US20110137947A1 - Dynamic access control for documents in electronic communications within a cloud computing environment - Google Patents
- Publication number
- US20110137947A1 (application US12/630,121)
- Authority
- US
- United States
- Prior art keywords
- document
- access control
- electronic communication
- electronic
- control list
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/07—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail characterised by the inclusion of specific contents
- H04L51/18—Commands or executable codes
- H04L51/21—Monitoring or handling of messages
- H04L51/214—Monitoring or handling of messages using selective forwarding
- H04L51/06—Message adaptation to terminal or network requirements
- H04L51/066—Format adaptation, e.g. format conversion or compression
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Definitions
- the present invention generally relates to access control. Specifically, the present invention relates to dynamic access control for documents in electronic communications (e.g., email) within a Cloud computing environment.
- the present invention provides a solution to manage and control document transmission and electronic communication. Specifically, the present invention solves the problem of having control over data (documents, image files, and attachments, hereafter referenced as “documents”) that are associated with multiple types of data communication. Along these lines, the present invention provides a hub and spoke communication model in order to achieve multiple benefits in terms of effectiveness, efficiency, flexibility, and control. This type of granular control is critical for information sharing within a Cloud computing environment. This approach is also useful for collaboration tools and can be augmented by the creation and management of access control lists for the hub-spoke system. To this extent, the present invention solves the problem of automatically updating access control lists (ACLs) as documents are forwarded or otherwise communicated between multiple people. These ACLs are kept up to date through the analysis of to whom (and where) a document has been sent.
- a first aspect of the present invention provides a method for providing dynamic access control to documents in electronic communications within a Cloud computing environment, comprising: receiving an electronic communication within the Cloud computing environment, the electronic communication having a document; removing the document from the electronic communication; storing the document in a document database; generating an access control list for the document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication; and controlling access to the document in the document database based upon the access control list.
- a second aspect of the present invention provides a Cloud computer system for providing dynamic access control to documents in electronic communications, comprising: a memory medium comprising instructions; a bus coupled to the memory medium; and a processor coupled to the bus that when executing the instructions causes the Cloud computer system to: receive an electronic communication within the Cloud computing environment, the electronic communication having a document; remove the document from the electronic communication; store the document in a document database; generate an access control list for the document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication; and control access to the document in the document database based upon the access control list.
- a third aspect of the present invention provides a computer readable medium comprising: a program for providing dynamic access control to documents in electronic communications within a Cloud computing environment, the computer readable medium comprising program code for causing a Cloud computer system to: receive an electronic communication within the Cloud computing environment, the electronic communication having a document; remove the document from the electronic communication; store the document in a document database; generate an access control list for the document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication; and control access to the document in the document database based upon the access control list.
- a fourth aspect of the present invention provides a method for deploying a Cloud service for providing dynamic access control to documents in electronic communications within a Cloud computing environment, comprising: providing a Cloud computer infrastructure being operable to: receive an electronic communication within the Cloud computing environment, the electronic communication having a document; remove the document from the electronic communication; store the document in a document database; generate an access control list for the document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication; and control access to the document in the document database based upon the access control list.
- FIG. 1 shows a Cloud system node according to the present invention.
- FIG. 2 shows a Cloud computing environment according to the present invention.
- FIG. 3 shows Cloud abstraction model layers according to the present invention.
- FIG. 4 shows an illustrative architectural diagram according to the present invention.
- FIG. 5 shows a flow diagram of a method according to the present invention.
- Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
- This cloud model promotes availability and comprises at least five characteristics, at least three service models, and at least four deployment models.
- On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
- Capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
- Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
- Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
- Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
- Software as a Service (SaaS)
- the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure.
- the applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail).
- the consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Platform as a Service (PaaS)
- the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.
- the consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
- Infrastructure as a Service (IaaS)
- the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
- the consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
- Private cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.
- Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
- Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
- a cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.
- the present invention provides a solution to manage and control document transmission and electronic communication. Specifically, the present invention solves the problem of having control over data (documents, image files, and attachments, hereafter referenced as “Documents”) that are associated with multiple types of data communication.
- the present invention provides a hub and spoke communication model in order to achieve multiple benefits in terms of effectiveness, efficiency, flexibility, and control.
- This type of granular control is critical for information sharing within a Cloud computing environment.
- This approach is also useful for collaboration tools and can be augmented by the creation and management of access control lists (ACL) for the hub-spoke system.
- the present invention solves the problem of automatically updating ACLs as documents are forwarded or otherwise communicated between multiple people. These ACLs are kept up to date through the analysis of to whom (and where) a document has been sent.
- Cloud computing node 10 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of the invention described herein. Regardless, cloud computing node 10 is capable of being implemented and/or performing any of the functions set forth in section I above.
- In cloud computing node 10 there is a computer system/server 12, which is operational with numerous other general purpose or special purpose computing system environments or configurations.
- Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with computer system/server 12 include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems or devices, and the like.
- Computer system/server 12 may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system.
- program modules include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types.
- the exemplary computer system/server 12 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network.
- program modules may be located in both local and remote computer system storage media including memory storage devices.
- computer system/server 12 in cloud computing node 10 is shown in the form of a general-purpose computing device.
- the components of computer system/server 12 may include, but are not limited to, one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including system memory 28 to processor 16.
- Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
- bus architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnects (PCI) bus.
- Computer system/server 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 12, and it includes both volatile and non-volatile media, removable and non-removable media.
- System memory 28 can include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache memory 32.
- Computer system/server 12 may further include other removable/non-removable, volatile/non-volatile computer system storage media.
- a hard disk drive 34 can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”).
- memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of the invention.
- Program/utility 40 having a set (at least one) of program modules 42 may be stored in memory 28 by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data. Each of the operating system, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment.
- Program modules 42 generally carry out the functions and/or methodologies of the invention as described herein.
- Computer system/server 12 may also communicate with one or more external devices 14 such as a keyboard, a pointing device, a display 24, etc.; one or more devices that enable a user to interact with computer system/server 12; and/or any devices (e.g., network card, modem, etc.) that enable computer system/server 12 to communicate with one or more other computing devices. Such communication can occur via I/O interfaces 22. Still yet, computer system/server 12 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter 20. As depicted, network adapter 20 communicates with the other components of computer system/server 12 via bus 18.
- cloud computing environment 50 comprises one or more cloud computing nodes 10 with which computing devices such as, for example, personal digital assistant (PDA) or cellular telephone 54A, desktop computer 54B, laptop computer 54C, and/or automobile computer system 54N communicate.
- This allows for infrastructure, platforms and/or software to be offered as services (as described above in Section I) from cloud computing environment 50 so as to not require each client to separately maintain such resources.
- the types of computing devices 54A-N shown in FIG. 2 are intended to be illustrative only, and cloud computing environment 50 can communicate with any type of computerized device over any type of network and/or network-addressable connection (e.g., using a web browser).
- Referring now to FIG. 3, a set of functional abstraction layers provided by cloud computing environment 50 (FIG. 2) is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 3 are intended to be illustrative only and the invention is not limited thereto. As depicted, the following layers and corresponding functions are provided:
- Hardware and software layer 60 includes hardware and software components.
- hardware components include mainframes, in one example IBM® zSeries® systems; RISC (Reduced Instruction Set Computer) architecture based servers, in one example IBM pSeries® systems; IBM xSeries® systems; IBM BladeCenter® systems; storage devices; networks and networking components.
- software components include network application server software, in one example IBM WebSphere® application server software; and database software, in one example IBM DB2® database software.
- IBM, zSeries, pSeries, xSeries, BladeCenter, WebSphere, and DB2 are trademarks of International Business Machines Corporation in the United States, other countries, or both.
- Virtualization layer 62 provides an abstraction layer from which the following exemplary virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications; and virtual clients.
- Management layer 64 provides the exemplary functions described below.
- Resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment.
- Metering and Pricing provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may comprise application software licenses.
- Security provides identity verification for users and tasks, as well as protection for data and other resources.
- User portal provides access to the cloud computing environment for both users and system administrators.
- Service level management provides cloud computing resource allocation and management such that required service levels are met.
- Service Level Agreement (SLA) planning and fulfillment provides pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.
- Workloads layer 66 provides functionality for which the cloud computing environment is utilized. Examples of workloads and functions which may be provided from this layer include: mapping and navigation; software development and lifecycle management; virtual classroom education delivery; data analytics processing; transaction processing; and dynamic access control.
- dynamic access control functionality of workloads layer 66 implements the functions of the present invention as discussed herein in conjunction with FIGS. 4-5.
- the present invention provides a system that extracts documents from peer to peer (one-to-one or one-to-many) communication mediums (such as Cloud computing), and stores the documents in a centralized and widely accessible electronic repository.
- This invention may replace the document with a link to that centralized document store, send that link to both the originator/sender and recipient and, most importantly, create an access control list to the now secured document that is based on the addresses of the recipients and originator/sender to ensure a proper means of authorization for the message and/or attached document.
- the originator/sender then has the capability to manage the access control list for the document—no matter where the document has been sent to.
- Recipients may authenticate to the store using their address (or any other unique identifier, such as a private key, passcode, etc.).
- the central repository would automatically generate a password that would be sent as a separate communication. Users who are authenticated to the document store would have central access to all documents that are sent to them.
- the process enables central repositories of documents to be created to improve revision control and retention.
- This invention may be implemented through the use of an agent or other code that performs automatic ACL updates and document to metadata conversion.
- a service is created which provides database management functionality (entry creation, deletion, and editing) and access control management functionality, including creation of user IDs, user and password verification, and password management (creation, reset, and change).
- An agent intercepts communications and removes documents from the communication, replacing them with a pointer to an entry in the service.
- An electronic mail is sent containing a document.
- the server agent processes the electronic mail and creates an entry on the service with an access control list based on the recipients and originator/sender. The agent then removes each document and replaces it in the message with a hyperlink to the associated entry in the service.
- the mail size is reduced by removing any attachments, and network traffic outside of the client/server communication is reduced because the document is stored in a central repository.
- the originator/sender of the document has control over recipients of the document in order to provide authentication and authorization services offered by the ACL.
- This invention results in a more efficient and effective use of storage and bandwidth and in increased document security; the document can be dynamically changed by the owner, and recipients of the document have access to the most recent version.
- the processing engine is shifted to the server agent to provide the necessary control of the document.
- when the electronic mail is forwarded, the agent determines that it contains a pointer to an entry in the service and automatically updates the access control list of the entry to include the recipient of the forwarded electronic mail.
- the additions to the access control list of the entry are manageable by the owner of the entry and the originator/sender of this electronic mail.
- Mail size is reduced and network traffic is reduced; the owner of the entry may monitor to whom the document has been sent; and the originator/sender of the forwarded email can manage subsequent access to the document for the subset of users to whom it was forwarded.
- the document need not be stored locally, and network bandwidth may be saved because only recipients with a need to view the material access the entry.
- the access control lists of the document may enable the owner of the entry to determine who has access based on the access control lists. Version control of the document would remain current through the use of a central repository.
- the owner of the entry is able to edit the contents of the entry.
- the database may store a change history of the document changes in the entry based on a unique identifier, enabling the most recent version of the document to be available to those in the access control list.
- through the access control list and effective time-stamping, users may still be able to view previous versions (referred to in specific communications) of the document.
- the server agent may be able to create additional copies of the file based on the unique identifier. This may allow additional users to make changes to the original file and based on a certain set of parameters that the original file was sent under. Based on certain criteria, the original file may be restricted for editing or modification based on how closely the file resembles its original contents. Once the file has been updated or edited in any way, the server agent can then send out another electronic message to all of the recipients notifying them of the new change.
- server agent may insert a piece of metadata into the file or file name to readily identify the changes and enforce version control of the file. This may allow better change control and collaboration between team members who may need access to the same document. The change control may need to be enforced based on the system that is being used between all parties such as the same forms of electronic communication, instant messaging, or peer-to-peer file sharing.
- the centralized ACL services need to ensure that the central repository only allows access to the file or changes to the file based on a certain time criteria. This may have to include sensitivity to different time zones, work schedules, and intelligence to monitor for manipulation of timestamps to ensure that the system is not being taken advantage of.
- the need to manage the security and the sharing of documents is of utmost importance based on the relative lack of transparency on where the documents may be sent based on the availability of the Cloud infrastructure.
- the central repository for managing these documents could mediate any lack of security within the Cloud as long as the centralized ACL or set of security services is aware of the different endpoints and clients do not need to be secured as part of the document management system.
- This system is based on at least two parts:
- a client or server-based agent automatically creates an access control list and entry in a database.
- the agent may run on a client mail or messaging system or on a mail or message server.
- a service which provides display of entries in a database to users and the ability to manage user IDs, passwords, access control lists, and the content of entries.
- the access control list for the entry on the service can be updated per the process described above.
- a new mail or communication referencing the pointer to the entry on the service can be sent separately to multiple recipients without the requirement for forwarding the initial communication mechanism (mail or instant message) and independent of the automatic generation of user IDs and access control lists.
- User ID registration and the ability to manage the password for that user ID are open.
- User ID management would include the ability to register a “destination” or “origination” address, usually an electronic mail address, and create a user ID which is the same as this address.
- the owner of the entry on the service can edit the entire access control list of the Entry and add and remove user IDs from the access control list of the entry.
- Access control lists can be set to be “secured” to contain only the user IDs created for the entry and for user IDs added or modified by the owner of the entry. If an entry is distributed by a member of the access control list, that member can manage the subset of the user IDs referenced in that distribution. The subset can also be managed by the owner of the entry.
- the owner of the entry on the service can edit the entry on the service, providing an updated document.
- the service would create a change log of the different versions of the document to enable users to determine which version of the document was referred to in a specific communication.
- In step S1, an electronic communication having a document (e.g., attached) is received.
- In step S2, the document is removed from the electronic communication.
- In step S3, the document is stored in a document database and a reference thereto is provided.
- In step S4, an access control list is generated for the attached document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication.
- In step S5, it is determined whether a user attempting to access the document is authorized (based on the access control list). If not, access is denied in step S6. If so, access is allowed in step S7 via an electronic reference such as a link.
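The agent flow described above (intercept the mail, strip the attachment into a central store, build the ACL from sender and recipients, extend the ACL when a link-bearing mail is forwarded, and let a forwarder manage only the users it introduced) as an added Python example; this is not code from the patent. It assumes a hypothetical service base URL and an in-memory store, and the mail messages it processes are constructed sample data.

```python
import re
import uuid
from email.message import EmailMessage

SERVICE_URL = "https://docstore.example.invalid/entry/"  # hypothetical base URL (assumption)
LINK_RE = re.compile(re.escape(SERVICE_URL) + r"([0-9a-f]{32})")


class DocumentService:
    """Hub of the hub-and-spoke model. An entry holds the document versions and an ACL
    mapping each user id to the id that added it, so a forwarder manages only its own subset."""

    def __init__(self):
        self.entries = {}

    def create_entry(self, owner, recipients, filename, data, secured=False):
        entry_id = uuid.uuid4().hex
        acl = {owner: owner, **{r: owner for r in recipients}}
        self.entries[entry_id] = {"owner": owner, "filename": filename, "acl": acl,
                                  "versions": [data], "secured": secured}
        return entry_id

    def add_recipients(self, entry_id, forwarder, recipients):
        """ACL update when a mail carrying a link is forwarded; returns the ids actually added."""
        entry = self.entries.get(entry_id)
        # A link alone must never grant access: unknown entry, forwarder not on the ACL,
        # or a "secured" ACL extended by someone other than the owner leaves the ACL untouched.
        if entry is None or forwarder not in entry["acl"] or (
                entry["secured"] and forwarder != entry["owner"]):
            return []
        added = [r for r in recipients if r not in entry["acl"]]
        for r in added:
            entry["acl"][r] = forwarder
        return added

    def remove_user(self, entry_id, actor, user):
        """Owner may remove anyone but itself; a forwarder only the users it added."""
        entry = self.entries[entry_id]
        allowed = user != entry["owner"] and (
            actor == entry["owner"] or entry["acl"].get(user) == actor)
        if allowed:
            del entry["acl"][user]
        return allowed

    def is_authorized(self, entry_id, user):
        return entry_id in self.entries and user in self.entries[entry_id]["acl"]

    def update_document(self, entry_id, actor, data):
        """Owner supplies a new version; earlier ones stay as the change log."""
        entry = self.entries[entry_id]
        if actor != entry["owner"]:
            raise PermissionError("only the owner may edit the entry")
        entry["versions"].append(data)
        return len(entry["versions"])

    def fetch(self, entry_id, user, version=None):
        """Steps S5-S7: deny unless the user is on the ACL; default to the latest version."""
        if not self.is_authorized(entry_id, user):
            raise PermissionError(f"{user} is not on the ACL")
        return self.entries[entry_id]["versions"][-1 if version is None else version - 1]


def _addresses(msg, header):
    return [a.addr_spec.lower() for a in msg[header].addresses] if msg[header] else []


def process_mail(service, msg):
    """Server agent (steps S1-S4): links already in the body extend those entries' ACLs;
    attachments are stored and the message is replaced by one that carries links instead."""
    sender = _addresses(msg, "From")[0]
    recipients = _addresses(msg, "To") + _addresses(msg, "Cc")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for entry_id in LINK_RE.findall(text):
        service.add_recipients(entry_id, sender, recipients)
    links = [SERVICE_URL + service.create_entry(sender, recipients, p.get_filename(),
                                                p.get_content()) for p in msg.iter_attachments()]
    if not links:
        return msg
    out = EmailMessage()
    for h in ("From", "To", "Cc", "Subject"):
        if msg[h]:
            out[h] = str(msg[h])
    out.set_content(text.rstrip() + "\n\nDocuments are available at:\n" + "\n".join(links) + "\n")
    return out


def make_mail(sender, to, subject, text, attachments=()):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, ", ".join(to), subject
    msg.set_content(text)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def demo():
    """Constructed scenario: Alice mails Bob an attachment, Bob forwards the link mail to Carol."""
    service = DocumentService()
    mail = make_mail("alice@example.invalid", ["bob@example.invalid"], "Plan",
                     "Draft attached.", [("plan.pdf", b"%PDF-1.4 constructed sample")])
    stripped = process_mail(service, mail)
    entry_id = LINK_RE.search(stripped.get_content()).group(1)
    process_mail(service, make_mail("bob@example.invalid", ["carol@example.invalid"],
                                    "Fwd: Plan", stripped.get_content()))
    return service, entry_id
```

After `demo()`, Carol is on the ACL with Bob recorded as the user who added her, so Bob can later remove Carol but not Alice, while a stranger forwarding a guessed link adds nobody.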
- the invention provides a computer-readable/useable medium that includes computer program code to enable a computer infrastructure to provide dynamic access control functionality as discussed herein.
- the computer-readable/useable medium includes program code that implements each of the various processes of the invention. It is understood that the terms computer-readable medium or computer-useable medium comprises one or more of any type of physical embodiment of the program code.
- the computer-readable/useable medium can comprise program code embodied on one or more portable storage articles of manufacture (e.g., a compact disc, a magnetic disk, a tape, etc.), on one or more data storage portions of a computing device, such as memory 28 ( FIG. 1 ) and/or storage system 34 ( FIG. 1 ) (e.g., a fixed disk, a read-only memory, a random access memory, a cache memory, etc.), and/or as a data signal (e.g., a propagated signal) traveling over a network (e.g., during a wired/wireless electronic distribution of the program code).
- the invention provides a method that performs the process of the invention on a subscription, advertising, and/or fee basis. That is, a service provider, such as a solution integrator, could offer to provide dynamic access control.
- the service provider can create, maintain, support, etc., a computer infrastructure, such as computer system 12 ( FIG. 1 ) that performs the process of the invention for one or more customers.
- the service provider can receive payment from the customer(s) under a subscription and/or fee agreement and/or the service provider can receive payment from the sale of advertising content to one or more third parties.
- the invention provides a computer-implemented method for providing dynamic access control functionality.
- a computer infrastructure, such as computer system 12 ( FIG. 1 ), can be provided, and one or more systems for performing the process of the invention can be obtained (e.g., created, purchased, used, modified, etc.) and deployed to the computer infrastructure.
- the deployment of a system can comprise one or more of: (1) installing program code on a computing device, such as computer system 12 ( FIG. 1 ), from a computer-readable medium; (2) adding one or more computing devices to the computer infrastructure; and (3) incorporating and/or modifying one or more existing systems of the computer infrastructure to enable the computer infrastructure to perform the process of the invention.
- program code and “computer program code” are synonymous and mean any expression, in any language, code, or notation, of a set of instructions intended to cause a computing device having an information processing capability to perform a particular function either directly, or after either or both of the following: (a) conversion to another language, code, or notation; and/or (b) reproduction in a different material form.
- program code can be embodied as one or more of: an application/software program, component software/a library of functions, an operating system, a basic device system/driver for a particular computing device, and the like.
- a data processing system suitable for storing and/or executing program code can be provided hereunder and can include at least one processor communicatively coupled, directly or indirectly, to memory element(s) through a system bus.
- the memory elements can include, but are not limited to, local memory employed during actual execution of the program code, bulk storage, and cache memories that provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
- Input/output or I/O devices can be coupled to the system either directly or through intervening device controllers.
- Network adapters also may be coupled to the system to enable the data processing system to become coupled to other data processing systems, remote printers, storage devices, and/or the like, through any combination of intervening private or public networks.
- Illustrative network adapters include, but are not limited to, modems, cable modems, and Ethernet cards.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Automation & Control Theory (AREA)
- Information Transfer Between Computers (AREA)
- Document Processing Apparatus (AREA)
Abstract
Description
- The present invention generally relates to access control. Specifically, the present invention relates to dynamic access control for documents in electronic communications (e.g., email) within a Cloud computing environment.
- As electronic communications (e.g., email, instant messaging, etc.) continue to become the standard of business and personal communications, the need for access control to such communications grows. Consider, for example, email, where the originator/sender has no control over where the email message and/or a document attached thereto may be sent (and resent) and who can access the content once it is distributed. Storing multiple documents in multiple places (for example, different email in-boxes) may put undue processing and storage capacity on both servers and networks. Existing solutions concentrate on sending the metadata associated with documents rather than providing access control. Moreover, under existing solutions, once a person has sent a document to another person, the only way an originator/sender may restrict who receives the document (by multiple forwarding) is through ‘prevent copying’ or other such feature that prohibits the resending of the document in its original form. Such an approach is very restrictive and places the burden on the electronic mail desktop client.
- The present invention provides a solution to manage and control document transmission and electronic communication. Specifically, the present invention solves the problem of having control over data (documents, image files, and attachments, hereafter referenced as “documents”) that are associated with multiple types of data communication. Along these lines, the present invention provides a hub and spoke communication model in order to achieve multiple benefits in terms of effectiveness, efficiency, flexibility, and control. This type of granular control is critical for information sharing within a Cloud computing environment. This approach is also useful for collaboration tools and can be augmented by the creation and management of access control lists for the hub-spoke system. To this extent, the present invention solves the problem of being able to automatically update access control lists as documents are being forwarded or otherwise communicated between multiple people. These ACLs are kept up to date through the analysis of to whom (and where) a document has been sent.
- A first aspect of the present invention provides a method for providing dynamic access control to documents in electronic communications within a Cloud computing environment, comprising: receiving an electronic communication within the Cloud computing environment, the electronic communication having a document; removing the document from the electronic communication; storing the document in a document database; generating an access control list for the document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication; and controlling access to the document in the document database based upon the access control list.
- A second aspect of the present invention provides a Cloud computer system for providing dynamic access control to documents in electronic communications, comprising: a memory medium comprising instructions; a bus coupled to the memory medium; and a processor coupled to the bus that when executing the instructions causes the Cloud computer system to: receive an electronic communication within the Cloud computing environment, the electronic communication having a document; remove the document from the electronic communication; store the document in a document database; generate an access control list for the document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication; and control access to the document in the document database based upon the access control list.
- A third aspect of the present invention provides a computer readable medium comprising: a program for providing dynamic access control to documents in electronic communications within a Cloud computing environment, the computer readable medium comprising program code for causing a Cloud computer system to: receive an electronic communication within the Cloud computing environment, the electronic communication having a document; remove the document from the electronic communication; store the document in a document database; generate an access control list for the document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication; and control access to the document in the document database based upon the access control list.
- A fourth aspect of the present invention provides a method for deploying a Cloud service for providing dynamic access control to documents in electronic communications within a Cloud computing environment, comprising: providing a Cloud computer infrastructure being operable to: receive an electronic communication within the Cloud computing environment, the electronic communication having a document; remove the document from the electronic communication; store the document in a document database; generate an access control list for the document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication; and control access to the document in the document database based upon the access control list.
- These and other features of this invention will be more readily understood from the following detailed description of the various aspects of the invention taken in conjunction with the accompanying drawings in which:
- FIG. 1 shows a Cloud system node according to the present invention.
- FIG. 2 shows a Cloud computing environment according to the present invention.
- FIG. 3 shows Cloud abstraction model layers according to the present invention.
- FIG. 4 shows an illustrative architectural diagram according to the present invention.
- FIG. 5 shows a flow diagram of a method according to the present invention.
- The drawings are not necessarily to scale. The drawings are merely schematic representations, not intended to portray specific parameters of the invention. The drawings are intended to depict only typical embodiments of the invention, and therefore should not be considered as limiting the scope of the invention. In the drawings, like numbering represents like elements.
- For convenience, the Detailed Description of the Invention has the following sections:
- I. Cloud Computing Definitions
- II. Detailed Implementation of the Invention
- The following definitions have been derived from the “Draft NIST Working Definition of Cloud Computing” by Peter Mell and Tim Grance, dated Oct. 7, 2009, which is cited on an IDS filed herewith, and a copy of which is attached thereto.
- Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and comprises at least five characteristics, at least three service models, and at least four deployment models.
- Characteristics are as follows:
- On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
- Broad network access: Capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
- Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
- Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
- Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
- Service Models are as follows: Cloud Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Cloud Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
- Cloud Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
- Deployment Models are as follows:
- Private cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.
- Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
- Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
- Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
- A cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.
- The present invention provides a solution to manage and control document transmission and electronic communication. Specifically, the present invention solves the problem of having control over data (documents, image files, and attachments)—hereafter referenced as “Documents” that are associated with multiple types of data communication.
- Along these lines, the present invention provides a hub and spoke communication model in order to achieve multiple benefits in terms of effectiveness, efficiency, flexibility, and control. This type of granular control is critical for information sharing within a Cloud computing environment. This approach is also useful for collaboration tools and can be augmented by the creation and management of access control lists (ACLs) for the hub-spoke system. To this extent, the present invention solves the problem of being able to automatically update ACLs as documents are being forwarded or otherwise communicated between multiple people. These ACLs are kept up to date through the analysis of to whom (and where) a document has been sent.
- Referring now to FIG. 1 , a schematic of an exemplary cloud computing node is shown. Cloud computing node 10 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of the invention described herein. Regardless, cloud computing node 10 is capable of being implemented and/or performing any of the functions set forth in section I above.
- In cloud computing node 10 there is a computer system/server 12 , which is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with computer system/server 12 include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems or devices, and the like.
- Computer system/server 12 may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. The exemplary computer system/server 12 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
- As shown in FIG. 1 , computer system/server 12 in cloud computing node 10 is shown in the form of a general-purpose computing device. The components of computer system/server 12 may include, but are not limited to, one or more processors or processing units 16 , a system memory 28 , and a bus 18 that couples various system components including system memory 28 to processor 16 .
- Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnects (PCI) bus.
- Computer system/server 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 12 , and it includes both volatile and non-volatile media, removable and non-removable media.
- System memory 28 can include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache memory 32 . Computer system/server 12 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, a hard disk drive 34 can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media can be provided. In such instances, each can be connected to bus 18 by one or more data media interfaces. As will be further depicted and described below, memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of the invention.
- Program/utility 40 , having a set (at least one) of program modules 42 , may be stored in memory 28 by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data. Each of the operating system, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment. Program modules 42 generally carry out the functions and/or methodologies of the invention as described herein.
- Computer system/server 12 may also communicate with one or more external devices 14 such as a keyboard, a pointing device, a display 24 , etc.; one or more devices that enable a user to interact with computer system/server 12 ; and/or any devices (e.g., network card, modem, etc.) that enable computer system/server 12 to communicate with one or more other computing devices. Such communication can occur via I/O interfaces 22 . Still yet, computer system/server 12 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter 20 . As depicted, network adapter 20 communicates with the other components of computer system/server 12 via bus 18 . It should be understood that although not shown, other hardware and/or software components could be used in conjunction with computer system/server 12 . Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems, etc.
- Referring now to FIG. 2 , illustrative cloud computing environment 50 is depicted. As shown, cloud computing environment 50 comprises one or more cloud computing nodes 10 with which computing devices such as, for example, personal digital assistant (PDA) or cellular telephone 54A, desktop computer 54B, laptop computer 54C, and/or automobile computer system 54N communicate. This allows for infrastructure, platforms and/or software to be offered as services (as described above in Section I) from cloud computing environment 50 so as to not require each client to separately maintain such resources. It is understood that the types of computing devices 54A-N shown in FIG. 2 are intended to be illustrative only and that cloud computing environment 50 can communicate with any type of computerized device over any type of network and/or network/addressable connection (e.g., using a web browser).
- Referring now to FIG. 3 , a set of functional abstraction layers provided by cloud computing environment 50 ( FIG. 2 ) is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 3 are intended to be illustrative only and the invention is not limited thereto. As depicted, the following layers and corresponding functions are provided:
- Hardware and software layer 60 includes hardware and software components. Examples of hardware components include mainframes, in one example IBM® zSeries® systems; RISC (Reduced Instruction Set Computer) architecture based servers, in one example IBM pSeries® systems; IBM xSeries® systems; IBM BladeCenter® systems; storage devices; networks and networking components. Examples of software components include network application server software, in one example IBM WebSphere® application server software; and database software, in one example IBM DB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter, WebSphere, and DB2 are trademarks of International Business Machines Corporation in the United States, other countries, or both.)
- Virtualization layer 62 provides an abstraction layer from which the following exemplary virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications; and virtual clients.
- Management layer 64 provides the exemplary functions described below. Resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and Pricing provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may comprise application software licenses. Security provides identity verification for users and tasks, as well as protection for data and other resources. User portal provides access to the cloud computing environment for both users and system administrators. Service level management provides cloud computing resource allocation and management such that required service levels are met. Service Level Agreement (SLA) planning and fulfillment provides pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.
- Workloads layer 66 provides functionality for which the cloud computing environment is utilized. Examples of workloads and functions which may be provided from this layer include: mapping and navigation; software development and lifecycle management; virtual classroom education delivery; data analytics processing; transaction processing; and dynamic access control.
- In general, dynamic access control functionality of workloads layer 66 implements the functions of the present invention as discussed herein in conjunction with FIGS. 4-5 . As mentioned above, the present invention provides a system that extracts documents from peer to peer (one-to-one or one-to-many) communication mediums (such as Cloud computing), and stores the documents in a centralized and widely accessible electronic repository. This invention may replace the document with a link to that centralized document store, send that link to both the originator/sender and recipient and, most importantly, create an access control list to the now secured document that is based on the addresses of the recipients and originator/sender to ensure a proper means of authorization for the message and/or attached document. The originator/sender then has the capability to manage the access control list for the document, no matter where the document has been sent to. Recipients may authenticate to the store using their address (or any other unique identifier such as a private key, passcode, etc.). If one of the individuals on the recipient list has never used the system before, the central repository would automatically generate a password that would be sent as a separate communication. Users who are authenticated to the document store would have central access to all documents that are sent to them. In addition, the process enables central repositories of documents to be created to improve revision control and retention.
- This invention may be implemented through the use of an agent or other code that performs automatic ACL updates and document to metadata conversion.
- Use Cases
- In accordance with these concepts, the following illustrative use cases can be implemented hereunder:
- A service is created which provides database management functionality (entry creation, deletion, and editing) and access control management functionality, including creation of user IDs, user and password verification, and password management (creation, reset and change). An agent intercepts communications and removes documents from the communication, replacing each with a pointer to an entry in the service.
- (1) Send Mail with Imbedded Document to Multiple Recipients
- An electronic mail is sent containing a document. The server agent processes the electronic mail and creates an entry on the service with an access control list based on the recipients and originator/sender. The agent then removes each document and replaces it in the message with a hyperlink to the associated entry in the service.
- The mail size is reduced by stripping out any attachments, and network traffic outside of the client/server communication is reduced because the document is stored in a central repository. The originator/sender of the document has control over the recipients of the document through the authentication and authorization services offered by the ACL.
- This invention results in a more efficient and effective use of storage and bandwidth, increased document security and the document can be dynamically changed by the Owner and recipients of the document have access to the most recent version. The processing engine is shifted to the server agent to provide the necessary control of the document.
- (2) Forward Mail Which has Gone Through the Process to Multiple Different Recipients
- The agent determines that the electronic mail contains a pointer to an entry in the service and automatically updates the access control list of the entry to include the recipient of the electronic mail. The additions to the access control list of the entry are manageable by the owner of the entry and the originator/sender of this electronic mail.
- Mail size is reduced, network traffic is reduced, the owner of the entry may monitor to whom the document has been sent, and the originator/sender of the forwarded email can manage subsequent access to the document for the subset of users it was forwarded to.
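Use case (2), together with the “secured” list and distributor-subset rules listed earlier among the service's features, as an added example (this is not the patent's code). The agent recognises a pointer in a forwarded message, extends the entry's ACL with the new recipients, attributes those additions to the forwarder, and then lets the owner revoke anyone while a forwarder may revoke only the users their own forward introduced. The link pattern, the entry identifiers and the sample message body are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed link layout used to recognise pointers in a forwarded message;
# the host and path are placeholders.
LINK_RE = re.compile(r"https://docs\.example\.internal/d/([A-Za-z0-9_-]+)")


@dataclass
class Entry:
    owner: str
    acl: set[str]
    secured: bool = False
    # distributor -> user IDs that this distributor's forward first introduced
    distributions: dict[str, set[str]] = field(default_factory=dict)


class AclService:
    """ACL management for entries that travel by pointer rather than by copy."""

    def __init__(self) -> None:
        self._entries: dict[str, Entry] = {}

    def create(self, ref: str, owner: str, recipients: set[str], secured: bool = False) -> None:
        self._entries[ref] = Entry(owner, {owner, *recipients}, secured)

    def members(self, ref: str) -> set[str]:
        return set(self._entries[ref].acl)

    def subset(self, ref: str, distributor: str) -> set[str]:
        return set(self._entries[ref].distributions.get(distributor, set()))

    def on_forward(self, body: str, forwarder: str, recipients: set[str]) -> dict[str, set[str]]:
        """Use case (2): for every pointer in a forwarded message, extend the
        entry's ACL with the new recipients and attribute them to the forwarder.
        Returns, per reference, the user IDs that were actually added."""
        added: dict[str, set[str]] = {}
        for ref in set(LINK_RE.findall(body)):
            entry = self._entries.get(ref)
            if entry is None:
                continue  # dangling or foreign link: nothing to update
            if forwarder not in entry.acl:
                # Only a member may widen access; a non-member quoting a link
                # obtained some other way must not be able to grow the list.
                raise PermissionError(f"{forwarder} is not on the ACL for {ref}")
            if entry.secured:
                added[ref] = set()  # "secured" lists grow only by owner action
                continue
            new = recipients - entry.acl
            entry.acl |= new
            entry.distributions.setdefault(forwarder, set()).update(new)
            added[ref] = new
        return added

    def add_by_owner(self, ref: str, actor: str, user: str) -> None:
        entry = self._entries[ref]
        if actor != entry.owner:
            raise PermissionError("only the owner may add to the list directly")
        entry.acl.add(user)
        # A user granted by the owner no longer belongs to any distributor's subset.
        for s in entry.distributions.values():
            s.discard(user)

    def revoke(self, ref: str, actor: str, user: str) -> bool:
        """The owner may remove anyone except themselves; a distributor may
        remove only users their own forward introduced."""
        entry = self._entries[ref]
        if user == entry.owner:
            return False
        if actor != entry.owner and user not in entry.distributions.get(actor, set()):
            return False
        entry.acl.discard(user)
        for s in entry.distributions.values():
            s.discard(user)
        return True


if __name__ == "__main__":
    svc = AclService()
    svc.create("abc123", "alice@example.com", {"bob@example.com", "carol@example.com"})
    forwarded = "FYI, the plan is at https://docs.example.internal/d/abc123 (constructed body)"
    print(svc.on_forward(forwarded, "bob@example.com", {"dave@example.com", "carol@example.com"}))
    print(sorted(svc.members("abc123")))
    print(svc.revoke("abc123", "bob@example.com", "carol@example.com"))  # False: carol is not in bob's subset
    print(svc.revoke("abc123", "bob@example.com", "dave@example.com"))   # True
```

The forwarder check is the part worth keeping: the agent sees the mail server's authenticated sender, not the text of the message, so a link pasted by someone outside the ACL cannot be used to add themselves or others. Recording the subset per distributor is what lets a forwarder later withdraw access from exactly the people they brought in and nobody else.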
- (3) Instant Message Document to Recipient
- As instant messaging becomes a richer form of electronic communication, there may be a desire and need to share documents through this medium. The application of this invention may allow documents to be distributed effectively and efficiently to members of an instant messaging community.
- The document may not require being stored locally, network bandwidth may be saved as only recipients with a need to view the material need access the entry. The access control lists of the document may enable the owner of the entry to determine who has access based on the access control lists. Version control of the document would remain current through the use of a central repository.
- (4) Version Control of Distributed Documents
- The owner of the entry is able to edit the contents of the entry. The database may store a change history of the document changes in the entry based on a unique identifier, enabling the most recent version of the document to be available to those in the access control list. Those on the access control list may, with effective time-stamping, still be able to view previous versions (referred to in specific communications) of the document.
- In the event that the recipient may need to update the document, the server agent may be able to create additional copies of the file based on the unique identifier. This may allow additional users to make changes to the original file, based on a certain set of parameters that the original file was sent under. Based on certain criteria, the original file may be restricted for editing or modification based on how closely the file resembles its original contents. Once the file has been updated or edited in any way, the server agent can then send out another electronic message to all of the recipients notifying them of the new change.
- Another option is for the server agent to insert a piece of metadata into the file or file name to readily identify the changes and enforce version control of the file. This may allow better change control and collaboration between team members who may need access to the same document. The change control may need to be enforced based on the system that is being used between all parties such as the same forms of electronic communication, instant messaging, or peer-to-peer file sharing.
- (5) Time Sensitivity
- To manage the issue of time sensitivity and the sharing of documents, the centralized ACL services need to ensure that the central repository only allows access to the file or changes to the file based on a certain time criteria. This may have to include sensitivity to different time zones, work schedules, and intelligence to monitor for manipulation of timestamps to ensure that the system is not being taken advantage of.
- (6) Cloud Computing
- With the relative anonymity of Cloud computing, the need to manage the security and sharing of documents is of utmost importance, given the relative lack of transparency on where the documents may be sent based on the availability of the Cloud infrastructure. Using the centralized ACL service, or potentially a dedicated service specifically for fine-grained authorization and access to specific documents, the central repository for managing these documents could mediate any lack of security within the Cloud, as long as the centralized ACL or set of security services is aware of the different endpoints; clients then do not need to be secured as part of the document management system.
- This system is based on at least two parts:
- 1. A client or server-based agent automatically creates an access control list and entry in a database. The agent may run on a client mail or messaging system or on a mail or message server.
- 2. A service which provides display of entries in a database to users and the ability to manage user IDs, passwords, access control lists, and content of Entries.
Referring to FIG. 4, a logical/process flow diagram will be used to better describe the functions recited hereunder.
- Agent and Service Function when Document is Found in Communication Process Flow:
- Agent 70 intercepts an electronic communication (for example, a mail or instant message, hereafter referred to as “communication”) containing a document (e.g., attached document).
- An entry (Entry) 72 is created on the service for each document contained within the communication for storage in entry database 76. Ownership of the entry and the access control list 74 to the entry is assigned to the originator/sender of the communication.
- An access control list 74 containing user IDs is created for the Entry 72 based upon the list of recipient destination addresses, and the originator/sender address is stored in an access control database 78. The user IDs are the recipient destination and originator/sender source addresses.
- User IDs are either (1) verified (for user IDs recognized) or (2) created (“new” user ID) on the Service. For created user IDs:
  - An automatic password is created for these “new” electronic mail addresses.
  - Each “new” user ID on the access control list is sent a communication containing the user ID and automatically generated password, as well as details of how to change this password and verify the account and user ID for future access on the server. In any case, user IDs are stored and/or retrieved from user database 80.
- The document contained within the communication is removed/extracted out, stored in document database 82, and replaced by a reference pointer (e.g., an electronic link) created on the service. This electronic link “points” to the location of the document within document database 82 and/or entry 72 in entry database 76.
- Recipients of the communication can access the document by referring to this pointer, validating their membership of the access control list by entering their user ID and password on the service.
- Agent and Service Function when Pointer to Service is Found in Communication Process:
- Mail is forwarded to a new set of recipients which contains a pointer to an entry 72 on the service.
- The recipients of this new mail are added to the access control list 74 of the entry 72 on the Server, if the entry 72 on the server (e.g., computer system/server 12 of FIG. 1) is not “secured”.
- User ID validation and creation happens as per the process outlined above.
- The owner of the entry 72 on the server is notified of a change to the access control list by electronic mail.
- The owner of the entry 72 on the server can manage the access control list of the entry on the server per the process described below.
- The originator/sender of the forwarded mail can manage the subset of this additional access control list 74 per the process described below.
In accordance with these concepts the following functionality can be provided:
- Sharing an Entry Created by the Process with Others
- The access control list for the entry on the service can be updated per the process described above. A new mail or communication referencing the pointer to the entry on the service can be sent separately to multiple recipients without the requirement for forwarding the initial communication mechanism (mail or instant message) and independent of the automatic generation of user IDs and access control lists.
- Managing User IDs on the Service
- User ID registration, and the ability to manage the password of that user ID, is open. User ID management would include the ability to register a “destination” or “origination” address, usually an electronic mail address, and create a user ID which is the same as this address.
- Password management is available for the user ID:
  - Creation of a password for new user IDs on the service.
  - Resetting of a password for a user ID on the Service by transmitting an automatically generated password to the address.
  - Change of a password for a user ID by entry of existing password and new password.
- Managing the Access Control List to the Entry on the Service
- The owner of the entry on the service can edit the entire access control list of the Entry and add and remove user IDs from the access control list of the entry. Access control lists can be set to be “secured” to contain only the user IDs created for the entry and for user IDs added or modified by the owner of the entry. If an entry is distributed by a member of the access control list, that member can manage the subset of the user IDs referenced in that distribution. The subset can also be managed by the owner of the entry.
- Managing the Content of the Entry on the Server
- The owner of the entry on the service can edit the entry on the service, providing an updated document. The service would create a change log of the different versions of the document to enable users to determine which version of the document was referred to in a specific communication.
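As an added illustration, not code from the patent, the following Python model walks the two FIG. 4 flows and the management functions described above: the agent strips the attachment into the service and replaces it with a pointer, forwarding a pointer grows the ACL unless the entry is “secured”, a forwarder may manage only the subset it added, and the owner's edits go into a change log that still serves the version a given communication referred to. The Message/Entry/Service names, the svc://entry/ link format, the user-ID/password store and the example addresses are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import secrets

POINTER_PREFIX = "svc://entry/"  # constructed stand-in for the "electronic link" (reference pointer)

@dataclass
class Message:
    sender: str
    recipients: List[str]
    body: str
    attachment: Optional[bytes] = None  # the document, if one is attached

@dataclass
class Entry:  # Entry 72: one stored document, its owner, its ACL and its change log
    owner: str
    versions: List[bytes]  # change log; index 0 is the document as first sent
    acl: Set[str]
    secured: bool = False  # a "secured" ACL grows only through the owner
    subsets: Dict[str, Set[str]] = field(default_factory=dict)  # forwarder -> user IDs it added

class Service:  # entry, ACL and user databases plus the management functions described above
    def __init__(self) -> None:
        self.entries, self.users = {}, {}  # entry ID -> Entry; user ID (an address) -> password

    def ensure_user(self, address: str) -> str:
        if address not in self.users:
            self.users[address] = secrets.token_urlsafe(12)  # "new" user ID gets an automatic password
        return address

    def create_entry(self, owner: str, recipients: List[str], document: bytes) -> str:
        """Ownership goes to the originator/sender; the ACL is sender plus initial recipients."""
        entry_id = secrets.token_hex(8)
        acl = {self.ensure_user(a) for a in [owner, *recipients]}
        self.entries[entry_id] = Entry(owner, [document], acl)
        return entry_id

    def add_forwarded_recipients(self, entry_id: str, forwarder: str, recipients: List[str]) -> Set[str]:
        """Forwarding flow: grow the ACL unless the entry is "secured" or the forwarder is no member."""
        entry = self.entries.get(entry_id)
        if entry is None or entry.secured or forwarder not in entry.acl:
            return set()
        added = {self.ensure_user(a) for a in recipients} - entry.acl
        entry.acl |= added
        entry.subsets.setdefault(forwarder, set()).update(added)  # managed by forwarder and owner
        return added  # the owner would be notified of this change by mail

    def remove_user(self, entry_id: str, actor: str, user: str) -> bool:
        """The owner may remove anyone; a forwarder may remove only users in its own subset."""
        entry = self.entries[entry_id]
        if actor != entry.owner and user not in entry.subsets.get(actor, set()):
            return False
        entry.acl.discard(user)
        for subset in entry.subsets.values():
            subset.discard(user)
        return True

    def update_document(self, entry_id: str, actor: str, document: bytes) -> None:
        """Only the owner edits the content; each edit is appended to the change log."""
        entry = self.entries[entry_id]
        if actor != entry.owner:
            raise PermissionError("only the entry owner may update the document")
        entry.versions.append(document)

    def fetch(self, entry_id: str, user: str, password: str, version: Optional[int] = None):
        """Steps S5-S7: authenticate, check ACL membership, return the requested (default latest) version."""
        entry = self.entries.get(entry_id)
        if entry is None or self.users.get(user) != password or user not in entry.acl:
            return None  # access denied
        return entry.versions[-1 if version is None else version]

def agent_process(service: Service, msg: Message) -> Message:
    """Agent 70: strip an attachment into the service, or react to a pointer in forwarded mail."""
    if msg.attachment is not None:
        entry_id = service.create_entry(msg.sender, msg.recipients, msg.attachment)
        return Message(msg.sender, msg.recipients, f"{msg.body}\n{POINTER_PREFIX}{entry_id}")
    for pointer in (t for t in msg.body.split() if t.startswith(POINTER_PREFIX)):
        service.add_forwarded_recipients(pointer[len(POINTER_PREFIX):], msg.sender, msg.recipients)
    return msg

def run_scenario() -> dict:
    svc = Service()  # constructed walk-through: send, forward, owner edits, entry secured, forward blocked
    alice, bob, carol, dave = (f"{n}@example.com" for n in ("alice", "bob", "carol", "dave"))
    sent = agent_process(svc, Message(alice, [bob], "draft attached", attachment=b"report v1"))
    entry_id = sent.body.rsplit(POINTER_PREFIX, 1)[1]
    agent_process(svc, Message(bob, [carol], sent.body))   # forward: carol joins via bob's subset
    svc.update_document(entry_id, alice, b"report v2")     # owner edits; change log keeps v1
    svc.entries[entry_id].secured = True
    agent_process(svc, Message(carol, [dave], sent.body))  # secured: dave is not added
    result = {
        "attachment_stripped": sent.attachment is None,
        "acl": sorted(svc.entries[entry_id].acl),
        "carol_latest": svc.fetch(entry_id, carol, svc.users[carol]),
        "carol_v0": svc.fetch(entry_id, carol, svc.users[carol], version=0),
        "dave": svc.fetch(entry_id, dave, svc.users.get(dave, "")),
        "bob_removes_carol": svc.remove_user(entry_id, bob, carol),
        "bob_removes_owner": svc.remove_user(entry_id, bob, alice),
    }
    result["acl_after"] = sorted(svc.entries[entry_id].acl)
    return result
```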
Referring now to FIG. 5, a method flow diagram according to the present invention is shown. In step S1, an electronic communication having a document (e.g., attached) is received. In step S2, the document is removed from the electronic communication. In step S3, the document is stored in a document database and a reference thereto is provided. In step S4, an access control list is generated for the attached document as stored, the access control list identifying a sender and a set of initial recipients of the electronic communication. In step S5, it is determined whether a user attempting to access the document is authorized (based on the access control list). If not, access is denied in step S6. If so, access is allowed in step S7 via an electronic reference such as a link.
- While shown and described herein as a dynamic access control solution, it is understood that the invention further provides various alternative embodiments. For example, in one embodiment, the invention provides a computer-readable/useable medium that includes computer program code to enable a computer infrastructure to provide dynamic access control functionality as discussed herein. To this extent, the computer-readable/useable medium includes program code that implements each of the various processes of the invention. It is understood that the terms computer-readable medium or computer-useable medium comprise one or more of any type of physical embodiment of the program code. In particular, the computer-readable/useable medium can comprise program code embodied on one or more portable storage articles of manufacture (e.g., a compact disc, a magnetic disk, a tape, etc.), on one or more data storage portions of a computing device, such as memory 28 (FIG. 1) and/or storage system 34 (FIG. 1) (e.g., a fixed disk, a read-only memory, a random access memory, a cache memory, etc.), and/or as a data signal (e.g., a propagated signal) traveling over a network (e.g., during a wired/wireless electronic distribution of the program code).
- In another embodiment, the invention provides a method that performs the process of the invention on a subscription, advertising, and/or fee basis. That is, a service provider, such as a Solution Integrator, could offer to provide dynamic access control. In this case, the service provider can create, maintain, support, etc., a computer infrastructure, such as computer system 12 (FIG. 1), that performs the process of the invention for one or more customers. In return, the service provider can receive payment from the customer(s) under a subscription and/or fee agreement and/or the service provider can receive payment from the sale of advertising content to one or more third parties.
- In still another embodiment, the invention provides a computer-implemented method for providing dynamic access control functionality. In this case, a computer infrastructure, such as computer system 12 (FIG. 1), can be provided and one or more systems for performing the process of the invention can be obtained (e.g., created, purchased, used, modified, etc.) and deployed to the computer infrastructure. To this extent, the deployment of a system can comprise one or more of: (1) installing program code on a computing device, such as computer system 12 (FIG. 1), from a computer-readable medium; (2) adding one or more computing devices to the computer infrastructure; and (3) incorporating and/or modifying one or more existing systems of the computer infrastructure to enable the computer infrastructure to perform the process of the invention.
- As used herein, it is understood that the terms “program code” and “computer program code” are synonymous and mean any expression, in any language, code, or notation, of a set of instructions intended to cause a computing device having an information processing capability to perform a particular function either directly, or after either or both of the following: (a) conversion to another language, code, or notation; and/or (b) reproduction in a different material form. To this extent, program code can be embodied as one or more of: an application/software program, component software/a library of functions, an operating system, a basic device system/driver for a particular computing device, and the like.
- A data processing system suitable for storing and/or executing program code can be provided hereunder and can include at least one processor communicatively coupled, directly or indirectly, to memory element(s) through a system bus. The memory elements can include, but are not limited to, local memory employed during actual execution of the program code, bulk storage, and cache memories that provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution. Input/output or I/O devices (including, but not limited to, keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening device controllers.
- Network adapters also may be coupled to the system to enable the data processing system to become coupled to other data processing systems, remote printers, storage devices, and/or the like, through any combination of intervening private or public networks. Illustrative network adapters include, but are not limited to, modems, cable modems, and Ethernet cards.
- The foregoing description of various aspects of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed and, obviously, many modifications and variations are possible. Such modifications and variations that may be apparent to a person skilled in the art are intended to be included within the scope of the invention as defined by the accompanying claims.
Claims (20)
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/630,121 US20110137947A1 (en) | 2009-12-03 | 2009-12-03 | Dynamic access control for documents in electronic communications within a cloud computing environment |
CN201080054526.8A CN102640162B (en) | 2009-12-03 | 2010-11-15 | Dynamic access control to the document in electronic communication in cloud computing environment |
GB1204644.7A GB2488676B (en) | 2009-12-03 | 2010-11-15 | Dynamic access control for documents in electronic communications within a cloud computing environment |
PCT/EP2010/067509 WO2011067101A1 (en) | 2009-12-03 | 2010-11-15 | Dynamic access control for documents in electronic communications within a cloud computing environment |
DE112010004651T DE112010004651T8 (en) | 2009-12-03 | 2010-11-15 | Dynamic access control for documents in electronic data transfer operations in a cloud computing environment |
US13/178,642 US9514318B2 (en) | 2009-12-03 | 2011-07-08 | Dynamic access control for documents in electronic communications within a networked computing environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/630,121 US20110137947A1 (en) | 2009-12-03 | 2009-12-03 | Dynamic access control for documents in electronic communications within a cloud computing environment |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/178,642 Continuation US9514318B2 (en) | 2009-12-03 | 2011-07-08 | Dynamic access control for documents in electronic communications within a networked computing environment |
Publications (1)
Publication Number | Publication Date |
---|---|
US20110137947A1 true US20110137947A1 (en) | 2011-06-09 |
Family
ID=43531099
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/630,121 Abandoned US20110137947A1 (en) | 2009-12-03 | 2009-12-03 | Dynamic access control for documents in electronic communications within a cloud computing environment |
US13/178,642 Active US9514318B2 (en) | 2009-12-03 | 2011-07-08 | Dynamic access control for documents in electronic communications within a networked computing environment |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/178,642 Active US9514318B2 (en) | 2009-12-03 | 2011-07-08 | Dynamic access control for documents in electronic communications within a networked computing environment |
Country Status (5)
Country | Link |
---|---|
US (2) | US20110137947A1 (en) |
CN (1) | CN102640162B (en) |
DE (1) | DE112010004651T8 (en) |
GB (1) | GB2488676B (en) |
WO (1) | WO2011067101A1 (en) |
Cited By (38)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100137534A1 (en) * | 2007-01-29 | 2010-06-03 | Arkema France | Method for preparing microgel particles by controlled radical polymerization in an aqueous dispersion using nitroxide control agents |
US20110047381A1 (en) * | 2009-08-21 | 2011-02-24 | Board Of Regents, The University Of Texas System | Safemashups cloud trust broker |
US20110295998A1 (en) * | 2010-05-28 | 2011-12-01 | James Michael Ferris | Systems and methods for cross-cloud vendor mapping service in a dynamic cloud marketplace |
US20110302315A1 (en) * | 2010-06-03 | 2011-12-08 | Microsoft Corporation | Distributed services authorization management |
WO2012023050A2 (en) | 2010-08-20 | 2012-02-23 | Overtis Group Limited | Secure cloud computing system and method |
US20120084665A1 (en) * | 2004-06-29 | 2012-04-05 | Blake Bookstaff | Method and system for intelligent processing of electronic information with cloud computing |
US20120117142A1 (en) * | 2010-11-05 | 2012-05-10 | Inventec Corporation | Cloud computing system and data accessing method thereof |
US20120179708A1 (en) * | 2011-01-10 | 2012-07-12 | International Business Machines Corporation | Verifying file versions in a networked computing environment |
CN102821000A (en) * | 2012-09-14 | 2012-12-12 | 乐视网信息技术(北京)股份有限公司 | Method for improving usability of PaaS platform |
US20130185773A1 (en) * | 2012-01-13 | 2013-07-18 | Ubiterra Corporation | Apparatus, system, and method for managing, sharing, and storing seismic data |
US20130226977A1 (en) * | 2012-02-27 | 2013-08-29 | Fuji Xerox Co., Ltd. | Document management server, document management device, document management system, non-transitory computer readable medium storing document management program, and document management method |
US8752138B1 (en) * | 2011-08-31 | 2014-06-10 | Google Inc. | Securing user contact information in collaboration session |
US8805971B1 (en) | 2012-06-15 | 2014-08-12 | Amazon Technologies, Inc. | Client-specified schema extensions in cloud computing environments |
US8813225B1 (en) | 2012-06-15 | 2014-08-19 | Amazon Technologies, Inc. | Provider-arbitrated mandatory access control policies in cloud computing environments |
US8856077B1 (en) | 2012-06-15 | 2014-10-07 | Amazon Technologies, Inc. | Account cloning service for cloud computing environments |
US20140304324A1 (en) * | 2013-04-05 | 2014-10-09 | Canon Kabushiki Kaisha | Content management apparatus, content management method, and program |
US8868710B2 (en) | 2011-11-18 | 2014-10-21 | Amazon Technologies, Inc. | Virtual network interface objects |
WO2015057431A1 (en) * | 2013-10-14 | 2015-04-23 | Microsoft Corporation | Granting permissions to an object when adding people to a conversation |
US9075788B1 (en) | 2012-06-15 | 2015-07-07 | Amazon Technologies, Inc. | Account state simulation service for cloud computing environments |
US9210178B1 (en) | 2012-06-15 | 2015-12-08 | Amazon Technologies, Inc. | Mixed-mode authorization metadata manager for cloud computing environments |
EP2891278A4 (en) * | 2012-08-29 | 2016-04-13 | Rideshark Corp | Methods and systems for delayed notifications in communications networks |
US9348802B2 (en) | 2012-03-19 | 2016-05-24 | Litéra Corporation | System and method for synchronizing bi-directional document management |
US9407641B2 (en) | 2012-04-27 | 2016-08-02 | Hewlett-Packard Development Company, L.P. | Service access control |
US9460300B1 (en) * | 2012-09-10 | 2016-10-04 | Google Inc. | Utilizing multiple access control objects to manage access control |
US9514318B2 (en) | 2009-12-03 | 2016-12-06 | International Business Machines Corporation | Dynamic access control for documents in electronic communications within a networked computing environment |
US9747460B1 (en) * | 2014-01-17 | 2017-08-29 | Jpmorgan Chase Bank, N.A. | Systems and methods for data sharing and transaction processing for high security documents |
US9787499B2 (en) | 2014-09-19 | 2017-10-10 | Amazon Technologies, Inc. | Private alias endpoints for isolated virtual networks |
US9916545B1 (en) | 2012-02-29 | 2018-03-13 | Amazon Technologies, Inc. | Portable network interfaces for authentication and license enforcement |
US10021196B1 (en) | 2015-06-22 | 2018-07-10 | Amazon Technologies, Inc. | Private service endpoints in isolated virtual networks |
US10025782B2 (en) | 2013-06-18 | 2018-07-17 | Litera Corporation | Systems and methods for multiple document version collaboration and management |
US10244001B2 (en) * | 2015-06-09 | 2019-03-26 | Intel Corporation | System, apparatus and method for access control list processing in a constrained environment |
US10469330B1 (en) | 2012-06-15 | 2019-11-05 | Amazon Technologies, Inc. | Client account versioning metadata manager for cloud computing environments |
US10567481B2 (en) * | 2013-05-31 | 2020-02-18 | International Business Machines Corporation | Work environment for information sharing and collaboration |
US11290446B2 (en) * | 2011-06-08 | 2022-03-29 | Servicenow, Inc. | Access to data stored in a cloud |
US11308039B2 (en) * | 2019-12-31 | 2022-04-19 | Dropbox, Inc. | Binding local device folders to a content management system for synchronization |
US11790098B2 (en) | 2021-08-05 | 2023-10-17 | Bank Of America Corporation | Digital document repository access control using encoded graphical codes |
US11822683B2 (en) * | 2018-11-30 | 2023-11-21 | Seclore Technology Private Limited | System for automatic permission management in different collaboration systems |
US11880479B2 (en) | 2021-08-05 | 2024-01-23 | Bank Of America Corporation | Access control for updating documents in a digital document repository |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8996350B1 (en) | 2011-11-02 | 2015-03-31 | Dub Software Group, Inc. | System and method for automatic document management |
US9917736B2 (en) | 2012-01-30 | 2018-03-13 | Microsoft Technology Licensing, Llc | Automated standalone bootstrapping of hardware inventory |
US9367360B2 (en) * | 2012-01-30 | 2016-06-14 | Microsoft Technology Licensing, Llc | Deploying a hardware inventory as a cloud-computing stamp |
US9361473B2 (en) * | 2012-09-14 | 2016-06-07 | Google Inc. | Correcting access rights of files in electronic communications |
CA2898909C (en) * | 2013-01-22 | 2017-09-05 | Amazon Technologies, Inc. | Use of freeform metadata for access control |
US9880984B2 (en) | 2013-10-18 | 2018-01-30 | International Business Machines Corporation | Revision of a portion of a document via social media |
EP3436935A1 (en) * | 2016-03-28 | 2019-02-06 | Oracle International Corporation | Pre-formed instructions for a mobile cloud service |
US10691643B2 (en) * | 2017-11-20 | 2020-06-23 | International Business Machines Corporation | Deduplication for files in cloud computing storage and communication tools |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6505236B1 (en) * | 1999-04-30 | 2003-01-07 | Thinmail, Inc. | Network-based mail attachment storage system and method |
US7054905B1 (en) * | 2000-03-30 | 2006-05-30 | Sun Microsystems, Inc. | Replacing an email attachment with an address specifying where the attachment is stored |
US20070005595A1 (en) * | 2005-06-30 | 2007-01-04 | Neal Gafter | Document access control |
US20080091613A1 (en) * | 2006-09-28 | 2008-04-17 | Microsoft Corporation | Rights management in a cloud |
US20080104393A1 (en) * | 2006-09-28 | 2008-05-01 | Microsoft Corporation | Cloud-based access control list |
US20080147679A1 (en) * | 2003-07-10 | 2008-06-19 | International Business Machines Corporation | Apparatus and method for autonomic email access control |
US7434048B1 (en) * | 2003-09-09 | 2008-10-07 | Adobe Systems Incorporated | Controlling access to electronic documents |
US20090228950A1 (en) * | 2008-03-05 | 2009-09-10 | Microsoft Corporation | Self-describing authorization policy for accessing cloud-based resources |
US20090235087A1 (en) * | 2004-06-24 | 2009-09-17 | Geoffrey David Bird | Security for Computer Software |
US20090257596A1 (en) * | 2008-04-15 | 2009-10-15 | International Business Machines Corporation | Managing Document Access |
US20100131604A1 (en) * | 2008-11-26 | 2010-05-27 | International Business Machines Corporation | System, method and program product for distribution of content contained in an electronic mail message |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7986806B2 (en) * | 1994-11-16 | 2011-07-26 | Digimarc Corporation | Paper products and physical objects as means to access and control a computer or to navigate over or act as a portal on a network |
TW400487B (en) * | 1996-10-24 | 2000-08-01 | Tumbleweed Software Corp | Electronic document delivery system |
US6275850B1 (en) | 1998-07-24 | 2001-08-14 | Siemens Information And Communication Networks, Inc. | Method and system for management of message attachments |
US20020016818A1 (en) | 2000-05-11 | 2002-02-07 | Shekhar Kirani | System and methodology for optimizing delivery of email attachments for disparate devices |
US7454459B1 (en) * | 2001-09-04 | 2008-11-18 | Jarna, Inc. | Method and apparatus for implementing a real-time event management platform |
US7912971B1 (en) * | 2002-02-27 | 2011-03-22 | Microsoft Corporation | System and method for user-centric authorization to access user-specific information |
US7076558B1 (en) * | 2002-02-27 | 2006-07-11 | Microsoft Corporation | User-centric consent management system and method |
US7130474B2 (en) | 2002-09-27 | 2006-10-31 | Eastman Kodak Company | Method and system for generating digital image files for a limited display |
US7409425B2 (en) | 2003-11-13 | 2008-08-05 | International Business Machines Corporation | Selective transmission of an email attachment |
US8539604B2 (en) * | 2005-08-03 | 2013-09-17 | International Business Machines Corporation | Method, system and program product for versioning access control settings |
US20070143851A1 (en) * | 2005-12-21 | 2007-06-21 | Fiberlink | Method and systems for controlling access to computing resources based on known security vulnerabilities |
US20070143827A1 (en) * | 2005-12-21 | 2007-06-21 | Fiberlink | Methods and systems for intelligently controlling access to computing resources |
US7958562B2 (en) * | 2006-04-27 | 2011-06-07 | Xerox Corporation | Document access management system |
JP4832994B2 (en) * | 2006-08-07 | 2011-12-07 | 富士通株式会社 | Document management program, document management system, and access right setting method |
CA2765957C (en) * | 2009-06-19 | 2015-08-04 | Research In Motion Limited | Methods and apparatus to forward documents in a communication network |
WO2010148328A1 (en) * | 2009-06-19 | 2010-12-23 | Research In Motion Limited | Methods and apparatus to forward documents in communication network |
US20110137947A1 (en) | 2009-12-03 | 2011-06-09 | International Business Machines Corporation | Dynamic access control for documents in electronic communications within a cloud computing environment |
2009
- 2009-12-03 US US12/630,121 patent/US20110137947A1/en not_active Abandoned
2010
- 2010-11-15 DE DE112010004651T patent/DE112010004651T8/en active Active
- 2010-11-15 WO PCT/EP2010/067509 patent/WO2011067101A1/en active Application Filing
- 2010-11-15 GB GB1204644.7A patent/GB2488676B/en active Active
- 2010-11-15 CN CN201080054526.8A patent/CN102640162B/en active Active
2011
- 2011-07-08 US US13/178,642 patent/US9514318B2/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6505236B1 (en) * | 1999-04-30 | 2003-01-07 | Thinmail, Inc. | Network-based mail attachment storage system and method |
US7054905B1 (en) * | 2000-03-30 | 2006-05-30 | Sun Microsystems, Inc. | Replacing an email attachment with an address specifying where the attachment is stored |
US20080147679A1 (en) * | 2003-07-10 | 2008-06-19 | International Business Machines Corporation | Apparatus and method for autonomic email access control |
US7434048B1 (en) * | 2003-09-09 | 2008-10-07 | Adobe Systems Incorporated | Controlling access to electronic documents |
US20090235087A1 (en) * | 2004-06-24 | 2009-09-17 | Geoffrey David Bird | Security for Computer Software |
US20070005595A1 (en) * | 2005-06-30 | 2007-01-04 | Neal Gafter | Document access control |
US20080091613A1 (en) * | 2006-09-28 | 2008-04-17 | Microsoft Corporation | Rights management in a cloud |
US20080104393A1 (en) * | 2006-09-28 | 2008-05-01 | Microsoft Corporation | Cloud-based access control list |
US20090228950A1 (en) * | 2008-03-05 | 2009-09-10 | Microsoft Corporation | Self-describing authorization policy for accessing cloud-based resources |
US20090257596A1 (en) * | 2008-04-15 | 2009-10-15 | International Business Machines Corporation | Managing Document Access |
US20100131604A1 (en) * | 2008-11-26 | 2010-05-27 | International Business Machines Corporation | System, method and program product for distribution of content contained in an electronic mail message |
US7877451B2 (en) * | 2008-11-26 | 2011-01-25 | International Business Machines Corporation | System, method and program product for distribution of content contained in an electronic mail message |
Cited By (65)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120084665A1 (en) * | 2004-06-29 | 2012-04-05 | Blake Bookstaff | Method and system for intelligent processing of electronic information with cloud computing |
US9792633B2 (en) * | 2004-06-29 | 2017-10-17 | Blake Bookstaff | Method and system for intelligent processing of electronic information with cloud computing |
US20100137534A1 (en) * | 2007-01-29 | 2010-06-03 | Arkema France | Method for preparing microgel particles by controlled radical polymerization in an aqueous dispersion using nitroxide control agents |
US20110047381A1 (en) * | 2009-08-21 | 2011-02-24 | Board Of Regents, The University Of Texas System | Safemashups cloud trust broker |
US9514318B2 (en) | 2009-12-03 | 2016-12-06 | International Business Machines Corporation | Dynamic access control for documents in electronic communications within a networked computing environment |
US9306868B2 (en) * | 2010-05-28 | 2016-04-05 | Red Hat, Inc. | Cross-cloud computing resource usage tracking |
US20110295998A1 (en) * | 2010-05-28 | 2011-12-01 | James Michael Ferris | Systems and methods for cross-cloud vendor mapping service in a dynamic cloud marketplace |
US8954564B2 (en) * | 2010-05-28 | 2015-02-10 | Red Hat, Inc. | Cross-cloud vendor mapping service in cloud marketplace |
US20150120920A1 (en) * | 2010-05-28 | 2015-04-30 | Red Hat, Inc. | Cross-cloud computing resource usage tracking |
US20110302315A1 (en) * | 2010-06-03 | 2011-12-08 | Microsoft Corporation | Distributed services authorization management |
US8898318B2 (en) * | 2010-06-03 | 2014-11-25 | Microsoft Corporation | Distributed services authorization management |
WO2012023050A2 (en) | 2010-08-20 | 2012-02-23 | Overtis Group Limited | Secure cloud computing system and method |
US20120117142A1 (en) * | 2010-11-05 | 2012-05-10 | Inventec Corporation | Cloud computing system and data accessing method thereof |
US20120179708A1 (en) * | 2011-01-10 | 2012-07-12 | International Business Machines Corporation | Verifying file versions in a networked computing environment |
US9037597B2 (en) * | 2011-01-10 | 2015-05-19 | International Business Machines Corporation | Verifying file versions in a networked computing environment |
US11290446B2 (en) * | 2011-06-08 | 2022-03-29 | Servicenow, Inc. | Access to data stored in a cloud |
US8752138B1 (en) * | 2011-08-31 | 2014-06-10 | Google Inc. | Securing user contact information in collaboration session |
US11218420B2 (en) | 2011-11-18 | 2022-01-04 | Amazon Technologies, Inc. | Virtual network interface objects |
US8868710B2 (en) | 2011-11-18 | 2014-10-21 | Amazon Technologies, Inc. | Virtual network interface objects |
US9369403B2 (en) | 2011-11-18 | 2016-06-14 | Amazon Technologies, Inc. | Virtual network interface objects |
US10367753B2 (en) | 2011-11-18 | 2019-07-30 | Amazon Technologies, Inc. | Virtual network interface records |
US10848431B2 (en) | 2011-11-18 | 2020-11-24 | Amazon Technologies, Inc. | Virtual network interface objects |
US20130185773A1 (en) * | 2012-01-13 | 2013-07-18 | Ubiterra Corporation | Apparatus, system, and method for managing, sharing, and storing seismic data |
CN103294739A (en) * | 2012-02-27 | 2013-09-11 | 富士施乐株式会社 | Document management server, document management device, document management system, and document management method |
US20130226977A1 (en) * | 2012-02-27 | 2013-08-29 | Fuji Xerox Co., Ltd. | Document management server, document management device, document management system, non-transitory computer readable medium storing document management program, and document management method |
US9916545B1 (en) | 2012-02-29 | 2018-03-13 | Amazon Technologies, Inc. | Portable network interfaces for authentication and license enforcement |
US11295246B2 (en) | 2012-02-29 | 2022-04-05 | Amazon Technologies, Inc. | Portable network interfaces for authentication and license enforcement |
US9348802B2 (en) | 2012-03-19 | 2016-05-24 | Litéra Corporation | System and method for synchronizing bi-directional document management |
US11256854B2 (en) | 2012-03-19 | 2022-02-22 | Litera Corporation | Methods and systems for integrating multiple document versions |
US9407641B2 (en) | 2012-04-27 | 2016-08-02 | Hewlett-Packard Development Company, L.P. | Service access control |
US9565260B2 (en) | 2012-06-15 | 2017-02-07 | Amazon Technologies, Inc. | Account state simulation service for cloud computing environments |
US8805971B1 (en) | 2012-06-15 | 2014-08-12 | Amazon Technologies, Inc. | Client-specified schema extensions in cloud computing environments |
US9210178B1 (en) | 2012-06-15 | 2015-12-08 | Amazon Technologies, Inc. | Mixed-mode authorization metadata manager for cloud computing environments |
US9075788B1 (en) | 2012-06-15 | 2015-07-07 | Amazon Technologies, Inc. | Account state simulation service for cloud computing environments |
US8813225B1 (en) | 2012-06-15 | 2014-08-19 | Amazon Technologies, Inc. | Provider-arbitrated mandatory access control policies in cloud computing environments |
US8856077B1 (en) | 2012-06-15 | 2014-10-07 | Amazon Technologies, Inc. | Account cloning service for cloud computing environments |
US10469330B1 (en) | 2012-06-15 | 2019-11-05 | Amazon Technologies, Inc. | Client account versioning metadata manager for cloud computing environments |
US10419371B2 (en) | 2012-08-29 | 2019-09-17 | Rideshark Corporation | Methods and systems for delayed notifications in communications networks |
EP2891278A4 (en) * | 2012-08-29 | 2016-04-13 | Rideshark Corp | Methods and systems for delayed notifications in communications networks |
US9460300B1 (en) * | 2012-09-10 | 2016-10-04 | Google Inc. | Utilizing multiple access control objects to manage access control |
CN102821000A (en) * | 2012-09-14 | 2012-12-12 | 乐视网信息技术(北京)股份有限公司 | Method for improving usability of PaaS platform |
US20140304324A1 (en) * | 2013-04-05 | 2014-10-09 | Canon Kabushiki Kaisha | Content management apparatus, content management method, and program |
US10567481B2 (en) * | 2013-05-31 | 2020-02-18 | International Business Machines Corporation | Work environment for information sharing and collaboration |
US10025782B2 (en) | 2013-06-18 | 2018-07-17 | Litera Corporation | Systems and methods for multiple document version collaboration and management |
US9491177B2 (en) | 2013-10-14 | 2016-11-08 | Microsoft Technology Licensing, Llc | Granting permissions to an object when adding people to a conversation |
WO2015057431A1 (en) * | 2013-10-14 | 2015-04-23 | Microsoft Corporation | Granting permissions to an object when adding people to a conversation |
US10325104B1 (en) | 2014-01-17 | 2019-06-18 | Jpmorgan Chase Bank, N.A. | Systems and methods for data sharing and transaction processing for high security documents |
US11023603B2 (en) | 2014-01-17 | 2021-06-01 | Jpmorgan Chase Bank, N.A. | Systems and methods for data sharing and transaction processing for high security documents |
US9747460B1 (en) * | 2014-01-17 | 2017-08-29 | Jpmorgan Chase Bank, N.A. | Systems and methods for data sharing and transaction processing for high security documents |
US9787499B2 (en) | 2014-09-19 | 2017-10-10 | Amazon Technologies, Inc. | Private alias endpoints for isolated virtual networks |
US11792041B2 (en) | 2014-09-19 | 2023-10-17 | Amazon Technologies, Inc. | Private alias endpoints for isolated virtual networks |
US10256993B2 (en) | 2014-09-19 | 2019-04-09 | Amazon Technologies, Inc. | Private alias endpoints for isolated virtual networks |
US10848346B2 (en) | 2014-09-19 | 2020-11-24 | Amazon Technologies, Inc. | Private alias endpoints for isolated virtual networks |
US10244001B2 (en) * | 2015-06-09 | 2019-03-26 | Intel Corporation | System, apparatus and method for access control list processing in a constrained environment |
US10021196B1 (en) | 2015-06-22 | 2018-07-10 | Amazon Technologies, Inc. | Private service endpoints in isolated virtual networks |
US11172032B2 (en) | 2015-06-22 | 2021-11-09 | Amazon Technologies, Inc. | Private service endpoints in isolated virtual networks |
US11637906B2 (en) | 2015-06-22 | 2023-04-25 | Amazon Technologies, Inc. | Private service endpoints in isolated virtual networks |
US10397344B2 (en) | 2015-06-22 | 2019-08-27 | Amazon Technologies, Inc. | Private service endpoints in isolated virtual networks |
US12047462B2 (en) | 2015-06-22 | 2024-07-23 | Amazon Technologies, Inc. | Private service endpoints in isolated virtual networks |
US11822683B2 (en) * | 2018-11-30 | 2023-11-21 | Seclore Technology Private Limited | System for automatic permission management in different collaboration systems |
US11308039B2 (en) * | 2019-12-31 | 2022-04-19 | Dropbox, Inc. | Binding local device folders to a content management system for synchronization |
US11748315B2 (en) | 2019-12-31 | 2023-09-05 | Dropbox, Inc. | Binding local device folders to a content management system for synchronization |
US12061576B2 (en) | 2019-12-31 | 2024-08-13 | Dropbox, Inc. | Binding local device folders to a content management system for synchronization |
US11790098B2 (en) | 2021-08-05 | 2023-10-17 | Bank Of America Corporation | Digital document repository access control using encoded graphical codes |
US11880479B2 (en) | 2021-08-05 | 2024-01-23 | Bank Of America Corporation | Access control for updating documents in a digital document repository |
Also Published As
Publication number | Publication date |
---|---|
DE112010004651T5 (en) | 2012-10-31 |
CN102640162A (en) | 2012-08-15 |
CN102640162B (en) | 2015-08-12 |
WO2011067101A1 (en) | 2011-06-09 |
GB2488676B (en) | 2016-10-12 |
GB201204644D0 (en) | 2012-05-02 |
DE112010004651T8 (en) | 2013-01-10 |
US20110258234A1 (en) | 2011-10-20 |
GB2488676A (en) | 2012-09-05 |
US9514318B2 (en) | 2016-12-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9514318B2 (en) | | Dynamic access control for documents in electronic communications within a networked computing environment |
US9787697B2 (en) | | Providing security services within a cloud computing environment |
US11119986B2 (en) | | Intelligent data routing and storage provisioning |
US8826001B2 (en) | | Securing information within a cloud computing environment |
US8881244B2 (en) | | Authorizing computing resource access based on calendar events in a networked computing environment |
US9720915B2 (en) | | Presenting metadata from multiple perimeters |
US10205601B2 (en) | | Message broadcasting in a clustered computing environment |
US10944560B2 (en) | | Privacy-preserving identity asset exchange |
JP6314236B2 (en) | | Entity handle registry to support traffic policy enforcement |
US20120246740A1 (en) | | Strong rights management for computing application functionality |
US8839399B2 (en) | | Tenant driven security in a storage cloud |
US9148426B2 (en) | | Securely identifying host systems |
US9246920B2 (en) | | Cloud resource cloning based on collaborative content |
US12041160B2 (en) | | Redactable blockchain |
WO2023098433A1 (en) | | Secure policy distribution in a cloud environment |
US9563419B2 (en) | | Managing deployment of application pattern based applications on runtime platforms |
US10250440B2 (en) | | Managing a generation and delivery of digital identity documents |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AS | Assignment | Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DAWSON, CHRISTOPHER J.;KENDZIERSKI, MICHAEL D.;MCMILLAN, STEPHEN;SIGNING DATES FROM 20091124 TO 20091201;REEL/FRAME:023653/0444 |
| | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
| | AS | Assignment | Owner name: KYNDRYL, INC., NEW YORK. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:058213/0912. Effective date: 20211118 |