behavior comprising:
- at least one security module collecting context data regarding at least one privacy measure for protection of data;
  
  a security risk controller receiving said context data responsive to transmission thereto by said at least one security module;
  
  the security risk controller determining, in real time, at least one internal security risk factor from the context data; and
  
  responsive to said determining, modifying, in real time, a security policy for the at least one data privacy measure;
  
  a fraud predictor receiving a plurality of inputs regarding user behavior;
  
  analyzing the inputs to identify authorized users/applications displaying anomalous behavior that indicates a malicious propensity;
  
  identifying and reporting users at risk for engaging in malicious behavior; and
  
  granting access only to specific users or groups of users or applications for ensuring data protection based on said internal risk factor and output of said fraud predictor.

20. A non-transitory computer-readable medium storing instructions, wherein the instructions, when executed by a computer system, cause the computer system to perform a method, the method comprising:
- at least one security module collecting context data regarding at least one privacy measure for protection of data;
  
  a security risk controller receiving said context data responsive to transmission thereto by said at least one security module;
  
  the security risk controller determining, in real time, at least one internal security risk factor from the context data; and
  
  responsive to said determining, modifying, in real time, a security policy for the at least one data privacy measure;
  
  a fraud predictor receiving a plurality of inputs regarding user behavior;
  
  analyzing the inputs to identify authorized users/applications displaying anomalous behavior that indicates a malicious propensity;
  
  identifying and reporting users at risk for engaging in malicious behavior; and
  
  granting access only to specific users or groups of users or applications for ensuring data protection based on said internal risk factor and output of said fraud predictor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vireshwar K. Adhar
Original Assignee
Vireshwar K. Adhar
Inventors
Adhar, Vireshwar K.

Granted Patent

US 10,498,772 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2125   Just-in-time application of...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/105   Multiple levels of security

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

METHOD AND SYSTEM FOR DIGITAL PRIVACY MANAGEMENT

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DIGITAL PRIVACY MANAGEMENT

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links