Preserving data protection with policy

US 9,825,945 B2
Filed: 09/09/2014
Issued: 11/21/2017
Est. Priority Date: 09/09/2014
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a computing device, the method comprising:

identifying an entity-trusted application on the computing device, the entity-trusted application configured to access data that is associated with an identifier of an entity that sets a data protection policy controlling access to the data;

associating a first process that is a running instance of the entity-trusted application with the identifier of the entity associated with the data; and

enforcing, by an operating system of the computing device, the data protection policy of the entity, the enforcing including;

automatically encrypting, by the operating system in accordance with the data protection policy, data saved by the first process;

associating the data saved by the first process with the identifier of the entity; and

preventing, by the operating system in accordance with the data protection policy, a second process that is a running instance of an entity-untrusted application from accessing the encrypted data associated with the identifier of the entity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data files are encrypted based on a key associated with an entity that sets a data protection policy controlling access to the data files. The data protection policy identifies various restrictions on how the plaintext data of the encrypted data in the data files can be used. The data files have corresponding metadata identifying the entity that sets the data protection policy, and processes that are running instances of applications that are allowed to access the plaintext data are also associated with the identifier of the entity. These identifiers of the entity, as well as the data protection policy, are used by an operating system of a computing device to protect the data in accordance with the data protection policy, including having the protection be transferred to other devices with the protected data, or preventing the protected data from being transferred to other devices.

Citations

20 Claims

1. A method implemented in a computing device, the method comprising:
- identifying an entity-trusted application on the computing device, the entity-trusted application configured to access data that is associated with an identifier of an entity that sets a data protection policy controlling access to the data;
  
  associating a first process that is a running instance of the entity-trusted application with the identifier of the entity associated with the data; and
  
  enforcing, by an operating system of the computing device, the data protection policy of the entity, the enforcing including;
  
  automatically encrypting, by the operating system in accordance with the data protection policy, data saved by the first process;
  
  associating the data saved by the first process with the identifier of the entity; and
  
  preventing, by the operating system in accordance with the data protection policy, a second process that is a running instance of an entity-untrusted application from accessing the encrypted data associated with the identifier of the entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method as recited in claim 1, the enforcing further including:
    - decrypting, by the operating system, data read by the first process; and
      
      providing the decrypted data to the first process.
  - 3. The method as recited in claim 1, the entity-trusted application being an enlightened application, and enforcing the data protection policy includes enforcing the data protection policy in response to a request from the first process for the operating system to treat the enlightened application as an unenlightened application.
  - 4. The method as recited in claim 3, the first process including multiple threads, and the enforcing the data protection policy includes enforcing the data protection policy for a first set of one or more of the multiple threads but not for a second set of one or more of the multiple threads.
  - 5. The method as recited in claim 1, further comprising treating the entity-trusted application as being an untrusted application for at least part of the data protection policy in response to a request from the first process for the operating system to treat the entity-trusted application as an entity-untrusted application.
  - 6. The method as recited in claim 1, the first process having multiple threads, and the first process requesting that the operating system treat a first set of one or more of the multiple threads, but not a second set of one or more of the multiple threads, as untrusted to obtain different policy enforcement behavior for the first set of one or more threads than for the second set of one or more threads.
  - 7. The method as recited in claim 1, the enforcing further including protecting the data when communicating the data to another device via a network.
  - 8. The method as recited in claim 1, the enforcing further including protecting the data during buffer read operations and buffer write operations.
  - 9. The method as recited in claim 1, the enforcing further including protecting the data during clipboard read operations and clipboard write operations.
  - 10. The method as recited in claim 1, the enforcing further including saving the encrypted data in a container file that includes both metadata and the encrypted data, the metadata including the identifier of the entity.
  - 11. The method as recited in claim 10, the enforcing further including allowing the entity-untrusted application to operate on the container file but not decrypting the encrypted data for the entity-untrusted application.
  - 12. The method as recited in claim 1, the automatically encrypting comprising encrypting first data written by the entity-trusted application but not encrypting second data written by the entity-trusted application.
  - 13. The method as recited in claim 1, further comprising performing the enforcing in the absence of logical or visual isolation of:
    - the entity-trusted application and the entity-untrusted application in separate application containers; and
      
      a user of the computing device logging into different user accounts.

14. A computing device comprising:
- a processing system comprising one or more processors; and
  
  one or more computer-readable storage media having stored thereon multiple instructions that, when executed by the processing system, cause the processing system to perform acts comprising;
  
  identifying an entity-trusted application on the computing device, the entity-trusted application configured to access data that is associated with an identifier of an entity that sets a data protection policy controlling access to the data;
  
  associating a first process that is a running instance of the entity-trusted application with the identifier of the entity; and
  
  enforcing, by an operating system of the computing device, the data protection policy of the entity, the enforcing including;
  
  automatically encrypting, by the operating system in accordance with the data protection policy, data saved by the first process;
  
  associating the data saved by the first process with the identifier of the entity; and
  
  preventing, by the operating system in accordance with the data protection policy, a second process that is a running instance of an entity-untrusted application from accessing the encrypted data associated with the identifier of the entity.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computing device as recited in claim 14, the enforcing further including:
    - decrypting, by the operating system, data read by the first process; and
      
      providing the decrypted data to the first process.
  - 16. The computing device as recited in claim 14, the entity-trusted application being an enlightened application, and enforcing the data protection policy includes enforcing the data protection policy in response to a request from the first process for the operating system to treat the enlightened application as an unenlightened application.
  - 17. The computing device as recited in claim 14, the acts further comprising treating the entity-trusted application as being an untrusted application for at least part of the data protection policy in response to a request from the first process for the operating system to treat the entity-trusted application as an entity-untrusted application.
  - 18. The computing device as recited in claim 14, the enforcing further including protecting the data when communicating the data to another device via a network.
  - 19. The computing device as recited in claim 14, the enforcing further including saving the encrypted data in a container file that includes both metadata and the encrypted data, the metadata including the identifier of the entity.

20. A method implemented on a computing device, the method comprising:
- identifying an entity-trusted application on the computing device, the entity-trusted application configured to access data that is associated with an entity that sets a data protection policy controlling access to the data;
  
  associating a first process that is a running instance of the entity-trusted application with an identifier of the entity;
  
  enforcing, by an operating system of the computing device, the data protection policy of the entity, the enforcing including;
  
  automatically encrypting, by the operating system in accordance with the data protection policy, data saved by the first process; and
  
  preventing, by the operating system in accordance with the data protection policy, a second process that is a running instance of an entity-untrusted application from accessing the encrypted data; and
  
  treating the entity-trusted application as being an untrusted application for at least part of the data protection policy in response to a request from the first process for the operating system to treat the entity-trusted application as an entity-untrusted application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Adam, Preston Derek, Acharya, Narendra S., Basmov, Innokentiy, Ureche, Octavian T., Mehta, Yogesh A., Semenko, Alex M.
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/481,672
Publication Number

US 20160072796A1
Time in Patent Office

1,169 Days
Field of Search

713159
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6281   at program execution time, ...

G06F 2221/2107   File encryption

H04L 63/0853   using an additional device,...

H04L 63/20   for managing network securi...

Preserving data protection with policy

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Preserving data protection with policy

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links