WO2015198336A2 - Remotely managed data loss prevention/protection in electronic devices - Google Patents
- Publication number
- WO2015198336A2 (PCT/IN2014/000417)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- electronic device
- properties
- encrypted data
- logical container
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
        - H04W12/10—Integrity
        - H04W12/12—Detection or prevention of fraud
          - H04W12/126—Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
Definitions
- the embodiments herein relate to data loss prevention/protection (DLP) and more particularly relate to remotely managing the DLP by containerizing the data on electronic devices.
- DLP data loss prevention/protection
- MDM Mobile Device Management
- MAM Mobile App Management
- for containerizing apps, three broad approaches are taken: containerize the whole device, containerize specific apps, or run the apps within separate virtual machines. Containerization of the whole device may raise issues related to privacy and individual rights, while containerizing specific apps requires special support and software/hardware to be purchased and deployed.
- the virtual machine approach may not be completely developed and may be an unproven technology. As these solutions mainly control the device properties, settings, and configurations, they may not accurately containerize the data and address the DLP for the electronic devices. Additionally, existing approaches may not directly containerize the data, and data loss may still occur while exchanging data between the apps.
- FIG. 1 is a high level overview of a system used to remotely manage data loss prevention/protection (DLP), according to embodiments as disclosed herein;
- FIG. 2 expands features and functionalities of controller module as described in the FIG. 1 , according to embodiments as disclosed herein;
- FIG. 3 is a sequence diagram that illustrates various operations performed by the system, according to embodiments as disclosed herein;
- FIG. 4 shows an example illustration of containerizing the data, according to embodiments as disclosed herein;
- FIG. 5 is a flow diagram illustrating a method for remotely managing data loss protection/prevention, according to embodiments as disclosed herein;
- FIG. 6 illustrates a computing environment implementing the method and system according to embodiments as disclosed herein.
- Containerization Refers to a process of separating data belonging to separate entities into different logical containers, so that the data belonging to separate entities do not combine with each other or combines only in a way that is allowed.
- Logical container Can be a class, a data structure, a logical object or component, storing the data and controlling access to the data based on one or more parameters, such as to provide data loss prevention and protection.
- First electronic device Can be any electronic device capable of originating, providing, containerizing, maintaining, and managing data over a communication network.
- the first electronic device can also be any third-party that can containerize, maintain, and manage the data originated from any other electronic device over the communication network.
- Second electronic device Can be any electronic device accessing the data provided by the first electronic device over the communication network through the server.
- the second electronic device in some embodiments, can be the first electronic device capable of accessing the data over the communication network.
- Server One or more computers, or equivalent systems or modules along with sufficient software or firmware, which can containerize, maintain, manage, and store the data over the communication network, such as to provide data loss prevention and protection.
- User Can be an individual, a group, an organization, a department, or a combination thereof.
- the interests of an entity are a combination of the interests of all entities that make up the "user". Further, as the user could be composed of many entities, a specific user can have more than one electronic device.
- the embodiments herein achieve a method and system for remotely managing data loss prevention/protection (DLP).
- the method includes identifying the data on the first electronic device that needs to be containerized.
- the identified data can be encrypted and logically containerized into one or more logical containers based on one or more parameters.
- the logical containers described herein define access to the encrypted data in accordance with the parameters.
- the method includes copying the logical containers on a server over a communication network, such as to provide data loss prevention on the electronic device.
- the method includes controlling access to the data on the second electronic device in accordance with the logical containers.
- the method and system disclosed herein are dynamic, robust, and reliable for providing the DLP.
- the managers can allow corporate data to remain encrypted as well as prevent unauthorized users from deleting, sending, copying, and modifying, the data.
- the system and method can be used to: separate work and personal mobile device details on a single device using secure logical containers. More importantly, the logical container can be used to prevent security from being compromised. Further, the system and method can be used to provide freedom to choose device types and operating systems, and provide increased privacy including restrictions on the ability of the users to access personal data and applications that reside on a networked device.
- the system and method allows an administrator to centrally control the data access by configuring policies based on users' different parameters to restrict malicious usage of the data content.
- referring to FIGS. 1 through 6, where similar reference characters denote corresponding features consistently throughout the figures, preferred embodiments are shown.
- FIG. 1 illustrates a high level overview of a system 100 used to remotely manage data loss prevention/protection (DLP), according to embodiments as disclosed herein.
- the system 100 includes a server 102, a first electronic device 104, and a second electronic device 106 communicating with each other over a communication network 108.
- the communication network 108 described herein can be for example, but not limited to, machine to machine (M2M) network, wireless network, wire line network, public network such as the Internet, a private network, a global system for mobile communication network (GSM), a general packet radio network (GPRS), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a cellular network, public switched telephone network (PSTN), a personal area network, a combination thereof, or any other communication network.
- the first electronic device 104 and the second electronic device 106 described herein can be for example, but not limited to, a digital camera, a mobile phone, a smart phone, a tablet, a Personal Digital Assistant (PDA), smart navigation devices, a handheld gaming console, a portable and handheld media player, a smart pager, a laptop or any other electronic device.
- the first electronic device 104 described herein can include data such as for example but not limited to, files, folders, emails, contacts, address books, phone books, playlists, SMS, calendars, schedules, tasks, to-do lists, notes, bookmarks, application history, multimedia files, media libraries, settings, preferences, and the like.
- the data can be created from an application or by another application (for example, by copying, moving or sharing the data).
- the data may be created on the first electronic device 104, or the data may be received from the server 102, or from any other device like the second electronic device 106.
- the data can also be originated from a file server or network attached storage (not shown) and then sent to the electronic device 104.
- the FIG. 1 depicts two separate devices 104 and 106 to bring out the fact that the data to be containerized can originate from or belong to multiple devices and can be containerized in different ways or forms. These two devices can belong to separate users. For example, one of the devices can be a smart phone, while the other device can be a laptop belonging to the same person. In another example, the devices can also belong to different users and of different device types.
- the server 102 described herein can be any general purpose computer capable of containerizing, managing, and maintaining the data over the communication network 108. Further, in an embodiment, the system 100 includes a communication module 110, a controller module 112, and a storage module 114.
- the communication module 110 can be configured to allow the server 102 and the electronic device 104 to communicate with each other. Further, the communication module 110 includes sufficient interfaces to enable communication with various devices throughout the communication network 108.
- the controller module 112 can be configured to identify the data available on the first electronic device 104.
- the controller module 112 can be configured to encrypt and containerize the data based on one or more associated parameters.
- the parameters described herein can include for example, but not limited to, user information (for example: owner of data, title, manager, group, department or location of the user, and the like), properties of data (for example: name, folder, tags, type of content, and the like), properties of data content (for example: words, phrases, sentences, patterns, and the like), properties of information gleaned or derived from the data (for example: with data mining, content analysis, and the like), properties of relationships of data (for example: links, application ownership, and the like) and properties of the electronic device at any given time (for example: geo-location, network addresses, and the like), and the like.
- the logical container described herein defines the access to the data by various electronic devices. Further, the storage module 114 can be configured to store the logical containers of the data.
- FIG. 1 shows an example overview of the system 100 but, it is to be understood that another embodiment is not limited thereto.
- the system 100 can include different modules (not shown) communicating among each other along with other hardware or software components.
- the component can be, but not limited to, a process running in the electronic device, an executable process, a thread of execution, a program, and/or a computer.
- FIG. 2 expands features and functionalities of the controller module 112 as described in the FIG. 1, according to embodiments as disclosed herein.
- the controller module 112 can be configured to include a rule engine 202, a containerization module 204, a packaging module 206, and a dissemination module 208.
- the data available on the first electronic device 104 can be containerized using the parameters.
- the rule engine 202 can be configured to implement one or more rules using various combinations of the parameters to containerize the data.
- the containerization module 204 can be configured to implement the rules including the combination of parameters to containerize the data into logical containers. For example, an administrator may select the data on which the containerization needs to be applied based on any one or a combination of the data properties, like name, folder, owner, access rights, words, phrases or sentences in the content of the data, information derived from the data using techniques like data mining and content analysis, access time, modified time, creation time of data, size of data, properties of the user of the data like group, division, designation and location, and the like.
- the logical container described herein defines the access to the electronic device based on the parameters associated with the data.
- the logical container controls the access to the data based on policies of the organization.
- the policy of the organization can be: always keeping the data encrypted on the electronic device, keeping each unit of data (for example, a file, a folder, categories) encrypted separately (that is, separate encryption key per unit), applying user or device specific encryption (for example, using a unique user or device identifier), not allowing the user of the electronic device to open the data in a third-party application, not allowing the user to modify the data, not allowing the user to copy or move the data, not allowing the user to copy, cut or paste content within data (for example, into different app), not allowing user to bring data from outside the apps, forcing the user to enter a password every time the app is launched or when data needs to be uploaded to or downloaded from the server, forcing the user to enter a password when opening specified data, not allowing the user to share data with other users or de
- the containerization of data can be performed on the server 102 or on the first electronic device 104.
- the packaging module 206 can be configured to bundle the logical containers into a package on the server 102 or on the first electronic device 104.
- the logical container can be packaged using techniques known in the art such as for example, but not limited to, a compression, an encryption, and the like.
- the server 102 bundles the information about containerization into a package and sends it to the appropriate electronic devices.
- the dissemination module 208 can be configured to distribute the logical container information in the form of a package to one or more electronic devices available within the communication network 108.
- the devices in the communication network 108 can also achieve this by periodically requesting the server 102 or the first electronic device 104 for any new information.
- the various operations performed by the system 100 are described in conjunction with the FIG. 3.
- FIG. 3 is a sequence diagram 300 that illustrates various operations performed by the system 100, according to embodiments as disclosed herein.
- the data available on the first electronic device 104 can be identified.
- the data described herein can include for example, but not limited to, files, folders, emails, contacts, address books, phone books, playlists, SMS, calendars, schedules, tasks, to-do lists, notes, bookmarks, application history, multimedia files, media libraries, settings, preferences, and the like.
- the first electronic device 104 can be configured to encrypt the identified data.
- the encryption of the data can be performed by using any encryption technique known in the art.
- the first electronic device 104 can be configured to copy the encrypted data on the server 102.
- a secure channel between the server 102 and the first electronic device 104 can be formed by copying the data in encrypted form.
- the data is remotely copied on the server 102 such as to allow the first electronic device 104 to enable data loss prevention.
- one or more parameters associated with the encrypted data can be identified.
- the parameters described herein can include for example, but not limited to, user information, properties of data, properties of data content, properties of information gleaned or derived from the data, properties of relationships of data, properties of the first electronic device 104 at any given time, and the like.
- the encrypted data can be containerized into one or more logical containers based on the identified parameters.
- the server 102 can be configured to implement one or more rules including the parameters to containerize the data.
- the data belonging to the same entity can be containerized into one logical container while the other data into another logical container.
- the logical container described herein defines the access to the data by various electronic devices.
- the logical container can be used to prevent security from being compromised.
- the administrator or the user may select the data on which the containerization needs to be applied based on any one or a combination of the data properties.
- the data belonging to the employee can be containerized into one container while the data belonging to the company's financial information can be containerized into another container.
- the logical container described herein defines the access to the data based on the parameters associated with the data.
- the logical container controls the access to the data based on policies of the organization.
- the server 102 can be configured to receive a request from the second electronic device 106 to access the data.
- the server 102 can be configured to provide the logical container in response to receiving the request.
- the logical container including the encrypted data requested by the user can be identified and transferred to the second electronic device 106.
- the second electronic device 106 can be configured to decrypt the encrypted data associated with the logical container.
- the logical container controls the access to the data based on the parameters. For example, if the parameters of the user indicate that the user is a general user but the data is very important then the logical container may allow the user to access the data in read only mode.
- the logical container restricts the access to portions of the data until the user is in the location X.
- the parameters associated with the data can be constantly monitored, such as to automatically manage and containerize the data.
- the constant monitoring of the parameters can allow the system 100 to provide seamless, optimal, personalized, reliable, uninterrupted, and enhanced services to the user.
- although the various operations are described with respect to different devices, the two separate devices 104 and 106 indicate that the data to be containerized can originate from or belong to multiple devices and can be containerized in different ways or forms.
- the operations described with the respective devices are only for illustrative purpose, and do not limit the scope of the invention. Further, it is to be understood that the same or similar operation can also be performed interchangeably with the server 102, the first electronic device 104, and the second electronic device 106, without departing from the scope of the invention.
- FIG. 4 shows an example illustration 400 of containerizing the data, according to the embodiments as disclosed herein.
- the controller module 112 can identify the data available on the server 102.
- the data may be created on the server 102 itself, or it could have been received from any electronic device in encrypted form.
- the identified data is related to employee salary details, project time-sheets, company financial information, user device location, the user device specification, and the like.
- the controller module 112, in communication with the rule engine 202, can be configured to identify the parameters associated with the data.
- the parameters described herein can include for example, but not limited to, user information, properties of data, properties of data content, properties of information gleaned or derived from the data, properties of relationships of data, properties of the device at any given time, and the like.
- the rule engine 202 can be configured to implement one or more rules using various combinations of the parameters to containerize the data.
- the containerization module 204 can be configured to implement the rules including the combination of parameters to containerize the data into logical containers. For example, the containerization module 204 can containerize the data belonging to the employee salary and having location X into a logical container C1.
- the containerization module 204 can containerize the data belonging to the employee salary and having location Y into a logical container C2. Similarly, the containerization module 204 can containerize the data belonging to project time-sheets and company financial information into a logical container C3. Similarly, the containerization module 204 can containerize the data belonging to device specification and location X and Y into a logical container C4. Further, the logical container defines access to the data based on the parameters associated with the data. In an embodiment, the logical container controls the access to the data based on policies of the organization.
- FIG. 5 is a flow diagram illustrating a method 500 for remotely managing data loss protection/prevention, according to embodiments as disclosed herein.
- the various steps of the method 500 are summarized into individual blocks where some of the steps are performed using the server 102, the first electronic device 104, and the second electronic device 106.
- the method 500 and other description described herein provide a basis for a control program which can be readily implemented using a microcontroller, microprocessor, or an equivalent thereof.
- the method 500 includes identifying the data available on the first electronic device 104.
- the data available on the first electronic device 104 can be originated at the first electronic device 104 or may belong to multiple devices.
- the method 500 allows the controller module 112 to identify the data available at the first electronic device 104.
- the method 500 includes encrypting the identified data.
- the method 500 allows the controller module 112 to encrypt the identified data using any technique known in the art.
- the method 500 includes copying the encrypted data on the server 102.
- the method 500 allows the controller module 112 to copy the encrypted data on the server 102, such as to enable data loss prevention.
- the method 500 includes identifying the parameters associated with the encrypted data.
- the parameters described herein can include for example, but not limited to, user information, properties of data, properties of data content, properties of information gleaned or derived from the data, properties of relationships of data, properties of the first electronic device 104 at any given time, and the like.
- the method 500 includes containerizing the encrypted data into logical containers based on the identified parameters. The method 500 allows the controller module 112 to implement one or more rules including the parameters to containerize the data into the logical containers. The data belonging to the same entity can be containerized into one logical container while the other data is containerized into another logical container. The logical container defines the access to the data by various electronic devices.
- the method 500 includes receiving a request from the second electronic device 106 to access the data.
- the method 500 includes providing the logical containers including the encrypted data requested by the second electronic device 106.
- the method 500 allows the controller module 112 to identify and transfer the logical container including the encrypted data requested by the user to the second electronic device 106.
- the method 500 includes controlling access to the encrypted data associated with the logical container at the second electronic device 106.
- the logical container controls the access to the data based on the parameters.
- the method 500 allows the second electronic device 106 to decrypt the encrypted data whose access is controlled using the logical container based on various combinations of the parameters.
- the method 500 includes constantly monitoring the parameters associated with the data, such as to automatically manage and containerize the data.
- the constant monitoring of the parameters can allow the controller module 112 to provide seamless, optimal, personalized, reliable, uninterrupted, and enhanced services to the user.
- the method 500 includes determining whether there are any changes in the parameters. Any changes in the parameters can affect the performance, sensitivity, cost, and reliability of the system 100.
- the method 500 upon detecting any changes in the parameters, includes repeating the steps 508 through 520 such as to provide seamless and uninterrupted data services to the user.
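The containerization and access-control flow of FIG. 3 to FIG. 5, using the C1 to C4 placement rules of FIG. 4, as an added Python illustration that is not the patent's own code. The per-container policies, the requester roles, the deny-by-default quarantine container and the sample file names are constructed assumptions; the patent states only that containers control access according to organizational policy and the parameters.

```python
"""Added illustration (not the patent's code) of FIG. 3 to FIG. 5: rules place
data items into logical containers C1..C4 (FIG. 4), each container enforces an
assumed policy against the requester's parameters, and a parameter change
re-runs the rules. Policies, roles and the quarantine container are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

QUARANTINE = "C0-quarantine"   # assumed: data matching no rule is never served

@dataclass
class DataItem:
    name: str
    category: str      # e.g. "salary", "timesheet", "financial", "device_spec"
    location: str      # location parameter of the originating device
    sensitivity: str   # "normal" or "high"

@dataclass
class Requester:
    role: str          # assumed roles: "general" or "manager"
    location: str      # location of the requesting device at request time

@dataclass
class Policy:
    allowed_locations: Optional[Set[str]] = None   # None = no location restriction
    read_only_roles: Set[str] = field(default_factory=set)

@dataclass
class LogicalContainer:
    container_id: str
    policy: Policy
    items: Dict[str, DataItem] = field(default_factory=dict)

    def evaluate_access(self, requester: Requester, item_name: str) -> str:
        """Return "deny", "read" or "read-write" for this requester and item."""
        item = self.items.get(item_name)
        if item is None:
            return "deny"
        allowed = self.policy.allowed_locations
        if allowed is not None and requester.location not in allowed:
            return "deny"                 # FIG. 3: portions restricted to location X
        if requester.role in self.policy.read_only_roles or (
            requester.role == "general" and item.sensitivity == "high"
        ):
            return "read"                 # FIG. 3: general user, very important data
        return "read-write"

class ContainerizationEngine:
    """Rule engine plus containerization module; the first matching rule wins."""

    def __init__(self, rules: List[Tuple[str, Callable[[DataItem], bool]]],
                 policies: Dict[str, Policy]):
        self.rules = rules                # (container id, predicate over parameters)
        self.containers = {cid: LogicalContainer(cid, p) for cid, p in policies.items()}
        # Empty allowed-location set: nothing placed in quarantine is ever served.
        self.containers[QUARANTINE] = LogicalContainer(QUARANTINE, Policy(set()))
        self.placement: Dict[str, str] = {}   # item name -> container id

    def containerize(self, item: DataItem) -> str:
        """Place the item by the first matching rule; move it if already placed."""
        cid = next((c for c, pred in self.rules if pred(item)), QUARANTINE)
        previous = self.placement.get(item.name)
        if previous is not None and previous != cid:
            del self.containers[previous].items[item.name]
        self.containers[cid].items[item.name] = item
        self.placement[item.name] = cid
        return cid

    def update_parameters(self, item_name: str, **changes) -> str:
        """Parameter monitoring: a change re-runs the rules and may move the item."""
        item = self.containers[self.placement[item_name]].items[item_name]
        for key, value in changes.items():
            setattr(item, key, value)
        return self.containerize(item)

    def request_access(self, requester: Requester, item_name: str) -> str:
        """Request from the second device: resolve the container, apply its policy."""
        cid = self.placement.get(item_name)
        if cid is None:
            return "deny"
        return self.containers[cid].evaluate_access(requester, item_name)

def build_fig4_engine() -> ContainerizationEngine:
    """Rules of FIG. 4 (C1..C4); the policies attached to them are assumptions."""
    rules = [
        ("C1", lambda d: d.category == "salary" and d.location == "X"),
        ("C2", lambda d: d.category == "salary" and d.location == "Y"),
        ("C3", lambda d: d.category in ("timesheet", "financial")),
        ("C4", lambda d: d.category == "device_spec" and d.location in ("X", "Y")),
    ]
    policies = {
        "C1": Policy(allowed_locations={"X"}),      # salary data of X only served at X
        "C2": Policy(allowed_locations={"Y"}),
        "C3": Policy(read_only_roles={"general"}),  # general users never edit finance
        "C4": Policy(),                              # device specs unrestricted
    }
    return ContainerizationEngine(rules, policies)
```

Moving an item's location parameter from X to Y moves it from C1 to C2, after which a requester still at location X is denied, which is the re-containerization loop the method describes.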
- FIG. 6 illustrates a computing environment implementing the method of remotely managing data loss prevention, according to the embodiments as disclosed herein.
- the computing environment 601 comprises at least one processing unit 604 that is equipped with a control unit 602 and an Arithmetic Logic Unit (ALU) 603, a memory 605, a storage unit 606, a plurality of networking devices 608 and a plurality of input/output (I/O) devices 607.
- the processing unit 604 is responsible for processing the instructions of the algorithm.
- the processing unit 604 receives commands from the control unit in order to perform its processing. Further, any logical and arithmetic operations involved in the execution of the instructions are computed with the help of the ALU 603.
- the algorithm, comprising the instructions and code required for the implementation, is stored in either the memory unit 605 or the storage 606 or both. At the time of execution, the instructions may be fetched from the corresponding memory 605 and/or storage 606, and executed by the processing unit 604.
- networking devices 608 or external I/O devices 607 may be connected to the computing environment to support the implementation through the networking unit and the I/O device unit.
- FIGS. 1, 2, 5, 6 include blocks which can be at least one of a hardware device, or a combination of hardware device and software module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IN2014/000417 WO2015198336A2 (en) | 2014-06-23 | 2014-06-23 | Remotely managed data loss prevention/protection in electronic devices |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2015198336A2 (en) | 2015-12-30 |
WO2015198336A3 WO2015198336A3 (en) | 2020-07-23 |
Family ID: 54938895
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IN2014/000417 WO2015198336A2 (en) | 2014-06-23 | 2014-06-23 | Remotely managed data loss prevention/protection in electronic devices |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2015198336A2 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3686764A1 (en) * | 2019-01-25 | 2020-07-29 | Usecrypt S.A. | Electronic communications device and messaging application therefor |
US11210407B2 (en) | 2019-01-25 | 2021-12-28 | V440 Spółka Akcyjna | Electronic communications device and messaging application therefor |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7421741B2 (en) * | 2003-10-20 | 2008-09-02 | Phillips Ii Eugene B | Securing digital content system and method |
US7383462B2 (en) * | 2004-07-02 | 2008-06-03 | Hitachi, Ltd. | Method and apparatus for encrypted remote copy for secure data backup and restoration |
US20140108793A1 (en) * | 2012-10-16 | 2014-04-17 | Citrix Systems, Inc. | Controlling mobile device access to secure data |
Events
- 2014-06-23 WO PCT/IN2014/000417 patent/WO2015198336A2/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2015198336A3 (en) | 2020-07-23 |
Similar Documents
Publication | Title |
---|---|
US8423511B1 (en) | Systems and methods for securing data on mobile devices |
EP3404948B1 (en) | Centralized selective application approval for mobile devices |
US9037870B1 (en) | Method and system for providing a rotating key encrypted file system |
US20150081644A1 (en) | Method and system for backing up and restoring a virtual file system |
EP2448303B1 (en) | Method and system for securing data of a mobile communications device |
US9246944B1 (en) | Systems and methods for enforcing data loss prevention policies on mobile devices |
US9762722B2 (en) | Location-based and time-based mobile device security |
US8572757B1 (en) | Seamless secure private collaboration across trust boundaries |
US10440111B2 (en) | Application execution program, application execution method, and information processing terminal device that executes application |
US10157290B1 (en) | Systems and methods for encrypting files |
US20170005809A1 (en) | Intelligent Deletion of Revoked Data |
US20130290733A1 (en) | Systems and methods for caching security information |
CN104903861B (en) | Clipboard management |
US20140096230A1 (en) | Method and system for sharing vpn connections between applications |
US20130290734A1 (en) | Systems and methods for caching security information |
CN101783801A (en) | Software protection method based on network, client side and server |
CN112287372B (en) | Method and apparatus for protecting clipboard privacy |
US9215251B2 (en) | Apparatus, systems, and methods for managing data security |
EP3195123B1 (en) | Dynamic application containers |
US10051045B2 (en) | Searching content associated with multiple applications |
US20180136940A1 (en) | Operating system management |
US20140281499A1 (en) | Method and system for enabling communications between unrelated applications |
US9262646B1 (en) | Systems and methods for managing web browser histories |
US20170244759A1 (en) | Policy-Managed Secure Code Execution and Messaging for Computing Devices and Computing Device Security |
US20180205762A1 (en) | Automatically securing data based on geolocation, network or device parameters |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14895978; Country of ref document: EP; Kind code of ref document: A2 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 14895978; Country of ref document: EP; Kind code of ref document: A2 |
32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11.07.2017) |