Passive encryption of organization data

US 9,900,325 B2
Filed: 10/09/2015
Issued: 02/20/2018
Est. Priority Date: 10/09/2015
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a computing device, the method comprising:

detecting whether a file on the computing device, created prior to implementation of a data protection policy of an organization, has been written to by a first program that is permitted to access data associated with the organization;

adding, based at least on detecting that the file has been written to by the first program, an identifier of the file to a file encryption queue;

determining whether any programs on the computing device are currently accessing the file;

initiating encryption of the file based at least on determining that no programs on the computing device are currently accessing the file;

determining whether access to the file is requested by a second program on the computing device during encryption of the file;

aborting encryption of the file based at least on determining that access to the file is requested by the second program during encryption of the file; and

allowing the second program to access the file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data protection policy is implemented on a computing device, the data protection policy indicating how organization data on the computing device is to be protected. Protection of the organization data includes encrypting the organization data, and allowing the organization data to be decrypted only by particular programs and/or under particular circumstances (as indicated by the data protection policy). When implementing a data protection policy, files already stored on the computing device are encrypted using a passive encryption technique. The passive encryption technique can include one or more of an encrypt on close technique, an encrypt on open technique, an encrypt without exclusive access technique, and an encrypt location technique.

230 Citations

20 Claims

1. A method implemented in a computing device, the method comprising:
- detecting whether a file on the computing device, created prior to implementation of a data protection policy of an organization, has been written to by a first program that is permitted to access data associated with the organization;
  
  adding, based at least on detecting that the file has been written to by the first program, an identifier of the file to a file encryption queue;
  
  determining whether any programs on the computing device are currently accessing the file;
  
  initiating encryption of the file based at least on determining that no programs on the computing device are currently accessing the file;
  
  determining whether access to the file is requested by a second program on the computing device during encryption of the file;
  
  aborting encryption of the file based at least on determining that access to the file is requested by the second program during encryption of the file; and
  
  allowing the second program to access the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising allowing the first program to open and read the file without adding the file to the file encryption queue.
  - 3. The method of claim 1, further comprising storing the file encryption queue in a nonvolatile memory that persists across reboots of the computing device.
  - 4. The method of claim 1, the identifier of the file comprising a file handle that uniquely identifies the file within the computing device independent of the location where the file is stored on the computing device.
  - 5. The method of claim 1, further comprising:
    - receiving a request to wipe organization data for the organization from the computing device;
      
      identifying one or more files in the file encryption queue that include the organization data for the organization; and
      
      deleting the identified one or more files from a data store of the computing device.
  - 6. The method of claim 1, further comprising removing the identifier of the file from the file encryption queue after the file is encrypted.
  - 7. The method of claim 1, wherein the implementation of the data protection policy is one of:
    - an initial establishment of the data protection policy or a change in the data protection policy.
  - 8. The method of claim 1, wherein initiating encryption of the file comprises writing data from the file to a temporary file, and aborting encryption of the file comprises deleting the temporary file.

9. A computing device comprising:
- one or more processors;
  
  a data store; and
  
  one or more computer-readable storage media having stored thereon multiple instructions that, based on execution by the one or more processors, implement an encryption and decryption system that includes an encryption module and an encryption determination module;
  
  the encryption module configured to encrypt a file in the data store, created prior to implementation of a data protection policy of an organization on the computing device, based at least on receiving a request from the encryption determination module to encrypt the file; and
  
  the encryption determination module configured to;
  
  detect whether the file in the data store is to be encrypted due to the data protection policy by determining whether the file has been written to by a first organization program,communicate to the encryption module to encrypt the file at an appropriate time,determine the appropriate time using an encrypt on close technique, an encrypt on open technique, an encrypt without exclusive access technique, and/or an encrypt location technique,initiate encryption of the file,determine whether access to the file is requested by a second organization program on the computing device during encryption of the file,abort encryption of the file based at least on determining that access to the file is requested by the second organization program during encryption of the file, andallow the second organization program to access the file.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computing device of claim 9, the encrypt on close technique comprising a technique in which the file is encrypted based at least on a first condition and a second condition both being satisfied, the first condition being that data is written to the file after implementation of the data protection policy, and the second condition being that no program is currently accessing the file.
  - 11. The computing device of claim 10, the encryption determination module further configured to allow programs to open and read the file without communicating to the encryption module to encrypt the file.
  - 12. The computing device of claim 10, further comprising a nonvolatile memory that stores a file encryption queue, the file encryption queue including file identifiers of files that have been detected as to be encrypted due to the data protection policy and that have been written to after implementation of the data protection policy, the file encryption queue persisting file identifiers across reboots of the computing device.
  - 13. The computing device of claim 9, the encrypt on open technique comprising a technique in which the file is encrypted based at least on the file being opened by a program on the computing device.
  - 14. The computing device of claim 9, the encrypt without exclusive access technique comprising a technique in which the file is encrypted without requiring the encryption module to have exclusive access to the file.
  - 15. The computing device of claim 9, the encrypt location technique comprising a technique in which the file is encrypted based at least on the file being stored in a particular location of the data store.

16. A computing device comprising:
- one or more processors;
  
  a data store;
  
  a nonvolatile memory storing a file encryption queue; and
  
  one or more computer-readable storage media having stored thereon multiple instructions that, based on execution by the one or more processors, implement an encryption and decryption system that includes an encryption module and an encryption determination module;
  
  the encryption module configured to encrypt a file created prior to implementation of a data protection policy of an organization on the computing device, based at least on a request from the encryption determination module to encrypt the file;
  
  the encryption determination module configured to;
  
  detect whether the file has been written to by a first program that is permitted to access data associated with the organization,add, based at least on the file having been written to by the first program, an identifier of the file to the file encryption queue,determine whether any programs on the computing device are currently accessing the file,communicate the request to the encryption module to encrypt the file based at least on determining that no programs on the computing device are currently accessing the file,determine whether access to the file is requested by a second program during encryption of the file by the encryption module,abort encryption of the file based at least on determining that access to the file is requested by the second program during encryption of the file, andallow the second program to access the file.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computing device of claim 16, the encryption determination module further configured to allow the first program to open and read the file without adding the file to the file encryption queue.
  - 18. The computing device of claim 16, the non-volatile memory persisting the file encryption queue across reboots of the computing device.
  - 19. The computing device of claim 16, the encryption determination module further configured to remove the identifier of the file from the file encryption queue after the file is encrypted.
  - 20. The computing device of claim 16, the encryption determination module further configured to:
    - receive a request to wipe organization data for the organization from the computing device;
      
      identify one or more files in the file encryption queue that include the organization data for the organization; and
      
      delete the identified one or more files from the data store of the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Semenko, Alex M., Adam, Preston Derek, Basmov, Innokentiy, Acharya, Narendra S., Novotney, Peter J., Bhagurkar, Salil Arun, Mehta, Yogesh A.
Primary Examiner(s)
Pearson, David J

Application Number

US14/879,938
Publication Number

US 20170104768A1
Time in Patent Office

865 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 63/107   wherein the security polici...

H04L 63/1408   by monitoring network traff...

Passive encryption of organization data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

230 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Passive encryption of organization data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

230 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links