1. Field of the Invention
This invention relates generally to data security management, and particularly to a method, system, and computer program product for data security policy enforcement.
2. Description of Background
Data security management, for example, of data that is stored on a computer server or storage device, is important in many applications. For example, corporate or government entities may store data on computer servers that needs various levels of security to limit access to the data by potential users. A popular approach to managing such data security is the use of a virtual “firewall,” which is usually accomplished with a computer program that prohibits unauthorized access to all or part of the server, network, or other system where secure data is stored.
An improved approach to data security management has emerged in which a policy-based, data-centric security structure is used by attaching a security guideline or “policy” to data when it is created. The security policy can be modified in response to changing security needs for the data and stays with the data until it is securely destroyed or placed in long-term secure storage (e.g., an encrypted archive). Enforcement of a security policy based on this data-centric approach is usually accomplished through one or more point solutions (e.g., each addressing a specific policy requirement) that are compatible with a particular type of server or other device (e.g., a particular hardware and/or software “platform”), and the security policy is usually non-selectively enforced on all incoming data to the device, but not outgoing data (e.g., all incoming data is encrypted, but outgoing data is not considered). However, it is desirable for a security policy to be enforceable through a multipurpose solution that is compatible across various platforms (e.g., for enforcement on various types of servers), and for the security policy to be selectively enforceable on incoming and outgoing data on the device.
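As an added illustration (not text or code from the patent), the following Python sketch models the data-centric, direction-selective enforcement that the background contrasts with prior point solutions: a policy object is attached to the data when it is created, only the actions named for the direction being crossed (inbound or outbound) are applied, and the policy can be tightened afterwards while still travelling with the data. The names `Policy`, `SecuredData`, `enforce` and the action strings are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INBOUND, OUTBOUND = "inbound", "outbound"


@dataclass
class Policy:
    """Per-direction rules; the object travels with the data it is attached to."""
    rules: Dict[str, List[str]] = field(default_factory=dict)  # direction -> actions

    def actions(self, direction: str) -> List[str]:
        return self.rules.get(direction, [])


@dataclass
class SecuredData:
    payload: str
    policy: Policy                      # attached at creation, stays with the data
    encrypted: bool = False
    audit_log: List[str] = field(default_factory=list)


def enforce(data: SecuredData, direction: str) -> bool:
    """Apply only the actions the attached policy names for this direction.

    Returns True if the transfer may proceed, False if the policy denies it.
    """
    for action in data.policy.actions(direction):
        if action == "deny":
            data.audit_log.append(f"{direction}: denied")
            return False
        if action == "encrypt" and not data.encrypted:
            data.encrypted = True       # stand-in for a real cipher call
            data.audit_log.append(f"{direction}: encrypted")
        if action == "audit":
            data.audit_log.append(f"{direction}: transfer logged")
    return True


def demo() -> Tuple[bool, bool, bool]:
    # Constructed sample: encrypt on ingress, log on egress, then tighten the
    # policy so that egress is denied outright (policy modified after creation).
    record = SecuredData("payroll Q3", Policy({INBOUND: ["encrypt"], OUTBOUND: ["audit"]}))
    inbound_ok = enforce(record, INBOUND)
    outbound_ok = enforce(record, OUTBOUND)
    record.policy.rules[OUTBOUND] = ["deny"]
    outbound_after = enforce(record, OUTBOUND)
    return inbound_ok, outbound_ok, outbound_after
```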