Data protection for organizations on computing devices
First Claim
1. A method in a device, the method comprising:
- exposing, by an organization data protection system on the device, an application programming interface (API) to protect data associated with an organization;
- exposing, as part of the API, a first method that an application on the device can invoke to pass to the organization data protection system an identifier of data to be protected and to have the organization data protection system encrypt the data to be protected with an encryption key associated with the organization, the organization data protection system determining a data status for the data prior to the first method being invoked, the data status indicating whether the data can be protected for the organization based on one or more protection statuses contained in metadata associated with the data; and
- exposing, as part of the API, a second method that the application on the device can invoke to pass to the organization data protection system an identifier of the organization and to have the organization data protection system delete a decryption key that is associated with the organization and that is used to decrypt the data to be protected.
Abstract
An application on a device can communicate with organization services. The application accesses a protection system on the device, which encrypts data obtained by the application from an organization service using an encryption key, and includes with the data an indication of a decryption key usable to decrypt the encrypted data. The protection system maintains a record of the encryption and decryption keys associated with the organization. The data can be stored in various locations on at least the device, and can be read by various applications on at least the device. If the organization determines that data of the organization stored on a device is to no longer be accessible on the device (e.g., is to be revoked from the device), a command is communicated to the device to revoke data associated with the organization. In response to this command, the protection system deletes the decryption key.
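The revocation scheme described in the abstract (encrypt under an organization key, store an indication of that key with the data, revoke by deleting the key), as an added Node.js sketch. It is not code from the patent; the function names, the in-memory key record, and the use of a single symmetric AES-256-GCM key per organization are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Key record kept by the protection system: organization id -> AES-256 key.
// Assumption: one symmetric key per organization, held in memory only.
const keys = new Map();

function enroll(org) {
  keys.set(org, crypto.randomBytes(32));
}

// Encrypt data under the organization's key. The returned metadata names the
// key owner, and that name is bound into the GCM tag as associated data, so
// relabelling a blob to another organization fails authentication on read.
function protect(org, data) {
  const key = keys.get(org);
  if (!key) throw new Error('no key enrolled for ' + org);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(org));
  const ct = Buffer.concat([c.update(data), c.final()]);
  return { org, iv, ct, tag: c.getAuthTag() };
}

// Any application holding the blob can read it while the key still exists.
function read(p) {
  const key = keys.get(p.org);
  if (!key) throw new Error('revoked: decryption key unavailable');
  const d = crypto.createDecipheriv('aes-256-gcm', key, p.iv);
  d.setAAD(Buffer.from(p.org));
  d.setAuthTag(p.tag);
  return Buffer.concat([d.update(p.ct), d.final()]);
}

// Revocation: overwrite and drop the key. Every copy of the organization's
// ciphertext, wherever it was stored, becomes unreadable at once.
function revoke(org) {
  const key = keys.get(org);
  if (key) key.fill(0);
  return keys.delete(org);
}

// Data that was protected in the past but whose key is gone counts as revoked.
function isRevoked(p) {
  return !keys.has(p.org);
}
```

A real key record would live in persistent, access-controlled storage, and revocation would have to remove the key from that store and from any backups as well.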
20 Claims
11. A method in a device, the method comprising:
- invoking, by an application on the device, a first application programming interface (API) method exposed by an organization data protection system on the device to pass to the organization data protection system an identifier of data to be protected and to have the organization data protection system encrypt the data to be protected with an encryption key associated with an organization, the organization data protection system determining a data status for the data prior to the first API method being invoked, the data status indicating whether the data can be protected for the organization based on one or more protection statuses contained in metadata associated with the data; and
- invoking, by the application, a second API method exposed by the organization data protection system to pass to the organization data protection system an identifier of the organization and to have the organization data protection system delete a decryption key that is associated with the organization and that is used to decrypt the data to be protected.
20. A computing device comprising:
- an application; and
- an organization data protection system configured to:
  - expose an application programming interface (API) to protect data associated with an organization;
  - expose, as part of the API, a first method that the application can invoke to pass to the organization data protection system an identifier of data to be protected and to have the organization data protection system encrypt the data to be protected with an encryption key associated with the organization, the organization data protection system determining a data status for the data prior to the first method being invoked, the data status indicating whether the data can be protected for the organization based on one or more protection statuses contained in metadata associated with the data;
  - expose, as part of the API, a second method that the application can invoke to pass to the organization data protection system an identifier of the organization and to have the organization data protection system delete a decryption key that is associated with the organization and that is used to decrypt the data to be protected, the organization data protection system determining whether the metadata associated with the data includes a file descriptor identifying the decryption key that is associated with the organization;
  - expose, as part of the API, a third method that the application can invoke to request that first data to be protected be encrypted with a key associated with an organization with which second data to be protected is encrypted; and
  - expose, as part of the API, a fourth method that the application can invoke to have the organization data protection system return an indication of whether particular data has been revoked, the particular data having been revoked indicating that the particular data has been protected in the past and that a decryption key to decrypt the particular data is unavailable.
Specification