The embodiments herein relate to managing data present in a network and, more particularly, to managing copies of data in a network.
Currently, sharing data by users present in a network with other users of the network, as well as with users outside the network is challenging from the perspective of users as well as an administrator of the network. The network can be an enterprise network, a network present in an organization, a personal network, a LAN (Local Area Network), a WAN (Wide Area Network), a VPN (Virtual Private Network) and so on. The users want it to be seamless and intuitive, while the administrator wants to make sure that confidential data does not fall in wrong hands and all the access is tracked.
Examples of methods of sharing data with at least one other user are sending data via email, copying, sharing a link through a message (such as email, IM (Instant Message), messaging services and so on, sharing access to data present in a server, sharing access to data present in the cloud and so on. However, current methods are unable to track who is accessing the data, when the data is being accessed, and from where (the location, the device and so on) the data is being accessed.
If an enterprise wants to find out where all the copies (or similar information) of the data reside for e-discovery or compliance reasons, it becomes difficult because the data might have been residing on the devices over which organizations have no control (such as a device belonging to the user). Consider a scenario where some confidential information was leaked and that file was shared with an external user. It could have been downloaded on a device not managed by the enterprise and passed on to another user. If the enterprise wants to wipe all the copies of the data, then the enterprise should have a way to know where the data and copies of the data are present.
The embodiments herein will be better understood from the following detailed description with reference to the drawings, in which:
The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments herein. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein may be practiced and to further enable those of skill in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
The embodiments herein disclose methods and systems for managing copies of data present within a network. Referring now to the drawings, and more particularly to
The database 104 can comprise of at least one database. The database 104 can be a memory storage location, wherein the database 104 can be a pure database, a memory store, an electronic storage location and so on. The database 104 can be located locally with the data management module 101. The database 104 can be located remotely from the data management module 101, wherein the data management module 101 can communicate with the database 104 using a suitable means such as LAN (Local Area Network), a private network, a WAN (Wide Area Network), the Internet, Wi-Fi and so on. The database 104 can comprise of policy rule(s) (as set by the administrator), default policy rule(s), metadata and so on, related to the data.
The data management module 101 can be connected to at least one device 102. The device 102 can be at least one of a mobile phone, a tablet, a personal computing device, a computer, desktop computer, server, an IoT device, a wearable computing device, and so on. The device 102 can be connected to the data management module 101 using a suitable connection means such as a LAN, a private network, a WAN, the Internet, Wi-Fi and so on. The device 102 can comprise of at least one managed device 102a and at least one unmanaged device 102b. The managed device 102a is a device, to which the enterprise has access. The managed device 102a can be a laptop, a computer, a mobile device, an IoT device, a wearable computing device, and so on, issued by the enterprise, or approved for use by a user by the enterprise. The unmanaged device 102a is a device not associated with the enterprise and which the enterprise does not have any control over. It can belong to an employee/contractor of the enterprise and not approved for use by the enterprise. It can belong to a client/service provider of the enterprise and so on.
The data management module 101 can check for copies of data in a plurality of devices by comparing a block of the data with a block of data (already available with the data management module 101). The block of data can be a portion of the overall data. On finding at least one copy of the data, the data management module 101 can perform at least one task such as encrypting the data, deleting the data, wiping the data, DRM-protect the data and so on, related to the copies and depending on at least one policy defined by an authorized person and/or entity (hereinafter referred to as an administrator).
The data management module 101 can also enable application of DRM (Digital Rights Management) policies, in relation to the data and the copies of the data.
The data blocker module 202 can split the data into a plurality of data blocks. The administrator can configure the size of the data blocks. In an embodiment herein, the size of the data blocks can range from a few KB (Kilobytes) to a few MB (Megabytes). The data blocker module 202 can use a suitable variable/fixed size-chunking algorithm for splitting the data in to data blocks. The data blocker module 202 can store the data blocks or fingerprints (such as signatures or hashes) of the data blocks in a suitable location such as the database 104. In an embodiment herein, the data blocker module 202 can store the requested information in a dedicated database (hereinafter referred to as a data block database). In an embodiment herein, the data block database can be integrated into the database 104. In an embodiment herein, the data block database can be a dedicated database, separate from the database 104.
The data manager 203 can receive incoming requests for access from the user and/or the device 102. The data manager 203 can check whether the user and/or the device 102 have the requisite permissions to access the data. If the user and/or the device 102 have the requisite permissions to access the data, the data manager 203 can enable the user and/or the device 102 to access the data. The data manager 203 can further manage the access of data, along with sharing of the data among a plurality of user and/or devices. If the device is a managed device 102a, the data manger 203 can enable access to the original data or the DRM data, based on the permissions associated with the data. If the device is an unmanaged device 102b, the data manger 203 can enable access only to the DRM data. The data manager 203 can ensure that access permissions with respect to the data, policies and so on are enforced, with the DRM module 205. The data manager 203 can ensure that permissions with respect to sharing of the data, policies and so on are enforced, with the DRM module 205.
The DRM module 205 can encrypt the data and associate at least one right with the data. The DRM module 205 can encrypt the data in real time (on receiving a request for the data or the data being shared and so on). The DRM module 205 can encrypt the data and store the data in a suitable location such as the database 104. The at least one right to be associated with the data can be provided by the administrator. In an embodiment herein, the DRM module 205 can enable the user to access the data using a dedicated application, wherein the dedicated application can assist in enforcing the rights. In case of an unmanaged device 102b, the DRM module 205 can monitor the data.
The tracking module 201 can keep track of requests received from a device 102, wherein the request can be for access to copies of data. The tracking module 201 can capture the identification means of the user and/or the device 102, who made the request. The identification means for the user can comprise of name of the user, the credentials of the user (if applicable), and so on. The identification means for the device 102 can comprise of whether the device 102 is a managed device 102a or an unmanaged device 102b, a unique identification means of the device 102 (such as a MAC address, and so on), the location of the device 102, the IP (Internet Protocol) address of the device 102, and so on. The tracking module 201 can also collect any other information related to the request, such as the date and time of the request, the type of data requested, extent of access to the data requested and so on. The tracking module 201 can store the requested and information in a suitable location such as the database 104. In an embodiment herein, the tracking module 201 can store the requested information in a dedicated database (hereinafter referred to as a tracking database). In an embodiment herein, the tracking database can be integrated into the database 104. In an embodiment herein, the tracking database can be a dedicated database, separate from the database 104.
The copy manager 204 can check for copies of data across devices, accessible to the data management module 101. The copy manager 204 can check for copies at periodic intervals, as configured by the administrator. The copy manager 204 can check for copies at specific time(s), as configured by the administrator. The copy manager 204 can check for copies on at least one event occurring, such as data being copied, data being accessed and so on. The administrator can configure the event(s). The copy manager 204 can check for copies on all devices accessible to the data management module 101. The copy manager 204 can check for copies on one or more device(s). The copy manager 204 can check for copies of data by comparing at least one original data with the data present on the devices. The copy manager 204 can perform the comparison by comparing the blocks of data, wherein the blocks of data are as split by the data blocker module 202. The copy manager 204 can perform the comparison by comparing the fingerprints of the data blocks. On finding same or similar data, the copy manager 204 can send an indication to the data manager 203. The indication can comprise of the devices on which the copies have been found (including a unique identification means for the device such as MAC address, IP address, user name, domain, user identity and so on) (as provided by the tracking module 201), the data of which the copies have been found and so on.
The data manager 203, on receiving an indication from the copy manager 204 that copies of the data are present. The data manager 203 checks if action(s) need to be taken with respect to the copies, as defined by at least one policy (as defined by the administrator). In an example, if the copies are not authorized to be present on the device, the data manager 203 can block access to the data using a suitable means such as wiping the data, locking the data, encrypting the data, DRM-protecting the data and so on.
On the user accessing the data, the monitoring module 201 can monitor the data and action(s) (if any), performed by the user related to the data. The monitoring module 201, in conjunction, with the data management module 101 can enforce at least one right on the data, being accessed by the user. The monitoring module 201 can raise an alert to the data management module 101, on detecting at least one pre-defined action, such as making copies of the data, sharing the data with at least one user and/or device and so on. The monitoring module 201 can further perform at least one action on the data, on receiving instructions from the data management module 101. The action can comprise of wiping the data, locking the data, encrypting the data and so on.
The embodiment disclosed herein specifies a method and system for managing copies of data present within a network. Therefore, it is understood that the scope of the protection is extended to such a program and in addition to a computer readable means having a message therein, such computer readable storage means contain program code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The method is implemented in a preferred embodiment through or together with a software program written in e.g. Very high-speed integrated circuit Hardware Description Language (VHDL) another programming language, or implemented by one or more VHDL or several software modules being executed on at least one hardware device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof, e.g. one processor and two FPGAs. The device may also include means which could be e.g. hardware means like e.g. an ASIC, or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means are at least one hardware means and/or at least one software means. The method embodiments described herein could be implemented in pure hardware or partly in hardware and partly in software. The device may also include only software means. Alternatively, the invention may be implemented on different hardware devices, e.g. using a plurality of CPUs.
The foregoing description of the specific embodiments will so fully reveal the general nature of the embodiments herein that others can, by applying current knowledge, readily modify and/or adapt for various applications such specific embodiments without departing from the generic concept, and, therefore, such adaptations and modifications should and are intended to be comprehended within the meaning and range of equivalents of the disclosed embodiments. It is to be understood that the phraseology or terminology employed herein is for the purpose of description and not of limitation. Therefore, while the embodiments herein have been described in terms of preferred embodiments, those skilled in the art will recognize that the embodiments herein can be practiced with modification within the spirit and scope of the claims as described herein.