The proliferation of mobile devices has created new data loss problems that are addressed in this invention. Mobile telephones or "handsets" with extensive computing, communication, input, and interaction capabilities ("smart phones"), together with a growing array of other mobile computing devices such as touchscreen tablets, "netbooks", electronic document readers, and laptops of many sizes with wireless and wired communication capabilities, all have access to networks and to private data that must be secured. Yet the mobile nature of these devices creates opportunities for data leakage that did not exist previously.
The success and popularity of mobile devices has been accompanied by complementary advances in long range wireless broadband technologies such as 3G and 4G, as well as by the commonplace deployment of short range wireless technologies such as the 802.11 series of wireless standards and the "Bluetooth" short range wireless standard, all offering considerable bandwidth. These technologies span multiple radio frequency bands and protocols. Together they give mobile devices the capability to access and transmit data of almost any size, which raises the potential for a breach.
Alongside the radio transceivers for such communications capabilities, many of these devices also contain an array of onboard sensors such as cameras, microphones, and GPS receivers plus other locating technologies, as well as considerable fixed-onboard and removable memory for information and multimedia storage. Furthermore, smartphones and similar devices are typically capable of running a wide variety of software applications such as browsers, e-mail clients, media players, and other applications, which in some cases may be installed by the user.
Along with the profusion of smartphones and other mobile, wireless-capable devices, there has also been a dramatic increase in the use of social networks and related technologies for information sharing for consumer as well as for professional uses. Because social network applications on mobile devices tend to use an extensive array of sensors and features, access to the applications and services has heightened concerns about individual, government, and corporate information security, and about possibilities for privacy violations and other unintended and undesirable information sharing. Furthermore, the possible professional and personal use of any given handset presents a complex set of usage contexts under which rules for device capability usage and information access need to be considered.
Beyond local concerns regarding the security of these devices for their individual users, many mobile devices are used on corporate networks or are otherwise used in corporate settings or in other cases where they may access or store sensitive corporate documents or other information. The acronym BYOD (Bring Your Own Device) is commonly used to describe the use of personal mobile devices brought in by users in business settings. One result of such BYOD activity and other mobile device usage in organizations has been a heightened awareness of the potential for leakage or other undesired exposure of sensitive, confidential, or proprietary data of the organization or other entity owning that data to parties not authorized to view or access that data. Such undesired access is referred to as “data loss”. Such access incidents may even involve modification of the data by unauthorized parties, thereby compromising the integrity as well as the confidentiality of the data. As a result, the subject of Data Loss Prevention (DLP) is of increasing importance in the business world and in other areas such as government and healthcare where confidentiality of information is critical.
Such sophisticated and capable smartphones and similar devices, along with the vast amounts of information that they can contain and access, present a large set of potential security vulnerabilities (a large “attack surface”) that might allow information to be accessed by malicious parties or allow undesirable use and exploitation of device capabilities for malicious purposes such as “phishing” fraud, other online fraud, or inclusion in botnets for spam transmission, denial-of-service attacks, malicious code distribution, and other undesirable activities.
Data loss need not only be malicious in nature. A corporate user may unwittingly post sensitive information to a social network, not understanding its sensitivity. Data loss may also be accidental, for example, where a user places data on a cloud service not realizing it is publicly accessible. Furthermore, compared with conventional desktop personal computers, smartphone handsets by nature are small and portable and thus more easily stolen. Portability also means that the devices will encounter security contexts that cannot be foreseen, and which may never occur again.
All of these issues indicate that privacy threats, and concerns about those threats, have grown significantly given the network capabilities of the devices and, in many cases, the presence of cameras, microphones, and other sensors that may capture sensitive information. Whether a data loss is intentional (malicious or merely naïve) or accidental, the damage associated with it can be devastating. The mobile threat landscape is complex and presents a vast set of existing and emerging security and privacy concerns.
Existing basic DLP techniques start with firewall protections. By creating a global barrier between protected data and the outside network, they reduce data loss problems. The problem with these techniques is that they focus only on preventing malicious intrusion from outside; they do not address insider threats or accidental data leaks by users who are already inside the barrier. More advanced techniques use learning algorithms to determine what data should and should not be released, and under what conditions. The drawback is that most security contexts are complex, and that complexity causes these algorithms to produce false negatives: sensitive data classified as releasable and therefore released erroneously. For many industries, this is unacceptable. Finally, data loss designation techniques manually tag data that is private, or ensure that only specific people are allowed to access that data. These techniques can be too restrictive and inflexible, because a static tag or access list cannot express the context in which a release occurs. This is the familiar security paradox: too little security leads to breaches, while too much security harms productivity.
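To make the limitations described above concrete, the following is an added illustration (not code from the patent text, and not the invention described later): a toy policy engine that models two of the existing approaches, a perimeter (firewall-style) rule and a manual-designation (tag plus allow-list) rule, and applies them to a few constructed release requests. The document, user, and destination names are invented for the demonstration.

```python
"""Toy model of two existing DLP approaches: perimeter rules and manual designation.

Added illustration only. The documents, users, and destinations below are
constructed for the demonstration and do not come from the original text.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable


@dataclass(frozen=True)
class Document:
    name: str
    tags: frozenset = frozenset()      # manual designation, e.g. {"confidential"}
    allowed: frozenset = frozenset()   # principals permitted to handle a tagged document


@dataclass(frozen=True)
class ReleaseRequest:
    user: str
    document: Document
    destination: str                   # e.g. "intranet", "social-network", "partner-portal"
    authenticated: bool                # did the user pass the perimeter (firewall/VPN) check?


Rule = Callable[[ReleaseRequest], bool]   # True means "release the data"


def perimeter_rule(req: ReleaseRequest) -> bool:
    """Firewall-style DLP: anyone inside the perimeter may move data anywhere.

    This only keeps outsiders away from the data, so an insider who is
    malicious or merely careless is never blocked.
    """
    return req.authenticated


def designation_rule(req: ReleaseRequest) -> bool:
    """Tag-based DLP: a tagged document may go only to listed principals.

    The destination and every other aspect of context are ignored, so the
    rule cannot tell a leak from a legitimate but unforeseen use.
    """
    if not req.document.tags:
        return True
    return req.user in req.document.allowed


def widen_allow_list(doc: Document, user: str) -> Document:
    """The only lever a designation scheme offers: add a principal to the list."""
    return Document(doc.name, doc.tags, doc.allowed | {user})


def evaluate(req: ReleaseRequest, rules: Iterable[Rule]) -> Dict[str, bool]:
    """Report, per rule, whether the request would be released."""
    return {rule.__name__: rule(req) for rule in rules}


# --- constructed sample data --------------------------------------------
PLAN = Document("q3-plan.docx", tags=frozenset({"confidential"}),
                allowed=frozenset({"alice"}))

# An insider posts the plan to a social network. The perimeter rule lets it
# through (the user is authenticated); the designation rule blocks it.
INSIDER_LEAK = ReleaseRequest("bob", PLAN, "social-network", authenticated=True)

# A colleague needs to share the plan with a partner portal that did not
# exist when the tag was applied. The designation rule blocks it too,
# because the rule has no notion of destination or purpose.
PARTNER_SHARE = ReleaseRequest("carol", PLAN, "partner-portal", authenticated=True)


if __name__ == "__main__":
    rules = [perimeter_rule, designation_rule]
    for req in (INSIDER_LEAK, PARTNER_SHARE):
        print(req.user, "->", req.destination, evaluate(req, rules))
    # Widening the allow list unblocks carol for the partner portal, but it
    # equally permits her to post the plan to a social network: the control
    # is per-principal, not per-context.
    widened = widen_allow_list(PLAN, "carol")
    for dest in ("partner-portal", "social-network"):
        req = ReleaseRequest("carol", widened, dest, authenticated=True)
        print(req.user, "->", dest, evaluate(req, rules))
```

Running the script shows the two failure modes side by side: the perimeter rule releases the insider's post, while the static tag blocks the partner share until the allow list is widened, at which point it also releases the social-network post. Neither rule can express "carol may send this document to the partner portal but nowhere else", which is the inflexibility the paragraph refers to.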
There is, therefore, a growing need to improve not only the degree of protection provided by the components and systems that enhance the security of mobile devices, but also the security of those security-related components and systems themselves, so that they, the devices, and the information they protect are more robust and better able to withstand attempts to thwart or otherwise compromise them.
This document presents specific DLP innovations that address these issues. Specifically, what is described is a system and methods for active data loss prevention that are more robust than both the basic and advanced current best techniques but that are also far more dynamic and flexible than current designation techniques. Certain aspects of related, complementary topics to DLP such as data encryption and digital signing of data are also presented.