SECURE CONTAINER FOR PROTECTING ENTERPRISE DATA ON A MOBILE DEVICE

US 20140006347A1
Filed: 10/10/2012
Published: 01/02/2014
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A mobile device comprising computer-readable storage and at least one processor configured to execute computer-executable code stored on the computer-readable storage, said mobile device comprising:

a file system comprising a first portion of the computer-readable storage of the mobile device, the file system configured to store enterprise data including an enterprise document;

a second portion of the computer-readable storage configured to store private data associated with activity of a user of the mobile device that is outside of a role of the user in an enterprise, the second portion being logically separated from the file system; and

an access manager implemented by computer-executable code stored on the computer-readable storage of the mobile device, the access manager configured to store the enterprise document on the file system such that the enterprise document is logically separated from the private data, and to limit access of a software application installed on the mobile device to the enterprise document based on one or more document access policies associated with the enterprise document such that the software application has different restrictions for accessing the enterprise document than the private data.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user'"'"'s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

Citations

26 Claims

1. A mobile device comprising computer-readable storage and at least one processor configured to execute computer-executable code stored on the computer-readable storage, said mobile device comprising:
- a file system comprising a first portion of the computer-readable storage of the mobile device, the file system configured to store enterprise data including an enterprise document;
  
  a second portion of the computer-readable storage configured to store private data associated with activity of a user of the mobile device that is outside of a role of the user in an enterprise, the second portion being logically separated from the file system; and
  
  an access manager implemented by computer-executable code stored on the computer-readable storage of the mobile device, the access manager configured to store the enterprise document on the file system such that the enterprise document is logically separated from the private data, and to limit access of a software application installed on the mobile device to the enterprise document based on one or more document access policies associated with the enterprise document such that the software application has different restrictions for accessing the enterprise document than the private data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The mobile device of claim 1, wherein the access manager is configured to enable the enterprise to remotely initiate deletion of at least a portion of the enterprise data stored on the file system, without modifying the private data stored on the second portion of computer-readable storage.
  - 3. The mobile device of claim 1, wherein the access manager is configured to determine whether to store enterprise documents received from an enterprise computing system on the file system based on a mode of communication between the mobile device and the enterprise computing system.
  - 4. The mobile device of claim 3, wherein the access manager is configured to store the received enterprise documents on the file system when the enterprise documents are transmitted to the mobile device via an application tunnel through a tunneling mediator of the enterprise computing system.
  - 5. The mobile device of claim 1, wherein the access manager is configured to prevent, based on the one or more access policies, the software application from at least one of:
    - copying data from the enterprise document;
      
      saving the enterprise document on the mobile device outside of the file system;
      
      orattaching the enterprise document to a communication sent from the mobile device to another computing device.
  - 6. The mobile device of claim 1, wherein the one or more document access policies limit access to the enterprise document in the file system based on access credentials provided by at least one of the user or the software application.
  - 7. The mobile device of claim 1, wherein the one or more document access policies limit access to the enterprise document in the file system based on at least one of properties of the software application or the component of the mobile device requesting access to the enterprise document.
  - 8. The mobile device of claim 1, wherein the access manager is configured to enable enterprise applications installed on the mobile device to access the enterprise document stored in the file system and to prevent non-enterprise applications from accessing the enterprise document stored in the file system.
  - 9. The mobile device of claim 1, wherein the access manager is configured to require that the enterprise document stored in the file system is encrypted.

10. A method of securing enterprise data stored on a mobile device, the method comprising:
- receiving, by the mobile device, enterprise data from an enterprise resource;
  
  storing the enterprise data in a secure document container of the mobile device such that the enterprise data is logically separated from non-enterprise data, the secure document container comprising computer-readable storage, said storing occurring automatically under control of an enterprise agent running on the mobile device; and
  
  selectively controlling access to the enterprise data stored in the secure document container of the mobile device in accordance with one or more document access policies, the one or more document access policies defining conditions for accessing the enterprise data, wherein access to the non-enterprise data is independent of the one or more document access policies.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, further comprising deleting the enterprise data in the secure document container responsive to at least one of an indication that the mobile device is compromised or an indication that a user of the device is no longer associated with the enterprise, and leaving the non-enterprise data unmodified.
  - 12. The method of claim 10, further comprising deleting the enterprise data in response to receiving an indication of one or more of an expiration of a period of time or that a location of the mobile device is outside of a geographical zone.
  - 13. The method of claim 10, wherein the conditions comprise one or more of an expiration of a period of time or a location of the mobile device being outside of a geographical zone.
  - 14. The method of claim 10, wherein the conditions comprise one or more of:
    - which application stored on the mobile device requests access to the enterprise data;
      
      which component of the mobile device requests access to the enterprise data;
      
      orinformation associated with credentials provided with a request to access the enterprise data.
  - 15. The method of claim 10, wherein the enterprise data is received from the enterprise resource via an application tunnel formed between the enterprise resource and an application running on the mobile device, said application tunnel using protocol encapsulation to send data over a network.
  - 16. The method of claim 15, wherein storing the enterprise data in the secure document container of the mobile device is at least partly responsive to detecting that the enterprise data was received by the application tunnel.
  - 17. The method of claim 10, further comprising preventing the enterprise data stored in the secure document container of the mobile device from being stored outside of the secure document container on the mobile device.

18. A non-transitory storage medium comprising instructions stored thereon executable by a mobile device to perform a process, the process comprising:
- creating, within a portion of a memory of the mobile device, a secure document container for storing enterprise data, said secure document container separate from a storage space used to store non-enterprise data;
  
  storing enterprise data received from an enterprise computing system in the secure document container of the mobile device; and
  
  restricting access to the enterprise data stored in the secure document container based on one or more rules defining conditions for allowing access to the enterprise data stored in the secure document container, wherein access to the non-enterprise data stored on the mobile device is independent of the one or more rules.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The storage medium of claim 18, wherein the process comprises causing an application running on the mobile device to communicate with an enterprise resource of the enterprise computing system via an application tunnel formed between the enterprise resource and the application running on the mobile device, said application tunnel using protocol encapsulation to send enterprise data over a network.
  - 20. The storage medium of claim 18, wherein the process further comprises deleting the enterprise data in the secure document container independent of modifications to other data stored on the mobile device outside of the secure document container, in response to at least one of detecting or receiving an indication of a condition defined in at least one of the one or more rules.
  - 21. The storage medium of claim 18, wherein the one or more rules are configured to restrict access to the enterprise data based on at least one of a geographical restriction or a temporal restriction.
  - 22. The storage medium of claim 21, wherein the process further comprises deleting at least a portion of the enterprise data from the secure document container when a specified period of time expires or the mobile device is located outside of a defined geographical area.
  - 23. The storage medium of claim 18, wherein the conditions comprise access credentials provided by a user of the mobile device being validated.
  - 24. The storage medium of claim 18, wherein the process further comprises obtaining the enterprise data from an application running in a secure virtual machine, the secure virtual machine being separate from a virtual machine of an operating system of the mobile device.
  - 25. The storage medium of claim 18, wherein the process further comprises obtaining the enterprise data via an application running in a secure browser installed on the mobile device, said secure browser configured to regulate access of the application to the secure document container.
  - 26. The storage medium of claim 18, wherein the one or more rules are configured to deny access to the enterprise data stored in the secure document container when a non-enterprise application requests access to the enterprise data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Zenprise, Inc. (Cloud Software Group)
Inventors
Qureshi, Waheed, Roach, Kelly Brian, McGinty, John M., Andre, Olivier, Abdullah, Shafaq, DeBenning, Thomas H., Datoo, Ahmed

Granted Patent

US 9,143,530 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/621
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 8/53   Decompilation; Disassembly

H04L 2209/80   Wireless

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/30   Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/64 : using geofenced areas

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

View All

SECURE CONTAINER FOR PROTECTING ENTERPRISE DATA ON A MOBILE DEVICE

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE CONTAINER FOR PROTECTING ENTERPRISE DATA ON A MOBILE DEVICE

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links