Network Access Control with Compliance Policy Check

US 20160197962A1
Filed: 03/14/2016
Published: 07/07/2016
Est. Priority Date: 12/16/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an authentication application from a user device, a request to access a software-as-a-service server;

retrieving, by the authentication application, a compliance check result generated by a network access control server based on

1) compliance data collected by a client application on the user device, and

2) a security policy for the software-as-a-service server;

granting, by the authentication application, access by the user device to the software-as-a-service server when the compliance check result is positive; and

denying, by the authentication application, access by the user device to the software-as-a-service server when the compliance check result is negative.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention include methods involving an authentication application, a client application, or a combination of a network access control server with the authentication application and the client application. The client application collects compliance data regarding the user device and communicates the compliance data to the network access control server. The network access control server generates a compliance check result based on whether the compliance data indicates that the user device is compliant with a security policy for the software-as-a-service server. The authentication application grants access by the user device when the compliance check result is positive; and the authentication application denies access by the user device when the compliance check result is negative. In some embodiments, the compliance check result or a user device identifier is stored in a web browser cookie or a client certificate on the user device.

Citations

19 Claims

1. A method comprising:
- receiving, by an authentication application from a user device, a request to access a software-as-a-service server;
  
  retrieving, by the authentication application, a compliance check result generated by a network access control server based on
  
  1) compliance data collected by a client application on the user device, and
  
  2) a security policy for the software-as-a-service server;
  
  granting, by the authentication application, access by the user device to the software-as-a-service server when the compliance check result is positive; and
  
  denying, by the authentication application, access by the user device to the software-as-a-service server when the compliance check result is negative.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the retrieving further comprises:
    - requesting, by the authentication application, a cookie of a web browser from the user device during a login procedure, the cookie containing the compliance check result; and
      
      reading, by the authentication application, the compliance check result from the cookie.
  - 3. The method of claim 1, wherein the retrieving further comprises:
    - requesting, by the authentication application, a cookie of a web browser from the user device during a login procedure, the cookie containing a user device identifier; and
      
      reading, by the authentication application, the user device identifier from the cookie; and
      
      based on the user device identifier, requesting, by the authentication application, the compliance check result from the network access control server.
  - 4. The method of claim 1, wherein the retrieving further comprises:
    - requesting, by the authentication application, a client certificate from the user device during a login procedure, the client certificate containing a user device identifier; and
      
      reading, by the authentication application, the user device identifier from the client certificate; and
      
      based on the user device identifier, requesting, by the authentication application, the compliance check result from the network access control server.
  - 5. The method of claim 1, further comprising:
    - requesting, by the authentication application, the compliance data from the network access control server; and
      
      granting and denying, by the authentication application, access by the user device based on the compliance check result and the compliance data.
  - 6. The method of claim 1, further comprising:
    - receiving, by the authentication application from the network access control server, a decryption key; and
      
      decrypting, by the authentication application using the decryption key, the compliance check result.
  - 7. The method of claim 1, further comprising:
    - generating, by an authentication server, a secure session ID when the compliance check result is positive; and
      
      granting, by the authentication application, access by the user device based on the secure session ID.
  - 8. The method of claim 1, wherein:
    - the compliance data includes at least one of;
      
      an encryption state of the user device, a malware infection state of the user device, whether an unwanted application is present on the user device, and whether an unwanted hardware component is present on the user device.

9. A method comprising:
- collecting, by a client application on a user device, compliance data on the user device; and
  
  sending, by the client application, the compliance data to a network access control server for the network access control server to generate a compliance check result based on the compliance data and a security policy for a software-as-a-service server, wherein the compliance check result is for use by an authentication application to grant access by the user device to the software-as-a-service server when the compliance check result is positive and to deny access by the user device to the software-as-a-service server when the compliance check result is negative.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein:
    - the compliance data includes at least one of;
      
      an encryption state of the user device, a malware infection state of the user device, whether an unwanted application is present on the user device, and whether an unwanted hardware component is present on the user device.
  - 11. The method of claim 9, further comprising:
    - receiving, by the client application, the compliance check result from the network access control server; and
      
      storing, by the client application, the compliance check result in a cookie of a web browser installed on the user device for the user device to send the compliance check result in the cookie to the authentication application upon receiving a request for the cookie from the authentication application during a login procedure.
  - 12. The method of claim 10, further comprising:
    - encrypting, by the client application, the compliance check result using an encryption key; and
      
      storing, by the client application, the encrypted compliance check result in the cookie further for the authentication application to decrypt the encrypted compliance check result using a decryption key that the authentication application receives from the network access control server.
  - 13. The method of claim 9, further comprising:
    - storing, by the client application, a user device identifier in a cookie of a web browser installed on the user device, for the user device to send the user device identifier in the cookie to the authentication application upon receiving a request for the cookie from the authentication application during a login procedure, and for the authentication application to request the compliance check result from the network access control server based on the user device identifier.
  - 14. The method of claim 9, further comprising:
    - storing, by the client application, a user device identifier in a client certificate on the user device, for the user device to send the user device identifier in the client certificate to the authentication application upon receiving a request for the client certificate from the authentication application during a login procedure, and for the authentication application to request the compliance check result from the network access control server based on the user device identifier.

15. A method comprising:
- collecting, by a client application, compliance data on a user device;
  
  sending, by the client application, the compliance data to a network access control server;
  
  generating, by the network access control server, a compliance check result based on the compliance data and a security policy for a software-as-a-service server;
  
  storing, by the network access control server, the compliance check result;
  
  storing, by the client application, a user device identifier in a client certificate on the user device;
  
  requesting, by an authentication application, the client certificate during a login procedure;
  
  reading, by the authentication application, the user device identifier from the client certificate;
  
  based on the user device identifier, requesting, by the authentication application, the compliance check result from the network access control server;
  
  granting, by the authentication application, access by the user device to the software-as-a-service server when the compliance check result is positive; and
  
  denying, by the authentication application, access by the user device to the software-as-a-service server when the compliance check result is negative.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, further comprising:
    - encrypting the compliance check result using an encryption key;
      
      receiving, by the authentication application from the network access control server, a decryption key; and
      
      decrypting, by the authentication application using the decryption key, the compliance check result.
  - 17. The method of claim 15, further comprising:
    - requesting, by the authentication application, the compliance data from the network access control server; and
      
      granting and denying, by the authentication application, access by the user device based on the compliance check result and the compliance data.
  - 18. The method of claim 15, further comprising:
    - generating, by an authentication server, a secure session ID when the compliance check result is positive; and
      
      granting, by the authentication application, access by the user device based on the secure session ID.
  - 19. The method of claim 15, wherein:
    - the compliance data includes at least one of;
      
      an encryption state of the user device, a malware infection state of the user device, whether an unwanted application is present on the user device, and whether an unwanted hardware component is present on the user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OPSWAT, Inc.
Original Assignee
OPSWAT, Inc.
Inventors
Winn, Adam Gregory, Czarny, Benjamin, Mo, Jianpeng, Miao, Yiyi

Granted Patent

US 10,063,594 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Network Access Control with Compliance Policy Check

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Network Access Control with Compliance Policy Check

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links