TECHNIQUES AND SYSTEM TO MANAGE ACCESS OF INFORMATION USING POLICIES

Abstract
An information management system approves or denies user requests to access information of the system. The information includes all types of information, including documents and e-mail. The information management system is driven by a policy language having policies and policy abstractions. The information management system may approve or deny many different types of requests, including opening a document or file, copying a file, printing a file, sending an e-mail, reading an e-mail, cutting and pasting a portion of a document, saving a document, executing an application on a file, and many others.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a diagram of a distributed computing network connecting a server and clients.

FIG. 2 shows a more detailed diagram of a computer system, which may be a client or server.

FIG. 3 shows a system block diagram of a computer system.

FIG. 4 shows a block diagram of a policy server that centrally manages policies that are used by workstations and servers according to a specific implementation of the invention.

FIG. 5 shows a block diagram of a number of workstations and document servers with policy enforcers installed that coexist within a system according to a specific implementation of the invention.

FIG. 6 shows a block diagram of minimal embodiments that utilize a number of workstations each with policy enforcers installed, or a number of document servers each with policy enforcers installed, according to a specific implementation of the invention.

FIG. 7 shows a block diagram of internal components of a policy server according to a specific implementation of the invention.

FIG. 8 shows a block diagram of the internal components of an intelligence server according to a specific implementation of the invention.

FIG. 9 shows a block diagram of an interceptor and a consequence applicator in a policy enforcement point (PEP) module according to a specific implementation of the invention.

FIG. 10 shows a block diagram of a policy enforcer that implements interception and enforcement functions using a PEP plug-in architecture according to a specific implementation of the invention.

FIG. 11 shows a block diagram of a policy enforcer installed on a workstation that controls access to files on the workstation according to the invention.

FIG. 12 shows a block diagram of a policy enforcer on a workstation enforcing access control to a non-file-system object according to the invention.

FIG. 13 shows a layer description of an implementation of a policy language system of the invention.

FIG. 14 shows the functional modes of an information system of the invention.

FIG. 15 shows an example of the interactions between multiple policies and multiple policy abstractions.

FIG. 16 shows an example of one policy and multiple policy abstractions, where one policy abstraction references other policy abstractions.

FIG. 17 shows accessing a confidential document and seeking approval, with a centralized decision.

FIG. 18 shows accessing a confidential document and seeking approval, with a distributed decision.

FIG. 19 shows blocking the sending of a confidential document outside the company.

FIG. 20 shows encrypting a confidential document when copying it to a removable device.

FIG. 21 shows the sending of a confidential document between users who should observe separation of duties.

FIG. 22 shows an example of a deployment operation to a workstation of an information management system.

FIG. 23 shows an example of a deployment operation of rules associated with a user.

FIG. 24 shows an example of a push operation, pushing one set of rules to a workstation and another set of rules to a server.

FIGS. 25-50 show syntax diagrams for a specific implementation of a policy language, the Compliant Enterprise Active Control Policy Language (ACPL).

FIG. 51 provides a legend explaining the nodes used in FIGS. 25-50.

Claims
  • 1. A method of managing information comprising: providing an organization having an information management system comprising a policy server comprising one or more rules and policy abstractions to manage information of the organization, wherein a rule comprises an expression having a policy abstraction; within the organization, providing a user and a confidential document managed by the information management system; when the user attempts to access the confidential document, seeking approval from the policy server; if approved, permitting the user to access the confidential document; and if not approved, blocking the user from accessing the confidential document.
  • 2. A method of managing information comprising: providing an organization having an information management system comprising a policy server comprising one or more rules comprising a context expression to manage information of the organization; within the organization, providing a user and a confidential document managed by the information management system; when the user attempts to access the confidential document, seeking approval from the policy server; if approved, permitting the user to access the confidential document; and if not approved, blocking the user from accessing the confidential document.
  • 3. A method of managing information comprising: providing an organization having an information management system comprising a policy server comprising one or more rules to manage information of the organization; within the organization, providing a user logged onto a device and a confidential document managed by the information management system; storing a subset of the one or more rules of the policy server on the device, wherein the subset of the one or more rules are not embedded in the confidential document; when the user attempts to access the confidential document, evaluating on the device whether to approve access to the confidential document; if approved, permitting the user to access the confidential document; and if not approved, blocking the user from accessing the confidential document.
  • 4. The method of claims 1, 2, or 3 wherein when the access comprises the user attempting to send the confidential document to a recipient outside the organization, approval to access the confidential document will not be given.
  • 5. The method of claims 1, 2, or 3 wherein when the access comprises the user attempting to send the confidential document to a recipient inside the organization, approval to access the confidential document will be given, while when the access comprises the user attempting to send the confidential document to a recipient outside the organization, approval to access the confidential document will not be given.
  • 6. The method of claim 1 wherein a policy abstraction defines a variable of the plurality of rules, a first variable is found in two or more of the rules, and when modifying the first variable, access to the confidential document of the information management system is based on the two or more of the rules having the modified first variable.
  • 7. The method of claims 2 or 3 wherein the policy server comprises: a plurality of rules, each rule comprising an expression having at least one variable; and a plurality of abstractions, each abstraction is separate from the rules, an abstraction defining at least one variable of the plurality of rules, wherein a first variable is found in two or more of the rules, and when modifying the first variable, access to the confidential document of the information management system is based on the two or more of the rules having the modified first variable.
  • 8. The method of claims 1, 2, or 3 wherein when the access comprises the user attempting to write the confidential document to at least one of a floppy drive, CD-ROM, DVD-ROM, Flash storage drive, Flash memory device, removable hard drive, ATA device, USB device, Firewire device, Bluetooth device, personal digital assistant device, or telephony device, approval to access the confidential document will not be given.
  • 9. The method of claims 1, 2, or 3 wherein when the access comprises the user attempting to transfer the confidential document to a server outside the organization, approval to access the confidential document will not be given.
  • 10. The method of claims 1, 2, or 3 wherein when the access comprises the user attempting to transfer the confidential document to at least one of an FTP server, web server, HTTP server, WebDAV server, mail server, content management server, document management server, or portal server outside the organization, approval to access the confidential document will not be given.
  • 11. The method of claims 1, 2, or 3 wherein the policy server identifies a document as a confidential document based on at least one of contents of the document or document attributes.
  • 12. The method of claim 11 wherein the document attributes comprises at least one of subject line of an e-mail, file attributes, e-mail attributes, or document properties.
  • 13. The method of claims 1, 2, or 3 wherein the policy server identifies a document as a confidential document when the contents of the document comprise at least one of personal identifiable information, personal health information, company financial information, personal financial information, product design data, export controlled information, or company trade secret.
  • 14. The method of claim 2 wherein based on the context expression of a rule, approval to access the confidential document will be given only during a particular time period.
  • 15. The method of claim 2 wherein based on the context expression of a rule, approval to access the confidential document will be given outside a particular time period.
  • 16. The method of claim 2 wherein based on the context expression of a rule, approval to access the confidential document will be given only when the user is in a particular location.
  • 17. The method of claim 2 wherein based on the context expression of a rule, approval to access the confidential document will be given only when the user is not in a particular location.
  • 18. The method of claim 2 wherein based on the context expression of a rule, approval to access the confidential document will be given only when the user has a particular connectivity type.
  • 19. The method of claim 2 wherein based on the context expression of a rule, approval to access the confidential document will be given only when the user does not have a particular connectivity type.
  • 20. The method of claim 2 wherein based on the context expression of a rule, approval to access the confidential document will be given only when the device used to access the confidential document is a specific device type.
  • 21. The method of claim 2 wherein based on the context expression of a rule, approval to access the confidential document will be given only when the device used to access the confidential document is not a specific device type.
  • 22. A method of managing information comprising: providing an organization having an information management system comprising one or more rules and policy abstractions to manage information of the organization, wherein a rule comprises an expression having a policy abstraction; within the organization, providing a user and a confidential document managed by the information management system; and when the user attempts to perform an operation on the confidential document, evaluating the one or more rules to determine whether to store information regarding the attempted operation in a storage location.
  • 23. The method of claim 22 wherein "when the user attempts to perform an operation on the confidential document, evaluating the one or more rules to determine whether to store information regarding the attempted operation in a storage location" is replaced by "when the user performs an operation on the confidential document, storing information regarding the operation in a storage location based on the one or more rules to manage information of the organization."
  • 24. A method of managing information comprising: providing an organization having an information management system comprising one or more rules comprising a context expression to manage information of the organization; within the organization, providing a user and a confidential document managed by the information management system; and when the user attempts to perform an operation on the confidential document, evaluating the one or more rules to determine whether to store information regarding the attempted operation in a storage location.
  • 25. The method of claim 24 wherein "when the user attempts to perform an operation on the confidential document, evaluating the one or more rules to determine whether to store information regarding the attempted operation in a storage location" is replaced by "when the user performs an operation on the confidential document, storing information regarding the operation in a storage location based on the one or more rules to manage information of the organization."
  • 26. A method of managing information comprising: providing an organization having an information management system comprising a policy server comprising one or more rules to manage information of the organization; within the organization, providing a user logged onto a device and a confidential document managed by the information management system; storing a subset of the one or more rules of the policy server on the device; and when the user attempts to perform an operation on the confidential document, evaluating the one or more rules to determine whether to store information regarding the attempted operation in a storage location.
  • 27. The method of claim 26 wherein "when the user attempts to perform an operation on the confidential document, evaluating the one or more rules to determine whether to store information regarding the attempted operation in a storage location" is replaced by "when the user performs an operation on the confidential document, storing information regarding the operation in a storage location based on the one or more rules to manage information of the organization."
  • 28. The method of claims 22 or 24 wherein "when the user attempts to perform an operation on the confidential document, evaluating the one or more rules to determine whether to store information regarding the attempted operation in a storage location" is replaced by "when the user performs an operation on the confidential document, evaluating the one or more rules to determine whether to store information regarding the operation in a storage location."
  • 29. The method of claims 22 or 24 wherein the attempted operation comprises at least one of sending the confidential document via e-mail, sending the confidential document to a recipient outside the organization, attaching a confidential document to an e-mail message, opening the confidential document using an application program, printing the confidential document, copying the confidential document, embedding a confidential document into another document, or storing the confidential document to a removable media.
  • 30. The method of claims 22 or 24 wherein the one or more rules to determine whether to store information regarding the attempted operation in a storage location is replaced by one or more rules to determine whether to encrypt the confidential document.
  • 31. The method of claims 22 or 24 wherein the one or more rules to determine whether to store information regarding the attempted operation in a storage location is replaced by one or more rules to determine whether to block the attempted operation on the confidential document.
  • 32. The method of claims 22 or 24 wherein the one or more rules to determine whether to store information regarding the attempted operation in a storage location is replaced by one or more rules to determine whether to send a notification to at least one recipient within the organization regarding the attempted operation on the confidential document.
  • 33. The method of claims 22 or 24 wherein the one or more rules to determine whether to store information regarding the attempted operation in a storage location is replaced by one or more rules to determine whether to send a notification to at least one machine within the organization regarding the attempted operation on the confidential document.
  • 34. The method of claims 22 or 24 wherein the one or more rules to determine whether to store information regarding the attempted operation in a storage location is replaced by one or more rules to determine whether to send a message to the user regarding the attempted operation on the confidential document.
  • 35. The method of claim 33 wherein the message is a pop-up message on the user's screen.
  • 36. The method of claims 22 or 24 wherein when the user attempts to perform an operation on the confidential document, the one or more rules further determine whether to block the attempted operation on the confidential document.
  • 37. The method of claims 22 or 24 wherein when the user attempts to perform an operation on the confidential document, the one or more rules further determine whether to encrypt the confidential document.
  • 38. The method of claims 22 or 24 wherein when the user attempts to perform an operation on the confidential document, the one or more rules further determine whether to send a notification to at least one recipient within the organization regarding the attempted operation on the confidential document.
  • 39. The method of claims 22 or 24 wherein when the user attempts to perform an operation on the confidential document, the one or more rules further determine whether to send a message to the user regarding the attempted operation on the confidential document.
  • 40. The method of claim 24 wherein based on the context expression of a rule, approving the attempted operation will occur only during a particular time period.
  • 41. The method of claim 24 wherein based on the context expression of a rule, approving the attempted operation will not occur only during a particular time period.
  • 42. The method of claim 24 wherein based on the context expression of a rule, approving the attempted operation will occur only when the user is in a particular location.
  • 43. The method of claim 24 wherein based on the context expression of a rule, approving the attempted operation will occur only when the user is not in a particular location.
  • 44. The method of claim 24 wherein based on the context expression of a rule, approving the attempted operation will occur only when the user has a particular connectivity type.
  • 45. The method of claim 24 wherein based on the context expression of a rule, approving the attempted operation will occur only when the user does not have a particular connectivity type.
  • 46. The method of claim 24 wherein based on the context expression of a rule, approving the attempted operation will occur only when the device used to access the confidential document is a specific device type.
  • 47. The method of claim 24 wherein based on the context expression of a rule, approving the attempted operation will occur only when the device used to access the confidential document is not a specific device type.
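The claims above describe a policy server whose rules are expressions over shared policy abstractions (claims 1, 6 and 7), carry a context expression over time, location, connectivity or device type (claims 14-21 and 40-47), produce an approve/deny decision (claims 1-5, 8-10) and attach consequences such as logging, encryption, blocking or notification to an attempted operation (claims 22-39). The following is an added example, written for this page and not the patent's own ACPL implementation, of a small policy engine with that shape. The abstraction names (`confidential`, `internal_recipient`, `external_recipient`, `removable_media`), the rule names, the `example.com` domain and the request format are all hypothetical; abstractions are looked up at evaluation time, so redefining one changes every rule that references it, which is the behaviour claim 6 describes, and `device_subset` models the rule subset pushed to an endpoint for local evaluation in claim 3.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List

Pred = Callable[[dict], bool]
ABSTRACTIONS: Dict[str, Pred] = {}   # policy abstractions: named predicates shared by rules


def abstraction(name: str, pred: Pred) -> None:
    """Define (or redefine) a policy abstraction."""
    ABSTRACTIONS[name] = pred


def ref(name: str) -> Pred:
    """Reference an abstraction by name. The lookup happens at evaluation time, so
    redefining the abstraction changes every rule that references it (claim 6)."""
    return lambda req: ABSTRACTIONS[name](req)


@dataclass
class Rule:
    name: str
    effect: str                       # "ALLOW" or "DENY"
    action: str                       # "OPEN", "SEND", "COPY", or "*" for any action
    condition: Pred                   # expression built from policy abstractions
    context: Pred = lambda req: True  # context expression: time, location, device, ...
    obligations: List[str] = field(default_factory=list)  # log / encrypt / notify


# Hypothetical abstractions. A real deployment would derive these from classification
# metadata, content inspection and directory data rather than string checks.
abstraction("confidential", lambda r: r["doc"].get("classification") == "confidential"
            or "SSN:" in r["doc"].get("content", ""))          # content-based (claim 13)
abstraction("internal_recipient", lambda r: r.get("recipient", "").endswith("@example.com"))
# One abstraction referencing another (FIG. 16).
abstraction("external_recipient", lambda r: "recipient" in r and not ref("internal_recipient")(r))
abstraction("removable_media", lambda r: r.get("target_device") in {"USB", "CD-ROM", "floppy"})


def business_hours(r: dict) -> bool:
    return time(9, 0) <= r["ctx"]["time"] < time(18, 0)


def on_campus(r: dict) -> bool:
    return r["ctx"]["location"] == "HQ"


RULES = [
    Rule("block-external-send", "DENY", "SEND",
         lambda r: ref("confidential")(r) and ref("external_recipient")(r),
         obligations=["log", "notify:security@example.com"]),        # FIG. 19
    Rule("encrypt-to-removable", "ALLOW", "COPY",
         lambda r: ref("confidential")(r) and ref("removable_media")(r),
         obligations=["encrypt", "log"]),                              # FIG. 20
    Rule("open-in-office", "ALLOW", "OPEN", ref("confidential"),
         context=lambda r: business_hours(r) and on_campus(r), obligations=["log"]),
    Rule("internal-send", "ALLOW", "SEND",
         lambda r: ref("confidential")(r) and ref("internal_recipient")(r),
         obligations=["log"]),
    Rule("non-confidential-any", "ALLOW", "*", lambda r: not ref("confidential")(r)),
]


@dataclass
class Decision:
    effect: str
    obligations: List[str]
    matched: List[str]


def evaluate(req: dict, rules: List[Rule] = RULES) -> Decision:
    """Deny-overrides combining: a matching DENY wins, otherwise a matching ALLOW
    approves, otherwise default deny. Obligations come from the rules that share
    the winning effect."""
    matched = [r for r in rules
               if r.action in ("*", req["action"]) and r.condition(req) and r.context(req)]
    effect = "DENY" if not matched or any(r.effect == "DENY" for r in matched) else "ALLOW"
    winners = [r for r in matched if r.effect == effect]
    obligations = sorted({o for r in winners for o in r.obligations})
    return Decision(effect, obligations, [r.name for r in winners])


def device_subset(rules: List[Rule], actions: set) -> List[Rule]:
    """Rules pushed to an endpoint for local evaluation (claim 3): only those for
    operations the endpoint performs, held on the device rather than in documents."""
    return [r for r in rules if r.action == "*" or r.action in actions]


def request(action: str, doc: dict, hour: int = 10, location: str = "HQ", **extra) -> dict:
    """Build a constructed access request carrying a context block."""
    return {"action": action, "doc": doc,
            "ctx": {"time": time(hour, 0), "location": location}, **extra}


if __name__ == "__main__":
    doc = {"classification": "confidential", "content": "Q3 plan"}
    print(evaluate(request("SEND", doc, recipient="partner@other.org")))   # DENY + notify
    print(evaluate(request("COPY", doc, target_device="USB")))             # ALLOW + encrypt
    print(evaluate(request("OPEN", doc, hour=21)))                         # DENY (context)
```

Default deny when no rule matches is a deliberate choice here: an attempted operation the policy author never considered is blocked and surfaces as a missing rule rather than silently succeeding, which is the safer failure mode for a document-control system.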
Provisional Applications (5)
Number Date Country
60755019 Dec 2005 US
60766036 Dec 2005 US
60743121 Jan 2006 US
60821050 Aug 2006 US
60870195 Dec 2006 US
Continuation in Parts (3)
Number Date Country
Parent 11383159 May 2006 US
Child 11615604 US
Parent 11383161 May 2006 US
Child 11383159 US
Parent 11383164 May 2006 US
Child 11383161 US