Data source based application sandboxing

US 9,225,727 B2
Filed: 03/29/2011
Issued: 12/29/2015
Est. Priority Date: 11/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method to control access to data stored on a data store of a computing device, the method comprising:

receiving a request for data from a requesting component;

identifying an assigned access domain of the requesting component;

identifying an assigned data domain of the requested data, the data domain having been assigned to the requested data based on a comparison of one or more data characteristics of the requested data with one or more data classifications defined in a security policy;

determining whether the requesting component is authorized to access the requested data by comparing one or more permissions specified in the security policy with each of the assigned access domain and the assigned data domain; and

,if the assigned access domain is authorized to access the assigned data domain, providing access to the requested data.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device and a method for a computing device to control access to data stored on a data store of the device. An access component of the device having control over access to the data. The access component being operative to receive a request for data from a requesting component, identify an assigned access domain of the requesting component and an assigned data domain of the requested data and determine whether the requesting component is authorized to access the data by comparing the assigned access domain and the data domain with permissions specified in a security policy. If the assigned access domain is authorized to access the data domain, the access component may provide access to the requested data.

109 Citations

35 Claims

1. A method to control access to data stored on a data store of a computing device, the method comprising:
- receiving a request for data from a requesting component;
  
  identifying an assigned access domain of the requesting component;
  
  identifying an assigned data domain of the requested data, the data domain having been assigned to the requested data based on a comparison of one or more data characteristics of the requested data with one or more data classifications defined in a security policy;
  
  determining whether the requesting component is authorized to access the requested data by comparing one or more permissions specified in the security policy with each of the assigned access domain and the assigned data domain; and
  
  ,if the assigned access domain is authorized to access the assigned data domain, providing access to the requested data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method of claim 1 wherein the identifying the assigned data domain of the requested data comprises evaluating one or more data characteristics of the requested data and identifying the assigned data domain based on the one or more data characteristics and the security policy.
  - 3. The method of claim 2 wherein the one or more data characteristics comprises a data domain identifier associated with the requested data, and the evaluating comprises retrieving the data domain identifier and matching the retrieved data domain identifier with a corresponding assigned data domain specified in the security policy.
  - 4. The method of claim 2 wherein the requested data comprises a data object, and wherein the evaluating one or more data characteristics comprises accessing the data object and analysing the data object to evaluate a content of the data object and comparing the content with data classifications defined in the security policy to identify the assigned data domain.
  - 5. The method of claim 1 wherein the identifying the assigned access domain of the requesting component comprises receiving an access domain identifier from the requesting component and matching the received access domain identifier with a corresponding assigned access domain specified in the security policy to identify the assigned access domain.
  - 6. The method of claim 1 wherein before receiving the request, classifying the requested data to assign a data domain by:
    - evaluating data characteristics of the requested data;
      
      comparing the data characteristics with data classifications defined in the security policy to assign a data domain; and
      
      ,storing the requested data in the data store associated with the data domain.
  - 7. The method of claim 6 wherein the identifying the assigned data domain comprises evaluating the data domain stored in association with the requested data, and comparing the data domain with data classifications defined in the security policy to identify the assigned data domain.
  - 8. The method of claim 1 further comprising:
    - the computing device receiving an updated security policy from a server over a network connection and the computing device replacing the security policy with the updated security policy such that operations on the computing device that were based on the security policy become based upon the updated security policy.
  - 17. The method of claim 1, wherein the one or more data characteristics of the requested data comprise an identity of a device from which the requested data originated.
  - 18. The method of claim 1, wherein the one or more data characteristics of the requested data comprise a source of the requested data.
  - 19. The method of claim 1, wherein the requested data comprises a data object, and wherein the one or more data characteristics of the requested data comprise an author or recipient of the data object.
  - 20. The method of claim 1, wherein the one or more data characteristics of the requested data comprise at least one of a time the requested data was generated, a time the requested data was captured, or a location of the computing device.
  - 21. The method of claim 8, wherein a new data domain is associated to the requested data byevaluating one or more data characteristics of the requested data,comparing the one or more data characteristics with data classifications defined in the updated security policy to assign the data domain to the requested data, andstoring the requested data, with the data domain assigned to the data, in the data store.
  - 22. The method of claim 1, wherein the one or more data classifications specify a source of the requested data.
  - 23. The method of claim 1, wherein the one or more data classifications specify a data type of the requested data.
  - 24. The method of claim 1, wherein the one or more data classifications specify a user classification.
  - 25. The method of claim 1, wherein the one or more data classifications are associated with keywords specified in a content of the requested data.

9. A computing device operative to control access to data stored on a data store of the device, the computing device comprising:
- a processing unit in communication with the data store;
  
  a requesting component operative on the device to request data stored in the data store;
  
  an access component operative on the device to;
  
  control access to data stored in the data store;
  
  receive one or more requests for data from the requesting component;
  
  identify an assigned access domain of the requesting component;
  
  identify an assigned data domain of the requested data, the data domain having been assigned to the requested data based on a comparison of one or more data characteristics of the requested data with one or more data classifications defined in a security policy;
  
  determine whether the requesting component is authorized to access the requested data by comparing one or more permissions specified in the security policy with each of the assigned access domain and the assigned data domain; and
  
  ,provide access to the requested data if the assigned access domain is authorized to access the assigned data domain.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 10. The computing device of claim 9 wherein the access component is operative to identify the assigned data domain of the requested data by evaluating one or more data characteristics of the requested data and identifying the assigned data domain based on the one or more data characteristics and the security policy.
  - 11. The computing device of claim 10 wherein the one or more data characteristics comprises a data domain identifier associated with the requested data, and the access component is operative to evaluate by retrieving the data domain identifier and matching the retrieved data domain identifier with a corresponding assigned data domain specified in the security policy.
  - 12. The computing device of claim 10 wherein the requested data comprises a data object and wherein the access component is operative to access the data object accessible to the access component and to evaluate the one or more data characteristics by accessing the data object and analysing the data object to evaluate a content of the data object and compare the content with data classifications defined in the security policy to identify the assigned data domain.
  - 13. The computing device of claim 9 wherein the access component is operative to identify the assigned access domain of the requesting component when the access component receives an access domain identifier from the requesting component by matching the received access domain identifier with a corresponding assigned access domain specified in the security policy to identify the assigned access domain.
  - 14. The computing device of claim 9 wherein the access component is operative to classify the requested data to assign a data domain before the access component receives the request, by:
    - evaluating data characteristics of the requested data;
      
      comparing the data characteristics with data classifications specified in the security policy to assign a data domain; and
      
      ,storing the requested data in the data store associated with the data domain.
  - 15. The computing device of claim 14 wherein the access component is operative to identify the assigned data domain by evaluating the data domain stored in association with the requested data, and comparing the data domain with data classifications defined in the security policy to identify the assigned data domain.
  - 16. The computing device of claim 9 further comprising a network communications subsystem, the computing device operative to receive an updated security policy from a server through the network communications subsystem, and the access component is further operative to replace the security policy with the updated security policy such that operations of the access component that were based on the security policy become based upon the updated security policy.
  - 26. The computing device of claim 9, wherein the one or more data characteristics of the requested data comprise an identity of a device from which the requested data originated.
  - 27. The computing device of claim 9, wherein the one or more data characteristics of the requested data comprise a source of the requested data.
  - 28. The computing device of claim 9, wherein the requested data comprises a data object, and wherein the data characteristics of the requested data comprise an author or recipient of the data object.
  - 29. The computing device of claim 9, wherein the one or more data characteristics of the requested data comprise at least one of a time the requested data was generated, a time the requested data was captured, or a location of the computing device.
  - 30. The computing device of claim 16, wherein a new data domain is associated to the requested data byevaluating one or more data characteristics of the requested data,comparing the one or more data characteristics with data classifications defined in the updated security policy to assign the data domain to the requested data, andstoring the requested data, with the data domain assigned to the data, in the data store.
  - 31. The computing device of claim 9, wherein the one or more data classifications specify a source of the requested data.
  - 32. The computing device of claim 9, wherein the one or more data classifications specify a data type of the requested data.
  - 33. The computing device of claim 9, wherein the one or more data classifications specify a user classification.
  - 34. The computing device of claim 9, wherein the one or more data classifications are associated with keywords specified in a content of the requested data.

35. A computer-readable medium comprising instructions, which when executed by a processor of a computing device cause the processor to perform instructions for controlling access to data stored on a data store of a computing device, the instructions comprising instructions for:
- receiving a request for data from a requesting component;
  
  identifying an assigned access domain of the requesting component;
  
  identifying an assigned data domain of the requested data, the data domain having been assigned to the requested data based on a comparison of one or more data characteristics of the requested data with one or more data classifications defined in a security policy;
  
  determining whether the requesting component is authorized to access the requested data by comparing one or more permissions specified in the security policy with each of the assigned access domain and the assigned data domain; and
  
  ,if the assigned access domain is authorized to access the assigned data domain, providing access to the requested data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Bender, Christopher Lyle, Tu, Van Quy, Major, Daniel Jonas, Cardy, Jonathan Raymond
Primary Examiner(s)
Nguyen, Dustin

Application Number

US13/074,136
Publication Number

US 20120124640A1
Time in Patent Office

1,736 Days
Field of Search

345/156, 358/1.15, 713/155, 713/156, 709/999.009, 709/229, 709/226, 709/217, 726/1, 726/24, 726/2, 726/9, 726/27, 707/8, 707/783
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Data source based application sandboxing

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Data source based application sandboxing

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links