Client application based access control in cloud security systems for mobile devices

US 10,044,719 B2
Filed: 01/29/2016
Issued: 08/07/2018
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method, implemented by one or more nodes in a cloud-based security system, for enforcing application-based control of network resources, the method comprising:

receiving a request from a user device for the network resources, wherein the user device is connected to the cloud-based system through a tunnel such that all network traffic is forward thereto, prior to the network resources for inline monitoring;

evaluating the request through the cloud-based security system based on a tunnel protocol of the tunnel and determining an application on the user device performing the request; and

performing, at the one or more nodes in the cloud-based security system external and independent from the user device, one ofdenying the request if the application is unauthorized to access the network resources,redirecting the request to an authorized application on the user device via the tunnel protocol if the application is legitimate but unauthorized to access the network resources, wherein the redirecting has the cloud-based security system utilizes a Uniform Resource Locator (URL) command of REDIRECT to cause the user device to switch the request from the application to the authorized application, andallowing the request if the application is authorized to access the network resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods, implemented by one or more nodes in a cloud-based security system, for enforcing application-based control of network resources include receiving a request from a user device for the network resources; evaluating the request through the cloud-based security system and determining an application on the user device performing the request; and performing one of (1) denying the request if the application is unauthorized to access the network resources, (2) redirecting the request to an authorized application on the user device if the application is legitimate but unauthorized to access the network resources, and (3) allowing the request if the application is authorized to access the network resources.

50 Citations

View as Search Results

18 Claims

1. A method, implemented by one or more nodes in a cloud-based security system, for enforcing application-based control of network resources, the method comprising:
- receiving a request from a user device for the network resources, wherein the user device is connected to the cloud-based system through a tunnel such that all network traffic is forward thereto, prior to the network resources for inline monitoring;
  
  evaluating the request through the cloud-based security system based on a tunnel protocol of the tunnel and determining an application on the user device performing the request; and
  
  performing, at the one or more nodes in the cloud-based security system external and independent from the user device, one ofdenying the request if the application is unauthorized to access the network resources,redirecting the request to an authorized application on the user device via the tunnel protocol if the application is legitimate but unauthorized to access the network resources, wherein the redirecting has the cloud-based security system utilizes a Uniform Resource Locator (URL) command of REDIRECT to cause the user device to switch the request from the application to the authorized application, andallowing the request if the application is authorized to access the network resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the network resources are in an enterprise network, the user device is a mobile device, the mobile device is configured to communicate with the enterprise network through the cloud-based security system,wherein the enterprise network and the mobile device are both located external to the cloud-based security system, and the enterprise network and the mobile device are both located external to one another.
  - 3. The method of claim 1, wherein the network resources are connected to the cloud-based security system through a tunnel, and wherein the evaluating is based on a tunnel protocol used.
  - 4. The method of claim 1, wherein the redirecting comprisescausing the authorized application to intercept a redirect request,causing a tunnel between the user device and a network associated with the network resources, andenabling exchange of the network resources to the authorized application via the tunnel.
  - 5. The method of claim 1, further comprising:
    - receiving a list of whitelist and blacklist applications for determining the application, wherein the list is associated with the network resources.
  - 6. The method of claim 1, further comprising:
    - responsive to the denying, providing a notification to the end user through a mobile Operating System notification cloud.
  - 7. The method of claim 1, wherein the application comprises an email client and the network resources comprise email on a corporate network.
  - 8. The method of claim 1, wherein the application comprises a Web browser and the network resources comprise data files or content on a corporate network.

9. A node in a cloud-based security system configured to enforce application-based control of network resources, the node comprising:
- a network interface, a data store, and a processor communicatively coupled to one another; and
  
  memory storing computer executable instructions, and in response to execution by the processor, the computer-executable instructions cause the processor toreceive a request from a user device for the network resources, wherein the user device is connected to the cloud-based system through a tunnel such that all network traffic is forward thereto, prior to the network resources for inline monitoring,evaluate the request through the cloud-based security system based on a tunnel protocol of the tunnel and determine an application on the user device performing the request, andperform, in the node in the cloud-based security system external and independent from the user device, one ofdeny the request if the application is unauthorized to access the network resources,redirect the request to an authorized application on the user device via the tunnel protocol if the application is legitimate but unauthorized to access the network resources, wherein, for the redirect, the node in the cloud-based security system utilizes a Uniform Resource Locator (URL) command of REDIRECT to cause the user device to switch the request from the application to the authorized application, andallow the request if the application is authorized to access the network resources.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The node of claim 9, wherein the network resources are in an enterprise network, the user device is a mobile device, the mobile device is configured to communicate with the enterprise network through the cloud-based security system,wherein the enterprise network and the mobile device are both located external to the cloud-based security system, and the enterprise network and the mobile device are both located external to one another.
  - 11. The node of claim 9, wherein the network resources are connected to the cloud-based security system through a tunnel, and wherein the evaluating is based on a tunnel protocol used.
  - 12. The node of claim 9, wherein, to redirect, the computer-executable instructions cause the processor tocause the authorized application to intercept a redirect request,cause a tunnel between the user device and a network associated with the network resources, andenable exchange of the network resources to the authorized application via the tunnel.
  - 13. The node of claim 9, wherein the computer-executable instructions further cause the processor toreceive a list of whitelist and blacklist applications for determining the application, wherein the list is associated with the network resources.
  - 14. The node of claim 9, wherein the computer-executable instructions further cause the processor toresponsive to the denying, provide a notification to the end user through a mobile Operating System notification cloud.
  - 15. The node of claim 9, wherein the application comprises an email client and the network resources comprise email on a corporate network.
  - 16. The node of claim 9, wherein the application comprises a Web browser and the network resources comprise data files or content on a corporate network.

17. A user device configured to access a cloud-based security system which performs application-based control of network resources, the node comprising:
- a network interface, a data store, and a processor communicatively coupled to one another; and
  
  memory storing computer executable instructions, and in response to execution by the processor, the computer-executable instructions cause the processor toprovide a request the network resources through an application, wherein the user device is connected to the cloud-based system through a tunnel such that all network traffic is forward thereto, for inline monitoring,responsive to evaluation of the request through the cloud-based security system based on a tunnel protocol of the tunnel, perform one ofreceive a denial of the request if the application is unauthorized to access the network resources, wherein the request is denied and blocked in the cloud-based security system external and independent from the user device,cause redirection of the request to an authorized application by the cloud-based security system via the tunnel protocol if the application is legitimate but unauthorized to access the network resources, wherein the request redirected in the cloud-based security system external and independent from the user device such that the cloud-based security system utilizes a Uniform Resource Locator (URL) command of REDIRECT to cause the user device to switch the request from the application to the authorized application, andreceive a response to the request if the application is authorized to access the network resources, wherein the request is allowed in the cloud-based security system external and independent from the user device.
- View Dependent Claims (18)
- - 18. The user device of claim 17, wherein the network resources are in an enterprise network, the user device is a mobile device, the mobile device is configured to communicate with the enterprise network through the cloud-based security system,wherein the enterprise network and the mobile device are both located external to the cloud-based security system, and the enterprise network and the mobile device are both located external to one another.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Desai, Purvi, Bansal, Abhinav
Primary Examiner(s)
Brown, Christopher J

Application Number

US15/009,966
Publication Number

US 20170223024A1
Time in Patent Office

921 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/101   Access control lists [ACL]

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/563   Data redirection of data ne...

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

Client application based access control in cloud security systems for mobile devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Client application based access control in cloud security systems for mobile devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links