POLICY-BASED SECURE CONTAINERS FOR MULTIPLE ENTERPRISE APPLICATIONS

US 20140189777A1
Filed: 12/28/2012
Published: 07/03/2014
Est. Priority Date: 12/28/2012
Status: Active Grant

First Claim

Patent Images

1. A client computing device for applying enterprise policies to applications comprising:

a trust agent module to send device attribute information that identifies attributes of the client computing device to an enterprise policy server; and

a security management module to;

send a request for an enterprise application to the enterprise policy server in response to receiving a user request for a session with the enterprise application;

receive a security policy for the enterprise application from the enterprise policy server in response to sending the device attribute information and the request for access to the enterprise application;

determine whether a secure container exists on the client computing device for the security policy;

construct the secure container on the client computing device for the security policy in response to determining the secure container does not exist; and

add the enterprise application to the secure container;

wherein the secure container is to enforce the security policy while the enterprise application is executed on the client computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for providing policy-based secure containers for multiple enterprise applications include a client computing device and an enterprise policy server. The client computing device sends device attribute information and a request for access to an enterprise application to the enterprise policy server. The enterprise policy server determines a device trust level based on the device attribute information and a data sensitivity level based on the enterprise application, and sends a security policy to the client computing device based on the device trust level and the data sensitivity level. The client computing device references or creates a secure container for the security policy, adds the enterprise application to the secure container, and enforces the security policy while executing the enterprise application in the secure container. Multiple enterprise applications may be added to each secure container. Other embodiments are described and claimed.

74 Citations

View as Search Results

28 Claims

1. A client computing device for applying enterprise policies to applications comprising:
- a trust agent module to send device attribute information that identifies attributes of the client computing device to an enterprise policy server; and
  
  a security management module to;
  
  send a request for an enterprise application to the enterprise policy server in response to receiving a user request for a session with the enterprise application;
  
  receive a security policy for the enterprise application from the enterprise policy server in response to sending the device attribute information and the request for access to the enterprise application;
  
  determine whether a secure container exists on the client computing device for the security policy;
  
  construct the secure container on the client computing device for the security policy in response to determining the secure container does not exist; and
  
  add the enterprise application to the secure container;
  
  wherein the secure container is to enforce the security policy while the enterprise application is executed on the client computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The client computing device of claim 1, wherein the security management module comprises a security management module further to receive the enterprise application from the enterprise policy server.
  - 3. The client computing device of claim 1, wherein the security policy comprises a security policy to:
    - allow the enterprise application to securely communicate with other enterprise applications in the secure container; and
      
      prevent the enterprise application from communicating with applications not in the secure container.
  - 4. The client computing device of claim 1, wherein the security policy comprises a security policy to require a user of the client computing device to authenticate prior to execution of the enterprise application.
  - 5. The client computing device of claim 4, wherein the security policy comprises a security policy to require the user to authenticate for the secure container without requiring the user to authenticate for the enterprise application of the secure container.
  - 6. The client computing device of claim 1, wherein the security policy comprises a security policy to:
    - (i) encrypt data accessed or stored by the enterprise application or (ii) remove data created by the enterprise application when the enterprise application terminates.
  - 7. The client computing device of claim 1, wherein the security policy comprises a security policy to log activities of the enterprise application.

8. One or more machine readable storage media comprising a plurality of instructions that in response to being executed result in a client computing device:
- sending device attribute information that identifies attributes of the client computing device from the client computing device to an enterprise policy server;
  
  sending a request for access to an enterprise application to the enterprise policy server;
  
  receiving, on the client computing device, a security policy for the enterprise application based on the device attribute information;
  
  determining, on the client computing device, whether a secure container exists for the security policy;
  
  constructing, on the client computing device, the secure container for the security policy in response to determining the secure container does not exist;
  
  adding, on the client computing device, the enterprise application to the secure container;
  
  executing, on the client computing device, the enterprise application; and
  
  enforcing, on the client computing device, the security policy while the enterprise application is executed on the client computing device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The machine-readable media of claim 8, further comprising a plurality of instructions that in response to being executed result in the client computing device receiving the enterprise application from the enterprise policy server.
  - 10. The machine-readable media of claim 8, wherein enforcing the security policy comprises:
    - allowing the enterprise application to securely communicate with other enterprise applications in the secure container; and
      
      preventing the enterprise application from communicating with applications not in the secure container.
  - 11. The machine-readable media of claim 8, wherein enforcing the security policy comprises requiring a user of the client computing device to authenticate prior to execution of the enterprise application.
  - 12. The machine-readable media of claim 11, wherein requiring the user to authenticate comprises requiring the user to authenticate for the secure container without requiring the user to authenticate for the enterprise application of the secure container.
  - 13. The machine-readable media of claim 8, wherein enforcing the security policy comprises one of:
    - (i) encrypting data accessed or stored by the enterprise application or (ii) removing data created by the enterprise application when the enterprise application terminates.
  - 14. The machine-readable media of claim 8, wherein enforcing the security policy comprises logging activities of the enterprise application.

15. A method to apply enterprise policies to applications on a client computing device, the method comprising:
- sending device attribute information that identifies attributes of the client computing device from the client computing device to an enterprise policy server;
  
  sending, from the client computing device, a request for access to an enterprise application to the enterprise policy server;
  
  receiving, on the client computing device, a security policy for the enterprise application based on the device attribute information;
  
  determining, on the client computing device, whether a secure container exists for the security policy;
  
  constructing, on the client computing device, the secure container for the security policy in response to determining the secure container does not exist;
  
  adding, on the client computing device, the enterprise application to the secure container;
  
  executing, on the client computing device, the enterprise application; and
  
  enforcing, on the client computing device, the security policy while the enterprise application is executed on the client computing device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein enforcing the security policy comprises:
    - allowing the enterprise application to securely communicate with other enterprise applications in the secure container; and
      
      preventing the enterprise application from communicating with applications not in the secure container.
  - 17. The method of claim 15, wherein enforcing the security policy comprises requiring a user of the client computing device to authenticate prior to execution of the enterprise application.
  - 18. The method of claim 17, wherein requiring the user to authenticate comprises requiring the user to authenticate for the secure container without requiring the user to authenticate for the enterprise application of the secure container.
  - 19. The method of claim 15, wherein enforcing the security policy comprises one of:
    - (i) encrypting data accessed or stored by the enterprise application or (ii) removing data created by the enterprise application when the enterprise application terminates
  - 20. The method of claim 15, wherein enforcing the security policy comprises logging activities of the enterprise application.

21. An enterprise policy server to determine enterprise security policies for a client computing device comprising:
- a trust calculation module to;
  
  receive device attribute information that identifies attributes of the client computing device; and
  
  determine a device trust level for the client computing device based on the device attribute information; and
  
  a policy determination module to;
  
  receive a request for an enterprise application from the client computing device;
  
  determine a data sensitivity level based on the enterprise application;
  
  determine a security policy based on the device trust level and the data sensitivity level; and
  
  send the security policy to the client computing device.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The enterprise policy server of claim 21, wherein the policy determination module comprises a policy determination module to select the data sensitivity level from a plurality of predefined data sensitivity levels associated with enterprise data that can be accessed by the enterprise application.
  - 23. The enterprise policy server of claim 21, further comprising a plurality of predefined security policies, wherein the policy determination module comprises a policy determination module to select the security policy from the plurality of predefined security policies based on the device trust level and the data sensitivity level.
  - 24. The enterprise policy server of claim 21, wherein the policy determination module comprises a policy determination module to send the enterprise application to the client computing device.
  - 25. The enterprise policy server of claim 21, wherein the security policy comprises a security policy to:
    - allow the enterprise application to securely communicate with other enterprise applications associated with the security policy; and
      
      prevent the enterprise application from communicating with applications not associated with the security policy.
  - 26. The enterprise policy server of claim 21, wherein the security policy comprises a security policy to require a user of the client computing device to authenticate prior to execution of the enterprise application.
  - 27. The enterprise policy server of claim 21, wherein the security policy comprises a security policy to require the client computing device to (i) encrypt data accessed or stored by the enterprise application;
    - or (ii) remove data created by the enterprise application when the enterprise application terminates.
  - 28. The enterprise policy server of claim 21, wherein the security policy comprises a security policy to require the client computing device to log activities of the enterprise application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Viswanathan, Tarun, Kahana, Uri, Ross, Alan, Birk, Eran

Granted Patent

US 9,276,963 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/205   involving negotiation or de...

POLICY-BASED SECURE CONTAINERS FOR MULTIPLE ENTERPRISE APPLICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

74 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

POLICY-BASED SECURE CONTAINERS FOR MULTIPLE ENTERPRISE APPLICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links