+

EP3864560A1 - Methods for securing and accessing a digital document - Google Patents

Methods for securing and accessing a digital document

Info

Publication number
EP3864560A1
EP3864560A1 EP19795397.9A EP19795397A EP3864560A1 EP 3864560 A1 EP3864560 A1 EP 3864560A1 EP 19795397 A EP19795397 A EP 19795397A EP 3864560 A1 EP3864560 A1 EP 3864560A1
Authority
EP
European Patent Office
Prior art keywords
target data
digital document
data
value
version
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
EP19795397.9A
Other languages
German (de)
French (fr)
Inventor
Christopher Holland
Russell EGAN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Thales DIS CPL USA Inc
Original Assignee
Thales DIS CPL USA Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US16/156,353 external-priority patent/US10970408B2/en
Priority claimed from US16/156,349 external-priority patent/US11625496B2/en
Priority claimed from US16/166,770 external-priority patent/US10956590B2/en
Application filed by Thales DIS CPL USA Inc filed Critical Thales DIS CPL USA Inc
Publication of EP3864560A1 publication Critical patent/EP3864560A1/en
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00Handling natural language data
    • G06F40/10Text processing
    • G06F40/12Use of codes for handling textual entities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Definitions

  • the present invention relates to methods for securing digital documents. It relates particularly to methods of securing access to digital documents comprising at least two types of data requiring different security 1eve1 manage ents .
  • the invention aims at solving the above mentioned technical problem.
  • An object of the present invention is a computer- implemented method for securing a digital document . , an initial version of the digital document containing a set of data.
  • the method comprises:
  • the link value allocating said link value to a target data belonging to said set and storing an entry comprising said target data in a secure storage unit, said target data being reachable in the secure storage unit through the link value, the secure storage unit being configured to use access rules for authorizing or denying a request initiated by a user and aiming at accessing the target data comprised in said entry,
  • a display value may be inserted in place of the target data in the updated version of the digital document .
  • the display value may be a random value or a meaningless token.
  • the display value and the target data may have a similar format .
  • the link value may be generated by applying the preset function to the display value .
  • Another obj ect of the present invention is a computer-implemented method for securely accessing a digital document containing a set of data by a user.
  • the method comprises:
  • the current version may comprise a display value in place of the target data.
  • the user may be provided with the set of data through a first software application and the target data through a second software application separate from the first software application.
  • Another object of the present invention is a system for securing a digital document, an initial version of the digital document containing a set of data.
  • the system comprises a hardware processor, a secure storage unit and a generator including instructions that, 'when executed by the processor, cause said generator to identify a target data belonging to said set, to generate a link value by applying a preset function to a subset of said set and to store an entry comprising said target data in the secure storage unit, said target data being reachable in the secure storage unit through said link value.
  • the secure storage is adapted to use access rules for authorizing or denying a request initiated by a user and aiming at accessing the target data comprised in the entry.
  • Said instructions when executed by the processor, cause said generator to generate an updated version of the digital document by removing the target data from the initial version of the digital document.
  • the generator may be configured to insert a display value in place of the target data in the updated version of the digital document.
  • the generator may be configured to set the display value with a random value or a meaningless token.
  • the generator may be configured to generate the link value by applying the preset function to the display value.
  • Another obj ect of the present invention is a system for securely accessing a digital document containing a set of data.
  • the system comprises a hardware processor and an accessor agent including instructions that, when executed by the processor, cause said accessor agent to:
  • the system is adapted to generate a request by using the link value for retrieving the target data from a secure storage unit and to forward the retrieved target data to a display device for rendering to a user .
  • the current version may comprise a display value in place of the target data and the accessor agent may be adapted to generate the link value by applying the preset function to the display value .
  • Figure 1 shows an example of architecture of a system for generating a protected digital document and a system for securely accessing data belonging to the protected digital document according to the invention
  • Figure 2 depicts a flow chart for securing access to a digital document according to an example of the invention.
  • Figure 3 depicts a flow chart for securely accessing a digital document according to an example of the invention.
  • the invention may apply to any type of digital document comprising several types of data that need to be managed according to different security policies. It is well-suited for managing structured documents comprising sensitive data. It applies to any digital document like a text file or a spreadsheet document, regardless of their format .
  • Figure 1 shows an example of architecture of a securing system 10 for generating a protected digital document and an accessing system 90 for securely accessing data belonging to the protected digital document according to the invention.
  • system 10 is deployed in cloud environment .
  • the system 10 comprises a generator 50 and a secure storage unit 60.
  • an initial version 20 of a digital document contains a set of data including at least two type of data.
  • the initial version 20 can contain both a non-sensitive data 21 and a sensitive data 22.
  • the automated system 10 is designed to take as input data both the initial version 20 of the document and a list 40 of data of the second type (e.g. sensitive data) contained in the initial version 20 of the document.
  • the list 40 may be built by a so-called automated Data Discovery and Classification
  • data of the second type may be financial reports, medical information, personally identifiable information (PIT) or confidential data.
  • PIT personally identifiable information
  • the system 10 can be adapted to automatically identify the sensitive data contained in the initial version 20 of the document.
  • the generator includes a hardware processor and a first set of instructions that, when executed by the processor, causes said generator to generate a link value 35 by applying a preset function to a subset of said set of data, to allocate said link value to a target data (of the second type) belonging to said set of data and to record an entry 61 comprising the target data 22 in the secure storage unit 60.
  • the target data 22 is reachable in the secure storage unit through the link value 35.
  • the generator has both the ability to identify the relevant input parameter ( s ) for the preset function and to apply the preset function to the identified input parameter (s) .
  • the generator can build the link value 35 by using a combination of unique and unvarying elements of the content, such as the page' s URL and the form field' s name .
  • the generator can build the link value 35 by using that document identifier and the coordinates of the spreadsheet cell containing the sensitive data (r.e, sheet number, column, and row) .
  • the link value may be generated by concatenating a preset string with the built value. Assuming that the preset string is https : //wxyz . com/app/ , the generated link value may be https : //wxyz . com/app/BFIJLPSTVZ .
  • the link value may be generated as a Uniform Resource Locator (URL) .
  • identifying the relevant input parameter ( s ) and the preset function can be applied to digital documents structured by record or by lines.
  • the (non-sensitive) content of all odd lines preceding the line comprising the target data can be taken as input parameter (s) and the preset function can be a Hash function.
  • link value can be generated from metadata of the digital document, data contained in the document or a combination of both.
  • the generator includes a second set of instructions that, when executed by the processor, cause said generator to generate an updated version 30 of the digital document by removing the target data from the initial version of the digital document. It is to be noted that the data of the first type (e.g. non sensitive data) remain present in the updated version 30 of the digital document.
  • the data of the first type e.g. non sensitive data
  • the subset of data used as input parameter ( s ) of the preset function must be kept in the updated version 30 of the digital document.
  • the generator can be configured to generate a display value (noted 33 at Fig. 1) and to insert this display value in place of the target data (noted 22 at Fig. 1 ) in the updated version 30 of the digital document .
  • the generator can be adapted to generate a display value having a random value .
  • the generator can be adapted to generate a display value that gives an indication to the user (reader) .
  • the user may have the choice to click on the display value (in the updated version of the document) to trigger the retrieving of the corresponding target data.
  • the generator can be adapted to select a display value among a predefined list of strings or to use a unique predefined string for all target data to be replaced.
  • the generator can be designed to insert either a meaningful or meaningless display value.
  • the generator can be designed to set the display value with a non-textual information like an icon or a button .
  • the generator creates a display value having a format similar to those of the initial target data.
  • the display value can be: 000-11-2222 or XXX-XX-6789.
  • the format of the inserted data replacing the original data is kept unchanged .
  • the generator can be adapted to generate the link value by applying a preset function to the display value.
  • the generator can use both the display value and a subset of the data of the initial version 20 for generating the link value.
  • the generated link value can be https : //wxyz . com/app/BFIJLPSTVZ/xxxxx57.
  • only one target data 22 is represented at Figure 1.
  • the initial version of the document may comprise several target data which are removed and associated to as many link values by the generator.
  • the initial version of the document may also comprise data of more than two types and the generator may apply different preset functions (and policy to select the input parameter) according to each type of data.
  • the secure storage unit 60 can include a database (or a file system) , a set of access rules and a controller engine 65 able to check whether a request trying to access a record stored in the secure storage unit complies with the access rules .
  • the controller engine is able to authorize or deny the request according to predefined access rules .
  • the controller engine may check user' ' s credentials like a passphrase, a biometric data, a One-Time password or a cryptographic value computed from a secret key allocated to the user for example.
  • Each entry stored in the secure storage unit 60 can comprise several fields .
  • an entry may have the following structure: where Index has a unique value allowing to identity the entry among the others,
  • URI is the link value
  • Snort Code is the display value
  • Metadata may contain various data like the entry creation/update date, author, country origin, file name of the updated version of the document, and where Information is a target (e,g, sensitive) data removed from the document.
  • the access rules can be defined according to the profile of the users. For instance, a user accredited at level 2 is authorized to access all types of data while a user accredited at level 1 can only access data of first type.
  • the access rules can be defined according to both the profile of the user and the type of data . For instance, a financial data can be accessed only by Finance employees.
  • the access rules can be defined so as to take into account the type of user' s device (e.g. a Personal computer may be assumed to be more secure than a smart phone) .
  • the access rules can be defined to take into account the user's location.
  • access to a target data type can be restricted to users located in the company office only for instance .
  • the access rules can define access rights which are set with an expiration date.
  • the system can be configured to log any attempt to access data of the second type from the updated version of the digital document. Hence repeated unauthorized attempts may be detected and trigger appropriate security measures. Such log may also be used to monitor and size the system 10.
  • the system 10 described at Figure 1 manages two types of data, it may manage a large number of types of data.
  • the updated version 30 of the document can be made available to a user 80.
  • the user may be an individual, a software application or a computer machine.
  • the system 90 for securely accessing data belonging to the updated version 30 of the digital document can be deployed on client side. For instance, it may be hosted in a laptop or a smartphone.
  • the system 90 comprises a processor and an accessor agent 75 including a first set of instructions that, when executed by the processor, cause said accessor agent to detect, from the current version 30 (e.g. updated version) of the digital document, the existence of a target data belonging to a previous version of the digital document and missing from the current version of the digital document.
  • the current version 30 e.g. updated version
  • the accessor agent 75 can be adapted to detect the presence of a predefined list of fields in the current version 30 for deducing the existence of a target data belonging to a previous version of the digital document.
  • the accessor agent 75 can be configured to detect a field named "secret key”, "passport number” or "Amount” and to deduce that a corresponding sensitive data should be retrieved from the secure storaue unit.
  • the accessor agent 75 can be adapted to detect the presence of a predefined 1ist of patterns (or tokens) which are assumed to be display values inserted by the system 10.
  • the accessor agent 75 can be adapted to detect the existence of a target data belonging to a previous version of the digital document by applying a predefined function to a part of the current version of the document. For instance by applying a hash function to the first 5 lines (or records or cells) and comparing the result with a list of pre-stored reference hashes.
  • Another option would be using the unique identifier of the enclosing document to look up the list of all sensitive data removed from the original , then using information from the meta data stored with each entry in that list to know which fields in the document are reolacements.
  • a list of replacements can be retrieved from a specific document, then see that the list includes a data located at cell E5 in the document .
  • the accessor agent 75 includes a second set of instructions that, when executed by the processor, cause said accessor agent to build a link value 35 allocated to the target data by applying a preset function to a subset of the data found in the current version 30.
  • the accessor agent is adapted to re-compute the link value which has been created and allocated to the target data by the system 10.
  • the accessor agent is designed to perform selection and computation operations similar to those made by the generator 5 500 ooff tthhee system 10,
  • the system 90 is configured to generate a request by using the link value for retrieving the target data from the secure storage unit 60 and to forward the retrieved target data to a display device 72 for rendering to a user.
  • the accessor agent directly sends the request (comprising the computed link value) aiming at retrieving the target data from the secure storage unit 60, receives the target data and provides the display device 72 with the target data.
  • the non- sensitive data can be displayed to the user through another display device 71.
  • the non-sensitive data 21 can be freely displayed to the user through a first device 71 like a software application (e . g. MS-Word®) while the sensitive data 22 is displayed to the user through the second device 72 like a software application (like Web- browser) only if the user has properly authenticated to the secure storage unit 60.
  • a software application e . g. MS-Word®
  • the sensitive data 22 is displayed to the user through the second device 72 like a software application (like Web- browser) only if the user has properly authenticated to the secure storage unit 60.
  • both first and second devices may be merged in a single one so that the user can read the whole document through a single device.
  • the system 90 can include the display device 72 and the accessor agent can provide the display device 72 with the computed link value.
  • the display device 72 can be adapted to generate the request by using the link value and to send it to the secure storage unit 60 for retrieving the target data .
  • Figure 2 shows a flow chart for securing access to a digital document according to an example of the invention .
  • the initial version 20 of the digital document contains a set of data (i.e, both sensitive and non-sensitive data) .
  • the initial version 20 has been parsed to identify a list 40 of sensitive data. This operation can be performed manually or automated using mechanism automated Data Discovery and Classification Process which is known per se.
  • a subset (at least one non-sensitive data) of said set of data is identified then a link value is computed by applying a preset function to the identified subset.
  • Part of data contained in the digital document may be meta-data attached to the document itself like the name of the file of the document, the URL of the web page allowing to get the digital document, the version number of the document or the author.
  • the link value 35 is allocated to a target data 22 belonging to list 40 and an entry 61 comprising said target data is recorded in the secure storage unit 60.
  • the link value allows to reach the target data 22 in the secure storage.
  • the secure storage unit is configured to check access rules for authorizing or denying a request initiated by a user and aiming at accessing a data stored in one of its entries .
  • an updated version 30 of the digital document is created by removing the target data 22 from the initial version 20 of the digital document.
  • the target data does not appear as such in the updated version any more . It has been moved to the secure storage unit 60.
  • a display value 33 can be identified and inserted in place of the target data 22 in the updated version 30 of the digital document .
  • the display value can be generated on- the-fly or retrieved from a preset list of pattern stored in the secure storage unit or in another device.
  • the link value may also be generated by applying the preset function to both the identified subset and the display value (at step 20) .
  • step 10 & 20 can be executed several times using different preset functions and/or policies to identify the subset of data to be used as input parameter ( s ) of the preset functions .
  • Figure 3 shows a flow chart for securely accessing a digital document according to an example of the invention .
  • An updated version 30 of the digital document is assumed to have been generated according to the process of Figure 2.
  • the updated version 30 comprises non-sensitive data only.
  • the updated version of the digital document is made available to a user 80.
  • the updated version (also named current version) can be sent to the user or made available via a repository for example.
  • step 40 the existence of a target data (i.e. sensitive data) belonging to the previous (e.g. initial) version of the digital document and missing from the current version of the digital document is detected.
  • This detection operation is carried out on the basis on the current version of the digital document on1y .
  • the list 40 can be used to detect the existence of the target data 22,
  • a subset of the content of the current version is identified in relation with the target data then a link value allocated to the target data is generated by applying a preset function to the identified subset.
  • the digital document can be a digital record in a software-as-a-service system, such as SalesforceTM, which is being viewed by a user via a web page.
  • the link value can be derived from record and field IDs extracted from the web page .
  • each version of the digital document can be handled through several formats.
  • the rendering format may be different from the storing format.
  • the updated version of the digital document can be stored using a XML or JSON format while it can be displayed on a web page using a HTML format.
  • data belonging to the digital document may be expressed using different formats .
  • a document may be in either a JSON format or an HTML format.
  • the link value can be computed from a JSON record ID and JSON attribute names .
  • the link value can be computed from the URL and form field IDs. Both formats are assumed to result in the same final link value.
  • the syntax elements of the used format can be considered as being data belonging to a particular version of the digital document .
  • a request is built by using the link value for retrieving the target data from the secure storage unit .
  • the target data is provided to the user (via a display device) only if the secure storage unit successfully checked the compliance of the request with preset access ru1es . ( i . e . if the user i s authori zed to access the target data . )
  • request generation and request sending can be fully automated so that the user does not need to explicitly trigger the retrieving of the target data .
  • the user can be requested to provide his/her credentials (and possibly additional information) so that the secure storage can perform the access rules checking .
  • the target data can be displayed to the user via a specific display device 72 (like a browser) while the non-sensitive data contained in the current version 30 are displayed to the user through another display device 71.
  • all data can be displayed to the user through a single display device .
  • rendering of the data to the user can also be done via sound or tactile interfaces .
  • the user must authenticate each time a request to retrieve a sensitive data is received by the secure storage unit.
  • the secure storage unit may authenticate the user only once and authorize further access from this user during a session without new credentials checking .
  • a session can be an authenticated context estab1i shed between t.he user' s web browser and the web server which provides access to the sensitive data.
  • the session can be materialized as a cookie.
  • the invention applies to any types of access like read access and write access.
  • a secure storage unit can store data related to several updated versions of a plurality of documents.
  • the invention allows freely forwarding or distributing a document without revealing certain critical information.
  • the updated version of a document may be emailed, printed, stored on a cloud service without containing certain information whose access must remain restricted.
  • the access control rules can be applied selectively based on who is accessing, on what device, from where as well as the class of the information.
  • access to part of the document can be dynamically refined (Access rules can be changed at any time) since Access rules are enforced only when a user attempts to access the protected data.
  • the invention allows to centralize credentials management and highly ease the management of secret/encryption keys.
  • the architectures of the systems shown at Figure 1 are provided as example only. These architectures may be different.
  • the generator can work with several secure storage units or the secure storage unit can include several databases.
  • the secure storage unit can include a web server which manages the interface between users and the secure storage unit and performs checking operations for authentication and authorization of the user.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Bioethics (AREA)
  • Artificial Intelligence (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Computational Linguistics (AREA)
  • Document Processing Apparatus (AREA)
  • Storage Device Security (AREA)

Abstract

The invention is a method for securing a digital document. An initial version of the digital document contains a set of data. The method comprises:- generating a link value by applying a preset function to a subset of the set of data,- allocating the link value to a target data belonging to the set of data and storing an entry comprising the target data in a secure storage unit, the target data being reachable in the secure storage unit through the link value, the secure storage unit being configured to use access rules for authorizing or denying a request initiated by a user and aiming at accessing the target data comprised in said entry,- generating an updated version of the digital document by removing the target data from the initial version of the digital document.

Description

METHODS FOR SECURING AND ACCESSING A DIGITAL DOCUMENT
Field of the invention
The present invention relates to methods for securing digital documents. It relates particularly to methods of securing access to digital documents comprising at least two types of data requiring different security 1eve1 manage ents .
Background of the invention
Many laws and company policies exist around the world to restrict access to certain classes of information stored in structured documents . It is known to encrypt the full document or to redact the document . Redaction provides no simple or automated means to recover the sensitive information. Encryption renders the document entirely unusable by any system without access to the encryption key. This creates significant inconveniences including, for example, the ability for a computer system to index file contents for the purpose of creating a searchable index. In addition, encryption of a document using a key (either cryptographic or password) requires significant controls over the key - including the distribution and control of the key. There is need to provide a solution allowing for the document to be usable and freely distributed except that access to sensitive information remain restricted. Summary of the Invention
The invention aims at solving the above mentioned technical problem.
An object of the present invention is a computer- implemented method for securing a digital document., an initial version of the digital document containing a set of data. The method comprises:
generating a link value by applying a preset function to a subset of said set of data,
allocating said link value to a target data belonging to said set and storing an entry comprising said target data in a secure storage unit, said target data being reachable in the secure storage unit through the link value, the secure storage unit being configured to use access rules for authorizing or denying a request initiated by a user and aiming at accessing the target data comprised in said entry,
generating an updated version of the digital document by removing said target data from the initial version of the digital document.
Advantageously, a display value may be inserted in place of the target data in the updated version of the digital document .
Advantageously, the display value may be a random value or a meaningless token.
Advantageously, the display value and the target data may have a similar format .
Advantageously, the link value may be generated by applying the preset function to the display value .
Another obj ect of the present invention is a computer-implemented method for securely accessing a digital document containing a set of data by a user. The method comprises:
- from a current version of the digital document, detecting the existence of a target data belonging to a previous version of the digital document and missing from the current version of the digital document,
generating a link value allocated to the target data by applying a preset function to a subset of said sen or oata,
- generating a request by using the link value for- retrieving the target data from a secure storage unit, and
- providing the user with the target data only if the secure storage unit successfully checked the compliance of the request with preset access rules.
Advantageously, the current version may comprise a display value in place of the target data.
Advantageously, the user may be provided with the set of data through a first software application and the target data through a second software application separate from the first software application.
Another object of the present invention is a system for securing a digital document, an initial version of the digital document containing a set of data. The system comprises a hardware processor, a secure storage unit and a generator including instructions that, 'when executed by the processor, cause said generator to identify a target data belonging to said set, to generate a link value by applying a preset function to a subset of said set and to store an entry comprising said target data in the secure storage unit, said target data being reachable in the secure storage unit through said link value. The secure storage is adapted to use access rules for authorizing or denying a request initiated by a user and aiming at accessing the target data comprised in the entry. Said instructions, when executed by the processor, cause said generator to generate an updated version of the digital document by removing the target data from the initial version of the digital document.
Advantageously, the generator may be configured to insert a display value in place of the target data in the updated version of the digital document.
Advantageously, the generator may be configured to set the display value with a random value or a meaningless token.
Advantageously, the generator may be configured to generate the link value by applying the preset function to the display value.
Another obj ect of the present invention is a system for securely accessing a digital document containing a set of data. The system comprises a hardware processor and an accessor agent including instructions that, when executed by the processor, cause said accessor agent to:
- detect, from a current version of the digital document, the existence of a target data belonging to a previous version of the digital document and missing from the current version of the digital document,
- build a link value allocated to the target data by applying a preset function to a subset of said set of data. The system is adapted to generate a request by using the link value for retrieving the target data from a secure storage unit and to forward the retrieved target data to a display device for rendering to a user .
Advantageously, the current version may comprise a display value in place of the target data and the accessor agent may be adapted to generate the link value by applying the preset function to the display value .
Brief description of the drawings
Other characteristics and advantages of the present invention will emerge more clearly from a reading of the following description of a number of preferred embodiments of the invention with reference to the corresponding accompanying drawings in which :
Figure 1 shows an example of architecture of a system for generating a protected digital document and a system for securely accessing data belonging to the protected digital document according to the invention;
Figure 2 depicts a flow chart for securing access to a digital document according to an example of the invention; and
Figure 3 depicts a flow chart for securely accessing a digital document according to an example of the invention.
Detailed description of the preferred embodiments The invention may apply to any type of digital document comprising several types of data that need to be managed according to different security policies. It is well-suited for managing structured documents comprising sensitive data. It applies to any digital document like a text file or a spreadsheet document, regardless of their format .
Figure 1 shows an example of architecture of a securing system 10 for generating a protected digital document and an accessing system 90 for securely accessing data belonging to the protected digital document according to the invention.
In this example, the system 10 is deployed in cloud environment .
The system 10 comprises a generator 50 and a secure storage unit 60.
Let ' s assume that an initial version 20 of a digital document contains a set of data including at least two type of data. For instance the initial version 20 can contain both a non-sensitive data 21 and a sensitive data 22. The automated system 10 is designed to take as input data both the initial version 20 of the document and a list 40 of data of the second type (e.g. sensitive data) contained in the initial version 20 of the document. The list 40 may be built by a so-called automated Data Discovery and Classification
Process .
For example data of the second type may be financial reports, medical information, personally identifiable information (PIT) or confidential data.
Alternatively, the system 10 can be adapted to automatically identify the sensitive data contained in the initial version 20 of the document. The generator includes a hardware processor and a first set of instructions that, when executed by the processor, causes said generator to generate a link value 35 by applying a preset function to a subset of said set of data, to allocate said link value to a target data (of the second type) belonging to said set of data and to record an entry 61 comprising the target data 22 in the secure storage unit 60. The target data 22 is reachable in the secure storage unit through the link value 35.
The generator has both the ability to identify the relevant input parameter ( s ) for the preset function and to apply the preset function to the identified input parameter (s) .
If the digital document is a web page/ form, the generator can build the link value 35 by using a combination of unique and unvarying elements of the content, such as the page' s URL and the form field' s name .
If the digital document is a spreadsheet stored in a document management system or cloud file storage system, where such system gives the document a unique and stable document identifier, the generator can build the link value 35 by using that document identifier and the coordinates of the spreadsheet cell containing the sensitive data (r.e, sheet number, column, and row) .
Advantageously, the link value may be generated by concatenating a preset string with the built value. Assuming that the preset string is https : //wxyz . com/app/ , the generated link value may be https : //wxyz . com/app/BFIJLPSTVZ . The link value may be generated as a Uniform Resource Locator (URL) .
Other examples for identifying the relevant input parameter ( s ) and the preset function can be applied to digital documents structured by record or by lines. For instance, in a text file, the (non-sensitive) content of all odd lines preceding the line comprising the target data can be taken as input parameter (s) and the preset function can be a Hash function.
Thus the link value can be generated from metadata of the digital document, data contained in the document or a combination of both.
The generator includes a second set of instructions that, when executed by the processor, cause said generator to generate an updated version 30 of the digital document by removing the target data from the initial version of the digital document. It is to be noted that the data of the first type (e.g. non sensitive data) remain present in the updated version 30 of the digital document.
The subset of data used as input parameter ( s ) of the preset function must be kept in the updated version 30 of the digital document.
Advantageously, the generator can be configured to generate a display value (noted 33 at Fig. 1) and to insert this display value in place of the target data (noted 22 at Fig. 1 ) in the updated version 30 of the digital document .
In one embodiment, the generator can be adapted to generate a display value having a random value . In another embodiment, the generator can be adapted to generate a display value that gives an indication to the user (reader) . Thus the user may have the choice to click on the display value (in the updated version of the document) to trigger the retrieving of the corresponding target data.
In another embodiment, the generator can be adapted to select a display value among a predefined list of strings or to use a unique predefined string for all target data to be replaced.
Hence, the generator can be designed to insert either a meaningful or meaningless display value.
The generator can be designed to set the display value with a non-textual information like an icon or a button .
Preferably, the generator creates a display value having a format similar to those of the initial target data. For instance, assuming that the target data has the following format: 123-45-6789, the display value can be: 000-11-2222 or XXX-XX-6789. Hence the format of the inserted data replacing the original data is kept unchanged ,
The generator can be adapted to generate the link value by applying a preset function to the display value. In other words, the generator can use both the display value and a subset of the data of the initial version 20 for generating the link value. By reference to the above-described example and assuming that the display value is xxxxx57, the generated link value can be https : //wxyz . com/app/BFIJLPSTVZ/xxxxx57. In order to simplify the presentation, only one target data 22 is represented at Figure 1. The initial version of the document may comprise several target data which are removed and associated to as many link values by the generator.
The initial version of the document may also comprise data of more than two types and the generator may apply different preset functions (and policy to select the input parameter) according to each type of data.
The secure storage unit 60 can include a database (or a file system) , a set of access rules and a controller engine 65 able to check whether a request trying to access a record stored in the secure storage unit complies with the access rules . The controller engine is able to authorize or deny the request according to predefined access rules . The controller engine may check user'' s credentials like a passphrase, a biometric data, a One-Time password or a cryptographic value computed from a secret key allocated to the user for example.
Each entry stored in the secure storage unit 60 can comprise several fields . For example, an entry may have the following structure: where Index has a unique value allowing to identity the entry among the others,
where URI is the link value, where Snort Code is the display value,
where Metadata may contain various data like the entry creation/update date, author, country origin, file name of the updated version of the document, and where Information is a target (e,g, sensitive) data removed from the document.
In one embodiment, the access rules can be defined according to the profile of the users. For instance, a user accredited at level 2 is authorized to access all types of data while a user accredited at level 1 can only access data of first type.
In another embodiment, the access rules can be defined according to both the profile of the user and the type of data . For instance, a financial data can be accessed only by Finance employees.
In another embodiment, the access rules can be defined so as to take into account the type of user' s device (e.g. a Personal computer may be assumed to be more secure than a smart phone) .
In another embodiment, the access rules can be defined to take into account the user's location. Thus access to a target data type can be restricted to users located in the company office only for instance .
In another embodiment, the access rules can define access rights which are set with an expiration date.
The system can be configured to log any attempt to access data of the second type from the updated version of the digital document. Hence repeated unauthorized attempts may be detected and trigger appropriate security measures. Such log may also be used to monitor and size the system 10. Although the system 10 described at Figure 1 manages two types of data, it may manage a large number of types of data.
Once the updated version 30 of the document has been generated, it can be made available to a user 80.
The user may be an individual, a software application or a computer machine.
The system 90 for securely accessing data belonging to the updated version 30 of the digital document can be deployed on client side. For instance, it may be hosted in a laptop or a smartphone.
The system 90 comprises a processor and an accessor agent 75 including a first set of instructions that, when executed by the processor, cause said accessor agent to detect, from the current version 30 (e.g. updated version) of the digital document, the existence of a target data belonging to a previous version of the digital document and missing from the current version of the digital document.
For example, the accessor agent 75 can be adapted to detect the presence of a predefined list of fields in the current version 30 for deducing the existence of a target data belonging to a previous version of the digital document. For instance, the accessor agent 75 can be configured to detect a field named "secret key", "passport number" or "Amount" and to deduce that a corresponding sensitive data should be retrieved from the secure storaue unit.
In another example, the accessor agent 75 can be adapted to detect the presence of a predefined 1ist of patterns (or tokens) which are assumed to be display values inserted by the system 10.
In another example, the accessor agent 75 can be adapted to detect the existence of a target data belonging to a previous version of the digital document by applying a predefined function to a part of the current version of the document. For instance by applying a hash function to the first 5 lines (or records or cells) and comparing the result with a list of pre-stored reference hashes.
Regarding the detection of removed data, another option would be using the unique identifier of the enclosing document to look up the list of all sensitive data removed from the original , then using information from the meta data stored with each entry in that list to know which fields in the document are reolacements.
For example, a list of replacements can be retrieved from a specific document, then see that the list includes a data located at cell E5 in the document .
The accessor agent 75 includes a second set of instructions that, when executed by the processor, cause said accessor agent to build a link value 35 allocated to the target data by applying a preset function to a subset of the data found in the current version 30. In fact the accessor agent is adapted to re-compute the link value which has been created and allocated to the target data by the system 10.
The accessor agent is designed to perform selection and computation operations similar to those made by the generator 5 500 ooff tthhee system 10, The system 90 is configured to generate a request by using the link value for retrieving the target data from the secure storage unit 60 and to forward the retrieved target data to a display device 72 for rendering to a user.
In one embodiment, the accessor agent directly sends the request (comprising the computed link value) aiming at retrieving the target data from the secure storage unit 60, receives the target data and provides the display device 72 with the target data. The non- sensitive data can be displayed to the user through another display device 71.
When the user 80 start reading the updated version 30 of the document, the non-sensitive data 21 can be freely displayed to the user through a first device 71 like a software application (e . g. MS-Word®) while the sensitive data 22 is displayed to the user through the second device 72 like a software application (like Web- browser) only if the user has properly authenticated to the secure storage unit 60.
Alternatively, both first and second devices may be merged in a single one so that the user can read the whole document through a single device.
In another embodiment (not shown) , the system 90 can include the display device 72 and the accessor agent can provide the display device 72 with the computed link value. The display device 72 can be adapted to generate the request by using the link value and to send it to the secure storage unit 60 for retrieving the target data . Figure 2 shows a flow chart for securing access to a digital document according to an example of the invention .
By reference to Figure 1, the initial version 20 of the digital document contains a set of data (i.e, both sensitive and non-sensitive data) . In a preliminary phase, the initial version 20 has been parsed to identify a list 40 of sensitive data. This operation can be performed manually or automated using mechanism automated Data Discovery and Classification Process which is known per se.
At step S10, a subset (at least one non-sensitive data) of said set of data is identified then a link value is computed by applying a preset function to the identified subset. Part of data contained in the digital document may be meta-data attached to the document itself like the name of the file of the document, the URL of the web page allowing to get the digital document, the version number of the document or the author.
At step S20, the link value 35 is allocated to a target data 22 belonging to list 40 and an entry 61 comprising said target data is recorded in the secure storage unit 60. The link value allows to reach the target data 22 in the secure storage. The secure storage unit is configured to check access rules for authorizing or denying a request initiated by a user and aiming at accessing a data stored in one of its entries . At step S30, an updated version 30 of the digital document is created by removing the target data 22 from the initial version 20 of the digital document.
It is to be noted that at the end of this step, the target data does not appear as such in the updated version any more . It has been moved to the secure storage unit 60.
Advantageously, a display value 33 can be identified and inserted in place of the target data 22 in the updated version 30 of the digital document . The display value can be generated on- the-fly or retrieved from a preset list of pattern stored in the secure storage unit or in another device.
In one embodiment, the link value may also be generated by applying the preset function to both the identified subset and the display value (at step 20) .
This sequence is performed for each data of the list 40. If the initial version of the document contains sensitive data requiring different security levels, the process (steps 10 & 20) can be executed several times using different preset functions and/or policies to identify the subset of data to be used as input parameter ( s ) of the preset functions .
Figure 3 shows a flow chart for securely accessing a digital document according to an example of the invention .
An updated version 30 of the digital document is assumed to have been generated according to the process of Figure 2. In this example, the updated version 30 comprises non-sensitive data only. The updated version of the digital document is made available to a user 80. The updated version (also named current version) can be sent to the user or made available via a repository for example.
At step 40, the existence of a target data (i.e. sensitive data) belonging to the previous (e.g. initial) version of the digital document and missing from the current version of the digital document is detected. This detection operation is carried out on the basis on the current version of the digital document on1y .
Alternatively, the list 40 can be used to detect the existence of the target data 22,
At step 50, a subset of the content of the current version is identified in relation with the target data then a link value allocated to the target data is generated by applying a preset function to the identified subset.
For instance, the digital document can be a digital record in a software-as-a-service system, such as Salesforce™, which is being viewed by a user via a web page. The link value can be derived from record and field IDs extracted from the web page .
It is to be noted that each version of the digital document can be handled through several formats. In particular the rendering format may be different from the storing format. For instance, the updated version of the digital document can be stored using a XML or JSON format while it can be displayed on a web page using a HTML format. In other words, data belonging to the digital document may be expressed using different formats .
Different context information may be used from each version/ format to derive the link, but that in each case, the method of derivation must resolve to the same link. For example, if a document may be in either a JSON format or an HTML format. For the JSPN format, the link value can be computed from a JSON record ID and JSON attribute names . For the HTML format, the link value can be computed from the URL and form field IDs. Both formats are assumed to result in the same final link value.
The syntax elements of the used format can be considered as being data belonging to a particular version of the digital document .
At step 60, a request is built by using the link value for retrieving the target data from the secure storage unit .
At step 70, the target data is provided to the user (via a display device) only if the secure storage unit successfully checked the compliance of the request with preset access ru1es . ( i . e . if the user i s authori zed to access the target data . )
It is to be noted that request generation and request sending can be fully automated so that the user does not need to explicitly trigger the retrieving of the target data . The user can be requested to provide his/her credentials (and possibly additional information) so that the secure storage can perform the access rules checking . In one embodiment, assuming that the request has been authorized, the target data can be displayed to the user via a specific display device 72 (like a browser) while the non-sensitive data contained in the current version 30 are displayed to the user through another display device 71. Alternatively, all data can be displayed to the user through a single display device .
It is to be noted that the rendering of the data to the user can also be done via sound or tactile interfaces .
In one embodiment, the user must authenticate each time a request to retrieve a sensitive data is received by the secure storage unit.
In another embodiment, the secure storage unit may authenticate the user only once and authorize further access from this user during a session without new credentials checking . For instance a session can be an authenticated context estab1i shed between t.he user' s web browser and the web server which provides access to the sensitive data. The session can be materialized as a cookie.
It must be understood, within the scope of the invention, that the above-described embodiments are provided as non-limitative examples. In particular, the features described in the presented embodiments and examples may be combined.
The invention applies to any types of access like read access and write access.
A secure storage unit can store data related to several updated versions of a plurality of documents. The invention allows freely forwarding or distributing a document without revealing certain critical information. Hence the updated version of a document may be emailed, printed, stored on a cloud service without containing certain information whose access must remain restricted. Moreover, the access control rules can be applied selectively based on who is accessing, on what device, from where as well as the class of the information.
Thanks to the invention, access to part of the document can be dynamically refined (Access rules can be changed at any time) since Access rules are enforced only when a user attempts to access the protected data.
In addition, the invention allows to centralize credentials management and highly ease the management of secret/encryption keys.
The architectures of the systems shown at Figure 1 are provided as example only. These architectures may be different. For example, the generator can work with several secure storage units or the secure storage unit can include several databases. The secure storage unit can include a web server which manages the interface between users and the secure storage unit and performs checking operations for authentication and authorization of the user.
Although described in the framework of cloud environment, the invention also applies to any type of framework

Claims

1. A computer-implemented method for securing a digital document , an initial version of said digital document containing a set of data, the method comprising:
generating a link value by applying a preset function to a subset of said set of data,
allocating said link value to a target data belonging to said set and storing an entry comprising sard target data in a secure storage unit, said target data being reachable in the secure storage unit through the link value, the secure storage unit being configured to use access rules for authorizing or denying a request initiated by a user and aiming at accessing the target data comprised in said entry,
generating an updated version of the digital document by removing said target data from the initial version oi tne digital oocamenu 2, The method according to claim 1 , wherein a display value is inserted in place of the target data in the updated version of the digital document.
3. The method according to claim 2 , wherein the display value is a random value or a meaningless token . . The method according to claim 2 or 3, wherein the display value and the target data have a similar format .
5. The method according to claim 2, 3 or 4, wherein the link value is generated by applying the preset function to the display value.
6. A computer-implemented method for securely accessing a digital document containing a set of data by a user, the method comprising:
- from a current version of the digital document, detecting the existence of a target data belonging to a previous version of the digital document and missing from the current version of the digital document,
- generating a link value allocated to the target data by applying a preset function to a subset of said set of data,
- generating a request by using the link value for retrieving the target data from a secure storage unit,
- providing the user with the target data only if the secure storage unit successfully checked the compliance of the request with preset access rules.
7. The method according to claim 6, wherein the current version comprises a display value in place of the target data.
8. The method according to claim 7, wherein the link value is generated by applying the preset function to the display value. 9. The method according to claim 6, wherein the user is provided with the set of data through a first software application and said target data through a second software application separate from the first software application. 10. A system for securing a digital document, an initial version of said digital document containing a set of data, the system comprising a hardware processor,
wherein the system comprises a secure storage unit and a generator including instructions that, when executed by the processor, cause said generator to identify a target data belonging to said set, to generate a link value by applying a preset function to a subset of said set and to store an entry comprising said target data in the secure storage unit, said target data being reachable in the secure storage unit through said link va1ue ,
wherein the secure storage is configured to use access rules for authorizing or denying a request initiated by a user and aiming at accessing the target data comprised in the entry, and
wherein said instructions, when executed by the processor, cause said generator to generate an updated version of the digital document by removing said target data from the initial version of the digital document.
11. The system according to claim 10, wherein the generator is configured to insert a display value in place of the target data in the updated version of the digital document.
12. The system according to claim 11, wherein the generator is configured to set the display value with a random value or a meaningless token. 13. The system according to claim 11 or 12, wherein the generator is configured to generate the link value by applying the preset function to the display value. 14. A system for securely accessing a digital document containing a set of data, the system comprising a hardware processor,
wherein the system comprises an accessor agent including instructions that, when executed by the processor, cause said accessor agent to:
- detect, from a current version of the digital document, the existence of a target data belonging to a previous version of the digital document and missing from the current version of the digital document,
- build a link value allocated to the target data by applying a preset function to a subset of said set of data,
wherein the system is configured to generate a request by using the link value for retrieving the target data from a secure storage unit and to forward the retrieved target data to a display device for- rendering to a user.
15. The system according to claim 14, wherein the current version comprises a display value in place of the target data and wherein the accessor agent is adapted to generate the link value by applying the preset function to the display value.
EP19795397.9A 2018-10-10 2019-10-10 Methods for securing and accessing a digital document Ceased EP3864560A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US16/156,353 US10970408B2 (en) 2018-10-10 2018-10-10 Method for securing a digital document
US16/156,349 US11625496B2 (en) 2018-10-10 2018-10-10 Methods for securing and accessing a digital document
US16/166,770 US10956590B2 (en) 2018-10-22 2018-10-22 Methods for securely managing a paper document
PCT/US2019/055551 WO2020077048A1 (en) 2018-10-10 2019-10-10 Methods for securing and accessing a digital document

Publications (1)

Publication Number Publication Date
EP3864560A1 true EP3864560A1 (en) 2021-08-18

Family

ID=68345084

Family Applications (2)

Application Number Title Priority Date Filing Date
EP19794842.5A Ceased EP3864559A1 (en) 2018-10-10 2019-10-10 Method for securing a digital document
EP19795397.9A Ceased EP3864560A1 (en) 2018-10-10 2019-10-10 Methods for securing and accessing a digital document

Family Applications Before (1)

Application Number Title Priority Date Filing Date
EP19794842.5A Ceased EP3864559A1 (en) 2018-10-10 2019-10-10 Method for securing a digital document

Country Status (2)

Country Link
EP (2) EP3864559A1 (en)
WO (2) WO2020077061A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113553480A (en) * 2021-07-28 2021-10-26 用友汽车信息科技(上海)股份有限公司 Document auditing method, document auditing device and readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4586913B2 (en) * 2008-09-19 2010-11-24 富士ゼロックス株式会社 Document management system, document use management apparatus, and program
CN101859360A (en) * 2009-04-08 2010-10-13 黄金富 File security processing method, corresponding software and decryption reading device
EP2803001A1 (en) * 2011-10-31 2014-11-19 Forsythe Hamish Method, process and system to atomically structure varied data and transform into context associated data
CN102722737B (en) * 2012-05-13 2015-11-25 河南大学 A kind of paper document tamper resistant method

Also Published As

Publication number Publication date
WO2020077048A1 (en) 2020-04-16
WO2020077061A1 (en) 2020-04-16
EP3864559A1 (en) 2021-08-18

Similar Documents

Publication Publication Date Title
US11775678B2 (en) Tagging and auditing sensitive information in a database environment
US11947704B2 (en) Tagging and auditing sensitive information in a database environment
US10002151B2 (en) Client computer for updating a database stored on a server via a network
US11290446B2 (en) Access to data stored in a cloud
US20180285591A1 (en) Document redaction with data isolation
US20070226488A1 (en) System and method for protecting digital files
WO2014143786A1 (en) Data tokenization in an intermediary node
EP3864560A1 (en) Methods for securing and accessing a digital document
US10970408B2 (en) Method for securing a digital document
US11625496B2 (en) Methods for securing and accessing a digital document
US10956590B2 (en) Methods for securely managing a paper document
JP4371995B2 (en) Shared file access control method, system, server device, and program
CA3043983A1 (en) Tagging and auditing sensitive information in a database environment
Amos Cloud computing-Securing patient data
CN120277702A (en) Statistical information visibility control in an enclave database
NZ618683B2 (en) Access control to data stored in a cloud

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20210510

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: THALES DIS CPL USA, INC.

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20221208

REG Reference to a national code

Ref country code: DE

Ref legal event code: R003

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED

18R Application refused

Effective date: 20250326

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载