Secure virtual file management system

US 8,863,298 B2
Filed: 01/04/2013
Issued: 10/14/2014
Est. Priority Date: 01/06/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A virtual file management system (VFMS) providing secure movement of managed content across a plurality of storage domains and one or more mobile devices, the VFMS comprising:

a data infrastructure that is both coupled to and collecting metadata of the plurality of storage domains and the one or more mobile devices, the plurality of storage domains distributively storing the managed content, the data infrastructure organizing the managed content into a virtual file system;

a client application running on the one or more mobile devices configured to retrieve and use the virtual file system to process a data request of a user, the data request comprising the transfer of a portion of the managed content from a source location to a target location, the target location comprising one or more of a local storage of the one or more mobile devices and at least one of the plurality of storage domains;

the data infrastructure comprising a policy definition and decision component that generates and maintains policies defining controls for encryption operations applied to the portion in connection with the transfer; and

the client application processing the data request using the virtual file system, the processing the data request including retrieving the policies and enforcing the policies by applying the controls on the one or more mobile devices, the controlled encryption operations including applying one or more of a file level encryption and a master key encryption, the master key encryption comprising the client application encrypting the portion on the one or more devices and interfacing with the data infrastructure using a client side library to place the encrypted portion in a container and to retrieve the encrypted portion from the container using one or more master keys maintained by the data infrastructure, the client application exposing the client side library to one or more mobile applications running on the one or more mobile devices, the one or more mobile applications using the client side library to apply the controlled encryption operations in accessing the container.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual file management system provides user access to managed content on mobile devices. The system comprises storage domains storing the managed content distributively using file systems, and a data infrastructure that organizes the managed content into a virtual file system that maintains information of storage domain specific file system primitives for accessing corresponding portions of the managed content. The data infrastructure, which maintains metadata of the storage domains and the mobile devices, comprises a policy definition and decision component that maintains policies defining controls for permissible operations on the managed content, the permissible operations including the file system primitives. A client application hosted on the mobile devices is coupled to the data infrastructure and the storage domains and includes an enforcement component that communicates with the policy definition and decision component to retrieve and enforce the policies by applying the controls on the mobile devices.

Citations

76 Claims

1. A virtual file management system (VFMS) providing secure movement of managed content across a plurality of storage domains and one or more mobile devices, the VFMS comprising:
- a data infrastructure that is both coupled to and collecting metadata of the plurality of storage domains and the one or more mobile devices, the plurality of storage domains distributively storing the managed content, the data infrastructure organizing the managed content into a virtual file system;
  
  a client application running on the one or more mobile devices configured to retrieve and use the virtual file system to process a data request of a user, the data request comprising the transfer of a portion of the managed content from a source location to a target location, the target location comprising one or more of a local storage of the one or more mobile devices and at least one of the plurality of storage domains;
  
  the data infrastructure comprising a policy definition and decision component that generates and maintains policies defining controls for encryption operations applied to the portion in connection with the transfer; and
  
  the client application processing the data request using the virtual file system, the processing the data request including retrieving the policies and enforcing the policies by applying the controls on the one or more mobile devices, the controlled encryption operations including applying one or more of a file level encryption and a master key encryption, the master key encryption comprising the client application encrypting the portion on the one or more devices and interfacing with the data infrastructure using a client side library to place the encrypted portion in a container and to retrieve the encrypted portion from the container using one or more master keys maintained by the data infrastructure, the client application exposing the client side library to one or more mobile applications running on the one or more mobile devices, the one or more mobile applications using the client side library to apply the controlled encryption operations in accessing the container.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76)
- - 2. The system of claim 1, wherein the plurality of storage domains include one or more of shared storage of an enterprise and cloud based storage.
  - 3. The system of claim 2, wherein the shared storage of an enterprise includes enterprise content management systems including at least one of an enterprise storage domain, shared drives, and a directory service, wherein the shared drives include one or more of Network File System (NFS), Common Internet File System CIFS), and Distributed File System (DFS) based shared drives, wherein the cloud based storage includes a cloud based storage domain.
  - 4. The system of claim 1, wherein the client application comprises a native mobile application for the one or more mobile devices.
  - 5. The system of claim 4, wherein the client application includes a web based Hypertext Markup Language 5 (HTML5) application, wherein the one or more mobile devices includes a web browser client accessing the HTML5 application.
  - 6. The system of claim 1, wherein the one or more mobile devices include a smartphone device and a tablet.
  - 7. The system of claim 1, the plurality of storage domains including one or more file systems, the one or more file systems including a first file system and a second file system, wherein a content hierarchy of the first file system is different than the content hierarchy of the second file system.
  - 8. The system of claim 1, wherein the data infrastructure is one or more of a private and public cloud based service.
  - 9. The system of claim 8, the data infrastructure interfacing with the plurality of storage domains using one or more of a public interface and a protocol, wherein the public interface includes Representational State Transfer (REST) communications, Simple Object Access Protocol (SOAP) communications and proprietary application programming interfaces (APIs), wherein the protocol includes Web Distributed Authoring and Versioning WebDAV), Common Internet File System (CIFS) and Network File System (NFS).
  - 10. The system of claim 9, the interfacing with the plurality of storage domains including collecting storage domain specific file system primitives for accessing corresponding portions of the managed content, the data infrastructure mapping the storage domain specific file system primitives to corresponding content of the plurality of storage domains.
  - 11. The system of claim 10, the information of the storage domain specific file system primitives including a first and a second set of primitives, wherein the first set is different than the second set, wherein the storage domain specific file system primitives include read, write, delete, update, copy, and move.
  - 12. The system of claim 11, the organizing the managed content into a virtual file system comprising using information of the storage domain specific file system primitives, the plurality of storage domains and the metadata.
  - 13. The system of claim 12, the virtual file system providing virtual file system primitives including one or more of create, read, update, delete, rename, list, move, copy, get metadata, view, edit, annotate, copy and move across physical file systems, and open in specific applications for editing/viewing, wherein the plurality of storage domains comprise the physical file systems.
  - 14. The system of claim 1, wherein the metadata comprises at least one of an identity component, a content metadata component, a device component, and a policy component.
  - 15. The system of claim 14, wherein the device component comprises information of mobile device configuration parameters of the one or more mobile devices, the mobile device configuration parameters including device specific policies and permissions in place for the one or more mobile devices.
  - 16. The system of claim 15, wherein the policy component comprises storage domain specific policies inherited from each of the plurality of storage domains, the storage domain specific policies including user and group level permissions and policies with respect to the managed content.
  - 17. The system of claim 16, the identity component including unique device identifiers for each of the one or more mobile devices and information of storage domain identities of the user for each of the plurality of storage domains, the identity component associating the storage domain identities and the device identifiers with a user identity.
  - 18. The system of claim 17, the metadata component including storage domain metadata of managed content stored on each of the plurality of storage domains, the storage domain metadata including name of files, creation date of files, owner of files, and corresponding storage domain content hierarchy.
  - 19. The system of claim 16, the generating and maintaining the policies comprising the policy definition and decision component coupled to a management console that allows an administrator an ability to define additional policies using the metadata, the additional policies defining one or more additional controls for the encryption operations on the managed content.
  - 20. The system of claim 19, wherein the additional policies are defined for an enterprise.
  - 21. The system of claim 20, wherein the additional policies define the one or more additional controls for a user associated with the enterprise, wherein the user associated with the enterprise comprises the user of the one or more mobile devices.
  - 22. The system of claim 21, wherein the additional policies define the one or more additional controls for groups of users associated with the enterprise, wherein the groups of users comprise the user associated with the enterprise.
  - 23. The system of claim 22, the administrator creating the groups of users using custom groups and standard groups, the groups of users including one or more of owners, members, visitors, viewers, on-premise employees, offsite employees, partners and customers.
  - 24. The system of claim 23, wherein the additional policies define the one or more additional controls for a specific mobile device, wherein the specific mobile device includes the one or more mobile devices.
  - 25. The system of claim 24, wherein the additional policies define the one or more additional controls for the plurality of storage domains.
  - 26. The system of claim 25, wherein the additional policies define the one or more additional controls for the portion of the managed content.
  - 27. The system of claim 26, the additional policies including a second set of controls applicable to the specific mobile device, wherein the specific mobile device includes a configuration of operating system, operating system version and device type.
  - 28. The system of claim 27, the additional policies including a third set of controls applicable to the user associated with the enterprise or the groups of users associated with the enterprise.
  - 29. The system of claim 28, the generating and maintaining the policies including storing the additional policies, the device specific policies and permissions and the storage domain specific policies in a policy store of the data infrastructure.
  - 30. The system of claim 29, the generating and maintaining the policies comprising algorithmically compiling at least one of the additional policies for the user associated with the enterprise accessing the portion of the managed content of the plurality of storage domains using the specific mobile device.
  - 31. The system of claim 30, the compiling comprising retrieving and aggregating the one or more additional controls for the user and groups of users associated with the enterprise, the one or more additional controls for the portion of the managed content, the one or more controls for the plurality of storage domains, the one or more additional controls of the specific mobile device, the second set of controls, the third set of controls, the device specific policies and permissions and the storage domain specific policies.
  - 32. The system of claim 1, wherein the file level encryption includes hardware encryption applied to the portion on the one or more mobile devices, wherein the portion comprises files stored in the temporary cache of the one or more mobile devices.
  - 33. The system of claim 1, wherein the file level encryption includes local encryption applied to the portion on the one or more mobile devices, wherein the portion comprises files and documents stored in local folders on the device.
  - 34. The system of claim 33, wherein the local encryption comprises generating a symmetric key based on credentials of the user, the client application using the symmetric key to encrypt the portion, the client application storing the symmetric key in a mobile device operating system key chain.
  - 35. The system of claim 1, wherein the encrypting the portion comprises using symmetric key encryption, wherein the symmetric key encryption comprises encrypting the portion using a symmetric key.
  - 36. The system of claim 35, wherein the placing the encrypted portion in the container comprises sending the symmetric key to the data infrastructure, the sending the symmetric key to the data infrastructure comprising sending the key using a secure key distribution and management protocol.
  - 37. The system of claim 36, wherein the placing the encrypted portion in the container comprises the data infrastructure receiving and encrypting the symmetric key using a master key of the one or more master keys, the data infrastructure returning a master key encrypted symmetric key using the secure key distribution and management protocol and the client application placing the encrypted portion and the master key encrypted symmetric key in the container.
  - 38. The system of claim 37, wherein the container includes an envelope, the envelope comprising an .acxs data format, wherein the envelope includes one or more of a class of the master key and a length of the master key.
  - 39. The system of claim 38, wherein the retrieving the encrypted portion from the container comprises retrieving the master key encrypted symmetric key from the envelope and sending the master key encrypted symmetric key to the data infrastructure using the secure key distribution and management protocol.
  - 40. The system of claim 39, wherein the retrieving the encrypted portion from the container comprises the data infrastructure receiving the master key encrypted symmetric key and retrieving the symmetric key, the retrieving the symmetric key comprising the data infrastructure using the master key to decrypt the master key encrypted symmetric key.
  - 41. The system of claim 40, wherein the retrieving the encrypted portion from the container comprises returning the symmetric key to the client application using the secure key distribution and management protocol, the client application receiving the symmetric key and using the symmetric key to decrypt the encrypted portion.
  - 42. The system of claim 1, comprising applying the encryption operations to the portion during the transfer, the encryption operations including encrypting and decrypting the portion.
  - 43. The system of claim 42, the source location comprising one or more of the local storage of the one or more mobile devices and the plurality of storage domains.
  - 44. The system of claim 43, wherein the transfer comprises decrypting the portion according to a format applied at the source location.
  - 45. The system of claim 44, wherein the format includes the file level encryption.
  - 46. The system of claim 44, wherein the format includes the master key encryption.
  - 47. The system of claim 46, wherein decrypting the master key encryption comprises retrieving the portion from the container.
  - 48. The system of claim 42, the encrypting the portion during the transfer including using the file level encryption.
  - 49. The system of claim 42, the encrypting the portion during the transfer including using the master key encryption, the using the master key encryption comprising placing the encrypted portion in the container.
  - 50. The system of claim 49, wherein the encrypting the portion during the transfer using the master key encryption comprises storing the container at the target location.
  - 51. The system of claim 1, the client side library enabling the client application to communicate with the data infrastructure, the communicating comprising issuing calls to the data infrastructure to one or more of retrieve information for applying at least one of the encrypted operations, retrieve the policies and enforce the policies.
  - 52. The system of claim 51, the one or more mobile applications embedding the client side library using a secure file exchange protocol to access the client side library.
  - 53. The system of claim 52, the exposing the client side library including exposing the client side library to additional devices and corresponding software platforms, the additional devices and corresponding software platforms embedding the client side library using the secure file exchange protocol to access the client side library.
  - 54. The system of claim 53, the one or more mobile applications using the client side library to retrieve information from the data infrastructure for accessing the container.
  - 55. The system of claim 54, the accessing the container including decrypting and viewing the encrypted portion.
  - 56. The system of claim 55, wherein one or more mobile applications include trusted applications and untrusted applications, the container restricting access to the trusted applications, wherein the trusted applications embed the client side library, the restricting the access including the client side library blocking communication of an untrusted application with the client side library.
  - 57. The system of claim 1, the client application requesting offline access to the container, and in response to the request the data infrastructure issuing special keys to the client application, wherein the special keys are valid for a predetermined amount of time.
  - 58. The system of claim 57, wherein the client application stores the special keys on the one or more mobile devices using a hardware security element operating system provided key chain, the client application issuing calls on the client side library to obtain information of the special keys for accessing the container.
  - 59. The system of claim 58, the accessing the container comprising decrypting and viewing the encrypted portion.
  - 60. The system of claim 1, the transfer comprising the transfer of the container from the client application to a trusted application of the one or more mobile applications, wherein the container comprises the encrypted portion, wherein after the transfer, a copy of the container resides in the sandboxed file system of the trusted application.
  - 61. The system of claim 60, wherein a secure file exchange module of the trusted application embeds the client side library by using a secure file exchange protocol to access the client side library.
  - 62. The system of claim 61, the accessing the container comprising the secure file exchange module using the client side library to communicate with the data infrastructure and retrieve from the data infrastructure information for decrypting the encrypted portion in the container and viewing the portion.
  - 63. The system of claim 35, wherein the data infrastructure manages the one or more master keys on behalf of an enterprise customer.
  - 64. The system of claim 63, wherein the one or more master keys includes one or more classes of master key.
  - 65. The system of claim 64, wherein the one or more classes of master keys correspond to one or more of a user, a group of users, a device group, a storage domain and the one or more mobile applications.
  - 66. The system of claim 65, the data infrastructure disabling client side library calls to the data infrastructure by disabling the corresponding class of master key associated with the one or more of a user, a group of users, a device group, a storage domain and the one or more mobile applications.
  - 67. The system of claim 66, wherein the enterprise creates the one or more classes, wherein the enterprise revokes the one or more classes.
  - 68. The system of claim 67, wherein the data infrastructure stores the one or more master keys in a secure lockbox, wherein the secure lockbox encrypts and decrypts the symmetric key using the one or more master keys.
  - 69. The system of claim 68, wherein the enterprise maintains the one or more keys on-premise or on public cloud using hardware security module.
  - 70. The system of claim 69, wherein the data infrastructure maintains an on-premise pluggability module that allows the secure lockbox to encrypt and decrypt the symmetric key using the one or more master keys from the on-premise or public cloud hardware security module.
  - 71. The system of claim 1, wherein the client application cooperates with the data infrastructure to track information of the controlled encrypted operations, the tracking the controlled encrypted operations includes tracking information of the data request to transfer the portion.
  - 72. The system of claim 71, the information of the data request including information of the user, information of the source location and information of the controlled encrypted operations.
  - 73. The system of claim 72, the client application cooperating with the data infrastructure to associate a trusted file stamp with the information of the data request and stamping the portion with the trusted file stamp.
  - 74. The system of claim 73, the trusted file stamp visually encoding the information of the data request using one or more of a color and a symbol.
  - 75. The system of claim 74, wherein users interact with the trusted file stamp to obtain the information of the data request.
  - 76. The system of claim 73, the tracking the controlled encrypted operations including tracking a series of data requests associated with the portion, the series of data requests comprising the data request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ivanti, Inc. (Ivanti Software, Inc.)
Original Assignee
MobileIron, Inc.
Inventors
Akella, Venkata Sastry, Sharma, Rahul, Krishnan, Sanjeev, Srinivasan, Babu
Primary Examiner(s)
Zee, Edward

Application Number

US13/734,545
Publication Number

US 20130219176A1
Time in Patent Office

648 Days
Field of Search

726/26, 726/28, 726/29, 713/189
US Class Current

726/26
CPC Class Codes

G06F 16/185   Hierarchical storage manage...

G06F 16/188   Virtual file systems

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06Q 10/10   Office automation; Time man...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0435   wherein the sending and rec...

H04L 63/0815   providing single-sign-on or...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0894   Escrow, recovery or storing...

H04W 12/02   Protecting privacy or anony...

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

Secure virtual file management system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

76 Claims

Specification

Solutions

Use Cases

Quick Links

Secure virtual file management system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

76 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links