METHODS AND SYSTEMS FOR PROVIDING ACCESS CONTROL TO SECURED DATA

US 20140201850A1
Filed: 03/18/2014
Published: 07/17/2014
Est. Priority Date: 12/12/2001
Status: Active Grant

First Claim

Patent Images

1. A storage device, comprising:

a memory storing a secured file; and

a processor configured to execute modules comprising;

a verification module configured to send a file access request to an access control management module and receive a response to the file access request from the access control management module, the file access request being based on a request to access the secured file; and

a document securing module configured to decrypt the secured file when the response indicates that the access control management module grants access to the secured file, wherein the access grant to the secured file is based on permissions for a user associated with the request to access the secured file,wherein the processor is further configured to provide the decrypted file in response to the file access request.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a system for providing access control management to electronic data, techniques to secure the electronic data and keep the electronic data secured at all times are disclosed. According to one embodiment, a secured file or secured document includes two parts: an attachment, referred to as a header, and an encrypted document or data portion. The header includes security information that points to or includes the access rules and a file key. The access rules facilitate restrictive access to the secured document and essentially determine who/when/how/where the secured document can be accessed. The file key is used to encrypt/decrypt the encrypted data portion. Only those who have the proper access privileges are permitted to retrieve the file key to encrypt/decrypt the encrypted data portion.

26 Citations

View as Search Results

28 Claims

1. A storage device, comprising:
- a memory storing a secured file; and
  
  a processor configured to execute modules comprising;
  
  a verification module configured to send a file access request to an access control management module and receive a response to the file access request from the access control management module, the file access request being based on a request to access the secured file; and
  
  a document securing module configured to decrypt the secured file when the response indicates that the access control management module grants access to the secured file, wherein the access grant to the secured file is based on permissions for a user associated with the request to access the secured file,wherein the processor is further configured to provide the decrypted file in response to the file access request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The storage device of claim 1, wherein the verification module is further configured to send a file access request for each secured file from among a plurality of secured files.
  - 3. The storage device of claim 1, wherein:
    - the response comprises a user key, the storage device further comprising a key management module configured to store the user key; and
      
      the document securing module is further configured to access the stored user key to access a plurality of secured files.
  - 4. The storage device of claim 1, wherein the storage device is integrated within a client computing device operated by the user.
  - 5. The storage device of claim 1, wherein the storage device is located with a computing device that is physically separate from the client computing device operated by the user.
  - 6. The storage device of claim 1, wherein:
    - the secured file comprises an encrypted file;
      
      the response comprises a file key; and
      
      the document securing module is further configured to decrypt the encrypted file using the file key.
  - 7. The storage device of claim 1, wherein:
    - the document securing module is further configured to separate a header of the secured file and transmit the header to the verification module; and
      
      the file access request comprises the header.

8. An access control management module, comprising:
- a key management module configured to store a file key that enables access to a secured file stored in a storage device;
  
  a network interface configured to receive a file access request from the storage device to access the secured file;
  
  a rules management module configured to retrieve an access rule corresponding to the secured file, wherein the access rule is based upon the secured file and a user that caused the file access request; and
  
  a processor configured to determine whether to permit the file access request based upon the access rule and transmit the determination, wherein the processor is further configured to execute the key management module.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The access control management module of claim 8, wherein:
    - the file access request comprises a header of the secured file, the header comprising security information of the secured file;
      
      the key management module is further configured to decrypt the security information; and
      
      the processor is further configured to compare the decrypted security information with the access rule to determine whether to permit the file access request.
  - 10. The access control management module of claim 9, wherein:
    - the processor is further configured to retrieve the file key from the key management module upon determining to permit access; and
      
      the network interface is further configured to transmit the file key to the storage device.
  - 11. The access control management module of claim 8, wherein the file access request is generated based on a user request from the user to access the secured file stored in a memory of the storage device, the user being previously authenticated on a network connecting the storage device and the access control management module.
  - 12. The access control management module of claim 8, wherein the file access request is generated based on a user request from the user to access the secured file stored in a memory of the storage device, the user not being previously authenticated on a network connecting the storage device and the access control management module.
  - 13. The access control management module of claim 12, further comprising:
    - a database configured to store a user credential and a computing device credential for a computing device from which the user is generating the user request; and
      
      a user monitoring module configured to;
      
      request authentication information from the user and an address of the computing device;
      
      compare the authentication information with the user credential and the address with the computing device credential; and
      
      authenticate the user and the computing device when both comparisons result in matches;
      
      wherein the processor is further configured to execute the user monitoring module, and wherein the user is authenticated before the file access request may be permitted.
  - 14. The access control management module of claim 8, wherein the access rule comprises one or more of a plurality of access levels in a hierarchy, wherein each access level permits a different level of access to secured documents stored in the storage device.

15. A computer-readable storage medium having control logic recorded thereon that, when executed by a processor in an access control management module, causes the processor to perform a method, comprising:
- receiving a file access request from a storage device to access a secured file stored in the storage device;
  
  retrieving an access rule corresponding to the secured file, the access rule being based upon the secured file and a user that caused the file access request;
  
  determining whether to permit the file access request based upon the access rule; and
  
  transmitting the determination to the storage device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable storage medium of claim 15, the method further comprising:
    - receiving a header of the secured file, the header contained within the file access request; and
      
      decrypting security information comprised within the header,wherein the determining further comprises comparing the decrypted security information with the access rule to determine whether to permit the file access request.
  - 17. The computer-readable storage medium of claim 16, the method further comprising:
    - retrieving a file key from a key management module, the file key enabling access to the secured file; and
      
      transmitting the file key to the storage device based upon determining to permit the file access request.
  - 18. The computer-readable storage medium of claim 15, the method further comprising:
    - permitting access to the secured file when an access level of the secured file is within a permitted level of the access rule, the access rule comprising one or more of a plurality of access levels in a hierarchy, wherein each access level permits a different level of access to secured documents stored in the storage device.
  - 19. The computer-readable storage medium of claim 15, the method further comprising:
    - permitting access to the secured file based upon a time of day of the file access request falling within an allowed time period of the access rule.
  - 20. The computer-readable storage medium of claim 15, the method further comprising:
    - generating an error message when the access control management module determines that the file access request should be denied; and
      
      transmitting the error message to the storage device.

21. A storage system, comprising:
- a server configured to send a file access request to a central access control server and receive a response to the file access request from the central access control server, the file access request being based on a request to access a secured file; and
  
  a document securing module, in the server, configured to decrypt the secured file when the response indicates that the central access control server grants access to the secured file,wherein the access grant to the secured file is based on permissions for a requestor associated with the request to access the secured file, andwherein the server is further configured to provide the decrypted file in response to the file access request.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The storage system of claim 21, wherein the server is configured to provide the decrypted file to the requestor.
  - 23. The storage system of claim 21, wherein the requestor comprises a user.
  - 24. The storage system of claim 21, wherein the requestor comprises an application.
  - 25. The storage system of claim 21, wherein the requestor comprises a combination of a user and an application.
  - 26. The storage system of claim 21, wherein:
    - the access grant comprises a user key, the server further comprising a key management module configured to store the user key; and
      
      the document securing module is further configured to access the stored user key to access a plurality of secured files.
  - 27. The storage system of claim 21, wherein:
    - the secured file comprises an encrypted file;
      
      the access grant comprises a file key; and
      
      the document securing module is further configured to decrypt the encrypted file using the file key.
  - 28. The storage system of claim 21, wherein:
    - the document securing module is further configured to separate a header of the secured file and transmit the header to the central access control server; and
      
      the file access request comprises the header.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Inventors
GARCIA, Denis Jacques Paul, Ouye, Michael Michio, Rossmann, Alain, Crocker, Steven Toye, Gilbertson, Eric, Huang, Weiqing, Humpich, Serge, Vainstein, Klimenty, Ryan, Nicholas Michael

Granted Patent

US 9,129,120 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/28
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

METHODS AND SYSTEMS FOR PROVIDING ACCESS CONTROL TO SECURED DATA

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR PROVIDING ACCESS CONTROL TO SECURED DATA

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links