System and method for secure, policy-based access control for mobile computing devices
First Claim
1. A system for hiding the adjudication for authorizing a client access request to a secure computing device resource, the system having hidden secure policy instructions, a hidden secure adjudication process and hidden secure condition and parameters for hidden permitted operations on the requested secure computing resource device, the system comprising:
- a hardened and hidden policy decision server having a secure persistent memory for storing hierarchical sets of policy instructions and parameters, and having a processor for applying at least one set of the hierarchical sets of policy instructions and parameters to the client access request and computing an adjudicated decision of authorized access or denial of access based on hidden permitted operations on the requested secure computing device resource;
- an encrypted back-channel for communicating the client access request to the policy decision server and for hiding the policy instructions, the adjudication process, and the conditions and parameters utilized by the processor in adjudicating the client access requests from the requesting client;
- an agent, hidden from the requesting client and coupled to the policy decision server by the encrypted back-channel for transmitting client access requests, including additional parameters needed to access the secure computing device resource as required by the policy instructions, to the policy decision server; and
- a policy enforcement server coupled to the agent for receiving adjudicated decisions from the policy decision server, secure computing device resource and having an intercepting server for intercepting client access requests, said policy enforcement server being coupled to the agent for transmitting the access requests thereto, and for receiving and transmitting policy decisions to the agent and for enforcing the adjudicated decision received from the agent.
Abstract
Systems and methods for secure, policy-based access control and management of mobile computing devices, including policy decision enforcement mechanisms, device and private network presence testing, aspects of file system controls, policy set sanity checking algorithms, and performance optimizations.
44 Citations
9 Claims
6. A method for hiding the adjudication of client access to a secure computing device resource, having secure policy instructions for permitted operations on the requested resource, comprising the steps of:
- securely intercepting a client access request to access the computing device resource to which the client has no access and transmitting the client access request to an agent;
- transmitting the intercepted client access request to a policy decision server via an encrypted back-channel from the agent to a persistent memory;
- transmitting policy instructions and parameters from the persistent memory to the policy-decision server via the encrypted back-channel;
- transmitting a request for additional parameters as required by the policy instructions from the policy decision server to the agent via the encrypted back-channel;
- transmitting the additional parameters needed to access the requested resource required by the policy instructions from the agent to the policy decision server via the encrypted back-channel;
- adjudicating the client access request at the policy decision server using the policy instructions for permitted operations on the requested resource;
- transmitting to the agent via the encrypted back-channel the adjudicated decision to allow or deny access by the client to the requested resource;
- enforcing the adjudicated decision received from the agent; and
- transmitting the adjudicated decision to the requesting client via the agent.
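The message flow recited in claim 6 can be modelled in a few lines. The following is an added illustration, not code from the patent or its assignee: the class names, the policy format, the sample values and the "most specific set first" resolution of the hierarchical policy sets are all assumptions, and the encrypted back-channel is represented by in-process calls.

```python
# Added illustration: names, policy format and sample values are constructed.
# The encrypted back-channel is modelled as in-process calls between Agent and
# PolicyDecisionServer; no cryptography is shown.
DEVICE_POLICY = {"camera": {"location": {"office"}, "network": {"corp-wifi"}}}
GLOBAL_POLICY = {"camera": {"location": {"office"}},
                 "contacts": {"location": {"office", "home"}}}

class PolicyDecisionServer:
    """Holds the policy sets; only parameter names and allow/deny leave it."""
    def __init__(self, policy_sets):
        self._sets = policy_sets  # assumed order: most specific set first

    def _rule(self, resource):
        return next((s[resource] for s in self._sets if resource in s), None)

    def required_parameters(self, resource):
        return sorted(self._rule(resource) or {})

    def adjudicate(self, resource, params):
        rule = self._rule(resource)
        if rule is None:
            return False  # no applicable policy: deny
        return all(params.get(name) in ok for name, ok in rule.items())

class Agent:
    """Supplies the additional parameters the decision server asks for."""
    def __init__(self, pds, device_context):
        self._pds, self._context = pds, device_context

    def decide(self, resource):
        needed = self._pds.required_parameters(resource)
        params = {name: self._context.get(name) for name in needed}
        return self._pds.adjudicate(resource, params)

class PolicyEnforcementServer:
    """Intercepts client requests and enforces the agent's answer."""
    def __init__(self, agent):
        self._agent = agent

    def handle(self, resource):
        allowed = self._agent.decide(resource)
        # The client sees the outcome only, never the rule that produced it.
        return {"resource": resource, "decision": "allow" if allowed else "deny"}

def build(device_context):
    pds = PolicyDecisionServer([DEVICE_POLICY, GLOBAL_POLICY])
    return PolicyEnforcementServer(Agent(pds, device_context))
```

In this model a request for `camera` from a device on a guest network is denied by the device-level set even though the global set alone would allow it, and the reply to the client carries no trace of which parameter failed.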
Specification