Passive encryption of organization data
First Claim
1. A method implemented in a computing device, the method comprising:
- detecting whether a file on the computing device, created prior to implementation of a data protection policy of an organization, has been written to by a first program that is permitted to access data associated with the organization;
- adding, based at least on detecting that the file has been written to by the first program, an identifier of the file to a file encryption queue;
- determining whether any programs on the computing device are currently accessing the file;
- initiating encryption of the file based at least on determining that no programs on the computing device are currently accessing the file;
- determining whether access to the file is requested by a second program on the computing device during encryption of the file;
- aborting encryption of the file based at least on determining that access to the file is requested by the second program during encryption of the file; and
- allowing the second program to access the file.
1 Assignment
Abstract
A data protection policy is implemented on a computing device, the data protection policy indicating how organization data on the computing device is to be protected. Protection of the organization data includes encrypting the organization data, and allowing the organization data to be decrypted only by particular programs and/or under particular circumstances (as indicated by the data protection policy). When implementing a data protection policy, files already stored on the computing device are encrypted using a passive encryption technique. The passive encryption technique can include one or more of an encrypt on close technique, an encrypt on open technique, an encrypt without exclusive access technique, and an encrypt location technique.
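The abstract and independent claims 1, 9 and 16 describe a scheduling problem rather than a cipher: a pre-policy file is placed on a file encryption queue once a permitted program writes to it, encryption starts only when no program has the file open, and if a second program requests the file mid-encryption the job is aborted and the request is granted. The following in-memory simulation is an added example, not code from the patent or its assignee; the class and program names, the scenario, and the SHA-256 keystream stand-in for a real cipher are all constructed for illustration.

```python
"""Added example: passive-encryption queue with abort-on-access (constructed, not the patent's code)."""
from dataclasses import dataclass, field
import hashlib
from typing import Dict, List, Optional, Set

BLOCK = 32  # one SHA-256 digest per keystream block; also the per-step encryption chunk


def keystream_xor(key: bytes, data: bytes, start_block: int = 0) -> bytes:
    """Placeholder cipher: XOR with a SHA-256 keystream (CTR-like). Symmetric, so it also
    decrypts. Assumed stand-in for a real AEAD mode, not a secure construction."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hashlib.sha256(key + (start_block + i // BLOCK).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


@dataclass
class ManagedFile:
    name: str
    data: bytes
    created_before_policy: bool            # only such files need passive encryption
    encrypted: bool = False
    open_by: Set[str] = field(default_factory=set)   # programs currently holding a handle


@dataclass
class EncryptionJob:
    """In-progress job; output accumulates separately so an abort leaves the file untouched."""
    name: str
    plaintext: bytes
    out: bytearray = field(default_factory=bytearray)
    offset: int = 0


class PassiveEncryptor:
    """Plays both the encryption determination module and the encryption module."""

    def __init__(self, org_programs: Set[str], key: bytes):
        self.org_programs, self.key = org_programs, key
        self.files: Dict[str, ManagedFile] = {}
        self.queue: List[str] = []                # the file encryption queue (file identifiers)
        self.active: Optional[EncryptionJob] = None
        self.events: List[str] = []

    def open(self, program: str, name: str) -> ManagedFile:
        f = self.files[name]
        if self.active is not None and self.active.name == name:
            self._abort(f"access requested by {program}")   # abort first, then allow access
        f.open_by.add(program)
        return f

    def write(self, program: str, name: str, data: bytes) -> None:
        f = self.files[name]
        if program not in f.open_by:
            raise PermissionError(f"{program} has no handle on {name}")
        f.data = keystream_xor(self.key, data) if f.encrypted else data
        # pre-policy file written by a permitted (organization) program -> enqueue
        if (program in self.org_programs and f.created_before_policy
                and not f.encrypted and name not in self.queue):
            self.queue.append(name)
            self.events.append(f"queued {name}")

    def close(self, program: str, name: str) -> None:
        self.files[name].open_by.discard(program)

    def start_next(self) -> Optional[str]:
        """Encrypt-without-exclusive-access: pick the first queued file nobody has open."""
        for name in list(self.queue):
            if not self.files[name].open_by:
                self.queue.remove(name)
                self.active = EncryptionJob(name, self.files[name].data)
                return name
        return None

    def step(self) -> bool:
        """Encrypt one block of the active job; return True when the job completes."""
        job = self.active
        if job is None:
            return False
        chunk = job.plaintext[job.offset:job.offset + BLOCK]
        job.out.extend(keystream_xor(self.key, chunk, job.offset // BLOCK))
        job.offset += len(chunk)
        if job.offset < len(job.plaintext):
            return False
        f = self.files[job.name]
        f.data, f.encrypted = bytes(job.out), True   # commit only when the whole file is done
        self.active = None
        self.events.append(f"encrypted {job.name}")
        return True

    def _abort(self, reason: str) -> None:
        job, self.active = self.active, None
        self.queue.append(job.name)                   # retry later; on-disk data still plaintext
        self.events.append(f"aborted {job.name}: {reason}")

    def decrypt(self, name: str) -> bytes:
        f = self.files[name]
        return keystream_xor(self.key, f.data) if f.encrypted else f.data


def run_scenario() -> dict:
    """Constructed walkthrough: a pre-policy file is queued, its encryption is aborted by a
    second program's open, and it completes on a later pass; a non-permitted program's write
    to another pre-policy file never enqueues it."""
    enc = PassiveEncryptor(org_programs={"word", "excel"}, key=b"constructed-demo-key")
    report = b"Quarterly figures: " + bytes(range(256)) * 2     # several blocks long
    enc.files["report.docx"] = ManagedFile("report.docx", b"", created_before_policy=True)
    enc.files["notes.txt"] = ManagedFile("notes.txt", b"old", created_before_policy=True)
    enc.open("word", "report.docx"); enc.write("word", "report.docx", report); enc.close("word", "report.docx")
    enc.open("player", "notes.txt"); enc.write("player", "notes.txt", b"edited"); enc.close("player", "notes.txt")
    queued = list(enc.queue)
    enc.start_next()                        # nobody has report.docx open -> job begins
    enc.step()                              # first block sits only in the job buffer
    enc.open("excel", "report.docx")        # second program -> abort, access granted
    plaintext_preserved = enc.files["report.docx"].data == report
    aborted = enc.active is None and "report.docx" in enc.queue
    enc.close("excel", "report.docx")
    enc.start_next()
    while enc.active is not None:
        enc.step()
    return {"queued": queued, "aborted": aborted, "plaintext_preserved": plaintext_preserved,
            "encrypted": enc.files["report.docx"].encrypted,
            "roundtrip": enc.decrypt("report.docx") == report,
            "ciphertext_differs": enc.files["report.docx"].data != report,
            "notes_untouched": not enc.files["notes.txt"].encrypted, "events": enc.events}
```

Calling `run_scenario()` returns the observable outcomes of the walkthrough. The design point worth noticing is that the job writes ciphertext into its own buffer and commits to the file only after the last block, so an abort never leaves a half-encrypted file on disk; the aborted identifier goes back on the queue, which is why claim 16 keeps that queue in nonvolatile memory.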
230 Citations
20 Claims
1. A method implemented in a computing device, the method comprising the steps reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A computing device comprising:
- one or more processors;
- a data store; and
- one or more computer-readable storage media having stored thereon multiple instructions that, based on execution by the one or more processors, implement an encryption and decryption system that includes an encryption module and an encryption determination module;
- the encryption module configured to encrypt a file in the data store, created prior to implementation of a data protection policy of an organization on the computing device, based at least on receiving a request from the encryption determination module to encrypt the file; and
- the encryption determination module configured to:
  - detect whether the file in the data store is to be encrypted due to the data protection policy by determining whether the file has been written to by a first organization program,
  - communicate to the encryption module to encrypt the file at an appropriate time,
  - determine the appropriate time using an encrypt on close technique, an encrypt on open technique, an encrypt without exclusive access technique, and/or an encrypt location technique,
  - initiate encryption of the file,
  - determine whether access to the file is requested by a second organization program on the computing device during encryption of the file,
  - abort encryption of the file based at least on determining that access to the file is requested by the second organization program during encryption of the file, and
  - allow the second organization program to access the file.
Dependent claims: 10, 11, 12, 13, 14, 15.

16. A computing device comprising:
- one or more processors;
- a data store;
- a nonvolatile memory storing a file encryption queue; and
- one or more computer-readable storage media having stored thereon multiple instructions that, based on execution by the one or more processors, implement an encryption and decryption system that includes an encryption module and an encryption determination module;
- the encryption module configured to encrypt a file created prior to implementation of a data protection policy of an organization on the computing device, based at least on a request from the encryption determination module to encrypt the file;
- the encryption determination module configured to:
  - detect whether the file has been written to by a first program that is permitted to access data associated with the organization,
  - add, based at least on the file having been written to by the first program, an identifier of the file to the file encryption queue,
  - determine whether any programs on the computing device are currently accessing the file,
  - communicate the request to the encryption module to encrypt the file based at least on determining that no programs on the computing device are currently accessing the file,
  - determine whether access to the file is requested by a second program during encryption of the file by the encryption module,
  - abort encryption of the file based at least on determining that access to the file is requested by the second program during encryption of the file, and
  - allow the second program to access the file.
Dependent claims: 17, 18, 19, 20.
Specification