[go: up one dir, main page]

WO2006104810A2 - Security policy driven data redaction - Google Patents

Security policy driven data redaction Download PDF

Info

Publication number
WO2006104810A2
WO2006104810A2 PCT/US2006/010451 US2006010451W WO2006104810A2 WO 2006104810 A2 WO2006104810 A2 WO 2006104810A2 US 2006010451 W US2006010451 W US 2006010451W WO 2006104810 A2 WO2006104810 A2 WO 2006104810A2
Authority
WO
WIPO (PCT)
Prior art keywords
access
requestor
result set
permitted
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2006/010451
Other languages
French (fr)
Other versions
WO2006104810A3 (en
Inventor
Paul Patrick
Naveen Gupta
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEA Systems Inc
Original Assignee
BEA Systems Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/341,836 external-priority patent/US8086615B2/en
Priority claimed from US11/341,236 external-priority patent/US20060218149A1/en
Application filed by BEA Systems Inc filed Critical BEA Systems Inc
Publication of WO2006104810A2 publication Critical patent/WO2006104810A2/en
Anticipated expiration legal-status Critical
Publication of WO2006104810A3 publication Critical patent/WO2006104810A3/en
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes

Definitions

  • the current invention relates generally to securing access to data, and more particularly to a mechanism for security policy driven data redaction.
  • IT Information Technology
  • SOA Service Oriented Architecture
  • One problem that arises is controlling access to data by different individuals.
  • One conventional approach includes controlling individual's access to data storage constructs, i.e., files, databases and so forth, using a scheme of access permissions. For example, a user may be granted some combination of read, write, modify and delete authority for a particular file, database or other data storage construct. Such conventional approaches, however, require the user to be cleared for the entire content of the data storage construct.
  • Another conventional approach includes controlling access to the services by individuals.
  • a problem with such approaches arises from the coarseness of the approaches' granularity - an individual is either permitted to use the service or denied access to the service.
  • Some implementations have sought to ameliorate this drawback by establishing classes of access, i.e., user, administrator and so forth, each class having access to a specific set of functions in the service.
  • Each of these conventional approaches suffers the same limitation - an individual granted access to the service, or the data storage construct, has access to the entirety of the data.
  • FIGURES 1A - 1 B are functional block diagrams illustrating an example computing environment in which techniques for data redaction may be implemented in one embodiment.
  • FIGURES 2A - 2E are operational flow diagrams illustrating a high level overview of techniques for securing access to data of one embodiment of the present invention.
  • FIGURES 3A - 3B are operational flow diagrams illustrating a high level overview of examples of data redaction techniques in various embodiments of the present invention.
  • FIGURES 4A - 4B are diagrams illustrating a high level overview of example service output data corresponding to the examples illustrated in FIGURES 3A - 3B.
  • FIGURE 5 is a hardware block diagram of an example computer system, which may be used to embody one or more components of an embodiment of the present invention.
  • redaction is based upon access policies associated with a requestor.
  • Requestors may be users, proxies or automated entities.
  • Access policies may change because of changes made to the policy by an IT administrator, for example, or change in state due to a change in external factors, such as a changed security level or the like.
  • redaction is based upon access policies associated with a security level, which may be a hierarchical arrangement of security classifications or categories.
  • a method for securing access to data includes accessing at least one service on behalf of a requestor. A result set is received from the at least one service.
  • a Liquid Data framework can map the portion of the result set provided to the requestor to a view associated with the requestor.
  • the result set received from the service or services may be redacted in accordance with access policies, if the policy permits the requestor to access only a portion of the result set, or can be provided in its entirety if the policy permits the requestor to access all of the result set or may be blocked entirely if the policy does not permit the requestor to access any of the result set.
  • the method includes accessing at least one service on behalf of a requestor.
  • a result set is received from the at least one service.
  • a determination that an access policy has been changed is received.
  • a subset of the result set, which the requestor is permitted to access is determined based at least in part on the now current access policy.
  • the requestor can be provided only that portion of the result set that the requestor is permitted to access under the now current access policy.
  • the information provided to the requestor is the result set received from the service(s) redacted in accordance with the now current access policy if the now current access policy permits the requestor to access only a portion of the result set.
  • determining that an access policy has been changed to a now current access policy can include one or more of determining that an external security level has changed, i.e., a change in condition of the external world has been detected; and determining that a change has been made to an access policy.
  • embodiments of the present invention are broadly applicable to a wide variety of situations in which control over information dissemination is desirable.
  • various embodiments can provide: less personal information about juvenile offenders than adults; less detailed information about each trade when market trading volume increases; more detailed weather information when the weather is hazardous to travel; more special product offerings to members having premium status with shopping clubs than regular members; more detailed criminal record information for suspected felons than for individuals with less serious infractions in their criminal record; and so forth.
  • the term service is intended to be broadly construed to include any application, program or process resident on one or more computing devices capable of providing services to a requestor or other recipient, including without limitation network based applications, web based server resident applications, web portals, search engines, photographic, audio or video information storage applications, e-Commerce applications, backup or other storage applications, sales/revenue planning, marketing, forecasting, accounting, inventory management applications and other business applications and other contemplated computer implemented services.
  • the term result set is intended to be broadly construed to include any result provided by one or more services. Result sets may include multiple entries into a single document, file, communication or other data construct.
  • the term view is intended to be broadly construed to include any mechanism that provides a presentation of data and/or services in a format suited for a particular application, service, client or process.
  • the presentation may be virtualized, filtered, molded, or shaped.
  • data returned by services to a particular application can be mapped to a view associated with that application (or service).
  • Embodiments can provide multiple views of available services to enable organizations to compartmentalize or streamline access to services, increasing the security of the organization's IT infrastructure.
  • Access policies dynamically identify resources (e.g., J2EE resources, an XML document, a section of an XML document, services, information returned by services, etc.) for which access is controlled, entities allowed to access each resource, and constraints that apply to each requestor or group of requestors that attempt to access the resource.
  • a policy can be based on role(s) such that it determines which role(s) are permitted to access a resource under certain conditions.
  • roles can be defined to dynamically associate users and/or groups of users based on some criteria. For example, a system administrator role might include all users having a certain skill level and only during certain times of day (e.g., after 5:00 pm)).
  • a policy can be specified as follows (wherein items in square brackets indicate alternatives; italic font indicates optional items):
  • Action is the name of a resource or resource attribute to grant or deny access to
  • Resource is the name of the resource that this policy will be associated with
  • Subject is the name of one or more users, groups and/or roles that are granted/denied the action. A special subject called any denotes that any user, group and role is potentially a subject;
  • IF (constraint condition) is one or more optional conditions placed on the action.
  • Conditions can include one or more arithmetic and logical functions and expressions involving attributes of resources or other entities in the system, such as requestor attributes, group membership, dynamic attributes (e.g., time, date, location), and other suitable information.
  • FIGS. 1A - 1 B are functional block diagrams illustrating an example computing environment in which techniques for data redaction may be implemented in one embodiment.
  • a liquid data framework 104 is used to provide a mechanism by which a set of applications, or application portals 94, 96, 98, 100 and 102, can integrate with, or otherwise access in a tightly couple manner, a plurality of services.
  • Such services may include a Materials Requirements and Planning (MRP) system 112, a purchasing system 114, a third-party relational database system 116, a sales forecast system 118 and a variety of other data-related services 120.
  • MRP Materials Requirements and Planning
  • one or more of the services may interact with one or more other services through the liquid data framework 104 as well.
  • the liquid data framework 104 employs a liquid data integration engine 110 to process requests from the set of portals to the services.
  • the liquid data integration engine 110 allows access to a wide variety of services, including data storage services, server-based or peer-based applications, Web services and other services capable of being delivered by one or more computational devices are contemplated in various embodiments.
  • a services model 108 provides a structured view of the available services to the application portals 94, 96, 98, 100 and 102.
  • the services model 108 provides a plurality of views 106 that may be filtered, molded, or shaped views of data and/or services into a format specifically suited for each portal application 94, 96, 98, 100 and 102.
  • data returned by services to a particular application is mapped to the view 106 associated with that application (or service) by liquid data framework 104.
  • Embodiments providing multiple views of available services can enable organizations to compartmentalize or streamline access to services, thereby increasing the security of the organization's IT infrastructure.
  • services model 108 may be stored in a repository 122 of service models.
  • Embodiments providing multiple services models can enable organizations to increase the flexibility in changing or adapting the organization's IT infrastructure by lessening dependence on service implementations.
  • FIG. 1 B is a high level schematic of a liquid data integration engine 110 illustrated in FIG. 1A with reference to one example embodiment.
  • the liquid data integration engine 110 includes an interface processing layer 140, a query compilation layer 150 and a query execution layer 160.
  • the interface layer 140 includes a request processor 142, which takes the request 10 and processes this request into an XML query 50.
  • Interface layer 140 also includes access control mechanism 144, which determines based upon a plurality of policies 20 whether the client, portal application, service or other process making the request 10 is authorized to access the resources and services required to satisfy the request.
  • the interface layer sends the XML query 50 to the query compilation layer 150.
  • the query rewrite optimizer 154 determines whether the query can be rewritten in order to improve performance of servicing the query based upon one or more of execution time, resource use, efficiency or other performance criteria.
  • the query rewrite optimizer 154 may rewrite or reformat the query based upon input from one or more of a source description 40 and a function description 30 if it is determined that performance may be enhanced by doing so.
  • a runtime query plan generator 156 generates a query plan for the query provided by the query rewrite optimizer 154 based upon input from one or more of the source description 40 and the function description 30.
  • the query compilation layer 150 passes the query plan output from the runtime query plan generator 156 to a runtime query engine 162 in the query execution layer 160.
  • the runtime query engine 162 is coupled with one or more functions 70 that may be used in conjunction with formulating queries and fetch requests to sources 52, which are passed on to the appropriate service(s).
  • the service responds to the queries and fetch requests 52 with results from sources 54.
  • the runtime query engine 162 of the query execution layer 160 translates the results into a format usable by the client or portal application, such as without limitation XML, in order to form the XML query results 56.
  • a query result filter 170 in the interface layer 140 determines based upon filter parameters 90 what portion of the results will be passed back to the client or portal application, forming a filtered query response 58.
  • filter parameters 90 may accompany service request 10 in one embodiment.
  • query result filter 170 also determines based upon access policies implementing security levels 80 what portions of the filtered query response 58 a requestor is permitted to access and may redact the filtered query response accordingly.
  • access policies implementing security levels 80 may be stored with policies 20 in one embodiment.
  • FIG. 2A is an operational flow diagram illustrating a high level overview of a technique for securing access to data of one embodiment of the present invention.
  • the technique for securing access to data shown in FIG. 2A is operable with an application sending data, such as Materials Requirements and Planning (MRP) system 112, an purchasing system 114, a third-party relational database system 116, sales forecast system 118, or a variety of other data-related services 120 of FIG. 1A, for example.
  • MRP Materials Requirements and Planning
  • a result set is received from one or more services (block 204). Only that portion of the result set that the requestor is permitted to access is provided to the requestor (block 206).
  • Liquid data framework 104 can map the portion of the result set provided to the requestor to a view associated with the requestor.
  • the method illustrated by blocks 202 - 206 may be advantageously disposed in the interface processing layer 140, query compilation layer 150 and query execution layer 160 of FIG. 1 B.
  • FIG. 2B is an operational flow diagram illustrating a high level overview of a technique for receiving data under a secured environment of one embodiment of the present invention.
  • the technique for receiving data under a secured environment shown in FIG. 2B is operable with an application sending data, such as applications 94, 96, 98, 100 and 102 of FIG. 1A, for example or a service, such as Materials Requirements and Planning (MRP) system 112, an purchasing system 114, a third-party relational database system 116, sales forecast system 118, or a variety of other data-related services 120 of FIG. 1A.
  • MRP Materials Requirements and Planning
  • a request to access one or more services is sent to a server (block 212).
  • FIG. 2C is an operational flow diagram of an example redaction based technique for securing data, which may be used in conjunction with the technique illustrated in FIG. 2A. As shown in FIG. 2C, whether the requestor has a policy has a policy associated with it that permits access to all of the result set is determined (block 222). If not, then the result set received from the service is redacted in accordance with access policies associated with the requestor (block 224). In any event, the result set is then provided in accordance with the access policies associated with the requestor (block 226).
  • FIG. 2D is an operational flow diagram illustrating a high level overview of a technique for controlling access to data of one embodiment of the present invention.
  • the technique for controlling access to data shown in FIG. 2D is operable with an application sending data, such as Materials Requirements and Planning (MRP) system 112, an purchasing system 114, a third-party relational database system 116, sales forecast system 118, or a variety of other data-related services 120 of FIG. 1A, for example.
  • MRP Materials Requirements and Planning
  • FIG. 2D at least one service is accessed on behalf of a requestor (block 232).
  • a result set is received from the at least one service (block 234).
  • a determination that an access policy has been changed is received (block 236).
  • a subset of the result set, which the requestor is permitted to access, is determined (block 238) based at least in part on the now current access policy.
  • determining that an access policy has been changed to a now current access policy can include one or more of determining that an externa! security level 80 has changed; and determining that a change has been made to an access policy 20.
  • the method illustrated by blocks 232 - 238 may be advantageously disposed in the interface processing layer 140, query compilation layer 150 and query execution layer 160 of FIG. 1 B.
  • FlG. 2E is an operational flow diagram illustrating a high level overview of a technique for receiving data under a controlled environment of one embodiment of the present invention.
  • the technique for receiving data under a secured environment shown in FIG. 2E is operable with an application sending data, such as applications application 94, 96, 98, 100 and 102 of FIG. 1A, for example or a service, such as Materials Requirements and Planning (MRP) system 112, an purchasing system 114, a third-party relational database system 116, sales forecast system 118, or a variety of other data-related services 120 of FIG. 1A.
  • MRP Materials Requirements and Planning
  • a request to access a service is sent to a server (block 242).
  • a portion of a result set of the service is received (block 244) from the server.
  • the server has prepared the portion of the result set of the service according to the server's determination, based at least in part on a now current access policy, a subset of the result set which is permitted to be provided responsive to the request.
  • FIGS. 3A - 3B are operational flow diagrams illustrating some example embodiments implementing example applications.
  • FIGS. 4A - 4B are diagrams illustrating example service output data corresponding to the examples illustrated in FIGS. 3A - 3B. The reader will appreciate that these examples are for illustrative purposes only and not intended to be limiting.
  • an embodiment employing processing illustrated by FIG. 3A controls access to information based upon a policy by comparing a security level associated with the information and a requestor's permitted access.
  • example service output information illustrated by FIG. 4A which is the input to the processing of FIG. 3A
  • the embodiment illustrated by FIG. 3A enables access to more sensitive information about suspected violators to be restricted to requestors granted greater authority by access policies.
  • data is accessed from the result set received from one or more services (block 302). If the security level associated with the data is greater than the requestor's permitted access (block 304), then the data is redacted (block 306) from the result set. Otherwise, the data remains in the result set. If more data is to be processed (block 308), more data is accessed (block 302).
  • the result set 400a output by a service includes an indication of security level 402.
  • the security level indication 402 indicates that the information following the indicator is accessible to a requestor having access under a policy that includes at least "green" level information.
  • result set 400a includes data for various suspects, including data corresponding to a first suspect, "John Doe.”
  • the data for the first suspect includes information about the suspect beginning with a name and address 404. Since the security level was set to "green" by security level indication 402, the suspect name and address 404 are accessible to requestors permitted by an access policy to access at least "green” level information.
  • a conviction record 406 is also available to requestors permitted access to at least "green” level by an access policy.
  • a second security level indication 408 indicates that subsequent information requires an access policy permitting access to at least "yellow”.
  • the arrests data 410 requires requestors to be permitted by access policies to access at least "yellow” level information in order to view this information.
  • a third security level indication 412 indicates that subsequent information requires an access policy permitting access to at least "red”, requiring even further permission to access the juvenile record data block 414.
  • a fourth security level indication 416 returns the security level back to "green".
  • information that is restricted by court order and information that is highly prejudicial to a suspect may be included in the same document 400a with information suitable for general access. In this manner, access policies permitting greater access permissions may be required in order to view more sensitive information even though the information is included in the same document 400a in the illustrated embodiment. While colors are used as indicators to demonstrate the functioning of this embodiment, the present invention is not limited to using colors as security level indicators.
  • the security level associated with each data 404, 406, 410 and 414 is compared to the requestor's permitted access policy security level (block 304), and redacted (block 306) from the result set if the requestor does not have sufficient access for that particular data. Accordingly, in the foregoing example, as the requestor's access level increases, the amount of information available to the requestor also increases. In the next example, a reduction in the amount of information available to the requestor as market activity increases is effected using policies keyed to market activity.
  • an embodiment employing processing illustrated by FIG. 3B controls access to information based upon a policy by comparing a market activity level associated with the information and a present market activity.
  • example service output information illustrated by FIG. 4B which is the input to the processing of FIG. 3B
  • the embodiment illustrated by FIG. 3B enables access to less information about a stock to as the trading activity level of the market increases.
  • data is accessed from the result set received from one or more services (block 312). If the present market activity level is less than or equal to the market activity level associated with the data (block 314), then no further action is taken and the data remains in the result set. Otherwise, the data is redacted (block 316) from the result set. If more data is to be processed (block 318), then more data is accessed (block 312).
  • the result set 400b includes an indication of market activity level 422.
  • the market activity level 422 indicates that the information is accessible to any requestor even when the market activity is "high”.
  • result set 400b includes data for various stocks, such as data corresponding to a first stock.
  • the data for the first stock includes information about the stock beginning with a name and "ticker" symbol 424. Since the market activity level is set to "high" by market activity level indication 422, the name and symbol 424 are accessible to users even when the market activity level is high.
  • a last trade price 426 is also available to users at any time.
  • a second market activity level indication 428 indicates that subsequent information requires a market activity of at least "med” to be redacted.
  • the high and low price data block 430 will be shown if the market activity level is less than "med”.
  • a third market activity level indication 432 indicates that subsequent information about trading volume is included (i.e., not redacted) if market activity is less than "low", requiring an even slower trading day for the contents of volume data block 434 to be displayed. In this manner, successively greater amounts of information may be omitted when trading volume increases even though the information is included in the same document 400b in the illustrated embodiment.
  • the market activity level associated with each data 424, 426, 430 and 434 is compared to the present market activity level (block 314), and redacted (block 316) from the result set if the market activity level equals or exceeds the indicated maximum market activity level for that data. Accordingly, in the foregoing example, as the market's activity level increases, the amount of information available to the requestor decreases.
  • the invention encompasses in some embodiments, computer apparatus, computing systems and machine-readable media configured to carry out the foregoing methods.
  • the present invention may be conveniently implemented using a conventional general purpose or a specialized digital computer or microprocessor programmed according to the teachings of the present disclosure, as will be apparent to those skilled in the computer art.
  • the present invention includes a computer program product which is a storage medium (media) having instructions stored thereon/in which can be used to program a computer to perform any of the processes of the present invention.
  • the storage medium can include, but is not limited to, any type of rotating media including floppy disks, optical discs, DVD, CD-ROMs, microdrive, and magneto-optical disks, and magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.
  • the present invention includes software for controlling both the hardware of the general purpose/specialized computer or microprocessor, and for enabling the computer or microprocessor to interact with a human user or other mechanism utilizing the results of the present invention.
  • software may include, but is not limited to, device drivers, operating systems, and user applications.
  • Included in the programming (software) of the general/specialized computer or microprocessor are software modules for implementing the teachings of the present invention, including, but not limited to providing mechanisms and methods for securing data as discussed herein.
  • FIG. 5 illustrates an exemplary processing system 500, which can comprise one or more of the elements of FIGS. 1A and 1B.
  • an exemplary computing system is illustrated that may comprise one or more of the components of FIGS. 1 A and 1 B. While other alternatives might be utilized, it will be presumed for clarity sake that components of the systems of FIGS. 1A and 1 B are implemented in hardware, software or some combination by one or more computing systems consistent therewith, unless otherwise indicated.
  • Computing system 500 comprises components coupled via one or more communication channels (e.g., bus 501 ) including one or more general or special purpose processors 502, such as a Pentium®, Centrino®, Power PC®, digital signal processor (“DSP”), and so on.
  • communication channels e.g., bus 501
  • general or special purpose processors 502 such as a Pentium®, Centrino®, Power PC®, digital signal processor (“DSP”), and so on.
  • DSP digital signal processor
  • System 500 components also include one or more input devices 503 (such as a mouse, keyboard, microphone, pen, and so on), and one or more output devices 504, such as a suitable display, speakers, actuators, and so on, in accordance with a particular application.
  • input devices 503 such as a mouse, keyboard, microphone, pen, and so on
  • output devices 504 such as a suitable display, speakers, actuators, and so on, in accordance with a particular application.
  • input or output devices can also similarly include more specialized devices or hardware/software device enhancements suitable for use by the mentally or physically challenged.
  • System 500 also includes a computer readable storage media reader 505 coupled to a computer readable storage medium 506, such as a storage/memory device or hard or removable storage/memory media; such devices or media are further indicated separately as storage 508 and memory 509, which may include hard disk variants, floppy/compact disk variants, digital versatile disk (“DVD”) variants, smart cards, read only memory, random access memory, cache memory, and so on, in accordance with the requirements of a particular application.
  • a computer readable storage media reader 505 coupled to a computer readable storage medium 506, such as a storage/memory device or hard or removable storage/memory media; such devices or media are further indicated separately as storage 508 and memory 509, which may include hard disk variants, floppy/compact disk variants, digital versatile disk (“DVD”) variants, smart cards, read only memory, random access memory, cache memory, and so on, in accordance with the requirements of a particular application.
  • DVD digital versatile disk
  • One or more suitable communication interfaces 507 may also be included, such as a modem, DSL, infrared, RF or other suitable transceiver, and so on for providing inter-device communication directly or via one or more suitable private or public networks or other components that may include but are not limited to those already discussed.
  • Working memory 510 further includes operating system ("OS") 511 elements and other programs 512, such as one or more of application programs, mobile code, data, and so on for implementing system 500 components that might be stored or loaded therein during use.
  • OS operating system
  • the particular OS or OSs may vary in accordance with a particular device, features or other aspects in accordance with a particular application (e.g.
  • ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇
  • a learning integration system or other component When implemented in software (e.g. as an application program, object, agent, downloadable, servlet, and so on in whole or part), a learning integration system or other component may be communicated transitionally or more persistently from local or remote storage to memory (SRAM, cache memory, etc.) for execution, or another suitable mechanism can be utilized, and components may be implemented in compiled or interpretive form. Input, intermediate or resulting data or functional elements may further reside more transitionally or more persistently in a storage media, cache or other volatile or non-volatile memory, (e.g., storage device 508 or memory 509) in accordance with a particular application.
  • SRAM static random access memory
  • cache memory cache memory

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

In accordance with one embodiment of the present invention, there are provided mechanisms and methods for securing access to data. These mechanisms and methods for securing access to data make it possible for systems to have improved control over accesses to information by redacting responses made by services based upon access policies. Requestors may be users, proxies or automated entities. This ability of a system to redact responses to queries or requests for services in accordance with access policies makes it possible to attain improved security in computing systems over conventional access control mechanisms that control based upon privileges for accessing a file, an account, a storage device or a machine upon which the information is stored.

Description

SECURITY POLICY DRIVEN DATA REDACTION
CLAIM OF PRIORITY United States Provisional Patent Application No. 60/665,696, entitled "SECURITY
DATA REDACTION", by Naveen Gupta, et a/., filed March 28, 2005 (Attorney Docket No. BEAS-01753US3);
United States Provisional Patent Application No. 60/665,667 entitled "DATA REDACTION POLICIES", by Paul B. Patrick, filed March 28, 2005 (Attorney Docket No. BEAS-01753US4);
United States Patent Application No. 11/341,836 entitled "SECURITY DATA REDACTION", by Paul B. Patrick, et ai, filed January 27, 2006 (Attorney Docket No. BEAS- 01753USB); and
United States Patent Application No. 11/341,236 entitled "DATA REDACTION POLICIES", by Paul B. Patrick, filed January 27, 2006 (Attorney Docket No. BEAS- 01753USC).
COPYRIGHT NOTICE
A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and
Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
FIELD OF THE INVENTION
The current invention relates generally to securing access to data, and more particularly to a mechanism for security policy driven data redaction.
BACKGROUND Increasingly, enterprises are looking for ways to simplify access and organization of
Information Technology (IT) services. One mechanism for providing such IT simplification is Service Oriented Architecture (SOA). Application of SOA principles promises faster development cycles, increased reusability and better change tolerance for software components.
Unfortunately, enterprises that implement SOA often find that the start-up complexities of SOA delays, if not derails, the expected return on investment. While SOA simplifies the complexity of an IT environment, organizations lack sufficient experience with SOA technology required for a quick, trouble-free implementation. Compounding this experience gap, graphical tools for implementing SOA are not readily available, so that data services for use in SOA environments often must be hand-coded. For enterprise-class portal and Web applications, for example, a majority of application development time can be spent on managing data access. A number of factors make data programming difficult and time-consuming, including data access control. Accordingly, there exists a continued need for improved mechanisms for security data redaction in implementing SOA type initiatives.
One problem that arises is controlling access to data by different individuals. One conventional approach includes controlling individual's access to data storage constructs, i.e., files, databases and so forth, using a scheme of access permissions. For example, a user may be granted some combination of read, write, modify and delete authority for a particular file, database or other data storage construct. Such conventional approaches, however, require the user to be cleared for the entire content of the data storage construct.
Another conventional approach includes controlling access to the services by individuals. A problem with such approaches, however, arises from the coarseness of the approaches' granularity - an individual is either permitted to use the service or denied access to the service. Some implementations have sought to ameliorate this drawback by establishing classes of access, i.e., user, administrator and so forth, each class having access to a specific set of functions in the service. Each of these conventional approaches, however, suffers the same limitation - an individual granted access to the service, or the data storage construct, has access to the entirety of the data.
BRIEF DESCRIPTION OF THE DRAWINGS
FIGURES 1A - 1 B are functional block diagrams illustrating an example computing environment in which techniques for data redaction may be implemented in one embodiment. FIGURES 2A - 2E are operational flow diagrams illustrating a high level overview of techniques for securing access to data of one embodiment of the present invention.
FIGURES 3A - 3B are operational flow diagrams illustrating a high level overview of examples of data redaction techniques in various embodiments of the present invention. FIGURES 4A - 4B are diagrams illustrating a high level overview of example service output data corresponding to the examples illustrated in FIGURES 3A - 3B.
FIGURE 5 is a hardware block diagram of an example computer system, which may be used to embody one or more components of an embodiment of the present invention.
DETAILED DESCRIPTION
In accordance with embodiments of the present invention, there are provided mechanisms and methods for securing access to data. These mechanisms and methods for securing access to data make it possible for systems to have improved control over accesses to information by redacting responses made by services. In an example embodiment, redaction is based upon access policies associated with a requestor. Requestors may be users, proxies or automated entities. Access policies may change because of changes made to the policy by an IT administrator, for example, or change in state due to a change in external factors, such as a changed security level or the like. In an example embodiment, redaction is based upon access policies associated with a security level, which may be a hierarchical arrangement of security classifications or categories. This ability of a system to redact responses to queries or requests from services in accordance with access policies or the like makes it possible to attain improved security in computing systems over conventional access control mechanisms that control based upon privileges to access a file, an account, a storage device or a machine upon which the information is stored. In other example embodiments, access to information may be controlled in accordance with access policies based upon any quantity, indication or other detectable state with which dissemination of information can be coordinated, including without limitation, market activity, severity of weather, seriousness of infractions on a criminal record, member status in a shopping club and the like. In one embodiment, a method for securing access to data is provided. The method includes accessing at least one service on behalf of a requestor. A result set is received from the at least one service. Only that portion of the result set that the requestor is permitted to access is provided to the requestor. A Liquid Data framework, for example, can map the portion of the result set provided to the requestor to a view associated with the requestor. The result set received from the service or services may be redacted in accordance with access policies, if the policy permits the requestor to access only a portion of the result set, or can be provided in its entirety if the policy permits the requestor to access all of the result set or may be blocked entirely if the policy does not permit the requestor to access any of the result set.
In another embodiment, the method includes accessing at least one service on behalf of a requestor. A result set is received from the at least one service. A determination that an access policy has been changed is received. A subset of the result set, which the requestor is permitted to access, is determined based at least in part on the now current access policy. The requestor can be provided only that portion of the result set that the requestor is permitted to access under the now current access policy. In one embodiment, the information provided to the requestor is the result set received from the service(s) redacted in accordance with the now current access policy if the now current access policy permits the requestor to access only a portion of the result set. In one embodiment, determining that an access policy has been changed to a now current access policy can include one or more of determining that an external security level has changed, i.e., a change in condition of the external world has been detected; and determining that a change has been made to an access policy.
While the present invention is described herein with reference to example embodiments for controlling access to data using data redaction based upon access policies associated with the requestor, the present invention is not so limited, and in fact, the access control techniques provided by embodiments of the present invention are broadly applicable to a wide variety of situations in which control over information dissemination is desirable. By way of example, and not intended to be limiting, various embodiments can provide: less personal information about juvenile offenders than adults; less detailed information about each trade when market trading volume increases; more detailed weather information when the weather is hazardous to travel; more special product offerings to members having premium status with shopping clubs than regular members; more detailed criminal record information for suspected felons than for individuals with less serious infractions in their criminal record; and so forth. As used herein, the term service is intended to be broadly construed to include any application, program or process resident on one or more computing devices capable of providing services to a requestor or other recipient, including without limitation network based applications, web based server resident applications, web portals, search engines, photographic, audio or video information storage applications, e-Commerce applications, backup or other storage applications, sales/revenue planning, marketing, forecasting, accounting, inventory management applications and other business applications and other contemplated computer implemented services. The term result set is intended to be broadly construed to include any result provided by one or more services. Result sets may include multiple entries into a single document, file, communication or other data construct. As used herein, the term view is intended to be broadly construed to include any mechanism that provides a presentation of data and/or services in a format suited for a particular application, service, client or process. The presentation may be virtualized, filtered, molded, or shaped. For example, data returned by services to a particular application (or other service acting as a requestor or client) can be mapped to a view associated with that application (or service). Embodiments can provide multiple views of available services to enable organizations to compartmentalize or streamline access to services, increasing the security of the organization's IT infrastructure.
Access policies (or "authorization policies", "security policies" or "policies") dynamically identify resources (e.g., J2EE resources, an XML document, a section of an XML document, services, information returned by services, etc.) for which access is controlled, entities allowed to access each resource, and constraints that apply to each requestor or group of requestors that attempt to access the resource. A policy can be based on role(s) such that it determines which role(s) are permitted to access a resource under certain conditions. (In various embodiments, roles can be defined to dynamically associate users and/or groups of users based on some criteria. For example, a system administrator role might include all users having a certain skill level and only during certain times of day (e.g., after 5:00 pm)).
In one embodiment, a policy can be specified as follows (wherein items in square brackets indicate alternatives; italic font indicates optional items):
[GRANT, DENY] (action, resource, subject) IF (constraint condition)1 ... IF (constraint condition) N; where:
• GRANT permits a specified action. DENY revokes it;
• Action is the name of a resource or resource attribute to grant or deny access to;
• Resource is the name of the resource that this policy will be associated with; • Subject is the name of one or more users, groups and/or roles that are granted/denied the action. A special subject called any denotes that any user, group and role is potentially a subject; and
• IF (constraint condition) is one or more optional conditions placed on the action. Conditions can include one or more arithmetic and logical functions and expressions involving attributes of resources or other entities in the system, such as requestor attributes, group membership, dynamic attributes (e.g., time, date, location), and other suitable information.
FIGS. 1A - 1 B are functional block diagrams illustrating an example computing environment in which techniques for data redaction may be implemented in one embodiment. As shown in FIG. 1A, a liquid data framework 104 is used to provide a mechanism by which a set of applications, or application portals 94, 96, 98, 100 and 102, can integrate with, or otherwise access in a tightly couple manner, a plurality of services. Such services may include a Materials Requirements and Planning (MRP) system 112, a purchasing system 114, a third-party relational database system 116, a sales forecast system 118 and a variety of other data-related services 120. Although not shown in FIG. 1A for clarity, in one embodiment, one or more of the services may interact with one or more other services through the liquid data framework 104 as well.
Internally, the liquid data framework 104 employs a liquid data integration engine 110 to process requests from the set of portals to the services. The liquid data integration engine 110 allows access to a wide variety of services, including data storage services, server-based or peer-based applications, Web services and other services capable of being delivered by one or more computational devices are contemplated in various embodiments. A services model 108 provides a structured view of the available services to the application portals 94, 96, 98, 100 and 102. In one embodiment, the services model 108 provides a plurality of views 106 that may be filtered, molded, or shaped views of data and/or services into a format specifically suited for each portal application 94, 96, 98, 100 and 102. In one embodiment, data returned by services to a particular application (or other service acting as a requestor or client) is mapped to the view 106 associated with that application (or service) by liquid data framework 104. Embodiments providing multiple views of available services can enable organizations to compartmentalize or streamline access to services, thereby increasing the security of the organization's IT infrastructure. In one embodiment, services model 108 may be stored in a repository 122 of service models. Embodiments providing multiple services models can enable organizations to increase the flexibility in changing or adapting the organization's IT infrastructure by lessening dependence on service implementations.
FIG. 1 B is a high level schematic of a liquid data integration engine 110 illustrated in FIG. 1A with reference to one example embodiment. As shown in FIG. 1 B, the liquid data integration engine 110 includes an interface processing layer 140, a query compilation layer 150 and a query execution layer 160. The interface layer 140 includes a request processor 142, which takes the request 10 and processes this request into an XML query 50. Interface layer 140 also includes access control mechanism 144, which determines based upon a plurality of policies 20 whether the client, portal application, service or other process making the request 10 is authorized to access the resources and services required to satisfy the request. Provided that the client, application, service or other process is authorized to make the request 10, the interface layer sends the XML query 50 to the query compilation layer 150. Within the query compilation layer 150, a query parsing and analysis mechanism
152 receives the query 50 from the client applications, parses the query and sends the results of the parsing to a query rewrite optimizer 154. The query rewrite optimizer 154 determines whether the query can be rewritten in order to improve performance of servicing the query based upon one or more of execution time, resource use, efficiency or other performance criteria. The query rewrite optimizer 154 may rewrite or reformat the query based upon input from one or more of a source description 40 and a function description 30 if it is determined that performance may be enhanced by doing so. A runtime query plan generator 156 generates a query plan for the query provided by the query rewrite optimizer 154 based upon input from one or more of the source description 40 and the function description 30.
The query compilation layer 150 passes the query plan output from the runtime query plan generator 156 to a runtime query engine 162 in the query execution layer 160. The runtime query engine 162 is coupled with one or more functions 70 that may be used in conjunction with formulating queries and fetch requests to sources 52, which are passed on to the appropriate service(s). The service responds to the queries and fetch requests 52 with results from sources 54. The runtime query engine 162 of the query execution layer 160 translates the results into a format usable by the client or portal application, such as without limitation XML, in order to form the XML query results 56.
Before responses or results 56 are passed back to the client or portal application making the request, a query result filter 170 in the interface layer 140 determines based upon filter parameters 90 what portion of the results will be passed back to the client or portal application, forming a filtered query response 58. Although not shown in FIG. 1B for clarity, filter parameters 90 may accompany service request 10 in one embodiment. Further, query result filter 170 also determines based upon access policies implementing security levels 80 what portions of the filtered query response 58 a requestor is permitted to access and may redact the filtered query response accordingly. Although not shown in FIG. 1 B for clarity, access policies implementing security levels 80 may be stored with policies 20 in one embodiment. Techniques for providing a requestor with only that portion of the information that the requestor is permitted access based upon a policy implemented by query result filter 170 will be described below in greater detail with reference to FIGS. 2A - 2E. When properly formed, the response is returned to the calling client or portal application.
FIG. 2A is an operational flow diagram illustrating a high level overview of a technique for securing access to data of one embodiment of the present invention. The technique for securing access to data shown in FIG. 2A is operable with an application sending data, such as Materials Requirements and Planning (MRP) system 112, an purchasing system 114, a third-party relational database system 116, sales forecast system 118, or a variety of other data-related services 120 of FIG. 1A, for example. As shown in FIG. 2A, at least one service is accessed on behalf of a requestor (block 202). A result set is received from one or more services (block 204). Only that portion of the result set that the requestor is permitted to access is provided to the requestor (block 206). Liquid data framework 104 can map the portion of the result set provided to the requestor to a view associated with the requestor. In one embodiment, the method illustrated by blocks 202 - 206 may be advantageously disposed in the interface processing layer 140, query compilation layer 150 and query execution layer 160 of FIG. 1 B.
FIG. 2B is an operational flow diagram illustrating a high level overview of a technique for receiving data under a secured environment of one embodiment of the present invention. The technique for receiving data under a secured environment shown in FIG. 2B is operable with an application sending data, such as applications 94, 96, 98, 100 and 102 of FIG. 1A, for example or a service, such as Materials Requirements and Planning (MRP) system 112, an purchasing system 114, a third-party relational database system 116, sales forecast system 118, or a variety of other data-related services 120 of FIG. 1A. As shown in FIG. 2B, a request to access one or more services is sent to a server (block 212). A portion of a result set of the service(s) is received (block 214) from the server. The server has prepared the portion of the result set of the service(s) according to the server's determination of a subset of the result set that is permitted to be provided responsive to the request. FIG. 2C is an operational flow diagram of an example redaction based technique for securing data, which may be used in conjunction with the technique illustrated in FIG. 2A. As shown in FIG. 2C, whether the requestor has a policy has a policy associated with it that permits access to all of the result set is determined (block 222). If not, then the result set received from the service is redacted in accordance with access policies associated with the requestor (block 224). In any event, the result set is then provided in accordance with the access policies associated with the requestor (block 226).
FIG. 2D is an operational flow diagram illustrating a high level overview of a technique for controlling access to data of one embodiment of the present invention. The technique for controlling access to data shown in FIG. 2D is operable with an application sending data, such as Materials Requirements and Planning (MRP) system 112, an purchasing system 114, a third-party relational database system 116, sales forecast system 118, or a variety of other data-related services 120 of FIG. 1A, for example. As shown in FIG. 2D, at least one service is accessed on behalf of a requestor (block 232). A result set is received from the at least one service (block 234). A determination that an access policy has been changed is received (block 236). A subset of the result set, which the requestor is permitted to access, is determined (block 238) based at least in part on the now current access policy. In one embodiment, determining that an access policy has been changed to a now current access policy can include one or more of determining that an externa! security level 80 has changed; and determining that a change has been made to an access policy 20. The method illustrated by blocks 232 - 238 may be advantageously disposed in the interface processing layer 140, query compilation layer 150 and query execution layer 160 of FIG. 1 B.
FlG. 2E is an operational flow diagram illustrating a high level overview of a technique for receiving data under a controlled environment of one embodiment of the present invention. The technique for receiving data under a secured environment shown in FIG. 2E is operable with an application sending data, such as applications application 94, 96, 98, 100 and 102 of FIG. 1A, for example or a service, such as Materials Requirements and Planning (MRP) system 112, an purchasing system 114, a third-party relational database system 116, sales forecast system 118, or a variety of other data-related services 120 of FIG. 1A. As shown in FIG. 2E, a request to access a service is sent to a server (block 242). A portion of a result set of the service is received (block 244) from the server. The server has prepared the portion of the result set of the service according to the server's determination, based at least in part on a now current access policy, a subset of the result set which is permitted to be provided responsive to the request.
Some of the features and benefits of the present invention will be illustrated with reference to FIGS. 3A - 3B, which are operational flow diagrams illustrating some example embodiments implementing example applications. FIGS. 4A - 4B are diagrams illustrating example service output data corresponding to the examples illustrated in FIGS. 3A - 3B. The reader will appreciate that these examples are for illustrative purposes only and not intended to be limiting.
In a first example, an embodiment employing processing illustrated by FIG. 3A controls access to information based upon a policy by comparing a security level associated with the information and a requestor's permitted access. When used in conjunction with example service output information illustrated by FIG. 4A, which is the input to the processing of FIG. 3A, the embodiment illustrated by FIG. 3A enables access to more sensitive information about suspected violators to be restricted to requestors granted greater authority by access policies. As shown in FIG. 3A, data is accessed from the result set received from one or more services (block 302). If the security level associated with the data is greater than the requestor's permitted access (block 304), then the data is redacted (block 306) from the result set. Otherwise, the data remains in the result set. If more data is to be processed (block 308), more data is accessed (block 302).
In the example service output data illustrated by FIG. 4A, the result set 400a output by a service includes an indication of security level 402. The security level indication 402 indicates that the information following the indicator is accessible to a requestor having access under a policy that includes at least "green" level information. As shown in FIG. 4A, result set 400a includes data for various suspects, including data corresponding to a first suspect, "John Doe." The data for the first suspect includes information about the suspect beginning with a name and address 404. Since the security level was set to "green" by security level indication 402, the suspect name and address 404 are accessible to requestors permitted by an access policy to access at least "green" level information. A conviction record 406 is also available to requestors permitted access to at least "green" level by an access policy.
A second security level indication 408 indicates that subsequent information requires an access policy permitting access to at least "yellow". Thus, the arrests data 410 requires requestors to be permitted by access policies to access at least "yellow" level information in order to view this information. A third security level indication 412 indicates that subsequent information requires an access policy permitting access to at least "red", requiring even further permission to access the juvenile record data block 414. A fourth security level indication 416 returns the security level back to "green". Thus, information that is restricted by court order and information that is highly prejudicial to a suspect may be included in the same document 400a with information suitable for general access. In this manner, access policies permitting greater access permissions may be required in order to view more sensitive information even though the information is included in the same document 400a in the illustrated embodiment. While colors are used as indicators to demonstrate the functioning of this embodiment, the present invention is not limited to using colors as security level indicators.
Turning again to FIG. 3A, the security level associated with each data 404, 406, 410 and 414 is compared to the requestor's permitted access policy security level (block 304), and redacted (block 306) from the result set if the requestor does not have sufficient access for that particular data. Accordingly, in the foregoing example, as the requestor's access level increases, the amount of information available to the requestor also increases. In the next example, a reduction in the amount of information available to the requestor as market activity increases is effected using policies keyed to market activity.
In a second example, an embodiment employing processing illustrated by FIG. 3B controls access to information based upon a policy by comparing a market activity level associated with the information and a present market activity. When used in conjunction with example service output information illustrated by FIG. 4B, which is the input to the processing of FIG. 3B, the embodiment illustrated by FIG. 3B enables access to less information about a stock to as the trading activity level of the market increases. As shown in FIG. 3B, data is accessed from the result set received from one or more services (block 312). If the present market activity level is less than or equal to the market activity level associated with the data (block 314), then no further action is taken and the data remains in the result set. Otherwise, the data is redacted (block 316) from the result set. If more data is to be processed (block 318), then more data is accessed (block 312).
In the example output data illustrated by FIG. 4B, the result set 400b includes an indication of market activity level 422. The market activity level 422 indicates that the information is accessible to any requestor even when the market activity is "high". As shown in FIG. 4B, result set 400b includes data for various stocks, such as data corresponding to a first stock. The data for the first stock includes information about the stock beginning with a name and "ticker" symbol 424. Since the market activity level is set to "high" by market activity level indication 422, the name and symbol 424 are accessible to users even when the market activity level is high. A last trade price 426 is also available to users at any time. A second market activity level indication 428 indicates that subsequent information requires a market activity of at least "med" to be redacted. Thus, the high and low price data block 430 will be shown if the market activity level is less than "med". A third market activity level indication 432 indicates that subsequent information about trading volume is included (i.e., not redacted) if market activity is less than "low", requiring an even slower trading day for the contents of volume data block 434 to be displayed. In this manner, successively greater amounts of information may be omitted when trading volume increases even though the information is included in the same document 400b in the illustrated embodiment.
Turning again to FIG. 3B, the market activity level associated with each data 424, 426, 430 and 434 is compared to the present market activity level (block 314), and redacted (block 316) from the result set if the market activity level equals or exceeds the indicated maximum market activity level for that data. Accordingly, in the foregoing example, as the market's activity level increases, the amount of information available to the requestor decreases. In other aspects, the invention encompasses in some embodiments, computer apparatus, computing systems and machine-readable media configured to carry out the foregoing methods. In addition to an embodiment consisting of specifically designed integrated circuits or other electronics, the present invention may be conveniently implemented using a conventional general purpose or a specialized digital computer or microprocessor programmed according to the teachings of the present disclosure, as will be apparent to those skilled in the computer art.
Appropriate software coding can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent to those skilled in the software art. The invention may also be implemented by the preparation of application specific integrated circuits or by interconnecting an appropriate network of conventional component circuits, as will be readily apparent to those skilled in the art.
The present invention includes a computer program product which is a storage medium (media) having instructions stored thereon/in which can be used to program a computer to perform any of the processes of the present invention. The storage medium can include, but is not limited to, any type of rotating media including floppy disks, optical discs, DVD, CD-ROMs, microdrive, and magneto-optical disks, and magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.
Stored on any one of the computer readable medium (media), the present invention includes software for controlling both the hardware of the general purpose/specialized computer or microprocessor, and for enabling the computer or microprocessor to interact with a human user or other mechanism utilizing the results of the present invention. Such software may include, but is not limited to, device drivers, operating systems, and user applications. Included in the programming (software) of the general/specialized computer or microprocessor are software modules for implementing the teachings of the present invention, including, but not limited to providing mechanisms and methods for securing data as discussed herein.
FIG. 5 illustrates an exemplary processing system 500, which can comprise one or more of the elements of FIGS. 1A and 1B. Turning now to FIG. 5, an exemplary computing system is illustrated that may comprise one or more of the components of FIGS. 1 A and 1 B. While other alternatives might be utilized, it will be presumed for clarity sake that components of the systems of FIGS. 1A and 1 B are implemented in hardware, software or some combination by one or more computing systems consistent therewith, unless otherwise indicated. Computing system 500 comprises components coupled via one or more communication channels (e.g., bus 501 ) including one or more general or special purpose processors 502, such as a Pentium®, Centrino®, Power PC®, digital signal processor ("DSP"), and so on. System 500 components also include one or more input devices 503 (such as a mouse, keyboard, microphone, pen, and so on), and one or more output devices 504, such as a suitable display, speakers, actuators, and so on, in accordance with a particular application. (It will be appreciated that input or output devices can also similarly include more specialized devices or hardware/software device enhancements suitable for use by the mentally or physically challenged.)
System 500 also includes a computer readable storage media reader 505 coupled to a computer readable storage medium 506, such as a storage/memory device or hard or removable storage/memory media; such devices or media are further indicated separately as storage 508 and memory 509, which may include hard disk variants, floppy/compact disk variants, digital versatile disk ("DVD") variants, smart cards, read only memory, random access memory, cache memory, and so on, in accordance with the requirements of a particular application. One or more suitable communication interfaces 507 may also be included, such as a modem, DSL, infrared, RF or other suitable transceiver, and so on for providing inter-device communication directly or via one or more suitable private or public networks or other components that may include but are not limited to those already discussed. Working memory 510 further includes operating system ("OS") 511 elements and other programs 512, such as one or more of application programs, mobile code, data, and so on for implementing system 500 components that might be stored or loaded therein during use. The particular OS or OSs may vary in accordance with a particular device, features or other aspects in accordance with a particular application (e.g. Windows, WindowsCE, Mac, Linux, Unix or Palm OS variants, a cell phone OS, a proprietary OS, Symbian, and so on). Various programming languages or other tools can also be utilized, such as those compatible with C variants (e.g., C++, C#), the Java 2 Platform, Enterprise Edition ("J2EE") or other programming languages in accordance with the requirements of a particular application. Other programs 512 may further, for example, include one or more of activity systems, education managers, education integrators, or interface, security, other synchronization, other browser or groupware code, and so on, including but not limited to those discussed elsewhere herein.
When implemented in software (e.g. as an application program, object, agent, downloadable, servlet, and so on in whole or part), a learning integration system or other component may be communicated transitionally or more persistently from local or remote storage to memory (SRAM, cache memory, etc.) for execution, or another suitable mechanism can be utilized, and components may be implemented in compiled or interpretive form. Input, intermediate or resulting data or functional elements may further reside more transitionally or more persistently in a storage media, cache or other volatile or non-volatile memory, (e.g., storage device 508 or memory 509) in accordance with a particular application. Other features, aspects and objects of the invention can be obtained from a review of the figures and the claims. It is to be understood that other embodiments of the invention can be developed and fall within the spirit and scope of the invention and claims. The foregoing description of preferred embodiments of the present invention has been provided for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations will be apparent to the practitioner skilled in the art. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, thereby enabling others skilled in the art to understand the invention for various embodiments and with various modifications that are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalence.

Claims

In the Claims:
1. A method for securing access to data, the method comprising: accessing at least one service on behalf of a requestor; receiving a result set including results from accessing the at least one service; and providing to the requestor only that portion of the result set that the requestor is permitted to access; wherein the portion of the result set provided to the requestor is mapped to a view of the data associated with the requestor.
2. The method of claim 1 , further comprising: determining that an access policy has been changed to a now current access policy; and determining, based at least in part on the now current access policy, a subset of the result set which the requestor is permitted to access.
3. The method of claim 2, wherein determining, based at least in part on the now current access policy, a subset of the result set which the requestor is permitted to access further comprises: determining that the requestor is to be given a larger portion of the result set as a result of an increase in security.
4. The method of claim 2, wherein determining, based at least in part on the now current access policy, a subset of the result set which the requestor is permitted to access further comprises: determining that the requestor is to be given a smaller portion of the result set as a result of an increase in security.
5. The method of claim 2, wherein determining, based at least in part on the now current access policy, a subset of the result set which the requestor is permitted to access further comprises: determining that the requestor is to be given a smaller portion of the result set as a result of a reduction in security.
6. The method of claim 2, wherein determining, based at least in part on the now current access policy, a subset of the result set which the requestor is permitted to access further comprises: determining that the requestor is to be given a larger portion of the result set as a result of a reduction in security.
7. The method of claim 2, further comprising: receiving, from the requestor, a request to access a service.
8. The method of claim 2, wherein determining that an access policy has been changed to a now current access policy further comprises at least one of: determining that an external security level as changed; and determining that a change has been made to an access policy.
9. The method of claim 1 , wherein providing to the requestor only that portion of the result set that the requestor is permitted to access further comprises: redacting the result set according to access policies if the requestor is permitted by the access policies to access only a portion of the result set.
10. The method of claim 1 , wherein providing to the requestor only that portion of the result set that the requestor is permitted to access further comprises: providing the result set according to access policies if the requestor is permitted by the access policies to access only a portion of the result set.
11. The method of claim 1 , wherein providing to the requestor only that portion of the result set that the requestor is permitted to access further comprises: providing an empty result set according to access policies if the requestor is not permitted by the access policies to access any of the result set.
12. The method of claim 1 , wherein accessing a service on behalf of a requestor further comprises: accessing the at least one service according to a request received from the requestor.
13. The method of claim 1 , further comprising: determining whether the requestor is making an authorized request to access the at least one service.
14. The method of claim 1 , further comprising: determining whether the requestor is making an authorized request to access datasets that the at least one service accesses.
15. The method of claim 1 , wherein service includes at least one of a network based application, a web server resident application, a web portal, a search engine, a photographic, audio or video information storage application, an e-Commerce application, a backup application, a storage application, a sales/revenue planning, marketing, forecasting, accounting, inventory management application.
16. A computer-readable medium carrying one or more sequences of instructions for securing access to data, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps recited by claims 1 - 15.
17. An apparatus for securing access to data, the apparatus comprising: a processor; and one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of: accessing at least one service on behalf of a requestor; receiving a result set including results from accessing the at least one service; and providing to the requestor only that portion of the result set that the requestor is permitted to access; wherein the portion of the result set provided to the requestor is mapped to a view of the data associated with the requestor.
PCT/US2006/010451 2005-03-28 2006-03-23 Security policy driven data redaction Ceased WO2006104810A2 (en)

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
US66569605P 2005-03-28 2005-03-28
US66566705P 2005-03-28 2005-03-28
US60/665,696 2005-03-28
US60/665,667 2005-03-28
US11/341,836 US8086615B2 (en) 2005-03-28 2006-01-27 Security data redaction
US11/341,236 US20060218149A1 (en) 2005-03-28 2006-01-27 Data redaction policies
US11/341,836 2006-01-27
US11/341,236 2006-01-27

Publications (2)

Publication Number Publication Date
WO2006104810A2 true WO2006104810A2 (en) 2006-10-05
WO2006104810A3 WO2006104810A3 (en) 2007-12-13

Family

ID=37053913

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/010451 Ceased WO2006104810A2 (en) 2005-03-28 2006-03-23 Security policy driven data redaction

Country Status (1)

Country Link
WO (1) WO2006104810A2 (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008040800A3 (en) * 2006-10-06 2009-03-19 Ibm System and method for selecting records from a list with privacy protections
FR2939932A1 (en) * 2008-12-11 2010-06-18 Oberthur Technologies Handheld electronic entity e.g. non-volatile memory card, for use in e.g. personal computer, has authorizing or prohibiting unit authorizing or prohibiting access of station to function in response to analysis of received information
WO2010097118A1 (en) * 2009-02-27 2010-09-02 Nec Europe Ltd. Controlled discovery of grid services based on the semantic annotation of access control policies using ontologies and semantic rules
US7913167B2 (en) * 2007-12-19 2011-03-22 Microsoft Corporation Selective document redaction
WO2011032833A1 (en) * 2009-09-15 2011-03-24 International Business Machines Corporation Search engine with privacy protection
WO2013091807A1 (en) * 2011-12-22 2013-06-27 Roche Diagnostics Gmbh Customer support account with restricted patient data access
US8719945B2 (en) 2011-12-22 2014-05-06 Roche Diagnostics Operations, Inc. Customer error screen capture
WO2014098662A1 (en) * 2012-12-19 2014-06-26 Telefonaktiebolaget L M Ericsson (Publ) Exposing data to query generating applications using usage profiles
EP2819058A1 (en) * 2013-06-27 2014-12-31 Siemens Aktiengesellschaft Accessing data of a database in a MES system
US9195853B2 (en) 2012-01-15 2015-11-24 International Business Machines Corporation Automated document redaction
EP3001347A1 (en) * 2014-09-29 2016-03-30 Wipro Limited Systems and methods for providing recommendations to obfuscate an entity context
US20160246994A1 (en) * 2015-02-19 2016-08-25 Fujitsu Limited Information collection apparatus and method
US9490976B2 (en) 2014-09-29 2016-11-08 Wipro Limited Systems and methods for providing recommendations to obfuscate an entity context
US9600134B2 (en) 2009-12-29 2017-03-21 International Business Machines Corporation Selecting portions of computer-accessible documents for post-selection processing
US20170185085A1 (en) * 2015-12-23 2017-06-29 Lior Storfer Navigating semi-autonomous mobile robots
US9870484B2 (en) * 2015-01-30 2018-01-16 Konica Minolta Laboratory U.S.A., Inc. Document redaction
US9892278B2 (en) 2012-11-14 2018-02-13 International Business Machines Corporation Focused personal identifying information redaction
EP3373184A1 (en) * 2017-03-08 2018-09-12 BlackBerry Limited Indirect indications for applying display privacy filters
US10169599B2 (en) 2009-08-26 2019-01-01 International Business Machines Corporation Data access control with flexible data disclosure

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040153451A1 (en) * 2002-11-15 2004-08-05 John Phillips Methods and systems for sharing data

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008040800A3 (en) * 2006-10-06 2009-03-19 Ibm System and method for selecting records from a list with privacy protections
US7644068B2 (en) 2006-10-06 2010-01-05 International Business Machines Corporation Selecting records from a list with privacy protections
US7913167B2 (en) * 2007-12-19 2011-03-22 Microsoft Corporation Selective document redaction
FR2939932A1 (en) * 2008-12-11 2010-06-18 Oberthur Technologies Handheld electronic entity e.g. non-volatile memory card, for use in e.g. personal computer, has authorizing or prohibiting unit authorizing or prohibiting access of station to function in response to analysis of received information
WO2010097118A1 (en) * 2009-02-27 2010-09-02 Nec Europe Ltd. Controlled discovery of grid services based on the semantic annotation of access control policies using ontologies and semantic rules
US10169599B2 (en) 2009-08-26 2019-01-01 International Business Machines Corporation Data access control with flexible data disclosure
US9224007B2 (en) 2009-09-15 2015-12-29 International Business Machines Corporation Search engine with privacy protection
WO2011032833A1 (en) * 2009-09-15 2011-03-24 International Business Machines Corporation Search engine with privacy protection
US10454932B2 (en) 2009-09-15 2019-10-22 International Business Machines Corporation Search engine with privacy protection
US9886159B2 (en) 2009-12-29 2018-02-06 International Business Machines Corporation Selecting portions of computer-accessible documents for post-selection processing
US9600134B2 (en) 2009-12-29 2017-03-21 International Business Machines Corporation Selecting portions of computer-accessible documents for post-selection processing
WO2013091807A1 (en) * 2011-12-22 2013-06-27 Roche Diagnostics Gmbh Customer support account with restricted patient data access
US8819849B2 (en) 2011-12-22 2014-08-26 Roche Diagnostics Operations, Inc. Customer support account with restricted patient data access
US8719945B2 (en) 2011-12-22 2014-05-06 Roche Diagnostics Operations, Inc. Customer error screen capture
US9195853B2 (en) 2012-01-15 2015-11-24 International Business Machines Corporation Automated document redaction
US9904798B2 (en) 2012-11-14 2018-02-27 International Business Machines Corporation Focused personal identifying information redaction
US9892278B2 (en) 2012-11-14 2018-02-13 International Business Machines Corporation Focused personal identifying information redaction
WO2014098662A1 (en) * 2012-12-19 2014-06-26 Telefonaktiebolaget L M Ericsson (Publ) Exposing data to query generating applications using usage profiles
US10140347B2 (en) 2012-12-19 2018-11-27 Telefonaktiebolaget L M Ericsson ( Publ) Exposing data to query generating applications using usage profiles
US9916467B2 (en) 2013-06-27 2018-03-13 Siemens Aktiengesellschaft Method, system and computer product for accessing data of a database in a MES system
EP2819058A1 (en) * 2013-06-27 2014-12-31 Siemens Aktiengesellschaft Accessing data of a database in a MES system
EP3001347A1 (en) * 2014-09-29 2016-03-30 Wipro Limited Systems and methods for providing recommendations to obfuscate an entity context
US9490976B2 (en) 2014-09-29 2016-11-08 Wipro Limited Systems and methods for providing recommendations to obfuscate an entity context
US9870484B2 (en) * 2015-01-30 2018-01-16 Konica Minolta Laboratory U.S.A., Inc. Document redaction
US20160246994A1 (en) * 2015-02-19 2016-08-25 Fujitsu Limited Information collection apparatus and method
US20170185085A1 (en) * 2015-12-23 2017-06-29 Lior Storfer Navigating semi-autonomous mobile robots
US9740207B2 (en) * 2015-12-23 2017-08-22 Intel Corporation Navigating semi-autonomous mobile robots
US10642274B2 (en) 2015-12-23 2020-05-05 Intel Corporation Navigating semi-autonomous mobile robots
US11940797B2 (en) 2015-12-23 2024-03-26 Intel Corporation Navigating semi-autonomous mobile robots
EP3373184A1 (en) * 2017-03-08 2018-09-12 BlackBerry Limited Indirect indications for applying display privacy filters
CN108573166A (en) * 2017-03-08 2018-09-25 黑莓有限公司 Using the indirect instruction of display privacy filter
US10387675B2 (en) 2017-03-08 2019-08-20 Blackberry Limited Indirect indications for applying display privacy filters

Also Published As

Publication number Publication date
WO2006104810A3 (en) 2007-12-13

Similar Documents

Publication Publication Date Title
US8086615B2 (en) Security data redaction
US20060218149A1 (en) Data redaction policies
WO2006104810A2 (en) Security policy driven data redaction
US7748027B2 (en) System and method for dynamic data redaction
Ni et al. Privacy-aware role-based access control
EP2502144B1 (en) Controlling resource access based on resource properties
EP1593024B1 (en) System and method for hierarchical role-based entitlements
US9455990B2 (en) System and method for role based access control in a content management system
US7383263B2 (en) Controlling access to electronic documents
Pan et al. Semantic access control for information interoperation
US20070266006A1 (en) System and method for enforcing role membership removal requirements
WO2003015342A1 (en) Dynamic rules-based secure data access system for business computer platforms
AU2022341301A1 (en) Data management and governance systems and methods
Ni et al. Privacy-aware role-based access control
US20090012987A1 (en) Method and system for delivering role-appropriate policies
US20060259977A1 (en) System and method for data redaction client
US7774601B2 (en) Method for delegated administration
Park Usage control: A unified framework for next generation access control
US20060224628A1 (en) Modeling for data services
US8732847B2 (en) Access control model of function privileges for enterprise-wide applications
US7778998B2 (en) Liquid data services
WO2015005765A2 (en) Security model switching for database management system
Warner et al. A citizen privacy protection model for e-government mashup services
US20060224556A1 (en) SQL interface for services
Decker Requirements for a location-based access control model

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 06748563

Country of ref document: EP

Kind code of ref document: A2