US-12627635-B2 - System and method for automatic document protection using information rights management
Abstract
System and method for automatically protecting sensitive information downloaded as documents from enterprise web applications using Information Rights Management. The system includes technologies capable of intercepting and modifying HTTP traffic, software/program to detect and extract the sensitive information out of the HTTP traffic, and an IRM Server. The HTTP request and response are inspected and any sensitive information found is extracted and protected using the IRM Server. The IRM protected version of the sensitive information is then sent to an HTTP client.
Inventors
- Darashan Singh Yadav
- Hiranyakumar Anilkumar Patel
Assignees
- Seclore Technology Pvt Ltd.
Dates
- Publication Date: 20260512
- Application Date: 20220330
Claims (20)
- 1. A method for automatically protecting documents using Information Rights Management (IRM), the method comprising: intercepting, via a traffic interceptor, a request for downloading information from a client device; forwarding, via the traffic interceptor, the request to a traffic protector; inspecting, via the traffic protector, the request and extracting metadata comprising a URL pattern and request parameters from the request to determine, before the response is generated by the enterprise application, whether the response will contain sensitive information requiring IRM protection; sending, via the traffic protector, the request back to the traffic interceptor; forwarding, via the traffic interceptor, the request for the response to an enterprise application running on an application server; sending, via the enterprise application, the requested information in a response to the traffic interceptor; forwarding, via the traffic interceptor, the response to the traffic protector; inspecting, via the traffic protector, the response and extracting sensitive information, protecting, via the traffic protector, the sensitive information using an encryption key; replacing the sensitive information in the response with the IRM protected version of the sensitive information, wherein the IRM protected version is generated by applying specific permissions based on the user identity and the type of information requested; forwarding the response with IRM protected sensitive information to the traffic interceptor; and sending the response with the IRM protected information to the client device.
- 2. The method of claim 1, wherein protecting the sensitive information includes determining what permissions are to be applied to the protected sensitive information.
- 3. The method of claim 1, wherein the encryption key is fetched from an IRM server.
- 4. The method of claim 1, wherein the sensitive information is in a document downloaded from the enterprise application running an HTTP protocol.
- 5. The method of claim 1, wherein the traffic interceptor is installed between the application server running the enterprise application and the client device in order to intercept HTTP requests and modify HTTP responses between the application server and client device.
- 6. The method of claim 1, wherein the traffic protector is connected to the traffic interceptor in order to inspect and detect sensitive information in an HTTP response forwarded by the traffic interceptor.
- 7. The method of claim 1, wherein the IRM server is connected to the traffic protector.
- 8. A system for automatically protecting documents using Information Rights Management (IRM), the system comprising: a processor; and memory, the memory storing instructions to execute a method, the method comprising: intercepting, via a traffic interceptor, a request for downloading information from a client device; forwarding, via the traffic interceptor, the request to a traffic protector; inspecting, via the traffic protector, the request and extracting metadata comprising a URL pattern and request parameters from the request to determine, before the response is generated by the enterprise application, whether the response will contain sensitive information requiring IRM protection; sending, via the traffic protector, the request back to the traffic interceptor; forwarding, via the traffic interceptor, the request for the response to an enterprise application running on an application server; sending, via the enterprise application, the requested information in a response to the traffic interceptor; forwarding, via the traffic interceptor, the response to the traffic protector; inspecting, via the traffic protector, the response and extracting sensitive information, protecting, via the traffic protector, the sensitive information using an encryption key; replacing the sensitive information in the response with the IRM protected version of the sensitive information; forwarding the response with IRM protected sensitive information to the traffic interceptor; and sending the response with the IRM protected information to the client device.
- 9. The system of claim 8, wherein protecting the sensitive information includes determining what permissions are to be applied to the protected sensitive information.
- 10. The system of claim 8, wherein the encryption key is fetched from an IRM server.
- 11. The system of claim 8, wherein the sensitive information is in a document downloaded from an enterprise application running an HTTP protocol.
- 12. The system of claim 8, wherein the traffic interceptor is installed between an application server running the enterprise application and a client device in order to intercept HTTP requests and modify HTTP responses between the application server and client device.
- 13. The system of claim 8, wherein the traffic protector is connected to the traffic interceptor in order to inspect and detect sensitive information in an HTTP response forwarded by the traffic interceptor.
- 14. The system of claim 8, wherein the IRM server is connected to the traffic protector.
- 15. A non-transitory computer readable medium storing instructions to cause a processor to execute a method, the method comprising: intercepting, via a traffic interceptor, a request for downloading information from a client device; forwarding, via the traffic interceptor, the request to a traffic protector; inspecting, via the traffic protector, the request and extracting metadata comprising a URL pattern and request parameters from the request to determine, before the response is generated by the enterprise application, whether the response will contain sensitive information requiring IRM protection; sending, via the traffic protector, the request back to the traffic interceptor; forwarding, via the traffic interceptor, the request for the response to an enterprise application running on an application server; sending, via the enterprise application, the requested information in a response to the traffic interceptor; forwarding, via the traffic interceptor, the response to the traffic protector; inspecting, via the traffic protector, the response and extracting sensitive information, protecting, via the traffic protector, the sensitive information using an encryption key; replacing the sensitive information in the response with the IRM protected version of the sensitive information; forwarding the response with IRM protected sensitive information to the traffic interceptor; and sending the response with the IRM protected information to the client device.
- 16. The non-transitory computer readable medium of claim 15, wherein protecting the sensitive information includes determining what permissions are to be applied to the protected sensitive information.
- 17. The non-transitory computer readable medium of claim 15, wherein the encryption key is fetched from an IRM server.
- 18. The non-transitory computer readable medium of claim 15, wherein the sensitive information is in a document downloaded from the enterprise application running an HTTP protocol.
- 19. The non-transitory computer readable medium of claim 15, wherein the traffic interceptor is installed between the application server running the enterprise application and the client device in order to intercept HTTP requests and modify HTTP responses between the application server and client device.
- 20. The non-transitory computer readable medium of claim 15, wherein the traffic protector is connected to the traffic interceptor in order to inspect and detect sensitive information in an HTTP response forwarded by the traffic interceptor.
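The request-phase and response-phase steps recited in claim 1, sketched as an added example (not code from the patent or from the assignee). `RULES`, `PERMISSIONS`, the role names and `standin_protect` are hypothetical; the keystream-plus-HMAC wrapper only stands in for the IRM server's protection, and answering 403 when no permission set matches is an assumption of this sketch.

```python
import hashlib, hmac, os, re
from urllib.parse import urlsplit, parse_qs

# Hypothetical policy: (URL pattern, required query parameter, information type).
RULES = [(re.compile(r"^/reports/export$"), "format", "financial-report"),
         (re.compile(r"^/hr/payslip/\d+$"), None, "payroll")]
# Hypothetical permission matrix keyed by (user role, information type).
PERMISSIONS = {("analyst", "financial-report"): ["view"],
               ("manager", "financial-report"): ["view", "print"],
               ("employee", "payroll"): ["view"]}

def inspect_request(url):
    """Request phase: decide from URL pattern and parameters, before the
    application answers, whether the response will need protection."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    for pattern, param, info_type in RULES:
        if pattern.match(parts.path) and (param is None or param in params):
            return info_type
    return None

def standin_protect(body, key, permissions):
    """Stand-in for the IRM wrapping step, NOT a real IRM format or a vetted
    cipher: per-document nonce, SHA-256 counter keystream, HMAC over the rest."""
    nonce = os.urandom(16)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                      for i in range(len(body) // 32 + 1))
    cipher = bytes(a ^ b for a, b in zip(body, stream))
    header = ",".join(permissions).encode() + b"\n"
    tag = hmac.new(key, header + nonce + cipher, hashlib.sha256).digest()
    return header + nonce + tag + cipher

def protect_response(info_type, role, status, headers, body, key):
    """Response phase: swap the body for its protected version, or fail closed."""
    if info_type is None or status != 200:
        return status, headers, body             # nothing flagged: pass through
    perms = PERMISSIONS.get((role, info_type))
    if not perms:                                # assumption: no policy, no file
        return 403, {"Content-Length": "0"}, b""
    wrapped = standin_protect(body, key, perms)
    stale = ("content-length", "content-type", "etag", "content-md5")
    out = {k: v for k, v in headers.items() if k.lower() not in stale}
    out["Content-Length"] = str(len(wrapped))    # body changed, so length must too
    out["Content-Type"] = "application/octet-stream"
    return 200, out, wrapped
```

The request-phase result is carried to the response phase so the interceptor never has to guess from the body alone; validators such as `ETag` are dropped because they describe the unprotected bytes.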
Description
TECHNICAL FIELD
The present disclosure relates to computer systems, and specifically to Information Rights Management of documents.
BACKGROUND
Almost all medium and large enterprises depend on transactional systems, such as line of business applications, for their day-to-day operations. Line of business applications are vital for running an enterprise. Line of business applications are usually large programs that contain a number of integrated capabilities and tie into storage systems. These applications collect and/or generate large amounts of sensitive information and allow a user of these applications to extract sensitive information in the form of documents. The sensitive information stored/generated by the applications should be protected from unauthorized access once extracted from the application.
Information access within the application is usually controlled via access rights logic to ensure that users access only information they are authorized to access. However, the information extracted or downloaded from an application is no longer controlled by that application. The information may have been downloaded by the authorized user but can be shared with anybody without any limitations once it is outside the application. Thus, all information downloaded from applications is a potential source of information leakage. Access rights logic within the application may be sufficient to protect the information when it is accessed within the boundaries of the application, but it cannot control the information once it is extracted outside the application.
Information Rights Management (IRM) can be integrated with the application to protect the information being downloaded or extracted before it is made available to the authorized user. However, the integration of the IRM with enterprise applications poses some challenges to enterprises. For example, IRM integration usually requires modification of the source code of the enterprise application. These modifications are often time consuming and cost intensive and require skilled human resources. In addition, source code for enterprise applications is not always publicly available. Consequently, IRM integration into enterprise applications is often not feasible from a commercial standpoint. Thus, there is a need for a system that can apply IRM protections to documents downloaded from enterprise applications without the need to integrate the IRM with the enterprise applications themselves.
SUMMARY
The following presents a simplified summary of the disclosure in order to provide a basic understanding of certain embodiments of the present disclosure. This summary is not an extensive overview of the disclosure and it does not identify key/critical elements of the present disclosure or delineate the scope of the present disclosure. Its sole purpose is to present some concepts disclosed herein in a simplified form as a prelude to the more detailed description that is presented later.
One aspect of the present disclosure relates to a method, system, and computer readable medium storing instructions for automatically protecting documents using Information Rights Management (IRM). The method begins with intercepting, via a traffic interceptor, a request for downloading information from a client device. Next, the method includes forwarding, via the traffic interceptor, the request to a traffic protector. Then, the method includes inspecting, via the traffic protector, the request and extracting metadata from the request. Next, the method includes sending, via the traffic protector, the request back to the traffic interceptor. The method also includes forwarding, via the traffic interceptor, the request for a response to an enterprise application running on an application server. Then, the method includes sending, via the enterprise application, the requested information in a response to the traffic interceptor. The method then includes forwarding, via the traffic interceptor, the response to the traffic protector. Next, the method includes inspecting, via the traffic protector, the response and extracting sensitive information. After that, the method includes protecting, via the traffic protector, the sensitive information using an encryption key. The method also includes replacing the sensitive information in the response with the IRM protected version of the sensitive information. Then, the method includes forwarding the response with IRM protected sensitive information to the traffic interceptor. Last, the method includes sending the response with the IRM protected information to the client device.
In some embodiments, protecting the sensitive information includes determining what permissions are to be applied to the protected sensitive information. In some embodiments, the HTTP traffic includes an HTTP request from a client device. In some embodiments, the sensitive information is in a document downloaded from an enterprise application running an HTTP protocol. In some embo