System and method for dynamically enforcing security policies on electronic files
First Claim
1. A system for automatically enforcing security policies on an electronic file regardless of its physical or electronic location for an organization, comprising:
a plurality of files, each file containing a data object and a policy for enforcing rules on one or more operations on the data object, whereby a plurality of policies are provided, wherein said policy is attached to each of said files;
a plurality of agents responsible for enforcing the policies and for independently determining whether an enforcement action is necessary according to the policy attached to each of said files, each agent being installed on a computational device and featuring at least one application component;
a policy builder console being responsible for generating the said policies; and
a policy distribution server for distributing the policies to the files;
wherein the policy builder console is operable to change one of the policies after it has been applied to one of the files, the policy distribution server is operable to distribute the changed policy to said one of the files, and the agents are operable to apply said changed policy to said one of the files in place of the policy previously applied to said one of the files, thereby providing dynamic policies;
further comprising a secure data wrapper (SDW) for securing said file, wherein said SDW comprises said policy and wherein said SDW prevents an unauthorized operation on said file; and
a key management server for distributing encryption/decryption keys to said agent;
wherein said encryption keys are used to encrypt and decrypt said SDW and said policy by said agent;
wherein said policy comprises limiting the access and usage based on one or more system attributes, wherein the said policy limits the access and usage of the file based on an environment in which said particular file is located, wherein said environment is determined according to a physical and/or electronic boundary of the organization.
Abstract
A system and method for dynamically enforcing security policies on electronic files when the file is used. The system and method preferably delegate to the file the ability to protect itself. The file automatically identifies its confidential information and applies them when needed.
16 Claims
12. A method for automatically enforcing a security policy on an electronic file regardless of its physical or electronic location for an organization, the file comprising a data object, the policy enforcing rules on one or more operations on the data object, the method comprising:
providing a plurality of agents, each agent being installed on a computational device, each agent featuring at least one application component, each agent being responsible for enforcing said policy and for independently determining whether an enforcement action is necessary;
generating a plurality of different policies for different files by a policy builder, wherein at least one policy is a default policy for maintaining at least a baseline type of policy implementation for an organization and wherein at least one policy is a non-default policy;
if available, automatically assigning said non-default policy to the file, without the awareness and the intervention of user, by wrapping the file in a secure data wrapper (SDW) and attaching said non-default policy to the file through said SDW, wherein said wrapping the file in said SDW comprises encrypting said SDW and said non-default policy;
otherwise applying said default policy to the file, by wrapping the file in said SDW and attaching said default policy to the file through said SDW, wherein said wrapping the file in said SDW comprises encrypting said SDW and said default policy;
changing said non-default policy or said default policy to form a changed non-default policy or a changed default policy;
applying said changed non-default policy or said changed default policy to the file by said agent in place of the policy previously applied to the file, thereby providing dynamic policies;
decrypting said non-default policy or said default policy with said encryption keys;
determining whether an operation on the data object is permitted according to said policy, wherein said policy limits the access and usage based on one or more system attributes, wherein said policy limits the access and usage of the file based on an environment in which said particular file is located, wherein said environment is determined according to a physical and/or electronic boundary of the organization; and
if an operation on the data object is permitted according to said policy, decrypting said SDW with said decryption keys.
16. A system for automatically enforcing security policies on an electronic file regardless of its physical or electronic location for an organization, comprising:
a plurality of files, each file containing a data object and a policy for enforcing rules on one or more operations on the data object, whereby a plurality of policies are provided;
a plurality of agents responsible for enforcing the policies and for independently determining whether an enforcement action is necessary according to the policy attached to each of said files, each agent being installed on a computational device and featuring at least one application component;
a policy builder console being responsible for generating the said policies; and
a policy distribution server for distributing the policies to the files;
wherein the policy builder console is operable to change one of the policies after it has been applied to one of the files, the policy distribution server is operable to distribute the changed policy to said one of the files, and the agents are operable to apply said changed policy to said one of the files in place of the policy previously applied to said one of the files, thereby providing dynamic policies;
further comprising a key management server for distributing encryption/decryption keys to said agent; and
a secure data wrapper (SDW) for securing said file, wherein said SDW comprises said policy and said file;
wherein said plurality of agents are responsible for enforcing said policy and for independently determining whether an enforcement action is necessary according to said policy included in said SDW, and wherein said encryption keys are used to encrypt and decrypt said SDW and said policy by said agent;
wherein said policy comprises limiting the access and usage based on one or more system attributes, wherein the said policy limits the access and usage of the file based on an environment in which said particular file is located, wherein said environment is determined according to a physical and/or electronic boundary of the organization.
Specification