GB2555487A - A method of controlling the transfer of data in a managed data transfer system - Google Patents

A method of controlling the transfer of data in a managed data transfer system Download PDF

Info

Publication number
GB2555487A
GB2555487A GB1618427.7A GB201618427A GB2555487A GB 2555487 A GB2555487 A GB 2555487A GB 201618427 A GB201618427 A GB 201618427A GB 2555487 A GB2555487 A GB 2555487A
Authority
GB
United Kingdom
Prior art keywords
data
transfer
user
host
managed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB1618427.7A
Other versions
GB201618427D0 (en
Inventor
Cussen Danielle
O'Keeffe Shane
Tracy Michael
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Iconx Solutions Ltd
Original Assignee
Iconx Solutions Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Iconx Solutions Ltd filed Critical Iconx Solutions Ltd
Priority to GB1618427.7A priority Critical patent/GB2555487A/en
Publication of GB201618427D0 publication Critical patent/GB201618427D0/en
Publication of GB2555487A publication Critical patent/GB2555487A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/2866Architectures; Arrangements
    • H04L67/30Profiles
    • H04L67/306User profiles

Abstract

A method of controlling the transfer of data in a managed data transfer or managed file transfer (MFT) system 23 operable to transfer data between a plurality of host connectors, users, clients, servers, locations or recipients 5(a)-5(k) over a communications network. Comprising grouping two or more of the host connectors into at least one zone, group, class, category, set or family 25(a)-25(c) and creating a user profile, account, policy or rule settings for a user of the system. The user profile specifies one or more zones that the user may transfer data from and transfer data to. Prior to the establishment of a transfer link, the user profile is checked and it is determined if the first host is in a zone that the user may transfer data from, if the second host is in a zone that the user may transfer data to, and whether the user is permitted to transfer data between the hosts. There may also be provided a graphical user interface (GUI) with a menu of source and destination locations where, depending on the item selected, the items listed in the menus may change. This secure method reduces user error and malicious attacks.

Description

(54) Title ofthe Invention: A method of controlling the transfer of data in a managed data transfer system
Abstract Title: Controlling the transfer of data between hosts in a managed data transfer system by grouping hosts in to zones and creating user profiles (57) A method of controlling the transfer of data in a managed data transfer or managed file transfer (MFT) system 23 operable to transfer data between a plurality of host connectors, users, clients, servers, locations or recipients 5 (a)-5(k) over a communications network. Comprising grouping two or more ofthe host connectors into at least one zone, group, class, category, set or family 25(a)-25(c) and creating a user profile, account, policy or rule settings for a user of the system. The user profile specifies one or more zones that the user may transfer data from and transfer data to. Prior to the establishment of a transfer link, the user profile is checked and it is determined if the first host is in a zone that the user may transfer data from, if the second host is in a zone that the user may transfer data to, and whether the user is permitted to transfer data between the hosts. There may also be provided a graphical user interface (GUI) with a menu of source and destination locations where, depending on the item selected, the items listed in the menus may change. This secure method reduces user error and malicious attacks.
Figure GB2555487A_D0001
25(b)
1/6
Data Warehouse sm
CRM
5(e)
Data Store
Billing
51gl
7(f) 7(g)
sj
; [_ /
<7(i)
Data Repository 5(h)
Printer
5(1)
SWITCH
5iai
Marketing
Siei
Engineering
7(a)
5(b)
Roaming
r (. ’ Siil
7(j)
Government
5(k)
Prior Art
FigJ,
2/6
25(c)
Figure GB2555487A_D0002
25(b)
Fi&2
3/6
25(c) r
Figure GB2555487A_D0003
Fig^
4/6
Figure GB2555487A_D0004
Fi&4
5/6
Figure GB2555487A_D0005
Flg^5
Figure GB2555487A_D0006
Figure GB2555487A_D0007
Module 2
6/6
Figure GB2555487A_D0008
Figure GB2555487A_D0009
Application No. GB1618427.7
RTM
Date :7 April 2017
Intellectual
Property
Office
The following terms are registered trade marks and should be read as such wherever they occur in this document:
Linux (Page 1)
Unix (Page 1)
Memory Stick (page 12)
Intellectual Property Office is an operating name of the Patent Office www.gov.uk/ipo
- 1 “A method of controlling the transfer of data in a managed data transfer system”
Introduction
This invention relates to a computer implemented method of controlling the transfer of data in a managed data transfer system and a managed data transfer system.
It is common for organisations, particularly large organisations, to move data from one location to another location for storage, processing and/or analysis of the data. For example, it is not uncommon for one company department to send data to another company department or for one company to send data to another company. The company departments may be situated in the same or in different locations. Indeed, the company departments or the companies, in the case of a company to company transfer, may be located in the same or in different jurisdictions. The data that is transferred from one location to another may be in the form of files or database content. The data may be in plain text, binary code, ASCII or other format. The locations, hereinafter referred to as host connectors, may be, for example, servers such as but not limited to HTTP, HTTPs, FTP, FTPS, sFTP, Windows ®, Linux or Unix servers or databases such as, but not limited to, Oracle ® Database, Microsoft ® SQL, IBM ® DB2, SAP ® ASE.
Take for example a large telecommunications company. The telecommunications company captures a large amount of call data relating to customer’s calls at a switch. This call data, or a subset thereof, may have to be transferred to a number of different departments for further processing. For example, the call data must be transferred from the switch to the billing department in order to allow the billing department determine what calls were made by which customer so that the customers can be correctly billed for their calls. Thereafter, one or more customer account records may need to be transferred onwards from the billing department to a printing department or to a separate third party company for printing and postage of those bills. It may also be desirable to send call data from the switch to the marketing department and to the engineering department to allow the data to be analysed to facilitate a more targeted marketing strategy and better management of the available network resources. Finally, it may be necessary to transfer some of the call data from the switch to a third party clearing house to reconcile accounts with other telecommunications operators.
-2The transfer of data represents a material and significant risk for any organisation. Whenever moving data, even in an intracompany transfer, there is a risk that the data may be sent to the wrong destination or that the data may be intercepted en route and copied, redirected or modified. Alternatively, or in addition to this, whenever moving data, there is a risk that data that is not relevant or appropriate for the target location is transferred along with other appropriate data. For example, it would not be appropriate to transfer a customer’s billing information along with their call information to the engineering department.
It is clear that there are substantial risks when moving customer’s credit card details and/or personally identifiable information (PH) from one location to another. Organisations have a duty of care to their customers to ensure that their data is not inadvertently released and there are heavy penalties and serious consequences for breaches of this duty of care. For example, the EU General Data Protection Regulation, due to come into force in May 2018, has proposed fines of up to €20,000,000 or 4% of global company turnover, whichever is the larger, for wilful negligence in the case of inadvertent release of customer data. Furthermore, many companies have already found how detrimental a serious breach of customer data can be for their business, both reputationally and financially, in many cases resulting in the closure of the business.
Heretofore, data could be transferred by individual IT personnel in the different companies and different departments writing scripts to transfer batches of data from one location to another. This was highly undesirable as it was haphazard, had little or no oversight or control, was highly vulnerable to an error or a malicious attack by an employee, and there was little or no accountability or traceability of errors. Managed File Transfer (MFT) products were developed, in part, in an effort to address the chaotic nature of scripts as a means of transferring files from one location to another. The MFT products provide a more structured environment for the transfer of files and provide greater security, accountability and are arguably less susceptible to operator error. There are however problems with the known MFTs in that there is still little oversight or control, and they are still prone to operator error and malicious attacks by a disgruntled employee. Given the seriousness of the consequences of a data breach, these risks are not acceptable.
- 3It is an object of the present invention to provide a computer implemented method of controlling the transfer of data in a managed data transfer system and a managed data transfer system that overcomes at least some of the problems with the existing systems and methods. It is a further object of the present invention to provide a method and system that is more secure, less prone to a malicious attack or operator error and that provides greater visibility and oversight to management. Finally, it is an object of the present invention to provide a useful choice to the consumer.
Statements of Invention
According to the invention there is provided a computer implemented method of controlling the transfer of data in a managed data transfer system operable to transfer data between a plurality of host connectors over a communications network, the method comprising the steps of:
grouping two or more of the host connectors into at least one zone;
for a user of the managed data transfer system, creating a user profile, the user profile specifying one or more zones that the user may transfer data from and specifying one or more zones that the user may transfer data to; and prior to the establishment of a managed data transfer link by a user to transfer data from a first host connector to a second host connector, the method comprising the step of checking the user profile and determining if the first host connector is in a zone that the user may transfer data from, if the second host connector is in a zone that the user may transfer data to, and whether the user is permitted to transfer data between the first and second host connectors.
By having such a method, the opportunity for an operator error or a malicious attack is significantly reduced. Furthermore, the security of the method is greatly improved and the management of the transfer of data is greatly simplified. Heretofore, with scripts or MFTs, there was little control over what data users with access to the systems could transfer from one location to another and there was little control over those users. By
-4implementing the method according to the invention, it is possible to carefully control the data that the users have access to and also where that data may be sent by the users. It is not possible for a user to unwittingly transfer data to a host connector that is not in a zone that they are not permitted to send data to. Furthermore, by grouping multiple host connectors together in zones, it is possible to more efficiently and effectively control the access to data by several users.
In one embodiment of the invention there is provided a method of controlling the transfer of data in which the user profile specifies a pair of zones that data cannot be transferred from one of those zones to another of those zones. This is seen as a preferred embodiment of the present invention. For example, the first zone may contain host locations that in turn contain highly sensitive data relating to a person’s medical history whereas the second zone may comprise host locations that are in third party companies or locations that are outside of the company’s scope of control. It would be potentially highly damaging for such sensitive information to be sent to a location where it is not under the control of the company and therefore the present invention provides a safeguard against this happening.
In one embodiment of the invention there is provided a method of controlling the transfer of data in which if it is determined that the user is not permitted to establish a managed data transfer link between the first host connector and the second host connector, a managed data transfer establishment request is transmitted to a supervisor. In this way, it is possible to set up the managed data transfer link and have it approved by a supervisor before the link is established, i.e. before it is active and capable of being used to transfer data.
In one embodiment of the invention there is provided a method of controlling the transfer of data comprising providing a user interface with a menu of host connectors that a user may transfer data from, and populating the menu in accordance with the user profile, so that the user may select a first host connector from the menu. This is seen as a useful embodiment of the invention. In this way, only those zones that the user has access to will be presented to them on a menu and the user will not have access or even sight of other zones and host locations that are in those zones that they are not authorized to access.
- 5In one embodiment of the invention there is provided a method of controlling the transfer of data comprising providing a menu of host connectors that a user may transfer data to, and populating that menu in accordance with the user profile, so that the user may select a second host connector from that menu. Again, in this way, the menu of host connectors that the user may transfer data to is limited to those host connectors that the user is permitted to send data to.
In one embodiment of the invention there is provided a method of controlling the transfer of data in which the menu of host connectors that a user may transfer data to is populated subsequent to the user selecting a host connector that they wish to transfer data from. It is envisaged that the host connectors that the user may transfer data to may be dependent on the host connector that they are sending data from. For example, if the data is highly sensitive, the number of locations that the data can be sent to may be limited whereas if the data has a low sensitivity rating, the data can potentially be sent to a larger number of host connectors.
In one embodiment of the invention there is provided a method of controlling the transfer of data in which the menu of host connectors that a user may transfer data from is populated subsequent to the user selecting a host connector that they wish to transfer data to.
In one embodiment of the invention there is provided a method of controlling the transfer of data in which the user profile specifies the data that may be transferred from a host connector by that user. Again, this is seen as a useful embodiment of the invention. In this way, it is possible to determine and control the data that a user may be able to transfer from a host connector. This will help to prevent sensitive data being inadvertently or maliciously released to third parties.
In one embodiment of the invention there is provided a managed data transfer system for transferring data between a first host connector of a plurality of host connectors and a second host connector of the plurality of host connectors over a communications network, the managed data transfer system comprising:
-6a memory having a plurality of user profiles stored therein, each user profile specifying one or more zones, each zone having one or more host connectors therein, that the user may transfer data from and specifying one or more zones that the user may transfer data to; and a managed data transfer link establishment module, the managed data transfer link establishment module comprising a managed data transfer link creation module and a managed data transfer link authorization module, the managed data transfer link creation module being operable to permit a user to specify a first host connector that they wish to transfer data from and a second host connector that they wish to transfer data to, the managed data transfer link authorization module being operable to check the user profile and determine if the first host connector is in a zone that the user may transfer data from, if the second host connector is in a zone that the user may transfer data to, and whether the user is permitted to transfer data between the first and second host connectors prior to permitting the establishment of the managed data transfer link.
By having such a system, the transfer of data will be handled in a more secure manner than was heretofore the case and there will be greater control and oversight over the data that can be transferred between host connectors. The system will be less prone to operator error or a malicious attack causing data to be released without the permission and approval of the organisation operating the managed data transfer system.
In one embodiment of the invention there is provided a managed data transfer system in which the user profile specifies a pair of zones that data cannot be transferred from one of those zones to another of those zones.
In one embodiment of the invention there is provided a managed data transfer system in which the managed data transfer link authorization module, on detecting that the user is not permitted to transfer data between the first and the second host connectors, is operable to generate and transmit a managed data transfer establishment request to a supervisor.
- 7In one embodiment of the invention there is provided a managed data transfer system in which there is provided a user interface with a menu of host connectors that a user may transfer data from, populated in accordance with the user profile, that the user may select a first host connector from.
In one embodiment of the invention there is provided a managed data transfer system in which there is provided a menu of host connectors that a user may transfer data to, populated in accordance with the user profile, that the user may select a second host connector from.
In one embodiment of the invention there is provided a managed data transfer system in which the menu of host connectors that a user may transfer data to is populated subsequent to the user selecting a host connector that they wish to transfer data from.
In one embodiment of the invention there is provided a managed data transfer system in which the menu of host connectors that a user may transfer data from is populated subsequent to the user selecting a host connector that they wish to transfer data to.
In one embodiment of the invention there is provided a managed data transfer system in which the user profile specifies the data that may be transferred from a host connector by that user.
In one embodiment of the invention there is provided a managed data transfer system in which the managed data transfer system is a managed file transfer system.
In one embodiment of the invention there is provided a computer program product having program instructions that when run on a computer is operable to cause the computer to perform the method of any of the method claims.
Detailed Description of the Invention
The invention will now be more clearly understood from the following description of some embodiments thereof given by way of example only with reference to the accompanying drawings, in which:- 8Figure 1 is a diagrammatic representation of a managed file transfer system operable to facilitate transfer of data between a plurality of host connectors known in the art;
Figure 2 is a diagrammatic representation of a managed data transfer system according to the present invention;
Figure 3 is a view similar to Figure 2 of the managed data transfer system according to an alternative configuration;
Figure 4 is a view similar to Figure 3 of the managed data transfer system according to an alternative configuration;
Figure 5 is a diagrammatic representation of a user interface of the managed data transfer system; and
Figure 6 is a diagrammatic representation of the user interface of the managed data transfer system with the drop down menus exploded;
Figure 7 is a block diagram of the components of the managed data transfer system; and
Figure 8 is a diagrammatic representation of the user interface of the managed data transfer system.
Referring to Figure 1, there is shown a diagrammatic representation of a system, indicated generally by the reference numeral 1, incorporating a managed file transfer system 3 that is known in the art. The system 1 comprises a plurality of host connectors 5(a)-5(k) that are accessible to the managed file transfer system over communication links 7(a)-7)(k) respectively of a communication network (not shown). The communication network may comprise one or more communication networks including, but not limited to the internet, an intranet, a wired cable, a wireless link and the like.
- 9It can be seen from Figure 1 that the managed file transfer system 3 has access to each of the host connectors 5(a)-5(k). The managed file transfer system 3 is used to retrieve files from one or more of the host connectors and transfer that data onwards to one or more other host connectors. Some of the host connectors 5(a)-5(k) will permit transfer of data in one direction (i.e. to or from the host connector 5(a)-5(k)) whereas other host connectors 5(a)-5(k) will permit transfer of data in two directions. The host connectors 5(a) to 5(k) comprise a switch 5(a), an engineering department 5(b), a marketing department 5(c), a data store 5(d), a customer relationship management (CRM) department 5(e), a data warehouse 5(f), a Billing department 5(g), a remote data repository 5(h), a third party printer 5(i), a clearing house 5(j) and a Government agency 5(k). It will be understood that these host connectors are provided for illustrative purposes only and the number and nature of the host connectors may vary from application to application. Although reference is made to a department or an agency and the like, it will be understood that what is being referred to is a data resource in the host connector such as a server or a database.
Referring now to Figures 2 to 4 inclusive, there are shown diagrammatic representations of a system, indicated generally by the reference numerals 21,31 and 41 respectively, in which the managed data transfer system 23 according to the present invention is incorporated. Referring specifically to Figure 2, there are a number of zones, 25(a)-25(c) designated by dashed lines, each containing at least one host connector that the user (not shown) may transfer data either to or from. For example, zone 25(a) comprises switch 5(a) and data store 5(d). The user is able to retrieve data from these host connectors in this zone. Zone 25(b) comprises the engineering and marketing departments 5(b), 5(c) whereas zone 25(c) comprises the data repository 5(h), the data warehouse 5(f) and the billing department 5(g). The user is only able to access the content in these host locations, designated by zones.
Referring specifically to Figure 3, there is shown a system 31 in which there is provided a different configuration of zones. In addition to zones 25(a), 25(b) and 25(c), the user is also able to access the CRM department 5(e) as part of zone 25(c) and in addition there is another zone, 25(d) that incorporates third party entities. It is envisaged that the users that have access to this zone 25(d) will be highly restricted.
- 10Referring specifically to Figure 4, there is shown a system, indicated generally by the reference numeral 41 in which there is provided a different configuration of zones. Zone 25(a) comprises switch 5(a) and data store 5(d). The user is able to retrieve data from these host connectors in this zone. Zone 25(b) comprises the engineering and marketing departments 5(b), 5(c). However, in addition to these host connectors, zone 25(b) also now includes host connector 5(a), the switch. Accordingly, the host connector 5(a) is present in both Zone 25(a) and Zone 25(b). Zone 25(c) comprises the data repository 5(h), the data warehouse 5(f) and the billing department 5(g). Zone 25(d) comprises the third party entities including the third party printer 5(i), the clearing house 5(j) and the Government agency 5(k). In the embodiment shown, there is a further zone, Zone 25(e), which comprises only the CRM 5(e).
It will be understood that there may be one or more zones with only one or multiple host connectors therein. If a zone has multiple host connectors therein, a user with permission to access that zone may be able to transfer data from one of the host connectors in that zone to another of the host connectors in that same zone and it is not necessary that the data must be passed from one zone to a different zone. Furthermore, one or more host connectors may be included in one or more zones. This allows greater flexibility when administering access to the different host connectors amongst the various users.
Referring now to Figures 5 and 6, there is shown part of a user interface 51 with a menu 53 of the source host locations, i.e. the list of (first) host locations that a user may send data from and a menu 55 of the destination host locations, i.e. the list of (second) host locations that a user may send data to. In Figure 5, the menus are shown in unexploded form and in Figure 6, the menus have been exploded. The content of the menus is dictated at least in part by the user profiles stored in system memory. It will be understood that depending on the item selected from the menu 53, the items listed in the menu 55 may change. Similarly, if an item in menu 55 is selected first, the list of items in menu 53 may change accordingly.
Referring now to Figure 7, there is shown a block diagram of a managed data transfer system 23 according to the present invention. The managed data transfer system 23 comprises a managed data transfer link establishment module 71. The managed data
- 11 transfer link establishment module in turn comprises a managed data transfer link creation module 73 and a managed data transfer link authorization module 75. The managed data transfer system 23 further comprises a memory 77 having a plurality of user profiles stored therein, each user profile specifying one or more zones. Each of the zones has at least one host connector therein that the user may transfer data to or from. In use, the managed data transfer link creation module 73 is operable to permit a user to specify a first host connector (not shown) that they wish to transfer data from and a second host connector (not shown) that they wish to transfer data to. The managed data transfer link authorization module 75 is operable to check the user profile and determine if the first host connector is in a zone that the user may transfer data from, if the second host connector is in a zone that the user may transfer data to, and whether the user is permitted to transfer data between the first and second host connectors prior to permitting the establishment of the managed data transfer link.
Referring now to Figure 8, there is shown an alternative user interface, indicated generally by the reference numeral 81, used for the creation and subsequent management of a zone. The user interface comprises an electronic form with a plurality of fields that may be populated including a zone name field 82, a permission groups field 83, a host connectors field 84, a target zones field 85 and a description field 86. A save button 87 and a cancel button 88 are also provided.
In use, when creating a zone, a system administrator (not shown) will name the zone in zone name field 82. When creating or modifying a zone, the system administrator will enter the host connectors that form part of that zone in host connectors field 84. In the embodiment shown, there are four host connectors indicated in the host connectors field 84 however more or less host connectors could be provided if desired. The system administrator will also, if they wish, insert a description of the zone into the description field 86. This description may include the purpose of the zone, whether the zone provides access to highly sensitive information, whether certain users should or should not have access to the zone and the like.
The system administrator will insert into the permission groups field 83 a list of the groups of users that may initiate transfers from this zone. This illustrates another feature of the present invention in that it is possible to combine a plurality of users into a group
- 12that has access to a particular zone as well as listing the users of the zone individually. For example, it may be desirable to ensure that all members of an engineering department have access to the switch host connector 5(a) and the engineering department 5(b) resource and therefore all of the engineers in the engineering department may be combined into a group “engineering staff” and that group may collectively be given access to a zone containing both the switch host connector 5(a) and the engineering department host connector 5(b). As outlined above, the users or additional users may be listed individually or in other groups.
In target zones field 85, the system administrator will insert the zone(s) that transfers originating from within this zone (that is currently being created or modified) can be sent to. In the embodiment shown, it is not necessary to list terminating host connectors here in the target zones, simply the name(s) of one or more zones as appropriate that those host connectors are in. In the embodiment shown, it is implied that transfers between host connectors in the zone are allowed however if preferred, the individual host connectors or the zone itself could be marked in the target zones field 85. When the system administrator has finished creating or modifying the zone, they may save their changes by pressing the save button 87 or discard the changes by pressing the cancel button 88 in the known way.
It will be understood that various parts of the present invention are performed in hardware and other parts of the invention may be performed either in hardware and/or software. It will be understood that the method steps and various components of the present invention will be performed largely in software and therefore the present invention extends also to computer programs, on or in a carrier, comprising program instructions for causing a computer or a processor to carry out steps of the method or provide functional components for carrying out those steps. The computer program may be in source code format, object code format or a format intermediate source code and object code. The computer program may be stored on or in a carrier, in other words a computer program product, including any computer readable medium, including but not limited to a floppy disc, a CD, a DVD, a memory stick, a tape, a RAM, a ROM, a PROM, an EPROM or a hardware circuit. In certain circumstances, a transmissible carrier such as a carrier signal when transmitted either wirelessly and/or through wire and/or cable
- 13could carry the computer program in which cases the wire and/or cable constitute the carrier.
It will be further understood that the present invention may be performed on two, three or 5 more devices with certain parts of the invention being performed by one device and other parts of the invention being performed by another device. The devices may be connected together over a communications network. The present invention and claims are intended to also cover those instances where the system is operated across two or more devices or pieces of apparatus located in one or more locations.
In this specification, the terms “comprise, comprises, comprised and comprising” and the terms “include, includes, included and including” are all deemed totally interchangeable and should be afforded the widest possible interpretation.
The invention is in no way limited to the embodiments hereinbefore described but may be varied in both construction and detail within the scope of the appended claims.

Claims (21)

  1. Claims:
    (1) A computer implemented method of controlling the transfer of data in a managed data transfer system operable to transfer data between a plurality of host connectors over a communications network, the method comprising the steps of:
    grouping two or more of the host connectors into at least one zone;
    for a user of the managed data transfer system, creating a user profile, the user profile specifying one or more zones that the user may transfer data from and specifying one or more zones that the user may transfer data to; and prior to the establishment of a managed data transfer link by a user to transfer data from a first host connector to a second host connector, the method comprising the step of checking the user profile and determining if the first host connector is in a zone that the user may transfer data from, if the second host connector is in a zone that the user may transfer data to, and whether the user is permitted to transfer data between the first and second host connectors.
  2. (2) A method of controlling the transfer of data as claimed in claim 1 in which the user profile specifies a pair of zones that data cannot be transferred from one of those zones to another of those zones.
  3. (3) A method of controlling the transfer of data as claimed in claim 1 or 2 in which if it is determined that the user is not permitted to establish a managed data transfer link between the first host connector and the second host connector, a managed data transfer establishment request is transmitted to a supervisor.
  4. (4) A method of controlling the transfer of data as claimed in claim 1 or 2 comprising providing a user interface with a menu of host connectors that a user may transfer data from, and populating the menu in accordance with the user profile, so that the user may select a first host connector from the menu.
    - 15(
  5. 5) A method of controlling the transfer of data as claimed in claim 4 comprising providing a menu of host connectors that a user may transfer data to, and populating that menu in accordance with the user profile, so that the user may
    5 select a second host connector from that menu.
  6. (6) A method of controlling the transfer of data as claimed in claim 5 in which the menu of host connectors that a user may transfer data to is populated subsequent to the user selecting a host connector that they wish to transfer data
    10 from.
  7. (7) A method of controlling the transfer of data as claimed in claim 5 in which the menu of host connectors that a user may transfer data from is populated subsequent to the user selecting a host connector that they wish to transfer data
    15 to.
  8. (8) A method of controlling the transfer of data as claimed in claims 1 to 7 in which the user profile specifies the data that may be transferred from a host connector by that user.
  9. (9) A managed data transfer system for transferring data between a first host connector of a plurality of host connectors and a second host connector of the plurality of host connectors over a communications network, the managed data transfer system comprising:
    a memory having a plurality of user profiles stored therein, each user profile specifying one or more zones, each zone having one or more host connectors therein, that the user may transfer data from and specifying one or more zones that the user may transfer data to; and a managed data transfer link establishment module, the managed data transfer link establishment module comprising a managed data transfer link creation module and a managed data transfer link authorization module, the managed data transfer link creation module being operable to permit a
    - 16user to specify a first host connector that they wish to transfer data from and a second host connector that they wish to transfer data to, the managed data transfer link authorization module being operable to check the user profile and determine if the first host connector is in a zone that the user may transfer data from, if the second host connector is in a zone that the user may transfer data to, and whether the user is permitted to transfer data between the first and second host connectors prior to permitting the establishment of the managed data transfer link.
  10. (10) A managed data transfer system as claimed in claim 9 in which the user profile specifies a pair of zones that data cannot be transferred from one of those zones to another of those zones.
  11. (11) A managed data transfer system as claimed in claim 9 or 10 in which the managed data transfer link authorization module, on detecting that the user is not permitted to transfer data between the first and the second host connectors, is operable to generate and transmit a managed data transfer establishment request to a supervisor.
  12. (12) A managed data transfer system as claimed in claims 9 to 11 in which there is provided a user interface with a menu of host connectors that a user may transfer data from, populated in accordance with the user profile, that the user may select a first host connector from.
  13. (13) A managed data transfer system as claimed in claim 12 in which there is provided a menu of host connectors that a user may transfer data to, populated in accordance with the user profile, that the user may select a second host connector from.
  14. (14) A managed data transfer system as claimed in claim 13 in which the menu of host connectors that a user may transfer data to is populated subsequent to the user selecting a host connector that they wish to transfer data from.
    - 17(
  15. 15) A managed data transfer system as claimed in claim 13 in which the menu of host connectors that a user may transfer data from is populated subsequent to the user selecting a host connector that they wish to transfer data to.
  16. (16) A managed data transfer system as claimed in claims 9 to 15 in which the user profile specifies the data that may be transferred from a host connector by that user.
  17. (17) A managed data transfer system as claimed in claims 9 to 16 in which the managed data transfer system is a managed file transfer system.
  18. (18) A computer program product having program instructions that when run on a computer is operable to cause the computer to perform the method of any of claims 1 to 8 inclusive.
  19. (19) A computer implemented method of controlling the transfer of data in a managed data transfer system substantially as hereinbefore described with reference to and as illustrated in the accompanying drawings.
  20. (20) A managed data transfer system substantially as hereinbefore described with reference to and as illustrated in the accompanying drawings.
  21. (21) A computer program product substantially as hereinbefore described with reference to and as illustrated in the accompanying drawings.
    Intellectual
    Property
    Office
    Application No: Claims searched:
GB1618427.7A 2016-11-01 2016-11-01 A method of controlling the transfer of data in a managed data transfer system Withdrawn GB2555487A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1618427.7A GB2555487A (en) 2016-11-01 2016-11-01 A method of controlling the transfer of data in a managed data transfer system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1618427.7A GB2555487A (en) 2016-11-01 2016-11-01 A method of controlling the transfer of data in a managed data transfer system

Publications (2)

Publication Number Publication Date
GB201618427D0 GB201618427D0 (en) 2016-12-14
GB2555487A true GB2555487A (en) 2018-05-02

Family

ID=57963657

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1618427.7A Withdrawn GB2555487A (en) 2016-11-01 2016-11-01 A method of controlling the transfer of data in a managed data transfer system

Country Status (1)

Country Link
GB (1) GB2555487A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5692141A (en) * 1991-06-25 1997-11-25 Fuji Xerox Co., Ltd. Groupware system providing facilitated data transfer among common and individual work areas
WO2002019653A2 (en) * 2000-09-01 2002-03-07 Ikimbo, Inc. System and method for transferring files
GB2425623A (en) * 2005-04-27 2006-11-01 Clearswift Ltd Tracking marked documents
WO2007022107A2 (en) * 2005-08-12 2007-02-22 Corporation For National Research Initiatives Managing and using shared digital information on a network
EP1770980A1 (en) * 2005-09-30 2007-04-04 Canon Kabushiki Kaisha Data transmission apparatus, control method therefor, and image input/output apparatus
WO2008112365A1 (en) * 2007-03-09 2008-09-18 Nbc Universal, Inc. Media content distribution system and method
US20130246557A1 (en) * 2007-04-11 2013-09-19 Sudeep Das System, method, and computer program product for conditionally preventing the transfer of data based on a location thereof
US20150019689A1 (en) * 2013-07-12 2015-01-15 Clearwire Ip Holdings Llc Managed file transfer system, method and apparatus
US9384337B1 (en) * 2015-04-27 2016-07-05 Microsoft Technology Licensing, Llc Item sharing based on information boundary and access control list settings

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5692141A (en) * 1991-06-25 1997-11-25 Fuji Xerox Co., Ltd. Groupware system providing facilitated data transfer among common and individual work areas
WO2002019653A2 (en) * 2000-09-01 2002-03-07 Ikimbo, Inc. System and method for transferring files
GB2425623A (en) * 2005-04-27 2006-11-01 Clearswift Ltd Tracking marked documents
WO2007022107A2 (en) * 2005-08-12 2007-02-22 Corporation For National Research Initiatives Managing and using shared digital information on a network
EP1770980A1 (en) * 2005-09-30 2007-04-04 Canon Kabushiki Kaisha Data transmission apparatus, control method therefor, and image input/output apparatus
WO2008112365A1 (en) * 2007-03-09 2008-09-18 Nbc Universal, Inc. Media content distribution system and method
US20130246557A1 (en) * 2007-04-11 2013-09-19 Sudeep Das System, method, and computer program product for conditionally preventing the transfer of data based on a location thereof
US20150019689A1 (en) * 2013-07-12 2015-01-15 Clearwire Ip Holdings Llc Managed file transfer system, method and apparatus
US9384337B1 (en) * 2015-04-27 2016-07-05 Microsoft Technology Licensing, Llc Item sharing based on information boundary and access control list settings

Also Published As

Publication number Publication date
GB201618427D0 (en) 2016-12-14

Similar Documents

Publication Publication Date Title
US10938850B2 (en) Method and apparatus for reducing security risk in a networked computer system architecture
US10917439B2 (en) Contextual security behavior management and change execution
US10511632B2 (en) Incremental security policy development for an enterprise network
US20200279139A1 (en) Systems and methods for data protection
US9392013B1 (en) Defending against a cyber attack via asset overlay mapping
US10643007B2 (en) System and method for auditing file access to secure media by nodes of a protected system
CN103617381B (en) The authority configuring method and authority configuration system of equipment
US10445514B1 (en) Request processing in a compromised account
Chung Why employees matter in the fight against ransomware
EP3738064B1 (en) System and method for implementing secure media exchange on a single board computer
Williams et al. Future scenarios and challenges for security and privacy
US20210272473A1 (en) Arrangement For Providing At Least One User With Tailored Cybersecurity Training
KR101320515B1 (en) System and method for managing security policies to protect personal information in saas based services
Page Exploring organizational culture for information security in healthcare organizations: A literature review
US8276200B2 (en) Systems and methods for securely processing sensitive streams in a mixed infrastructure
US20230068946A1 (en) Integrated cybersecurity threat management
US10938849B2 (en) Auditing databases for security vulnerabilities
GB2555487A (en) A method of controlling the transfer of data in a managed data transfer system
US10594698B2 (en) Methods and systems for controlling the exchange of files between an enterprise and a network
Abaimov et al. Selected issues of cyber security practices in CBRNeCy critical infrastructure
GB2561241A (en) A managed file transfer system and method
KR20040011863A (en) Real Time Information Security Risk Management System and Method
Ounza et al. Emerging Security Challenges due to Bring Your Own Device Adoption: A Survey of Universities in Kenya
Shivakumara et al. Review Paper on Dynamic Mechanisms of Data Leakage Detection and Prevention
Aldhizer III The insider threat: automated identity and access controls can help organizations mitigate risks to important data

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)