US2017005809A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2017005809-A1 |
| Application number | US-201514788377-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 30, 2015 |
| Priority date | Jun 30, 2015 |
| Publication date | Jan 5, 2017 |
| Grant date | — |
Official abstract text for this publication.
A program on a device communicates with services of an organization and obtains data associated with the organization (also referred to as organization data). The organization data is optionally encrypted using one or more encryption keys, in which case the program has access to one or more decryption keys allowing the organization data to be decrypted and used at the device. Situations can arise in which the organization data stored on the device is to no longer be accessible to a user and/or the device, which is also referred to as the data being revoked. In response to organization data being revoked at the device, various techniques are used to intelligently delete the data, which refers to determining, based on the revocation that occurred and the nature of the data on the device, which data on the device is to be deleted from the device.
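A sketch of the selection step the abstract describes, combining the rules stated in claims 4, 5, 7 and 9 of the claim text on this page. It is an added illustration, not code from the patent or its applicant; the `Item` fields, the integer sensitivity scale and the sample data are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    key: str                 # file path or database-entry id (hypothetical)
    credentials: frozenset   # credential ids the item is associated with
    sensitivity: int         # assumed scale: higher means more sensitive

def select_for_deletion(items, revoked, valid):
    """Pick the subset to delete after the `revoked` credentials lose access."""
    selected = [
        it for it in items
        if it.credentials & revoked        # tied to a revoked credential (claim 4)
        and not (it.credentials & valid)   # and to no still-valid credential (claim 9)
    ]
    # Most sensitive first (claim 5); sorted() is stable for equal scores.
    return sorted(selected, key=lambda it: it.sensitivity, reverse=True)

def delete_items(store, keys, reason):
    """Remove keys from the local store; return True if peers should be told."""
    for key in keys:
        store.pop(key, None)
    # Claim 7: ordinary deletions are synchronized, revocation wipes are not.
    return reason != "revocation"

def handle_revocation(store, revoked, valid):
    """Run selection and deletion; return (deletion order, propagate flag)."""
    order = [it.key for it in select_for_deletion(store.values(), revoked, valid)]
    propagate = delete_items(store, order, reason="revocation")
    return order, propagate

def sample_store():
    """Constructed sample data, not taken from the patent."""
    items = [
        Item("mail/alice.pst", frozenset({"alice"}), 2),
        Item("hr/payroll.db#row17", frozenset({"alice"}), 5),
        Item("shared/plan.docx", frozenset({"alice", "bob"}), 4),
        Item("mail/bob.pst", frozenset({"bob"}), 2),
        Item("personal/photo.jpg", frozenset(), 0),
    ]
    return {it.key: it for it in items}

if __name__ == "__main__":
    store = sample_store()
    print(handle_revocation(store, revoked={"alice"}, valid={"bob"}))
    print(sorted(store))  # what survives the wipe
```

The shared document survives because one of its credentials is still valid, and the item with no organization credential is never a candidate.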
Opening claim text (preview).
What is claimed is:

1. A method implemented in a computing device, the method comprising: determining whether access to first organization data on the computing device has been revoked, the first organization data comprising data that is associated with an organization; selecting, in response to the access being revoked and based at least on a nature of the first organization data, second organization data on the computing device, the second organization data comprising a subset of the first organization data; and deleting the second organization data from the computing device.
2. The method as recited in claim 1, the first organization data including one or more files on the computing device and/or one or more database entries on the computing device.
3. The method as recited in claim 1, the first organization data including metadata regarding other of the first organization data.
4. The method as recited in claim 1, the second organization data comprising data that is associated with revoked user credentials.
5. The method as recited in claim 1, further comprising prioritizing the second organization data so that second organization data that is more sensitive has a higher priority than second organization data that is less sensitive, and the deleting comprising deleting the higher priority second organization data before deleting lower priority second organization data.
6. The method as recited in claim 1, further comprising synchronizing the first organization data with one or more additional computing devices that are managed by a same organization as the computing device.
7. The method as recited in claim 6, further comprising: determining, for a data deletion at the computing device, whether the second organization data is being deleted in response to a revocation event; synchronizing the data deletion with the one or more additional computing devices in response to the second organization data being deleted other than in response to the revocation event; and not synchronizing the data deletion with the one or more additional computing devices in response to the second organization data being deleted in response to the revocation event.
8. The method as recited in claim 1, further comprising: maintaining a record that access to the first organization data on the computing device has been revoked; and performing the selecting and deleting for second organization data stored on a removable storage device in response to the removable storage device being connected to the computing device.
9. The method as recited in claim 1, the selecting the second organization data further comprising excluding, from the second organization data, first organization data that is still associated on the computing device with at least one valid credential, the valid credential corresponding to a user that is associated with the first organization data or an organization that is associated with the data.
10. The method as recited in claim 1, further comprising notifying one or more programs on the computing device that access to the first organization data on the computing device has been revoked to allow the one or more programs to take an appropriate responsive action.
11. The method as recited in claim 1, the second organization data including data for which the storage and retrieval is managed by a program that communicates with an organization service of the organization, as well as data for which the storage and retrieval is not managed by the program.
12. The method as recited in claim 1, further comprising: determining a portion of the second organization data that can be decrypted rather than deleted; and decrypting and saving the portion of the second organization data rather than deleting the portion of the second organization data.
13. A computing device comprising: a storage device configured to store first organization data that is associated with an organization; a revocation detection module configured to determine whether access to the first organization data on the computing device has been revoked; a data selection module configured to receive an indication from the revocation detection module that access to the first organization data has been revoked, and to select, in response to the access being revoked and based at least on a nature of the first organization data, second organization data on the computing device that is to be deleted, the second organization data comprising at least a portion of the first organization data; and a data deletion module configured to receive an indication from the data selection module with respect to the second organization data and to delete from the computing device the second organization data.
14. The computing device as recited in claim 13, the second organization data including one or more files on the computing device and/or one or more database entries on the computing device.
15. The computing device as recited in claim 13, the second organization data including metadata regarding other of the second organization data.
16. The computing device as recited in claim 13, the computing device further comprising a synchronization module to synchronize the first organization data with one or more additional computing devices that are managed by a same organization as the computing device, the data selection module being further to: determine, for a data deletion at the computing device, whether the second organization data is being deleted in response to a revocation event; synchronize the data deletion with the one or more additional computing devices in response to the second organization data being deleted other than in response to the revocation event; and not synchronize the data deletion with the one or more additional computing devices in response to the second organization data being deleted in response to the revocation event.
17. The computing device as recited in claim 13, the data selection module being further configured to: maintain a record that access to the first organization data on the computing device has been revoked; and select, and indicate to the data deletion module to delete, the second organization data on a removable device connected to the computing device in response to the removable device being connected to the computing device.
18. A computing device comprising: a storage device configured to store first organization data that is associated with an organization; a data selection module configured to select second organization data for deletion from the computing device in response to access to the first organization data on the computing device having been revoked, the second organization data comprising a subset of the first organization data, the selection of the second organization data comprising excluding from the second organization data any of the first organization data that is still associated with at least one valid credential, the at least one valid credential corresponding to one or more users that are associated with the organization data or an organization that is associated with the data; and a data deletion module configured to receive an indication from the data selection module of the second organization data and delete from the computing device the second organization data.
19. The computing device as recited in claim 18, the data selection module being further configured to determine a portion of the second organization data that can be decrypted rat
to a system of files or objects, e.g. local or distributed file system or database · CPC title
Clearing memory, e.g. to prevent the data from being stolen · CPC title
using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title
Office automation; Time management · CPC title
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title