Method of detecting data loss using multiple references to a file in a deduplication backup system

US 9,116,848 B1
Filed: 07/15/2009
Issued: 08/25/2015
Est. Priority Date: 07/15/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a processing device, a plurality of references associated with a file from a deduplication backup system storing a backup copy of the file, the plurality of references indicating location information of a plurality of instances of the file that are stored at different locations on a network;

determining, in view of the plurality of references, whether at least one instance of the plurality of instances of the file is stored outside a storage domain specified by a policy; and

detecting a violation of the policy if the plurality of references indicate that the at least one instance of the plurality of instances of the file is stored outside of the specified storage domain.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for improving data loss prevention (DLP) using multiple references to a file in a deduplication backup system is described. In one embodiment, a deduplication backup system generates multiple references to a file. A detection system, operating in the deduplication system or in a data loss prevention (DLP) system coupled to the deduplication system, detects the multiple references, generated by the deduplication system, determines whether the file of at least one of the multiple references is stored outside a domain as specified by a DLP policy, and detects a violation of the DLP policy when the file is stored at a location outside of the specified domain.

Citations

19 Claims

1. A computer-implemented method, comprising:
- receiving, by a processing device, a plurality of references associated with a file from a deduplication backup system storing a backup copy of the file, the plurality of references indicating location information of a plurality of instances of the file that are stored at different locations on a network;
  
  determining, in view of the plurality of references, whether at least one instance of the plurality of instances of the file is stored outside a storage domain specified by a policy; and
  
  detecting a violation of the policy if the plurality of references indicate that the at least one instance of the plurality of instances of the file is stored outside of the specified storage domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said detecting the violation of the policy comprises creating a report of the violation, wherein the report identifies, for each detected incident, at least a location of an instance of the plurality of instances of the file that caused the policy violation.
  - 3. The method of claim 1, further comprising:
    - calculating a file fingerprint for each of a plurality of files scanned during the backup operation performed by the deduplication backup system;
      
      using the file fingerprints, determining whether each of the plurality of files is unique;
      
      storing a unique copy of each of the plurality of files, each indexed according to the corresponding file fingerprint;
      
      generating a reference for each instance of each file of the plurality of files, wherein the reference comprises a pointer to the unique copy in the deduplication backup system and a location of the stored instance of the scanned file; and
      
      determining that the file has more than one reference to the corresponding unique copy.
  - 4. The method of claim 1, wherein determining whether at least one instance of the plurality of instances of the file is stored outside the storage domain comprises:
    - defining the policy to identify the specified domain; and
      
      for each of the plurality of references to the file,determining a domain in which an instance of the file is stored, andcomparing the domain in which the instance of the file is stored against the specified domain, wherein detecting the violation of the policy comprises detecting the violation when the domains do not match, and indicating that the instance of the file is stored outside the specified domain.
  - 5. The method of claim 1, further comprising determining whether the file for which the violation is detected comprises sensitive data.
  - 6. The method of claim 5, wherein the sensitive data comprises at least one of personal information pertaining to employees of an organization, personal information pertaining to customers of the organization, information pertaining to business processes of the organization, and information pertaining to intellectual property of the organization.
  - 7. The method of claim 5, wherein determining whether the file comprises sensitive data comprises comparing objects of the file against DLP fingerprints of protected data that are protected by a DLP policy.
  - 8. The method of claim 5, further comprising tagging the file as having sensitive data when the file comprises sensitive data, and wherein detecting the violation of the policy further comprises:
    - if the file is tagged, creating a report of the violation, wherein the report identifies, for each detected incident, at least a location of the instance of the file that caused the policy violation; and
      
      if the file is not tagged, ignoring the violation.
  - 9. The method of claim 3, further comprising:
    - updating a reference count for each reference generated for the each of the plurality of files; and
      
      determining which of the plurality of files have the reference count greater than one;
      
      for each of the files having the reference count greater than one,determining domains in which instances of the particular file are stored, andcomparing the domains in which the instance of the particular file is stored against the specified domain, wherein detecting the violation of the policy comprises detecting one or more violations when the domains do not match, indicating that the one or more of the plurality of instances of the file are stored outside the specified domain.

10. A computing system, comprising:
- a deduplication backup system comprising one or more computing devices coupled to an organization network having one or more electronic devices storing a plurality of files, the deduplication backup system to;
  
  perform a backup operation to scan a file of the plurality of files stored within the organization network, wherein the backup operation stores a backup copy of a the file in a deduplication data store, andgenerate a plurality of references associated with the file indicating location information of a plurality of instances of the file that are stored at different locations on the network; and
  
  a detection system comprising one or more computing devices coupled to the deduplication backup system, the detection system to;
  
  receive, from the deduplication backup system, the plurality of references associated with the file,determine, in view of the plurality of references, whether at least one instance of the plurality of instances of the file is stored outside a storage domain specified by a policy, anddetect a violation of the policy if the plurality of references indicate that at least one instance of the plurality of instances of the file is stored outside of the specified storage domain.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the detection system is further configured to:
    - update a reference count for each reference generated for the file;
      
      determine if the reference count is greater than one; and
      
      if the reference count greater than one, determine when the file is stored in a domain outside of the storage domain specified by the policy to detect the violation of the policy.
  - 12. The system of claim 10, wherein the deduplication system is a hosted deduplication backup system coupled to a plurality of organization networks via a private or public network, wherein the hosted deduplication system is to perform the backup operation on each of the plurality of organization networks to scan files stored within each of the plurality of organization networks, wherein the detection system resides in the hosted deduplication backup system to determine which of the scanned files have a reference count greater than one, and for each of the scanned files having the reference count greater than one, determining whether domains, in which instances of the particular file are stored, match the storage domain as specified by the policy.
  - 13. The system of claim 12, wherein the detection system receives the scanned files that violate the policy for being stored outside the specified storage domain and determines whether the scanned files comprises sensitive data.
  - 14. The system of claim 10, wherein the specified storage domain is defined by the policy as being at least one of the following:
    - at least a portion of a domain name of one of the plurality of organization networks;
      
      at least a portion of a domain name of a network of one or more devices within one of the plurality of organization networks;
      
      a hostname of one or more devices within one of the plurality of organization networks; and
      
      one or more network addresses of one of the plurality of organization networks.
  - 15. The system of claim 13, wherein the sensitive data comprises at least one of personal information pertaining to employees of an organization, personal information pertaining to customers of the organization, information pertaining to business processes of the organization, and information pertaining to intellectual property of the organization.

16. A non-transitory computer readable storage medium that provides instructions, which when executed on a processing device, cause the processing device to perform a method comprising:
- receiving, by the processing device, a plurality of references associated with a file from a deduplication backup system storing a backup copy of a file, the plurality of references indicating location information of a plurality of instances of the file that are stored at different locations on a network;
  
  determining, in view of the plurality of references, whether at least one instance of the plurality of instances of the file is stored outside a storage domain specified by a policy; and
  
  detecting the violation of the policy if the plurality of references indicate that at least one instance of the plurality of instances of the file is stored outside of the specified storage domain.
- View Dependent Claims (17, 18, 19)
- - 17. The computer readable storage medium of claim 16, further comprising:
    - calculating a file fingerprint for each of a plurality of files scanned during the backup operation performed by the deduplication backup system;
      
      using the file fingerprints, determining whether each of the plurality of files is unique;
      
      storing a unique copy of each of the plurality of files, each indexed according to the corresponding file fingerprint;
      
      generating a reference for each instance of each file of the plurality of files, wherein the reference comprises a pointer to the unique copy in the deduplication backup system and a location of the instance of the scanned file; and
      
      determining that the file has more than one reference to the corresponding unique copy.
  - 18. The computer readable storage medium of claim 16, wherein determining whether at least one instance of the plurality of instances of the file is stored outside the specified storage domain comprises:
    - defining the policy to identify the specified storage domain; and
      
      for each of the plurality of references to the file,determining a domain in which an instance of the file is stored, andcomparing the domain in which the instance of the file is stored against the specified domain, wherein detecting the violation of the policy comprises detecting the violation when the domains do not match, and indicating that the instance of the file is stored outside the specified storage domain.
  - 19. The computer readable storage medium of claim 16, further comprising determining whether the file for which the violation was detected comprises sensitive data, the sensitive data comprising at least one of personal information pertaining to employees of an organization, personal information pertaining to customers of the organization, information pertaining to business processes of the organization, and information pertaining to intellectual property of the organization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Jordan, Kevin Elliott, Vranyes, Steven Albert
Primary Examiner(s)
Nigh, James D

Application Number

US12/503,713
Time in Patent Office

2,232 Days
Field of Search

707/664, 707/692, 726/1, 726/26, 726/27, 705/50
US Class Current

1/1
CPC Class Codes

G06F 11/1453   using de-duplication of the...

G06F 2201/83   the solution involving sign...

G06F 2212/1032   Reliability improvement, da...

Method of detecting data loss using multiple references to a file in a deduplication backup system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method of detecting data loss using multiple references to a file in a deduplication backup system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links