System, method and apparatus for electronically protecting data and digital content

US 7,937,579 B2
Filed: 03/16/2006
Issued: 05/03/2011
Est. Priority Date: 03/16/2005
Status: Active Grant

First Claim

Patent Images

1. A system for protecting sensitive data comprising:

one or more clients, each client having a data storage and a content manager, wherein two or more items of sensitive data are stored within a file on the data storage and the content manager extracts the sensitive data items from the file on the data storage, sends the extracted data items to a server for storage, receives a pointer for each extracted data item indicating where the extracted data item has been stored and replaces the extracted items of sensitive data stored in the file on the data storage with the pointers;

the server communicably coupled to the one or more clients, wherein the server receives the extracted data items from the client, stores the extracted data items to a secure storage, generates the pointer for each extracted data item and sends the pointers to the client; and

wherein the content manager and the server protect the sensitive data items within the file by restricting subsequent access to and use of the sensitive data items via the pointers based on one or more rules by;

receiving a first request from one or more applications for data stored in the file on the data storage,determining whether the requested data includes one or more of the sensitive data items,providing the requested data to the one or more applications whenever the requested data does not include any of the sensitive data items, andperforming the following steps whenever the requested data includes one or more of the sensitive data items;

sending a second request containing the pointer for each sensitive data item included in the requested data to the server that authenticates the second request,denying the first request whenever the authentication fails, andreceiving and providing the requested sensitive data items to the one or more applications whenever the authentication succeeds.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and apparatus are described for protecting sensitive data by extracting the sensitive data from a data storage on a client, sending the extracted data to a server for storage, receiving a pointer indicating where the extracted data has been stored and replacing the sensitive data on the data storage on the client with the pointer. The pointer may include random data that is of a same data type as the sensitive data. Furthermore, the pointer is subsequently used to access the sensitive data after proper authentication.

61 Citations

View as Search Results

39 Claims

1. A system for protecting sensitive data comprising:
- one or more clients, each client having a data storage and a content manager, wherein two or more items of sensitive data are stored within a file on the data storage and the content manager extracts the sensitive data items from the file on the data storage, sends the extracted data items to a server for storage, receives a pointer for each extracted data item indicating where the extracted data item has been stored and replaces the extracted items of sensitive data stored in the file on the data storage with the pointers;
  
  the server communicably coupled to the one or more clients, wherein the server receives the extracted data items from the client, stores the extracted data items to a secure storage, generates the pointer for each extracted data item and sends the pointers to the client; and
  
  wherein the content manager and the server protect the sensitive data items within the file by restricting subsequent access to and use of the sensitive data items via the pointers based on one or more rules by;
  
  receiving a first request from one or more applications for data stored in the file on the data storage,determining whether the requested data includes one or more of the sensitive data items,providing the requested data to the one or more applications whenever the requested data does not include any of the sensitive data items, andperforming the following steps whenever the requested data includes one or more of the sensitive data items;
  
  sending a second request containing the pointer for each sensitive data item included in the requested data to the server that authenticates the second request,denying the first request whenever the authentication fails, andreceiving and providing the requested sensitive data items to the one or more applications whenever the authentication succeeds.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 19, 20, 21)
- - 2. The system as recited in claim 1, wherein:
    - the client comprises a computer, a laptop computer, a handheld computer, a desktop computer, a workstation, a data terminal, a phone, a mobile phone, a personal data assistant, a media player, a gaming console, a security device, a surveillance device or a combination thereof; and
      
      the server is communicably coupled to the one or more clients via a computer network, a telecommunications network, a wireless communications link, a physical connection, a landline, a satellite communications link, an optical communications link, a cellular network or a combination thereof.
  - 3. The system as recited in claim 1, wherein the communications between the server and the client are encrypted.
  - 4. The system as recited in claim 1, wherein the server further comprises:
    - an application program interface layer;
      
      an authentication layer coupled to the application program interface layer;
      
      a plug-in layer coupled to the authentication layer;
      
      a data layer coupled to the plug-in layer; and
      
      an events layer coupled to the data layer, the plug-in layer and the authentication layer.
  - 5. The system as recited in claim 1, wherein the pointer comprises random data that is of a same data type as the sensitive data.
  - 6. The system as recited in claim 1, wherein the pointer is subsequently used to access the sensitive data item after proper authentication.
  - 7. The system as recited in claim 1, wherein storage of the sensitive data items is governed by the one or more rules.
  - 19. The system as recited in claim 1, wherein the received sensitive data items can only be viewed or used in an application.
  - 20. The system as recited in claim 1, wherein the received sensitive data items cannot be further transferred or stored.
  - 21. The system as recited in claim 1, wherein the sensitive data items comprises personal data, financial data, corporate data, legal data, government data, police data, immigration data, military data, intelligence data, security data, surveillance data, technical data, copyrighted content or a combination thereof.

8. An apparatus for protecting sensitive data comprising:
- a data storage comprising a file having two or more items of sensitive data stored therein;
  
  one or more applications;
  
  a communications interface to a remote server having a secure storage;
  
  a content manager communicably coupled to the data storage, the one or more applications and the communications interface, wherein the content manager controls access to the data storage, extracts the sensitive data items from the file on the data storage, sends the extracted data items to the remote server for storage via the communications interface, receives a pointer for each extracted data item indicating where the extracted data item has been stored and replaces the extracted items of sensitive data stored in the file on the data storage with the pointers; and
  
  wherein the content manager and the remote server protect the sensitive data items within the file by restricting subsequent access to and use of the sensitive data items via the pointers based on one or more rules by;
  
  receiving a first request from the one or more applications for data stored in the file on the data storage,determining whether the requested data includes one or more of the sensitive data items,providing the requested data to the one or more applications whenever the requested data does not include any of the sensitive data items, andperforming the following steps whenever the requested data includes one or more of the sensitive data items;
  
  sending a second request containing the pointer for each sensitive data item included in the requested data to the remote server that authenticates the second request,denying the first request whenever the authentication fails, andreceiving and providing the requested sensitive data items to the one or more applications whenever the authentication succeeds.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The apparatus as recited in claim 8, wherein:
    - the apparatus comprises a computer, a laptop computer, a handheld computer, a desktop computer, a workstation, a data terminal, a phone, a mobile phone, a personal data assistant, a media player, a gaming console, a security device, a surveillance device or a combination thereof; and
      
      the server is communicably coupled to the one or more clients via a computer network, a telecommunications network, a wireless communications link, a physical connection, a landline, a satellite communications link, an optical communications link, a cellular network or a combination thereof.
  - 23. The apparatus as recited in claim 8, wherein the communications between the server and the client are encrypted.
  - 24. The apparatus as recited in claim 8, wherein the received sensitive data items can only be viewed or used in an application.
  - 25. The apparatus as recited in claim 8, wherein the received sensitive data items cannot be further transferred or stored.
  - 26. The apparatus as recited in claim 8, wherein the pointer comprises random data that is of a same data type as the sensitive data.
  - 27. The apparatus as recited in claim 8, wherein the pointer is subsequently used to access the sensitive data item after proper authentication.
  - 28. The apparatus as recited in claim 8, wherein storage of the sensitive data items is governed by the one or more rules.
  - 29. The apparatus as recited in claim 8, wherein the sensitive data items comprises personal data, financial data, corporate data, legal data, government data, police data, immigration data, military data, intelligence data, security data, surveillance data, technical data, copyrighted content or a combination thereof.

9. A method for protecting sensitive data comprising the steps of:
- extracting each item of the sensitive data from a file on a data storage on a client;
  
  sending the extracted data items to a server for storage;
  
  receiving a pointer for each extracted data item indicating where the extracted data item has been stored;
  
  replacing each item of the sensitive data stored in the file on the data storage on the client with the pointer; and
  
  protecting the sensitive data items by restricting subsequent access to and use of the sensitive data items via the pointers based on one or more rules by;
  
  receiving a first request for data stored in the file on the data storage;
  
  determining whether the requested data includes any of the sensitive data items;
  
  providing the requested data whenever the requested data does not include any of the sensitive data items; and
  
  performing the following steps whenever the requested data includes any of the sensitive data items;
  
  sending a second request containing the pointer for each sensitive data item included in the requested data to the server, authenticating the second request, denying the second request whenever the authentication fails, retrieving the requested sensitive data items using the pointers and sending the sensitive data items whenever the authentication succeeds.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 30, 31)
- - 10. The method as recited in claim 9, further comprising the steps of:
    - receiving the extracted data items from the client;
      
      storing the extracted data items to a secure storage on the server;
      
      generating the pointer for each extracted data item; and
      
      sending the pointer for each extracted data item to the client.
  - 11. The method as recited in claim 9, wherein the received sensitive data items can only be viewed or used in an application.
  - 12. The method as recited in claim 9, wherein the received sensitive data items cannot be further transferred or stored.
  - 13. The method as recited in claim 9, wherein the pointer comprises random data that is of a same data type as the sensitive data item.
  - 14. The method as recited in claim 9, wherein the pointer is subsequently used to access the sensitive data item after proper authentication.
  - 15. The method as recited in claim 9, wherein storage of the sensitive data items is governed by the one or more rules.
  - 16. The method as recited in claim 9, wherein the sensitive data items comprises personal data, financial data, corporate data, legal data, government data, police data, immigration data, military data, intelligence data, security data, surveillance data, technical data, copyrighted content or a combination thereof.
  - 30. The method as recited in claim 9, wherein:
    - the client comprises a computer, a laptop computer, a handheld computer, a desktop computer, a workstation, a data terminal, a phone, a mobile phone, a personal data assistant, a media player, a gaming console, a security device, a surveillance device or a combination thereof; and
      
      the server is communicably coupled to the one or more clients via a computer network, a telecommunications network, a wireless communications link, a physical connection, a landline, a satellite communications link, an optical communications link, a cellular network or a combination thereof.
  - 31. The method as recited in claim 9, wherein the communications between the server and the client are encrypted.

17. A non-transitory computer readable storage medium for protecting sensitive data comprising program instructions when executed by a client causes the client device to perform the steps of:
- extracting each item of the sensitive data from a file on a data storage on the client;
  
  sending the extracted data items to a server for storage;
  
  receiving a pointer for each extracted data item indicating where the extracted data item has been stored;
  
  replacing each item of the sensitive data stored in the file on the data storage on the client with the pointer; and
  
  protecting the sensitive data items by restricting subsequent access to and use of the sensitive data items via the pointers based on one or more rules by;
  
  receives a first request from one or more applications for data stored in the file on the data storage,determines whether the requested data includes one or more of the sensitive data items,provides the requested data to the one or more applications whenever the requested data does not include any of the sensitive data items, andperforms the following steps whenever the requested data includes one or more of the sensitive data items;
  
  sends a second request containing the pointer for each sensitive data item included in the requested data to the server that authenticates the second request,denies the first request whenever the authentication fails, andreceives and provides the requested sensitive data items to the one or more applications whenever the authentication succeeds.
- View Dependent Claims (18, 32, 33, 34, 35, 36, 37, 38, 39)
- - 18. The non-transitory computer readable storage medium as recited in claim 17, further comprising the steps of:
    - receiving the extracted data items from the client;
      
      storing the extracted data items to a secure storage on the server;
      
      generating the pointer for each extracted data item; and
      
      sending the pointer for each extracted data item to the client.
  - 32. The computer readable storage medium as recited in claim 17, wherein:
    - the client comprises a computer, a laptop computer, a handheld computer, a desktop computer, a workstation, a data terminal, a phone, a mobile phone, a personal data assistant, a media player, a gaming console, a security device, a surveillance device or a combination thereof; and
      
      the server is communicably coupled to the one or more clients via a computer network, a telecommunications network, a wireless communications link, a physical connection, a landline, a satellite communications link, an optical communications link, a cellular network or a combination thereof.
  - 33. The computer readable storage medium as recited in claim 17, wherein the communications between the server and the client are encrypted.
  - 34. The computer readable storage medium as recited in claim 17, wherein the received sensitive data items can only be viewed or used in an application.
  - 35. The computer readable storage medium as recited in claim 17, wherein the received sensitive data items cannot be further transferred or stored.
  - 36. The computer readable storage medium as recited in claim 17, wherein the pointer comprises random data that is of a same data type as the sensitive data item.
  - 37. The computer readable storage medium as recited in claim 17, wherein the pointer is subsequently used to access the sensitive data item after proper authentication.
  - 38. The computer readable storage medium as recited in claim 17, wherein storage of the sensitive data items is governed by the one or more rules.
  - 39. The computer readable storage medium as recited in claim 17, wherein the sensitive data items comprises personal data, financial data, corporate data, legal data, government data, police data, immigration data, military data, intelligence data, security data, surveillance data, technical data, copyrighted content or a combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kloke LLC
Original Assignee
DT Labs LLC
Inventors
Peckover, Douglas
Primary Examiner(s)
Lanier; Benjamin E
Assistant Examiner(s)
ARMOUCHE, HADI S

Application Number

US11/378,549
Publication Number

US 20060212698A1
Time in Patent Office

1,874 Days
Field of Search

713/163, 713/151, 726/3, 726/15, 726/27, 380/37, 380/277, 707/783
US Class Current

713/151
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

System, method and apparatus for electronically protecting data and digital content

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and apparatus for electronically protecting data and digital content

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links