Data Protection For Organizations On Computing Devices
Abstract
An application on a device can communicate with organization services. The application accesses a protection system on the device, which encrypts data obtained by the application from an organization service using an encryption key, and includes with the data an indication of a decryption key usable to decrypt the encrypted data. The protection system maintains a record of the encryption and decryption keys associated with the organization. The data can be stored in various locations on at least the device, and can be read by various applications on at least the device. If the organization determines that data of the organization stored on a device is to no longer be accessible on the device (e.g., is to be revoked from the device), a command is communicated to the device to revoke data associated with the organization. In response to this command, the protection system deletes the decryption key.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method comprising:
receiving, at one or more modules of a computing device, a request to protect data associated with an organization, the request including both an indication of the organization and an indication of the data associated with the organization; encrypting the data using an encryption key associated with both the computing device and the organization; returning the encrypted data; receiving, at the computing device after encrypting the data, a command to revoke the data associated with the organization; and revoking, in response to the command, the data associated with the organization by deleting a decryption key used to decrypt the encrypted data.
2 . A method as recited in claim 1 , the returning the encrypted data comprising returning the encrypted data to an application from which both the indication of the organization and the indication of the data associated with the organization were received.
3 . A method as recited in claim 1 , the data associated with the organization comprising a file.
4 . A method as recited in claim 1 , the receiving the request comprising receiving the request from an application running on the computing device, the encrypting comprising encrypting the data by the computing device, and the method further comprising maintaining on the computing device an association of the encryption key with the organization.
5 . A method as recited in claim 1 , further comprising including a file descriptor in metadata associated with the data, the file descriptor identifying the decryption key.
6 . A method as recited in claim 1 , the encrypting comprising encrypting the data using an encryption key associated with both the computing device and the organization as well as with a user of the computing device, and the revoking comprising deleting the decryption key associated with both the computing device and the organization as well as with the user of the computing device while leaving on the computing device a decryption key associated with both the computing device and organization but a different user of the computing device.
7 . A method as recited in claim 1 , the encrypting comprising encrypting the data using an encryption key associated with both the computing device and the organization as well as with an application of the computing device, and the revoking comprising deleting the decryption key associated with both the computing device and the organization as well as with the application of the computing device while leaving on the computing device a decryption key associated with both the computing device and organization but a different application of the computing device.
8 . A method as recited in claim 7 , further comprising:
receiving the request from an application running on the computing device; and revoking the data only in response to a command to revoke the data being provided by the application or by another application to which the ability to revoke data associated with the application has been delegated.
9 . A method as recited in claim 1 , further comprising receiving the request from an application running on the computing device, and the returning comprising returning the encrypted data in the absence of restrictions on where the application can store the encrypted data.
10 . A method as recited in claim 1 , the encryption key being associated with a particular one of multiple subsets of data associated with the organization, different subsets of data associated with the organization being encrypted with different encryption keys, the command identifying which one of the multiple subsets of data associated with the organization is to be revoked, and the revoking comprising revoking only the one of the multiple subsets identified by the command.
11 . A method as recited in claim 1 , further comprising obtaining, after deleting the decryption key, the decryption key from a key generation service that is separate from the computing device.
12 . A method comprising:
receiving, at a computing device, an indication that particular organization data is to no longer be accessible on the computing device, the particular organization data including data having been previously encrypted on the computing device in response to a request from an application on the computing device and in the absence of restrictions on where the application can store the particular organization data; identifying one or more keys on the computing device that are associated with the particular organization data; and deleting the identified one or more keys.
13 . A method as recited in claim 12 , the particular organization data comprising organization data associated with a particular user of the computing device.
14 . A method as recited in claim 13 , the particular organization data further comprising organization data associated with both the particular user of the computing device and the application on the computing device.
15 . A method as recited in claim 12 , further comprising deleting, after deleting the identified one or more keys and in response to a determination of light system usage in the computing device, the particular organization data.
16 . A method as recited in claim 12 , the particular organization data comprising all organization data on the computing device.
17 . A method as recited in claim 12 , the receiving comprising receiving the indication in response to the computing device logging off a network of the organization.
18 . A method as recited in claim 12 , the organization data including multiple subsets of organization data each being associated with a different one or more keys, the particular organization data being one subset of the multiple subsets of organization data, and the deleting comprising deleting the one or more keys associated with the one subset.
19 . A method as recited in claim 12 , the particular organization data further including data encrypted on an additional computing device and copied to the computing device, copies of the particular organization data on the additional computing device being also deleted in response to the indication.
20 . A computing device comprising:
an application; a data store; and an organization data protection system configured to:
receive a request to protect a file associated with an organization, the request including both an indication of the organization and an indication of the file associated with the organization,
encrypt the file using an encryption key associated with both the computing device and the organization, the encryption key being associated with a decryption key that can be used to decrypt the encrypted data,
return the encrypted file to the application for storage in the data store, the encrypted file including metadata identifying the decryption key,
receive, after encrypting the file, a command to revoke files associated with the organization, and
revoke, in response to the command to revoke files associated with the organization, the file associated with the organization by deleting the decryption key only if the command to revoke the file is received from the application or another application to which the ability to revoke data associated with the application has been delegated.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.