Flexible security requirements in an enterprise network

US 8,434,128 B2
Filed: 02/18/2011
Issued: 04/30/2013
Est. Priority Date: 02/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

determining, by at least one of a policy agent and a policy enforcement server in an enterprise network, that a selected stimulus has occurred, the stimulus being one or more of a passage of a selected time interval, an an occurrence of an event relevant to a degree of sensitivity of a selected communication, and/or content, to an enterprise corresponding to the enterprise network;

in response to the determined stimulus, changing, by at least one of the policy agent and the policy enforcement server, a security requirement associated with the selected communication and/or content;

determining, by the policy agent, that a nonsubscriber of the enterprise network is a member of a trusted group, the trusted group comprising, as members, at least one subscriber of the enterprise network and at least one nonsubscriber and each member of the trusted group being trusted by the enterprise; and

in response to the nonsubscriber being a member of the trusted group, the policy agent at least one of (a) sending the selected communication and/or content and (b) providing the nonsubscriber access to the selected communication and/or content, wherein the trusted group is no longer recognized after at least one of (a) occurrence of a predetermined event adversely impacting a degree of trust between the enterprise and nonsub scriber and (b) passage of a determined period of time and wherein a security mechanism is at least one of deleted, disabled, and denied permission to execute in response to the at least one of (a) occurrence of a predetermined event and (b) passage of a determined period of time.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers.

Citations

15 Claims

1. A method, comprising:
- determining, by at least one of a policy agent and a policy enforcement server in an enterprise network, that a selected stimulus has occurred, the stimulus being one or more of a passage of a selected time interval, an an occurrence of an event relevant to a degree of sensitivity of a selected communication, and/or content, to an enterprise corresponding to the enterprise network;
  
  in response to the determined stimulus, changing, by at least one of the policy agent and the policy enforcement server, a security requirement associated with the selected communication and/or content;
  
  determining, by the policy agent, that a nonsubscriber of the enterprise network is a member of a trusted group, the trusted group comprising, as members, at least one subscriber of the enterprise network and at least one nonsubscriber and each member of the trusted group being trusted by the enterprise; and
  
  in response to the nonsubscriber being a member of the trusted group, the policy agent at least one of (a) sending the selected communication and/or content and (b) providing the nonsubscriber access to the selected communication and/or content, wherein the trusted group is no longer recognized after at least one of (a) occurrence of a predetermined event adversely impacting a degree of trust between the enterprise and nonsub scriber and (b) passage of a determined period of time and wherein a security mechanism is at least one of deleted, disabled, and denied permission to execute in response to the at least one of (a) occurrence of a predetermined event and (b) passage of a determined period of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the stimulus is the passage of the selected time interval.
  - 3. The method of claim 1, wherein the stimulus is the occurrence of the event relevant to the degree of sensitivity of the selected communication and/or content.
  - 4. The method of claim 1, wherein the security requirement is one or more of an authentication requirement to access the selected communication and/or content, a limitation on potential recipients of the selected communication and/or content, and a cryptography requirement.
  - 5. The method of claim 1, further comprising:
    - analyzing, by the policy agent corresponding to a first node of the enterprise network and a subscriber of the enterprise network, the selected communication and/or content to identify a behavioral instance potentially relevant to a policy and/or rule;
      
      notifying, by the policy agent, a policy enforcement server of the identified determined behavioral instance;
      
      receiving, by the policy agent and from the policy enforcement server, a policy measure to be implemented; and
      
      implementing, by the policy agent, the received policy measure.
  - 6. The method of claim 5, wherein the policy measure to be implemented comprises one or more of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,implementation of an action to remedy a prior policy or rule violation,block, delay, and/or buffer the one or more of the selected communication and/or content,mark or delete a portion of the one or more of the selected communication and/or content prior to access by one or more other parties,send a notice of policy and/or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by the one or more selected parties,prevent the subscriber from selecting, by dragging and dropping, selected content into a communication,provide read-only access to the one or more of the selected communication and/or content,set a hop restriction on the one or more of the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the one or more of the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.
  - 7. The method of claim 1, wherein the security requirement is one or more of:
    - whether authentication is required;
      
      what degree and/or type(s) of authentication is required;
      
      whether a black list is to be used;
      
      what black list is to be used;
      
      whether a white list is to be used;
      
      what white list is to be used;
      
      whether an access control list is to be used;
      
      what access control list is to be used;
      
      whether encryption is to be used;
      
      an encryption level and/or strength to be used;
      
      what encryption algorithm is to be used;
      
      a communication medium to be used;
      
      a communication path to be used; and
      
      a communication modality to be used.
  - 8. A non-transitory computer readable medium comprising processor executable instructions to perform the determining, notifying and applying steps of claim 1.

9. A system, comprising:
- at least one of a policy agent and a policy enforcement server, in an enterprise network, operable to;
  
  determine that a selected stimulus has occurred, the stimulus being one or more of a passage of a selected time interval, and an occurrence of an event relevant to a degree of sensitivity, to an enterprise corresponding to the enterprise networks, of a selected communication, and/or content;
  
  in response to the determined stimulus, change a security requirement associated with the selected communication and/or content;
  
  wherein the policy agent is operable to;
  
  determine that a nonsubscriber of the enterprise network is a member of a trusted group, the trusted group comprising, as members, at least one subscriber of the enterprise network and at least one nonsubscriber and each member of the trusted group being trusted by the enterprise; and
  
  in response to the nonsubscriber being a member of the trusted group, at least one of (a) send the selected communication and/or content and (b) provide the nonsubscriber access to the selected communication and/or content, wherein the trusted group is no longer recognized after at least one of (a) occurrence of a predetermined event adversely impacting a degree of trust between the enterprise and nonsubscriber and (b) passage of a determined period of time and wherein a security mechanism is at least one of deleted, disabled, and denied permission to execute in response to the at least one of (a) occurrence of a predetermined event and (b) passage of a determined period of time.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the stimulus is the passage of the selected time interval.
  - 11. The system of claim 9, wherein the stimulus is the occurrence of the event relevant to the degree of sensitivity of the selected communication and/or content.
  - 12. The system of claim 9, wherein the security requirement is one or more of an authentication requirement to access the selected communication and/or content, a limitation on potential recipients of the selected communication and/or content, and a cryptography requirement.
  - 13. The system of claim 9, wherein the policy agent is operable to:
    - analyze the selected communication and/or content to identify a behavioral instance potentially relevant to a policy and/or rule;
      
      notify a policy enforcement server of the identified determined behavioral instance;
      
      receive, from the policy enforcement server, a policy measure to be implemented; and
      
      implement the received policy measure.
  - 14. The system of claim 13, wherein the policy measure to be implemented comprises one or more of the following:
    - modification of an existing security measure for the one or more of the selected communication and/or content,implementation of a new and/or additional security measure for the one or more of the selected communication and/or content,use of a different network path and/or channel than currently chosen to effect transmission or transfer of the one or more of the selected communication and/or content,implementation of an action to remedy a prior policy or rule violation,block, delay, and/or buffer the one or more of the selected communication and/or content,mark or delete a portion of the one or more of the selected communication and/or content prior to access by one or more other parties,send a notice of policy and/or rule violation to one or more selected destinations,embed a flag indicating an area of redundant and processor intensive encryption or security transcoding,prevent access of the one or more of the selected communication and/or content by the one or more selected parties,prevent the subscriber from selecting, by dragging and dropping, selected content into a communication,provide read-only access to the one or more of the selected communication and/or content,set a hop restriction on the one or more of the selected communication and/or content whereby, when the hop restriction is met or exceeded and/or a hop counter is incremented or decremented to a selected value, the one or more of the selected communication and/or content is dropped or otherwise prohibited from delivery to an intended recipient,tear down a communication channel before transmission of the one or more of the selected communication and/or content,redirect the one or more of the selected communication and/or content to a different destination, anddisplay different portions of the one or more of the selected communication and/or content to different ones of the one or more of the selected parties based on a respective degree of trust or privilege of each party.
  - 15. The system of claim 9, wherein the security requirement is at least one of:
    - whether authentication is required;
      
      what degree and/or type(s) of authentication is required;
      
      whether a black list is to be used;
      
      what black list is to be used;
      
      whether a white list is to be used;
      
      what white list is to be used;
      
      whether an access control list is to be used;
      
      what access control list is to be used;
      
      whether encryption is to be used;
      
      an encryption level and/or strength to be used;
      
      what encryption algorithm is to be used;
      
      a communication medium to be used;
      
      a communication path to be used; and
      
      a communication modality to be used.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Kennedy, Kevin J.
Primary Examiner(s)
Laforgia, Christian

Application Number

US13/030,593
Publication Number

US 20110209196A1
Time in Patent Office

802 Days
Field of Search

726/1, 726/27, 705/319
US Class Current

726/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

G06F 21/44   Program or device authentic...

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

G06Q 30/02   Marketing; Price estimation...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

Flexible security requirements in an enterprise network

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Flexible security requirements in an enterprise network

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links