Controlling access to sensitive data based on changes in information classification
First Claim
1. A method for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system including a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, comprising:
configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and associated transitions among the artifact security classification states;
classifying content of an artifact into a security classification identified in the DLP policy;
determining, in association with a DLP component executing on a hardware element and using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and
if a change in the classification of the artifact has occurred, generating a notification of the change in the security classification.
5 Assignments
0 Petitions
Abstract
A Data Loss Prevention (DLP) system includes an automated method for tracking changes to a security classification (e.g., content category) associated with an artifact to determine whether an attempt is being made to subvert a DLP policy. The method exploits the basic principle that, depending on context, the classification of a particular artifact, or a change to an existing classification, may indicate an attempt to subvert the policy. According to the method, an artifact classification state machine is implemented within a DLP system. For each policy-defined content category on each artifact, the machine identifies a content category change that may be of interest, as defined by policy. When a change in a classification has occurred, an artifact notification event (or, more generally, a notification of the change in classification) is issued.
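The artifact classification state machine described in the abstract and recited in claim 1 (claims 8 and 14 recite the same method as an apparatus and as a program product), as an added example written for this page; it is not code from the patent or from any DLP product. The classifications, the regex content classifiers, the enforcement rules and the table of transitions "of interest" are all assumptions chosen to make the mechanism concrete; in a real DLP system the policy supplies each of them.

```python
"""Artifact classification state machine for a DLP system (illustrative)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Policy (assumed for this example; a real DLP policy supplies all of this) ---

# Classifications, least to most sensitive.
CLASSIFICATIONS = ("public", "internal", "confidential")

# Content classifiers: simplified regexes standing in for a real content scanner.
CLASSIFIERS = {
    "confidential": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b|\bsecret\b", re.I),
    "internal": re.compile(r"\bdo not distribute\b|\binternal\b", re.I),
}

# Enforcement rule per classification (the rule a subverter is trying to get out from under).
ENFORCEMENT = {"confidential": "block_external_send", "internal": "warn", "public": "allow"}

# State-machine transitions the policy marks as "of interest":
# (previous_state, new_state) -> reason. Here every downgrade is of interest, because a
# downgrade swaps a stricter enforcement rule for a weaker one.
TRANSITIONS_OF_INTEREST = {
    ("confidential", "internal"): "downgrade: block_external_send -> warn",
    ("confidential", "public"): "downgrade: block_external_send -> allow",
    ("internal", "public"): "downgrade: warn -> allow",
}


def classify(content: str) -> str:
    """Return the most sensitive classification whose classifier matches the content."""
    for cls in reversed(CLASSIFICATIONS):
        pattern = CLASSIFIERS.get(cls)
        if pattern is not None and pattern.search(content):
            return cls
    return CLASSIFICATIONS[0]


@dataclass
class Notification:
    artifact_id: str
    previous: str
    current: str
    of_interest: bool  # True when the transition is one the policy flags
    reason: str


class ArtifactStateMachine:
    """Tracks each artifact's classification state and reports transitions."""

    def __init__(self, transitions_of_interest):
        self.transitions = transitions_of_interest
        self.state: Dict[str, str] = {}  # artifact_id -> current classification

    def observe(self, artifact_id: str, content: str) -> Optional[Notification]:
        """Reclassify an artifact; return a Notification if its classification changed."""
        new_state = classify(content)
        previous = self.state.get(artifact_id)
        self.state[artifact_id] = new_state
        if previous is None or previous == new_state:
            return None  # first sighting, or no transition
        reason = self.transitions.get((previous, new_state))
        return Notification(artifact_id, previous, new_state,
                            reason is not None, reason or "classification changed")


def run_demo() -> List[Notification]:
    """Replay a constructed sequence of artifact versions and collect notifications."""
    # Constructed sample events: (artifact_id, content of that version of the artifact).
    events = [
        ("doc-1", "Q3 numbers. Customer card 4111 1111 1111 1111. Do not distribute."),
        ("doc-1", "Q3 numbers. Customer card on file. Do not distribute."),  # card number stripped
        ("doc-1", "Q3 numbers. Customer card on file."),                     # marking stripped too
        ("doc-2", "Press release draft."),
        ("doc-2", "Press release draft. Reviewer note: launch date is secret."),
    ]
    machine = ArtifactStateMachine(TRANSITIONS_OF_INTEREST)
    notifications: List[Notification] = []
    for artifact_id, content in events:
        note = machine.observe(artifact_id, content)
        if note is not None:
            notifications.append(note)
    return notifications


if __name__ == "__main__":
    for note in run_demo():
        level = "ALERT" if note.of_interest else "info"
        print(f"[{level}] {note.artifact_id}: {note.previous} -> {note.current} ({note.reason})")
```

The machine emits a notification on every classification change, as claim 1 requires, and marks the subset the policy's transition table singles out, as the abstract describes; the table is the only place policy has to change to treat, say, an upgrade of an artifact already cleared for release as suspicious too. One check a practitioner will want before deploying something like this: the state store must be keyed by a stable artifact identity that survives rename and copy, otherwise pasting the stripped-down content into a new file shows up as a first sighting rather than a downgrade and the subversion is never seen.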
20 Citations
16 Claims
1. (Independent claim 1 is reproduced in full under First Claim above.) Dependent claims: 2-7.
8. Apparatus for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system including a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, comprising:
a processor;
computer memory holding computer program instructions that when executed by the processor perform a method comprising:
configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and their associated transitions among the artifact security classification states;
classifying content of an artifact into a security classification identified in the policy;
determining, using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and
if a change in the security classification of the artifact has occurred, generating a notification of the change in the classification.
Dependent claims: 9-13.
14. A computer program product in a non-transitory computer readable medium for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system having a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, the computer program product holding computer program instructions which, when executed by a data processing system, perform an automated method comprising:
configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and associated transitions among the artifact security classification states;
for each security classification in the DLP policy, for each of a set of artifacts:
classifying content of the artifact into a security classification as identified in the DLP policy;
determining, using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and
if a change in the security classification of the artifact has occurred, generating a notification of the change in the classification.
Dependent claims: 15-16.
Specification