CONTROLLING MOBILE DEVICE ACCESS TO SECURE DATA

US 20140108793A1
Filed: 09/27/2013
Published: 04/17/2014
Est. Priority Date: 10/16/2012
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

intercepting, by a mobile device, a read or write operation from a managed application executing on the mobile device;

accessing, based on the read or write operation, a secure container that is a logical interface into which read or write operations are redirected and in which data is in an encrypted form;

determining to perform a selective wipe of data associated with the managed application;

deleting encrypted data from the secure container; and

transmitting a selective wipe acknowledgement to an access gateway, wherein the acknowledgement includes a listing of secure containers that included data that was deleted during the selective wipe.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various aspects of the disclosure relate to providing secure containers or data vaults for data of one or more managed applications. In some embodiments, each managed application may be assigned its own private data vault and/or may be assigned a shared data vault that is accessible to at least one other managed application. As the managed application executes, calls for access to the data may be intercepted and redirected to the secure containers. Data stored in a secure container may be encrypted according to a policy. Other aspects relate to deleting data from a secure container, such as via a selective wipe of data associated with a managed application. Further aspects relate to configuring and creating the secure containers, retrieving key information required to encrypt/decrypt the data stored in the secure containers, and publishing the managed applications, policy information and key information for download to a mobile device.

Citations

20 Claims

1. A method, comprising:
- intercepting, by a mobile device, a read or write operation from a managed application executing on the mobile device;
  
  accessing, based on the read or write operation, a secure container that is a logical interface into which read or write operations are redirected and in which data is in an encrypted form;
  
  determining to perform a selective wipe of data associated with the managed application;
  
  deleting encrypted data from the secure container; and
  
  transmitting a selective wipe acknowledgement to an access gateway, wherein the acknowledgement includes a listing of secure containers that included data that was deleted during the selective wipe.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the secure container includes a file system and access manager different from an unsecured location of the mobile device and wherein accessing the secure container is managed by a client agent installed on the mobile device.
  - 3. The method of claim 1, wherein the secure container is a private data vault that is accessible to only the managed application.
  - 4. The method of claim 1, wherein the secure container is a shared data vault that is accessible only to the managed application and one or more other managed applications.
  - 5. The method of claim 1, wherein the read or write operation includes a read operation of particular data, and the method further comprises:
    - retrieving an encrypted form of the particular data from the secure container based on a file system and access manager of the secure container;
      
      decrypting the encrypted form of the particular data, resulting in a decrypted form of the particular data, wherein said decrypting uses a key received via the access gateway through which a resource required by the managed application is accessible; and
      
      providing the decrypted form of the particular data to the managed application.
  - 6. The method of claim 1, wherein the read or write operation includes a write operation of particular data, and the method further comprises:
    - encrypting the particular data, resulting in an encrypted form of the particular data, wherein said encrypting uses a key received via the access gateway through which a resource required by the managed application is accessible; and
      
      providing the encrypted form of the particular data for storage to the secure container, said storage being based on a file system and access manager of the secure container.
  - 7. The method of claim 1, further comprising monitoring operating conditions of the mobile device, and wherein determining to perform the selective wipe is based on the operating conditions violating a policy received by the mobile device via the access gateway through which a resource required by the managed application is accessible.
  - 8. The method of claim 1, further comprising:
    - configuring the secure container based on a policy received by the mobile device via the access gateway through which a resource required by the managed application is accessible; and
      
      configuring a policy-aware interception layer to perform said intercepting of the read or write operation.
  - 9. The method of claim 1, wherein the secure container is located remotely from the mobile device, and wherein accessing the secure container includes transmitting the read or write operations via an application-specific virtual private network (VPN) tunnel.
  - 10. The method of claim 1, wherein the managed application includes a virtualized application, and the encrypted data includes data generated or used by the virtualized application.

11. An apparatus, comprising:
- at least one processor; and
  
  memory storing executable instructions configured to, when executed by the at least one processor, cause the apparatus to;
  
  intercept a read or write operation from a managed application executing on the apparatus;
  
  access, based on the read or write operation, a secure container that is a logical interface into which read or write operations are redirected and in which data is in an encrypted form;
  
  determine to perform a selective wipe of data associated with the managed application;
  
  delete encrypted data from the secure container; and
  
  transmit a selective wipe acknowledgement to an access gateway, wherein the acknowledgement includes a listing of secure containers that included data that was deleted during the selective wipe.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein the secure container includes a file system and access manager different from an unsecured location of the apparatus and wherein accessing the secure container is managed by a client agent installed on the apparatus.
  - 13. The apparatus of claim 11, wherein the secure container is a private data vault that is accessible to only the managed application or is a shared data vault that is accessible only to the managed application and one or more other managed applications.
  - 14. The apparatus of claim 11, wherein the read or write operation includes a read operation of particular data, and wherein the executable instructions are configured to, when executed by the at least one processor, further cause the apparatus to:
    - retrieve an encrypted form of the particular data from the secure container based on a file system and access manager of the secure container;
      
      decrypt the encrypted form of the particular data, resulting in a decrypted form of the particular data, wherein said decrypting uses a key received via the access gateway through which a resource required by the managed application is accessible; and
      
      provide the decrypted form of the particular data to the managed application.
  - 15. The apparatus of claim 11, wherein the read or write operation includes a write operation of particular data, and wherein the executable instructions are configured to, when executed by the at least one processor, further cause the apparatus to:
    - encrypt the particular data, resulting in an encrypted form of the particular data, wherein said encrypting uses a key received via the access gateway through which a resource required by the managed application is accessible; and
      
      provide the encrypted form of the particular data for storage to the secure container, said storage being based on a file system and access manager of the secure container.
  - 16. The apparatus of claim 11, wherein the executable instructions are configured to, when executed by the at least one processor, further cause the apparatus to:
    - configure the secure container based on a policy received by the apparatus via the access gateway through which a resource required by the managed application is accessible; and
      
      configure a policy-aware interception layer to perform said intercepting of the read or write operation; and
      
      monitor operating conditions of the apparatus;
      
      wherein determining to perform the selective wipe is based on the operating conditions violating the policy received.

17. One or more non-transitory computer-readable media storing instructions configured to, when executed, cause at least one computing device to:
- intercept a read or write operation from a managed application executing on the at least one computing device;
  
  access, based on the read or write operation, a secure container that is a logical interface into which read or write operations are redirected and in which data is in an encrypted form;
  
  determine to perform a selective wipe of data associated with the managed application;
  
  delete encrypted data from the secure container; and
  
  transmit a selective wipe acknowledgement to an access gateway, wherein the acknowledgement includes a listing of secure containers that included data that was deleted during the selective wipe.
- View Dependent Claims (18, 19, 20)
- - 18. The one or more non-transitory computer-readable media of claim 17, wherein the instructions are configured to, when executed, further cause said at least one computing device to monitor operating conditions of the at least one computing device;
    - andwherein determining to perform the selective wipe is based on the operating conditions violating a policy received by the at least one computing device via the access gateway through which a resource required by the managed application is accessible.
  - 19. The one or more non-transitory computer-readable media of claim 17, wherein the instructions are configured to, when executed, further cause said at least one computing device to:
    - configure the secure container based on a policy received by the at least one computing device via the access gateway through which a resource required by the managed application is accessible; and
      
      configure a policy-aware interception layer to perform said intercepting of the read or write operation.
  - 20. The one or more non-transitory computer-readable media of claim 17, wherein the read or write operation includes a read operation of particular data, and wherein the instructions are configured to, when executed, further cause said at least one computing device to:
    - retrieve an encrypted form of the particular data from the secure container based on a file system and access manager of the secure container;
      
      decrypt the encrypted form of the particular data, resulting in a decrypted form of the particular data, wherein said decrypting uses a key received via the access gateway through which a resource required by the managed application is accessible; and
      
      provide the decrypted form of the particular data to the managed application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Barton, Gary, Lang, Zhongmin, Desai, Nitin, Walker, James Robert

Application Number

US14/039,632
Publication Number

US 20140108793A1
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/88   Detecting or preventing the...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/0428   wherein the data content is...

H04L 67/10   in which an application is ...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

H04W 12/63   Location-dependent; Proximi...

CONTROLLING MOBILE DEVICE ACCESS TO SECURE DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONTROLLING MOBILE DEVICE ACCESS TO SECURE DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links