Preventing secure data from leaving the network perimeter

US 8,316,442 B2
Filed: 01/15/2008
Issued: 11/20/2012
Est. Priority Date: 01/15/2008
Status: Active Grant

First Claim

Patent Images

1. A method for preventing secure data from leaving a perimeter of an enterprise network, wherein an edge device couples the enterprise network to an external network, and the edge device has access to all traffic that flows inbound and outbound between the enterprise network and the external network, the method comprising the steps of:

computing a plurality of hashes for a data file to uniquely identify the data file as a secure data being subject to restrictions on leaving the enterprise network perimeter;

sending the plurality of hashes to the edge device;

storing the plurality of hashes at the edge device;

in response to a user of a host downloading the secure data from the enterprise network, a client agent running on a host machine, tracking any modification made to the secure data by the user;

when the secure data is modified by the user on the host machine, computing a hash for the modified secure data;

sending the hash for the modified secure data to the edge device;

monitoring, by the edge device, outbound data that is being sent out across the enterprise network;

computing, by the edge device, a hash of the outbound data;

comparing, by the edge device, the hash of the outbound data to each of the plurality of stored hashes, the stored hashes being associated with respective data files that are each designated by an administrator or authorized user of the enterprise network;

blocking, by the edge device, the outbound data from leaving the perimeter if the hash of the outbound data matches one of the stored hashes;

providing data from the edge device to the administrator or authorized user of the enterprise network, including an identity of secure data, an identity of who accessed the secure data, and when the secure data was accessed; and

providing an indication, from the edge device to the administrator or authorized user of the enterprise network, of actions taken by the edge device in response to results of the comparing step.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure data is prevented from leaving the perimeter of a network such as an enterprise network or corporate network (“corpnet”) by an arrangement in which a hash of the secure data is periodically computed, and the hashes are pushed out to an edge device on the network such as a firewall where they are stored for later access. The edge device is configured so that it has access to all traffic that flows between the enterprise network and an external network, such as the Internet, that is located outside the enterprise network perimeter. Whenever a user attempts to send data to the external network, a process running on the edge device computes a hash for the outbound data and compares it against the stored hashes associated with the secure data. If a match is made between the hash for the outbound data and a stored hash for secure data, then the edge device blocks the outbound data from leaving the network perimeter.

Citations

18 Claims

1. A method for preventing secure data from leaving a perimeter of an enterprise network, wherein an edge device couples the enterprise network to an external network, and the edge device has access to all traffic that flows inbound and outbound between the enterprise network and the external network, the method comprising the steps of:
- computing a plurality of hashes for a data file to uniquely identify the data file as a secure data being subject to restrictions on leaving the enterprise network perimeter;
  
  sending the plurality of hashes to the edge device;
  
  storing the plurality of hashes at the edge device;
  
  in response to a user of a host downloading the secure data from the enterprise network, a client agent running on a host machine, tracking any modification made to the secure data by the user;
  
  when the secure data is modified by the user on the host machine, computing a hash for the modified secure data;
  
  sending the hash for the modified secure data to the edge device;
  
  monitoring, by the edge device, outbound data that is being sent out across the enterprise network;
  
  computing, by the edge device, a hash of the outbound data;
  
  comparing, by the edge device, the hash of the outbound data to each of the plurality of stored hashes, the stored hashes being associated with respective data files that are each designated by an administrator or authorized user of the enterprise network;
  
  blocking, by the edge device, the outbound data from leaving the perimeter if the hash of the outbound data matches one of the stored hashes;
  
  providing data from the edge device to the administrator or authorized user of the enterprise network, including an identity of secure data, an identity of who accessed the secure data, and when the secure data was accessed; and
  
  providing an indication, from the edge device to the administrator or authorized user of the enterprise network, of actions taken by the edge device in response to results of the comparing step.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 in which the edge device is further configured to function as a gateway to an external network and the outbound data is intended to be received by an address on the external network.
  - 3. The method of claim 2 in which the edge device is further configured to provide edge security including a firewall functionality, and network optimization selected from one of caching, HTTP compression, or QoS policy enforcement.
  - 4. The method of claim 3 including the further steps of receiving a hash that is computed for data that is designated as secure, and storing the received hash with the plurality of stored hashes, the received hash functioning to uniquely identify the designated secure data.
  - 5. The method of claim 4 in which the stored hashes are stored on a persistent basis in a repository that is disposed in an external device that is capable of being operatively coupled to the edge device.
  - 6. The method of claim 5 including a further step of sending a notification to an administrator management function in the enterprise network when the outbound data is blocked from leaving the perimeter.
  - 7. The method of claim 6 including a further step of receiving a manual override from a network administrator in response to the notification, the manual override indicating that the outbound data is permitted to leave the network perimeter.
  - 8. The method of claim 7 in which the administrator management function includes features selected from one of configuration management, monitoring, reporting, or auditing.
  - 9. The method of claim 8 in which the administrator management function is configured to enable selection among a plurality of different hashing algorithms.

10. A method for identifying data in an enterprise network as being secure, the method comprising the steps of:
- receiving a designation from an administrator or authorized user of the enterprise network that a data file is secure data, wherein the administrator or authorized user of the enterprise network tracks the identity of the secure data, an identity of who accessed the secure data, and when the secure data was accessed;
  
  computing a hash for the data file to uniquely identify the data file as secure data, the secure data being subject to restrictions on leaving the enterprise network perimeter;
  
  in response to a user of a host downloading the secure data from the enterprise network, a client agent running on a host machine, tracking any modification made to the secure data by the user;
  
  when the secure data is modified by the user on the host machine, computing a hash for the modified secure data;
  
  sending the hash to an edge device that is positioned on the enterprise network perimeter, the edge device being arranged to block secure data that is outbound from the enterprise network;
  
  storing the hash at the edge device,computing a hash of the outbound data;
  
  comparing the hash of outbound data to stored hashes for the secure data;
  
  blocking the outbound data from leaving the perimeter when the hash of the outbound data matches one of the stored hashes;
  
  providing data from the edge device to the administrator or authorized user of the enterprise network, including an identity of secure data, an identity of who accessed the secure data, and when the secure data was accessed; and
  
  providing an indication, from the edge device to the administrator or authorized user of the enterprise network, of actions taken by the edge device in response to results of the comparing step.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10 including a further step of computing a hash for other data that is designated secure so that the edge device is kept updated with identities of currently secure data in the enterprise network.
  - 12. The method of claim 11 in which the computing is performed at predetermined intervals.
  - 13. The method of claim 12 including a further step of setting the predetermined intervals using an administrator console that is arranged to manage configuration of devices in the enterprise network.

14. A method for identifying data that has been modified at a host in an enterprise network as being secure, secure data being subject to restrictions on leaving the enterprise network perimeter, the method comprising the steps of:
- monitoring, by a client agent, activity at the host to identity whether secure data that has been downloaded from a source in the enterprise network has been modified, wherein an edge device provides data to an administrator or authorized user of the enterprise network, including an identity of the secure data, an identity of who accessed the secure data, and when the secure data was accessed;
  
  when the secure data is modified on the host, computing a hash for the modified secure data as being secure data;
  
  sending, by a client agent, the hash to the edge device that is positioned on the enterprise network perimeter, the edge device being arranged to block secure data that is outbound from the enterprise network;
  
  storing the hash at the edge device,computing a hash of the outbound data;
  
  comparing the hash of outbound data to stored hashes for the secure data;
  
  blocking the outbound data from leaving the perimeter when the hash of the outbound data matches one of the stored hashes;
  
  providing data from the edge device to the administrator or authorized user of the enterprise network, including an identity of secure data, an identity of who accessed the secure data, and when the secure data was accessed; and
  
  wherein the edge device provides, to the administrator or authorized user of the enterprise network, actions taken by the edge device in response to results of the comparing step.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14 in which the edge device is selected from one of firewall, router, proxy server, switch, or gateway.
  - 16. The method of claim 15 in which the host is a computing device being selected from one of desktop, laptop, or workstation, the computing device being coupled to the source, the source being a server.
  - 17. The method of claim 16 in which the hash is computing using an algorithm selected from one of LM, MD4, MD5, CRC16, CRC32, SHA-0/1, SHA-0, SHA-1, SHA-2, Tiger, or RIPEMD.
  - 18. The method of claim 17 in which the monitoring, computing, and sending are performed by a client-side agent disposed in a host machine in the enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Prahalad, Prashanth
Primary Examiner(s)
Gelagay, Shewaye

Application Number

US12/014,099
Publication Number

US 20090183257A1
Time in Patent Office

1,771 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

Preventing secure data from leaving the network perimeter

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing secure data from leaving the network perimeter

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links