Policy-based dynamic information flow control on mobile devices

US 20130290709A1
Filed: 04/26/2012
Published: 10/31/2013
Est. Priority Date: 04/26/2012
Status: Active Grant

First Claim

Patent Images

1-8. -8. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are provided for securing data on a mobile device that supports both enterprise and personal applications. According to the method, information flows and data accesses are tracked on the device at run-time to enable access control decisions to be performed based on a policy, such as an enterprise privacy policy that has been distributed to the device from an enterprise server. The policy may be updated by events at the device as well as at the enterprise server.

134 Citations

25 Claims

1-8. -8. (canceled)

9. Apparatus associated with a mobile device that is configured to execute both enterprise applications and personal applications, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method to enforce an enterprise policy, the method comprising;
  
  receiving and storing an enterprise policy;
  
  responsive to an application seeking access to enterprise data stored in the mobile device, retrieving the policy;
  
  determining whether a context identified in the policy is satisfied;
  
  if the context identified in the policy is satisfied, enabling the application to access the enterprise data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus as described in claim 9 wherein the method further includes:
    - receiving and storing a key; and
      
      using the key to encrypt the enterprise data.
  - 11. The apparatus as described in claim 10 wherein the method further includes:
    - if the context identified in the policy is satisfied, applying the key to decrypt the enterprise data; and
      
      providing the enterprise data to the application.
  - 12. The apparatus as described in claim 9 wherein the method further includes updating the enterprise policy.
  - 13. The apparatus as described in claim 12 wherein the enterprise policy is updated upon a trigger event at one of:
    - the mobile device, and an enterprise server.
  - 14. The apparatus as described in claim 12 wherein the updating step includes executing an integrity check at the mobile device prior to permitting update to the enterprise policy.
  - 15. The apparatus as described in claim 9 wherein the enterprise policy is one of:
    - a static policy that defines an attribute that must be verified before permitting the application to access the enterprise data, and a dynamic policy that defines a run-time behavior that must be satisfied before permitting the application to access the enterprise data.
  - 16. The apparatus as described in claim 9 wherein the enterprise policy is a security policy that defines a run-time behavior when multiple applications execute concurrently on the mobile device, at least one of the multiple applications being an enterprise application.

17. A computer program product in a computer readable medium for use in a mobile device data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method to enforce an enterprise policy on the mobile device, the mobile device configured to execute both enterprise applications and personal applications, the method comprising:
- receiving and storing an enterprise policy;
  
  responsive to an application seeking access to enterprise data stored in the mobile device, retrieving the policy;
  
  determining whether a context identified in the policy is satisfied;
  
  if the context identified in the policy is satisfied, enabling the application to access the enterprise data.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product as described in claim 17 wherein the method further includes:
    - receiving and storing a key; and
      
      using the key to encrypt the enterprise data.
  - 19. The computer program product as described in claim 18 wherein the method further includes:
    - if the context identified in the policy is satisfied, applying the key to decrypt the enterprise data; and
      
      providing the enterprise data to the application.
  - 20. The computer program product as described in claim 17 wherein the method further includes updating the enterprise policy.
  - 21. The computer program product as described in claim 20 wherein the enterprise policy is updated upon a trigger event at one of:
    - the mobile device, and an enterprise server.
  - 22. The computer program product as described in claim 20 wherein the updating step includes executing an integrity check at the mobile device prior to permitting update to the enterprise policy.
  - 23. The computer program product as described in claim 17 wherein the enterprise policy is one of:
    - a static policy that defines an attribute that must be verified before permitting the application to access the enterprise data, and a dynamic policy that defines a run-time behavior that must be satisfied before permitting the application to access the enterprise data.
  - 24. The computer program product as described in claim 17 wherein the enterprise policy is a security policy that defines a run-time behavior when multiple applications execute concurrently on the mobile device, at least one of the multiple applications being an enterprise application.

25. A mobile device, comprising:
- a hardware processor;
  
  one or more data stores in which are stored;
  
  an enterprise security policy, an enterprise application, and a personal application; and
  
  a trusted platform module executed by the hardware processor to provide run-time enforcement of the enterprise policy to restrict use of enterprise data except by the enterprise application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Muppidi, Sridhar R., Mukherjea, Sougata, Kapoor, Shalini, Kodeswaran, Palanivel Andiappan, Nandakumar, Vikrant

Granted Patent

US 9,253,209 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/20 for managing network securi...

H04W 12/086 using security domains

Policy-based dynamic information flow control on mobile devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

134 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Policy-based dynamic information flow control on mobile devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others