System and method for dynamically enforcing security policies on electronic files

US 8,769,605 B2
Filed: 03/27/2009
Issued: 07/01/2014
Est. Priority Date: 03/27/2008
Status: Active Grant

First Claim

Patent Images

1. A system for automatically enforcing security policies on an electronic file regardless of its physical or electronic location for an organization, comprising:

a plurality of files, each file containing a data object and a policy for enforcing rules on one or more operations on the data object, whereby a plurality of policies are provided, wherein said policy is attached to each of said files;

a plurality of agents responsible for enforcing the policies and for independently determining whether an enforcement action is necessary according to the policy attached to each of said files, each agent being installed on a computational device and featuring at least one application component;

a policy builder console being responsible for generating the said policies; and

a policy distribution server for distributing the policies to the files;

wherein the policy builder console is operable to change one of the policies after it has been applied to one of the files, the policy distribution server is operable to distribute the changed policy to said one of the files, and the agents are operable to apply said changed policy to said one of the files in place of the policy previously applied to said one of the files, thereby providing dynamic policies;

further comprising a secure data wrapper (SDW) for securing said file, wherein said SDW comprises said policy and wherein said SDW prevents an unauthorized operation on said file; and

a key management server for distributing encryption/decryption keys to said agent;

wherein said encryption keys are used to encrypt and decrypt said SDW and said policy by said agent;

wherein said policy comprises limiting the access and usage based on one or more system attributes, wherein the said policy limits the access and usage of the file based on an environment in which said particular file is located, wherein said environment is determined according to a physical and/or electronic boundary of the organization.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method dynamically enforcing security policies on electronic files when the file is used. The system and method preferably delegates the file the ability to protect itself. The file automatically identifies its confidential information and applies them when needed.

109 Citations

View as Search Results

16 Claims

1. A system for automatically enforcing security policies on an electronic file regardless of its physical or electronic location for an organization, comprising:
- a plurality of files, each file containing a data object and a policy for enforcing rules on one or more operations on the data object, whereby a plurality of policies are provided, wherein said policy is attached to each of said files;
  
  a plurality of agents responsible for enforcing the policies and for independently determining whether an enforcement action is necessary according to the policy attached to each of said files, each agent being installed on a computational device and featuring at least one application component;
  
  a policy builder console being responsible for generating the said policies; and
  
  a policy distribution server for distributing the policies to the files;
  
  wherein the policy builder console is operable to change one of the policies after it has been applied to one of the files, the policy distribution server is operable to distribute the changed policy to said one of the files, and the agents are operable to apply said changed policy to said one of the files in place of the policy previously applied to said one of the files, thereby providing dynamic policies;
  
  further comprising a secure data wrapper (SDW) for securing said file, wherein said SDW comprises said policy and wherein said SDW prevents an unauthorized operation on said file; and
  
  a key management server for distributing encryption/decryption keys to said agent;
  
  wherein said encryption keys are used to encrypt and decrypt said SDW and said policy by said agent;
  
  wherein said policy comprises limiting the access and usage based on one or more system attributes, wherein the said policy limits the access and usage of the file based on an environment in which said particular file is located, wherein said environment is determined according to a physical and/or electronic boundary of the organization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14)
- - 2. The system of claim 1, wherein each agent monitors operations performed on each file, the system further comprising:
    - a logging and auditing server for collecting data from all the said agents into a repository.
  - 3. The system of claim 2, wherein data regarding said operations performed on each file is reported by said logging and auditing server.
  - 4. The system of claim 3, wherein an overall level of risk is determined for said operations.
  - 5. The system of claim 1, further comprising:
    - a classification server for classifying the content of files.
  - 6. The system of claim 1, wherein at least one file is inaccessible by said computational device if said agent is not present on said computational device.
  - 7. The system of claim 1 wherein said policy determines a number of times that a particular file can be accessed.
  - 8. The system of claim 7 wherein said policy comprises managing a concurrent license for said particular file.
  - 9. The system of claim 8 wherein said policy comprises customization to reflect the special requirements of the organization to which said particular file belongs.
  - 10. The system of claim 9 wherein said policy comprises multifactor authentication within said particular file.
  - 11. The system of claim 1 wherein said policy can automatically remove protection of a file of said plurality of files after a predefined period.
  - 14. The system of claim 1, wherein for a particular file, said agent requests a changed policy from said policy distribution server upon an occurrence of one or more of a change in time, a change in file environment or a change in an external condition to said file, and wherein said agent determines said occurrence of said one or more changes according to said policy of said file.

12. A method for automatically enforcing a security policy on an electronic file regardless of its physical or electronic location for an organization, the file comprising a data object, the policy enforcing rules on one or more operations on the data object, the method comprising:
- providing a plurality of agents, each agent being installed on a computational device, each agent featuring at least one application component, each agent being responsible for enforcing said policy and for independently determining whether an enforcement action is necessary;
  
  generating a plurality of different policies for different files by a policy builder, wherein at least one policy is a default policy for maintaining at least a baseline type of policy implementation for an organization and wherein at least one policy is a non-default policy;
  
  if available, automatically assigning said non-default policy to the file, without the awareness and the intervention of user, by wrapping the file in a secure data wrapper (SDW) and attaching said non-default policy to the file through said SDW, wherein said wrapping the file in said SDW comprises encrypting said SDW and said non-default policy;
  
  otherwise applying said default policy to the file, by wrapping the file in said SDW and attaching said default policy to the file through said SDW, wherein said wrapping the file in said SDW comprises encrypting said SDW and said default policy;
  
  changing said non-default policy or said default policy to form a changed non-default policy or a changed default policy;
  
  applying said changed non-default policy or said changed default policy to the file by said agent in place of the policy previously applied to the file, thereby providing dynamic policies;
  
  decrypting said non-default policy or said default policy with said encryption keys;
  
  determining whether an operation on the data object is permitted according to said policy, wherein said policy limits the access and usage based on one or more system attributes, wherein said policy limits the access and usage of the file based on an environment in which said particular file is located, wherein said environment is determined according to a physical and/or electronic boundary of the organization; and
  
  if an operation on the data object is permitted according to said policy, decrypting said SDW with said decryption keys.
- View Dependent Claims (13, 15)
- - 13. The method of claim 12, wherein said non-default policy is selected for a file according to one or more of content analysis, file attribute, group classification, status parameter, access control, location control, email recipient/sender, application file creator or user.
  - 15. The method of claim 12, wherein said operation comprises a user operation, wherein decrypting said SDW is performed only if said policy grants permission for said user operation, further comprising performing said user operation on said file.

16. A system for automatically enforcing security policies on an electronic file regardless of its physical or electronic location for an organization, comprising:
- a plurality of files, each file containing a data object and a policy for enforcing rules on one or more operations on the data object, whereby a plurality of policies are provided;
  
  a plurality of agents responsible for enforcing the policies and for independently determining whether an enforcement action is necessary according to the policy attached to each of said files, each agent being installed on a computational device and featuring at least one application component;
  
  a policy builder console being responsible for generating the said policies; and
  
  a policy distribution server for distributing the policies to the files;
  
  wherein the policy builder console is operable to change one of the policies after it has been applied to one of the files, the policy distribution server is operable to distribute the changed policy to said one of the files, and the agents are operable to apply said changed policy to said one of the files in place of the policy previously applied to said one of the files, thereby providing dynamic policies;
  
  further comprising a key management server for distributing encryption/decryption keys to said agent; and
  
  a secure data wrapper (SDW) for securing said file, wherein said SDW comprises said policy and said file;
  
  wherein said plurality of agents are responsible for enforcing said policy and for independently determining whether an enforcement action is necessary according to said policy included in said SDW, and wherein said encryption keys are used to encrypt and decrypt said SDW and said policy by said agent;
  
  wherein said policy comprises limiting the access and usage based on one or more system attributes, wherein the said policy limits the access and usage of the file based on an environment in which said particular file is located, wherein said environment is determined according to a physical and/or electronic boundary of the organization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Covertix Ltd.
Inventors
Kaufmann, Tzach, Samia, Alon
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US12/412,399
Publication Number

US 20090300712A1
Time in Patent Office

1,922 Days
Field of Search

726/1, 726/4, 726/17, 726/27, 726/30
US Class Current

726/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/335   for accessing specific reso...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2111   Location-sensitive, e.g. ge...

System and method for dynamically enforcing security policies on electronic files

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamically enforcing security policies on electronic files

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links