WO2021021064A1 - A data sharing system - Google Patents

A data sharing system

Publication number
WO2021021064A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
internal
user equipment
control module
external
Prior art date
Application number
PCT/TR2020/050679
Other languages
French (fr)
Inventor
Emre DEMİRAY
Original Assignee
Deytek Bi̇li̇şi̇m Mühendi̇sli̇k Sanayi̇ Ve Ti̇caret Li̇mi̇ted Şi̇rketi̇
Priority date
Filing date
Publication date
Application filed by Deytek Bi̇li̇şi̇m Mühendi̇sli̇k Sanayi̇ Ve Ti̇caret Li̇mi̇ted Şi̇rketi̇
Publication of WO2021021064A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Definitions

  • the present invention relates to a system that allows tracking and managing sharing processes of data such as internal and/or external files and folders and making these processes more secure and preventing data leakage in these processes.
  • the Patent Application No. TR2009/09917 describes user equipment that is compatible with informatics and multimedia devices, a control device used for informatics and multimedia purposes, wherein such device allows to operate the user equipment and files kept on remote memory, and a system equipped with a host machine with the capability of locating and remote memory; said remote memory enabling file creation with digital content.
  • Said system enables secure communication between information and multimedia devices and secure data sharing between these devices.
  • the data-sharing processes in the relevant system include differences from the present invention.
  • the security mechanisms used in the relevant system are highly insufficient compared to the present invention.
  • the present invention is inspired by the present situation and an object of this invention is to overcome the above-mentioned drawbacks.
  • An object of the present invention is to ensure that the sharing processes of data such as internal and/or external files and folders are tracked and managed, to secure these processes and to prevent data leakage in these processes.
  • the user (B) logs into the system (1) with his username and password using the user equipment (2).
  • the user (B) logging into the system (1) can share and receive data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal).
  • the user (B) who sends data (A) will be referred to as the sender and the user (B) who receives data (A) will be referred to as the recipient and multiple users (B) will be referred to as the group.
  • Group users (B) preferably consist of internal staff.
  • Senders and recipients are internal and/or external users (B).
  • the user (B) uses user equipment (2) and determines data (A) to be shared and the type of sharing of data (A) in transfers of data (A) via direct sharing (internal).
  • Type of share may be in the form of view (view only), read (download document), read & write (download + edit), full control (download + edit + view + write), full control & share (download + edit + view + write + share).
  • the full control & share authority is a special authority.
  • the recipient with full control & share authority can share files/folders using the user equipment (2).
  • the user (B) uses user equipment (2) and determines data (A) to be shared and the type of sharing of data (A) in transfers of data (A) via a link (internal/external). Type of sharing may be in the form of viewing, uploading, and downloading. The user (B) can select these authorizations individually or in multiple using the user equipment (2).
  • the user (B) can reorganize authorizations by using the user equipment (2) at any time after the transfer of data (A) through direct sharing (internal) and/or link (internal/external).
  • After the user (B) determines the data (A) to be shared in the form of link (internal/external) and/or attachment (internal/external) and/or direct sharing (internal) using the user equipment (2), he will determine the period for sharing such data (A). For example, when sharing is performed within the scope of a project and according to any particular deadline, the recipients will no longer have access to these files at the end of the project. Data (A) security is thus protected. In addition, some documents must be kept for a certain period of time in HR and accounting processes or shared with other departments. In such cases, when the period for sharing is adjusted at the beginning, legal risks will also be prevented. This feature is also very functional for submissions with limited time such as proposals.
  • If the date allowing access to data (A) is prior to the specified date, the control module (3) allows user equipment (2) to access data (A).
  • the control module (3) communicates with the user equipment (2) and analyzes the authorization for data (A) to be transmitted by the direct sharing (internal) method.
  • the control module (3) blends the authorizations granted by the user equipment (2) with the authorizations granted in their internal mechanisms and creates new sharing authorization that will not revoke any other authorization. For example, if the user equipment (2) defines the sharing authority of the recipient as full control & share, and the sharing authority of the same recipient is restricted to reading in the internal mechanisms, the control module (3) regulates the authority of the recipient to reading.
  • the user equipment (2) can set a static or instant password to data (A) it sends as an attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal).
  • a static password is the type of password that the sender manually enters.
  • An instant password is a password mechanism in which the password is generated and sent to the recipient at the exact moment that the data (A) are accessed.
  • User equipment (2) can add IP restrictions to data (A) it transmits as attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal). Thus, data (A) transmitted can only be accessed via the user equipment (2) which has one of the specified IPs.
  • the user equipment (2) can also create an approved or unapproved IP list (also the country block) and incorporate it to data (A) it transmits.
  • the user equipment (2) can send the data (A) it creates as an attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal) to the e-mail addresses of the recipients.
  • the user equipment (2) provides a unique transfer of data (A) to each e-mail address added.
  • the control module (3) can monitor accesses by recipients to data (A) on the basis of each recipient.
  • the user equipment (2) can create and send static or live links.
  • a static link ensures that data (A) are shared with the recipient in the form they are sent.
  • a live link allows data (A) to be shared when the recipient accesses the data (A). In the live link, if the sender makes modifications in the data (A), such modifications will be immediately reflected to the recipient. Namely, modifications made by the sender can be observed by the recipient instantly.
  • When the user equipment (2) wants to share data (A) in the form of attachment and if the size of such data (A) exceeds a particular memory storage space, the user equipment (2) automatically converts these data (A) into a link. Data (A) that are converted into a link are sent via the user equipment (2) to the recipient's e-mail address.
  • the control module (3) reports the shared authorizations and presents these reports to the users (B) in the form of graphs to be displayed by the user equipment (2).
  • the control module (3) displays to the users (B) via a tree structure all shares made by the senders, changes made by the recipients on these shares, and re-shares by the recipients.
  • the control module (3) tracks data (A) sharing, captures and reports out-of-the-ordinary actions, and in such cases prevents data (A) sharing. For example, if massive data (A) are shared between two users (B) for the first time or unexpected external file-sharing traffic occurs with a different user (B) or any similar situation is encountered, the control module (3) handles this as risky data (A) sharing.
  • the control module (3) blocks such data (A) sharing and provides security by blocking the risky data (A) sharing.
  • the control module (3) can assign an admin role to the representative of every department within the organization. With the help of the representatives of departments, the control module (3) analyzes errors in the authorizations of users (B) and ensures that these authorizations are corrected as necessary. For example, if any user (B) working in department A is transferred to the department B, the control module (3) will determine whether this user (B) who has been transferred to the department B can still access to files related to the department A. In such a case, the control module (3), in consultation with the representative of the relevant department, makes a new authorization arrangement for the user (B) and thus, improves security.
  • the control module (3) allows users (B) who are the recipient and the sender to work jointly on the same data (A). Thus, for example, when the recipient is reading the data (A), the sender can simultaneously make modifications to the data (A). The control module (3) ensures that such modifications are instantly viewed by the recipient and the sender.
  • the control module (3) enables the recipient to view the shared data (A) without download via the user equipment (2) and, if desired, modify the data (A) within the limits of his authorization.
  • the sender can select the folder and files in that folder as data (A) using the user equipment (2).
  • the control module (3) can allow the recipient to add or delete files from the folder, apart from the files within the folder, based on the authorizations.
  • the control module (3) can allow the same user (B) to use different user equipment (2).
  • the user (B) can send data (A) into the user equipment (2) he uses at work within the limits of his authorization through the user equipment (2) he uses when he is not at work, edit the data (A) in the user equipment (2) used at work or delete the data (A) in the user equipment (2) used at work.
  • the user (B) can perform all processes while he is not at work.
  • Shared data (A) are often not externally accessible for security reasons.
  • the control module (3) can use the DMZ layer installed by the IT department.
  • the control module (3) manages which users (B) can pass the DMZ (Demilitarized Zone) layer and share the data (A) with the outside.
  • the control module (3) scans all data (A) in the system (1) and analyzes the structure of the data (A) with the support of machine learning. Even if the extension of data (A) is changed, the control module (3) captures and quarantines data (A) and blocks data (A) sharing with potentially malicious software. If the control module (3) detects any malicious code snippet with at least 25% probability while analyzing the data (A), it captures and quarantines data (A) and blocks data (A) sharing.
  • the control module (3) scans all data (A) for malware. If data (A) contain malicious content, the control module (3) captures and quarantines said data (A) and blocks data (A) sharing.
  • the control module (3) filters data (A) that enters into the system (1) or exit from the system (1) through DLP (Data Loss Protection) ruleset. If the control module (3) detects data (A) that is against its rule structure, it captures, quarantines the data (A), and blocks data (A) sharing.
  • the control module (3) can detect, for example, four numbers, each with four digits and space between them, in the data (A). Thus, sharing of any possible credit card number can be prevented. Or the control module (3) can identify identification numbers in the data (A). Thus, the sharing of this confidential identity number is blocked.
  • the control module (3) can regulate which operations users (B) can perform on data (A) within the limits of their authorization and the environment of user equipment (2) in which these operations can be performed. For example, users (B) can read data (A) in private network folders, while these users (B) can be prevented from reading relevant data in the public network folder. Or for example, users can change folders (B) in a public network environment but only read them in the private network folder.
  • the control module (3) can present the data (A) sharing between the users (B) to the approval of the authorized person in the module.
  • the authorized person can deny the sharing process between the users (B) and block it.
  • the control module (3) notifies the authorized person in the module of the quarantined data (A) and ensures that the data (A) are shared or deleted as per the decision of this person.
  • the control module (3) can adjust the speed of data transfer (upload/download speed) for specific time intervals, operations, or users (B).
  • the control module (3) enables users (B) to make root word-based searches among their data (A) using their user equipment (2). Users (B) can thus access data (A) with the specified root word and all words with prefixes and suffixes. For example, if any user (B) makes a search in the form of 'my addresses', he will access data (A) with all words containing address as the root word such as an address, its address, my address, and addresses, etc.
  • the control module (3) provides the sender with information on all operations such as data (A) accessed, read, modified, or downloaded by the recipients or IP address used and the time of such operations, etc.
  • the control module (3) enables the senders to block any access to data (A) or change the privileges of the recipients at any time after the transfers of data (A).
  • the control module (3) allows senders to put a watermark on data (A) they send.
  • the relevant watermark contains information such as the sender, the time of data (A) transmission, the recipient, and IP address. Thus, only recipients who are authorized to read are prevented from photographing data (A) and sharing such data (A) illegally. If the recipients share these data (A), the sender to whom such data (A) actually belong can be conveniently determined by the watermark.
  • the control module (3) can enable the print feature to be deactivated for data (A) sent by the senders. Thus, recipients are prevented from printing the relevant data (A) illegally.
  • the control module (3) will first send a confirmation to the user equipment (2) of the recipient. If this confirmation is accepted, the control module (3) grants access to data (A) to the user equipment (2) of the recipient. If the sender does not adjust confirmation requirements prior to the transmission of data (A) using the user equipment (2), the control module (3) ensures that the user equipment (2) of the recipient has direct access to data (A).
  • the system (1) of the present invention enables safer, faster, and easier management of media without carrying the existing file media used today.
  • the system (1) collects all the file media that the users (B) access on a single screen and provides easy file access to the users (B).
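
The DLP pattern rule described above (four groups of four digits separated by spaces), as an added Python example that is not part of the patent text. It also accepts a hyphen or no separator and adds a Luhn checksum to cut false positives, both of which go beyond the description; the function names and sample strings are constructed.

```python
# Added illustration (not from the patent): names and sample text are assumptions.
import re

# Four groups of four digits with a space between them, as in the description.
# Generalisation: a hyphen or no separator is accepted too, but the same
# separator must be used throughout (back-reference \2).
CARD_RE = re.compile(r"(?<!\d)(\d{4})([ -]?)(\d{4})\2(\d{4})\2(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return masked candidates that match the pattern and pass the checksum."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = "".join(m.group(1, 3, 4, 5))
        if luhn_valid(digits):
            # Mask before reporting so the report itself does not leak the number.
            hits.append("*" * 12 + digits[-4:])
    return hits


def dlp_verdict(text: str) -> str:
    """Quarantine the data if any candidate card number is found, else allow."""
    return "quarantine" if find_card_numbers(text) else "allow"


if __name__ == "__main__":
    # Constructed sample: 4111 1111 1111 1111 is a widely used test number;
    # 1234 5678 9012 3456 matches the digit pattern but fails the checksum.
    sample = "Invoice ref 1234 5678 9012 3456, card 4111 1111 1111 1111"
    print(find_card_numbers(sample), dlp_verdict(sample))
```

Matching on the digit pattern alone, as the description states it, would also quarantine the invoice reference in the sample; the checksum is what separates the two.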

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention relates to a system (1) allowing tracking and managing sharing processes of data (A) such as internal and/or external files and folders, making these processes more secure and preventing data (A) leakage in these processes. The system (1) of the present invention enables safer, faster, and easier management of media without carrying the existing file media used today. The system (1) collects all the file media that the users (B) access on a single screen and provides easy file access to the users (B).

Description

A DATA SHARING SYSTEM
Technical Field
The present invention relates to a system that allows tracking and managing sharing processes of data such as internal and/or external files and folders and making these processes more secure and preventing data leakage in these processes.
Background Art
In current systems, sharing data such as internal files and/or folders is realized over public network folders. Only an organization's IT department can regulate and manage the individuals who are authorized to handle such data. The people who share data cannot directly view who has the right to access the data they share. Thus, for example, when any staff member is transferred to another department, unauthorized or erroneous access attempts cannot be tracked. This puts data security at risk.
In current data sharing processes, systems can be easily exploited by modifying the extensions of the shared data. By changing the extension of malicious data, these data can be shown as harmless and are allowed to pass through the security layers. This causes serious damage to systems. In existing systems, the extension of data is controlled only through the MIME type (Multipurpose Internet Mail Extensions type) or directly through the extension name. Such controls cannot protect systems against exploitation.
Today, data can also be shared via a link. However, configurations in which such traffic is tracked and data security is monitored are not available.
The Patent Application No. TR2009/09917 describes user equipment that is compatible with informatics and multimedia devices, a control device used for informatics and multimedia purposes, wherein such device allows to operate the user equipment and files kept on remote memory, and a system equipped with a host machine with the capability of locating and remote memory; said remote memory enabling file creation with digital content. Said system enables secure communication between information and multimedia devices and secure data sharing between these devices. The data-sharing processes in the relevant system include differences from the present invention. In addition, the security mechanisms used in the relevant system are highly insufficient compared to the present invention.
As a result, further development is needed in the technical field due to the above-mentioned drawbacks and the inadequacy of the existing solutions.
Object of Invention
The present invention is inspired by the present situation and an object of this invention is to overcome the above-mentioned drawbacks.
An object of the present invention is to ensure that the sharing processes of data such as internal and/or external files and folders are tracked and managed, to secure these processes and to prevent data leakage in these processes.
The structural features and characteristics and all advantages of the present invention will now be described in more detail with reference to the accompanying figures and the following specification.
Brief Description of Figures
Figure 1 is a schematic representation of the system according to the invention.
Reference List
1. System
2. User equipment (UE)
3. Control module
A. Data
B. User
Detailed Description of the Invention
In this detailed description, the preferred embodiments of the system (1) are described to provide a better understanding of the invention. The present invention relates to a system (1) allowing tracking and managing sharing processes of data (A) such as internal and/or external files and folders, making these processes more secure and preventing data (A) leakage in these processes.
The system (1) shown in Figure 1 comprises:
❖ multiple user equipment (2) such as computers, smart devices and similar that allow sending or receiving data (A) such as files and folders belonging to users (B) who are recipients and/or senders and/or users (B) in groups of multiple recipients via its web interface and/or application and/or Outlook Add-in,
❖ at least one control module (3) that
o communicates with user equipment (2) through an internal network or external network such as the Internet,
o identifies username and password so that users (B) with user equipment (2) can use the system (1),
o enables users (B) logging into the system (1) with their username and password to send data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal),
o enables secure transfer of data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal),
o enables users (B) to perform authorizations for data (A) in transfers of data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal),
o creates authorization maps for the authorization processes,
o provides the control of the content of the data (A) sent and received during the transfers of data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal) and realizing or blocking transfers based on such control,
o enables access of users (B) who log into the system (1) through the web interface and/or application and/or Outlook Add-in to data (A) that they own or add to any public and private network or send via attachment (internal/external) and/or link (internal/external) and/or through direct sharing (internal) or receive from other users (B) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal) and delete,
o allows users (B) to make a search in order to find data (A) in their accounts,
o ensures that notifications of all transactions are forwarded to users (B),
o cooperates with internal departments, department managers and managers of the system (1) and ensures that decisions are implemented,
o transfers data (A) in an approved and/or unapproved manner between user equipment (2), and
o reports all transactions to users (B).
The user (B) logs into the system (1) with his username and password using the user equipment (2). The user (B) logging into the system (1) can share and receive data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal).
In the following sections of this description, the user (B) who sends data (A) will be referred to as the sender and the user (B) who receives data (A) will be referred to as the recipient and multiple users (B) will be referred to as the group. Group users (B) preferably consist of internal staff. Senders and recipients are internal and/or external users (B). The user (B) uses user equipment (2) and determines data (A) to be shared and the type of sharing of data (A) in transfers of data (A) via direct sharing (internal). Type of share may be in the form of view (view only), read (download document), read & write (download + edit), full control (download + edit + view + write), full control & share (download + edit + view + write + share). The full control & share authority is a special authority. The recipient with full control & share authority can share files/folders using the user equipment (2).
The user (B) uses user equipment (2) and determines data (A) to be shared and the type of sharing of data (A) in transfers of data (A) via a link (internal/external). Type of sharing may be in the form of viewing, uploading, and downloading. The user (B) can select these authorizations individually or in multiple using the user equipment (2).
The user (B) can reorganize authorizations by using the user equipment (2) at any time after the transfer of data (A) through direct sharing (internal) and/or link (internal/external).
After the user (B) determines the data (A) to be shared in the form of link (internal/external) and/or attachment (internal/external) and/or direct sharing (internal) using the user equipment (2), he will determine the period for sharing such data (A). For example, when sharing is performed within the scope of a project and according to any particular deadline, the recipients will no longer have access to these files at the end of the project. Data (A) security is thus protected. In addition, some documents must be kept for a certain period of time in HR and accounting processes or shared with other departments. In such cases, when the period for sharing is adjusted at the beginning, legal risks will also be prevented. This feature is also very functional for submissions with limited time such as proposals. When data (A) shared within the scope of a project is created to be valid only during the project, unauthorized access can be prevented when the project is completed. If the date allowing access to data (A) is prior to the specified date, the control module (3) allows user equipment (2) to access data (A).
After the user (B) determines the data (A) to be shared via attachment (internal/external) and/or link (internal/external) using the user equipment (2), he will determine which recipient(s) will receive these data (A). After the user (B) determines data (A) to be shared by direct sharing (internal) using the user equipment (2), he will determine which recipient(s) or groups will receive such data (A).
The control module (3) communicates with the user equipment (2) and analyzes the authorization for data (A) to be transmitted by the direct sharing (internal) method. The control module (3) blends the authorizations granted by the user equipment (2) with the authorizations granted in their internal mechanisms and creates new sharing authorization that will not revoke any other authorization. For example, if the user equipment (2) defines the sharing authority of the recipient as full control & share, and the sharing authority of the same recipient is restricted to reading in the internal mechanisms, the control module (3) regulates the authority of the recipient to reading.
The user equipment (2) can set a static or instant password to data (A) it sends as an attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal). A static password is the type of password that the sender manually enters. An instant password is a password mechanism in which the password is generated and sent to the recipient at the exact moment that the data (A) are accessed.
User equipment (2) can add IP restrictions to data (A) it transmits as attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal). Thus, data (A) transmitted can only be accessed via the user equipment (2) which has one of the specified IPs. The user equipment (2) can also create an approved or unapproved IP list (also the country block) and incorporate it into the data (A) it transmits.
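
The access decision described in the paragraphs above (sharing levels, sharing period, blended authorization, IP lists), as an added Python example that is not part of the patent text. The `Level` ordering, the operation-to-level mapping, the field names and the sample addresses are assumptions made for illustration.

```python
# Added illustration (not from the patent): names, mapping and sample values are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum
from ipaddress import ip_address, ip_network


class Level(IntEnum):
    """Direct-sharing levels in the order the description lists them."""
    NONE = 0
    VIEW = 1
    READ = 2
    READ_WRITE = 3
    FULL_CONTROL = 4
    FULL_CONTROL_SHARE = 5


# Lowest level that permits each operation (assumed from the listed levels).
REQUIRED = {
    "view": Level.VIEW,
    "download": Level.READ,
    "edit": Level.READ_WRITE,
    "write": Level.FULL_CONTROL,
    "share": Level.FULL_CONTROL_SHARE,
}


@dataclass
class Share:
    granted: Level                                     # level chosen by the sender
    expires_at: datetime                               # end of the sharing period
    allowed_nets: list = field(default_factory=list)   # approved IP list (empty = any)
    blocked_nets: list = field(default_factory=list)   # unapproved IP list


def effective_level(granted: Level, internal_cap: Level) -> Level:
    """Blend the sender's grant with the internal restriction: the stricter wins."""
    return min(granted, internal_cap)


def decide(share, internal_cap, operation, client_ip, now):
    """Return (allowed, reason). Every failure path denies (fail closed)."""
    if now >= share.expires_at:
        return False, "expired"
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False, "bad_ip"
    if any(addr in ip_network(n) for n in share.blocked_nets):
        return False, "ip_blocked"
    if share.allowed_nets and not any(addr in ip_network(n) for n in share.allowed_nets):
        return False, "ip_not_allowed"
    needed = REQUIRED.get(operation)
    if needed is None:
        return False, "unknown_operation"
    level = effective_level(share.granted, internal_cap)
    if level < needed:
        return False, f"needs_{needed.name}_has_{level.name}"
    return True, "ok"


def demo():
    """Constructed case: sender grants full control & share, internal policy caps at READ."""
    share = Share(Level.FULL_CONTROL_SHARE,
                  datetime(2025, 1, 31, tzinfo=timezone.utc),
                  allowed_nets=["203.0.113.0/24"])
    now = datetime(2025, 1, 10, tzinfo=timezone.utc)
    after = datetime(2025, 2, 1, tzinfo=timezone.utc)
    return [
        decide(share, Level.READ, "download", "203.0.113.7", now),
        decide(share, Level.READ, "share", "203.0.113.7", now),
        decide(share, Level.READ, "download", "198.51.100.9", now),
        decide(share, Level.READ, "download", "203.0.113.7", after),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```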
The user equipment (2) can send the data (A) it creates as an attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal) to the e-mail addresses of the recipients. The user equipment (2) provides a unique transfer of data (A) to each e-mail address added. Thus, the control module (3) can monitor accesses by recipients to data (A) on the basis of each recipient.
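
One way to combine the instant password and the per-recipient transfer described above, as an added Python example that is not part of the patent text. The class name, the six-digit code, the 300-second lifetime, the attempt limit and the sample addresses are assumptions; delivery of the code to the recipient is left to the caller.

```python
# Added illustration (not from the patent): class, fields and limits are assumptions.
import hashlib
import hmac
import secrets


def _h(value: str) -> str:
    """SHA-256 hex digest; only digests of tokens and codes are stored."""
    return hashlib.sha256(value.encode()).hexdigest()


class ShareLinks:
    def __init__(self, otp_ttl=300, max_attempts=5):
        self.otp_ttl = otp_ttl            # seconds an instant password stays valid
        self.max_attempts = max_attempts  # guesses allowed per issued password
        self._links = {}                  # sha256(link token) -> record
        self.access_log = []              # (time, recipient, data_id, event)

    def _log(self, now, rec, event):
        self.access_log.append((now, rec["recipient"], rec["data_id"], event))

    def create_links(self, data_id, recipients):
        """Issue one unguessable token per e-mail address so access is attributable."""
        links = {}
        for email in recipients:
            token = secrets.token_urlsafe(32)
            self._links[_h(token)] = {"data_id": data_id, "recipient": email,
                                      "otp_hash": None, "otp_expires": 0, "attempts": 0}
            links[email] = token
        return links

    def request_access(self, token, now):
        """Called when the link is opened: generate the instant password at that moment.

        Returns (recipient, otp) so the caller can send the code to that recipient,
        or None for an unknown token.
        """
        rec = self._links.get(_h(token))
        if rec is None:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        rec.update(otp_hash=_h(otp), otp_expires=now + self.otp_ttl, attempts=0)
        self._log(now, rec, "otp_issued")
        return rec["recipient"], otp

    def verify(self, token, otp, now):
        """Check the code: bound to this link, time-limited, attempt-limited, single use."""
        rec = self._links.get(_h(token))
        if rec is None or rec["otp_hash"] is None:
            return False
        if now > rec["otp_expires"] or rec["attempts"] >= self.max_attempts:
            rec["otp_hash"] = None        # force a fresh request_access()
            self._log(now, rec, "otp_rejected")
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["otp_hash"], _h(otp))  # constant-time compare
        if ok:
            rec["otp_hash"] = None        # a code cannot be replayed
        self._log(now, rec, "access_granted" if ok else "otp_wrong")
        return ok

    def events_for(self, recipient):
        """Per-recipient view of the log, as needed for per-recipient monitoring."""
        return [event for (_, who, _, event) in self.access_log if who == recipient]


if __name__ == "__main__":
    store = ShareLinks()
    links = store.create_links("doc-1", ["a@example.com", "b@example.com"])  # constructed
    who, code = store.request_access(links["a@example.com"], now=1000)
    print(who, store.verify(links["a@example.com"], code, now=1010))
    print(store.events_for("a@example.com"))
```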
The user equipment (2) can create and send static or live links. A static link ensures that data (A) are shared with the recipient in the form they are sent. A live link allows data (A) to be shared when the recipient accesses to the data (A). In the live link, if the sender makes modifications in the data (A), such data (A) will be immediately reflected to the recipient. Namely, modifications made by the sender can be observed by the recipient instantly.
When the user equipment (2) wants to share data (A) in the form of attachment and if the size of such data (A) exceeds a particular memory storage space, the user equipment (2) automatically converts these data (A) into a link. Data (A) that are converted into a link are sent via the user equipment (2) to the recipient's e-mail address.
The control module (3) reports the shared authorizations and presents these reports to the users (B) in the form of graphs to be displayed by the user equipment (2). The control module (3) displays to the users (B) via a tree structure all shares made by the senders, changes made by the recipients on these shares, and re-shares by the recipients. These processes allow reporting in detail which user (B) has the right to access data (A) and when and which user (B) has made changes on which data (A). Thus, users (B) can access previous versions of data (A) whenever they need them. In addition, which users (B) are involved in the transfer of data (A) is easily analyzed and represented by the tree structure, and if necessary, authorizations granted to improper users (B) can be easily observed. In this case, authorizations can be revoked or changed when necessary.
The control module (3) tracks data (A) sharing, captures, and reports the out-of-the-box actions and in such cases, prevents data (A) sharing. For example, if massive data (A) are shared between two users (B) for the first time or unexpected external file-sharing traffic occurs with a different user (B) or any similar situation is encountered, the control module (3) handles this as risky data (A) sharing. The control module (3) blocks such data (A) sharing and provides security by blocking the risky data (A) sharing.
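The risky-sharing check described above can be sketched as follows. This is an added example, not code from the patent: the `ShareMonitor` class, the 500 MB threshold for "massive" data, and the sample events are assumptions made for illustration, and the `approve` step stands in for the authorized person's decision described later in the text.

```python
from dataclasses import dataclass, field

# Assumed threshold for "massive" data; the page gives no figure.
MASSIVE_BYTES = 500 * 1024 * 1024


@dataclass(frozen=True)
class ShareEvent:
    sender: str
    recipient: str
    size_bytes: int
    external: bool  # True when the recipient is outside the internal network


@dataclass
class ShareMonitor:
    """Tracks sender/recipient pairs and blocks shares that break the baseline."""
    seen_pairs: set = field(default_factory=set)
    report: list = field(default_factory=list)

    def evaluate(self, ev: ShareEvent):
        pair = (ev.sender, ev.recipient)
        first_time = pair not in self.seen_pairs
        reasons = []
        if first_time and ev.size_bytes >= MASSIVE_BYTES:
            reasons.append("massive first-time share")
        if first_time and ev.external:
            reasons.append("first external share to this recipient")
        if reasons:
            # Blocked shares are reported and must not update the baseline,
            # otherwise a retried transfer would pass on the second attempt.
            self.report.append((ev, tuple(reasons)))
            return "block", reasons
        self.seen_pairs.add(pair)
        return "allow", reasons

    def approve(self, ev: ShareEvent):
        """An authorized person releases a blocked share; the pair becomes known."""
        self.seen_pairs.add((ev.sender, ev.recipient))


# Constructed sample events, not taken from any real system.
MB = 1024 * 1024
SAMPLE_EVENTS = [
    ShareEvent("alice", "bob", 10 * MB, external=False),
    ShareEvent("alice", "bob", 900 * MB, external=False),
    ShareEvent("alice", "carol", 900 * MB, external=False),
    ShareEvent("alice", "vendor@partner.example", 1 * MB, external=True),
]


def run_sample():
    monitor = ShareMonitor()
    decisions = [monitor.evaluate(ev)[0] for ev in SAMPLE_EVENTS]
    return monitor, decisions


if __name__ == "__main__":
    monitor, decisions = run_sample()
    for ev, decision in zip(SAMPLE_EVENTS, decisions):
        print(f"{ev.sender} -> {ev.recipient}: {decision}")
    for ev, reasons in monitor.report:
        print("reported:", ev.recipient, reasons)
```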
The control module (3) can assign an admin role to the representative of every department within the organization. With the help of the representatives of departments, the control module (3) analyzes errors in the authorizations of users (B) and ensures that these authorizations are corrected as necessary. For example, if any user (B) working in department A is transferred to department B, the control module (3) will determine whether this user (B) who has been transferred to department B can still access files related to department A. In such a case, the control module (3), in consultation with the representative of the relevant department, makes a new authorization arrangement for the user (B) and thus improves security.
The control module (3) allows users (B) who are the recipient and the sender to work jointly on the same data (A). Thus, for example, when the recipient is reading the data (A), the sender can simultaneously make modifications to the data (A). The control module (3) ensures that such modifications are instantly viewed by the recipient and the sender.
The control module (3) enables the recipient to view the shared data (A) without download via the user equipment (2) and, if desired, modify the data (A) within the limits of his authorization.
The sender can select the folder and files in that folder as data (A) using the user equipment (2). After this selection, the control module (3) can allow the recipient to add or delete files from the folder, apart from the files within the folder, based on the authorizations.
The control module (3) can allow the same user (B) to use different user equipment (2). Thus, the user (B) can send data (A) into the user equipment (2) he uses at work within the limits of his authorization through the user equipment (2) he uses when he is not at work, edit the data (A) in the user equipment (2) used at work or delete the data (A) in the user equipment (2) used at work. Namely, the user (B) can perform all processes while he is not at work.
Shared data (A) are often not externally accessible for security reasons. When data (A) are to be sent from the internal network to an external network, the control module (3) can use the DMZ layer installed by the IT department. The control module (3) manages which users (B) can pass the DMZ (Demilitarized Zone) layer and share the data (A) with the outside.
The control module (3) scans all data (A) in the system (1) and analyzes the structure of the data (A) with the support of machine learning. Even if the extension of data (A) is changed, the control module (3) captures and quarantines data (A) and blocks data (A) sharing with potentially malicious software. If the control module (3) detects any malicious code snippet with at least 25% probability while analyzing the data (A), it captures and quarantines data (A) and blocks data (A) sharing.
The control module (3) scans all data (A) for malware. If data (A) contain malicious content, the control module (3) captures and quarantines said data (A) and blocks data (A) sharing.
The control module (3) filters data (A) that enter or exit the system (1) through a DLP (Data Loss Protection) ruleset. If the control module (3) detects data (A) that violate its rule structure, it captures and quarantines the data (A) and blocks data (A) sharing. The control module (3) can detect, for example, four numbers, each with four digits and a space between them, in the data (A). Thus, sharing of any possible credit card number can be prevented. The control module (3) can also identify identification numbers in the data (A). Thus, the sharing of such confidential identity numbers is blocked.
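The card-number rule described above, written out as an added example that is not part of the patent. The rule itself (four groups of four digits separated by spaces) is the page's; the Luhn checksum filter, the masking of findings, and all function names are additions assumed here to show how such a rule is usually tuned against false positives.

```python
import re

# The page's rule: four numbers of four digits each, separated by a space.
# The lookarounds keep the rule from firing inside a longer run of digits.
CARD_RULE = re.compile(r"(?<!\d)(\d{4}) (\d{4}) (\d{4}) (\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (added filter, not in the page)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str):
    """Return one finding per rule match; the full number is never kept."""
    findings = []
    for m in CARD_RULE.finditer(text):
        digits = "".join(m.groups())
        findings.append({
            "offset": m.start(),
            "masked": "*" * 12 + digits[-4:],
            "luhn": luhn_valid(digits),
        })
    return findings


def decide(text: str, require_luhn: bool = False):
    """Quarantine when the rule fires; optionally only on Luhn-valid matches."""
    hits = [f for f in scan(text) if f["luhn"] or not require_luhn]
    return ("quarantine" if hits else "allow"), hits


# Constructed sample text; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = "Invoice ref 1234 5678 9012 3456, card 4111 1111 1111 1111 on file"

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(decide(SAMPLE, require_luhn=True)[0])
```

With `require_luhn=False` the function applies the page's rule literally, so the invoice reference in the sample is quarantined too; the checksum filter trades that false positive for the risk of missing a mistyped card number.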
The control module (3) can regulate which operations users (B) can perform on data (A) within the limits of their authorization and the environment of user equipment (2) in which these operations can be performed. For example, users (B) can read data (A) in private network folders, while these users (B) can be prevented from reading relevant data in the public network folder. Or, for example, users (B) can change folders in a public network environment but only read them in the private network folder.
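The authorization blending described earlier for direct sharing, combined with the environment restriction in the paragraph above, can be modelled as taking the most restrictive of every applicable limit. This is an added example, not the patent's own code: the `AuthorizationMap` class, the default-deny behaviour for recipients with no internal entry, and the assumption that each level includes the operations of the levels below it are all illustrative choices.

```python
from enum import IntEnum


class Level(IntEnum):
    """Sharing levels named on the page, ordered from least to most permissive."""
    NONE = 0
    VIEW = 1
    READ = 2
    READ_WRITE = 3
    FULL_CONTROL = 4
    FULL_CONTROL_SHARE = 5


# Assumption: levels are cumulative, each adding operations to the one below.
OPERATIONS = {
    Level.NONE: frozenset(),
    Level.VIEW: frozenset({"view"}),
    Level.READ: frozenset({"view", "download"}),
    Level.READ_WRITE: frozenset({"view", "download", "edit"}),
    Level.FULL_CONTROL: frozenset({"view", "download", "edit", "write"}),
    Level.FULL_CONTROL_SHARE: frozenset(
        {"view", "download", "edit", "write", "share"}),
}


class AuthorizationMap:
    def __init__(self, internal_caps, environment_caps):
        self.internal_caps = dict(internal_caps)        # recipient -> Level
        self.environment_caps = dict(environment_caps)  # (recipient, env) -> Level
        self.grants = {}                                # (data_id, recipient) -> Level

    def share(self, data_id, recipient, requested):
        """Blend the sender's request with the internal limit for the recipient."""
        # Assumption: a recipient with no internal entry gets nothing (default deny).
        cap = self.internal_caps.get(recipient, Level.NONE)
        granted = min(requested, cap)
        # Only this (data, recipient) entry is written; other grants are untouched.
        self.grants[(data_id, recipient)] = granted
        return granted

    def effective(self, data_id, recipient, environment):
        """Level that applies right now, given where the user equipment is."""
        granted = self.grants.get((data_id, recipient), Level.NONE)
        env_cap = self.environment_caps.get((recipient, environment), granted)
        return min(granted, env_cap)

    def allowed(self, data_id, recipient, environment, operation):
        return operation in OPERATIONS[self.effective(data_id, recipient, environment)]


if __name__ == "__main__":
    # Constructed users and file name, for illustration only.
    amap = AuthorizationMap(
        internal_caps={"alice": Level.READ, "bob": Level.FULL_CONTROL_SHARE},
        environment_caps={("alice", "public"): Level.NONE},
    )
    print(amap.share("q3.xlsx", "bob", Level.READ_WRITE).name)
    # The page's example: full control & share requested, internal limit is read.
    print(amap.share("q3.xlsx", "alice", Level.FULL_CONTROL_SHARE).name)
    print(amap.effective("q3.xlsx", "alice", "public").name)
```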
The control module (3) can present the data (A) sharing between the users (B) to the approval of the authorized person in the module. Thus, the authorized person can deny the sharing process between the users (B) and block it.
The control module (3) notifies the authorized person in the module of the quarantined data (A) and ensures that the data (A) are shared or deleted as per the decision of this person.
The control module (3) can adjust the speed of data transfer (upload/download speed) for specific time intervals, operations, or users (B). Thus, for example, during the operation hours of the system (1), the upload and download speeds are reduced to hinder any slowdown of devices connected to the internal network.
The control module (3) enables users (B) to make root word-based searches among their data (A) using their user equipment (2). Users (B) can thus access data (A) with the specified root word and all words with prefixes and suffixes. For example, if any user (B) makes a search in the form of 'my addresses', he will access data (A) with all words containing address as the root word such as an address, its address, my address, and addresses, etc.
The control module (3) provides the sender with information on all operations such as data (A) accessed, read, modified, or downloaded by the recipients or IP address used and the time of such operations, etc.
The control module (3) enables the senders to block any access to data (A) or change the privileges of the recipients at any time after the transfers of data (A).
The control module (3) allows senders to put a watermark on data (A) they send. The relevant watermark contains information such as the sender, the time of data (A) transmission, the recipient, and IP address. Thus, recipients who are authorized only to read are prevented from photographing data (A) and sharing such data (A) illegally. If the recipients share these data (A), the sender to whom such data (A) actually belong can be conveniently determined by the watermark.
The control module (3) can enable the print feature to be deactivated for data (A) sent by the senders. Thus, recipients are prevented from printing the relevant data (A) illegally.
If the sender adjusts confirmation requirement before the transmission of data (A) using the user equipment (2), the control module (3) will first send a confirmation to the user equipment (2) of the recipient. If this confirmation is accepted, the control module (3) grants access to data (A) to the user equipment (2) of the recipient. If the sender does not adjust confirmation requirements prior to the transmission of data (A) using the user equipment (2), the control module (3) ensures that the user equipment (2) of the recipient has direct access to data (A).
The system (1) of the present invention enables safer, faster, and easier management of media without carrying the existing file media used today. The system (1) collects all the file media that the users (B) access on a single screen and provides easy file access to the users (B).

Claims

1. A system that allows tracking and managing sharing processes of data (A) such as internal and/or external files and folders; making these processes more secure and preventing data (A) leakage in these processes; said system comprising: multiple user equipment (2) such as computers, smart devices and similar that allow sending or receiving data (A) such as files and folders belonging to users (B) who are recipients and/or senders and/or users (B) in groups of multiple recipients via its web interface and/or application and/or Outlook Add-in, characterized in that said system contains:
- at least one control module that communicates with user equipment (2) through an internal network or external network such as the Internet,
- identifies username and password so that users (B) with user equipment (2) can use the system (1),
- enables users (B) logging into the system (1) with their username and password to send data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal),
- enables secure transfer of data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal),
- enables users (B) to perform authorizations for data (A) in transfers of data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal),
- creates authorization maps for the authorization processes,
- provides the control of the content of the data (A) sent and received during the transfers of data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal) and realizing or blocking transfers based on such control,
- enables access of users (B) who log into the system (1) through the web interface and/or application and/or Outlook Add-in to data (A) that they own or add to any public and private network or send via attachment (internal/external) and/or link (internal/external) and/or through direct sharing (internal) or receive from other users (B) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal) and delete,
- allows users (B) to make a search in order to find data (A) in their accounts,
- ensures that notifications of all transactions are forwarded to users (B),
- cooperates with internal departments, department managers and managers of the system (1) and ensures that decisions are implemented,
- transfers data (A) in an approved and/or unapproved manner between user equipment (2), and
- reports all transactions to users (B).
2. A system (1) according to Claim 1, characterized in that said system (1) includes user equipment (2) allowing the user (B) to log into the system (1) with his username and password and to share and receive data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal).
3. A system (1) according to Claim 1 or Claim 2, characterized in that said system (1) includes user equipment (2) enabling the user (B) to determine data (A) to be shared and type of sharing of data (A) in the form of view (view only), read (download document), read & write (download + edit), full control (download + edit + view + write) and full control & share (download + edit + view + write + share) during data (A) transfers via direct sharing (internal).
4. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) enabling the user to determine data (A) to be shared and type of sharing for these data (A) such as view, upload or download authorizations separately or multiply during data (A) transfers via a link (internal/external).
5. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) allowing the user (B) to rearrange the authorizations previously made at any time after the transfer of data (A) via direct sharing (internal) and/or link (internal/external).
6. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) allowing the user (B) to determine data (A) to be shared via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal) and period for sharing these data (A).
7. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) allowing the user (B) to determine data (A) to be shared via attachment (internal/external) and/or link (internal/external) and to which recipient(s) or groups these data (A) will be sent.
8. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) allowing the user (B) to determine data (A) to be shared via direct sharing (internal) and to which recipient(s) or groups these data (A) will be sent.
9. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3), wherein said control module (3) communicates with the user equipment (2), analyzes the authorizations of data (A) to be transmitted via direct sharing (internal) method, blends the authorizations granted by user equipment (2) with internal mechanisms and creates a new sharing authorization without revoking any other authorization.
10. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) generating a static password, i.e. type of password that the sender manually enters or an instant password, i.e. type of password generated and sent to the recipient at the exact moment that the data (A) are accessed for data (A) transmitted as an attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal).
11. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) adding IP restriction to data (A) transmitted via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal).
12. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) sending data (A) via attachment (internal/external) and/or link (internal/external) and/or direct sharing (internal) to the e-mail address of the recipients, providing a unique transfer of data (A) for each e-mail address added and thus, monitoring by means of the control module (3) accesses by recipients to data (A) on the basis of each recipient.
13. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) generating a static link, sending data (A) via attachment (internal/external) and/or link ensuring that data (A) is shared with the recipient in the form they are sent or a live link allowing data (A) to be shared when the recipient accesses to data (A) and data (A) is immediately reflected to the recipient if the sender makes modifications in the data (A).
14. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes user equipment (2) automatically converting data (A) into a link when data (A) is to be shared in the form of attachment and the size of such data (A) exceeds a particular memory storage space and sending the data (A) converted into a link to the recipient's e-mail address.
15. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) reporting the shared authorizations and presenting these reports to users (B) in the form of graphs to be displayed by the user equipment (2).
16. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) displaying to users (B) via a tree structure all shares made by the senders, changes made by the recipients on these shares and re-shares by the recipients.
17. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) reporting in detail which user (B) has the right to access to data (A) and when and which user (B) has made changes on which data (A).
18. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) enabling users (B) to access to previous versions of data (A).
19. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) tracking data (A) sharing; capturing and reporting the out-of-the-box actions and in such cases, preventing data (A) sharing.
20. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) assigning an admin role to the representative of every department within the organization, analyzing errors in the authorizations of users (B) with the help of the representatives of departments and ensuring that these authorizations are corrected as necessary.
21. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) allowing users (B) who are the recipient and the sender to work jointly on the same data (A) and ensuring that modifications are instantly viewed by the recipient and the sender.
22. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) enabling the recipient to view the shared data (A) without download via the user equipment (2) and, if desired, modify the data (A) within the limits of his authorization.
23. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) enabling the user to select the folder and files in that folder as data (A) using the user equipment (2) and after this selection, allowing the recipient to add or delete files from the folder, apart from the files within the folder, based on the authorizations.
24. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) allowing the same user (B) to use different user equipment (2) and thus, enabling the user (B) to send data (A) into the user equipment (2) he uses at work within the limits of his authorization through the user equipment (2) he uses when he is not at work; edit the data (A) in the user equipment (2) used at work or delete the data (A) in the user equipment (2) used at work.
25. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) using the DMZ layer installed by the IT department when data (A) are to be sent from internal network to external network and managing which users (B) can pass the DMZ (Demilitarized Zone) layer and share the data (A) with the outside.
26. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) scanning all data (A) in the system (1), analyzing the structure of the data (A) with the support of machine learning, capturing and quarantining data (A) and blocking data (A) sharing with potentially malicious software.
27. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) scanning all data (A) for malware.
28. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) filtering data (A) that enter into the system (1) or exit from the system (1) through DLP (Data Loss Protection) ruleset and capturing and quarantining said data (A) and blocking data (A) sharing if data (A) are against its rule structure.
29. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) regulating which operations (such as view, modification, etc.) users (B) can perform on data (A) within the limits of their authorization and the environment (private network folder, public network folder) of user equipment (2) in which these operations can be performed.
30. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) presenting the data (A) sharing between the users (B) to the approval of the authorized person in the module and thus, enabling the authorized person to deny the sharing process between the users (B) and block it.
31. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) notifying the authorized person in the module of the quarantined data (A) and ensuring that the data (A) are shared or deleted as per the decision of this person.
32. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) adjusting the speed of data transfer (upload/download speed) for specific time intervals, operations or users (B).
33. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) enabling users (B) to make root word-based searches among their data (A) using their user equipment (2) and thus, accessing data (A) with the specified root word and all words with prefixes and suffixes.
34. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) providing information to the sender on all processes such as view, modification, download of data (A), IP address used for access to data and the time.
35. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) allowing the senders to block access to data (A) or change the authorization of the recipients at any time after the transfers of data (A).
36. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) allowing the senders to place a watermark on data (A) they send, wherein the watermark includes information such as the sender, the time of data (A) transmission, the recipient and IP address, whereby only the recipients with the authorization to read can take photographs of data (A) and thus, the recipients are prevented from sharing data (A) illegally.
37. A system (1) according to any one of the preceding claims, characterized in that it includes the control module (3) enabling the deactivation of the print feature for data (A) sent by the senders and thus, preventing the receivers from printing the relevant data (A) illegally.
38. A system (1) according to any one of the preceding claims, characterized in that said system (1) includes a control module (3) sending a confirmation to the user equipment (2) of the recipient if the sender adjusts confirmation requirement before the transmission of data (A) using the user equipment (2) and granting access to data (A) to the user equipment (2) of the recipient if this confirmation is accepted and ensuring that the user equipment (2) of the recipient has direct access to data (A) if the sender does not adjust confirmation requirement prior to the transmission of data (A).
PCT/TR2020/050679 2019-08-01 2020-07-30 A data sharing system WO2021021064A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TR2019/11701A TR201911701A2 (en) 2019-08-01 2019-08-01 A DATA SHARING SYSTEM
TR2019/11701 2019-08-01

Publications (1)

Publication Number Publication Date
WO2021021064A1 true WO2021021064A1 (en) 2021-02-04

Family

ID=74229773

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/TR2020/050679 WO2021021064A1 (en) 2019-08-01 2020-07-30 A data sharing system

Country Status (2)

Country Link
TR (1) TR201911701A2 (en)
WO (1) WO2021021064A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003040869A2 (en) * 2001-10-16 2003-05-15 Smarte Solutions, Inc. User/product authentication and piracy management system
WO2008065343A1 (en) * 2006-12-01 2008-06-05 David Irvine Shared access to private files
US20150006895A1 (en) * 2009-06-01 2015-01-01 Maidsafe Foundation Distributed network system

Also Published As

Publication number Publication date
TR201911701A2 (en) 2021-02-22

Similar Documents

Publication Publication Date Title
US11240251B2 (en) Methods and systems for virtual file storage and encryption
US11880437B2 (en) Method and system for remote data access
USRE46916E1 (en) System and method for secure management of mobile user access to enterprise network resources
US7409547B2 (en) Adaptive transparent encryption
US8798579B2 (en) System and method for secure management of mobile user access to network resources
US8976008B2 (en) Cross-domain collaborative systems and methods
US20070016771A1 (en) Maintaining security for file copy operations
US20090063869A1 (en) Securing Data in a Networked Environment
US20140053252A1 (en) System and Method for Secure Document Distribution
US8805741B2 (en) Classification-based digital rights management
US20200382474A1 (en) System And Method For Encryption, Storage And Transmission Of Digital Information
US8826457B2 (en) System for enterprise digital rights management
WO2008104965A2 (en) A system and method for automatic data protection in a computer network
US20200134221A1 (en) System and method for blockchain document access and distribution control
JPWO2013118280A1 (en) Apparatus and method for preventing leakage of confidential data
US11222126B2 (en) Community governed end to end encrypted multi-tenancy system to perform tactical and permanent database and communication operations
US20200125750A1 (en) System and Method of Providing a Secure Inter-Domain Data Management Using Blockchain Technology
WO2021021064A1 (en) A data sharing system
US7752657B2 (en) Data processing system and method
JP6042104B2 (en) E-mail transmission device and e-mail transmission method
GB2420061A (en) Secure email communication using a central server

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20846950

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20846950

Country of ref document: EP

Kind code of ref document: A1