SECURE MOBILE FRAMEWORK

US 20130263212A1
Filed: 04/01/2013
Published: 10/03/2013
Est. Priority Date: 03/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a gateway associated with an enterprise, an authentication request from a remote device to access a service provided by the enterprise, wherein the request originates from an enterprise managed application running on the remote device;

generating a framework authentication token and a security policy based on the service provided by the enterprise that the remote device is requesting to access;

transmitting the framework authentication token and the security policy to the remote device, wherein the remote device ensures compliance with the security policy before generating a connection request to connect to the service; and

receiving, from the remote device, the connection request based on the framework authentication token and the security policy, wherein a service authenticator determines if the remote device is authorized to access the service.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for a secure mobile framework to securely connect applications running on mobile devices to services within an enterprise are provided. Various embodiments provide mechanisms of securitizing data and communication between mobile devices and end point services accessed from a gateway of responsible authorization, authentication, anomaly detection, fraud detection, and policy management. Some embodiments provide for the integration of server and client side security mechanisms, binding of a user/application/device to an endpoint service along with multiple encryption mechanisms. For example, the secure mobile framework provides a secure container on the mobile device, secure files, a virtual file system partition, a multiple level authentication approach (e.g., to access a secure container on the mobile device and to access enterprise services), and a server side fraud detection system.

119 Citations

25 Claims

1. A method comprising:
- receiving, at a gateway associated with an enterprise, an authentication request from a remote device to access a service provided by the enterprise, wherein the request originates from an enterprise managed application running on the remote device;
  
  generating a framework authentication token and a security policy based on the service provided by the enterprise that the remote device is requesting to access;
  
  transmitting the framework authentication token and the security policy to the remote device, wherein the remote device ensures compliance with the security policy before generating a connection request to connect to the service; and
  
  receiving, from the remote device, the connection request based on the framework authentication token and the security policy, wherein a service authenticator determines if the remote device is authorized to access the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising generating a user binding token based on a user identifier and an application identifier.
  - 3. The method of claim 2, wherein generating the framework authentication token includes binding the enterprise authentication token, the user binding token, and a framework authentication token expiration date.
  - 4. The method of claim 3, further comprising digitally signing the framework authentication token.
  - 5. The method of claim 1, further comprising:
    - performing an operating system integrity check to determine if an expected operating system integrity is present; and
      
      denying the remote device access to the gateway if the expected operating system integrity is not present.
  - 6. The method of claim 1, wherein the remote device includes a secure container for storing data related to the service and the security policy provides a set of requirements indicating access controls for the application and secure container.
  - 7. The method of claim 6, wherein the framework authentication token is stored in the secure container.
  - 8. The method of claim 6, wherein access to the secure container is dependent on successful validation of a user credential and a successful operating system integrity check.
  - 9. The method of claim 1, wherein the security policy identifies a password structure and a password duration based on the service.
  - 10. The method of claim 1, further comprising:
    - monitoring interactions between the enterprise managed application and the service; and
      
      generating, upon violation of one or more fraud policies, an elevated authentication request or a termination of access to the gateway and the service.
  - 11. The method of claim 1, wherein the service includes an e-mail service, a trading service, a payment processing service, a customer relationship management service, an inventory system service, a business intelligence service, a healthcare service, a student information service, or a reservation service.
  - 12. The method of claim 1, wherein the service includes a secure service or a service containing sensitive information.

13. A system comprising:
- a gateway configured to provide remote devices access to services of an enterprise, wherein the remote devices have stored thereon one or more applications managed by the enterprise;
  
  an authenticator, accessible by the gateway, configured to determine if a user is authorized to access the enterprise and to construct policies regarding the management of the one or more applications;
  
  a token generator, accessible by the gateway, configured to generate one or more tokens for creating secure connections between the one or more applications managed by the enterprise and the services; and
  
  a communications module configured to communicate the policies to the remote devices.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, further comprising a discovery service configured to determine which of the services of the enterprise to connect with the one or more applications.
  - 15. The system of claim 14, wherein the discovery service selects which of the services to connect with the one or more applications is based on the user and a set of associated privileges.
  - 16. The system of claim 13, wherein the token generator generates an enterprise authentication token, a user binding token, and a framework authentication token.
  - 17. The system of claim 16, wherein framework authentication token includes the enterprise authentication token, the user binding token, and a framework authentication token expiration date.
  - 18. The system of claim 16, wherein the user binding token is generated based on a user identifier, a device identifier, device type identifier, and an application family identifier.
  - 19. The system of claim 13, further comprising an anomaly detector configured to monitor activity between the remote devices and the services and generate an anomaly indicator, and wherein the anomaly detector further determines a reaction to the anomaly indicator.
  - 20. The system of claim 13, wherein the gateway includes multiple levels each of which provides isolated authentication protocols and activity logging.

21. A method comprising:
- receiving, at a gateway, a request from an initiating device to establish a service connection between an enterprise managed application running on the initiating device and an enterprise service, wherein the request includes authentication credentials associated with an end-user;
  
  generating a framework authentication token;
  
  transmitting the framework authentication token to the initiating device, wherein upon receipt the initiating device initiates a service connection request based on the authentication token; and
  
  creating a secure connection between the enterprise service and the initiating device upon successful validation of the service connection request.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, wherein any data transmitted to the initiating device is stored within a secure container only accessible by the enterprise managed application.
  - 23. The method of claim 21, further comprising gathering information about the initiating device and the enterprise managed application.
  - 24. The method of claim 21, further comprising determining a policy that the initiating device should enact in managing the enterprise managed application.
  - 25. The method of claim 24, wherein the secure connection will not be created if the enterprise cannot verify the initiating device is enacting the policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Synchronoss Technologies Incorporated
Original Assignee
Goldman Sachs & Company (Goldman Sachs Group Incorporated)
Inventors
Faltyn, Daniel, Smith, Andrew J.R.

Granted Patent

US 9,565,212 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

SECURE MOBILE FRAMEWORK

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE MOBILE FRAMEWORK

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links