Mobile device security policy based on authorized scopes
Abstract
A technique to enforce mobile device security policy is based on a “risk profile” of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account not only the actual applications installed on the device (and those actively in use), but also the services those applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied.
Claims (24)

1. A method to enforce an enterprise security policy when a request for access to a service is initiated at a mobile device, comprising:
- responsive to a user authentication that grants an authorization to the mobile device to access the service, providing a notification to the mobile device that a security policy associated with the mobile device has changed to require at least one additional security constraint;
- responsive to receiving a notification from the mobile device that the additional security constraint has been met, providing an authorization token to the mobile device;
- responsive to receipt of the authorization token, determining whether the authorization token is valid; and
- responsive to a determination that the authorization token is valid and that the changed security policy is in force at the mobile device, permitting access to the service.
Dependent claims: 2, 3, 4, 5, 6, 7

8. Apparatus to enforce an enterprise security policy when a request for access to a service is initiated at a mobile device, comprising:
- a processor;
- computer memory holding computer program instructions that when executed by the processor perform a method, the method comprising:
- responsive to a user authentication that grants an authorization to the mobile device to access the service, providing a notification to the mobile device that a security policy associated with the mobile device has changed to require at least one additional security constraint;
- responsive to receiving a notification from the mobile device that the additional security constraint has been met, providing an authorization token to the mobile device;
- responsive to receipt of the authorization token, determining whether the authorization token is valid; and
- responsive to a determination that the authorization token is valid and that the changed security policy is in force at the mobile device, permitting access to the service.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A computer program product in a non-transitory computer readable storage medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method to enforce an enterprise security policy when a request for access to a service is initiated at a mobile device, the method comprising:
- responsive to a user authentication that grants an authorization to the mobile device to access the service, providing a notification to the mobile device that a security policy associated with the mobile device has changed to require at least one additional security constraint;
- responsive to receiving a notification from the mobile device that the additional security constraint has been met, providing an authorization token to the mobile device;
- responsive to receipt of the authorization token, determining whether the authorization token is valid; and
- responsive to a determination that the authorization token is valid and that the changed security policy is in force at the mobile device, permitting access to the service.
Dependent claims: 16, 17, 18, 19, 20

21. The computer program product as described in claim 21 wherein the method further includes providing the mobile device with the one or more security policy requirements.

22. A mobile device, comprising:
- a hardware processor;
- computer memory;
- a mobile application adapted to request a service from a secure back-end application, the mobile application prompting a user to perform an authentication to grant an authorization to the mobile device to access the service; and
- a security policy enforcement agent executed by the hardware processor and responsive to a successful authentication for receiving a notification that a security policy associated with the mobile device has changed to require at least one additional security constraint, the security policy enforcement agent enforcing the changed security policy to enable the mobile application to obtain access to the service.
Dependent claims: 23, 24
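The following is an added worked example, not code from the patent or its assignee, showing the four steps of claim 1 as a small server-side flow, with the abstract's "risk profile" (installed apps, services accessed, granted scopes) deciding whether an additional security constraint is required. The risk rules, app/service/scope names, the HMAC-signed token format, and the device's policy report are all constructed assumptions for illustration.

```python
"""Added example (not the patent's own code): an authorization server that
follows claim 1 above.  All names, risk rules and the token format are
constructed assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: server-side secret

# Constructed risk rules: which apps, services and scopes raise the risk
# profile enough that an additional constraint (a device passcode) is required.
RISKY_APPS = {"unmanaged-browser", "sideloaded-app"}
HIGH_RISK_SERVICES = {"hr-backend", "finance-api"}
HIGH_RISK_SCOPES = {"mail.send", "files.write", "admin"}
RISK_THRESHOLD = 3


def risk_score(profile):
    """Risk profile as in the abstract: installed apps, the services they
    access, and the scopes the user granted.  Higher means riskier."""
    score = 2 * len(profile["apps"] & RISKY_APPS)
    score += 3 * len(profile["services"] & HIGH_RISK_SERVICES)
    score += 3 * len(profile["scopes"] & HIGH_RISK_SCOPES)
    return score


class PolicyServer:
    def __init__(self):
        self.policy_version = {}   # device_id -> current policy version
        self.required = {}         # device_id -> constraint the device must enforce

    def on_user_authenticated(self, device_id, profile):
        """Step 1: after a successful user authentication, decide whether the
        device's policy changes and notify the device of the new constraint."""
        if risk_score(profile) >= RISK_THRESHOLD:
            self.policy_version[device_id] = self.policy_version.get(device_id, 0) + 1
            self.required[device_id] = "device_passcode"
            return {"policy_changed": True,
                    "version": self.policy_version[device_id],
                    "constraint": "device_passcode"}
        return {"policy_changed": False}

    def on_constraint_met(self, device_id, constraint, ttl=300):
        """Step 2: the device reports the constraint is met; issue a token bound
        to the device id and to the policy version it must keep enforcing."""
        if self.required.get(device_id) != constraint:
            return None
        claims = {"dev": device_id, "pv": self.policy_version[device_id],
                  "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
        return body.decode() + "." + sig

    def validate_token(self, device_id, token, now=None):
        """Step 3: a token is valid only if its signature verifies, it has not
        expired, and it was issued to this device.  Returns the claims or None."""
        try:
            body, sig = token.split(".")
        except (ValueError, AttributeError):
            return None
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if claims["dev"] != device_id or claims["exp"] < now:
            return None
        return claims

    def request_service(self, device_id, token, device_report, now=None):
        """Step 4: permit access only when the token is valid AND the device
        reports that the changed policy (same version, required constraint
        enforced) is in force.  device_report is what the device's policy
        enforcement agent sends alongside the request (constructed format)."""
        claims = self.validate_token(device_id, token, now)
        if claims is None:
            return False
        return (device_report.get("policy_version") == claims["pv"]
                and device_report.get("constraint_enforced") == self.required.get(device_id))
```

Note the two independent checks in `request_service`: a well-formed, unexpired token alone is not sufficient, because the claim requires that the changed policy actually be in force at the device at the time of the request; binding the policy version into the token lets the server detect a device that obtained a token and then rolled back its policy.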
Specification