WO2022019861A1 - A data sharing and control module - Google Patents


Info

Publication number
WO2022019861A1
Authority
WO
WIPO (PCT)
Application number
PCT/TR2021/050497
Other languages
French (fr)
Inventor
Emre DEMİRAY
Original Assignee
Deytek Bi̇li̇şi̇m Mühendi̇sli̇k Sanayi̇ Ve Ti̇caret Li̇mi̇ted Şi̇rketi̇

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/604 Tools and structures for managing or administering access control systems



Abstract

The invention relates to controlling and sharing the documents in the enterprise data warehouse (1), where the documents of the enterprise and its customers are held on the enterprise server, and concerns a data control and sharing module (10) that increases security, facilitates access, and brings innovations adapted to new generation technology.

Description

A DATA SHARING AND CONTROL MODULE
Technological Area:
The invention relates to a data sharing and control module adapted to the new generation technology to increase security, facilitate access, and to be used in the control and sharing of documents in enterprises.
State of the Art:
Nowadays, studies and methods are applied in almost every sector to protect the data and documents owned by enterprises. In almost every sector, documents and the data in them are now available electronically, and documents in electronic form are managed by electronic control and sharing systems. The invention described here relates to a data sharing and control module that includes various improvements to increase security, facilitate usage, and keep up with today's technology and needs.
In the state of art, integration of more than one active directory cannot be made in data sharing and control modules. This situation may cause usage difficulties in the enterprise where the data sharing and control module is used, as well as access and security vulnerabilities.
In the state of art, in data sharing and control modules, the files produced in the module or sent to the module are recorded in the memory area of the module. In this case, problems such as insufficient space left in the module memory unit may be encountered. In the state of art, in data sharing and control modules, links are created during file sharing and these links are sent via e-mail and similar means to the people the files are meant to be shared with. No approval is required for the creation of these links.
The data sharing and control systems used in the state of art make no provision for preventing unwanted harmful access. In this case, problems may arise on every server on which the data sharing and control system is located.
The data sharing and control modules used in the state of art store the files under their control indefinitely. In this case, there is no space left in the storage area and the existing storage areas are not used efficiently. The data control and sharing modules are integrated with DLP (Data Loss Protection) and also contain a specialized data analysis system. Since DLP is a limited resource, it must be managed with a smart system. Since this is not applied in the state of art, sudden traffic may occur on the system and damage the system.
In the state of art, entry times to the system cannot be determined in data sharing and control modules. In this case, attacks can be made to the system outside of working hours. In the literature search, patent document numbered TR2015/16751 and named "Security system for digital data systems" was encountered. In the document, a device for the secure transfer of digital data and the operating algorithms of the device are given, and a data control and sharing system as in our invention is not described.
As a result, there is a need for a data sharing and control module in which the state of the art is exceeded and its disadvantages are eliminated.
Brief Description of the Invention:
The invention is a data sharing and control module, where the state of the art is exceeded, its disadvantages are eliminated, and includes additional features.
The invention relates to a data sharing and control module adapted to the new generation technology to increase security, facilitate access, and to be used in the control and sharing of documents in enterprises. Another aim of the invention is to present a data sharing and control module in which more than one active directory can be integrated.
Another aim of the invention is to introduce a data sharing and control module that mounts the files it produces as a resource of the user's computer, enabling transactions to be performed quickly and, when necessary, backups and authorization to be carried out on remote servers.
Another purpose of the invention is to provide a data sharing and control module that subjects the link creation to approval before sharing files on the link.
Another purpose of the invention is to introduce a data sharing and control module that allows users to reject file/folder shares that were assigned incorrectly or unnecessarily, or that have lost their purpose.
Another aim of the invention is to introduce a new data sharing and control module that automatically prevents unwanted harmful access by integrating systems such as DLP, sandbox, anti malware, zero day with ICAP (Internet Content Adaptation Protocol) integration. Another purpose of the invention is to introduce a new data sharing and control module that prevents storage problems by aging the files under its control over certain parameters. Another purpose of the invention is to introduce a new data sharing and control module that queues the files to be sent to DLP (Data Loss Protection) with the DLP management module in order to prevent sudden traffic on the system.
Another purpose of the invention is to introduce a new data sharing and control module that determines the access times to the system in order to prevent attacks and use system resources optimally, and does not allow access to the system outside these hours.
Another purpose of the invention is to present a data sharing and control module, which includes a reporting module in which operations other than the regular activities of the users are captured (anomaly), reported, and prevented.
Another purpose of the invention is to introduce a new data sharing and control module, where the signature of the file is kept with it during the download and upload operations, and thus the content changes of the file can be easily followed.
Description of the Figures:
The invention will be explained with reference to the enclosed figures so that the characteristics of the invention are understood more clearly. However, the purpose of this is not to limit the invention to particular embodiments. On the contrary, it is intended to cover all alternatives, modifications and equivalents that may be included within the field in which the invention is defined by the enclosed claims. It should be understood that the details shown have been provided to demonstrate preferred embodiments of the present invention and the shaping of the methods, and to give the most useful and understandable definition of the rules and conceptual features of the invention. In these figures:
Figure - 1 is the schematic view of the data sharing and control module which is the subject of the invention.
The figures that will help understand this invention are numbered as specified in the enclosed image and given below along with their names.
Description of the References:
1. Enterprise data warehouse
10. Data control and sharing module
11. Integration Module
12. Smart File Server Management Module
13. Link Management Module
14. Authorization Management Module
15. Smart Search Module
16. ICAP Integration Module
17. File Aging Module
18. DLP Management Module
19. Firewall Management Module
20. Security Violation Management Module
21. Hash Reporting Module
Description of the Invention:
In this detailed description, the sharing system which is the subject of the invention is demonstrated with examples without any limiting effect for better understanding of the subject. In the description, a data sharing and control system adapted to the new generation technology to increase security, to facilitate access and to be used in the control and sharing of documents in enterprises is described.
In Figure 1, the view of the inventive data control and sharing system is given. Accordingly, the data control and sharing system has an enterprise data warehouse (1), located on the enterprise server, where the documents belonging to the enterprise and its customers are kept, and the control and sharing of the documents in this data warehouse (1) is provided by the data control and sharing module (10). The data control and sharing module (10) includes at least one integration module (11), smart file server management module (12), link management module (13), authorization management module (14), smart search module (15), ICAP integration module (16), file aging module (17), DLP management module (18), firewall management module (19), security breach management module (20) and hash reporting module (21).
In the data sharing and control module (10), users can access all documents (including public folders) from one screen. All file environments of an enterprise can be managed from one place. Specified users and groups can be integrated without the need to create or manage users separately. Users can log in with their current username and password. With Windows Authentication, users can even log into the system via the web, the client or the Outlook/Office add-in without entering a password. One of the most significant innovations provided by the integration module (11) is that more than one Active Directory can be integrated into the system. All trusted and untrusted domains can be added as active directories.
Any file or folder in the data sharing and control module (10) can be given to another person or group, optionally with an access authorization. With this process, common working areas are created. It is possible to share a file or folder with another person through sharing authorization. In this way, a new generation file server is obtained with self-service authorization management, where units manage their own authorizations. It is also possible to mount the files produced in the data sharing and control module (10) on the user's computer. Thus, file servers can be adapted to new generation needs in a way that least affects user habits. With the support of the data sharing and control module (10) and the smart file server management module (12), external resources are shown as the user's own server resource, enabling faster file reading/writing and similar operations, while at the same time security analysis, reporting, malware scans, transaction records (log) and content analysis are applied through the data sharing and control module (10). In this way, the disk resource capacity of the user's server can be increased, it can be backed up to remote servers, and an alternative to permanent hardware costs is provided by an additional resource that can also carry authorization.
Via the data sharing and control module (10), existing files can be sent via a link to be shared with internal and external users. Thanks to transfer via a link, users avoid the file size limits that cause problems in e-mail. The files to be sent are converted into a link and only that link is sent to the other party. Since these links enable external file sharing, link creation can be subjected to an approval flow by the link management module (13) for security reasons. Which users' links are submitted to which approvers can be managed through the panel. Links subjected to the approval flow by the link management module (13) integrated into the data sharing and control module (10) are not allowed to share files externally unless the authorized person approves. The approvers are notified of links created under the approval flow, and the approver can check the content of the link and approve or reject it.
In the data sharing and control module (10), internal file sharing can be performed over the system. Sharing with different authorizations such as reading, writing, reading-writing, full control and so on is possible. All activity notifications related to a shared file or folder begin to be sent to the recipient once the sharing occurs. Although this is very useful at times, it can lead to excess notifications in cases such as project completion, change of department, change of authority, or creation of interface supervisors. File/folder shares received are therefore left, by the authorization management module (14), to the initiative of the user, enabling users to decline the authorization received with the files.
It is possible to make detailed searches of the documents contained in the data sharing and control module (10). With the smart search module (15) integrated into the data sharing and control module (10), it is also possible to provide a document as the input, instead of a keyword- or phrase-based search, and request that similar files be fetched. For instance, a file can be provided and similar ones found. In this way, the same files under different names or slightly modified files are found, allowing analysis on the system for security reasons.
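The two cases the paragraph names, the same content under a different name and a slightly modified copy, call for two different comparisons: a content hash catches exact duplicates regardless of file name, while a similarity measure over word shingles catches edited copies that no hash would match. The following is an added illustration of that combination in Python; it is not the patent's own smart search module, and the sample documents, the shingle length and the 0.5 threshold are constructed for the example.

```python
import hashlib
import re

# Constructed sample documents (file name -> content): two are byte-identical under
# different names, one is a lightly edited copy, and one is unrelated.
SAMPLE_FILES = {
    "contract_v1.txt": "This agreement is made between the company and the customer "
                       "for services rendered in 2021.",
    "copy_of_contract.txt": "This agreement is made between the company and the customer "
                            "for services rendered in 2021.",
    "contract_v2.txt": "This agreement is made between the company and the client "
                       "for services rendered in 2021.",
    "lunch_menu.txt": "Monday soup, Tuesday pasta, Wednesday salad, Thursday rice, Friday fish.",
}


def content_hash(data: bytes) -> str:
    """Exact-duplicate detection: identical bytes give the same digest whatever the name."""
    return hashlib.sha256(data).hexdigest()


def shingles(text: str, k: int = 3) -> set:
    """Word k-grams; a small edit changes only the k shingles that overlap it."""
    words = re.findall(r"\w+", text.lower())
    if len(words) <= k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; 1.0 means the same shingle set."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def find_similar(query_name: str, files: dict, threshold: float = 0.5) -> list:
    """Return (name, score, kind) for files identical or near-identical to the query."""
    query = files[query_name]
    query_hash = content_hash(query.encode())
    query_shingles = shingles(query)
    results = []
    for name, text in files.items():
        if name == query_name:
            continue
        if content_hash(text.encode()) == query_hash:
            results.append((name, 1.0, "identical"))
            continue
        score = jaccard(query_shingles, shingles(text))
        if score >= threshold:
            results.append((name, round(score, 2), "near-duplicate"))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


if __name__ == "__main__":
    for hit in find_similar("contract_v1.txt", SAMPLE_FILES):
        print(hit)
```

Replacing one word in a 15-word sentence changes three of its thirteen trigrams, so the edited copy still scores 10/16 against the original, well above the threshold, while the unrelated file shares no shingle at all. In a real deployment the per-file shingle sets would be indexed once at upload time rather than recomputed per query.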
The data sharing and control module (10) integrates systems such as DLP, sandbox, anti-malware and zero-day protection into its processes, and prevents unwanted harmful access automatically through the ICAP (Internet Content Adaptation Protocol) integration module (16). In the process, each newly added document passes through these analyses in turn (DLP, sandbox, malware, zero-day). In this way, several security layers are provided for data, and sharing decisions are made by passing through these layers in order, in a data-controlled manner.
In the data sharing and control module (10), files older than a defined number of days, measured from the date of creation, last editing and last reading, are automatically aged and cleaned periodically by the file aging module (17). While making this decision, additional decisions can be made depending on whose file environment the file is in. For instance, the limit on the creation and last edit date can be set to 1 year for the human resources department, while the limit for the accounting department can be set to 10 years. As a different example, certain areas can be exempted from aging: while files in the common area are not subject to aging, aging of other areas may be requested. This decision can also be made on the basis of the owner of the file, so that different aging decisions apply to files owned by particular users.
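The aging decision described above is a small policy evaluation: find the most recent of a file's creation, edit and read dates, pick the limit that applies (owner override first, then the file environment, then a default) and treat a missing limit as an exemption. The block below is an added Python illustration of that logic, not the patent's file aging module; the 1-year and 10-year limits come from the paragraph, while the 2-year default, the `legal-archive` owner and the sample inventory are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class FileRecord:
    path: str
    area: str          # file environment the file lives in, e.g. "hr", "accounting", "common"
    owner: str
    created: date
    last_modified: date
    last_read: date


# Aging limits in days; None marks an area or owner as exempt. Only the HR and accounting
# values come from the text; the rest are constructed for this example.
AREA_LIMIT_DAYS = {"hr": 365, "accounting": 3650, "common": None}
OWNER_LIMIT_DAYS = {"legal-archive": None}     # hypothetical owner whose files are never aged
DEFAULT_LIMIT_DAYS = 730


def age_limit_days(rec: FileRecord):
    """Owner-based decision first, then the file environment, then the global default."""
    if rec.owner in OWNER_LIMIT_DAYS:
        return OWNER_LIMIT_DAYS[rec.owner]
    return AREA_LIMIT_DAYS.get(rec.area, DEFAULT_LIMIT_DAYS)


def is_expired(rec: FileRecord, today: date) -> bool:
    """A file ages out only when creation, last edit and last read all exceed the limit."""
    limit = age_limit_days(rec)
    if limit is None:
        return False
    most_recent_activity = max(rec.created, rec.last_modified, rec.last_read)
    return (today - most_recent_activity).days > limit


def aging_sweep(records, today: date) -> list:
    """Return the paths the periodic job would clean; it deletes nothing itself."""
    return [rec.path for rec in records if is_expired(rec, today)]


# Constructed sample inventory evaluated against a fixed "today".
TODAY = date(2021, 5, 26)
SAMPLE_RECORDS = [
    FileRecord("hr/onboarding_2018.docx", "hr", "alice",
               date(2018, 6, 1), date(2019, 1, 1), date(2019, 1, 1)),
    FileRecord("hr/policy.pdf", "hr", "alice",
               date(2018, 6, 1), date(2018, 6, 1), date(2021, 3, 1)),        # recently read
    FileRecord("accounting/ledger_2015.xlsx", "accounting", "carol",
               date(2015, 3, 1), date(2015, 3, 1), date(2015, 3, 1)),       # within 10 years
    FileRecord("common/handbook.pdf", "common", "dave",
               date(2010, 1, 1), date(2010, 1, 1), date(2010, 1, 1)),       # exempt area
    FileRecord("hr/old_case.pdf", "hr", "legal-archive",
               date(2010, 1, 1), date(2010, 1, 1), date(2010, 1, 1)),       # exempt owner
    FileRecord("sales/q4_2017_forecast.xlsx", "sales", "erin",
               date(2018, 1, 1), date(2018, 1, 1), date(2018, 1, 1)),       # default limit
]

if __name__ == "__main__":
    print(aging_sweep(SAMPLE_RECORDS, TODAY))
```

Separating the sweep (which only reports candidates) from the deletion step keeps the aging decision reviewable and lets an operator dry-run a policy change before it removes anything.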
In the data sharing and control module (10), the files to be sent to the DLP are queued by the DLP management module (18) so as not to create sudden traffic on the system. The maximum number of activities that can wait in the queue, and which data will pass through the DLP layer on an IP basis, can be managed through the management panel. Depending on the user interface type (web application, link service, API service, Outlook add-in), DLP restrictions can be added on the basis of activity (download, upload, view). For instance, a rule can send downloads in the web application to DLP while previews bypass it. By adding an IP restriction, it can be determined which IPs are subjected to the DLP layer; for example, accesses via VPN can be arranged to go through the DLP layer.
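The ordered security layers of the ICAP passage and the DLP queue of this paragraph fit together as one screening path: synchronous checks run in sequence and the first failing layer blocks, while work destined for the DLP engine is routed by interface/activity/IP rules into a bounded queue that refuses new items when full. The code below is an added Python sketch of that arrangement, not the patent's ICAP or DLP management modules. The routing table, the VPN network, the queue size and the four toy content checks are constructed stand-ins; running DLP through the queue while the other layers run inline is likewise an assumption for the example.

```python
import ipaddress
import re
from collections import deque


class DlpQueueFull(Exception):
    """Raised when the DLP queue cannot accept more work (back-pressure to the caller)."""


# Routing settings standing in for the management panel; all values are constructed.
DLP_ACTIVITIES = {("web", "download"), ("web", "upload"), ("api", "upload"), ("outlook", "upload")}
DLP_NETWORKS = [ipaddress.ip_network("10.8.0.0/16")]   # e.g. a VPN address pool
MAX_DLP_QUEUE = 2


def needs_dlp(interface: str, activity: str, source_ip: str) -> bool:
    """IP-based forcing (e.g. VPN users) first, then the interface/activity rules."""
    ip = ipaddress.ip_address(source_ip)
    if any(ip in net for net in DLP_NETWORKS):
        return True
    return (interface, activity) in DLP_ACTIVITIES


# Toy checks standing in for the real engines; each returns a reason string or None.
def dlp_check(doc):
    return "dlp: personal data" if re.search(r"\b\d{11}\b", doc["text"]) else None


def sandbox_check(doc):
    return "sandbox: executable" if doc["name"].lower().endswith((".exe", ".scr")) else None


def malware_check(doc):
    return "anti-malware: known signature" if "CONSTRUCTED-MALWARE-MARKER" in doc["text"] else None


def zero_day_check(doc):
    return "zero-day: macro" if doc.get("has_macro") else None


SYNC_LAYERS = [sandbox_check, malware_check, zero_day_check]


class DlpQueue:
    """Bounded FIFO of documents awaiting the DLP layer."""

    def __init__(self, max_size: int):
        self.max_size = max_size
        self._items = deque()

    def __len__(self):
        return len(self._items)

    def put(self, doc):
        if len(self._items) >= self.max_size:
            raise DlpQueueFull(f"DLP queue full ({self.max_size}); retry later")
        self._items.append(doc)

    def drain(self) -> dict:
        """Worker side: run the DLP check on queued documents in arrival order."""
        verdicts = {}
        while self._items:
            doc = self._items.popleft()
            reason = dlp_check(doc)
            verdicts[doc["name"]] = f"blocked ({reason})" if reason else "allowed"
        return verdicts


def screen(doc, interface, activity, source_ip, queue: DlpQueue) -> str:
    """Ordered layers: the first failing layer blocks; DLP work is queued, not run inline."""
    for layer in SYNC_LAYERS:
        reason = layer(doc)
        if reason:
            return f"blocked ({reason})"
    if needs_dlp(interface, activity, source_ip):
        queue.put(doc)            # may raise DlpQueueFull; the caller defers the request
        return "pending-dlp"
    return "allowed"


if __name__ == "__main__":
    q = DlpQueue(MAX_DLP_QUEUE)
    print(screen({"name": "report.docx", "text": "quarterly numbers"}, "web", "download", "192.168.1.5", q))
    print(q.drain())
```

Surfacing `DlpQueueFull` to the caller rather than silently dropping the item is the point of the bound: the request is deferred or rejected visibly, so a burst of uploads cannot turn into unscanned data.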
The data sharing and control module (10) can manage its own firewall layer. In addition, rule-based definitions can be made with the firewall management module (19) integrated into the data control module (10). The use of service resources can be managed by determining which users can enter the system in which time interval. Access restrictions can be user-, IP- and group-based. Rules can be added on the basis of file extension and activity type, and can be defined on the basis of IP filter, time filter, user, size and request source. Through the time filter, it is possible to select at what times the system may or may not be used. For instance, thanks to the firewall module (19), working hours can be defined so that access outside working hours, and the attacks that might come with it, is prevented.
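The rule attributes listed in this paragraph (user, group, IP filter, request source, activity, file extension, size, time filter) combine naturally into a first-match rule list with a closed default. The Python below is an added illustration of such an evaluator, not the patent's firewall management module; the `Request` and `Rule` shapes, the working-hours window and the sample policy are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class Request:
    user: str
    groups: set
    source_ip: str
    source: str          # request source: "web", "api", "outlook", "link"
    activity: str        # "view", "download", "upload", "share"
    filename: str
    size_bytes: int
    when: datetime


@dataclass
class Rule:
    """A rule matches only if every set condition holds; an unset condition (None) matches anything."""
    name: str
    action: str                              # "allow" or "deny"
    users: Optional[set] = None
    groups: Optional[set] = None
    networks: Optional[list] = None          # ipaddress network objects (IP filter)
    sources: Optional[set] = None
    activities: Optional[set] = None
    extensions: Optional[set] = None
    min_size: Optional[int] = None           # matches requests at least this large
    hours: Optional[tuple] = None            # (start, end) time-of-day window (time filter)
    weekdays: Optional[set] = None           # 0 = Monday ... 6 = Sunday

    def matches(self, r: Request) -> bool:
        if self.users is not None and r.user not in self.users:
            return False
        if self.groups is not None and not (r.groups & self.groups):
            return False
        if self.networks is not None:
            ip = ipaddress.ip_address(r.source_ip)
            if not any(ip in net for net in self.networks):
                return False
        if self.sources is not None and r.source not in self.sources:
            return False
        if self.activities is not None and r.activity not in self.activities:
            return False
        if self.extensions is not None:
            ext = r.filename.rsplit(".", 1)[-1].lower() if "." in r.filename else ""
            if ext not in self.extensions:
                return False
        if self.min_size is not None and r.size_bytes < self.min_size:
            return False
        if self.hours is not None:
            start, end = self.hours
            if not (start <= r.when.time() < end):
                return False
        if self.weekdays is not None and r.when.weekday() not in self.weekdays:
            return False
        return True


# Constructed policy: specific denies first, a narrow always-on allow, a working-hours allow.
WORKDAYS = {0, 1, 2, 3, 4}
POLICY = [
    Rule("block-executables", "deny", activities={"upload"}, extensions={"exe", "scr", "bat"}),
    Rule("large-link-download", "deny", sources={"link"}, activities={"download"},
         min_size=500 * 1024 * 1024),
    Rule("oncall-any-time", "allow", groups={"it-oncall"},
         networks=[ipaddress.ip_network("192.168.1.0/24")]),
    Rule("working-hours", "allow", sources={"web", "api", "outlook", "link"},
         hours=(time(8, 0), time(18, 0)), weekdays=WORKDAYS),
]


def evaluate(request: Request, policy=POLICY) -> tuple:
    """First matching rule wins; anything unmatched is denied (closed by default)."""
    for rule in policy:
        if rule.matches(request):
            return rule.action, rule.name
    return "deny", "default"
```

Putting the deny rules ahead of the allows means a working-hours user still cannot upload an executable, and the closed default is what turns the time filter into an actual off-hours block rather than a log entry.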
Every user and admin action made through the data sharing and control module (10) is reported for all file environments. Hundreds of different activities can be reported separately. These reports can be detailed by user IP address, location, operating system and the parties interacted with, and can also be integrated into SIEM systems and downloaded as reports. The data sharing and control module (10) contains a security violation reporting module (20), in which activities other than the users' regular ones are captured (anomaly), reported and blocked. Security violation rules are defined on the system, and activities that match these rules are automatically and instantly captured, reported to the relevant users, and acted upon as required (reporting, blocking the transaction, etc.). For instance, if a user shares an average of 5 links per day, 20 links shared in one day are defined as an anomaly and the necessary activity flow is initiated. While most systems report such events once a day, the security breach reporting module (20) integrated into the data sharing and control module (10) captures abnormal activities instantly. The security breach reporting module (20) also reports activities that, apart from the system anomaly, should not be performed but are automatically caught by the system. As an example, if a user tries to extract a file in different ways and is always caught by a system block, this can be detected as a security violation and reported.
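Both detections in this paragraph can be run as the events arrive rather than in a nightly batch: a per-user daily baseline of link shares, with an alert the moment today's count leaves the normal range, and a short sliding window of blocked attempts that fires when one user is repeatedly stopped across several methods. The block below is an added Python illustration of that streaming logic, not the patent's security violation module. The event log, the "2x the mean or 3 standard deviations" threshold, the 30-minute window and the count of three blocks are all constructed for the example; the 5-per-day baseline and the 20-share burst mirror the paragraph's own numbers.

```python
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_events():
    """Constructed activity log: (timestamp, user, activity, outcome), in time order."""
    events = []
    base = datetime(2021, 5, 10, 9, 0)
    for day in range(10):                       # ten quiet days: 5 link shares per day
        for i in range(5):
            events.append((base + timedelta(days=day, hours=i), "alice", "share-link", "ok"))
    burst_day = base + timedelta(days=10)
    for i in range(20):                         # day eleven: 20 shares in one morning
        events.append((burst_day + timedelta(minutes=10 * i), "alice", "share-link", "ok"))
    t = burst_day + timedelta(hours=5)
    for i, act in enumerate(["download", "share-link", "outlook-attach", "download"]):
        events.append((t + timedelta(minutes=i), "bob", act, "blocked"))   # repeated blocks
    return events


class AnomalyDetector:
    def __init__(self, min_baseline_days=5, block_threshold=3, block_window=timedelta(minutes=30)):
        self.min_baseline_days = min_baseline_days
        self.block_threshold = block_threshold
        self.block_window = block_window
        self.daily = defaultdict(lambda: defaultdict(int))   # user -> day -> link shares
        self.alerted_days = set()                            # (user, day) already reported
        self.blocks = defaultdict(deque)                     # user -> (ts, activity) in window

    def observe(self, ts, user, activity, outcome) -> list:
        """Feed one event; return the alerts it triggers (usually none)."""
        alerts = []
        if activity == "share-link" and outcome == "ok":
            day = ts.date()
            self.daily[user][day] += 1
            count = self.daily[user][day]
            history = [c for d, c in self.daily[user].items() if d < day]
            if len(history) >= self.min_baseline_days and (user, day) not in self.alerted_days:
                mean = statistics.fmean(history)
                stdev = statistics.pstdev(history)
                threshold = mean + max(3 * stdev, 2 * mean)   # constructed rule
                if count > threshold:
                    self.alerted_days.add((user, day))
                    alerts.append(f"{user}: {count} link shares today against a baseline of "
                                  f"{mean:.1f}/day (threshold {threshold:.0f})")
        if outcome == "blocked":
            window = self.blocks[user]
            window.append((ts, activity))
            while window and ts - window[0][0] > self.block_window:
                window.popleft()
            methods = {a for _, a in window}
            if len(window) >= self.block_threshold and len(methods) >= 2:
                minutes = int(self.block_window.total_seconds() // 60)
                alerts.append(f"{user}: {len(window)} blocked attempts via "
                              f"{', '.join(sorted(methods))} within {minutes} min")
                window.clear()
        return alerts


def run(events) -> list:
    detector = AnomalyDetector()
    alerts = []
    for event in events:
        alerts.extend(detector.observe(*event))
    return alerts


if __name__ == "__main__":
    for line in run(build_events()):
        print(line)
```

With ten identical days the standard deviation is zero, so the threshold collapses to three times the mean (15) and the alert fires on the 16th share, hours before a once-a-day report would have seen the 20. Requiring at least two distinct methods in the block window separates a user repeatedly retrying one blocked action from one probing for another way out.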
In the data sharing and control module (10), general reporting records the name of the downloaded file and its final version. For instance, if data that would constitute a violation is added to a file, the file is downloaded, and its content is then changed, the violating data can no longer be traced from the file itself. For this reason the signature (hash) of the file is also kept, by the hash reporting module (21) integrated into the data sharing and control module (10), on download and upload activities. In this way, changes to file content can be easily followed.
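The value of keeping the hash with each activity record is that a later report can compare successive digests of the same file, and can link the same content across different file names. The Python below is an added illustration of such a ledger, not the patent's hash reporting module; SHA-256 as the signature, the record layout and the upload/download scenario are constructed for the example.

```python
import hashlib
from datetime import datetime


class HashLedger:
    """Keeps the SHA-256 of file content next to each upload/download record (constructed example)."""

    def __init__(self):
        self.entries = []    # dicts with ts, user, activity, name, sha256

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def record(self, ts: datetime, user: str, activity: str, name: str, data: bytes) -> dict:
        """Log one activity; the digest is taken from the bytes actually transferred."""
        entry = {"ts": ts, "user": user, "activity": activity, "name": name,
                 "sha256": self.digest(data)}
        self.entries.append(entry)
        return entry

    def history(self, name: str) -> list:
        return [e for e in self.entries if e["name"] == name]

    def change_report(self, name: str) -> list:
        """Each activity on the file, flagged when its digest differs from the previous record."""
        report, previous = [], None
        for e in self.history(name):
            changed = previous is not None and e["sha256"] != previous
            report.append((e["ts"], e["user"], e["activity"], e["sha256"][:12], changed))
            previous = e["sha256"]
        return report

    def names_for_content(self, data: bytes) -> set:
        """Under which names has this exact content been seen? Renaming does not hide it."""
        h = self.digest(data)
        return {e["name"] for e in self.entries if e["sha256"] == h}


def demo_ledger() -> HashLedger:
    """Constructed scenario: upload, unchanged download, re-upload of edited content, rename."""
    ledger = HashLedger()
    v1 = b"customer,id\nacme,1001\n"
    v2 = b"customer,id\nacme,1001\nglobex,1002\n"
    ledger.record(datetime(2021, 5, 26, 9, 0), "alice", "upload", "customers.csv", v1)
    ledger.record(datetime(2021, 5, 26, 9, 30), "bob", "download", "customers.csv", v1)
    ledger.record(datetime(2021, 5, 26, 11, 0), "bob", "upload", "customers.csv", v2)
    ledger.record(datetime(2021, 5, 26, 12, 0), "bob", "upload", "notes.csv", v1)   # old content, new name
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    for row in ledger.change_report("customers.csv"):
        print(row)
    print(ledger.names_for_content(b"customer,id\nacme,1001\n"))
```

The third row of the report is the one the paragraph is about: the file name is unchanged, but the digest recorded at the second upload differs from the one recorded at download, so the content change is visible from the ledger alone.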

Claims

1- The invention is a data sharing and control system adapted to a new generation technology to increase security, facilitate access, and to be used in the control and sharing of documents in the enterprise data warehouse (1) on enterprise servers, and its features are as follows:
  • including an integration module (11) that contains all trusted and untrusted domains as active directory, enabling integration of more than one Active Directory,
  • including the smart search module (15) where a document can be given as an input instead of a keyword or phrase-based search and the files related to this document are presented to the user,
  • including the ICAP integration module (16) through which systems such as DLP, sandbox, anti malware, zero day can be integrated into the processes and unwanted malicious access can be prevented automatically,
  • including a file aging module (17) in which files older than the number of days defined according to the last edit and last read date are automatically aged by the system and periodically cleaned, and the files can be given aging commands based on independent rules,
  • including a DLP management module (18) that queues the files to be sent to DLP in order not to create traffic on the system,
  • including the hash reporting module (21) that also keeps the signature (hash) of the file in download and upload activities so that the file content changes can be easily followed,
and being characterized in that it includes at least one data control and sharing module (10) integrated into the enterprise data warehouse (1) located on the enterprise server.
2- It is a data sharing and control system that is in accordance with Claim 1 and its features are as follows; including a smart file server management module (12), within the data control and sharing module (10) integrated into the enterprise data warehouse (1) on the enterprise server, that allows backing up to remote servers and increasing disk resource capacity, and that is able to mount the files produced in the data sharing and control module (10) to the computer in order to adapt the file server to new generation needs while least affecting user habits. In this way, external sources can be displayed as the user's own server resource, enabling faster file reading/writing and similar activities, while at the same time security analysis, reporting, malware scans, transaction records (log) and content analysis are applied to those external fields thanks to the features of the data sharing and control module.
3- It is a data sharing and control system that is in accordance with Claim 1 and its features are as follows; including a link management module (13) that prevents the sharing of links without/before submitting the links to an authority or manager for approval during file sharing over the link which is included in data control and sharing module (10) integrated into the business data warehouse (1) on the business server.
4- It is a data sharing and control system that is in accordance with Claim 1 and its features are as follows; including an authorization management module (14) that enables individuals to reject the authorizations arbitrarily, in order to prevent the authorities assigned to the shared person during document sharing from causing unnecessary notification, which is included in the data control and sharing module (10) integrated into the enterprise data warehouse (1) on the enterprise server.
5- It is a data sharing and control system that is in accordance with Claim 1 and its features are as follows; including a DLP management module (18) which is included in the data control and sharing module (10) integrated into the enterprise data warehouse (1) on the enterprise server that manages the maximum number of operations that can wait in the queue and which IP based data will pass through the DLP layer or not over the management panel, adding DLP restrictions for the user interface type (web application, link service, api service, Outlook add-in).
6- It is a data sharing and control system that is in accordance with Claim 1 and its features are as follows; including a firewall management module (19) where the use of service resources can be managed by determining which users can enter the system at which time interval, which is included in the data control and sharing module (10) integrated into the enterprise data warehouse (1) on the enterprise server.
7- It is a data sharing and control system that is in accordance with Claim 1 and its features are as follows; including a security breach reporting module (20), in which activities other than the regular ones are captured (anomaly), reported, and blocked, which is included in the data control and sharing module (10) integrated into the enterprise data warehouse (1) on the enterprise server.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TR2020/11560A TR202011560A2 (en) 2020-07-21 2020-07-21 A DATA SHARING AND CONTROL MODULE

Publications (1)

Publication Number Publication Date
WO2022019861A1 true WO2022019861A1 (en) 2022-01-27

Family

ID=76503328

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/TR2021/050497 WO2022019861A1 (en) 2020-07-21 2021-05-26 A data sharing and control module

Country Status (2)

Country Link
TR (1) TR202011560A2 (en)
WO (1) WO2022019861A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116992496A (en) * 2023-09-28 2023-11-03 武汉彤新科技有限公司 Data resource safety supervision system for enterprise service management
CN116992496B (en) * 2023-09-28 2023-12-29 武汉彤新科技有限公司 Data resource safety supervision system for enterprise service management

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116991619B (en) * 2023-08-02 2024-03-12 中国舰船研究设计中心 Integrated management system and method for digital model of ship information system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140053252A1 (en) * 2012-08-14 2014-02-20 Opera Solutions, Llc System and Method for Secure Document Distribution
US20150278541A1 (en) * 2012-11-30 2015-10-01 nCrypted Cloud LLC Multi-identity graphical user interface for secure file sharing
US20150310188A1 (en) * 2014-04-23 2015-10-29 Intralinks, Inc. Systems and methods of secure data exchange



Also Published As

Publication number Publication date
TR202011560A2 (en) 2021-04-21


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21847424; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21847424; Country of ref document: EP; Kind code of ref document: A1)