Classification of security sensitive information and application of customizable security policies

US 8,561,127 B1
Filed: 03/01/2006
Issued: 10/15/2013
Est. Priority Date: 03/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

performing, by one or more computers;

classifying information as security sensitive at an application level of an application, the security sensitive information being associated with a security sensitive category, wherein the security sensitive information is either user-specified as security sensitive or system-specified as security sensitive;

in response to an attempt to send data over a network to a domain via the application, determining at the application level whether the data includes any information classified as security sensitive information;

in response to determining that the data includes security sensitive information, determining at the application level a security policy for the security sensitive information;

applying the security policy at the application level to the security sensitive information, wherein applying the security policy comprises;

determining, at the application level, whether the security sensitive information is to be sent over a secure transport layer and whether the domain is trusted; and

in response to determining that the security sensitive information is not to be sent over the secure transport layer, encrypting the security sensitive information at the application level; and

in response to determining at the application level that the domain is trusted, sending the encrypted security sensitive information to that domain, wherein the encrypted security sensitive information is not sent to the domain if the domain is not determined at the application level to be trusted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Classification of security sensitive information and application of customizable security policies are described, including classifying information as security sensitive information at an application level, the security sensitive information being associated with a security sensitive category, determining a security policy for the security sensitive information, the security policy being configured to secure the security sensitive information, and applying the security policy to the security sensitive information at the application level, the policy being based on the security sensitive category.

Citations

22 Claims

1. A method, comprising:
- performing, by one or more computers;
  
  classifying information as security sensitive at an application level of an application, the security sensitive information being associated with a security sensitive category, wherein the security sensitive information is either user-specified as security sensitive or system-specified as security sensitive;
  
  in response to an attempt to send data over a network to a domain via the application, determining at the application level whether the data includes any information classified as security sensitive information;
  
  in response to determining that the data includes security sensitive information, determining at the application level a security policy for the security sensitive information;
  
  applying the security policy at the application level to the security sensitive information, wherein applying the security policy comprises;
  
  determining, at the application level, whether the security sensitive information is to be sent over a secure transport layer and whether the domain is trusted; and
  
  in response to determining that the security sensitive information is not to be sent over the secure transport layer, encrypting the security sensitive information at the application level; and
  
  in response to determining at the application level that the domain is trusted, sending the encrypted security sensitive information to that domain, wherein the encrypted security sensitive information is not sent to the domain if the domain is not determined at the application level to be trusted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method recited in claim 1, wherein classifying the information at the application level further comprises evaluating the information to determine whether said information is user-specified as security sensitive.
  - 3. The method recited in claim 1, wherein classifying the information at the application level further comprises evaluating the information to determine whether said information is system-specified as security sensitive.
  - 4. The method recited in claim 1, wherein classifying the information at the application level further comprises evaluating the information to determine whether a default setting indicates the information is security sensitive.
  - 5. The method recited in claim 1, wherein classifying the information at the application level further comprises evaluating the information to determine whether a keyword indicates the information is security sensitive.
  - 6. The method recited in claim 1, wherein classifying the information at the application level further comprises applying a heuristic algorithm to the portion of information to determine whether the information is security sensitive.
  - 7. The method recited in claim 1, wherein classifying the information at the application level further comprises identifying the information as security sensitive information based on a message.
  - 8. The method recited in claim 1, wherein classifying the information at the application level further comprises identifying the information as security sensitive information based on a transaction.
  - 9. The method recited in claim 1, wherein determining that the security sensitive information is not to be sent over the secure transport layer comprises determining that the security sensitive information is not to be sent over a secure transport layer.
  - 10. The method recited in claim 1, wherein applying the policy to said information at the application level further comprises issuing a warning.
  - 11. The method recited in claim 1, wherein the method comprises aborting the sending of the encrypted security sensitive information after said sending is initiated.
  - 12. The method recited in claim 1, wherein the method comprises aborting the sending of the encrypted security sensitive information if it is determined that the security policy was not applied correctly.
  - 13. The method recited in claim 1, wherein the method comprises sending said encrypted security sensitive information to a particular intended recipient within said domain after the security policy has been applied.
  - 14. The method recited in claim 1, wherein applying the policy to the security sensitive information at the application level further comprises evaluating said information to determine whether an intended recipient of said information is associated with an untrusted domain.
  - 15. The method recited in claim 1, wherein applying the policy to the security sensitive information at the application level further comprises aborting sending said information if the intended recipient is associated with an untrusted domain.

16. A system, comprising:
- a memory storing executable instructions;
  
  a processor configured to execute the instructions to;
  
  classify information as security sensitive at an application level of an application, the security sensitive information being associated with a security sensitive category, wherein the security sensitive information is either user-specified as security sensitive or system-specified as security sensitive;
  
  in response to an attempt to send data over a network to a domain via the application, determining at the application level whether the data includes any information classified as security sensitive information;
  
  in response to determining that the data includes security sensitive information, determine at the application level a security policy for the security sensitive information;
  
  apply the security policy at the application level to the security sensitive information, wherein to apply the security policy the instructions are executable by the processor to;
  
  determine, at the application level, whether the security sensitive information is to be sent over a secure transport layer and whether the domain is trusted;
  
  in response to determining that the security sensitive information is not to be sent over the secure transport layer, encrypting the security sensitive information at the application level; and
  
  in response to determining at the application level that the domain is trusted, sending the encrypted security sensitive information to that domain, wherein the encrypted security sensitive information is not sent to the domain if the domain is not determined at the application level to be trusted.

17. A method, comprising:
- performing by one or more computers;
  
  classifying information as security sensitive at an application level of an application, the security sensitive information being associated with a security sensitive category, wherein the security sensitive information is either user-specified as security sensitive or system-specified as security sensitive;
  
  in response to an attempt to send data over a network to a domain via the application, determining at the application level whether the data includes any information classified as security sensitive information;
  
  in response to determining that the data includes security sensitive information, determining at the application level a security policy specifying public key encryption for the security sensitive information;
  
  applying the security policy at the application level to the security sensitive information, wherein applying the security policy comprises;
  
  determining, at the application level, whether the security sensitive information is to be sent over a secure transport layer and whether the domain is trusted;
  
  in response to determining that the security sensitive information is not to be sent over the secure transport layer, encrypting the security sensitive information at the application level according to the public key encryption specified by the security policy; and
  
  in response to determining at the application level that the domain is trusted, sending the encrypted security sensitive information to that domain, wherein the encrypted security sensitive information is not sent to the domain if the domain is not determined at the application level to be trusted.
- View Dependent Claims (18, 19)
- - 18. The method recited in claim 17, wherein said sending comprises sending said security sensitive information to a particular intended recipient within the domain after the security policy has been applied.
  - 19. The method recited in claim 17, further comprising aborting the sending of the security sensitive information to the intended recipient if it is determined that the security policy is not applied correctly.

20. A system, comprising:
- one or more computers, comprising;
  
  a classification module executable on said one or more computers, the classification module configured to classify information as security sensitive at an application level of an application, the security sensitive information being associated with a security sensitive category, and wherein the security sensitive information is either user-specified as security sensitive or system-specified as security sensitive;
  
  wherein the classification module is further configured to, in response to an attempt to send data over a network to a domain via the application, determining at the application level whether the data includes any information classified as security sensitive informationwherein the classification module is further configured to, in response to determining that the data includes security sensitive information, determining at the application level a security policy specifying public key encryption for the security sensitive information;
  
  a policy application module executable on said one or more computers, the policy application module configured to apply the security policy at the application level to the security sensitive information, wherein to apply the security policy the policy application module is further configured to;
  
  determine, at the application level, whether the security sensitive information is to be sent over a secure transport layer and whether the domain is trusted;
  
  in response to determining that the security sensitive information is not to be sent over the secure transport layer, encrypt the security sensitive information at the application level according to the public key encryption specified by the security policy; and
  
  an application interface module executable on said one or more computers to, in response to a determination at the application level that the domain is trusted, send said encrypted security sensitive information to that domain, wherein the encrypted security sensitive information is not sent to the domain if the domain is not determined at the application level to be trusted.

21. A non-transitory computer readable storage medium storing computer instructions that when executed by a computer implement:
- classifying information as security sensitive at an application level of an application, the security sensitive information being associated with a security sensitive category, wherein the security sensitive information is either user-specified as security sensitive or system-specified as security sensitive;
  
  in response to an attempt to send data over a network to a domain via the application, determining at the application level whether the data includes any information classified as security sensitive information;
  
  in response to determining that the data includes security sensitive information, determining at the application level a security policy for the security sensitive information;
  
  applying the security policy at the application level to the security sensitive information, wherein applying the security policy comprises;
  
  determining, at the application level, whether the security sensitive information is to be sent over a secure transport layer and whether the domain is trusted;
  
  in response to determining that the security sensitive information is not to be sent over the secure transport layer, encrypting the security sensitive information at the application level; and
  
  in response to determining at the application level that the domain is trusted, sending the encrypted security sensitive information to that domain, wherein the encrypted security sensitive information is not sent to the domain if the domain is not determined at the application level to be trusted.

22. A non-transitory computer readable storage medium storing computer instructions that when executed by a computer implement:
- classifying information as security sensitive at an application level of an application, the security sensitive information being associated with a security sensitive category, wherein the security sensitive information is either user-specified as security sensitive or system-specified as security sensitive;
  
  in response to an attempt to send data over a network to a domain via the application, determining at the application level whether the data includes any information classified as security sensitive information;
  
  in response to determining that the data includes security sensitive information, determining at the application level a security policy specifying public key encryption security sensitive information;
  
  applying the security policy at the application level to the security sensitive information wherein applying the security policy comprises;
  
  determining, at the application level, whether the security sensitive information is to be sent over a secure transport layer and whether the domain is trusted;
  
  in response to determining that the security sensitive information is not to be sent over the secure transport layer, encrypting the security sensitive information at the application level according to the public key encryption specified by the security policy; and
  
  in response to determining at the application level that the domain is trusted, sending the encrypted security sensitive information to that domain, wherein the encrypted security sensitive information is not sent to the domain if the domain is not determined at the application level to be trusted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Agrawal, Sunil, Hebbar, Vivek
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Branske, Hilary

Application Number

US11/365,030
Time in Patent Office

2,785 Days
Field of Search

713/151, 713/152, 713/166, 713/150, 713/153, 713/154, 713/164, 713/165, 713/167, 713/193, 726/11, 726/12, 726/14, 726/1, 726/22, 726/26, 726/13, 707/754, 707/755, 707/756, 707/757, 707/783, 707/786
US Class Current

726/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 63/04   for providing a confidentia...

H04L 63/105   Multiple levels of security

Classification of security sensitive information and application of customizable security policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Classification of security sensitive information and application of customizable security policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links