Data protection for organizations on computing devices

US 9,430,664 B2
Filed: 07/02/2013
Issued: 08/30/2016
Est. Priority Date: 05/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method in a device, the method comprising:

exposing, by an organization data protection system on the device, an application programming interface (API) to protect data associated with an organization;

exposing, as part of the API, a first method that an application on the device can invoke to pass to the organization data protection system an identifier of data to be protected and to have the organization data protection system encrypt the data to be protected with an encryption key associated with the organization, the organization data protection system determining a data status for the data prior to the first method being invoked, the data status indicating whether the data can be protected for the organization based on one or more protection statuses contained in metadata associated with the data; and

exposing, as part of the API, a second method that the application on the device can invoke to pass to the organization data protection system an identifier of the organization and to have the organization data protection system delete a decryption key that is associated with the organization and that is used to decrypt the data to be protected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application on a device can communicate with organization services. The application accesses a protection system on the device, which encrypts data obtained by the application from an organization service using an encryption key, and includes with the data an indication of a decryption key usable to decrypt the encrypted data. The protection system maintains a record of the encryption and decryption keys associated with the organization. The data can be stored in various locations on at least the device, and can be read by various applications on at least the device. If the organization determines that data of the organization stored on a device is to no longer be accessible on the device (e.g., is to be revoked from the device), a command is communicated to the device to revoke data associated with the organization. In response to this command, the protection system deletes the decryption key.

190 Citations

20 Claims

1. A method in a device, the method comprising:
- exposing, by an organization data protection system on the device, an application programming interface (API) to protect data associated with an organization;
  
  exposing, as part of the API, a first method that an application on the device can invoke to pass to the organization data protection system an identifier of data to be protected and to have the organization data protection system encrypt the data to be protected with an encryption key associated with the organization, the organization data protection system determining a data status for the data prior to the first method being invoked, the data status indicating whether the data can be protected for the organization based on one or more protection statuses contained in metadata associated with the data; and
  
  exposing, as part of the API, a second method that the application on the device can invoke to pass to the organization data protection system an identifier of the organization and to have the organization data protection system delete a decryption key that is associated with the organization and that is used to decrypt the data to be protected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as recited in claim 1, the data to be protected comprising a file, and the first method having a storage item parameter that takes as an input an identifier of the file.
  - 3. A method as recited in claim 1, the first method having an organization identifier parameter that takes as an input an identifier of the organization.
  - 4. A method as recited in claim 1, the second method having an organization identifier parameter that takes as an input the identifier of the organization.
  - 5. A method as recited in claim 1, further comprising exposing, as part of the API, a third method that the application on the device can invoke to have the organization data protection system return an indication of whether particular data has been revoked, the particular data having been revoked indicating that the particular data has been protected in the past and that a decryption key to decrypt the particular data is unavailable.
  - 6. A method as recited in claim 5, the particular data comprising a file, and the third method having a storage item parameter that takes as an input an identifier of the file.
  - 7. A method as recited in claim 1, further comprising exposing, as part of the API, a third method that the application on the device can invoke to request that first data to be protected be encrypted with a key associated with an organization with which second data to be protected is encrypted.
  - 8. A method as recited in claim 7, the third method having a target data parameter that takes as an input an identifier of the first data to be protected.
  - 9. A method as recited in claim 7, the third method having a source data parameter that takes as an input an identifier of the second data to be protected.
  - 10. A method as recited in claim 7, the first data to be protected comprising a first file, the second data to be protected comprising a second file, the third method having a target data parameter that takes as an input an identifier of the first file, and a source data parameter that takes as an input an identifier of the second file.

11. A method in a device, the method comprising:
- invoking, by an application on the device, a first application programming interface (API) method exposed by an organization data protection system on the device to pass to the organization data protection system an identifier of data to be protected and to have the organization data protection system encrypt the data to be protected with an encryption key associated with an organization, the organization data protection system determining a data status for the data prior to the first API method being invoked, the data status indicating whether the data can be protected for the organization based on one or more protection statuses contained in metadata associated with the data; and
  
  invoking, by the application, a second API method exposed by the organization data protection system to pass to the organization data protection system an identifier of the organization and to have the organization data protection system delete a decryption key that is associated with the organization and that is used to decrypt the data to be protected.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. A method as recited in claim 11, the data to be protected comprising a file, and the invoking the first API method including providing an identifier of the file as a storage item parameter of the first API method.
  - 13. A method as recited in claim 11, the invoking the first API method including providing an identifier of the organization as an organization identifier parameter of the first API method.
  - 14. A method as recited in claim 11, the invoking the second API method including providing the identifier of the organization as an organization identifier parameter of the second API method.
  - 15. A method as recited in claim 11, further comprising invoking, by the application, a third API method exposed by the organization data protection system to have the organization data protection system return an indication of whether particular data has been revoked, the particular data having been revoked indicating that the particular data has been protected in the past and that a decryption key to decrypt the particular data is unavailable.
  - 16. A method as recited in claim 15, the particular data comprising a file, and invoking the third API method including providing an identifier of the file as a storage item parameter of the third API method.
  - 17. A method as recited in claim 11, further comprising invoking, by the application, a third API method exposed by the organization data protection system to request that first data to be protected be encrypted with a key associated with an organization with which second data to be protected is encrypted.
  - 18. A method as recited in claim 17, the invoking the third API method including providing an identifier of the first data to be protected as a target data parameter of the third API method.
  - 19. A method as recited in claim 18, the invoking the third API method further including providing an identifier of the second data to be protected as a source data parameter of the third API method.

20. A computing device comprising:
- an application; and
  
  an organization data protection system configured to;
  
  expose an application programming interface (API) to protect data associated with an organization;
  
  expose, as part of the API, a first method that the application can invoke to pass to the organization data protection system an identifier of data to be protected and to have the organization data protection system encrypt the data to be protected with an encryption key associated with the organization, the organization data protection system determining a data status for the data prior to the first method being invoked, the data status indicating whether the data can be protected for the organization based on one or more protection statuses contained in metadata associated with the data;
  
  expose, as part of the API, a second method that the application can invoke to pass to the organization data protection system an identifier of the organization and to have the organization data protection system delete a decryption key that is associated with the organization and that is used to decrypt the data to be protected, the organization data protection system determining whether the metadata associated with the data includes a file descriptor identifying the decryption key that is associated with the organization;
  
  expose, as part of the API, a third method that the application can invoke to request that first data to be protected be encrypted with a key associated with an organization with which second data to be protected is encrypted; and
  
  expose, as part of the API, a fourth method that the application can invoke to have the organization data protection system return an indication of whether particular data has been revoked, the particular data having been revoked indicating that the particular data has been protected in the past and that a decryption key to decrypt the particular data is unavailable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Adam, Preston Derek, Novotney, Peter J., Ide, Nathan J., Basmov, Innokentiy, Acharya, Narendra S., Ureche, Octavian T., Sinha, Saurav, Kannan, Gopinathan, Macaulay, Christopher R., Grass, Michael J.
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/933,928
Publication Number

US 20140344571A1
Time in Patent Office

1,155 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/0428   wherein the data content is...

Data protection for organizations on computing devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

190 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data protection for organizations on computing devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

190 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links