Access blocking for data loss prevention in collaborative environments

US 9,697,349 B2
Filed: 02/24/2015
Issued: 07/04/2017
Est. Priority Date: 10/26/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device to provide access blocking as part of data loss prevention (DLP) within a collaborative service environment, the computing device comprising:

a memory configured to store instructions; and

a processor coupled to the memory, wherein the processor is configured to;

detect an action associated with content processed by a collaborative service;

determine if the action matches access blocking criteria defined by one or more DLP policy rules;

in response to a determination that the action matches at least one access blocking criterion defined by the one or more DLP policy rules, activate a block access tag associated with the content, ignore previously defined permissions associated with the content, and restrict access to the content to users; and

in response to a determination that the action does not match at least one of the access blocking criterion,provide a notification to the users through a user experience of the collaborative service, wherein the notification includes a link to a DLP policy document that includes the one or more DLP policy rules, a link to a location of the content, and control elements associated with one or more actions; and

enable one or more of the users to execute one or more of the control elements to deactivate the block access tag, reinstate the previously defined permissions associated with the content, and revoke the restricted access to the content.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data loss prevention (DLP) systems may be implemented with collaborative services that may be integrated with or work in coordination with productivity services. Administrators may be enabled to configure DLP policies in the collaborative service to mitigate their organization'"'"'s information disclosure risks, along with the detection and remediation of sensitive information. Access blocking may be a feature of the DLP system, where provision of access blocking may include determining if a detected action associated with content processed by the collaborative service matches access blocking criteria defined by DIP policy rules. In response to the determination that the action matches at least one access blocking criterion defined by the DLP policy rules, a block access tag associated with the content may be activated, previously defined permissions associated with the content may be ignored or altered, and access to the content may be restricted to a number of predefined users.

Citations

18 Claims

1. A computing device to provide access blocking as part of data loss prevention (DLP) within a collaborative service environment, the computing device comprising:
- a memory configured to store instructions; and
  
  a processor coupled to the memory, wherein the processor is configured to;
  
  detect an action associated with content processed by a collaborative service;
  
  determine if the action matches access blocking criteria defined by one or more DLP policy rules;
  
  in response to a determination that the action matches at least one access blocking criterion defined by the one or more DLP policy rules, activate a block access tag associated with the content, ignore previously defined permissions associated with the content, and restrict access to the content to users; and
  
  in response to a determination that the action does not match at least one of the access blocking criterion,provide a notification to the users through a user experience of the collaborative service, wherein the notification includes a link to a DLP policy document that includes the one or more DLP policy rules, a link to a location of the content, and control elements associated with one or more actions; and
  
  enable one or more of the users to execute one or more of the control elements to deactivate the block access tag, reinstate the previously defined permissions associated with the content, and revoke the restricted access to the content.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing device of claim 1, wherein the users include one or more of an owner, an administrator, and a last modifier.
  - 3. The computing device of claim 1, wherein the restricted access to the content includes one or more of read, edit, and share permissions.
  - 4. The computing device of claim 1, wherein the action includes an insertion of sensitive information into the content.
  - 5. The computing device of claim 1, wherein the action is detected as a part of an evaluation of the content in response to one of:
    - an opening of the content, an editing of the content, a sharing of the content, a copying of the content, a moving of the content, a publishing of the content, a saving of the content, a printing of the content, an uploading of the content, a downloading of the content, and an expiration of a predefined time interval.
  - 6. The computing device of claim 1, wherein another notification is provided to the users through the user experience of the collaborative service to indicate the restricted access to the content.
  - 7. The computing device of claim 1,wherein the computing device is associated with a client, andwherein the processor is configured to execute one or more of a classification engine and a policy engine to perform the action.

8. A system to provide access blocking as part of data loss prevention (DLP) within a collaborative service environment, the system comprising:
- a first computing device comprising a memory and a hardware processor, wherein the hardware processor is configured to provide access to one or more applications within the collaborative service; and
  
  a second computing device comprising another memory and another hardware processor, wherein the second computing device is configured to manage the DLP within the collaborative service, and wherein the other hardware processor is configured to execute an access blocking module configured to;
  
  detect an action associated with content processed by the collaborative service;
  
  determine if the action matches access blocking criteria defined by one or more DLP policy rules;
  
  in response to a determination that the action matches at least one access blocking criterion defined by the one or more DLP policy rules, activate a block access tag associated with the content, ignore previously defined permissions associated with the content, and restrict access to the content to users; and
  
  in response to a determination that the action does not match at least one of the access blocking criterion,provide a notification to the users through a user experience of the collaborative service, wherein the notification includes a link to a DLP policy document that includes the one or more DLP policy rules, a link to a location of the content, and control elements associated with one or more actions; and
  
  enable one or more of the users to execute one or more of the control elements to deactivate the block access tag, reinstate the previously defined permissions associated with the content, and revoke the restricted access to the content.
- View Dependent Claims (9)
- - 9. The system of claim 8, wherein the other processor is further configured to enable the users to one or more of:
    - remove information corresponding to the at least one access blocking criterion from the content,remove offending users with access to the content,override the restricted access to the content and provide a business justification for the override,report a false positive associated with the information corresponding to the at least one access blocking criterion from the content, andrequest one of a policy check and a reclassification through the user experience of the collaborative service.

10. A method to provide access blocking as part of data loss prevention (DLP) within a collaborative service environment, the method comprising:
- detecting sensitive information within content processed by the collaborative service;
  
  determining if the sensitive information matches access blocking criteria defined by one or more DLP policy rules;
  
  in response to a determination that the sensitive information matches at least one access blocking criterion defined by the one or more DLP policy rules, activating a block access tag associated with the content, ignoring previously defined permissions associated with the content, and restricting access to the content to users; and
  
  in response to a determination that the action does not match at least one of the access blocking criterion,providing a notification to the users through a user experience of the collaborative service, wherein the notification includes a link to a DLP policy document that includes the one or more DLP policy rules, a link to a location of the content, and control elements associated with one or more actions; and
  
  enabling one or more of the users to execute one or more of the control elements to deactivate the block access tag, reinstate the previously defined permissions associated with the content, and revoke the restricted access to the content.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, further comprising:
    - enabling the users to override the restricted access to the content through the user experience of the collaborative service.
  - 12. The method of claim 10, further comprising:
    - enabling the users to report a false positive associated with the sensitive information through the user experience of the collaborative service.
  - 13. The method of claim 10, further comprising:
    - enabling the users to share the content through the user experience of the collaborative service.
  - 14. The method of claim 10, further comprising:
    - one or more of detecting removal of the information, detecting removal of offending users with access to the content, and detecting one of an override of the restricted access to the content and a reported false positive associated with the sensitive information by the users.
  - 15. The method of claim 10, further comprising:
    - employing at least one from a set of;
      
      a textual scheme, a graphical scheme, an audio scheme, an animation scheme, a coloring scheme, a highlighting scheme, and a shading scheme in the user experience of the collaborative service to indicate the content with restricted access.
  - 16. The method of claim 10, further comprising:
    - persisting the block access tag associated with the content to an index of the collaborative service.
  - 17. The method of claim 10, further comprising:
    - recording one or more of the match, the restricted access to the content, an override of the restricted access to the content, and a reported false positive associated with the sensitive information within a log associated with the collaborative service.
  - 18. The method of claim 10, further comprising:
    - generating an entry within one or more of an audit log and a server log to indicate one or more of the access to the content is restricted, the restricted access to the content is revoked, and if the restricted access to the content is overridden or the sensitive information is reported as a false positive by the users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Li, Yu, Jones, Willard Bruce, Wilhelm, Ryan, Holley, Richard Wesley
Primary Examiner(s)
DOAN, TRANG T

Application Number

US14/630,435
Publication Number

US 20160117495A1
Time in Patent Office

861 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/44   Program or device authentic...

G06F 21/6209   to a single file or object,...

G06F 40/103   Formatting, i.e. changing o...

G06Q 10/103   Workflow collaboration or p...

H04L 63/105   Multiple levels of security

H04L 67/10   in which an application is ...

Access blocking for data loss prevention in collaborative environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Access blocking for data loss prevention in collaborative environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links