Method and system for protecting content of sensitive web applications

US 8,950,005 B1
Filed: 11/04/2011
Issued: 02/03/2015
Est. Priority Date: 11/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, by a client computing device running a local application, that the local application has accessed a web application hosted by a remote server and received data from the web application, wherein the detecting comprises intercepting universal resource identifiers (URIs) or universal resource locators (URLs) used by the local application to detect that the local application has accessed the web application;

determining, by the client computing device, whether the web application is a sensitive web application identified by a data loss prevention (DLP) policy, wherein the sensitive web application has access to sensitive information identified by and protected by the DLP policy, wherein the DLP policy comprises a set of identifiers of a set of web applications to protect and a set of one or more operations to restrict for the set of web applications, wherein the determining comprises;

comparing the URIs or URLs against the set of identifiers specified in the DLP policy; and

identifying the web application as a sensitive web application when the respective URI or URL matches one of the set of identifiers specified in the DLP policy; and

in response to determining that the web application is a sensitive web application identified by the DLP policy, restricting a capability of at least one of the local application or the client computing device to perform the set of one or more operations on the data received from the web application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A web page running on a client computing device accesses a web application hosted by a remote server. The local application receives data from the web application. The client computing device uses a data loss prevention (DLP) policy to determine whether the web application is a sensitive web application. In response to determining that the web application is a sensitive web application, the client computing device restricts a capability of at least one of the local application or the client computing device to perform one or more operations associated with the data received from the web application.

34 Citations

View as Search Results

18 Claims

1. A method comprising:
- detecting, by a client computing device running a local application, that the local application has accessed a web application hosted by a remote server and received data from the web application, wherein the detecting comprises intercepting universal resource identifiers (URIs) or universal resource locators (URLs) used by the local application to detect that the local application has accessed the web application;
  
  determining, by the client computing device, whether the web application is a sensitive web application identified by a data loss prevention (DLP) policy, wherein the sensitive web application has access to sensitive information identified by and protected by the DLP policy, wherein the DLP policy comprises a set of identifiers of a set of web applications to protect and a set of one or more operations to restrict for the set of web applications, wherein the determining comprises;
  
  comparing the URIs or URLs against the set of identifiers specified in the DLP policy; and
  
  identifying the web application as a sensitive web application when the respective URI or URL matches one of the set of identifiers specified in the DLP policy; and
  
  in response to determining that the web application is a sensitive web application identified by the DLP policy, restricting a capability of at least one of the local application or the client computing device to perform the set of one or more operations on the data received from the web application.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the set of one or more operations comprise at least one of a copy to clipboard operation, a print operation, a print screen operation, a save web page operation or a save image operation.
  - 3. The method of claim 1, wherein the local application is a web browser and the received data comprises at least one of a plurality of cache files or a cookie associated with the web application, the method further comprising:
    - restricting access to a temporary location that includes at least one of the plurality of cache files or the cookie while the web application is being accessed; and
      
      deleting at least one of the plurality of cache files or the cookie associated with the web application after the local application terminates access to the web application.
  - 4. The method of claim 1, further comprising:
    - marking the received data as sensitive data;
      
      launching an additional local application on the client computing device;
      
      loading the received data using the additional local application; and
      
      restricting a capability of the additional local application to perform the set of one or more operations.
  - 5. The method of claim 1, wherein determining whether the web application is the sensitive application further comprises determining whether the web application has a domain name, an internet protocol address or a universal resource locator that is identified in the set of identifiers of the DLP policy.
  - 6. The method of claim 1, wherein determining whether the web application is the sensitive application further comprises:
    - identifying a network address of the web application; and
      
      determining whether the network address satisfies a string matching rule included in the DLP policy.

7. An endpoint device comprising:
- a memory to store instructions for a data loss prevention (DLP) policy; and
  
  a processing device coupled with the memory, wherein the processing device is configured to;
  
  access a web application, hosted by a remote server, using a local application that uses a universal resource identifier (URI) or universal resource locator (URL) to access the web application;
  
  receive data from the web application using the local application;
  
  determine whether the web application is a sensitive web application identified by the DLP policy, wherein the sensitive web application has access to sensitive information identified by and protected by the DLP policy, wherein the DLP policy comprises a set of identifiers of a set of web applications to protect and a set of one or more operations to restrict for the set of web applications, wherein the processing device is further configured to;
  
  compare the URI or URL against the set of identifiers specified in the DLP policy; and
  
  identify the web application as a sensitive web application when the URI or URL matches one of the set of identifiers specified in the DLP policy; and
  
  in response to determining that the web application is a sensitive web application identified by the DLP policy, restrict a capability of at least one of the local application or the endpoint device to perform the set of one or more operations on the data received from the web application.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The endpoint device of claim 7, wherein the set of one or more operations comprise at least one of a copy to clipboard operation, a print operation, a print screen operation, a save web page operation or a save image operation.
  - 9. The endpoint device of claim 7, wherein the local application is a web browser and the received data comprises at least one of a plurality of cache files or a cookie associated with the web application, and wherein the processing device is further configured to:
    - restrict access to a temporary location that includes at least one of the plurality of cache files or the cookie while the web application is being accessed; and
      
      delete at least one of the plurality of cache files or the cookie associated with the web application after the local application terminates access to the web application.
  - 10. The endpoint device of claim 7, wherein the processing device is further configured to:
    - mark the received data as sensitive data;
      
      launch an additional local application on the client computing device;
      
      load the received data using the additional local application; and
      
      restrict a capability of the additional local application to perform the set of one or more operations.
  - 11. The endpoint device of claim 7, wherein determining whether the web application is the sensitive application further comprises determining whether the web application has a domain name, an internet protocol address or a universal resource locator that is identified in the set of identifiers of the DLP policy.
  - 12. The endpoint device of claim 7, wherein determining whether the web application is the sensitive application further comprises:
    - identifying a network address of the web application; and
      
      determining whether the network address satisfies a string matching rule included in the DLP policy.

13. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
- detecting, by a client computing device running a local application, that the local application has accessed a web application hosted by a remote server and received data from the web application, wherein the detecting comprises intercepting universal resource identifiers (URIs) or universal resource locators (URLs) used by the local application to detect that the local application has accessed the web application;
  
  determining, by the client computing device, whether the web application is a sensitive web application identified by a data loss prevention (DLP) policy, wherein the sensitive web application has access to sensitive information identified by and protected by the DLP wherein the DLP policy comprises a set of identifiers of a set of web applications to protect and a set of one or more operations to restrict for the set of web applications, wherein the determining comprises;
  
  comparing the URIs or URLs against the set of identifiers specified in the DLP policy; and
  
  identifying the web application as a sensitive web application when the respective URI or URL matches one of the set of identifiers specified in the DLP policy; and
  
  in response to determining that the web application is a sensitive web application identified by the DLP policy, restricting a capability of at least one of the local application or the client computing device to perform the set of one or more operations on the data received from the web application.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein the set of one or more operations comprise at least one of a copy to clipboard operation, a print operation, a print screen operation, a save web page operation or a save image operation.
  - 15. The non-transitory computer readable storage medium of claim 13, wherein the local application is a web browser and the received data comprises at least one of a plurality of cache files or a cookie associated with the web application, the operations further comprising:
    - restricting access to a temporary location that includes at least one of the plurality of cache files or the cookie while the web application is being accessed; and
      
      deleting at least one of the plurality of cache files or the cookie associated with the web application after the local application terminates access to the web application.
  - 16. The non-transitory computer readable storage medium of claim 13, the operations further comprising:
    - marking the received data as sensitive data;
      
      launching an additional local application on the client computing device;
      
      loading the received data using the additional local application; and
      
      restricting a capability of the additional local application to perform the set of one or more operations.
  - 17. The non-transitory computer readable storage medium of claim 13, wherein determining whether the web application is the sensitive application further comprises determining whether the web application has a domain name, an internet protocol address or a universal resource locator that is identified in the set of identifiers of the DLP policy.
  - 18. The non-transitory computer readable storage medium of claim 13, and wherein determining whether the web application is the sensitive application further comprises:
    - identifying a network address of the web application; and
      
      determining whether the network address satisfies a string matching rule included in the DLP policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Torney, Milind
Primary Examiner(s)
Davis, Zachary A

Application Number

US13/289,998
Time in Patent Office

1,187 Days
Field of Search

726/1, 726/26, 726/27, 726/29, 726/30, 713/189, 713/193, 709/229
US Class Current

726/29
CPC Class Codes

G06F 21/629   to features or functions of...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Method and system for protecting content of sensitive web applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protecting content of sensitive web applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links