Due to recent technological advances, individuals and organizations may quickly and easily share, access, and disseminate high volumes of digital information. For many individuals and organizations, the ease with which information may be electronically disseminated is empowering. However, the ubiquity of high-speed Internet access, smart mobile devices, and portable storage devices may pose unique challenges for individuals and organizations concerned with preventing the loss and/or exposure of sensitive data. Individuals and organizations are therefore increasingly looking to data-loss-prevention (DLP) systems to protect their sensitive data.
Conventional DLP systems may protect sensitive data by (1) identifying sensitive data (e.g., through the use of keywords, expressions, patterns, or file types), (2) identifying applications whose access to the sensitive data should be allowed, blocked, or restricted in accordance with a DLP policy, (3) monitoring attempts by the identified applications to access the sensitive data, and (4) when an attempt by an application to access sensitive data is detected, applying a DLP policy associated with the application by either allowing, blocking, or restricting access to the sensitive data in accordance with the DLP policy.
Typically, a DLP system identifies an application using an executable file of the application. Once an application is identified, the DLP system may monitor attempts by the application to access sensitive data by monitoring attempts to access sensitive data made by a process created when the executable file is launched. Unfortunately, monitoring only those attempts to access sensitive data made by this process may cause a DLP system to improperly apply DLP policies to certain types of applications.
For example, the execution of some applications (e.g., multiple-process applications) may generate multiple processes, some of which are created when a certain feature of the application is used rather than when the application is launched. In these instances, a DLP system that monitors only those attempts to access sensitive data made by a process created when an application is launched may be unable to apply DLP policies associated with the application to all processes related to the application. This may in turn result in attempts by these related processes to access sensitive data being improperly allowed, blocked, or restricted. In addition, a DLP administrator may be required to manually identify any additional processes created by the execution of the application in order to have DLP policies applied to these additional processes.
Furthermore, the execution of certain applications (e.g., hosted applications) may be performed by a host process that may simultaneously host other applications. In these instances, a DLP system that monitors attempts to access sensitive data made by the host process created when this type of application is launched may inadvertently apply DLP policies associated with the host process to attempts to access sensitive data made by applications hosted by the host process. This in turn may result in attempts to access sensitive data by these other applications being improperly allowed, blocked, or restricted. Accordingly, the instant disclosure addresses a need for additional and improved systems and methods for applying data-loss-prevention policies.
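The two failure modes described above (a feature process spawned after launch, and a shared host process), as an added illustration that is not part of the disclosure: a constructed process table, a conventional lookup keyed only on the launched executable, and a lookup that resolves the owning application from process ancestry and from the hosted-component identity. All process names, identifiers and policy actions are assumed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Process:
    pid: int
    exe: str
    parent: Optional[int] = None
    hosted_component: Optional[str] = None  # what a host process is currently running

# Constructed process table (assumed names, not from the disclosure).
PROCESSES: Dict[int, Process] = {
    100: Process(100, "editor.exe"),
    101: Process(101, "spellcheck.exe", parent=100),      # spawned when a feature is used
    200: Process(200, "hostproc.exe", hosted_component="AppA"),
    201: Process(201, "hostproc.exe", hosted_component="AppB"),  # same host, other app
}

# Administrator-defined policy: application identity -> DLP action.
POLICY = {"Editor": "restrict", "AppA": "block"}
# Conventional identification: the executable that was launched names the application.
# AppA is a hosted application, so the administrator had to register its host executable.
APP_BY_EXE = {"editor.exe": "Editor", "hostproc.exe": "AppA"}
# Executables that host other applications; their identity must come from the hosted component.
HOST_EXES = {"hostproc.exe"}

def naive_decision(pid: int) -> str:
    """Conventional lookup: identify the application only by the process's executable."""
    app = APP_BY_EXE.get(PROCESSES[pid].exe)
    return POLICY.get(app, "allow")

def process_aware_decision(pid: int) -> str:
    """Resolve the owning application: a host process is identified by what it hosts,
    any other process by the first registered executable found walking up its ancestry."""
    proc: Optional[Process] = PROCESSES[pid]
    while proc is not None:
        if proc.exe in HOST_EXES:
            return POLICY.get(proc.hosted_component, "allow")
        app = APP_BY_EXE.get(proc.exe)
        if app is not None:
            return POLICY.get(app, "allow")
        proc = PROCESSES.get(proc.parent) if proc.parent is not None else None
    return "allow"

def compare(pid: int) -> Tuple[str, str]:
    """Return (conventional decision, process-aware decision) for one access attempt."""
    return naive_decision(pid), process_aware_decision(pid)

if __name__ == "__main__":
    for pid in PROCESSES:
        print(pid, PROCESSES[pid].exe, compare(pid))
```

Running the block shows the spellcheck process allowed under the conventional lookup but restricted once ancestry is considered, and AppB blocked by the host process's policy until the hosted component is used for identification.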