System and method to provide server control for access to mobile client data

US 9,594,921 B2
Filed: 07/23/2012
Issued: 03/14/2017
Est. Priority Date: 03/02/2012
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a data item, comprising:

upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score of the data item, a level of confidence that a user of a client device is an authorized user, and a current protection level of the data item, wherein the determining a level of confidence further comprises;

assigning a score to each authentication option;

determining an accumulated score by accumulating scores for two or more authentication options provided by the client device; and

comparing the accumulated score with a minimum score needed to access the protected data item;

applying a policy to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level, wherein the sensitivity score is based on one or more of a value of the data item to a particular individual or organization, a cost of recreating the data item if destroyed or modified, andpotential losses caused directly or indirectly by the data item being made available to non-authorized individuals or organizations;

providing a protected data item to the client device by applying the appropriate protection to the data item, wherein a unique encryption key is employed for each application of a protection technique on each of one or more data items; and

in accordance with the level of confidence, providing access to the protected data item to the client device, wherein the providing access includes sending to the client device one or more of a decryption key and obfuscation inversion function corresponding to an appropriate level of redaction of the protected data item, wherein the appropriate level of redaction is based on the access history of the user of the client device and the context of the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

30 Citations

View as Search Results

23 Claims

1. A method for protecting a data item, comprising:
- upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score of the data item, a level of confidence that a user of a client device is an authorized user, and a current protection level of the data item, wherein the determining a level of confidence further comprises;
  
  assigning a score to each authentication option;
  
  determining an accumulated score by accumulating scores for two or more authentication options provided by the client device; and
  
  comparing the accumulated score with a minimum score needed to access the protected data item;
  
  applying a policy to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level, wherein the sensitivity score is based on one or more of a value of the data item to a particular individual or organization, a cost of recreating the data item if destroyed or modified, andpotential losses caused directly or indirectly by the data item being made available to non-authorized individuals or organizations;
  
  providing a protected data item to the client device by applying the appropriate protection to the data item, wherein a unique encryption key is employed for each application of a protection technique on each of one or more data items; and
  
  in accordance with the level of confidence, providing access to the protected data item to the client device, wherein the providing access includes sending to the client device one or more of a decryption key and obfuscation inversion function corresponding to an appropriate level of redaction of the protected data item, wherein the appropriate level of redaction is based on the access history of the user of the client device and the context of the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as recited in claim 1, wherein determining the sensitivity score includes:
    - determining sensitivity scores for classes of data on the server;
      
      determining a class of the data item from the classes of data on the server; and
      
      assigning a sensitivity score corresponding to the class of the data item as the sensitivity score of the data item.
  - 3. The method as recited in claim 1, wherein applying the policy includes determining the appropriate protection based upon one or more of features of the data item and features of the client device.
  - 4. The method as recited in claim 3, wherein features of the data item include one or more of type, creator, and indicator of the data item.
  - 5. The method as recited in claim 3, wherein features of the client device include one or more of a history of compromises, an ownership status, an operating system, a version of the operating system, applications stored on the client device, a patch status, suspected malware, a status of a network connected to the client device, and an application of the client device used to access the data item.
  - 6. The method as recited in claim 1, wherein providing the protected data item includes providing a link referring to the protected data item.
  - 7. The method as recited in claim 1, wherein the initiation of transfer includes at least one of a request from the client device and a server initiated transfer of the data item.
  - 8. The method as recited in claim 7, wherein the request from the client device is due to at least one of a user request, a scheduled request, a signal received by a sensor of the client device, and an event external from the client device.
  - 9. The method as recited in claim 7, wherein the server initiated transfer is due to at least one of a request from the client device, a request from a second device, receiving data from the second device, and a scheduled transfer.
  - 10. The method as recited in claim 1, wherein applying the appropriate protection includes at least one of applying encryption, redaction, invertible obfuscation, and non-invertible obfuscation.
  - 11. The method as recited in claim 1, wherein the protected data item includes more than one copy of the data item, wherein at least two of the more than one copy of the data item are protected by different methods of protection.
  - 12. The method as recited in claim 1, wherein the client device is a mobile device.

13. A non-transitory computer readable storage medium comprising a computer readable program for transferring a data item, wherein the computer readable program when executed on a computer causes the computer to perform:
- upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score of the data item, a level of confidence that a user of a client device is an authorized user, and a current protection level of the data item, wherein the determining a level of confidence further comprises;
  
  assigning a score to each authentication option;
  
  determining an accumulated score by accumulating scores for two or more authentication options provided by the client device; and
  
  comparing the accumulated score with a minimum score needed to access the protected data item;
  
  applying a policy to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level, wherein the sensitivity score is based on one or more of a value of the data item to a particular individual or organization, a cost of recreating the data item if destroyed or modified, and potential losses caused directly or indirectly by the data item being made available to non-authorized individuals or organizations;
  
  providing a protected data item to the client device by applying the appropriate protection to the data item, wherein a unique encryption key is employed for each application of a protection technique on each of one or more data items; and
  
  in accordance with the level of confidence, providing access to the protected data item to the client device, wherein the providing access includes sending to the client device one or more of a decryption key and obfuscation inversion function corresponding to an appropriate level of redaction of the protected data item, wherein the appropriate level of redaction is based on the access history of the user of the client device and the context of the client device.

14. A method for protecting a data item, comprising:
- upon initiation of transfer of the data item from a server to a mobile device, determining a sensitivity score of the data item, a level of confidence that a user of a client device is an authorized user, and a current protection level of the data item using a data protection server, wherein the determining a level of confidence further comprises;
  
  assigning a score to each authentication option;
  
  determining an accumulated score by accumulating scores for two or more authentication options provided by the client device; and
  
  comparing the accumulated score with a minimum score needed to access the protected data item;
  
  applying a policy to determine an appropriate protection for the data item using the data protection server, wherein the appropriate protection is based upon the sensitivity score, the current protection level, and features of at least one of the data item and the mobile device, wherein the sensitivity score is based on one or more of a value of the data item to a particular individual or organization, a cost of recreating the data item if destroyed or modified, and potential losses caused directly or indirectly by the data item being made available to non-authorized individuals or organizations;
  
  providing a protected data item to the mobile device by applying the appropriate protection to the data item using the data protection server, wherein a unique encryption key is employed for each application of a protection technique on each of one or more data items; and
  
  in accordance with the level of confidence, providing access to the protected data item to the client device, wherein the providing access includes sending to the client device one or more of a decryption key and obfuscation inversion function corresponding to an appropriate level of redaction of the protected data item, wherein the appropriate level of redaction is based on the access history of the user of the client device and the context of the client device.

15. A method for accessing a protected data item, comprising:
- responsive to a request to access the protected data item, determining a level of confidence that a user of a client device is an authorized user of the client device to determine eligibility of the user to access the protected data item, wherein the level of confidence is based on a context of the client device, an authentication history of the client device, an access history of the user of the client device, and a confidence in a type of authentication method employed to access the protected data item, wherein the determining a level of confidence further comprises;
  
  assigning a score to each authentication option;
  
  determining an accumulated score by accumulating scores for two or more authentication options provided by the client device; and
  
  ,comparing the accumulated score with a minimum score needed to access the protected data item; and
  
  in accordance with the level of confidence, providing access to the protected data item to the client device such that a level of confidence needed to access the protected data item is based upon a sensitivity score of the protected data item, wherein the sensitivity score is based on one or more of a value of the data item to a particular individual or organization, a cost of recreating the data item if destroyed or modified, and potential losses caused directly or indirectly by the data item being made available to non-authorized individuals or organizations,wherein the providing access includes sending to the client device one or more of a decryption key and obfuscation inversion function corresponding to an appropriate level of redaction of the protected data item, wherein the appropriate level of redaction is based on the access history of the user of the client device and the context of the client device.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method as recited in claim 15, wherein the context of the client device includes one or more of a current location, a location history, a history of compromises, an ownership status, an operating system, a version of the operating system, an application stored on the client device, a patch status, suspected malware, and a security status of a network connected to the client device.
  - 17. The method as recited in claim 15, wherein the level of confidence is based on a context of the user, wherein the context of the user includes one or more of a management status, a business role, an access history to sensitive data items, a history of device loss, and an access history of the user.
  - 18. The method as recited in claim 15, wherein determining the accumulated score includes modifying the score for one or more authentication options provided by the client device based on one or more of a context of the client device at a time of authentication, contexts of the client device since authentication, and an amount of time passed since authentication.
  - 19. The method as recited in claim 15, further comprising requesting additional authentication information from the user based on the level of confidence, wherein requesting additional authentication information includes:
    - providing a list of one or more additional authentication options to the client device such that a set of one or more of the additional authentication options will make the user eligible to access the protected data item; and
      
      receiving one or more additional authentication options.
  - 20. The method as recited in claim 15, further comprising sending authentication challenges to the client device in accordance with the level of confidence.
  - 21. The method as recited in claim 15, further comprising requesting additional authentication information by contacting a third party to verify an identity of the user.

22. A non-transitory computer readable storage medium comprising a computer readable program for transferring a data item, wherein the computer readable program when executed on a computer causes the computer to perform:
- responsive to a request to access the protected data item, determining a level of confidence that a user of a client device is an authorized user of the client device to determine eligibility of the user to access the protected data item, wherein the level of confidence is based on a context of the client device, an authentication history of the client device, an access history of the user of the client device, and a confidence in a type of authentication method employed to access the protected data item, wherein the determining a level of confidence further comprises;
  
  assigning a score to each authentication option;
  
  determining an accumulated score by accumulating scores for two or more authentication options provided by the client device; and
  
  comparing the accumulated score with a minimum score needed to access the protected data item; and
  
  in accordance with the level of confidence, providing access to the protected data item to the client device such that a level of confidence needed to access the protected data item is based upon a sensitivity score of the protected data item, wherein the sensitivity score is based on one or more of a value of the data item to a particular individual or organization, a cost of recreating the data item if destroyed or modified, and potential losses caused directly or indirectly by the data item being made available to non-authorized individuals or organizations,wherein the providing access includes sending to the client device one or more of a decryption key and obfuscation inversion function corresponding to an appropriate level of redaction of the protected data item, wherein the appropriate level of redaction is based on the access history of the user of the client device and the context of the client device.

23. A method for accessing a protected data item, comprising:
- responsive to a request to access the protected data item, determining a level of confidence that a user of a mobile device is an authorized user of the mobile device to determine eligibility of the user to access the protected data item using a data protection server, wherein the level of confidence is based on a context of the client device, an authentication history of the client device, an access history of the user of the client device, and a confidence in a type of authentication method employed to gain access the protected data item, wherein the determining a level of confidence further comprises;
  
  assigning a score to each authentication option;
  
  determining an accumulated score by accumulating scores for two or more authentication options provided by the client device; and
  
  comparing the accumulated score with a minimum score needed to access the protected data item; and
  
  in accordance with the level of confidence, providing access to the protected data item to the client device using the data protection system such that a level of confidence needed to access the protected data item is based upon a sensitivity score of the protected data item, wherein the sensitivity score is based on one or more of a value of the data item to a particular individual or organization, a cost of recreating the data item if destroyed or modified, and potential losses caused directly or indirectly by the data item being made available to non-authorized individuals or organizations,wherein the providing access includes sending to the client device one or more of a decryption key and obfuscation inversion function corresponding to an appropriate level of redaction of the protected data item, wherein the appropriate level of redaction is based on the access history of the user of the client device and the context of the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Cheng, Pau-Chen, Gates, Stephen C., Koved, Lawrence, Teiken, Wilfried
Primary Examiner(s)
Wang, Harris C

Application Number

US13/555,905
Publication Number

US 20130232542A1
Time in Patent Office

1,695 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 2209/80   Wireless network architectu...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/20   for managing network securi...

H04L 9/14   using a plurality of keys o...

H04W 12/06   Authentication

System and method to provide server control for access to mobile client data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to provide server control for access to mobile client data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links