Selective encryption of outgoing data

US 9,917,817 B1
Filed: 06/10/2013
Issued: 03/13/2018
Est. Priority Date: 06/10/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring a set of outgoing data generated by a first user via a user computing device, wherein said monitoring is carried out, prior to transmission of the set of outgoing data from the user computing device, by a data monitoring agent executing in the background of operations of the user computing device;

identifying one or more items of sensitive information from the set of outgoing data, wherein said identifying is carried out, prior to transmission of the set of outgoing data from the user computing device, by a data policy enforcement agent executing in the background of operations of the user computing device, and wherein said identifying comprises;

implementing, via one or more content blades, one or more data loss prevention policies against the set of outgoing data, wherein the data loss prevention policies define items of sensitive information, and wherein the one or more content blades encapsulate one or more detection rules and one or more contextual rules related to identifying items of sensitive information, wherein;

the detection rules comprise (i) one or more inclusion rules, which describe items of information that should be contained in outgoing data, and (ii) one or more exclusion rules, which describe items of information that should not be contained in outgoing data, wherein said implementing the one or more data loss prevention policies comprises;

comparing (i) the number of matches between the one or more exclusion rules and the outgoing data and (ii) the number of matches between the one or more inclusion rules and the outgoing data;

determining, based on said comparing, the outgoing data to be a false positive match with the detection rules upon a determination that the number of matches between the one or more exclusion rules and the outgoing data exceeds the number of matches between the one or more inclusion rules and the outgoing data; and

precluding use of one or more of the content blades upon a determination that the outgoing data is a false positive match with the detection rules; and

the contextual rules describe proximity parameters for defined items of sensitive information with respect to one or more predetermined categories of information items;

selectively encrypting a sub-set of the set of outgoing data, wherein the sub-set consists of the one or more identified items of sensitive information, to produce one or more items of encrypted sensitive information, wherein said encrypting is carried out, prior to transmission of the set of outgoing data from the user computing device, by an encryption agent executing in the background of operations of the user computing device; and

replacing the one or more items of sensitive information with the one or more items of encrypted sensitive information in the set of outgoing data to produce a version of the set of outgoing data that comprises (i) the encrypted sub-set of the outgoing data and (ii) one or more unencrypted sub-sets of the outgoing data, wherein said replacing is carried out, prior to transmission of the set of outgoing data from the user computing device, by the encryption agent executing in the background of operations of the user computing device.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus and articles of manufacture for selective encryption of outgoing data are provided herein. A method includes monitoring a set of outgoing data from a first user, identifying one or more items of sensitive information from the set of outgoing data, encrypting the one or more items of sensitive information to produce one or more items of encrypted sensitive information, and replacing the one or more items of sensitive information with the one or more items of encrypted sensitive information in the set of outgoing data.

Citations

20 Claims

1. A method comprising:
- monitoring a set of outgoing data generated by a first user via a user computing device, wherein said monitoring is carried out, prior to transmission of the set of outgoing data from the user computing device, by a data monitoring agent executing in the background of operations of the user computing device;
  
  identifying one or more items of sensitive information from the set of outgoing data, wherein said identifying is carried out, prior to transmission of the set of outgoing data from the user computing device, by a data policy enforcement agent executing in the background of operations of the user computing device, and wherein said identifying comprises;
  
  implementing, via one or more content blades, one or more data loss prevention policies against the set of outgoing data, wherein the data loss prevention policies define items of sensitive information, and wherein the one or more content blades encapsulate one or more detection rules and one or more contextual rules related to identifying items of sensitive information, wherein;
  
  the detection rules comprise (i) one or more inclusion rules, which describe items of information that should be contained in outgoing data, and (ii) one or more exclusion rules, which describe items of information that should not be contained in outgoing data, wherein said implementing the one or more data loss prevention policies comprises;
  
  comparing (i) the number of matches between the one or more exclusion rules and the outgoing data and (ii) the number of matches between the one or more inclusion rules and the outgoing data;
  
  determining, based on said comparing, the outgoing data to be a false positive match with the detection rules upon a determination that the number of matches between the one or more exclusion rules and the outgoing data exceeds the number of matches between the one or more inclusion rules and the outgoing data; and
  
  precluding use of one or more of the content blades upon a determination that the outgoing data is a false positive match with the detection rules; and
  
  the contextual rules describe proximity parameters for defined items of sensitive information with respect to one or more predetermined categories of information items;
  
  selectively encrypting a sub-set of the set of outgoing data, wherein the sub-set consists of the one or more identified items of sensitive information, to produce one or more items of encrypted sensitive information, wherein said encrypting is carried out, prior to transmission of the set of outgoing data from the user computing device, by an encryption agent executing in the background of operations of the user computing device; and
  
  replacing the one or more items of sensitive information with the one or more items of encrypted sensitive information in the set of outgoing data to produce a version of the set of outgoing data that comprises (i) the encrypted sub-set of the outgoing data and (ii) one or more unencrypted sub-sets of the outgoing data, wherein said replacing is carried out, prior to transmission of the set of outgoing data from the user computing device, by the encryption agent executing in the background of operations of the user computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein said one or more items of sensitive information comprises at least one of a credit card number, a social security number, an account number, user-defined data, an internal internet protocol address, a log-in user-name, and a password.
  - 3. The method of claim 1, wherein said selectively encrypting comprises implementing a data protection manager agent.
  - 4. The method of claim 1, wherein said selectively encrypting comprises implementing a symmetric key encryption algorithm.
  - 5. The method of claim 1, wherein said replacing comprises replacing the one or more items of sensitive information with the one or more items of encrypted sensitive information in the set of outgoing data before the set of outgoing data is stored in a third party storage system.
  - 6. The method of claim 1, wherein said replacing comprises replacing the one or more items of sensitive information with the one or more items of encrypted sensitive information in the set of outgoing data before the set of outgoing data is transmitted to an intended target.
  - 7. The method of claim 1, comprising:
    - authenticating a second user to retrieve the one or more items of encrypted sensitive information.
  - 8. The method of claim 7, wherein said authenticating comprises using a username and password combination.
  - 9. The method of claim 7, wherein said authenticating comprises using username, password and passcode combination.
  - 10. The method of claim 7, wherein said authenticating comprises confirming a presence of the second user in a particular authorized user group.
  - 11. The method of claim 7, comprising:
    - decrypting the one or more items of encrypted sensitive information.
  - 12. The method of claim 7, comprising:
    - providing the one or more items of decrypted sensitive information to the second user.
  - 13. An article of manufacture comprising a non-transitory processor-readable storage medium having processor-readable instructions tangibly embodied thereon which, when implemented, cause a processor to carry out the steps of the method of claim 1.

14. An apparatus comprising:
- a memory; and
  
  at least one processor coupled to the memory and configured to;
  
  monitor a set of outgoing data generated by a first user prior to transmission of the set of outgoing data;
  
  identify one or more items of sensitive information from the set of outgoing data prior to transmission of the set of outgoing data, wherein said identifying comprises;
  
  implementing, via one or more content blades, one or more data loss prevention policies against the set of outgoing data, wherein the data loss prevention policies define items of sensitive information, and wherein the one or more content blades encapsulate one or more detection rules and one or more contextual rules related to identifying items of sensitive information, wherein;
  
  the detection rules comprise (i) one or more inclusion rules, which describe items of information that should be contained in outgoing data, and (ii) one or more exclusion rules, which describe items of information that should not be contained in outgoing data, wherein said implementing the one or more data loss prevention policies comprises;
  
  comparing (i) the number of matches between the one or more exclusion rules and the outgoing data and (ii) the number of matches between the one or more inclusion rules and the outgoing data;
  
  determining, based on said comparing, the outgoing data to be a false positive match with the detection rules upon a determination that the number of matches between the one or more exclusion rules and the outgoing data exceeds the number of matches between the one or more inclusion rules and the outgoing data; and
  
  precluding use of one or more of the content blades upon a determination that the outgoing data is a false positive match with the detection rules; and
  
  the contextual rules describe proximity parameters for defined items of sensitive information with respect to one or more predetermined categories of information items;
  
  selectively encrypt a sub-set of the set of outgoing data, wherein the sub-set consists of the one or more identified items of sensitive information, to produce one or more items of encrypted sensitive information prior to transmission of the set of outgoing data; and
  
  replace the one or more items of sensitive information with the one or more items of encrypted sensitive information in the set of outgoing data, prior to transmission of the set of outgoing data, to produce a version of the set of outgoing data that comprises (i) the encrypted sub-set of the outgoing data and (ii) one or more unencrypted sub-sets of the outgoing data.
- View Dependent Claims (15, 16, 17)
- - 15. The apparatus of claim 14, wherein said replacing comprises replacing the one or more items of sensitive information with the one or more items of encrypted sensitive information in the set of outgoing data before the set of outgoing data is stored in a third party storage system.
  - 16. The apparatus of claim 14, wherein the at least one processor is further configured to:
    - authenticate a second user to retrieve the one or more items of encrypted sensitive information.
  - 17. The apparatus of claim 14, wherein the at least one processor is further configured to:
    - decrypt the one or more items of encrypted sensitive information.

18. A method comprising:
- identifying one or more items of sensitive information from a set of outgoing data generated by a first user via a first computing device, wherein said identifying is carried out, prior to transmission of the set of outgoing data from the first computing device, by a data policy enforcement agent executing in the background of operations of the first computing device, and wherein said identifying comprises;
  
  implementing, via one or more content blades, one or more data loss prevention policies against the set of outgoing data, wherein the data loss prevention policies define items of sensitive information, and wherein the one or more content blades encapsulate one or more detection rules and one or more contextual rules related to identifying items of sensitive information, wherein;
  
  the detection rules comprise (i) one or more inclusion rules, which describe items of information that should be contained in outgoing data, and (ii) one or more exclusion rules, which describe items of information that should not be contained in outgoing data, wherein said implementing the one or more data loss prevention policies comprises;
  
  comparing (i) the number of matches between the one or more exclusion rules and the outgoing data and (ii) the number of matches between the one or more inclusion rules and the outgoing data;
  
  determining, based on said comparing, the outgoing data to be a false positive match with the detection rules upon a determination that the number of matches between the one or more exclusion rules and the outgoing data exceeds the number of matches between the one or more inclusion rules and the outgoing data; and
  
  precluding use of one or more of the content blades upon a determination that the outgoing data is a false positive match with the detection rules; and
  
  the contextual rules describe proximity parameters for defined items of sensitive information with respect to one or more predetermined categories of information items;
  
  selectively encrypting a sub-set of the set of outgoing data, wherein the sub-set consists of the one or more identified items of sensitive information, to produce one or more items of encrypted sensitive information, wherein said encrypting is carried out, prior to transmission of the set of outgoing data from the first computing device, by an encryption agent executing in the background of operations of the first computing device;
  
  replacing the one or more items of sensitive information with the one or more items of encrypted sensitive information in the set of outgoing data to produce an updated version of the set of outgoing data that comprises (i) the encrypted sub-set of the outgoing data and (ii) one or more unencrypted sub-sets of the outgoing data, wherein said replacing is carried out, prior to transmission of the set of outgoing data from the first computing device, by the encryption agent executing in the background of operations of the first computing device;
  
  decrypting the one or more items of encrypted sensitive information from the updated version of the set of outgoing data, wherein said decrypting is carried out by an decryption component executing within a second computing device; and
  
  providing the one or more items of decrypted sensitive information to an authorized second user, wherein said providing is carried out by a component executing within the second computing device.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, comprising:
    - authenticating the second user to retrieve the one or more items of encrypted sensitive information.
  - 20. The method of claim 19, wherein said authenticating comprises at least one of (i) using a username and password combination, and (ii) confirming a presence of the second user in a particular authorized user group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Lad, Aditya, Madhukar, Anadi, Pendurthy, Rajendra
Primary Examiner(s)
Dinh, Minh

Application Number

US13/913,696
Time in Patent Office

1,737 Days
Field of Search

713153
US Class Current
CPC Class Codes

H04L 63/0428 wherein the data content is...

H04L 63/105 Multiple levels of security

Selective encryption of outgoing data

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Selective encryption of outgoing data

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links