US2017039376A1PendingUtilityA1

Systems and methods for providing secure data

50
Assignee: DELL PRODUCTS LPPriority: Aug 5, 2015Filed: Aug 5, 2015Published: Feb 9, 2017
Est. expiryAug 5, 2035(~9.1 yrs left)· nominal 20-yr term from priority
G06F 21/604H04L 63/20G06F 21/6209H04L 63/10
50
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Aspects of the present invention provide the ability to enforce access methods on data based upon a policy or policies identified within the metadata of a file. The data is self-protected by including or being wrapped with policies/rules that act as a form of body armor to the data when in transit or in different situations. In embodiments, access is only granted upon successful authentication and compliance with the identified policy or policies. In embodiments, depending upon the conditions and policies, varying level access may be granted. In embodiments, depending upon the conditions and policies, the system may take one or more mitigations or remedial access levels, such as containerizing, sandboxing, granting limited access, or erasing the data.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer-implemented method for accessing content of a protected file on a computing device, the method comprising:
 receiving a protected file comprising an encrypted payload and metadata, the metadata comprising information regarding at least one of: (a) contextual metadata of the protected file and (b) one or more policies related to contextual conditions under which access to a user-accessible format of the content of the encrypted payload may be granted;   responsive to receiving an access request from a user to access the content of the encrypted payload, performing the steps comprising:
 obtaining from a memory one or more policies related to contextual conditions under which access to a user-accessible format of the content of the encrypted payload may be granted; 
 collecting contextual data using the computing device, the contextual data being relevant to the contextual conditions of the one or more policies; 
 applying the collected contextual data to the one or more policies to identify one or more access levels to a user-accessible format of the content of the encrypted payload; and 
 granting, via the computing device, an access level from the one or more access levels to the user. 
   
     
     
         2 . The computer-implemented method of  claim 1  wherein the information in the metadata regarding one or more policies related to contextual conditions under which access to a user-accessible format of the content of the encrypted payload may be granted comprises:
 the one or more policies or one or more identifiers for accessing the one or more policies from a policy dataset. 
 
     
     
         3 . The computer-implemented method of  claim 2  wherein the step of obtaining from a memory one or more policies related to contextual conditions under which access to a user-accessible format of the content of the encrypted payload may be granted comprises:
 obtaining the one or more policies from the metadata of the protected file, from a policy dataset, or both. 
 
     
     
         4 . The computer-implemented method of  claim 3  wherein the policy dataset is obtained from at least one of:
 a policy module on the computing device; and 
 a secure data access system management server that is communicatively coupled to the computing device. 
 
     
     
         5 . The computer-implemented method of  claim 1  wherein:
 the step of applying the collected contextual data to the one or more policies to identify one or more access levels to a user-accessible format of the content of the encrypted payload comprises determining that no access is appropriate given the collected contextual data and the one or more policies associated with the protected file; and 
 the step of granting, via the computing device, an access level from the one or more access levels to the user comprises not granting any access to a user-accessible format of the content of the encrypted payload. 
 
     
     
         6 . The computer-implemented method of  claim 1  further comprising:
 taking one or more actions to affect one or more conditions of the computing device related to at least part of the contextual data prior to granting an access level from the one or more access levels for accessing the content of the encrypted payload in a user-accessible format. 
 
     
     
         7 . The computer-implemented method of  claim 6  wherein the step of taking one or more actions comprises at least one of:
 alerting the user to configure the device to a specified setting; and 
 implementing one or more security features of the computing device. 
 
     
     
         8 . The computer-implemented method of  claim 1  wherein the step of collecting contextual data using the computing device comprises:
 collecting one or more contextual data as indicated by the one or more rules, the contextual data comprising at least some of clock data, location data, BIOS data, operating system data, file system data, network data, connectivity data, security features data, user data, authentication data, user privileges data, software data of the computing device, and hardware data of the computing device. 
 
     
     
         9 . The computer-implemented method of  claim 1  further comprising:
 decrypting the encrypted payload; and 
 responsive to the decrypted payload comprising encoded data, repeating at least the decryption process until a user-accessible format of the content is achieved. 
 
     
     
         10 . The computer-implemented method of  claim 9  further comprising:
 responsive to the decrypted payload comprising additional metadata identifying one or more additional policies related to contextual conditions under which access to a user-accessible format of the content of the encrypted payload may be granted, analyzing the one or more additional policies, and, if needed:
 collecting contextual data relevant to the contextual conditions of the one or more additional policies; and 
 applying the collected contextual data to the one or more additional policies to identify one or more access levels to a user-accessible format of the content of the encrypted payload. 
 
 
     
     
         11 . A system for enforcing one or more policies associated with a protected filed, the system comprising:
 a memory for storing the protected file comprising an encrypted payload and metadata, the metadata comprising information regarding at least one of contextual metadata of the protected file and one or more policies related to contextual conditions under which access to a user-accessible format of the encrypted payload may be granted;   a secure data format processor that coordinates system components to determine what level or levels of access rights to a user-accessible format of the encrypted payload may be granted to a user of the system based, at least in part, upon applying a set of contextual data to the one or more policies;   an access control engine that is communicatively coupled to the secure data format processor and analyzes specific protection policies or rules and evaluates current situational characteristics;   one or more extensible content transformation modules, communicatively coupled to the secure data format processor via a security services component, that provides one or more transformative capabilities to the secure data format processor by adding one or more trusted program modules, the one or more transformative capabilities comprising decoding the encrypted payload into a user-accessible format;   a security service component, communicatively coupled to the secure data format processor and to the one or more extensible content transformation components, that provides operational and data management related to security operations;   a policy/rules module, communicatively coupled a secure data access system management server and to the access control engine, that acquires and caches one or more policies related to contextual conditions under which access to a user-accessible format of the encrypted payload may be granted;   a system instrumentation module, communicatively coupled to the access control engine and to one or more instrumentation components, that collects contextual data relevant to the contextual conditions of the one or more policies and that provides at least some of the collected contextual data to the access control engine; and   an access environmental controls module, communicatively coupled to the access control engine, that executes one or more access control directives related to determined appropriate by the access control engine.   
     
     
         12 . The system of  claim 11  further comprising:
 an authentication/authorization module, communicatively coupled to the access control engine, that authenticates a user of the system. 
 
     
     
         13 . The system of  claim 11  wherein the access rights comprises one or more of:
 decoding at least part of the encrypted payload; and 
 providing an alternative access means allowed by the one or more policies based upon the collected contextual data. 
 
     
     
         14 . The system of  claim 11  wherein the access control engine also receives from the access environmental controls module information about available access controls on the system. 
     
     
         15 . The system of  claim 11  further comprising:
 an audit services module, communicatively coupled to the secure data format process, that provides one or more audit alerts related to access operations. 
 
     
     
         16 . The system of  claim 15  further comprising:
 an intelligence management module, communicatively coupled to the audit services module, that aggregates and correlate alerts to produce predictive conditions measurements to provide possible insight into future behaviors. 
 
     
     
         17 . The system of  claim 11  further comprising:
 a trusted supply chain component, communicatively coupled to the security module, that provides run-time instrumentation and root-of-trust implementation platform. 
 
     
     
         18 . A computer-implemented method for protecting a data file regarding of contextual conditions in which the data file resides, enforcing one or more policies associated with a protected filed, the system comprising:
 encrypting the data file using one or more encryption modules;   forming one or more rules related to situational conditions under which access to the data file may be granted to a user requesting via a computing device to access the data file; and   generating a protected data file comprising the encrypted data file and metadata comprising information regarding the one or more rules related to situational conditions under which access to the data file may be granted.   
     
     
         19 . A computer-implemented method of  claim 18  wherein the information in the metadata regarding the one or more rules comprises:
 the one or more rules or one or more identifiers for accessing the one or more rules from a secure rules dataset. 
 
     
     
         20 . A computer-implemented method of  claim 18  wherein the one or more rules identify a mitigation level or levels of access to the data file responsive, at least in part, to data collected using the user's system that represents situational conditions under which the user's request was made.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.