Embedding security posture in network traffic

US 10,021,101 B2
Filed: 07/28/2017
Issued: 07/10/2018
Est. Priority Date: 10/17/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

registering a service node with a device management server to provide a service;

negotiating with the device management server regarding a data structure associated with security posture information, wherein the data structure includes a mapping of one or more security postures to corresponding posture values;

receiving from a mobile device a message that includes the security posture information;

validating the mobile device based on the security posture information; and

providing the mobile device with access to the service based at least in part on the validation.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embedding security posture in network traffic is disclosed. Security posture information is received. The security posture information is embedded into a message. The message including the security posture information is sent from a mobile device to a service node. The service node uses the security posture information to validate the mobile device to access a service. The service accesses the service based at least in part on the validation.

15 Citations

26 Claims

1. A method, comprising:
- registering a service node with a device management server to provide a service;
  
  negotiating with the device management server regarding a data structure associated with security posture information, wherein the data structure includes a mapping of one or more security postures to corresponding posture values;
  
  receiving from a mobile device a message that includes the security posture information;
  
  validating the mobile device based on the security posture information; and
  
  providing the mobile device with access to the service based at least in part on the validation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the one or more security postures includes at least one of a secure posture value, a not secure posture value, a jailbroken security posture value, a rooted security posture value, an unauthorized application installed security posture value, and/or a password policy violation security posture value.
  - 3. The method of claim 1, wherein the mobile device is configure to send to the device management server, state information, wherein the state information is used at the device management server to generate the security posture information.
  - 4. The method of claim 3, wherein the state information includes one or more of mobile device state information, application inventory information, and policy state information.
  - 5. The method of claim 3, wherein the mobile device is configured to send the state information from a management agent on the mobile device to the device management server.
  - 6. The method of claim 3, wherein the device management server is configured to perform the steps of:
    - receiving the state information;
      
      determining a posture of the mobile device at least in part by applying rules to the state information;
      
      generating the security posture information including a security posture value indicating the security posture of the mobile device; and
      
      sending the security posture information to the mobile device.
  - 7. The method of claim 1, wherein the mobile device is configured to:
    - determine a posture of the mobile device based at least in part on state information; and
      
      generate the security posture information indicating the posture of the mobile device.
  - 8. The method of claim 7, wherein a management agent on the mobile device is configured to determine the posture and to send the security posture information to a managed application on the mobile device.
  - 9. The method of claim 7, wherein a virtual private network client on the mobile device is configured to determine the posture.
  - 10. The method of claim 9, wherein a managed application of the mobile device embeds the security posture information into the message.
  - 11. The method of claim 1, wherein the mobile device is configured to embed the security posture information into the message.
  - 12. The method of claim 11, wherein the embedding step includes embedding the security posture information into a header of a hypertext transfer protocol (HTTP) message.
  - 13. The method of claim 11, wherein the embedding step includes embedding the security posture information into a Wi-Fi user profile associated with the mobile device.
  - 14. The method of claim 11, wherein the embedding step includes adding the security posture information to a portion of the message, wherein the message includes information to be sent to the service node irrespective of the security posture information.
  - 15. The method of claim 1, wherein the security posture information includes one or more of mobile device posture information, timestamp information, and a service identifier associated with the service node.
  - 16. The method of claim 1, wherein the security posture information includes a first set of security posture information generated at the mobile device and a second set of security posture information generated at a device management server.
  - 17. The method of claim 15, further comprising:
    - selecting a set of security posture information based at least in part on timestamp information included in the sets of security posture information; and
      
      analyzing the selected set of security posture information.
  - 18. The method of claim 1, wherein the security posture information is encrypted at the device management server using encryption information associated with the service node.
  - 19. The method of claim 18, further comprising using the encryption information associated with the service node to extract the security posture information from the message.
  - 20. The method of claim 1, wherein registering the service node with the device management server includes determining one or more of a service identifier associated with the service, encryption information associated with the service node, a communication protocol, one or more security values, and a security posture expiration period.

21. A method, comprising:
- registering a service node with a device management server to provide a service;
  
  negotiating with the device management server regarding a data structure associated with security posture information, wherein the data structure includes a mapping of one or more security postures to corresponding posture values;
  
  receiving from a mobile device a message that includes the security posture information;
  
  analyzing the security posture information;
  
  validating the mobile device based on the security posture information; and
  
  providing the mobile device access to the service based at least in part on the analysis of the security posture information.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, wherein analyzing the security posture information includes:
    - applying a policy to one or more of a security posture value and a security posture expiration time included in the security posture information;
      
      determining that the mobile device is validated to access the service based at least in part on the application of the policy; and
      
      providing the mobile device access to the service based at least in part on the determination.
  - 23. The method of claim 22, further comprising providing information to the mobile device including operations to be performed to gain access to the service.

24. A method, comprising:
- registering a service node with a device management server to provide a service;
  
  negotiating with the device management server regarding a data structure associated with security posture information, wherein the data structure includes a mapping of one or more security postures to corresponding posture values;
  
  receiving from a mobile device a message that includes the security posture information;
  
  analyzing the security posture information;
  
  validating the mobile device based on the security posture information; and
  
  denying the mobile device access to the service based at least in part on the analysis of the security posture information.

25. A system, comprising:
- a processor; and
  
  a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to;
  
  register a service node with a device management server to provide a service;
  
  negotiate with the device management server regarding a data structure associated with security posture information, wherein the data structure includes a mapping of one or more security postures to corresponding posture values;
  
  receive from a mobile device a message that includes the security posture information;
  
  validate the mobile device based on the security posture information; and
  
  provide the mobile device with access to the service based at least in part on the validation.

26. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- registering a service node with a device management server to provide a service;
  
  negotiating with the device management server regarding a data structure associated with security posture information, wherein the data structure includes a mapping of one or more security postures to corresponding posture values;
  
  receiving from a mobile device a message that includes the security posture information;
  
  validating the mobile device based on the security posture information;
  
  providing the mobile device with access to the service based at least in part on the validation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ivanti, Inc. (Ivanti Software, Inc.)
Original Assignee
MobileIron, Inc.
Inventors
Batchu, Suresh Kumar, Kim, Mansu
Primary Examiner(s)
Parsons, Theodore C

Application Number

US15/663,445
Publication Number

US 20170331823A1
Time in Patent Office

347 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04W 12/02   Protecting privacy or anony...

H04W 12/03   Protecting confidentiality,...

H04W 12/069   using certificates or pre-s...

H04W 12/084   using delegated authorisati...

H04W 12/088   using filters or firewalls

Embedding security posture in network traffic

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Embedding security posture in network traffic

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others