Enterprise level security system

US 8,607,325 B2
Filed: 02/18/2011
Issued: 12/10/2013
Est. Priority Date: 02/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a node in an enterprise network, at least one of a request to send a selected communication and/or content to a nonsubscriber and provide the nonsubscriber with access to the selected communication and/or content, the selected communication and/or content comprising sensitive information to an enterprise corresponding to the enterprise network;

determining, by the node, that the nonsubscriber is a member of a trusted group, the trusted group comprising, as members, at least one subscriber and at least one nonsubscriber and each member of the trusted group being trusted by the enterprise; and

in response to the nonsubscriber being a member of the trusted group, the node at least one of sending the selected communication and/or content and providing the nonsubscriber access to the selected communication and/or content, wherein the trusted group is no longer recognized after at least one of (a) occurrence of a predetermined event adversely impacting a degree of trust between the enterprise and nonsubscriber and (b) passage of a determined period of time, and wherein at least one of the following is true;

at least one of the subscriber and nonsubscriber is a member of multiple trusted groups recognized by the enterprise network and wherein at least two of the trusted groups have differing levels of authorization to access differing bodies of enterprise sensitive information; and

a policy measure is implemented, wherein the policy measure comprises at least one of;

preventing the subscriber from selecting, by dragging and dropping, selected content from the selected communication and/or content into a communication;

setting a hop restriction on the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient; and

tearing down a communication channel before transmission of the selected communication and/or content.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers. A node filters requests to send a selected communication and/or content and/or provide a nonsubscriber with access to the selected communication and/or content against plurality trusted groupings to determine if the nonsubscriber is a member of a trusted group. The nonsubscriber is provided with the selected communication and/or content when he or she is a trusted group member and restricted from receiving and/or accessing the at least a portion of the selected communication and/or content when he or she is not in a trusted group or is in a trusted group not privileged to receive the information. The nonsubscriber can be a member of multiple trusted groups, based on the nature of the relationship of the nonsubscriber with the enterprise.

Citations

17 Claims

1. A method, comprising:
- receiving, by a node in an enterprise network, at least one of a request to send a selected communication and/or content to a nonsubscriber and provide the nonsubscriber with access to the selected communication and/or content, the selected communication and/or content comprising sensitive information to an enterprise corresponding to the enterprise network;
  
  determining, by the node, that the nonsubscriber is a member of a trusted group, the trusted group comprising, as members, at least one subscriber and at least one nonsubscriber and each member of the trusted group being trusted by the enterprise; and
  
  in response to the nonsubscriber being a member of the trusted group, the node at least one of sending the selected communication and/or content and providing the nonsubscriber access to the selected communication and/or content, wherein the trusted group is no longer recognized after at least one of (a) occurrence of a predetermined event adversely impacting a degree of trust between the enterprise and nonsubscriber and (b) passage of a determined period of time, and wherein at least one of the following is true;
  
  at least one of the subscriber and nonsubscriber is a member of multiple trusted groups recognized by the enterprise network and wherein at least two of the trusted groups have differing levels of authorization to access differing bodies of enterprise sensitive information; and
  
  a policy measure is implemented, wherein the policy measure comprises at least one of;
  
  preventing the subscriber from selecting, by dragging and dropping, selected content from the selected communication and/or content into a communication;
  
  setting a hop restriction on the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient; and
  
  tearing down a communication channel before transmission of the selected communication and/or content.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein a computational component in the enterprise network forms trusted groups based on one or more of authoritative and/or trusted input from a firewall, authoritative and/or trusted input from a gateway, a virtual private network definition and/or configuration, an electronic directory for phone numbers, an electronic directory for email, an electronic enterprise directory, authoritative and/or trusted input from a back office application, an enterprise personnel record, an enterprise payroll system, a security credential from an internal and/or enterprise network source, an identity server, a white list, a black list, an access control list, and an administrative setting.
  - 3. The method of claim 1, wherein the trusted group corresponds to one or more of a business organization, a project team, a board, a panel, a task group, a business team, and a business group and wherein each member of the trusted group has a respective degree of trust rating defined by the enterprise and wherein at least two members of the trusted group have differing respective degree of trust ratings.
  - 4. The method of claim 1, wherein a selected member of the trusted group other than the subscriber and nonsubscriber is not privileged to receive and/or access at least a portion of the selected communication and/or content and further comprising:
    - restricting the selected member of the trusted group from receiving and/or accessing the at least a portion of the selected communication and/or content.
  - 5. The method of claim 1, further comprising:
    - analyzing, by a policy agent corresponding to a first node of the enterprise network and first subscriber, at least one of the selected communication and/or content to identify a behavioral instance potentially relevant to a policy and/or rule;
      
      notifying, by the policy agent, a policy enforcement server of the identified determined behavioral instance; and
      
      receiving, by the policy agent and from the policy enforcement server, the policy measure to be implemented; and
      
      implementing, by the policy agent, the received policy measure.
  - 6. The method of claim 5, wherein the policy measure to be implemented further comprises one or more of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,implementation of an action to remedy a prior policy or rule violation,block, delay, and/or buffer the one or more of the selected communication and/or content,mark or delete a portion of the one or more of the selected communication and/or content prior to access by one or more other parties,send a notice of policy and/or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by the one or more selected parties,provide read-only access to the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.
  - 7. A non-transitory computer readable medium comprising processor executable instructions to perform the steps of claim 1.

8. A system, comprising:
- a policy agent, in an enterprise network, operable to;
  
  receive at least one of a request to send a selected communication and/or content to a nonsubscriber and provide the nonsubscriber with access to the selected communication and/or content, the selected communication and/or content comprising sensitive information to an enterprise corresponding to the enterprise network;
  
  determine that the nonsubscriber is a member of a trusted group, the trusted group comprising, as members, at least one subscriber and at least one nonsubscriber and each member of the trusted group being trusted by the enterprise; and
  
  in response to the nonsubscriber being a member of the trusted group, at least one of send the selected communication and/or content and provide the nonsubscriber access to the selected communication and/or content and wherein the trusted group is no longer recognized after at least one of (a) occurrence of a predetermined event adversely impacting a degree of trust between the enterprise and nonsubscriber and (b) passage of a determined period of time, and wherein at least one of the following is true;
  
  at least one of the subscriber and nonsubscriber is a member of multiple trusted groups recognized by the enterprise network and wherein at least two of the trusted groups have differing levels of authorization to access differing bodies of enterprise sensitive information; and
  
  a policy measure that is received by the policy agent is implemented, wherein the policy measure comprises at least one of;
  
  preventing the subscriber from selecting, by dragging and dropping, selected content from the selected communication and/or content into a communication;
  
  setting a hop restriction on the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient; and
  
  tearing down a communication channel before transmission of the selected communication and/or content.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein a computational component in the enterprise network forms trusted groups based on one or more of authoritative and/or trusted input from a firewall, authoritative and/or trusted input from a gateway, a virtual private network definition and/or configuration, an electronic directory for phone numbers, an electronic directory for email, an electronic enterprise directory, authoritative and/or trusted input from a back office application, an enterprise personnel record, an enterprise payroll system, a security credential from an internal and/or enterprise network source, an identity server, a white list, a black list, an access control list, and an administrative setting.
  - 10. The system of claim 8, wherein each member of the trusted group has a respective degree of trust rating defined by the enterprise and wherein at least two members of the trusted group have differing respective degree of trust ratings and wherein the trusted group corresponds to one or more of a business organization, a project team, a board, a panel, a task group, a business team, and a business group.
  - 11. The system of claim 8, wherein a selected member of the trusted group other than the subscriber and nonsubscriber is not privileged to receive and/or access at least a portion of the selected communication and/or content and further comprising the operation:
    - restrict the selected member of the trusted group from receiving and/or accessing the at least a portion of the selected communication and/or content.
  - 12. The system of claim 8, wherein a security mechanism is at least one of deleted, disabled, and denied permission to execute in response to the at least one of occurrence of a predetermined event and passage of a determined period of time.
  - 13. The system of claim 8, further comprising a policy agent, in a node of the enterprise network, operable to:
    - analyze at least one of the selected communication and/or content to identify a behavioral instance potentially relevant to a policy and/or rule;
      
      notify a policy enforcement server of the identified determined behavioral instance; and
      
      receive, from the policy enforcement server, the policy measure to be implemented; and
      
      implement the received policy measure.
  - 14. The system of claim 13, wherein the policy measure to be implemented further comprises one or more of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,implementation of an action to remedy a prior policy or rule violation,block, delay, and/or buffer the one or more of the selected communication and/or content,mark or delete a portion of the one or more of the selected communication and/or content prior to access by one or more other parties,send a notice of policy and/or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by the one or more selected parties,provide read-only access to the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.

15. A method, comprising:
- determining, by at least one of a policy agent and policy enforcement server, that a selected stimulus has occurred, the stimulus being one or more of a passage of a selected time interval and an event relevant to a degree of trust between an enterprise and a nonsubscriber, the degree of trust controlling whether the nonsubscriber has access to a selected communication and/or content, the selected communication and/or content comprising sensitive information to an enterprise corresponding to the enterprise network; and
  
  in response to determining that the selected stimulus has occured, changing, by the at least one of the policy agent and the policy enforcement server, the degree of trust of such that the nonsubscriber at least one of (i) the nonsubscriber, as a result of the changed degree of trust, is authorized to access the selected communication and/or content and (ii) the nonsubscriber, as a result of the changed degree of trust, is not authorized to access the selected communication and/or content, and wherein at least one of the following is true;
  
  at least one of the subscriber and nonsubscriber is a member of multiple trusted groups recognized by the enterprise network and wherein at least two of the trusted groups have differing levels of authorization to access differing bodies of enterprise sensitive information; and
  
  a policy measure that is received by the policy agent is implemented, wherein the policy measure comprises at least one of;
  
  preventing the subscriber from selecting, by dragging and dropping, selected content from the selected communication and/or content into a communication;
  
  setting a hop restriction on the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient; and
  
  tearing down a communication channel before transmission of the selected communication and/or content.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, wherein the policy agent inspects a plurality of emails, instant messages, live voice communications, voice messages, electronic documents, and Web browsing sessions and wherein the policy agent generates a policy tag associated with the at least one of a selected communication and content, the policy tag comprising information relevant to a potential policy and/or rule violation.
  - 17. The node of claim 16, wherein the policy agent further implements the policy measure to address an actual or potential policy or rule violation and wherein the policy measure further comprises at least one of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,block, delay, and/or buffer the one or more of the selected communication and/or content,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by one or more selected parties,prevent a subscriber from selecting the one or more of the selected content into a communication,provide read-only access to the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different selected parties based on a respective degree of trust or privilege of each party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Kennedy, Kevin J.
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US13/030,561
Publication Number

US 20110209195A1
Time in Patent Office

1,026 Days
Field of Search

None
US Class Current

726/12
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

G06F 21/44   Program or device authentic...

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

G06Q 30/02   Marketing; Price estimation...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

Enterprise level security system

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Enterprise level security system

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links