Preserving data protection with policy
Abstract
Data files are encrypted based on a key associated with an entity that sets a data protection policy controlling access to the data files. The data protection policy identifies various restrictions on how the plaintext data of the encrypted data in the data files can be used. The data files have corresponding metadata identifying the entity that sets the data protection policy, and processes that are running instances of applications that are allowed to access the plaintext data are also associated with the identifier of the entity. These identifiers of the entity, as well as the data protection policy, are used by an operating system of a computing device to protect the data in accordance with the data protection policy, including having the protection be transferred to other devices with the protected data, or preventing the protected data from being transferred to other devices.
20 Claims
1. A method implemented in a computing device, the method comprising:
- identifying an entity-trusted application on the computing device, the entity-trusted application configured to access data that is associated with an identifier of an entity that sets a data protection policy controlling access to the data;
- associating a first process that is a running instance of the entity-trusted application with the identifier of the entity associated with the data; and
- enforcing, by an operating system of the computing device, the data protection policy of the entity, the enforcing including:
  - automatically encrypting, by the operating system in accordance with the data protection policy, data saved by the first process;
  - associating the data saved by the first process with the identifier of the entity; and
  - preventing, by the operating system in accordance with the data protection policy, a second process that is a running instance of an entity-untrusted application from accessing the encrypted data associated with the identifier of the entity.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A computing device comprising:
- a processing system comprising one or more processors; and
- one or more computer-readable storage media having stored thereon multiple instructions that, when executed by the processing system, cause the processing system to perform acts comprising:
  - identifying an entity-trusted application on the computing device, the entity-trusted application configured to access data that is associated with an identifier of an entity that sets a data protection policy controlling access to the data;
  - associating a first process that is a running instance of the entity-trusted application with the identifier of the entity; and
  - enforcing, by an operating system of the computing device, the data protection policy of the entity, the enforcing including:
    - automatically encrypting, by the operating system in accordance with the data protection policy, data saved by the first process;
    - associating the data saved by the first process with the identifier of the entity; and
    - preventing, by the operating system in accordance with the data protection policy, a second process that is a running instance of an entity-untrusted application from accessing the encrypted data associated with the identifier of the entity.

Dependent claims: 15, 16, 17, 18, 19
20. A method implemented on a computing device, the method comprising:
- identifying an entity-trusted application on the computing device, the entity-trusted application configured to access data that is associated with an entity that sets a data protection policy controlling access to the data;
- associating a first process that is a running instance of the entity-trusted application with an identifier of the entity;
- enforcing, by an operating system of the computing device, the data protection policy of the entity, the enforcing including:
  - automatically encrypting, by the operating system in accordance with the data protection policy, data saved by the first process; and
  - preventing, by the operating system in accordance with the data protection policy, a second process that is a running instance of an entity-untrusted application from accessing the encrypted data; and
- treating the entity-trusted application as being an untrusted application for at least part of the data protection policy in response to a request from the first process for the operating system to treat the entity-trusted application as an entity-untrusted application.
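The enforcement flow described in the abstract and in claims 1 and 20, modeled as an added example (not part of the patent text and not any vendor's implementation). The names PolicyOS, Process, launch, drop_trust and xor_stream are hypothetical, the cipher is a stand-in for the sketch, and two points are assumptions: an untrusted process saves unencrypted data, and a trust-drop request removes the entity association entirely.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher for this sketch (SHA-256 counter keystream); not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

@dataclass
class Process:
    app: str
    entity_id: Optional[str] = None  # set by the OS only for entity-trusted apps

@dataclass
class PolicyOS:
    entity_keys: dict    # entity id -> key (constructed sample keys)
    trusted_apps: dict   # entity id -> set of entity-trusted app names
    files: dict = field(default_factory=dict)  # path -> (entity id, nonce, bytes)

    def launch(self, app: str, entity_id: Optional[str] = None) -> Process:
        # Associate the process with the entity only if the app is on its trusted list.
        trusted = app in self.trusted_apps.get(entity_id, set())
        return Process(app, entity_id if trusted else None)

    def drop_trust(self, proc: Process) -> None:
        # The process asks to be treated as entity-untrusted from now on (assumed: fully).
        proc.entity_id = None

    def save(self, proc: Process, path: str, data: bytes) -> None:
        if proc.entity_id is None:               # assumed: untrusted data stored as-is
            self.files[path] = (None, b"", data)
            return
        nonce = os.urandom(16)                   # encrypted automatically by the OS
        blob = xor_stream(self.entity_keys[proc.entity_id], nonce, data)
        self.files[path] = (proc.entity_id, nonce, blob)  # metadata names the entity

    def read(self, proc: Process, path: str) -> bytes:
        owner, nonce, blob = self.files[path]
        if owner is None:
            return blob
        if proc.entity_id != owner:              # untrusted or other-entity process
            raise PermissionError(f"{proc.app} may not access data of {owner}")
        return xor_stream(self.entity_keys[owner], nonce, blob)
```

The access decision depends only on the identifier the operating system attached to the process at launch and the identifier stored in the file's metadata, so the application never handles the entity's key.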
Specification