Application control
Abstract
A method for controlling application operations on data elements includes identifying an activity by an instance of an application running on a host to perform an operation associated with a data element. The method further includes obtaining an application label which includes information regarding the instance of the application, and obtaining a data element label which includes information regarding the data element. Then, based on a combined analysis of the data element label and the application label, an operational policy governing the operation of the instance of the application with respect to the data element is determined. A control action is applied to the operation, according to the operational policy, so as to control the operation by the instance of the application with respect to the data element.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for controlling application operations on data elements, comprising:
executing, by at least one hardware processor, program instructions to:
identify an activity by an instance of an application running on a host to perform an operation associated with a data element;
obtain an application label comprising information regarding said instance of said application;
obtain a data element label comprising information regarding said data element;
determine an operational policy based on a combined analysis of at least said application label and said data element label, said operational policy governing the operation of said instance of said application with respect to said data element; and
apply a control action to said operation according to said operational policy, so as to control said operation by said instance of said application with respect to said data element.
2 . A method according to claim 1 , wherein said identifying said activity by said instance of said running application comprises intercepting an attempt by said instance of said application to access said data element.
3 . A method according to claim 1 , wherein said obtaining an application label comprises:
communicating with a resource associated with said instance of said application; receiving information about said instance of said application from said resource; and defining said application label based on said received information.
4 . A method according to claim 1 , wherein said applying said control action comprises restricting an ability of said instance of said application to perform said operation on said data element.
5 . A method according to claim 1 , wherein said applying said control action comprises controlling access by said instance of said application to said data element.
6 . A method according to claim 1 , wherein said applying said control action comprises dynamically monitoring operations performed by said instance of said application on said data element to identify violations of said operational policy.
7 . A method according to claim 1 , wherein said applying said control action comprises collecting audit data for operations performed by said instance of said application on said data element.
8 . A method according to claim 1 , wherein said applying said control action comprises at least one of:
isolating said host from accessing a network; and isolating said host from being accessible over a network.
9 . A method according to claim 1 , further comprising:
upon determining that credentials are required for performing said operation, obtaining, based on said operational policy, corresponding credentials for performing said operation; and providing said corresponding credentials to said instance of said application.
10 . A method according to claim 1 , wherein said data element label comprises an aggregation of information regarding a plurality of data elements.
11 . A method according to claim 1 , wherein said application label comprises an aggregation of at least one of: information regarding a plurality of applications and information regarding a plurality of instances of said application.
12 . A method according to claim 1 , wherein said obtaining of said application label is performed before said obtaining of said data element label.
13 . A method according to claim 1 , wherein said obtaining of said application label is performed simultaneously with said obtaining of said data element label.
14 . A system configured for controlling application operations on data elements, comprising:
at least one non-transitory computer readable storage medium storing instructions; and at least one processor configured to execute said instructions to:
identify an activity by an instance of an application running on a host to perform an operation associated with a data element;
obtain an application label comprising information regarding said application;
obtain a data element label comprising information regarding said data element;
determine, based on a combined analysis of at least said data element label and said application label, an operational policy governing the operation of said instance of said application with respect to said data element; and
apply, according to said operational policy, a control action to said operation, so as to control said operation by said instance of said application on said data element.
15 . A system according to claim 14 , wherein said at least one processor is further configured to execute instructions to dynamically update at least one of said data element label and said application label.
16 . A system according to claim 14 , wherein said at least one processor is further configured to execute instructions to label other data elements associated with said application.
17 . A system according to claim 14 , wherein said system resides on one of:
said host; an endpoint machine; a plurality of endpoint machines; a local server accessible via a local network; a remote server accessible via an external network; at least one cloud-based asset.
18 . A system according to claim 14 , wherein said data element resides in one of:
a local memory of said host; a local storage unit accessible via a local network; and a remote storage unit accessible via a remote network.
19 . A system according to claim 14 , wherein said at least one processor is further configured to execute instructions to:
upon determining that credentials are required for performing said operation, obtain, based on said operational policy, corresponding credentials for performing said operation; and provide said corresponding credentials to said instance of said application.
20 . A system according to claim 14 , wherein said data element label comprises an aggregation of information regarding a plurality of data elements.
21 . A system according to claim 14 , wherein said application label comprises an aggregation of information regarding a plurality of applications.
22 . A system according to claim 14 , wherein said at least one processor is further configured to execute instructions to control, according to said operational policy, at least one member from the group consisting of: subsequent operations of said instance of said application and operations of at least one other instance of said application.
23 . A method for controlling untrusted applications in a system environment, comprising:
executing, by at least one hardware processor, program instructions to:
identify an activity by an instance of an application running on a host to perform an operation associated with a server;
obtain an application label comprising information regarding said instance of said application;
determine an operational policy based a combined analysis of at least said application label and information pertaining to said server, said operational policy governing the use and operation of said instance of said application with respect to said server; and
apply a control action to said operation according to said operational policy, so as to control said operation by said instance of said application with respect to said server.
24 . A method according to claim 23 , wherein said identifying said activity by said instance of said running application comprises intercepting an attempt by said instance of said running application to access said server.
25 . A method according to claim 23 , wherein said obtaining an application label comprises:
communicating with a resource associated with said instance of said application; receiving information about said instance of said application from said resource; and defining said application label based on said received information.
26 . A method according to claim 23 , wherein said applying said control action comprises restricting an ability of said instance of said application to perform said operation on said server.
27 . A method according to claim 23 , wherein said applying said control action comprises controlling communication between said instance of said application and said server.
28 . A method according to claim 23 , wherein said applying said control action comprises dynamically monitoring operations performed by said instance of said application with respect to said server to identify violations of said operational policy.
29 . A method according to claim 23 , wherein said applying said control action comprises collecting audit data for operations performed by said instance of said application with respect to said server.
30 . A method according to claim 23 , wherein said information pertaining to said server comprises at least one of:
an Internet Protocol (IP) address associated with said server; a Uniform Resource Locator (URL) address associated with said server; a port associated with said server; a host name associated with said server; and a communication protocol associated with said server.
31 . A method according to claim 23 , further comprising:
upon determining that credentials are required for performing said operation, obtaining, based on said operational policy, corresponding credentials for performing said operation; and providing said corresponding credentials to said instance of said application.
32 . A method according to claim 23 , wherein said application label comprises an aggregation of at least one of: information regarding a plurality of applications, and information regarding a plurality of instances of said application.
33 . A method according to claim 23 , further comprising creating a server label comprising at least some of said information pertaining to said server, and wherein said determining an operational policy comprises a combined analysis of at least said application label and said server label.
34 . A system configured for controlling untrusted applications in a system environment, comprising:
at least one non-transitory computer readable storage medium storing instructions; and at least one processor configured to execute said instructions to:
identify an activity by an instance of an application running on a host to perform an operation associated with a server;
obtain an application label comprising information regarding said instance of said application;
determine an operational policy based a combined analysis of at least said application label and information pertaining to said server, said operational policy governing the operation of said instance of said application with respect to said server; and
apply a control action to said operation according to said operational policy, so as to control said operation by said instance of said application with respect to said server.
35 . A system according to claim 34 , wherein said at least one processor is further configured to execute instructions to dynamically update at least one of said information pertaining to said server and said application label.
36 . A system according to claim 34 , wherein said at least one processor is further configured to execute instructions to:
upon determining that credentials are required for performing said operation, obtain, based on said operational policy, corresponding credentials for performing said operation; and provide said corresponding credentials to said instance of said application.
37 . A system according to claim 34 , wherein said application label comprises an aggregation of at least one of: information regarding a plurality of applications, and information regarding a plurality of instances of said application.
38 . A system according to claim 34 , wherein said at least one processor is further configured to execute instructions to control, according to said operational policy, at least one member from the group consisting of: subsequent operations of said instance of said application and operations of at least one other instance of said application.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.