Memory access control method and system
US-2018067848-A1 · Mar 8, 2018 · US
Method, first device, second device and system for managing access to data
US10963167B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10963167-B2 |
| Application number | US-201715858882-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 29, 2017 |
| Priority date | Dec 29, 2017 |
| Publication date | Mar 30, 2021 |
| Grant date | Mar 30, 2021 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
The invention relates to a method for managing data access. The method includes receiving at least one request for accessing data; capturing data relating to at least one current context signal during each data access request; comparing, as a current authorization step, the data relating to at least one captured current context signal to predetermined reference data relating to at least one corresponding context signal according to at least one corresponding predetermined authorization policy; determining, based upon the current authorization result and at least one predetermined dynamic data access policy, whether the data access is or is not authorized, as a data access decision; and issuing the data access decision. The invention also relates to corresponding first device, second device and system.
First claim
Opening claim text (preview).
The invention claimed is: 1. A method for managing access to data stored in a computer environment, comprising: receiving, by a first device, at least one request for accessing data; capturing, by the first device, data relating to at least one current context signal during each and every data access request, wherein each and every data access request is distinct from an original login data access request; selecting, by the first device, at least one piece of the captured data relating to the at least one current context signal based on at least one corresponding predetermined authorization policy, wherein the selection of at least one piece of the captured data relating to the at least one current context signal is carried out in response to each and every data access request; comparing, as a current authorization step, by the first device or a second device connected or coupled to the first device, the selected data relating to at least one captured current context signal to predetermined reference data relating to at least one corresponding context signal according to the at least one corresponding authorization policy, wherein the comparison of respective selected data relating to the at least one captured context signal and respective reference data relating to the at least one corresponding context signal is carried out in response to each and every data access request; determining, by the first or second device, based upon (a) whether the selected data relating to the at least one captured current context signal matches the reference data relating to the at least one corresponding context signal according to the at least one corresponding authorization policy and (b) at least one predetermined dynamic data access policy, whether the data access is or is not authorized, as a dynamic data access decision; and issuing, by the first or second device, the dynamic data access decision, the dynamic data access decision being either a data access authorization or a data access deny. 2. Method according to claim 1 , wherein, if the data access is authorized, then the data is accessed according to the at least one dynamic data access policy, the at least one dynamic data access policy including at least one element of a group comprising: a data reading entitlement, a data sharing entitlement, a data creation entitlement, a data removal entitlement, a data update entitlement, a data writing entitlement and a metadata update entitlement, the metadata being associated with the concerned data. 3. Method according to claim 1 , wherein, if the data access is authorized, then the at least one dynamic data access policy includes at least one element of a group comprising, as at least one additional condition to be satisfied: requesting to further authenticate the requester prior to granting access to data; carrying out at least one action prior to granting access to data; carrying out at least one action after granting access to data; sending at least one predetermined alert message to at least one predetermined addressee. 4. Method according to claim 1 , wherein, if the data access is not authorized, then the data is not accessed according to the at least one dynamic data access policy. 5. Method according to claim 4 , wherein, when the data access is not authorized, the at least one dynamic data access policy includes at least one element of a group comprising: sending at least one predetermined alert message to at least one predetermined addressee; sending a data access request response refusal; sending a data access request response refusal accompanied with at least one reason; requesting to further authenticate the requester; carrying out at least one action; and disconnecting the open requester session. 6. Method according to claim 1 , wherein the method further comprises at least one anomaly detection, the at least one anomaly detection comprising detecting a change of at least one of the at least one captured current context signal with respect to at least one corresponding captured previous context signal, the at least one dynamic data access policy being able to change when at least one of the at least one anomaly detection occurs. 7. Method according to claim 1 , wherein at least one of the at least one dynamic data access policy changes when at least one of the at least one captured current context signal has changed with respect to a corresponding captured previous context signal or a corresponding reference context signal. 8. Method according to claim 1 , wherein the original login data access request is valid for one and the same user; and wherein each and every data access request of a plurality of data access requests is valid for the user. 9. A first device for managing access to data stored in a computer environment, wherein the first device includes at least one processor and is configured to: receive at least one request for accessing data; capture data relating to at least one current context signal during each and every data access request, wherein each and every data access request is distinct from an original login data access request; select at least one piece of the captured data relating to the at least one current context signal based on at least one corresponding predetermined authorization policy, wherein the selection of at least one piece of the captured data relating to the at least one current context signal is carried out in response to each and every data access request; compare, as a current authorization, the selected data relating to at least one captured current context signal to reference data relating to at least one corresponding context signal according to the at least one corresponding predetermined authorization policy, wherein the comparison of respective selected data relating to the at least one captured context signal and respective reference data relating to the at least one corresponding context signal is carried out in response to each and every data access request; determine, based upon (a) whether the selected data relating to the at least one captured current context signal matches the reference data relating to the at least one corresponding context signal according to the at least one corresponding authorization policy and (b) at least one predetermined dynamic data access policy, whether the data access is or is not authorized, as a dynamic data access decision; and issue the dynamic data access decision, the dynamic data access decision being either a data access authorization or a data access deny. 10. A second device for managing access to data stored in a computer environment, wherein the second device includes at least one processor and is configured to: receive data relating to at least one captured current context signal during each and every data access request, wherein each and every data access request is distinct from an original login data access request; select at least one piece of the captured data relating to the at least one current context signal based on at least one corresponding predetermined authorization policy, wherein the selection of at least one piece of the captured data relating to the at least one current context signal is carried out in response to each and every data access request; compare, as a current authorization, the selected data relating to at least one captured current context signal to predetermined reference data relating to at least one corresponding context signal according to the at least one corresponding authorization policy, wherein the comparison of respective selected data relating to the at least one captured context signal and respective reference data relating to the at least one
Assignees
Inventors
Classifications
- G06F21/31Primary
User authentication · CPC title
Permissions · CPC title
- G06F3/0622Primary
in relation to access · CPC title
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title
for controlling access to devices or network resources · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10963167B2 cover?
- The invention relates to a method for managing data access. The method includes receiving at least one request for accessing data; capturing data relating to at least one current context signal during each data access request; comparing, as a current authorization step, the data relating to at least one captured current context signal to predetermined reference data relating to at least one cor…
- Who is the assignee on this patent?
- Gemalto Sa, Safenet Inc, Thales Dis France Sa, and 1 more
- What technology area does this patent fall under?
- Primary CPC classification G06F21/31. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Mar 30 2021 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).