Secure, policy-based communications security and file sharing across mixed media, mixed-communications modalities and extensible to cloud computing such as SOA

US 9,215,236 B2
Filed: 02/18/2011
Issued: 12/15/2015
Est. Priority Date: 02/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a policy enforcement server, a notification of a determined behavioral instance that corresponds to a policy or rule, wherein the first policy agent monitors or tracks behavior of the first subscriber; and

applying, by the policy enforcement server, a policy or rule to the determined behavioral instance in an enterprise network, to implement a policy measure, wherein the behavioral instance is the first subscriber intending to make a selected communication and a restricted content in the selected communication accessible, via the enterprise network, to one or more selected parties and wherein the implemented policy measure comprises;

setting a hop restriction on the restricted content in the selected communication wherein, when the hop restriction is met or exceeded or a hop counter is incremented or decremented to a selected value, the selected communication or the restricted content in the selected communication is dropped or otherwise prohibited from delivery to an intended recipient of the one or more selected parties.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers.

Citations

20 Claims

1. A method, comprising:
- receiving, by a policy enforcement server, a notification of a determined behavioral instance that corresponds to a policy or rule, wherein the first policy agent monitors or tracks behavior of the first subscriber; and
  
  applying, by the policy enforcement server, a policy or rule to the determined behavioral instance in an enterprise network, to implement a policy measure, wherein the behavioral instance is the first subscriber intending to make a selected communication and a restricted content in the selected communication accessible, via the enterprise network, to one or more selected parties and wherein the implemented policy measure comprises;
  
  setting a hop restriction on the restricted content in the selected communication wherein, when the hop restriction is met or exceeded or a hop counter is incremented or decremented to a selected value, the selected communication or the restricted content in the selected communication is dropped or otherwise prohibited from delivery to an intended recipient of the one or more selected parties.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 18, 19)
- - 2. The method of claim 1, wherein the policy enforcement server receives the notification from a first policy agent that corresponds to a first node and a first subscriber and wherein applying the policy or rule to the determined behavioral instance in the enterprise network to implement the policy measure comprises:
    - receiving, by the policy enforcement server, a policy tag respecting the selected communication and the restricted content in the selected communication and wherein the policy tag comprises one or more of the following;
      
      a persona or role of the first subscriber,a persona or role of the one or more selected parties,a degree of trust of the enterprise network with the first subscriber or one or more selected parties,a capability, provisioning, or preference of a communication device of the first subscriber or the one or more selected parties,a context of the first subscriber or the one or more selected parties,a context of the communication device of the first subscriber or the one or more selected parties,an existing policy compliance measure selected by the first subscriber for the selected communication and the restricted content in the selected communication,a venue for the selected communication and the restricted content in the selected communication to be made accessible to the one or more selected parties,a description of the selected communication and the restricted content in the selected communication,a context of the selected communication or the restricted content in the selected communication, andthe policy or rule corresponding to the selected communication and the restricted content in the selected communication; and
      
      determining, by the policy enforcement server and based on the policy tag, an applicable policy or rule; and
      
      determining, by the policy enforcement server and based on the applicable policy or rule, the policy measure to be implemented.
  - 3. The method of claim 2, wherein the first node is a first communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises one or more of a persona or role of the one or more selected parties and a persona or role of the first subscriber, and wherein the persona or role is defined by one or more of the following:
    - employer name, user level, user organization, the subscriber'"'"'s business-related electronic addresses, satellite-based physical location coordinates associated with a business location, Web browsed URL'"'"'s corresponding with business interests, times-of-day associated with business time, days-of-week associated with business time, contact lists of business associates, client, supplier, customer, family member name, the first subscriber'"'"'s personal electronic addresses, satellite-based physical location coordinates associated with personal location, Web browsed URL'"'"'s corresponding with personal interests, times-of-day associated with personal time, days-of-week associated with personal time, contact list of friends, hobby supplier, charitable organization, and other volunteer activity.
  - 4. The method of claim 2, wherein the first node is a first communication device, wherein the policy agent is in a class driver, and wherein the policy tag comprises one or more of a context of the first subscriber or the one or more selected parties and a context of the first communication device of the first subscriber or a communication device of the one or more selected parties.
  - 5. The method of claim 2, wherein the first node is a first communication device, wherein the policy agent is in a class driver, and wherein the policy tag comprises one or more of a capability, provisioning, or preference of the first communication device of the first subscriber or a communication device of the one or more selected parties and an existing policy compliance measure selected by the first subscriber for the selected communication and the restricted content in the selected communication.
  - 6. The method of claim 2, wherein the first node is a first communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises a venue for the selected communication and the restricted content in the selected communication to be made accessible to the one or more selected parties, and wherein the venue comprises one of a blog, micro-blog, Really Simple Syndication (“
    - RSS”
      
      ) feed, chat room, social network posting, and news aggregator.
  - 7. The method of claim 2, wherein the policy measure to be implemented further comprises one or more of the following:
    - mark or delete a portion of the selected communication or the restricted content in the selected communication prior to access by one or more other parties,prevent the first subscriber from selecting, by dragging and dropping, selected content into a communication,provide read-only access to the selected communication or the restricted content in the selected communication,tear down a communication channel before transmission of the selected communication and/or the restricted content in the selected communication, anddisplay different portions of the selected communication or the restricted content in the selected communication to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.
  - 18. The method of claim 7, wherein the implemented policy measure comprises the tearing down of the communication channel before the transmission of the selected communication or the restricted content in the selected communication.
  - 19. The method of claim 1, wherein the policy measure to be implemented further comprises embedding a flag indicating an area of redundant and processor intensive encryption.

8. A system, comprising:
- a policy enforcement server that receives a notification of a determined behavioral instance corresponding to a policy or rule and applies a policy or rule to the determined behavioral instance in an enterprise network, to implement a policy measure, wherein the first policy agent monitors or tracks behavior of the first subscriber and wherein the behavioral instance is the first subscriber intending to make a selected communication and a restricted content in the selected communication accessible, via the enterprise network to one or more selected parties and wherein the implemented policy measure comprises;
  
  setting a hop restriction on the restricted content in the selected communication, wherein, when the hop restriction is met or exceeded or a hop counter is incremented or decremented to a selected value, the selected communication or the restricted content in the selected communication is dropped or otherwise prohibited from delivery to an intended recipient of the one or more selected parties.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 20)
- - 9. The system of claim 8, wherein the policy enforcement server receives the notification from a first policy agent that corresponds to a first node and a first subscriber and wherein the applying operation comprises the sub-operations:
    - receiving a policy tag respecting the selected communication and the restricted content in the selected communication and wherein the policy tag comprises one or more of the following;
      
      a persona or role of the first subscriber,a persona or role of the one or more selected parties,a degree of trust of the enterprise network with the first subscriber or one or more selected parties,a capability, provisioning, and/or preference of a communication device of the first subscriber or the one or more selected parties,a context of the first subscriber or the one or more selected parties,a context of the communication device of the first subscriber or the one or more selected parties,an existing policy compliance measure selected by the first subscriber for the one or more of the selected communication and the restricted content in the selected communication,a venue for the selected communication and the restricted content in the selected communication to be made accessible to the one or more selected parties,a description of the selected communication and the restricted content in the selected communication,a context of the selected communication or the restricted content in the selected communication, andthe policy or rule corresponding to the selected communication and the restricted content in the selected communication; and
      
      determine, based on the policy tag, an applicable policy or rule; and
      
      determine, based on the applicable policy or rule, the policy measure to be implemented.
  - 10. The system of claim 9, wherein the first node is a first communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises one or more of a persona or role of the one or more selected parties and a persona or role of the first subscriber, and wherein the persona or role is defined by one or more of the following:
    - employer name, user level, user organization, the subscriber'"'"'s business-related electronic addresses, satellite-based physical location coordinates associated with a business location, Web browsed URL'"'"'s corresponding with business interests, times-of-day associated with business time, days-of-week associated with business time, contact lists of business associates, client, supplier, customer, family member name, the first subscriber'"'"'s personal electronic addresses, satellite-based physical location coordinates associated with personal location, Web browsed URL'"'"'s corresponding with personal interests, times-of-day associated with personal time, days-of-week associated with personal time, contact list of friends, hobby supplier, charitable organization, and other volunteer activity.
  - 11. The system of claim 9, wherein the first node is a first communication device, wherein the policy tag comprises a degree of trust of the enterprise network with the one or more selected parties, and wherein the one or more selected parties is no longer trusted upon occurrence of a determined event or passage of determined time.
  - 12. The system of claim 9, wherein the first node is a first communication device, wherein the policy agent is in a class driver, and wherein the policy tag comprises one or more of a capability, provisioning, or preference of the first communication device of the first subscriber or a communication device of the one or more selected parties and an existing policy compliance measure selected by the first subscriber for the selected communication and the restricted content in the selected communication.
  - 13. The system of claim 9, wherein the first node is a first communication device, wherein the policy agent is in a class driver, wherein the policy tag comprises a venue for the selected communication and the restricted content in the selected communication to be made accessible to the one or more selected parties, and wherein the venue comprises one of a blog, micro-blog, Really Simple Syndication (“
    - RSS”
      
      ) feed, chat room, social network posting, and news aggregator.
  - 14. The system of claim 9, wherein the policy measure to be implemented further comprises one or more of the following:
    - mark or delete a portion of the selected communication or the restricted content prior in the selected communication to access by one or more other parties,prevent the first subscriber from selecting, by dragging and dropping, selected content into a communication,provide read-only access to the selected communication or the restricted content in the selected communication,tear down a communication channel before transmission of the selected communication or the restricted content in the selected communication, anddisplay different portions of the selected communication or restricted content in the selected communication to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.
  - 20. The system of claim 8, wherein the policy measure to be implemented further comprises embedding a flag indicating an area of redundant and processor intensive encryption.

15. A tangible and non-transient computer readable medium, comprising:
- instructions to read a policy tag related to an actual or potential violation of a rule or policy by a subscriber of an enterprise network, comprising one or more of the following fields;
  
  a subscriber or role persona field defining a persona or role of the subscriber at a time of the actual or potential violation;
  
  a nonsubscriber or role persona field defining a persona or role of a nonsubscriber involved in and at the time of the actual or potential violation;
  
  a degree of trust field defining a degree of trust of the enterprise network or the subscriber with a person or computational entity having or to have access to a selected communication and a restricted content in the selected communication associated with the actual or potential violation, the person or computational entity being involved in the actual or potential rule violation;
  
  an existing policy or rule compliance measure field describing a measure currently in place to comply with the actually or potentially violated rule or policy, wherein the existing policy or rule is based on the subscriber intending to make the selected communication and the restricted content in the selected communication accessible to one or more selected parties;
  
  a venue field defining a degree of public exposure or security of an intended recipient of the selected communication or content, the intended recipient being involved in the actual or potential violation;
  
  a context field describing a context of the subscriber or other entity having access to the selected communication or the restricted content in the selected communication;
  
  a content description field describing the selected communication or the restricted content in the selected communication, the content description describing the content in terms of the rule or policy actually or potentially violated;
  
  a policy or rule field identifying the policy or rule actually or potentially violated;
  
  ora recommendation or decision field indicating a recommended action to be taken in response to the actual or potential violation; and
  
  instructions to apply the rule or policy to a determined behavioral instance, wherein a policy measure is implemented, wherein a behavioral instance is a first subscriber intending to make a selected communication and the restricted content in the selected communication accessible, via the enterprise network, to the one or more selected parties, and wherein an implemented policy measure comprises;
  
  instructions to set a hop restriction on the restricted content in the selected communication wherein, when the hop restriction is met or exceeded or a hop counter is incremented or decremented to a selected value, the selected communication or the restricted content in the selected communication is dropped or otherwise prohibited from delivery to an intended recipient of the one or more selected parties.
- View Dependent Claims (16, 17)
- - 16. The medium of claim 15, wherein the policy tag comprises the degree of trust field, wherein the degree of trust is associated with a defined group of entities, and wherein the group members comprise entities that are not subscribers to or otherwise part of the enterprise network.
  - 17. The medium of claim 15, wherein the policy tag comprises one or more of the existing policy or rule compliance measure and recommendation or decision fields and wherein the one or more of the existing policy or rule compliance measure and recommendation or decision fields comprises one or more of the following actions:
    - mark or delete a portion of the selected communication or the restricted content in the selected communication prior to access by one or more other parties,prevent the first subscriber from selecting, by dragging and dropping, selected content into a communication,provide read-only access to the selected communication or the restricted content in the selected communication,tear down a communication channel before transmission of the selected communication and/or the restricted content in the selected communication, anddisplay different portions of the selected communication or the restricted content in the selected communication to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Kennedy, Kevin J.
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US13/030,500
Publication Number

US 20110209193A1
Time in Patent Office

1,761 Days
Field of Search

726/1, 726/26, 709/224, 709/220
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

G06F 21/44   Program or device authentic...

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

G06Q 30/02   Marketing; Price estimation...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

Secure, policy-based communications security and file sharing across mixed media, mixed-communications modalities and extensible to cloud computing such as SOA

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure, policy-based communications security and file sharing across mixed media, mixed-communications modalities and extensible to cloud computing such as SOA

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links