Differential encryption utilizing trust modes

US 8,769,272 B2
Filed: 06/15/2012
Issued: 07/01/2014
Est. Priority Date: 04/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method for implementing data security comprising:

generating a plurality of trust modes, each trust mode associated with data stored at a security device and associated with a set of access requirements, wherein each data access requirement associated with a trust mode must be satisfied before the data associated with the trust mode can be accessed, wherein at least one access requirement associated with a trust mode comprises a requirement that a user possess one or more encryption keys used to encrypt data stored at the security device;

receiving, from a user device associated with a user, a request to access the data stored at the security device;

responsive to the request, determining whether the user device is communicatively coupled to the security device;

responsive to a determination that the user device is communicatively coupled to the security device, implementing a first trust mode associated with a first set of access requirements that must be satisfied by either the user or the user device before the request to access the data stored at the security device is granted;

responsive to a determination that the user device is not communicatively coupled to the security device, implementing a second trust mode associated with a second set of access requirements that must be satisfied by either the user or the user device before the request to access the data stored at the security device is granted, wherein the second set of access requirements is greater than the first set of access requirements;

for each data access requirement defined by the implemented trust mode, determining whether the user or the user device satisfies each of the set of data access requirements associated with the implemented trust mode; and

granting the user permission to access to the requested data via the user device responsive to a determination that the user or the user device satisfies each of the set of access requirements associated with the implemented trust mode.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for data protection across connected, disconnected, attended, and unattended environments. Embodiments of the inventions may include differential encryption based on network connectivity, attended/unattended status, or a combination thereof. Additional embodiments of the invention incorporate “trust windows” that provide granular and flexible data access as function of the parameters under which sensitive data is accessed. Further embodiments refine the trust windows concept by incorporating dynamic intrusion detection techniques.

65 Citations

View as Search Results

18 Claims

1. A method for implementing data security comprising:
- generating a plurality of trust modes, each trust mode associated with data stored at a security device and associated with a set of access requirements, wherein each data access requirement associated with a trust mode must be satisfied before the data associated with the trust mode can be accessed, wherein at least one access requirement associated with a trust mode comprises a requirement that a user possess one or more encryption keys used to encrypt data stored at the security device;
  
  receiving, from a user device associated with a user, a request to access the data stored at the security device;
  
  responsive to the request, determining whether the user device is communicatively coupled to the security device;
  
  responsive to a determination that the user device is communicatively coupled to the security device, implementing a first trust mode associated with a first set of access requirements that must be satisfied by either the user or the user device before the request to access the data stored at the security device is granted;
  
  responsive to a determination that the user device is not communicatively coupled to the security device, implementing a second trust mode associated with a second set of access requirements that must be satisfied by either the user or the user device before the request to access the data stored at the security device is granted, wherein the second set of access requirements is greater than the first set of access requirements;
  
  for each data access requirement defined by the implemented trust mode, determining whether the user or the user device satisfies each of the set of data access requirements associated with the implemented trust mode; and
  
  granting the user permission to access to the requested data via the user device responsive to a determination that the user or the user device satisfies each of the set of access requirements associated with the implemented trust mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the data stored at a security device comprises one of:
    - one or more files, one or more directories, one or more servers, and an entire file system at the security device.
  - 3. The method of claim 1, further comprising:
    - determining whether the user has one or more security violations associated with access to the security device;
      
      responsive to the user having one or more security violations associated with access to the security device, implementing a third trust mode associated with a third set of data access requirements; and
      
      responsive to the user not having one or more security violations associated with access to the security device, implementing a fourth trust mode associated with a fourth set of data access requirements, wherein the fourth set of data access requirements is greater than the third set of data access requirements.
  - 4. The method of claim 1, further comprising implementing a trust mode based on the identity of the user.
  - 5. The method of claim 1, wherein at least one access requirement associated with a trust mode comprises a requirement that a user use one or more encryption keys to encrypt accessed data for subsequent storage at the security device.
  - 6. The method of claim 1, wherein at least one access requirement associated with a trust mode comprises a limitation on a maximum volume of data that can accessed by a user, and wherein implementing the trust mode comprises limiting the volume of the data accessed by a user to the defined maximum volume.
  - 7. The method of claim 1, wherein at least one access requirement associated with a trust mode comprises a limitation on a maximum data access rate for a user, and wherein implementing the trust mode comprises limiting a user'"'"'s data access rate to the defined maximum data access rate.
  - 8. The method of claim 1, wherein each of a plurality of subsets of the data stored at the security device are marked to identify one or more trust modes that must be implemented with respect to the subset of data before the subset of data can be accessed.
  - 9. The method of claim 8, wherein the subsets of data are marked using one of:
    - file attribute flags, naming convections, or a list or database listing marked subsets of data.
  - 10. The method of claim 1, further comprising:
    - marking one or more subsets of the data stored at the security device determined to be sensitive; and
      
      responsive to an attempt to access a marked subset of the data, automatically performing an intrusion detection to determined if an attempted intrusion is taking place.

11. A non-transitory computer-readable storage medium having executable computer program instructions embodied therein for implementing data security, the computer program instructions configured to, when executed, cause a computer to:
- generate a plurality of trust modes, each trust mode associated with data stored at a security device and associated with a set of access requirements, wherein each data access requirement associated with a trust mode must be satisfied before the data associated with the trust mode can be accessed, wherein at least one access requirement associated with a trust mode comprises a requirement that a user possess one or more encryption keys used to encrypt data stored at the security device;
  
  receive, from a user device associated with a user, a request to access the data stored at the security device;
  
  responsive to the request, determine whether the user device is communicatively coupled to the security device;
  
  responsive to a determination that the user device is communicatively coupled to the security device, implement a first trust mode associated with a first set of access requirements that must be satisfied by either the user or the user device before the request to access the data stored at the security device is granted;
  
  responsive to a determination that the user device is not communicatively coupled to the security device, implement a second trust mode associated with a second set of access requirements that must be satisfied by either the user or the user device before the request to access the data stored at the security device is granted, wherein the second set of access requirements is greater than the first set of access requirements;
  
  for each data access requirement defined by the implemented trust mode, determine whether the user or the user device satisfies each of the set of data access requirements associated with the implemented trust mode; and
  
  grant the user permission to access to the requested data via the user device responsive to a determination that the user or the user device satisfies each of the set of access requirements associated with the implemented trust mode.
- View Dependent Claims (12, 13, 14)
- - 12. The non-transitory computer-readable storage medium of claim 11, wherein each of a plurality of subsets of the data stored at the security device are marked to identify one or more trust modes that must be implemented with respect to the subset of data before the subset data can be accessed.
  - 13. The non-transitory computer-readable storage medium of claim 12, wherein the subsets of data are marked using one of:
    - file attribute flags, naming convections, or a list or database listing marked subsets of data.
  - 14. The non-transitory computer-readable storage medium of claim 11, wherein the computer program instructions, when executed, further cause the computer to:
    - mark one or more subsets of the data stored at the security device determined to be sensitive; and
      
      responsive to an attempt to access a marked subset of the data, automatically perform an intrusion detection to determined if an attempted intrusion is taking place.

15. A computer system for implementing data security, the system comprising:
- a computer processor; and
  
  a non-transitory computer-readable storage medium storing executable computer program instructions configured to, when executed by the processor, cause the computer system to;
  
  generate a plurality of trust modes, each trust mode associated with data stored at a security device and associated with a set of access requirements, wherein each data access requirement associated with a trust mode must be satisfied before the data associated with the trust mode can be accessed, wherein at least one access requirement associated with a trust mode comprises a requirement that a user possess one or more encryption keys used to encrypt data stored at the security device;
  
  receive, from a user device associated with a user, a request to access the data stored at the security device;
  
  responsive to the request, determine whether the user device is communicatively coupled to the security device;
  
  responsive to a determination that the user device is communicatively coupled to the security device, implement a first trust mode associated with a first set of access requirements that must be satisfied by either the user or the user device before the request to access the data stored at the security device is granted;
  
  responsive to a determination that the user device is not communicatively coupled to the security device, implement a second trust mode associated with a second set of access requirements that must be satisfied by either the user or the user device before the request to access the data stored at the security device is granted, wherein the second set of access requirements is greater than the first set of access requirements;
  
  for each data access requirement defined by the implemented trust mode whether the user or the user device satisfies each of the set of data access requirements associated with the implemented trust mode; and
  
  grant the user permission to access to the requested data via the user device responsive to a determination that the user or the user device satisfies each of the set of access requirements associated with the implemented trust mode.
- View Dependent Claims (16, 17, 18)
- - 16. The computer system of claim 15, wherein each of a plurality of subsets of the data stored at the security device are marked to identify one or more trust modes that must be implemented with respect to the subset of data before the subset data can be accessed.
  - 17. The computer system of claim 16, wherein the subsets of data are marked using one of:
    - file attribute flags, naming convections, or a list or database listing marked subsets of data.
  - 18. The computer system of claim 15, wherein the computer program instructions, when executed, further cause the computer system to:
    - mark one or more subsets of the data stored at the security device determined to be sensitive; and
      
      responsive to an attempt to access a marked subset of the data, automatically perform an intrusion detection to determined if an attempted intrusion is taking place.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Mattsson, Ulf
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
JHAVERI, JAYESH M

Application Number

US13/524,874
Publication Number

US 20120266218A1
Time in Patent Office

746 Days
Field of Search

713165-167, 726 26- 30
US Class Current

713/165
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3829   involving key management

G06Q 20/4012   Verifying personal identifi...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 9/00   Cryptographic mechanisms or...

H04L 9/32   including means for verifyi...

Differential encryption utilizing trust modes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Differential encryption utilizing trust modes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links