Mobile device security policy based on authorized scopes

US 20140157351A1
Filed: 12/04/2012
Published: 06/05/2014
Est. Priority Date: 12/04/2012
Status: Active Grant

First Claim

Patent Images

1. A method to enforce an enterprise security policy when a request for access to a service is initiated at a mobile device, comprising:

responsive to a user authentication that grants an authorization to the mobile device to access the service, providing a notification to the mobile device that a security policy associated with the mobile device has changed to require at least one additional security constraint;

responsive to receiving a notification from the mobile device that the additional security constraint has been met, providing an authorization token to the mobile device;

responsive to receipt of the authorization token, determining whether the authorization token is valid; and

responsive to a determination that the authorization token is valid and that the changed security policy is in force at the mobile device, permitting access to the service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique to enforce mobile device security policy is based on a “risk profile” of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account not only the actual applications installed on the device (and those actively in use), but also the services those applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied.

63 Citations

View as Search Results

24 Claims

1. A method to enforce an enterprise security policy when a request for access to a service is initiated at a mobile device, comprising:
- responsive to a user authentication that grants an authorization to the mobile device to access the service, providing a notification to the mobile device that a security policy associated with the mobile device has changed to require at least one additional security constraint;
  
  responsive to receiving a notification from the mobile device that the additional security constraint has been met, providing an authorization token to the mobile device;
  
  responsive to receipt of the authorization token, determining whether the authorization token is valid; and
  
  responsive to a determination that the authorization token is valid and that the changed security policy is in force at the mobile device, permitting access to the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the determination that the changed security policy is in force at the mobile device further includes:
    - verifying whether the user has complied with the security policy as changed to reflect the additional security constraint for this service access.
  - 3. The method as described in claim 1 wherein the determination that the changed security policy is in force at the mobile device further includes:
    - contacting a security policy agent associated with the mobile device to query whether the security policy associated with the authorization and that is bound to the authorization token has been enforced for this particular access to the service; and
      
      receiving an affirmative response to the query.
  - 4. The method as described in claim 1 further including denying access to the service if the changed security policy is not in force at the mobile device.
  - 5. The method as described in claim 4 further including revoking the authorization token.
  - 6. The method as described in claim 1 further including maintaining a mapping that associates a service and its authorization scope to a security policy requirement level that defines one or more security policy requirements for the mobile device.
  - 7. The method as described in claim 6 further including providing the mobile device with the one or more security policy requirements.

8. Apparatus to enforce an enterprise security policy when a request for access to a service is initiated at a mobile device, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method, the method comprising;
  
  responsive to a user authentication that grants an authorization to the mobile device to access the service, providing a notification to the mobile device that a security policy associated with the mobile device has changed to require at least one additional security constraint;
  
  responsive to receiving a notification from the mobile device that the additional security constraint has been met, providing an authorization token to the mobile device;
  
  responsive to receipt of the authorization token, determining whether the authorization token is valid; and
  
  responsive to a determination that the authorization token is valid and that the changed security policy is in force at the mobile device, permitting access to the service.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the determination by the method that the changed security policy is in force at the mobile device further includes:
    - verifying whether the user has complied with the security policy as changed to reflect the additional security constraint for this service access.
  - 10. The apparatus as described in claim 8 wherein the determination by the method that the changed security policy is in force at the mobile device further includes:
    - contacting a security policy agent associated with the mobile device to query whether the security policy associated with the authorization and that is bound to the authorization token has been enforced for this particular access to the service; and
      
      receiving an affirmative response to the query.
  - 11. The apparatus as described in claim 8 wherein the method further includes denying access to the service if the changed security policy is not in force at the mobile device.
  - 12. The apparatus as described in claim 11 wherein the method further includes revoking the authorization token.
  - 13. The apparatus as described in claim 8 wherein the method further includes maintaining a mapping that associates a service and its authorization scope to a security policy requirement level that defines one or more security policy requirements for the mobile device.
  - 14. The apparatus as described in claim 13 wherein the method further includes providing the mobile device with the one or more security policy requirements.

15. A computer program product in a non-transitory computer readable storage medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method to enforce an enterprise security policy when a request for access to a service is initiated at a mobile device, the method comprising:
- responsive to a user authentication that grants an authorization to the mobile device to access the service, providing a notification to the mobile device that a security policy associated with the mobile device has changed to require at least one additional security constraint;
  
  responsive to receiving a notification from the mobile device that the additional security constraint has been met, providing an authorization token to the mobile device;
  
  responsive to receipt of the authorization token, determining whether the authorization token is valid; and
  
  responsive to a determination that the authorization token is valid and that the changed security policy is in force at the mobile device, permitting access to the service.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product as described in claim 15 wherein the determination by the method that the changed security policy is in force at the mobile device further includes:
    - verifying whether the user has complied with the security policy as changed to reflect the additional security constraint for this service access.
  - 17. The computer program product as described in claim 15 wherein the determination by the method that the changed security policy is in force at the mobile device further includes:
    - contacting a security policy agent associated with the mobile device to query whether the security policy associated with the authorization and that is bound to the authorization token has been enforced for this particular access to the service; and
      
      receiving an affirmative response to the query.
  - 18. The computer program product as described in claim 15 wherein the method further includes denying access to the service if the changed security policy is not in force at the mobile device.
  - 19. The computer program product as described in claim 18 wherein the method further includes revoking the authorization token.
  - 20. The computer program product as described in claim 15 wherein the method further includes maintaining a mapping that associates a service and its authorization scope to a security policy requirement level that defines one or more security policy requirements for the mobile device.

21. The computer program product as described in claim 21 wherein the method further includes providing the mobile device with the one or more security policy requirements.

22. A mobile device, comprising:
- a hardware processor;
  
  computer memory;
  
  a mobile application adapted to request a service to a secure back-end application, the mobile application prompting a user to perform an authentication to grant an authorization to the mobile device to access the service; and
  
  a security policy enforcement agent executed by the hardware processor and responsive to a successful authentication for receiving a notification that a security policy associated with the mobile device has changed to require at least one additional security constraint, the security policy enforcement agent enforcing the changed security policy to enable the mobile application to obtain access to the service.
- View Dependent Claims (23, 24)
- - 23. The mobile device as described in claim 22 wherein the security policy enforcement agent enforces the changed security policy by providing determining whether the at least one additional security constraint has been met and, if so, receiving an authorization token that is bound to the authorization.
  - 24. The mobile device as described in claim 23 wherein the mobile application forwards the authorization token for verification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Canning, Simon Gilbert, Weeden, Shane Bradley, Viselli, Stephen, Moore, David Paul

Granted Patent

US 10,834,133 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04W 12/37   Managing security policies ...

Mobile device security policy based on authorized scopes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile device security policy based on authorized scopes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links