Securing data in a networked environment
First Claim
Patent Images
1. Apparatus for securing data comprising:
- a computing device having stored thereon instructions that upon execution cause;
a secure environment definer to be configured to define a secure environment within an existing user environment, said definer configured to define a boundary about said environment across which data cannot pass and a channel out of said secure environment, the secure environment definer further being configured to define a filter associated with said channel out of said secure environment, said filter being definable to control passage of data out of said secure environment; and
an environment selector configured to detect an attempt to perform an operation on a data unit, to classify a type of the data unit, and to select a selected processing environment among a plurality of processing environments that includes the secure environment based on the classification, and to restrict the performance of the operation to the selected processing environment according to a predefined policy.
3 Assignments
0 Petitions
Accused Products
Abstract
Apparatus for securing data, comprising: an isolated processing environment having a boundary across which data cannot cross and a channel for allowing data to cross the boundary. A filter restricts data passage across the channel. Protected data is initially located in a secure area and is only released to such a secure processing environment so that access for authorized users to the secure data is available, but subsequent release of the secure data by the authorized users to the outside world is controlled.
21 Citations
21 Claims
-
1. Apparatus for securing data comprising:
-
a computing device having stored thereon instructions that upon execution cause; a secure environment definer to be configured to define a secure environment within an existing user environment, said definer configured to define a boundary about said environment across which data cannot pass and a channel out of said secure environment, the secure environment definer further being configured to define a filter associated with said channel out of said secure environment, said filter being definable to control passage of data out of said secure environment; and an environment selector configured to detect an attempt to perform an operation on a data unit, to classify a type of the data unit, and to select a selected processing environment among a plurality of processing environments that includes the secure environment based on the classification, and to restrict the performance of the operation to the selected processing environment according to a predefined policy. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. Apparatus for securing data, comprising:
-
an isolated processing environment, associated with a predefined classified area of data sources, having a boundary across which data cannot pass and a channel for passage of data across said boundary, the isolated processing environment being operable to receive a data unit from the classified area, wherein said isolated processing environment is installed on an endpoint computer; a data classifier, associated with said isolated processing environment, and configured to classify the data unit, according to a predefined policy, and to select a selected processing environment among a plurality of processing environments that includes the secure environment based on the classification, and to restrict the performance of the operation to the selected processing environment; an output restrictor, associated with said channel and configured to restrict the outputting of the data unit across said channel, according to said classification; and an output data modifier associated with said output restrictor and configured to modify the output data unit, according to said classification.
-
-
17. Apparatus for securing data, comprising:
-
an isolated processing environment, associated with a predefined classified area of data sources, wherein said isolated processing environment is installed on an endpoint computer, said isolated processing environment comprising a boundary across which data cannot pass and a channel for allowing data to pass across said boundary; a data classifier, associated with said isolated processing environment, and configured to classify the data unit, according to a predefined policy, and to select a selected processing environment among a plurality of processing environments that includes the secure environment based on the classification, and to restrict the performance of the operation to the selected processing environment; an input restrictor, associated with said channel, and configured to restrict input of a data unit into said isolated processing environment; and an input data modifier, associated with said input restrictor and configured to modify said input data unit according to a predefined policy; and
wherein said isolated processing environment is further operable to forward the input data unit to the classified area. - View Dependent Claims (18)
-
-
19. System for securing data, comprising:
-
a first and a second isolated processing environments, each environment comprising a boundary across which data cannot pass and a channel through which data may cross said boundary, each environment operatively associated with a respective predefined classified area of data sources thereby to receive a data unit from the classified area, and installed on an endpoint computer, the first and second isolated processing environments each being configured to perform the operation on data having of a same type; a data classifier, associated with said first and second processing environments, and configured to classify the data unit, according to a predefined policy, and to select a selected processing environment from the first and second processing environments that includes the secure environment based on the classification, and to restrict the performance of the operation to the selected processing environment; and at least two output restrictors, each output restrictor associated with a channel of a respective one of said isolating processing environments and configured to control outputting of the received data unit from the isolated processing environment.
-
-
20. A computer program on a computer readable medium, for providing when run on a computer:
-
an isolated processing environment definer, operable to define an isolated processing environment comprising a boundary across which data may not pass and a channel through which data may cross said boundary, the environment being associatable with a predefined classified area of data sources on an endpoint computer; a data classifier, associated with said isolated processing environment, and configured to classify the data unit, according to a predefined policy, and to select a selected processing environment among a plurality of processing environments that includes the secure environment based on the classification, and to restrict the performance of the operation to the selected processing environment; an output restrictor, installable on the endpoint computer, and configured to restrict outputting of the data unit through said channel; and an output data modifier associated with said output restrictor and configured to modify the output data unit. - View Dependent Claims (21)
-
Specification