Clustered device access control based on physical and temporal proximity to the user

US 8,561,142 B1
Filed: 06/01/2012
Issued: 10/15/2013
Est. Priority Date: 06/01/2012
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for dynamically determining which of a plurality of computing devices associated with a user are trusted and which are non-trusted, based on physical and temporal proximity between the computing devices and the user, the method comprising the steps of:

identifying a plurality of computing devices associated with a user, each computing device of the plurality of computing devices being used to access backend computing resources of an enterprise;

tracking geo-locations of the computing devices of the plurality of computing devices, and times of establishment of the tracked geo-locations;

receiving a trusted authentication from a specific one of the plurality of computing devices, wherein the trusted authentication comprises more than a conventional control for a user to access the computing device and more than a conventional authentication for a computing device to access backend computing resources;

responsive to receiving the trusted authentication from the specific computing device, classifying the specific computing device as a primary node of a trusted cluster, and defining a current geo-location of the user as the geo-location of the specific device, as of a time of the trusted authentication; and

determining trusted and non-trusted computing devices of the plurality of computing devices, based on physical distances between geo-locations of the computing devices and the defined current geo-location of the user, and based on differences in time between times of establishment of the geo-locations of the computing devices and a time of establishment of the geo-location of the user;

wherein the trusted computing devices are allowed to access the backend resources subject to conventional access controls and the non-trusted devices are not allowed to access the backend resources.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of computing devices used to access backend computing resources of an enterprise by a specific user are identified, and geo-locations of the devices at specific times are tracked. A trusted authentication is received from a specific one of the devices. Responsive to the trusted authentication, the specific device is classified as the primary node of a trusted cluster, and the current geo-location of the user is defined as the geo-location of the specific device, as of the time of the trusted authentication. Devices are assigned to a logical trusted device cluster or to a logical non-trusted device cluster, based on distances between the device geo-locations and the current geo-location of the user, and based on differences between establishment times of the device geo-locations and the establishment time of the user'"'"'s geo-location.

67 Citations

View as Search Results

20 Claims

1. A computer implemented method for dynamically determining which of a plurality of computing devices associated with a user are trusted and which are non-trusted, based on physical and temporal proximity between the computing devices and the user, the method comprising the steps of:
- identifying a plurality of computing devices associated with a user, each computing device of the plurality of computing devices being used to access backend computing resources of an enterprise;
  
  tracking geo-locations of the computing devices of the plurality of computing devices, and times of establishment of the tracked geo-locations;
  
  receiving a trusted authentication from a specific one of the plurality of computing devices, wherein the trusted authentication comprises more than a conventional control for a user to access the computing device and more than a conventional authentication for a computing device to access backend computing resources;
  
  responsive to receiving the trusted authentication from the specific computing device, classifying the specific computing device as a primary node of a trusted cluster, and defining a current geo-location of the user as the geo-location of the specific device, as of a time of the trusted authentication; and
  
  determining trusted and non-trusted computing devices of the plurality of computing devices, based on physical distances between geo-locations of the computing devices and the defined current geo-location of the user, and based on differences in time between times of establishment of the geo-locations of the computing devices and a time of establishment of the geo-location of the user;
  
  wherein the trusted computing devices are allowed to access the backend resources subject to conventional access controls and the non-trusted devices are not allowed to access the backend resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising:
    - assigning trusted computing devices to a logical trusted device cluster; and
      
      assigning non-trusted computing devices to a logical non-trusted device cluster.
  - 3. The method of claim 1 wherein determining trusted and non-trusted computing devices of the plurality further comprises:
    - responsive to receiving a trusted authentication from a specific computing device, determining whether each computing device of the plurality is trusted;
      
      assigning trusted computing devices to a logical trusted device cluster; and
      
      assigning non-trusted computing devices to a logical non-trusted device cluster.
  - 4. The method of claim 1 wherein determining trusted and non-trusted computing devices of the plurality further comprises:
    - responsive to a specific computing device attempting to access backend resources, determining whether the specific computing device is trusted.
  - 5. The method of claim 1 wherein determining trusted and non-trusted computing devices of the plurality further comprises:
    - responsive to receiving a new geo-location from a specific computing device, determining whether the specific computing device is trusted.
  - 6. The method of claim 1 further comprising:
    - receiving a new trusted authentication from a new, specific one of the plurality of computing devices;
      
      responsive to receiving the new trusted authentication from the new, specific computing device, classifying the new, specific computing device as the primary node of the trusted cluster, and defining the current geo-location of the user as the geo-location of the new, specific device, as of a time of the new trusted authentication; and
      
      re-determining trusted and non-trusted computing devices of the plurality.
  - 7. The method of claim 1 further comprising:
    - receiving a new geo-location from the primary node of the trusted cluster;
      
      re-defining the current geo-location of the user as the new geo-location of the primary node, as of a time of receiving the new geo-location; and
      
      re-determining trusted and non-trusted computing devices of the plurality.
  - 8. The method of claim 1 further comprising:
    - receiving a new geo-location from a trusted device;
      
      re-defining the current geo-location of the user as the new geo-location of the trusted device, as of a time of receiving the new geo-location; and
      
      re-determining trusted and non-trusted computing devices of the plurality.
  - 9. The method of claim 1 further comprising:
    - receiving an attempt from a non-trusted computing device to access backend resources; and
      
      blocking the received attempt.
  - 10. The method of claim 1 further comprising:
    - classifying a computing device as being non-trusted responsive to not being able to determine a current geo-location of the computing device.
  - 11. The method of claim 1 wherein receiving a trusted authentication from a specific one of the plurality of computing devices further comprises:
    - receiving a two-factor authentication from the specific one of the plurality of computing devices.

12. At least one non-transitory computer readable medium for dynamically determining which of a plurality of computing devices associated with a user are trusted and which are non-trusted, based on physical and temporal proximity between the computing devices and the user, the at least one non-transitory computer readable medium storing program code that, when loaded into computer memory and executed by a processor performs the following steps:
- a identifying a plurality of computing devices associated with a user, each computing device of the plurality of computing devices being used to access backend computing resources of an enterprise;
  
  tracking geo-locations of the computing devices of the plurality of computing devices, and times of establishment of the tracked geo-locations;
  
  receiving a trusted authentication from a specific one of the plurality of computing devices, wherein the trusted authentication comprises more than a conventional control for a user to access the computing device and more than a conventional authentication for a computing device to access backend computing resources;
  
  responsive to receiving the trusted authentication from the specific computing device, classifying the specific computing device as a primary node of a trusted cluster, and defining a current geo-location of the user as the geo-location of the specific device, as of a time of the trusted authentication; and
  
  determining trusted and non-trusted computing devices of the plurality of computing devices, based on physical distances between geo-locations of the computing devices and the defined current geo-location of the user, and based on differences in time between times of establishment of the geo-locations of the computing devices and a time of establishment of the geo-location of the user;
  
  wherein the trusted computing devices are allowed to access the backend resources subject to conventional access controls and the non-trusted devices are not allowed to access the backend resources.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The at least one non-transitory computer readable of claim 12 further storing program code that, when loaded into computer memory and executed by a processor performs the following steps:
    - assigning trusted computing devices to a logical trusted device cluster; and
      
      assigning non-trusted computing devices to a logical non-trusted device cluster.
  - 14. The at least one non-transitory computer readable of claim 12 wherein determining trusted and non-trusted computing devices of the plurality further comprises:
    - responsive to receiving a trusted authentication from a specific computing device, determining whether each computing device of the plurality is trusted;
      
      assigning trusted computing devices to a logical trusted device cluster; and
      
      assigning non-trusted computing devices to a logical non-trusted device cluster.
  - 15. The at least one non-transitory computer readable of claim 12 wherein determining trusted and non-trusted computing devices of the plurality further comprises:
    - responsive to a specific computing device attempting to access backend resources, determining whether the specific computing device is trusted.
  - 16. The at least one non-transitory computer readable of claim 12 wherein determining trusted and non-trusted computing devices of the plurality further comprises:
    - responsive to receiving a new geo-location from a specific computing device, determining whether the specific computing device is trusted.
  - 17. The at least one non-transitory computer readable of claim 12 further storing program code that, when loaded into computer memory and executed by a processor performs the following steps:
    - receiving a new trusted authentication from a new, specific one of the plurality of computing devices;
      
      responsive to receiving the new trusted authentication from the new, specific computing device, classifying the new, specific computing device as the primary node of the trusted cluster, and defining the current geo-location of the user as the geo-location of the new, specific device, as of a time of the new trusted authentication; and
      
      re-determining trusted and non-trusted computing devices of the plurality.
  - 18. The at least one non-transitory computer readable of claim 12 further storing program code that, when loaded into computer memory and executed by a processor performs the following steps:
    - receiving a new geo-location from the primary node of the trusted cluster;
      
      re-defining the current geo-location of the user as the new geo-location of the primary node, as of a time of receiving the new geo-location; and
      
      re-determining trusted and non-trusted computing devices of the plurality.
  - 19. The at least one non-transitory computer readable of claim 12 further storing program code that, when loaded into computer memory and executed by a processor performs the following steps:
    - receiving an attempt from a non-trusted computing device to access backend resources; and
      
      blocking the received attempt.

20. A computer system for dynamically determining which of a plurality of computing devices associated with a user are trusted and which are non-trusted, based on physical and temporal proximity between the computing devices and the user, the computer system comprising:
- computer memory;
  
  at least one processor;
  
  a device identifying module residing in the computer memory, configured to identify a plurality of computing devices associated with a user, each computing device of the plurality of computing devices being used to access backend computing resources of an enterprise;
  
  a geo-location tracking module residing in the computer memory, configured to track geo-locations of the computing devices of the plurality of computing devices, and times of establishment of the tracked geo-locations;
  
  a device authenticating module residing in the computer memory, configured to receive a trusted authentication from a specific one of the plurality of computing devices, wherein the trusted authentication comprises more than a conventional control for a user to access the computing device and more than a conventional authentication for a computing device to access backend computing resources;
  
  a cluster assigning module residing in the computer memory, configured to classify the specific computing device as a primary node of a trusted cluster, and to define a current geo-location of the user as the geo-location of the specific device as of a time of the trusted authentication, responsive to receiving the trusted authentication from the specific computing device; and
  
  the cluster assigning module being further configured to determine trusted and non-trusted computing devices of the plurality of computing devices, based on physical distances between geo-locations of the computing devices and the defined current geo-location of the user, and based on differences in time between times of establishment of the geo-locations of the computing devices and a time of establishment of the geo-location of the user;
  
  wherein the trusted computing devices are allowed to access the backend resources subject to conventional access controls and the non-trusted devices are not allowed to access the backend resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E.
Primary Examiner(s)
Patel, Haresh N

Application Number

US13/487,099
Time in Patent Office

501 Days
Field of Search

726 1- 8, 713185-189, 709/3, 709217-228
US Class Current

726/3
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/08   for authentication of entit...

H04L 63/107   wherein the security polici...

H04L 63/12   Applying verification of th...

Clustered device access control based on physical and temporal proximity to the user

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Clustered device access control based on physical and temporal proximity to the user

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others