Controlling enterprise access by mobile devices

US 8,832,793 B2
Filed: 03/07/2012
Issued: 09/09/2014
Est. Priority Date: 03/07/2012
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one component running on at least one server and receiving device data for a plurality of devices and generating from the device data configuration data of processing components hosted on the device;

wherein the at least one component receives vulnerability data of a national database comprising a plurality of vulnerabilities of the processing components, wherein each vulnerability includes a severity rating;

wherein the at least one component generates a mapping of the vulnerability data to the configuration data of each device; and

wherein the at least one component selects for each device of the plurality of devices a set of the processing components and calculates for the set a trust score, wherein the calculating comprises calculating for each vulnerability of each processing component a vulnerability trust score that is proportional to the severity rating of each vulnerability, and calculating the trust score by combining the vulnerability trust score of each vulnerability, wherein access by each device to an enterprise is granted based on the trust score.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system comprising at least one component running on at least one server and receiving vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component. The system includes a trust score corresponding to each device of the plurality of devices and representing a level of security applied to the device. The trust score is generated using a severity of the vulnerability data. The system includes an access control component coupled to the at least one component and controlling access of the plurality of devices to an enterprise using the trust score.

4 Citations

48 Claims

1. A system comprising:
- at least one component running on at least one server and receiving device data for a plurality of devices and generating from the device data configuration data of processing components hosted on the device;
  
  wherein the at least one component receives vulnerability data of a national database comprising a plurality of vulnerabilities of the processing components, wherein each vulnerability includes a severity rating;
  
  wherein the at least one component generates a mapping of the vulnerability data to the configuration data of each device; and
  
  wherein the at least one component selects for each device of the plurality of devices a set of the processing components and calculates for the set a trust score, wherein the calculating comprises calculating for each vulnerability of each processing component a vulnerability trust score that is proportional to the severity rating of each vulnerability, and calculating the trust score by combining the vulnerability trust score of each vulnerability, wherein access by each device to an enterprise is granted based on the trust score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 2. The system of claim 1, wherein the at least one component automatically receives the device data from each of the plurality of devices.
  - 3. The system of claim 2, wherein the at least one component receives the device data from a device connecting to the access server, wherein the device reports the device data via a user agent.
  - 4. The system of claim 2, wherein the at least one component receives the device data from a device connecting to the access server, wherein the device receives an electronic mail and content of the electronic mail causes the device to report the device data via a user agent.
  - 5. The system of claim 1, wherein the device data is manually provided to the at least one component.
  - 6. The system of claim 1, wherein the device data is received via semi-automatic entry into the at least one component.
  - 7. The system of claim 6, wherein at least one device of the plurality of devices comprises an agent application that collects the device data and transfers the device data to the at least one component.
  - 8. The system of claim 1, wherein the at least one component receives the device data from at least one remote source, wherein the at least one remote source is remote to the at least one server.
  - 9. The system of claim 1, wherein the at least one component receives supplemental device data from at least one remote source that is remote to the at least one server, wherein the at least one component supplements the device data using the supplemental device data.
  - 10. The system of claim 1, wherein the at least one component receives the device data via self-identification, wherein the self-identification includes sending an electronic query to a user of a device and receiving the device data in response to action on the device resulting from the electronic query.
  - 11. The system of claim 1, wherein the at least one component couples to a remote database and receives the vulnerability data from the remote database.
  - 12. The system of claim 11, wherein the at least one component periodically receives the vulnerability data.
  - 13. The system of claim 11, wherein the remote database comprises the National Vulnerabilities Database.
  - 14. The system of claim 1, where each vulnerability of the plurality of vulnerabilities is represented by a severity rating.
  - 15. The system of claim 14, wherein the trust score comprises an indicator of a level of security applied to the device by an enterprise that corresponds to the device.
  - 16. The system of claim 14, wherein the trust score comprises a numerical value.
  - 17. The system of claim 16, wherein the numerical value is in a range between and including zero (0) and ten (10).
  - 18. The system of claim 14, wherein the generating of the trust score comprises selecting a base score that corresponds to a highest trust level.
  - 19. The system of claim 18, wherein the generating of the trust score comprises reducing the base score by an amount corresponding to the severity rating of each vulnerability.
  - 20. The system of claim 19, wherein the generating of the trust score comprises applying to the base score a severity score corresponding to the severity of each vulnerability.
  - 21. The system of claim 20, wherein the base score is represented by a value of approximately ten (10).
  - 22. The system of claim 21, wherein the generating of the severity score comprises a formula
    D=(i²÷
    - 6)−
      
      ((2·
      
      i)÷
      
      3),wherein variable D represents the severity score, and variable i represents the severity rating of the vulnerability.
  - 23. The system of claim 14, wherein the at least one component updates and maintains the trust score.
  - 24. The system of claim 23, wherein the at least one component updates the trust score in response to receiving a new version of the vulnerability data.
  - 25. The system of claim 23, wherein the at least one component updates the trust score in response to receiving updated device data.
  - 26. The system of claim 23, wherein the at least one component updates the trust score in response to receiving device data corresponding to a new device.
  - 27. The system of claim 14, wherein the device data represents the processing components hosted on a corresponding device.
  - 28. The system of claim 27, wherein the device data comprises data of at least one of device identification, configuration, operating system (OS) name, OS version, platform name, platform software components, device system image, device manufacturer, device brand, device model, device code name, user agent, central processor unit (CPU) type, and bootloader version.
  - 29. The system of claim 27, wherein the at least one component uses the device data to identify the set of the processing components.
  - 30. The system of claim 27, wherein the at least one component generates the trust score using the set of the processing components and the device data of the device.
  - 31. The system of claim 27, wherein the at least one component generates a status list using at least one of the trust score and the device data, wherein the status list corresponds to an enterprise associated with the plurality of devices and includes a status corresponding to each device, wherein access of each device to the enterprise is controlled according to the status list.
  - 32. The system of claim 31, wherein control of the access comprises comparing the status list with data received from the device during a communication attempt and one of allowing and denying access to the device based on the results of the comparison.
  - 33. The system of claim 31, wherein the status is determined using at least one access policy of the enterprise.
  - 34. The system of claim 31, wherein the status is determined using at least one policy exception of the enterprise.
  - 35. The system of claim 31, wherein the status list includes the trust score.
  - 36. The system of claim 31, wherein the status comprises a first status that allows the device access to the enterprise.
  - 37. The system of claim 36, wherein the status comprises a second status that denies the device access to the enterprise.
  - 38. The system of claim 37, wherein the status comprises a third status that quarantines the device during an attempt to access the enterprise.
  - 39. The system of claim 31, wherein the status list includes type identification describing device type of the device.
  - 40. The system of claim 31, wherein the at least one component comprises a traffic filter that includes the status list, wherein the traffic filter is hosted on an access server of the enterprise, wherein the plurality of devices couple to the traffic filter to access the enterprise and the traffic filter controls the access using the status list.
  - 41. The system of claim 40, wherein, when the device data is deficient, the access server places in a hold status a connection with a device attempting to access the enterprise.
  - 42. The system of claim 41, wherein, while the connection is in the hold status, the at least one component attempts to couple to at least one additional device data source and complete the device data using the at least one additional device data source.
  - 43. The system of claim 40, wherein the traffic filter comprises at least one set of instructions executing under the traffic filter, wherein the at least one set of instructions is received from the at least one server.
  - 44. The system of claim 40, wherein the access server separately controls access to the enterprise by each software component of each device of the plurality of devices.
  - 45. The system of claim 31, wherein the at least one component maintains the device data of at least one device of the plurality of devices attempting to access the enterprise.
  - 46. The system of claim 1, wherein the at least one server generates at least one risk mitigation message corresponding to at least one device of the plurality of devices, wherein the risk mitigation message includes at least one suggested action for a user of the at least one device, wherein the at least one suggested action when taken reduces a risk associated with access to the enterprise by the at least one device.
  - 47. The system of claim 1, wherein the at least one server prioritizes the device data based on at least one of a type of the device data, a source of the device data, and consistency among parameters of the device data.

48. A method comprising:
- receiving device data for a plurality of devices;
  
  generating from the device data configuration data of processing components hosted on the device;
  
  receiving vulnerability data of a national database comprising a plurality of vulnerabilities of the processing components, wherein each vulnerability includes a severity rating;
  
  generating a mapping of the vulnerability data to the device data; and
  
  selecting for each device of the plurality of devices a set of the processing components and calculating for the set a trust score, wherein the calculating comprises calculating for each vulnerability of each processing component a vulnerability trust score that is proportional to the severity rating of each vulnerability, and calculating the trust score by combining the vulnerability trust score of each vulnerability, wherein access by each device to an enterprise is granted based on the trust score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7, Inc.
Original Assignee
Rapid7, Inc.
Inventors
Sreenivas, Giridhar, Berglund, Kurt, Sigurdson, Derek, Parker, Jordan
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US13/414,565
Publication Number

US 20130239175A1
Time in Patent Office

916 Days
Field of Search

726/3, 726/4, 726/23, 726/24, 726/25
US Class Current

726/3
CPC Class Codes

G06F 21/35 communicating wirelessly

Controlling enterprise access by mobile devices

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

4 Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling enterprise access by mobile devices

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links