Recent advances in document creation and management technologies include collaborative creation and editing of documents, automatic repurposing tools, document-centric workflows, and online document sharing. Cloud computing and mobility have merged secure intranets and an insecure Internet, making it easier for a participant to drag-and-drop protected data into a publicly accessible document, possibly without even realizing it. Thus, document access control based on information about a document alone (document level metadata) may be insufficient to prevent leakage of, or provide for adequate management of, sensitive data. Such document level metadata could fail to transfer to, or properly describe, such a newly created or modified document.
For this reason, context-aware policies have been developed for document management and access control. Such context-aware policies take into account the actual (run-time) document contents at the moment a document action is about to be executed. Policy conditions of context-aware policies may include document keywords, data patterns, regular expressions, or any combination thereof, or any other condition that is verifiable on a document and at the same time inherent to a particular type of sensitive data. For example, a document to be exported may be analyzed in light of the context-aware policies, and if a condition of a policy is satisfied, then a protective action defined by the policy may be triggered. In this manner, an inadvertent leak of sensitive data may be avoided.
A policy may consist of a specification of an action to which it is applicable, a policy condition, and possible policy exceptions. For example, an action to which a policy is applicable may include transferring a document to a Universal Serial Bus (USB) device, or sending a document by e-mail. A single policy may be applicable to more than one action, or more than one policy may be applicable to the same action. A policy condition may include several conditions combined by operations such as AND, OR, or NOT. Policy exceptions may specify when a policy does not apply. For example, a policy could forbid sending an e-mail containing confidential information to all addresses except internal (e.g. within a company or organization) e-mail addresses.
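The policy structure described above (applicable actions, a condition built from keywords and patterns with AND, OR and NOT, and an exception) can be sketched as a small evaluator. This is an added example, not code from the original text; the policy names, the response labels "block" and "log", the `example.com` domain and the identifier pattern are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Condition builders: each returns a predicate over the document text as it
# exists at the moment the action is requested (run-time content).
def keyword(word):
    pat = re.compile(r"\b" + re.escape(word) + r"\b", re.IGNORECASE)
    return lambda text: bool(pat.search(text))

def pattern(regex):
    pat = re.compile(regex)
    return lambda text: bool(pat.search(text))

def AND(*conds): return lambda text: all(c(text) for c in conds)
def OR(*conds): return lambda text: any(c(text) for c in conds)
def NOT(cond): return lambda text: not cond(text)

def internal_only(ctx):
    # Exception: every recipient is inside the organization (constructed domain).
    recips = ctx.get("recipients", [])
    return bool(recips) and all(r.lower().endswith("@example.com") for r in recips)

@dataclass
class Policy:
    name: str
    actions: frozenset           # actions the policy applies to
    condition: Callable          # predicate over document text
    response: str                # hypothetical protective action label
    exception: Callable = None   # predicate over action context, or None

POLICIES = [  # constructed sample policies
    Policy("confidential-mail", frozenset({"email"}),
           OR(keyword("confidential"), pattern(r"\b\d{3}-\d{2}-\d{4}\b")),
           "block", internal_only),
    Policy("payroll-data", frozenset({"email", "usb"}),
           AND(keyword("salary"), NOT(keyword("public"))), "log"),
]

def evaluate(action, text, ctx, policies=POLICIES):
    """Return (policy, response) pairs triggered by this action on this content."""
    hits = []
    for p in policies:
        if action not in p.actions:
            continue                       # policy does not cover this action
        if p.exception and p.exception(ctx):
            continue                       # policy exception applies
        if p.condition(text):
            hits.append((p.name, p.response))
    return hits
```

Note that `internal_only` returns false for an empty recipient list, so a missing context never silently exempts a document from a policy.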
It is expected that documents that issue from a single source (e.g. a single business or a single template) will have common content, relating to the same subjects and topics. Yet, only some of the documents may contain sensitive content that may be distinguished by conditions of policies. In addition, a natural language may include many ways to express a single concept or subject. Thus, a policy may be made to be sufficiently flexible so as to accommodate potential variations as well as language inflections or spelling errors. Context-aware policy conditions may therefore incorporate alternatives, negations, and variants.