Data loss prevention (DLP) methods and architectures by a cloud service

US 9,237,170 B2
Filed: 07/17/2013
Issued: 01/12/2016
Est. Priority Date: 07/19/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by one or more processors of a cloud-based collaboration platform, a request to upload a file to the cloud-based collaboration platform,wherein the request is initiated by one of multiple collaborators of the cloud-based collaboration platform;

responsive to receiving the request, placing, by the one or more processors, the file in a limited administrative access state,wherein the limited administrative access state suppresses notifications to the multiple collaborators regarding the upload of the file and restricts access to the file to system administrators;

identifying, by the one or more processors, a client associated with the file;

determining, by the one or more processors, a data loss prevention policy corresponding to the client,wherein the data loss prevention policy includes various data loss prevention rules;

comparing, by the one or more processors, contents of the file with the data loss prevention rules;

determining that at least one of the data loss prevention rules is triggered based on a portion of the contents in the file;

performing a responsive action associated with the at least one of the data loss prevention rules,wherein the data loss prevention rules are set of rules preconfigured by the client;

providing the one of the multiple collaborators with an opportunity to modify the portion of the contents in the files causing the at least one of the data loss prevention rules to be triggered; and

responsive to the modification of the portion of the contents in the file, remove the file from the limited administrative access state.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure include data loss prevention (DLP) methods and architectures by a cloud-based service. The disclosed techniques of the cloud-based platform (e.g., collaboration platform in an enterprise environment) can detect (and may optionally prevent) violations to, e.g., corporate policies, which can be configurable by a corporate administrator, for example regarding the use, storage, or transmission of sensitive information. The types of sensitive information can include, for example, financial information—credit card and bank account numbers, Personally Identifiable Information (PII)—Social Security Number (SSN), health/healthcare information, Intellectual Property—earnings forecasts, sales pipeline, trade secrets, source code, etc.

482 Citations

26 Claims

1. A method comprising:
- receiving, by one or more processors of a cloud-based collaboration platform, a request to upload a file to the cloud-based collaboration platform,wherein the request is initiated by one of multiple collaborators of the cloud-based collaboration platform;
  
  responsive to receiving the request, placing, by the one or more processors, the file in a limited administrative access state,wherein the limited administrative access state suppresses notifications to the multiple collaborators regarding the upload of the file and restricts access to the file to system administrators;
  
  identifying, by the one or more processors, a client associated with the file;
  
  determining, by the one or more processors, a data loss prevention policy corresponding to the client,wherein the data loss prevention policy includes various data loss prevention rules;
  
  comparing, by the one or more processors, contents of the file with the data loss prevention rules;
  
  determining that at least one of the data loss prevention rules is triggered based on a portion of the contents in the file;
  
  performing a responsive action associated with the at least one of the data loss prevention rules,wherein the data loss prevention rules are set of rules preconfigured by the client;
  
  providing the one of the multiple collaborators with an opportunity to modify the portion of the contents in the files causing the at least one of the data loss prevention rules to be triggered; and
  
  responsive to the modification of the portion of the contents in the file, remove the file from the limited administrative access state.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the at least one of the data loss prevention rules comprises a character-based search for a particular information type.
  - 3. The method of claim 2, wherein the information type comprises one of a social security number, a tax identification number, a medical services identification number, or a user-specified textual string.
  - 4. The method of claim 3, wherein the textual string comprises a product-specific name.
  - 5. The method of claim 1, wherein the responsive action comprises an action associated with various of the data loss prevention rules.
  - 6. The method of claim 1, wherein the responsive action comprises notifying an administrator of an upload of the file.
  - 7. The method of claim 1, wherein the limited administrative access state prevents one or more of the multiple collaborators from modifying, deleting, or sharing the file.
  - 8. The method of claim 1, further comprising modifying a service level agreement in response to the determination that at least one of the data loss prevention rules is triggered.

9. A system which hosts a cloud-based collaboration service having data loss prevention capabilities, the system, comprising:
- one or more processors;
  
  a storage medium having instructions stored thereon, which when executed by the one or more processors, cause the system to;
  
  responsive to receiving a request initiated by a collaborator of multiple collaborators to upload a file to a cloud-based collaboration platform,place the file in a limited administrative access state,wherein the limited administrative access state suppresses notifications to the multiple collaborators regarding the upload of the file and restricts access to the file to system administrators;
  
  identify an enterprise client associated with the file;
  
  determine a data loss prevention policy corresponding to the enterprise client,wherein the data loss prevention policy includes various data loss prevention rules;
  
  compare contents of the file with the set of data loss prevention rules;
  
  determine that one of the set rules is triggered based on a portion of the contents in the file;
  
  perform a responsive action associated with the rules,wherein the data loss prevention rules are a set of rules preconfigured by the enterprise client;
  
  provide the one of multiple collaborators with an opportunity to modify the portion of the contents in the file causing the at least one of the data loss prevention rules to be triggered; and
  
  responsive to the modification of the portion of the contents in the file, remove the file from the limited administrative access state.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein the at least one of the set of rules comprises a character-based search for a particular information type.
  - 11. The system of claim 10, wherein the information type comprises one of a social security number, a tax identification number, and a medical services identification number.
  - 12. The system of claim 10, wherein the information type comprises a user-specified textual string.
  - 13. The system of claim 12, wherein the textual string comprises a product-specific name.
  - 14. The system of claim 9, wherein the responsive action comprises one of a responsive actions associated with the set of rules.
  - 15. The system of claim 9, wherein the responsive action comprises notifying an administrator of the upload of the file.
  - 16. The system of claim 9, wherein the responsive action comprises preventing one or more of the multiple collaborators from modifying, deleting, or sharing the file for upload.
  - 17. The system of claim 9, wherein the instructions, when executed by the one or more processors, further causes the system to:
    - modify a service level agreement associated with the enterprise client in response to the determination that one of the set of rules is violated or triggered.

18. A non-transitory computer readable storage medium having instructions stored thereon, which when executed by one or more processors, cause the one or more processors to:
- responsive to receiving a request initiated by a collaborator of multiple collaborators to upload a file to a cloud-based collaboration platform, place the file in a limited administrative access state,wherein the limited administrative access state suppresses notifications to the multiple collaborators regarding the upload of the file and restricts access to the file to system administrators;
  
  identify an enterprise client associated with the file;
  
  determine a data loss prevention policy corresponding to the enterprise client,wherein the data loss prevention policy includes various data loss prevention rules;
  
  compare contents of the file with the set of data loss prevention rules;
  
  determine that one of the set rules is triggered based on a portion of the contents in the file;
  
  perform a responsive action associated with the rules,wherein the data loss prevention rules are a set of rules preconfigured by the enterprise client;
  
  provide the one of multiple collaborators with an opportunity to modify the portion of the contents in the file causing the at least one of the data loss prevention rules to be triggered; and
  
  responsive to the modification of the portion of the contents in the file, remove the file from the limited administrative access state.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The non-transitory computer readable medium of claim 18, wherein the at least one of the set of rules comprises a character-based search for a particular information type.
  - 20. The non-transitory computer readable medium of claim 19, wherein the information type comprises one of a social security number, a tax identification number, and a medical services identification number.
  - 21. The non-transitory computer readable medium of claim 19, wherein the information type comprises a user-specified textual string.
  - 22. The non-transitory computer readable medium of claim 21, wherein the textual string comprises a product-specific name.
  - 23. The non-transitory computer readable medium of claim 18, wherein the responsive action comprises one of a responsive actions associated with the set of rules.
  - 24. The non-transitory computer readable medium of claim 18, wherein the responsive action comprises notifying an administrator of the upload of the file.
  - 25. The non-transitory computer readable medium of claim 18, wherein the responsive action comprises preventing one or more of the multiple collaborators from modifying, deleting, or sharing the file for upload.
  - 26. The non-transitory computer readable medium of claim 18, wherein the instructions, when executed by the one or more processors, further causes the system to:
    - modify a service level agreement associated with the enterprise client in response to the determination that one of the set of rules is violated or triggered.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Box Incorporated
Original Assignee
Box Incorporated
Inventors
Kiang, Andy, Bailon, Joel
Primary Examiner(s)
ZAIDI, SYED A

Application Number

US13/944,184
Publication Number

US 20140026181A1
Time in Patent Office

909 Days
Field of Search

726/26
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/60   Protecting data

G06F 2221/2123   Dummy operation

G06Q 10/103   Workflow collaboration or p...

H04L 63/20   for managing network securi...

Data loss prevention (DLP) methods and architectures by a cloud service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

482 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Data loss prevention (DLP) methods and architectures by a cloud service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

482 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links