Enforcing control policies in an information management system with two or more interactive enforcement points

US 9,497,219 B2
Filed: 10/30/2007
Issued: 11/15/2016
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;

using the policy engine code component, evaluating a document access operation on the first computer,wherein the evaluating step evaluates at least one rule pertaining to the document access operation,wherein the evaluating step monitors operations of a plurality of application programs on the first computer, and the application programs are outside of the operating system layer,wherein the document access operation is initiated by an application program and detected by the interceptor code component, and the interceptor code component transfers handling of the document access operation to the policy engine code component,wherein the at least one rule is among a plurality of rules stored on the first computer, andwherein the at least one rule contains at least one expression used by the evaluating step to control document access operation;

for a first application program on the first computer, performing the evaluating step for an operation of the first application program;

for a second application program on the first computer, performing the evaluating step for an operation of the second application program;

determining if the first computer contains a first piece of information required to evaluate the at least one rule;

if the first computer contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule;

if the first computer does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule;

if the first computer is incapable of evaluating the at least one rule, determining a second computer connected over a network to the first computer, wherein the second computer has access to the first piece of information;

confirming on the first computer that the second computer has an ability to interact with the evaluating step;

determining first and second portions of the at least one rule, wherein evaluating the second portion of the at least one rule comprises accessing the first piece of information that causes the first computer to be incapable of evaluating the at least one rule;

designating the second portion of the at least one rule to be evaluated with the first piece of information accessible by the second computer;

accessing the first piece of information by the second computer;

evaluating the second portion of the at least one rule with the accessed first piece of information accessed by the second computer;

determining the first computer is capable of evaluating the first portion of the at least one rule by way of the first computer having access to a second piece of information required to evaluate the first portion of the at least one rule;

designating the first portion of the at least one rule to be evaluated with the second piece of information accessible by the first computer;

accessing the second piece of information by the first computer;

evaluating the first portion of the at least one rule with the accessed second piece of information accessed by the first computer;

based on the evaluated first portion of the at least one rule by the first computer and evaluated second portion of the least one rule by the second computer, determining whether to allow or deny the operation of the first application program;

when the first computer is incapable of evaluating the at least one rule, transmitting an indication from the first computer to a helper decision point, wherein the indication comprises a request and a list of events; and

based on the indication, determining at the helper decision point that the second computer has access to the first piece of information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

Citations

45 Claims

1. A method comprising:
- providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
  
  using the policy engine code component, evaluating a document access operation on the first computer,wherein the evaluating step evaluates at least one rule pertaining to the document access operation,wherein the evaluating step monitors operations of a plurality of application programs on the first computer, and the application programs are outside of the operating system layer,wherein the document access operation is initiated by an application program and detected by the interceptor code component, and the interceptor code component transfers handling of the document access operation to the policy engine code component,wherein the at least one rule is among a plurality of rules stored on the first computer, andwherein the at least one rule contains at least one expression used by the evaluating step to control document access operation;
  
  for a first application program on the first computer, performing the evaluating step for an operation of the first application program;
  
  for a second application program on the first computer, performing the evaluating step for an operation of the second application program;
  
  determining if the first computer contains a first piece of information required to evaluate the at least one rule;
  
  if the first computer contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule;
  
  if the first computer does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule;
  
  if the first computer is incapable of evaluating the at least one rule, determining a second computer connected over a network to the first computer, wherein the second computer has access to the first piece of information;
  
  confirming on the first computer that the second computer has an ability to interact with the evaluating step;
  
  determining first and second portions of the at least one rule, wherein evaluating the second portion of the at least one rule comprises accessing the first piece of information that causes the first computer to be incapable of evaluating the at least one rule;
  
  designating the second portion of the at least one rule to be evaluated with the first piece of information accessible by the second computer;
  
  accessing the first piece of information by the second computer;
  
  evaluating the second portion of the at least one rule with the accessed first piece of information accessed by the second computer;
  
  determining the first computer is capable of evaluating the first portion of the at least one rule by way of the first computer having access to a second piece of information required to evaluate the first portion of the at least one rule;
  
  designating the first portion of the at least one rule to be evaluated with the second piece of information accessible by the first computer;
  
  accessing the second piece of information by the first computer;
  
  evaluating the first portion of the at least one rule with the accessed second piece of information accessed by the first computer;
  
  based on the evaluated first portion of the at least one rule by the first computer and evaluated second portion of the least one rule by the second computer, determining whether to allow or deny the operation of the first application program;
  
  when the first computer is incapable of evaluating the at least one rule, transmitting an indication from the first computer to a helper decision point, wherein the indication comprises a request and a list of events; and
  
  based on the indication, determining at the helper decision point that the second computer has access to the first piece of information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 45)
- - 2. The method of claim 1 further comprising:
    - detecting document access operation within an application program.
  - 3. The method of claim 1 further comprising:
    - detecting document access operation within the first computer'"'"'s operating system.
  - 4. The method of claim 1 wherein the evaluating step evaluates rules using information based on any combination of:
    - type of document access operation, user, user group, role of a user, a user'"'"'s business function, host, type of computer, group of computers, application program, type of application program, application module, geographical location, access mechanism, connectivity, bandwidth, time of day, day of the week, file path, file name, document size, document time stamp, document owner, document properties, historical data from previous document access operations, document type, document format, document classification, document characteristics, document content, element in a database query, element in a database query result set, attribute of a database query result set, attribute of a database, or metadata.
  - 5. The method of claim 1 wherein a rule applies to at least one particular operation within an application program.
  - 6. The method of claim 1 wherein a rule applies to at least one particular operation within the first computer'"'"'s operating system.
  - 7. The method of claim 1 wherein the evaluating step monitors operations of an operating system on the first computer.
  - 8. The method of claim 1 wherein at least a subset of the plurality of rules stored on the first computer is preinstalled on the first computer.
  - 9. The method of claim 1 wherein at least a subset of the plurality of rules stored on the first computer is dynamically updated from a central database.
  - 10. The method of claim 1 wherein the communicating step further comprises wherein the indication is specified explicitly in the at least one rule using at least one of:
    - a keyword or directive.
  - 11. The method of claim 1 wherein the communicating step further comprises wherein the indication is specified implicitly by the at least one rule.
  - 12. The method of claim 1 wherein the second computer sends its rule evaluation capabilities to the first computer, and wherein the first computer verifies that the rule evaluation capabilities of the second computer meets requirements of the at least one rule.
  - 13. The method of claim 1 wherein the first computer queries the second computer whether the second computer can enforce a specific rule.
  - 14. The method of claim 1 wherein the first computer queries the second computer to verify that the second computer'"'"'s rule evaluation capabilities meets requirements of the at least one rule.
  - 15. The method of claim 1 wherein the evaluation step obtains information from the second computer in order to evaluate the at least one rule.
  - 16. The method of claim 1 wherein the evaluating step obtains information from a plurality of computers in order to evaluate the at least one rule.
  - 17. The method of claim 1 wherein the evaluating step delegates evaluation of a rule to the second computer.
  - 18. The method of claim 1 wherein the evaluating step delegates evaluation of a plurality of rules to the second computer.
  - 19. The method of claim 1 wherein the evaluating step instructs the second computer to perform an action as specified in a rule.
  - 20. The method of claim 19 wherein the evaluating step delegates evaluation of the plurality of rules to the second computer occurs after the rule has been evaluated.
  - 21. The method of claim 1 wherein the evaluating step instructs a plurality of computers to perform an action as specified in a rule.
  - 22. The method of claim 1 wherein the evaluating step posts an event to the second computer as specified in the evaluated at least one rule that causes the second computer to evaluate at least one rule.
  - 23. The method of claim 1 wherein the evaluating step posts an event to a plurality of computers as specified in the evaluated at least one rule that causes each computer to evaluate at least one rule.
  - 24. The method of claim 1 wherein the evaluating step posts an event to the second computer as specified in the evaluated at least one rule that causes the second computer to perform an action.
  - 25. The method of claim 1 wherein the confirming step further comprises:
    - transmitting, at the second computer, additional information to the first computer in a request of the document access operation; and
      
      obtaining, at the first computer, the additional information from the request and make the additional information available to the evaluating step.
  - 26. The method of claim 1 comprising:
    - processing on the second computer the at least one rule of the evaluating step;
      
      communicating to the first computer a consequence of the evaluating step, wherein the consequence of the evaluating step consists of a Boolean true or a Boolean false;
      
      at the first computer, allowing the document access operation when the consequence of the evaluating step is true; and
      
      at the first computer, prohibiting the document access operation when the consequence of the evaluating step is false.
  - 27. The method of claim 26 wherein the first piece of information is stored at the second computer.
  - 28. The method of claim 26 wherein the second computer does not include a policy enforcer.
  - 29. The method of claim 1 further comprising:
    - extracting from the at least one rule a first expression, wherein the first piece of information is required to evaluate the first expression, and the first expression comprises a conditional statement and a result when the conditional statement is satisfied;
      
      transferring the first expression to the second computer;
      
      at the second computer, processing the first expression to generate a consequence, wherein the consequence consists of a Boolean true or a Boolean false; and
      
      communicating the consequence of the first expression to the first computer.
  - 30. The method of claim 29, wherein the communicating the consequence of the first expression does not include the first piece of information.
  - 31. The method of claim 29 wherein the first expression is a command to execute a user-defined function on the second computer.
  - 32. The method of claim 29 comprising:
    - determining a third computer connected over a network to the first computer as indicated by the at least one rule, wherein the third computer has access to a second piece of information;
      
      extracting from the at least one rule a second expression, wherein the second piece of information is required to evaluate the second expression;
      
      transferring the second expression to the third computer;
      
      at the third computer, processing the second expression to generate a second consequence, wherein the second consequence consists of a Boolean true or a Boolean false; and
      
      communicating the consequence of the second expression to the first computer.
  - 33. The method of claim 1 wherein the at least one rule comprises an abstraction stored separately from the at least one rule.
  - 34. The method of claim 1 wherein the first piece of information comprises a result from a query to a lightweight directory access protocol (LDAP).
  - 35. The method of claim 1 wherein the determining the second computer connected over the network includes determining the at least one rule comprises an indication that the first piece of information is accessible at the second computer.
  - 36. The method of claim 1 wherein the determining the second computer connected over the network includes determining a configuration parameter, separate from the at least one rule, comprises an indication that the first piece of information is accessible at the second computer.
  - 37. The method of claim 1 comprising after evaluating the at least one rule, causing an obligation on a third computer to be executed.
  - 38. The method of claim 1 wherein the helper decision point executes on a third computer, separate from the first and second computers.
  - 45. The method of claim 1 further comprising:
    - transmitting an indication from the first computer to the second computer to access the first piece of information to evaluate the at least one rule.

39. A method comprising:
- providing an interceptor code component and a policy engine code component executing on a first computer, wherein the interceptor code component resides within an operating system layer executing on the first computer, and the policy engine code component is outside of the operating system layer;
  
  using the policy engine code component, evaluating a document access operation on a first computer,wherein the evaluating step evaluates at least one rule pertaining to the document access operation,wherein the evaluating step monitors operations of a plurality of application programs on the first computer, and the application programs are outside of the operating system layer,wherein the document access operation is initiated by an application program and detected by the interceptor code component, and the interceptor code component transfers handling of the document access operation to the policy engine code component,wherein the at least one rule is among a plurality of rules stored on the first computer, andwherein the at least one rule contains at least one expression used by the evaluating step to control document access operation;
  
  determining if the first computer has access to a first piece of information required to evaluate the at least one rule;
  
  if a first location contains the first piece of information required to evaluate the at least one rule, determining that the first computer is capable of evaluating the at least one rule;
  
  if the first location does not contain the first piece of information required to evaluate the at least one rule, determining that the first computer is incapable of evaluating the at least one rule;
  
  determining a portion of the at least one rule to be evaluated at a remote computer, accessible to the first computer over a network comprising;
  
  at the remote computer, determining first and second portions of the at least one rule, wherein evaluating the second portion of the at least one rule comprises accessing the first piece of information;
  
  designating the second portion of the at least one rule to be evaluated with the first piece of information accessible by a second computer, accessible to the first computer over a network;
  
  accessing the first piece of information by the second computer;
  
  transmitting information on the second portion of the at least one rule to the second computer;
  
  at the remote computer, evaluating the first portion of the at least one rule;
  
  at the remote computer, evaluating the second portion of the at least one rule with the accessed first piece of information by the second computer; and
  
  based on the evaluated first portion by the remote computer and the evaluated second portion by the second computer, determining at the remote computer whether to allow or deny the operation of the first application program;
  
  at the first computer, receiving from the remote computer through the network an evaluated result by the remote computer from the portion of the at least one rule;
  
  if the evaluated result by the remote computer is a Boolean true, permitting the document access operation on the first computer;
  
  if the evaluated result by the remote computer is a Boolean false, denying the document access operation on the first computer;
  
  when the first computer is incapable of evaluating the at least one rule, transmitting an indication from the first computer to a helper decision point, wherein the indication comprises a request and a list of events; and
  
  based on the indication, determining at the helper decision point that the second computer has access to the first piece of information.
- View Dependent Claims (40, 41, 42, 43, 44)
- - 40. The method of claim 39 wherein the document is stored at the first computer.
  - 41. The method of claim 40 wherein the document is stored at the second computer.
  - 42. The method of claim 39 wherein the first computer is a document server including a policy enforcer capable of deleting documents stored on the second computer,wherein the evaluating a document access operation at the first computer comprises a delete obligation on the document stored at the second computer, andwherein when the evaluating step evaluates to a Boolean true, the delete obligation to delete the document stored on the second computer is executed.
  - 43. The method of claim 42 wherein the access operation is performed on the document stored at the first computer, not the second computer.
  - 44. The method of claim 43 wherein when the delete obligation is executed, the document does not reside in memory of the first and second computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nextlas Incorporated
Original Assignee
Nextlas Incorporated
Inventors
Lim, Keng
Primary Examiner(s)
Chang, Tom Y

Application Number

US11/928,550
Publication Number

US 20080083014A1
Time in Patent Office

3,304 Days
Field of Search

709/229
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 21/6281   at program execution time, ...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/468   Specific access rights for ...

H04L 2463/101   applying security measures ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/28   Restricting access to netwo...

H04L 63/00   Network architectures or ne...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 63/30   for supporting lawful inter...

H04L 67/01   Protocols

Enforcing control policies in an information management system with two or more interactive enforcement points

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing control policies in an information management system with two or more interactive enforcement points

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links