Systems and methods for secure resource access and network communication

US 10,243,953 B2
Filed: 05/20/2014
Issued: 03/26/2019
Est. Priority Date: 05/20/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving on a client device first credentials from a user and authenticating the user with an enterprise network based on the credentials through a first application on the client device, wherein the first application comprises a secure web browser executing on the client device;

creating a secure communication channel between the first application and the enterprise network based on the authentication by;

sending a connection request to a remote server from which the remote server can obtain a first transient network address from the client device,receiving a second transient network address from the remote server in response to the connection request, the second transient network address being an address of a connection point on the enterprise network, andcreating the secure communication channel to the connection point using the second transient network address, wherein the first application is configured to communicate over the secure communication channel;

receiving at the client device an indication that the user has been authenticated by a second, different application external to the enterprise network and configured for access through the first application, wherein second credentials generated based on the authentication of the user with the enterprise network are provided via the enterprise network, in a manner transparent to the user, to the second application for the authentication by the second application;

communicating with the second application by the first application over the secure communication channel;

storing received information from the second application in an encrypted repository on the client device;

receiving by the first application a plurality of policies, each policy comprising a respective resource and a respective permission for a respective action that can be performed by a user of the client device;

receiving by the first application a request to open a resource;

determining by the first application that one of the policies prohibits access by the resource to the encrypted repository and, based thereon, selecting a different third application to open the resource that does not have access to the encrypted repository; and

causing the third application to open the resource.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for secure resource access and network communication are provided. A plurality of policies are received on a client device, each policy comprising a respective resource and a respective permission for a respective action that can be performed by a user of the client device in regards to the resource. A first application, which is configured to store data in an encrypted repository on the client device, receives a request to open a resource. The first application determines that one of the policies prohibits access by the resource to the encrypted repository and, based thereon, selects a different second application to open the resource that does not have access to the encrypted repository. The second application then opens the resource.

39 Citations

View as Search Results

12 Claims

1. A computer-implemented method comprising:
- receiving on a client device first credentials from a user and authenticating the user with an enterprise network based on the credentials through a first application on the client device, wherein the first application comprises a secure web browser executing on the client device;
  
  creating a secure communication channel between the first application and the enterprise network based on the authentication by;
  
  sending a connection request to a remote server from which the remote server can obtain a first transient network address from the client device,receiving a second transient network address from the remote server in response to the connection request, the second transient network address being an address of a connection point on the enterprise network, andcreating the secure communication channel to the connection point using the second transient network address, wherein the first application is configured to communicate over the secure communication channel;
  
  receiving at the client device an indication that the user has been authenticated by a second, different application external to the enterprise network and configured for access through the first application, wherein second credentials generated based on the authentication of the user with the enterprise network are provided via the enterprise network, in a manner transparent to the user, to the second application for the authentication by the second application;
  
  communicating with the second application by the first application over the secure communication channel;
  
  storing received information from the second application in an encrypted repository on the client device;
  
  receiving by the first application a plurality of policies, each policy comprising a respective resource and a respective permission for a respective action that can be performed by a user of the client device;
  
  receiving by the first application a request to open a resource;
  
  determining by the first application that one of the policies prohibits access by the resource to the encrypted repository and, based thereon, selecting a different third application to open the resource that does not have access to the encrypted repository; and
  
  causing the third application to open the resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising using the credentials to decrypt an encryption key of the repository.
  - 3. The method of claim 1 wherein creating the secure communication channel comprises:
    - sending a connection request to a remote server wherein the remote server is configured to create the secure communication channel between the first application and a connection point in the enterprise network through the remote server; and
      
      receiving an acknowledgement from the remote server that the secure communication channel is established.
  - 4. The method of claim 1 wherein the first application is authenticated using an authentication provider and the second application is configured to trust the authentication provider.
  - 5. The method of claim 1, further comprising:
    - receiving a plurality of policies, wherein each policy comprises a respective resource and a respective permission for a respective action that can be performed by the user;
      
      selecting one or more of the policies that pertain to the second application; and
      
      configuring the first application to enforce the selected policies when the user accesses the second application through the first application.
  - 6. The method of claim 5 wherein a particular policy determines whether the user can view the resource, save data from the resource outside of encrypted repository, save the data from the resource within the encrypted repository, copy and paste a portion of data from the resource, print the resource, capture a screen shot of the resource, edit the resource, or send a particular protocol-level request.

7. A system comprising:
- one or more computers programmed to perform operations comprising;
  
  receiving on a client device first credentials from a user and authenticating the user with an enterprise network based on the credentials through a first application on the client device, wherein the first application comprises a secure web browser executing on the client device;
  
  creating a secure communication channel between the first application and the enterprise network based on the authentication by;
  
  sending a connection request to a remote server from which the remote server can obtain a first transient network address from the client device,receiving a second transient network address from the remote server in response to the connection request, the second transient network address being an address of a connection point on the enterprise network, andcreating the secure communication channel to the connection point using the second transient network address, wherein the first application is configured to communicate over the secure communication channel;
  
  receiving at the client device an indication that the user has been authenticated by a second, different application external to the enterprise network and configured for access through the first application, wherein second credentials generated based on the authentication of the user with the enterprise network are provided via the enterprise network, in a manner transparent to the user, to the second application for the authentication by the second application;
  
  communicating with the second application by the first application over the secure communication channel;
  
  storing received information from the second application in an encrypted repository on the client device;
  
  receiving by the first application a plurality of policies, each policy comprising a respective resource and a respective permission for a respective action that can be performed by a user of the client device;
  
  receiving by the first application a request to open a resource;
  
  determining by the first application that one of the policies prohibits access by the resource to the encrypted repository and, based thereon, selecting a different third application to open the resource that does not have access to the encrypted repository; and
  
  causing the third application to open the resource.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the operations further comprise using the credentials to decrypt an encryption key of the repository.
  - 9. The system of claim 7 wherein creating the secure communication channel comprises:
    - sending a connection request to a remote server wherein the remote server is configured to create the secure communication channel between the first application and a connection point in the enterprise network through the remote server; and
      
      receiving an acknowledgement from the remote server that the secure communication channel is established.
  - 10. The system of claim 7, wherein the first application is authenticated using an authentication provider and the second application is configured to trust the authentication provider.
  - 11. The system of claim 7, wherein the operations further comprise:
    - receiving a plurality of policies, wherein each policy comprises a respective resource and a respective permission for a respective action that can be performed by the user;
      
      selecting one or more of the policies that pertain to the second application; and
      
      configuring the first application to enforce the selected policies when the user accesses the second application through the first application.
  - 12. The system of claim 11 wherein a particular policy determines whether the user can view the resource, save data from the resource outside of encrypted repository, save the data from the resource within the encrypted repository, copy and paste a portion of data from the resource, print the resource, capture a screen shot of the resource, edit the resource, or send a particular protocol-level request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Box Incorporated
Original Assignee
Box Incorporated
Inventors
Kus, Benjamin J., Spiegel, Jeremy S., Fan, Jonathan S., Loer, Peter B.
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Le, Thanh T

Application Number

US14/282,616
Publication Number

US 20160119342A1
Time in Patent Office

1,771 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

Systems and methods for secure resource access and network communication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secure resource access and network communication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links