Data security in a disconnected environment

US 9,705,670 B2
Filed: 07/25/2014
Issued: 07/11/2017
Est. Priority Date: 08/25/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for data protection comprising:

receiving a request at a client device from a user for access to a set of one or more data records encrypted with an encryption key and stored in a database comprising at least a plurality of data records;

accessing by the client device a maintained count associated with the encryption key, the maintained count comprising a sum of database data records encrypted with the encryption key accessed by the user while the client device is not communicatively coupled to a security system, wherein the security system is external to the client device;

responsive to a determination that a sum of the maintained count and a number of records in the requested set of records does not exceed a threshold stored at the client device, the threshold representing a number of records encrypted with the encryption key that the user is authorized to access while the client device is not communicatively coupled to the security system;

decrypting the set of data records;

providing the set of decrypted data records to the user; and

incrementing the maintained count responsive to providing the set of decrypted data records to the user by a number equal to a number of records included in the provided set of decrypted data records; and

responsive to a determination that the sum of the maintained count and the number of records in the requested set of records exceeds the threshold, denying the received request for access to the set of data records.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for the detection and prevention of intrusions in data at rest systems such as file systems and web servers. The systems and methods regulate access to sensitive data with minimal dependency on a communications network. Data access is quantitatively limited to minimize the data breaches resulting from, e.g., a stolen laptop or hard drive.

43 Citations

19 Claims

1. A computer-implemented method for data protection comprising:
- receiving a request at a client device from a user for access to a set of one or more data records encrypted with an encryption key and stored in a database comprising at least a plurality of data records;
  
  accessing by the client device a maintained count associated with the encryption key, the maintained count comprising a sum of database data records encrypted with the encryption key accessed by the user while the client device is not communicatively coupled to a security system, wherein the security system is external to the client device;
  
  responsive to a determination that a sum of the maintained count and a number of records in the requested set of records does not exceed a threshold stored at the client device, the threshold representing a number of records encrypted with the encryption key that the user is authorized to access while the client device is not communicatively coupled to the security system;
  
  decrypting the set of data records;
  
  providing the set of decrypted data records to the user; and
  
  incrementing the maintained count responsive to providing the set of decrypted data records to the user by a number equal to a number of records included in the provided set of decrypted data records; and
  
  responsive to a determination that the sum of the maintained count and the number of records in the requested set of records exceeds the threshold, denying the received request for access to the set of data records.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein denying the received request comprises prompting the user to connect the client device to the security system.
  - 3. The method of claim 2, further comprising:
    - receiving instructions from the security system to reset the maintained count in response to the establishment of a connection between the client device and the security system; and
      
      resetting the maintained count in response to the received instructions.
  - 4. The method of claim 2, further comprising:
    - receiving instructions from the security system to modify the threshold in response to the establishment of a connection between the client device and the security system; and
      
      modifying the threshold in response to the received instructions.
  - 5. The method of claim 4, wherein the request is received via a network layer, and wherein the threshold is modified only for further requests received via the network layer.
  - 6. The method of claim 1, further comprising:
    - receiving a request from the user to perform a number of operations on the provided data records;
      
      accessing by the client device a second maintained count comprising a number of operations the user has performed on accessed data records while the client device is not communicatively coupled to the security system;
      
      responsive to a determination that the sum of the second maintained count and the number of requested operations does not exceed a second threshold stored at the client device representing a number of operations the user is authorized to perform on provided data records while the client device is not communicatively coupled to the security system;
      
      performing the requested operations on the provided data records; and
      
      incrementing the second maintained count response to performing the operations on the provided data records by a number equal to the number of operations performed on the provided data records; and
      
      responsive to a determination that the sum of the second maintained count and the number of requested operations exceeds the second threshold, denying the request to perform operations on the provided data records.

7. A non-transitory computer-readable storage medium storing computer-executable instructions for data protection, the instructions comprising instructions for:
- receiving a request at a client device from a user for access to a set of one or more data records encrypted with an encryption key and stored in a database comprising at least a plurality of data records;
  
  accessing by the client device a maintained count associated with the encryption key, the maintained count comprising a sum of database data records encrypted with the encryption key accessed by the user while the client device is not communicatively coupled to a security system, wherein the security system is external to the client device;
  
  responsive to a determination that a sum of the maintained count and a number of records in the requested set of records does not exceed a threshold stored at the client device, the threshold representing a number of records encrypted with the encryption key that the user is authorized to access while the client device is not communicatively coupled to the security system;
  
  decrypting the set of data records;
  
  providing the set of decrypted data records to the user; and
  
  incrementing the maintained count responsive to providing the set of decrypted data records to the user by a number equal to a number of records included in the provided set of decrypted data records; and
  
  responsive to a determination that the sum of the maintained count and the number of records in the requested set of records exceeds the threshold, denying the received request for access to the set of data records.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer-readable storage medium of claim 7, wherein denying the received request comprises prompting the user to connect the client device to the security system.
  - 9. The non-transitory computer-readable storage medium of claim 8, further comprising instructions for:
    - receiving instructions from the security system to reset the maintained count in response to the establishment of a connection between the client device and the security system; and
      
      resetting the maintained count in response to the received instructions.
  - 10. The non-transitory computer-readable storage medium of claim 8, further comprising instructions for:
    - receiving instructions from the security system to modify the threshold in response to the establishment of a connection between the client device and the security system; and
      
      modifying the threshold in response to the received instructions.
  - 11. The non-transitory computer-readable storage medium of claim 10, wherein the request is received via a network layer, and wherein the threshold is modified only for further requests received via the network layer.
  - 12. The non-transitory computer-readable storage medium of claim 7, further comprising instructions for:
    - receiving a request from the user to perform a number of operations on the provided data records;
      
      accessing by the client device a second maintained count comprising a number of operations the user has performed on accessed data records while the client device is not communicatively coupled to the security system;
      
      responsive to a determination that the sum of the second maintained count and the number of requested operations does not exceed a second threshold stored at the client device representing a number of operations the user is authorized to perform on provided data records while the client device is not communicatively coupled to the security system;
      
      performing the requested operations on the provided data records; and
      
      incrementing the second maintained count response to performing the operations on the provided data records by a number equal to the number of operations performed on the provided data records; and
      
      responsive to a determination that the sum of the second maintained count and the number of requested operations exceeds the second threshold, denying the request to perform operations on the provided data records.

13. A system for data protection comprising:
- a non-transitory computer-readable storage medium storing executable computer instructions for;
  
  receiving a request at a client device from a user for access to a set of one or more data records encrypted with an encryption key and stored in a database comprising at least a plurality of data records;
  
  accessing by the client device a maintained count associated with the encryption key, the maintained count comprising a sum of database data records encrypted with the encryption key accessed by the user while the client device is not communicatively coupled to a security system, wherein the security system is external to the client device;
  
  responsive to a determination that a sum of the maintained count and a number of records in the requested set of records does not exceed a threshold stored at the client device, the threshold representing a number of records encrypted with the encryption key that the user is authorized to access while the client device is not communicatively coupled to the security system;
  
  decrypting the set of data records;
  
  providing the set of decrypted data records to the user; and
  
  incrementing the maintained count responsive to providing the set of decrypted data records to the user by a number equal to a number of records included in the provided set of decrypted data records; and
  
  responsive to a determination that the sum of the maintained count and the number of records in the requested set of records exceeds the threshold, denying the received request for access to the set of data records; and
  
  a processor configured to execute the instructions.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein denying the received request comprises prompting the user to connect the client device to the security system.
  - 15. The system of claim 14, the instructions further comprising instructions for:
    - receiving instructions from the security system to reset the maintained count in response to the establishment of a connection between the client device and the security system; and
      
      resetting the maintained count in response to the received instructions.
  - 16. The system of claim 14, the instructions further comprising instructions for:
    - receiving instructions from the security system to modify the threshold in response to the establishment of a connection between the client device and the security system; and
      
      modifying the threshold in response to the received instructions.
  - 17. The system of claim 16, wherein the request is received via a network layer, and wherein the threshold is modified only for further requests received via the network layer.
  - 18. The system of claim 13, the instructions further comprising instructions for:
    - receiving a request from the user to perform a number of operations on the provided data records;
      
      accessing by the client device a second maintained count comprising a number of operations the user has performed on accessed data records while the client device is not communicatively coupled to the security system;
      
      responsive to a determination that the sum of the second maintained count and the number of requested operations does not exceed a second threshold stored at the client device representing a number of operations the user is authorized to perform on provided data records while the client device is not communicatively coupled to the security system;
      
      performing the requested operations on the provided data records; and
      
      incrementing the second maintained count response to performing the operations on the provided data records by a number equal to the number of operations performed on the provided data records; and
      
      responsive to a determination that the sum of the second maintained count and the number of requested operations exceeds the second threshold, denying the request to perform operations on the provided data records.

19. A computer-implemented method for data protection comprising:
- receiving a request at a client device from a user for access to a set of one or more protected data records stored in a database comprising at least a plurality of data records, the set of protected data records comprising encoded data records;
  
  accessing by the client device a maintained count associated with the user, the maintained count comprising a sum of protected database data records accessed by the user while the client device is not communicatively coupled to a security system, wherein the security system is external to the client device;
  
  responsive to a determination that a sum of the maintained count and a number of records in the requested set of records does not exceed a threshold stored at the client device, the threshold representing a number of protected records that the user is authorized to access while the client device is not communicatively coupled to the security system;
  
  decoding the set of data records;
  
  providing the set of decoded data records to the user; and
  
  incrementing the maintained count responsive to providing the set of decoded data records to the user by a number equal to a number of records included in the provided set of decoded data records; and
  
  responsive to a determination that the sum of the maintained count and the number of records in the requested set of records exceeds the threshold, denying the received request for access to the set of data records.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Mattsson, Ulf
Primary Examiner(s)
Abyaneh, Ali

Application Number

US14/340,870
Publication Number

US 20140337623A1
Time in Patent Office

1,082 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6227   where protection concerns t...

G06F 21/6236   between heterogeneous systems

G06F 21/88   Detecting or preventing the...

G06F 2221/2107   File encryption

G06F 2221/2135   Metering

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0816   Key establishment, i.e. cry...

Data security in a disconnected environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data security in a disconnected environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links