System and method for providing data security
Abstract
A system and method protects security of data. The data is packaged together with one or more permissions that designate what actions are allowed with respect to the data. The package can be opened when there is approval for doing so and the allowed permissions are maintained. The data is stored within a vault and there are a number of available security procedures that prevent the unauthorized access of the data.
137 Claims
1. A method for maintaining data security comprising:
creating a package associated with a vault, the package comprising data bundled together with one or more permissions for regulating use of the data, the one or more permissions comprising one or more usage rule sets; and
providing a receiver for processing the package and storing the data in the vault, the vault being dedicated hard drive space whose existence and contents are invisible to a user, wherein the existence and contents of the hard drive space are invisible to the user by an assignment of false file names and locations as seen by the user.
Dependent claims: 2-94.
95. A system for maintaining data security comprising:
a receiver for processing a package associated with a vault, with the package comprising data;
the vault located within the receiver for storing the data, the vault being dedicated hard drive space whose existence and contents are invisible to a user, wherein the existence and contents of the hard drive space are invisible to the user by an assignment of false file names and locations as seen by the user; and
internal security for protecting the data stored in the vault, wherein the internal security comprises one or more selected from the group consisting of:
a) a tag file corresponding to the data, and a virtual table mapping the tag file against the data by using an actual file name for the data and a tag name for the tag file, wherein the virtual table and data are stored in the vault;
b) an anchor address corresponding to an original location for at least one of the vault, a driver used for reading of the package and a database storing one or more permissions associated with the package, combining the addresses together to provide a key for regulating system operation and identifying when the key will not operate;
c) a registry monitoring system comprising: a handle for a registry key to a calling process; a registry key value for the handle; a process ID and registry key; security clearance to complete the requests; wherein the process is secured by checking a secured process list; if the process is secured, determining whether the registry key is on a rejection list; if the registry key is on the rejection list, denying the process access to the registry key; and if the process is not on the secured list or if the registry key name is not on the rejection list, completing the request;
d) a shared memory system comprising: a call to reserve a memory page for a requesting process; the reserve call filtered according to whether the page can be shared; a call to commit the memory page for the requesting process or for a subsequent process; the commit call filtered according to whether the page can be shared and whether the process can be secured;
e) a vault system for segregating vault data from other system data; and a file system security driver which intercepts file system calls, and for each specific one of said intercepted file system calls, determining whether said specific one of said intercepted file system calls is from a process accessing said vault data, and, if said specific one of said intercepted file system calls is from a process accessing said vault data, permitting the file system call to create or modify data only within said vault system;
f) a system for monitoring a system clock of a computer to prevent unauthorized access to data comprising: reading a first time value from the system clock; determining whether a permissions database, having one or more clock-related permission fields each comprising one or more clock-related permissions and a stored time value field comprising a stored time value, is initialized on the computer system; if the permissions database is initialized, comparing the first time value to the stored time value and, if the first time value is later than the stored time value, storing the first time value in the stored time value field, and if the first time value is earlier than the stored time value, disabling the one or more clock-related permissions, whereby disabling the clock-related permissions prevents access to the data; and if the permissions database is not initialized, storing the first time value in the stored time value field;
g) detecting an I/O request to said first device driver; determining whether said first device driver is functionally uppermost in the layered plurality of device drivers; if said first device driver is functionally uppermost in the layered plurality of device drivers, performing the I/O request in said first device driver; and if said first device driver is not functionally uppermost in the layered plurality of device drivers, denying the I/O request in said first device driver, and allowing the I/O request to be performed by a next lower-level device driver in the layered plurality of device drivers;
h) a port request detection step of detecting a port request for use of a port sent by a process; a process identification step of determining the identity of said requesting process; a process check step of determining if said process should be permitted to access said port; and a step of allowing said port request to be fulfilled if said process should be permitted to access said port and denying said port request if said process should not be permitted to access said port;
i) a port request detection step of detecting a port request for use of a port sent by a process; an open port process identification step of, if said port request is an open port request, determining the identity of said requesting process; an open port process check step of, if said port request is an open port request, determining if said process should be permitted to open said port; an open port step of, if said port request is an open port request, allowing said open port request to be fulfilled and tracking said open port request if said process should be permitted to open said port and denying said port request if said process should not be permitted to open said port; a close port process completion step of, if said port request is a close port request, completing said port request; and a close port logging step of logging the closing of said port; and
j) a network request detection step of detecting a network request for use of a network sent by a process; a process identification step of determining the identity of said requesting process; a process check step of determining if said process should be permitted to access said network; and a step of allowing said network request to be fulfilled if said process should be permitted to access said network and denying said network request if said process should not be permitted to access said network.
Dependent claims: 96-116.
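The clock-monitoring procedure of element (f) in claim 95, as an added Python illustration that is not part of the patent; the PermissionsDatabase layout (one stored time value, a name-to-expiry map and a single enabled flag), the permission names and the epoch-second timestamps are assumptions of this example.

```python
# Added illustration of element (f): detect a rolled-back system clock and disable
# clock-related permissions. Not the patent's code; the PermissionsDatabase layout,
# the names and the epoch-second timestamps below are assumptions of this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PermissionsDatabase:
    stored_time: Optional[int] = None  # None: not yet initialized on this computer
    clock_permissions: Dict[str, int] = field(default_factory=dict)  # name -> expiry (epoch s)
    enabled: bool = True  # cleared once a rollback is seen; never set back here


def check_system_clock(db: PermissionsDatabase, first_time: int) -> bool:
    """Decision procedure of element (f) for one clock reading. Returns whether the
    clock-related permissions are still usable afterwards."""
    if db.stored_time is None:
        db.stored_time = first_time  # database not initialized: record first reading
    elif first_time < db.stored_time:
        db.enabled = False  # reading earlier than last seen: clock was rolled back
    else:
        db.stored_time = first_time  # later (or equal): advance the stored value
    return db.enabled


def access_allowed(db: PermissionsDatabase, permission: str, now: int) -> bool:
    """Gate one data access: run the clock check, then honour the permission's expiry.
    After a rollback every later access is denied, even if the clock moves forward."""
    if not check_system_clock(db, now):
        return False
    expiry = db.clock_permissions.get(permission)
    return expiry is not None and now <= expiry


def demo() -> List[bool]:
    """Constructed sequence of clock readings against a one-day 'view' permission."""
    t0 = 1_700_000_000
    db = PermissionsDatabase(clock_permissions={"view": t0 + 86_400})
    return [
        access_allowed(db, "view", t0),  # first use initializes the stored value
        access_allowed(db, "view", t0 + 3_600),  # clock advanced: allowed
        access_allowed(db, "view", t0 - 600),  # clock set back: permissions disabled
        access_allowed(db, "view", t0 + 7_200),  # forward again, but still disabled
    ]


if __name__ == "__main__":
    print(demo())  # [True, True, False, False]
```

The check only detects a reading earlier than the latest one recorded, so the stored time value and the enabled flag are only as trustworthy as the storage that holds them.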
117. A computer program product for monitoring data security embodied in a computer-readable memory medium that when read out directs a system to perform at least one of:
creating a package associated with a vault, the package comprising data bundled together with one or more permissions for regulating use of the data, the one or more permissions comprising one or more usage rule sets; and
opening the package and storing the data in the vault for restricted access of the data, the vault being dedicated hard drive space whose existence and contents are invisible to a user, wherein the existence and contents of the hard drive space are invisible to the user by an assignment of false file names and locations as seen by the user.
Dependent claims: 118-135.
136. A system for maintaining security during transmission of data between at least two computers comprising:
a first computer having a system for creating a package associated with a vault, the package comprising data bundled together with one or more permissions selected from a list of available permissions for regulating use of the data, the one or more permissions comprising one or more usage rule sets; and
a second computer having a system for receiving the package from the first computer, opening the package upon verification and storing the data in the vault, the vault being dedicated hard drive space whose existence and contents are invisible to a user, wherein the existence and contents of the hard drive space are invisible to the user by an assignment of false file names and locations as seen by the user.
Dependent claim: 137.