Application and device control in a virtualized environment

US 9,165,150 B2
Filed: 02/19/2013
Issued: 10/20/2015
Est. Priority Date: 02/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring, by a dedicated security virtual machine (SVM) executing by a computing system, a file open event to access a file by a guest virtual machine (GVM) executing by the computing system;

identifying a source associated with the file open event, wherein the source is an application or a device being used by the GVM;

determining when a data loss prevention (DLP) policy requires monitoring of the source in view of a source control policy;

monitoring the source for file system events associated with the file when the DLP policy requires monitoring;

determining when the file violates the DLP policy in view of the source of the file system events;

enforcing a first response rule associated with the GVM when the source associated with the file open event is a non-approved source per the source control policy; and

enforcing a second response rule associated with the GVM when the file violates the DLP policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a source associated with a file open or create event. The source is at least one of an application or a device being used by a guest virtual machine (GVM). The DLP manager enforces a first response rule associated with the GVM when the source is a non-approved source per a source control policy. The DLP manager enforces a second response rule when the file violates a DLP policy.

17 Citations

View as Search Results

20 Claims

1. A method comprising:
- monitoring, by a dedicated security virtual machine (SVM) executing by a computing system, a file open event to access a file by a guest virtual machine (GVM) executing by the computing system;
  
  identifying a source associated with the file open event, wherein the source is an application or a device being used by the GVM;
  
  determining when a data loss prevention (DLP) policy requires monitoring of the source in view of a source control policy;
  
  monitoring the source for file system events associated with the file when the DLP policy requires monitoring;
  
  determining when the file violates the DLP policy in view of the source of the file system events;
  
  enforcing a first response rule associated with the GVM when the source associated with the file open event is a non-approved source per the source control policy; and
  
  enforcing a second response rule associated with the GVM when the file violates the DLP policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprisingdetermining that the source control policy exists to restrict access to the identified source.
  - 3. The method of claim 2, wherein the monitoring comprises:
    - identifying a file close event associated with the file open event;
      
      analyzing data associated with the file close event to determine when the data violates the DLP policy; and
      
      enforcing the second response rule associated with the DLP policy when the data violates the DLP policy.
  - 4. The method of claim 3, further comprising reporting a DLP policy violation when the data violates the DLP policy.
  - 5. The method of claim 1, further comprising:
    - determining when the DLP policy requires monitoring of the source;
      
      storing a copy of the file; and
      
      restoring the copy of the file at a close event when the data violates the DLP policy.
  - 6. The method of claim 1, further comprising installing a DLP user interface at the guest virtual machine that is to notify a user of a DLP violation.
  - 7. The method of claim 1, further comprising retrieving a DLP profile associated with the GVM from a profile repository, wherein the DLP profile comprises the source control policy, the DLP policy, and the second response rule.
  - 8. The method of claim 1, wherein:
    - the source control policy is an application control policy or a device control policy, andidentifying the source comprises determining whether the file open event originates from the application or the device.
  - 9. The method of claim 1, further comprising:
    - determining that the file does not violate the DLP policy; and
      
      caching a result of the determination when the file does not violate the DLP policy and the source is an approved source.

10. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
- monitoring, by a dedicated security virtual machine (SVM) executing by a computing system, a file open event to access a file by a guest virtual machine (GVM) executing by the computing system;
  
  identifying a source associated with the file open event, wherein the source is an application or a device being used by the GVM;
  
  determining when a data loss prevention (DLP) policy requires monitoring of the source in view of a source control policy;
  
  monitoring the source for file system events associated with the file when the DLP policy requires monitoring;
  
  determining when the file violates the DLP policy in view of the source of the file system events;
  
  enforcing a first response rule associated with the GVM when the source associated with the file open event is a non-approved source per the source control policy; and
  
  enforcing a second response rule associated with the GVM when the file violates the DLP policy.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer readable storage medium of claim 10, wherein the operations further comprisedetermining that the source control policy exists to restrict access to the identified source.
  - 12. The computer readable storage medium of claim 11, wherein the monitoring comprises:
    - identifying a file close event associated with the file open event;
      
      analyzing data associated with the file close event to determine when the data violates the DLP policy; and
      
      enforcing the second response rule associated with the DLP policy when the data violates the DLP policy.
  - 13. The computer readable storage medium of claim 12, wherein the operations further comprise reporting a DLP policy violation when the data violates the DLP policy.
  - 14. The computer readable storage medium of claim 10, wherein the operations further comprise:
    - determining that the file does not violate the DLP policy; and
      
      caching a result of the determination when the file does not violate the DLP policy and when the source is an approved source.

15. A computing apparatus comprising:
- a memory to store instructions for a data loss prevention (DLP) manager; and
  
  a processor, coupled to the memory, wherein the processor is to execute the DLP manager;
  
  monitor, by the DLP manager, a file open event to access a file by a guest virtual machine (GVM) executed by a computing system;
  
  identify, by the processor, a source associated with the file open event, wherein the source is an application or a device being used by the GVM;
  
  determine when a DLP policy requires monitoring of the source in view of a source control policy;
  
  monitor the source for file system events associated with the file when the DLP policy require monitoring;
  
  determine when the file violates the DLP policy in view of the source of the file system events;
  
  enforce a first response rule associated with the GVM when the source associated with the file open event is a non-approved source per the source control policy; and
  
  enforce a second response rule associated with the GVM when the file violates the DLP policy.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computing apparatus of claim 15, wherein the DLP manager is further configured todetermine that the source control policy exists to restrict access to the identified source.
  - 17. The computing apparatus of claim 15, wherein the DLP manager is further configured to:
    - identify a file close event associated with the file open event;
      
      analyze data associated with the file close event to determine when the data violates the DLP policy; and
      
      execute the second response rule associated with the DLP policy when the data violates the DLP policy.
  - 18. The computing apparatus of claim 15, wherein the DLP manager is further configured to retrieve a DLP profile associated with the GVM from a profile repository, wherein the DLP profile comprises the source control policy, the DLP policy, and the response rule.
  - 19. The computing apparatus of claim 15, wherein the DLP manager is further configured to install a DLP user interface in the guest virtual machine that is to notify a user of DLP violations.
  - 20. The computing apparatus of claim 15, wherein the DLP manager is further to report a DLP policy violation when the data violates the DLP policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Manmohan, Sarin Sumit, Jaiswal, Sumesh
Primary Examiner(s)
Dinh, Minh

Application Number

US13/770,032
Publication Number

US 20140237537A1
Time in Patent Office

973 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6209   to a single file or object,...

G06F 21/6281   at program execution time, ...

Application and device control in a virtualized environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Application and device control in a virtualized environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others