Mitigation of data leakage in a multi-site computing infrastructure

US 9,928,375 B2
Filed: 06/13/2011
Issued: 03/27/2018
Est. Priority Date: 06/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

uploading, by an owning entity, a file to a file sharing environment including, a security label and a keyword associated with the file;

specifying a first tier of a mandatory access control policy to the file based on the security label, the mandatory access control policy limiting sharing scope of the file and placing a restriction on an ability of the owning entity to share the file within the file sharing environment including limiting an ability to grant a second entity outside the restricted maximum sharing scope access to the file;

generating a profile for an entity contact and storing the generated profile in memory, the profile including a collaboration vector comprising keywords representing collaboration topics between the owning entity and the entity contact, the keywords associated with a calculated weight;

calculating a contact score for each entity contact defining relevance matching between the file and the entity contact, the contact score calculated based upon the weight of each keyword in the profile of the entity contact and the keywords associated with the file;

interactively recommending a first entity contact within the limited sharing scope of the file to the owning entity as a candidate for file sharing based upon an associated contact score of the first entity contact;

periodically updating the profile of each entity contact and the collaboration vector of each entity contact using new collaboration information; and

interactively adjusting the recommendation for file sharing based on the updated contact profile, wherein the interactive adjustment includes an automated evaluation within the limited sharing scope of the file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention relate to a method, system, and computer program product to dynamically mitigate data leakage in a file sharing environment. Mandatory access control policies are provided to address and maintain restrictions on file sharing both with respect to security rules of an organization and restrictions pertaining to discretionary sharing decisions. In addition, suggestions for potential recipients for file sharing are supported, as well as examination of abnormal recipients in response to the discretionary sharing decisions.

Citations

20 Claims

1. A method comprising:
- uploading, by an owning entity, a file to a file sharing environment including, a security label and a keyword associated with the file;
  
  specifying a first tier of a mandatory access control policy to the file based on the security label, the mandatory access control policy limiting sharing scope of the file and placing a restriction on an ability of the owning entity to share the file within the file sharing environment including limiting an ability to grant a second entity outside the restricted maximum sharing scope access to the file;
  
  generating a profile for an entity contact and storing the generated profile in memory, the profile including a collaboration vector comprising keywords representing collaboration topics between the owning entity and the entity contact, the keywords associated with a calculated weight;
  
  calculating a contact score for each entity contact defining relevance matching between the file and the entity contact, the contact score calculated based upon the weight of each keyword in the profile of the entity contact and the keywords associated with the file;
  
  interactively recommending a first entity contact within the limited sharing scope of the file to the owning entity as a candidate for file sharing based upon an associated contact score of the first entity contact;
  
  periodically updating the profile of each entity contact and the collaboration vector of each entity contact using new collaboration information; and
  
  interactively adjusting the recommendation for file sharing based on the updated contact profile, wherein the interactive adjustment includes an automated evaluation within the limited sharing scope of the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the first tier of the mandatory access control policy may be defined by an affiliated organization of the entity, wherein the mandatory access control policy limits unauthorized sharing of one or more files by one or more entities.
  - 3. The method of claim 1, further comprising a second tier of an access control policy to the file, the second tier including a first category applicable to each file shared by each entity, a second category applicable to sharing with respect to a specific file, and a third category applicable to re-sharing of the specific file.
  - 4. The method of claim 1, further comprising:
    - calculating a likelihood score between the keyword associated with the file and each contact;
      
      combining the likelihood score and the contact score for each contact including generating a priority score for each contact;
      
      prioritizing the priority scores; and
      
      wherein interactively recommending a contact of the entity as a recipient for file sharing is based upon the prioritized priority score.
  - 5. The method of claim 1, wherein interactively recommending the first entity contact to the owning entity includes computing a connection strength between a candidate contact and each recipient that has already been chosen by the owner to share the file.
  - 6. The method of claim 1, wherein the step of periodically updating the profile of each entity contact includes dynamically tracking user history, including updating user history based on file sharing decisions.
  - 7. The method of claim 1, further comprising detecting a decision error, based on an error selected from the group consisting of:
    - a security policy violation, and relevance between a contact profile and the keyword for the file to be shared.
  - 8. The method of claim 1, further comprising generating a monitoring report to prevent future sharing errors.
  - 9. The method of claim 1, wherein the collaboration vector comprises a real-number weight of a keyword, the collaboration vector differentiating a current activity from a past activity.

10. A computer program product comprising a computer readable hardware storage device having computer readable program code embodied therewith, the program code when executed on a processor causes the computer to:
- upload, by a first entity, a file to the file sharing environment including, a security label and a keyword associated with the file;
  
  specify a first tier of a mandatory access control policy to the file in the file sharing environment based on the security label, the mandatory access control policies to restrict a maximum sharing scope of the file and to place a security boundary on an ability of the first entity to share the file within the file sharing environment including, to limit an ability to grant a second entity outside the restricted maximum sharing scope access to the file;
  
  generate a profile for an entity contact, the profile including a collaboration vector comprising a keyword representing a collaboration topic between the first entity and the entity contact, the keyword associated with a calculated weight;
  
  calculate a contact score for each entity contact defining relevance matching between the file and the first entity contact, the contact score calculated based upon the weight of the keyword in the profile of the entity contact and the keywords associated with the file;
  
  recommend a first entity contact within the restricted maximum sharing scope to the first entity as a candidate to share the file, wherein the recommendation is based upon the contact score of the first entity contact;
  
  periodically update the profile and the collaboration vector of each of the entity contact associated with the first entity using new collaboration information; and
  
  interactively adjust the recommendation for file sharing based on the updated contact profile, wherein the interactive adjustment includes an automated evaluation within the restricted maximum sharing scope.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer program product of claim 10, further comprising program code to specify a second tier of access control policies to the data, the second tier including:
    - a first category applicable to all the files shared by each entity, a second category applicable to sharing with respect to a specific file, and a third category applicable to re-sharing of the specific file.
  - 12. The computer program product of claim 10, wherein the program code to periodically update the profile includes instructions to dynamically track user history and employ the history to interactively recommend a recipient for file sharing.
  - 13. The computer program product of claim 10, further comprising program code to detect a decision error, including issuance of a warning for an abnormal recipient selection.
  - 14. The computer program product of claim 10, further comprising computer readable program code to generate a monitoring report to prevent a future sharing error.

15. A system comprising:
- a file uploaded to a file sharing environment by a first entity, including a security label and a keyword associated with the file;
  
  an access manager that is in communication with the file sharing environment, the access manager to specify a first tier of a mandatory access control policy to the file in the file sharing environment based on the security label, the mandatory access control policy to restrict maximum sharing scope of the file and to place a security boundary on an ability of the first entity to share the file within the file sharing environment including, to limit the ability to grant a second entity outside the restricted maximum sharing scope access to the file;
  
  a profile manager in communication with the access manager, the profile manager to create an attribute profile for an entity contact, the profile including a collaboration vector comprising a keyword representing collaboration topics between the first entity and the entity contact, the keyword associated with a calculated weight;
  
  a history manager in communication with the profile manager, the history manager to mine a past collaboration activity between the first entity and the entity contact;
  
  a recommendation manager to calculate a contact score defining relevance matching between the file and the entity contact, the contact score calculated based upon the weight of the keyword in the profile of the entity contact and the keyword associated with the file, and to recommend a first entity contact within the restricted maximum sharing scope to the first entity as a candidate to share the file, wherein a recommendation is based upon the contact score of the first entity contact;
  
  an update manager that is in communication with the history manager, the update manager to periodically update the profile of each entity contact and the collaboration vector of each entity contact, including using new collaboration information; and
  
  an adjustment manager in communication with the update manager, the adjustment manager to interactively adjust the recommendation for file sharing based on the updated contact profile, wherein the interactive adjustment includes an automated evaluation within the restricted maximum sharing scope.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, further comprising the access manager to specify a second tier of the mandatory access control policy to the file, the second tier including:
    - a first category within the second tier applicable to all files shared by the users within the file sharing environment, a second category within the second tier that is applicable to sharing with respect to a specific file, and a third category within the second tier that is applicable to re-sharing of a specific file.
  - 17. The system of claim 15, further comprising the update manager to dynamically track user history and to employ the history to interactively recommend a recipient for file sharing.
  - 18. The system of claim 15, further comprising the adjustment manager to detect a user decision error, including issuance of a warning for an abnormal recipient selection.

19. A method to support collaboration in an entity owning file sharing environment, the method comprising:
- uploading, by a first entity, a file to a file sharing environment including, a security label and a keyword associated with the file;
  
  specifying a first tier of a mandatory access control policy to the file based on the security label, the mandatory access control policy restricting a maximum sharing scope of the file and placing a restriction on an ability of the first entity to share the file including, to limit an ability to grant a second entity outside the restricted maximum sharing scope access to the file;
  
  creating an attribute profile for an entity contact and storing the created attribute profile in memory, including mining a past collaboration activity, the profile including a collaboration vector comprising a keyword representing a collaboration topic between the first entity and the entity contact, the keyword associated with a calculated weight;
  
  calculating a contact score for each entity contact defining relevance matching between the file and the entity contact, the contact score calculated based upon the weight of the keyword in the profile of the entity contact and the keyword associated with the file;
  
  interactively recommending a first entity contact within the restricted maximum sharing scope to the first entity as a candidate for file sharing based upon an associated contact score;
  
  updating a contact profile and the collaboration vector of each entity contact using new collaboration information on a periodic basis; and
  
  interactively adjusting the recommendation for file sharing based on the updated contact profile, wherein the interactive adjustment includes an automated evaluation within the restricted maximum sharing scope.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising dynamically tracking a past collaborative activity in a shared pool of resources, and based upon the past activity recommending a recipient for a current collaborative activity in the shared pool.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Jin, Hongxia, Wang, Qihua
Primary Examiner(s)
TORGRIMSON, TYLER J

Application Number

US13/158,893
Publication Number

US 20120317135A1
Time in Patent Office

2,479 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/176 Support for shared access t...

G06F 21/6218 to a system of files or obj...

Mitigation of data leakage in a multi-site computing infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of data leakage in a multi-site computing infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links