Controlling access to sensitive data based on changes in information classification

US 8,800,031 B2
Filed: 02/03/2011
Issued: 08/05/2014
Est. Priority Date: 02/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system including a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, comprising:

configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and associated transitions among the artifact security classification states;

classifying content of an artifact into a security classification identified in the DLP policy;

determining, in association with a DLP component executing on a hardware element and using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and

if a change in the classification of the artifact has occurred, generating a notification of the change in the security classification.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Data Loss Prevention (DLP) system includes an automated method for tracking changes to a security classification (e.g., content category) associated with an artifact to determine whether an attempt is being made to subvert a DLP policy. The method exploits the basic principle that, depending on context, the classification of a particular artifact, or a change to an existing classification, may indicate an attempt to subvert the policy. According to the method, an artifact classification state machine is implemented within a DLP system. For each policy-defined content category on each artifact, the machine identifies a content category change that may be of interest, as defined by policy. When a change in a classification has occurred, an artifact notification event (or, more generally, a notification of the change in classification) is issued.

20 Citations

View as Search Results

16 Claims

1. A method for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system including a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, comprising:
- configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and associated transitions among the artifact security classification states;
  
  classifying content of an artifact into a security classification identified in the DLP policy;
  
  determining, in association with a DLP component executing on a hardware element and using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and
  
  if a change in the classification of the artifact has occurred, generating a notification of the change in the security classification.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein, with respect to a given artifact, the set of artifact security classification states include an unknown state wherein no attempt has been made to classify the given artifact, an unclassified state wherein a security classification for the given artifact has been attempted but no match has been identified, a declassified state wherein a security classification for the given artifact has existed but no longer matches, and a classified state wherein a security classification has been attempted and a match has been identified.
  - 3. The method as described in claim 2 wherein a transition to the classified state generates a classification event.
  - 4. The method as described in claim 2 wherein a transition from the classified state to the declassified state generates a declassification event.
  - 5. The method as described in claim 2 wherein a transition to the unclassified state as defined by the policy generates an action as defined in the policy.
  - 6. The method as described in claim 1 wherein the method is carried out in an automated manner for each classification in the policy for each of a set of artifacts.
  - 7. The method as described in claim 6 further includes generating a classification rate event if a given number of transitions to a classified state occur for the set of artifacts.

8. Apparatus for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system including a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method comprising;
  
  configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and their associated transitions among the artifact security classification states;
  
  classifying content of an artifact into a security classification identified in the policy;
  
  determining, using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and
  
  if a change in the security classification of the artifact has occurred, generating a notification of the change in the classification.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus as described in claim 8 wherein, with respect to a given artifact, the set of artifact security classification states include an unknown state wherein no attempt has been made to classify the given artifact, an unclassified state wherein a security classification for the given artifact has been attempted but no match has been identified, a declassified state wherein a security classification for the given artifact has existed but no longer matches, and a classified state wherein a security classification has been attempted and a match has been identified.
  - 10. The apparatus as described in claim 9 wherein a transition to the classified state generates a classification event.
  - 11. The apparatus as described in claim 9 wherein a transition from the classified state to the declassified state generates a declassification event.
  - 12. The apparatus as described in claim 9 wherein a transition to the unclassified state as defined by the policy generates an action as defined in the policy.
  - 13. The apparatus as described in claim 8 wherein the method is carried out in an automated manner for each classification in the policy for each of a set of artifacts.

14. A computer program product in a non-transitory computer readable medium for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system having a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, the computer program product holding computer program instructions which, when executed by the data processing system, perform an automated method comprising:
- configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and associated transitions among the artifact security classification states;
  
  for each security classification in the DLP policy, for each of a set of artifacts;
  
  classifying content of the artifact into a security classification as identified in the DLP policy;
  
  determining, using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and
  
  if a change in the security classification of the artifact has occurred, generating a notification of the change in the classification.
- View Dependent Claims (15, 16)
- - 15. The computer program product as described in claim 14 wherein, with respect to a given artifact, the set of artifact security classification states include an unknown state wherein no attempt has been made to classify the given artifact, an unclassified state wherein a security classification for the given artifact has been attempted but no match has been identified, a declassified state wherein a security classification for the given artifact has existed but no longer matches, and a classified state wherein a security classification has been attempted and a match has been identified.
  - 16. The computer program product as described in claim 14 wherein the security classification is a DLP content category.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies Holdings, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Cecil, David Scott, Cogill, Peter Terence, Taylor, Daniel McKenzie
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
Kusyk, Janusz

Application Number

US13/020,589
Publication Number

US 20120204260A1
Time in Patent Office

1,279 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Controlling access to sensitive data based on changes in information classification

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Controlling access to sensitive data based on changes in information classification

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others