(12) Patent Application Publication (10) Pub. No.: US 2015/0100357 A1
Seese et al.
(43) Pub. Date: Apr. 9, 2015

US 20150100357A1

(54) SYSTEMS AND METHODS FOR CLOUD DATA LOSS PREVENTION INTEGRATION
(71) Applicants: Scott Alan Seese, Saratoga, CA (US); Sachin Vijayan, San Jose, CA (US); Chirag Shah, Fremont, CA (US)
(72) Inventors: Scott Alan Seese, Saratoga, CA (US); Sachin Vijayan, San Jose, CA (US); Chirag Shah, Fremont, CA (US)

(21) Appl. No.: 14/138,050
(22) Filed: Dec. 21, 2013

Related U.S. Application Data
(60) Provisional application No. 61/886,430, filed on Oct. 3, 2013.

Publication Classification

(51) Int. Cl.
G06Q 10/06 (2006.01)
H04L 29/08 (2006.01)

(52) U.S. Cl.
CPC ............ G06Q 10/0631 (2013.01); H04L 67/06 (2013.01)

(57) ABSTRACT

A system, method, and computer readable medium is provided to provide an integrated storage system. For example, an embodiment may detect, by an enterprise computer system, an activity notification from a cloud service that stores data on behalf of an enterprise. The activity notification may specify a file name involved in an activity performed by the cloud service (e.g., creating or modifying a file). The enterprise computer system may then download a file (or contents thereof) from the cloud service using the file name specified by the activity notification. After downloading the file, the enterprise computer system may analyze the file against a data loss prevention rule. Based on an outcome from the data loss prevention rule, the enterprise computer system may communicate an action response to the cloud service. The action response may direct the cloud service to perform an action on the file stored by the cloud service.
`
[Front-page drawing (FIG. 1, system 100): cloud service consumer, new/changed files, cloud services; the remaining block labels are not legible in the scan]

Page 1 of 15

Netskope Exhibit 1007
`
[FIG. 1 (Sheet 1 of 6): system diagram of the integrated storage system; cloud service consumer, cloud services; other labels not legible in the scan]
`
`
[FIG. 2 (Sheet 2 of 6): data flow diagram 200; cloud service 104A; step labels not legible in the scan]
`
`
[FIG. 3 (Sheet 3 of 6): flow chart of the method 300; no text recovered from the scan]
`
`
[FIG. 4 (Sheet 4 of 6): data flow diagram for on-demand scans; cloud service 104A, operation 402; other labels not legible in the scan]
`
`
[FIG. 5 (Sheet 5 of 6): flow chart for on-demand scans; no legible text recovered from the scan]
`
`
[FIG. 6 (Sheet 6 of 6): computer system; recoverable block labels: processor, main memory, static memory, network interface device, network, video display, alpha-numeric input device, navigation device, drive unit with machine-readable medium and instructions, signal generation device]
`
`
`
SYSTEMS AND METHODS FOR CLOUD DATA LOSS PREVENTION INTEGRATION

RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Application No. 61/886,430, filed Oct. 3, 2013, entitled "Cloud Data Loss Prevention Integration," which is herein incorporated by reference in its entirety.

TECHNICAL FIELD

[0002] This application relates to data processing. In particular, example embodiments may relate to systems and methods for integrating a cloud service with information systems of an enterprise.

BACKGROUND

[0003] Traditional cloud service providers may provide a cloud service to a user, such as an enterprise, for storing data on computer resources hosted by the cloud service provider. In this way, a company's data is stored by and accessible from multiple distributed and connected resources that comprise a cloud. Cloud storage can provide the benefits of greater accessibility and reliability; rapid deployment; strong protection for data backup, archival, and disaster recovery purposes; and lower overall storage costs as a result of not having to purchase, manage, and maintain expensive hardware.

[0004] There are three traditional types of cloud storage systems. The first type of cloud storage system may be referred to as public cloud storage. In public cloud storage, an enterprise and a storage service provider are separate entities. The computational resources used to store data are managed by the storage service provider and are not part of the enterprise's data center. Thus, the cloud storage provider fully manages the computational resources used to manage the enterprise's data stored within the cloud storage system.

[0005] The second type of cloud storage system may be referred to as private cloud storage. In private cloud storage, the enterprise and cloud storage provider are integrated within the enterprise's data center. This may mean that the storage provider has infrastructure within the enterprise's data center. Private cloud storage helps resolve the potential for security and performance concerns while still offering the advantages of cloud storage.

[0006] The third type of cloud storage system may be referred to as hybrid cloud storage. In hybrid cloud storage, some critical data resides in the enterprise's private cloud while other data is stored and accessible from a public cloud storage provider. Thus, hybrid cloud storage systems may be some combination of public and private cloud storage systems.

[0007] Currently, enterprises adopting a cloud strategy for their storage systems generally adopt one or more of these three types of cloud storage systems depending on the needs of the enterprise.

BRIEF DESCRIPTION OF THE DRAWINGS

[0008] The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which:

[0009] FIG. 1 is a system diagram depicting an integrated storage system, according to one embodiment;

[0010] FIG. 2 is a data flow diagram of the integrated storage system of FIG. 1, according to an example embodiment;

[0011] FIG. 3 is a flow chart illustrating a method of providing integrated DLP support, according to an example embodiment;

[0012] FIG. 4 is a data flow diagram of an integrated storage system for performing on-demand scans of files stored on a cloud service, according to an example embodiment;

[0013] FIG. 5 is a flow chart showing a method for performing on-demand scans, according to an example embodiment; and

[0014] FIG. 6 shows a diagrammatic representation of a machine in the example form of a computer system within which a set of instructions may be executed causing the machine to perform any one or more of the methodologies discussed herein.

DETAILED DESCRIPTION

[0015] Although example embodiments have been described with reference to specific examples, it is to be appreciated that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.

[0016] Example embodiments may relate to integrating a data loss prevention ("DLP") policy (or policies) of an enterprise with data stored on a cloud service. As is discussed below, a DLP policy may be a process that identifies confidential data (e.g., credit card numbers, social security numbers, and the like), tracks that data as it moves through and out of the enterprise, or prevents unauthorized disclosure of data by creating and enforcing disclosure policies. However, in some cases, an enterprise, or employees thereof, may store data in a cloud service, such as Box.com®. Example embodiments may then relate to enforcing a DLP policy where data is stored outside the enterprise by a cloud service.

[0017] For example, an example embodiment may detect, by an enterprise computer system, an activity notification from a cloud service that stores data on behalf of an enterprise. The activity notification may specify a file name involved in an activity performed by the cloud service (e.g., creating or modifying a file). The enterprise computer system may then download a file (or contents thereof) from the cloud service using the file name specified by the activity notification. After downloading the file, the enterprise computer system may analyze the file against a data loss prevention rule. Based on an outcome from the data loss prevention rule, the enterprise computer system may communicate an action response to the cloud service, the action response directing the cloud service to perform an action on the file stored by the cloud service.

[0018] Accordingly, an example embodiment may use an event-driven system, where the cloud service initiates a DLP process by notifying the enterprise computer systems when an activity is performed on a file of the enterprise but stored by the cloud service. In other example embodiments, discussed in greater detail below, the computer systems of an enterprise may initiate a process of analyzing a file against one or more DLP rules. An enterprise may initiate the process of analyzing a file against one or more DLP rules to perform on-demand scans of a user share.

[0019] These and other embodiments are now described by way of example and not limitation.
`
`
System Overview of an Event-Based Integrated Storage System

[0020] FIG. 1 is a system diagram depicting an integrated storage system 100, according to one embodiment, wherein an enterprise 102 is integrated with one or more cloud services, such as any combination of cloud services 104A-C.

[0021] The enterprise 102 may be a computer system operated by an entity (e.g., a business, organization, company, person, or any other suitable entity) that manages, processes, stores, or communicates data. To fulfill its data storage needs, in full or in part, the enterprise 102 may be communicatively coupled to one or more of the cloud services 104A-C.

[0022] The cloud services 104A-C may provide cloud storage services to users (e.g., employees, departments, teams, etc.) of the enterprise. Accordingly, the cloud services 104A-C may provide cloud services where data "owned" by the enterprise is stored, at least partially, on computational resources managed by the cloud services 104A-C. Examples of providers of cloud services for storing data include BOX.COM®, SKYDRIVE®, YAMMER®, SALESFORCE®, and DROPBOX®, to name a few.

[0023] In addition to general storage needs, the enterprise 102 may deploy a data loss prevention policy to address data loss concerns. DLP, as used herein, is broadly defined as any solution or process that identifies confidential data, tracks that data as it moves through and out of the computer systems of the enterprise 102, or prevents unauthorized disclosure of data by creating and enforcing disclosure policies. In some embodiments, DLP may involve an on-demand or a schedule-based solution that scans data at data storage locations to identify confidential data that may be stored at those data storage locations and, if so configured, to take appropriate remedial action. Examples of confidential data may include social security numbers, financial data (e.g., credit card number, magnetic stripe data, and the like), username and password pairs, proprietary information, licensed data (e.g., copyrighted works), or any other data that may compromise the enterprise if the data is misappropriated.

[0024] With respect to FIG. 1, DLP may be provided for the enterprise 102 through an integration of components or modules of the enterprise 102 and the cloud services 104A-C. For example, as shown in FIG. 1, the enterprise 102 may include a job scheduler 112, a DLP backend server 114, and a DLP engine 116, while the cloud services 104A-C may each include a notification port. See, for example, notification ports 118A-C.

[0025] The job scheduler 112 may be a computer-implemented module configured to serve as a listener service for the cloud services 104A-C to contact and issue "notifications" concerning data (e.g., file) uploads and modifications and, responsive to receiving a notification, the job scheduler 112 may add a job corresponding to the activity notification to a job queue. To receive the notifications issued by the cloud services 104A-C, the job scheduler 112 may provide an API based on industry standard application programming interface (API) types and common protocols, such as Hypertext Transfer Protocol ("HTTP")/HTTP Secure ("HTTPS"), Representational State Transfer ("REST"), Simple Object Access Protocol ("SOAP"), etc. In some cases the notifications sent from the cloud services 104A-C may be protected via a secure communication protocol such as Secure Socket Layer ("SSL")/Transport Layer Security ("TLS"). Accordingly, the job scheduler 112 may be configured to communicate using these secure communication protocols. Further, the job scheduler 112 may be configured to enforce authentication/authorization requirements at the API level through support of industry standards like OAuth, SSL/TLS, and Security Assertion Markup Language ("SAML").
[0026] The DLP backend server 114 may be a computer-implemented module configured to process jobs from the job scheduler 112 and then communicate an action response to the cloud service. For example, as part of processing a job from the job scheduler, the DLP backend server 114 may identify a file corresponding to the job, obtain the identified file from the cloud service, and communicate the file to the DLP engine 116 for DLP analysis. After the DLP engine 116 completes DLP analysis, the DLP backend server 114 may communicate an action response back to the cloud service. The action response may direct the cloud service to perform a specified action on the file stored in the cloud service.

[0027] The DLP engine 116 may be a computer-implemented module configured to verify files against one or more DLP rules. A DLP rule may be data and/or logic that specifies conditions under which a file violates a DLP policy of the enterprise. The DLP rule may also specify an action that is to be performed by the cloud service in response to a detected violation of one or more DLP rules. By way of example and not limitation, such actions may include removing the file from the cloud service, messaging the enterprise user concerning the violation, removing any backup or revisions of the file which may be in violation, or any other suitable operation involving the file or the enterprise user.

[0028] With respect to the cloud services 104A-C, the notification ports 118A-C may each be computer-implemented modules configured to communicate activity notifications to the job scheduler 112 and receive notification responses from the backend server 114. For example, the cloud service 104A may be configured to communicate, via the notification port 118A, an activity notification to the job scheduler 112 whenever a file belonging to the enterprise is created or modified in the cloud storage service offered by the cloud service 102A. An activity notification may be a data message that includes any number of the following fields:

[0029] Cloud Service ID: This field identifies the provider that is sending the notification and identifies the return destination for the notification response. In some cases, the cloud service ID may be represented as a uniform resource locator, a unique code, or any other suitable data capable of uniquely identifying the various cloud services. By way of example and not limitation, the cloud service ID may specify https://dropbox.com, https://app.box.com, or any other identifier associated with a cloud service provider. In addition to specifying a uniform resource locator ("URL") associated with the cloud service provider, the cloud service ID may further include an identifier assigned to the notification port 118A, such as a port number.

[0030] File ID: This field identifies a file identifier for the file for which the activity notification is being generated. For example, if an enterprise user creates a file with the identifier "Foo.doc," the file ID field may specify "Foo.doc." It is to be appreciated that the file identifier specified by the file ID field does not necessarily have to be a file name. In some cases, the file identifier may be a uniquely generated number or code assigned to files maintained by the cloud service provider.

[0031] Enterprise User ID: This field identifies the enterprise user that has initiated the activity to the file specified by the file ID field. The enterprise user ID may be the username assigned to the account within the cloud service provider.
[0032] File Path: This field specifies information for retrieval of the file for DLP analysis. In some cases, the file path field may include data that specifies a directory structure that can be used to retrieve or otherwise access the file specified by the file ID field.

[0033] File Activity: This field identifies the file activity that triggers the notification. Examples of file activities may include an upload of a new file within the cloud storage system, modification of the contents of an existing file, a change of permissions associated with a file, a change of a file name, deleting a file, or any other file operation supported by a filesystem.

[0034] Action: This is an optional field that may be blank if included in the activity notification. The purpose of this field may be to provide a field for the enterprise 102 to specify an action for the cloud service provider to perform after DLP analysis. Thus, the action field may be a field that includes data specified by the enterprise 102.

[0035] In addition to sending activity notifications to the enterprise 102 (e.g., the job scheduler 112), the notification port 118A may also be configured to receive notification responses communicated by the backend server 114. In some cases, the notification responses may include some or all of the fields specified by the activity notification. For example, the notification response may include one or more fields specifying a cloud service ID, a file ID, an enterprise user ID, a file path, a file activity, and an action. The contents or values of these fields may be the values specified by the activity notification to which the notification response corresponds. However, some fields may be updated by the backend server to specify a remedial action selected by the DLP engine 116. The remedial action may be specified by the action field of the notification response. As described above, examples of actions may include, but are not limited to, removing the file from the cloud service, messaging the enterprise user concerning the violation, removing any backup or revisions of the file which may be in violation, or any other suitable operation involving the file or the enterprise user.
`
Example Data Flow for an Event-Based Integrated Storage System

[0036] FIG. 2 is a data flow diagram of the integrated storage system 100 of FIG. 1, according to an example embodiment. In some embodiments, the data flow is implemented by one or more processors, as may be executed by one or more of the modules or components shown in FIG. 1. Accordingly, FIG. 2 is described with reference thereto.

[0037] At step 1, the cloud service 104A pushes an activity notification to the job scheduler 112. The activity notification may include fields that include data that indicate that a file maintained by the cloud service 104A has been uploaded or changed by an enterprise user. As described above, the notification may include, among other things, data fields that specify a cloud service identifier, a file identifier, an enterprise user identifier, a file path, or a file activity. It is to be appreciated that the activity notification may include data that is standardized between the cloud consumer 102 and one or more of the cloud services 104A-C. Further, this notification may be communicated in a trusted and secure manner, utilizing, for example, SSL certificates.
`
[0038] As part of step 1, the job scheduler 112 verifies and queues the activity notification, in the form of a job, to be retrieved by the backend server 114. As described above, the activity notification, and in turn the job, includes all the basic detail required to retrieve the file from the cloud service 104A. It is to be appreciated that the terms job and activity notification may, in some embodiments, refer to the same data object, while, in other embodiments, these terms may refer to different data objects where a job is a data type with one or more data fields that derive values from a corresponding activity notification.

[0039] At step 2, the backend server 114 pulls the job from the job scheduler 112 and, at step 3, the backend server 114 connects to the cloud service 104A to obtain (e.g., by pulling or downloading) the file from the cloud service 104A. In some cases, the backend server 114 may pull the file using the data fields specified by the activity notification (e.g., the file ID, the cloud service ID, the file path, and the like). It is to be appreciated that some embodiments may use trusted and secure communication protocols, such as SSL certification, to request and receive the file from the cloud service 104A.

[0040] At step 4, the backend server 114 communicates the file (via, for example, a communication protocol such as Internet Content Adaptation Protocol ("ICAP")) to the DLP engine 116 for DLP analysis. In some embodiments, step 4 may further involve the backend server 114 erasing the contents of the file from any storage device that may have been used to temporarily store the file.

[0041] At step 5, the DLP engine 116 analyzes the file and the file contents against one or more DLP rules and selects an action response. In some cases, a DLP rule may be data or logic that specifies a condition and a triggered response. If the content of the file and/or metadata of the file matches the condition specified by the DLP rule, then the DLP engine 116 may communicate the action response to the backend server 114. If, however, the file (e.g., the content or metadata thereof) does not match the condition of any of the DLP rules, the DLP engine 116 may select a "no action" action response.

[0042] At step 6, the backend server 114 receives a DLP analysis response from the DLP engine 116 that specifies the selected action response. Responsive to receiving the selected action response, the backend server 114 inserts the selected action response into a notification response to the activity notification previously received at step 1. As described above, a notification response may be a data message derived from the activity notification. Accordingly, step 6 may simply involve, among other things, updating the action field of the activity notification with a value corresponding to the selected DLP action.

[0043] At step 7, the backend server 114 connects to the cloud service 104A through the notification port 118A and pushes a notification response, which may contain metadata and the action, to the notification port 118A.

[0044] At step 8, the cloud service 104A performs a remediation action corresponding to the value of the action field of the notification response. For example, the cloud service 104A may delete the file corresponding to the activity represented by the activity notification.

[0045] It is to be appreciated that the steps shown in FIG. 2 are illustrative of an example embodiment and should not be interpreted as limiting the scope of other embodiments contemplated by this disclosure. For example, it is to be appreciated that the term "step" should not be interpreted as requiring any particular sequence or order of operation. It is to be appreciated further that FIG. 2 provides specific references to "pushing" and "pulling" operations by way of example and not by way of limitation. Thus, this disclosure contemplates that other embodiments may use other suitable sequences of "pushing" or "pulling" data.
[0046] FIG. 3 is a flow chart illustrating a method 300 of providing integrated DLP support, according to an example embodiment. In some embodiments, the method 300 may characterize the operations shown in FIG. 2 in greater detail.

[0047] The method 300 may begin at operation 302 when the cloud service provider 102A communicates an activity notification to the job scheduler 112. The activity notification may represent a file system operation performed by the cloud service 102A with respect to a given file or directory. As described above, in some cases, the activity notification may include data specifying the cloud service provider, a filename corresponding to the activity, a file path, an activity identifier, an enterprise user ID, and the like. As FIG. 3 illustrates, operation 302 pushes the activity notification to the job scheduler 112; however, other embodiments may operate such that the job scheduler 112 pulls the activity notification from the notification port 118A of the cloud service 102A.

[0048] At operation 304, the job scheduler 112 may receive the activity notification communicated by the cloud service 102A. Upon receiving the activity notification, the job scheduler 112 may verify that the activity notification was sent from a trusted source. In some embodiments, a trusted source is verified through a certificate used to establish a secure communication (e.g., via SSL/TLS). It is to be appreciated that, in other embodiments, secure tokens that are passed along with the communication can be used for authentication.

[0049] At operation 306, the job scheduler 112 may verify the data fields of the activity notification. For example, the job scheduler 112 may verify the data fields of the activity notification by determining whether one or more of the data fields include invalid values. For example, where the activity notification is missing a file name, the job scheduler 112 may signal that one or more data fields from the activity notification are invalid. As another example, if the activity notification includes a directory path in an incorrect format, the job scheduler 112 may signal that the directory path is incorrect and, in some cases, may specify an expected format.

[0050] If one or more of the data fields from the activity notification are invalid, the job scheduler 112, at operation 308, may communicate an error message to the cloud service 102A. The error message may include a description that identifies which data field is invalid and why that data field is invalid. At operation 310, the cloud service 102A may resolve the error by, for example, entering information missing from the original submission.

[0051] Returning to operation 306, if, on the other hand, the job scheduler 112 determines that the data fields are instead valid, the job scheduler 112 adds, at operation 312, a job representing the activity notification to a job scheduler, or any other suitable data structure that maintains a collection of jobs that are to be processed by the DLP engine 116. The job may have one or more of the data fields specified by the activity notification.
[0052] At operation 314, the backend server 114 obtains the job from the job scheduler 112. Then, at operation 316, the backend server 116 may obtain the file involved in the detected activity from the cloud service 102A. In some embodiments, obtaining the file from the cloud service 102 may involve the backend server 114 parsing data from the job and then using the data to access the file through the file system interface exposed by the cloud service 102A. For example, the backend server 114 may communicate a file request to the cloud service 102A, where the file request may include, among other things, a filename, a file path, an enterprise user ID, and the like. Using information from the file request, the cloud service 102A may, at operation 317, send the file (or files) to the backend server 114.

[0053] Operation 318 may begin the DLP analysis phase. For example, at operation 318, the backend server 114 may pass the file (or files) to the DLP engine 116 for DLP analysis. Once the DLP engine 116 receives the file (or files), the backend server 114 may delete the file (or files) from storage. Thus, the file (or files) obtained by the backend server 114 from the cloud service 102A are only maintained in memory for a limited time.

[0054] Once the DLP engine 116 receives the file (or files) from the backend server 114, the DLP engine 116 may then analyze the file (or files) based on one or more DLP rules. This is shown as operation 320. As described above, an example DLP rule may specify a condition in which a file may violate a policy of the enterprise. A DLP rule may further specify an action that the cloud service 102A is to perform in response to detecting that the file (or files) violates a policy of the enterprise. Example embodiments of DLP rules may include data or logic configured to identify confidential data, such as social security numbers, financial data (e.g., credit card number, magnetic stripe data, and the like), username and password pairs, proprietary information, licensed data (e.g., copyrighted works), or any other data that may compromise the enterprise if the data is misappropriated.

[0055] At operation 322, the backend server 114 receives the selected action from the DLP engine 116. In some cases, the selected action may be received in a way that the selected action is mapped back to the job used to analyze the file passed to the DLP engine 116 at operation 318. For example, passing the file to the DLP engine 116 may be a function call that blocks on the result (e.g., the selected action). In other cases, the selected action may be communicated to the backend server 114 with an identifier mapped to the message that sent the file to the DLP engine 116, an identifier mapped to the job corresponding to the file, an identifier mapped to the activity notification, or any other message.

[0056] At operation 324, the backend server 114 then generates a notification result that is then communicated to the cloud service 102A. The notification result may include the action selected by the DLP engine 116. The notification result may also include one or more data fields specified by the activity notification, such as data fields that specify a file name, a file path, an enterprise user ID, and the like.

[0057] At operation 326, the cloud service 104A receives the notification result from the backend server 114. Then, at operation 328, the cloud service 102A identifies the selected action from the notification result and then performs the selected action on the file that initiated the activity notification. For example, the cloud service 102A may remove the file specified by the notification result or may alert the user of improper activity. In some cases, after the cloud service 102A performs the selected action, the cloud service may notify the enterprise that the selected action was performed. This is shown as operation 330.
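The activity-notification fields of [0029]-[0034] and the validate/fetch/analyze/respond path of operations 304-324 above, as an added Python example that is not code from the application or from any product it names; the snake_case field names, the accepted activity values, the absolute-path format, the regex rules, and the fake file store are all constructed assumptions.

```python
"""Event-driven cloud DLP flow modelled on FIGS. 2 and 3 (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Field names follow the activity notification fields in the description;
# the snake_case spellings and the accepted activity values are assumptions.
REQUIRED_FIELDS = ("cloud_service_id", "file_id", "enterprise_user_id",
                   "file_path", "file_activity")
ALLOWED_ACTIVITIES = {"upload", "modify", "permission_change", "rename", "delete"}
# Assumed expected format for file_path: an absolute, slash-separated path.
PATH_RE = re.compile(r"^/(?:[^/\0]+/)*[^/\0]+$")


def validate_notification(note: Dict[str, str]) -> List[str]:
    """Operation 306: check the data fields; return error descriptions (empty == valid).
    Each message names the bad field and why, as the operation 308 error message requires."""
    errors: List[str] = []
    for name in REQUIRED_FIELDS:
        if not note.get(name):
            errors.append(f"{name}: missing or empty")
    path = note.get("file_path")
    if path and not PATH_RE.match(path):
        errors.append("file_path: expected an absolute path such as /dir/sub/Foo.doc")
    activity = note.get("file_activity")
    if activity and activity not in ALLOWED_ACTIVITIES:
        errors.append(f"file_activity: expected one of {sorted(ALLOWED_ACTIVITIES)}")
    return errors


@dataclass(frozen=True)
class DlpRule:
    """A DLP rule: a condition over file content plus the action the cloud service should take."""
    name: str
    condition: Callable[[bytes], bool]
    action: str


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so a 16-digit run only counts as a card number if the check digit holds."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")
CRED_RE = re.compile(rb"password\s*[:=]\s*\S+", re.IGNORECASE)

# Constructed rules; the patterns are deliberately simple stand-ins for a real DLP engine.
RULES = [
    DlpRule("ssn", lambda c: SSN_RE.search(c) is not None, "remove_file"),
    DlpRule("credit_card",
            lambda c: any(luhn_ok(m.group().decode()) for m in CARD_RE.finditer(c)),
            "remove_file_and_revisions"),
    DlpRule("credential_pair", lambda c: CRED_RE.search(c) is not None, "message_user"),
]


def evaluate(content: bytes, rules=RULES) -> str:
    """Operation 320: the first rule whose condition matches selects the action, else no action."""
    for rule in rules:
        if rule.condition(content):
            return rule.action
    return "no_action"


def process_notification(note: Dict[str, str],
                         fetch: Callable[[Dict[str, str]], bytes]) -> Dict:
    """Operations 304-324 in one pass: validate, pull the file, analyze, build the response.
    `fetch` stands in for the backend server pulling the file from the cloud service."""
    errors = validate_notification(note)
    if errors:
        # Operation 308: an error message back to the cloud service instead of a job.
        return {"cloud_service_id": note.get("cloud_service_id"),
                "status": "error", "errors": errors}
    content = fetch(note)
    action = evaluate(content)
    del content  # step 4: drop our copy of the file contents once the engine has ruled
    # Operation 324: the notification response is the activity notification with
    # the action field filled in from the DLP result.
    response = dict(note)
    response["action"] = action
    response["status"] = "ok"
    return response


# Constructed sample data.
SAMPLE_NOTIFICATION = {
    "cloud_service_id": "https://app.box.com:8443",  # URL plus notification-port number
    "file_id": "Foo.doc",
    "enterprise_user_id": "jdoe",
    "file_path": "/finance/q3/Foo.doc",
    "file_activity": "upload",
    "action": "",  # optional field, blank when the cloud service sends it
}
FAKE_STORE = {
    "/finance/q3/Foo.doc": b"Customer SSN 123-45-6789 on file.",
    "/sales/cards.csv": b"name,card\nalice,4111 1111 1111 1111\n",
    "/hr/notes.txt": b"Lunch at noon. Order no. 1234 5678 9012 3456",  # fails Luhn
}


def fake_fetch(note: Dict[str, str]) -> bytes:
    """Stand-in for downloading the file from the cloud service by its file path."""
    return FAKE_STORE[note["file_path"]]


if __name__ == "__main__":
    for path in FAKE_STORE:
        resp = process_notification(dict(SAMPLE_NOTIFICATION, file_path=path), fake_fetch)
        print(path, "->", resp["action"])
    print(process_notification(dict(SAMPLE_NOTIFICATION, file_id="", file_path="Foo.doc"),
                               fake_fetch)["errors"])
```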
[0058] As FIG. 3 shows, the cloud service 102A, the job scheduler 112, the backend server 114, and the DLP engine 116 may each generate one or more reports as part of performing the method 300. For example, the cloud service 102A may be configured to generate a cloud service report 340 that tracks and reports on the number of fil
