Protecting enterprise data through policy-based encryption of message attachments
First Claim
1. Non-transitory computer storage storing an executable component configured to provide functionality for selectively protecting attachment data addressed to a mobile device, the executable component comprising instructions that direct one or more computing devices to a process that comprises:
- receiving, from an enterprise resource, an attachment to a message, the message addressed to the mobile device;
- determining whether to encrypt the attachment based on one or more configurable access policies of an enterprise; and
- when a determination is made to encrypt the attachment:
  - encrypting the attachment;
  - causing transmission of the encrypted attachment to the mobile device in place of the attachment;
  - encrypting an attachment key used to encrypt the attachment; and
  - causing transmission of the encrypted attachment key with the encrypted attachment to the mobile device.
Abstract
A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.
32 Claims
18. A system comprising:
- a data store configured to store one or more rules defining conditions under which to encrypt an attachment; and
- one or more computing devices in communication with the data store, the one or more computing devices configured to:
  - monitor messages from an enterprise computing system that are addressed to a mobile device;
  - determine whether to encrypt an attachment to a selected one of the messages at least partly by comparing a condition associated with the selected message to a value associated with the condition in the one or more rules stored in the data store;
  - encrypt an attachment key used to encrypt the attachment, wherein the attachment key is encrypted such that only the mobile device is configured to decrypt the attachment key; and
  - cause transmission of the encrypted attachment key to the mobile device.
30. A method of selectively protecting email-attachment data addressed to a mobile device, the method comprising:
- monitoring, by a computing device, email messages from an enterprise resource that are addressed to the mobile device;
- detecting that data requested by the mobile device from the enterprise resource includes an attachment to a selected one of the email messages;
- determining whether to encrypt the attachment to the selected one of the email messages for transmission to the mobile device at least partly based on whether a particular mobile application is installed on the mobile device; and
- in response to determining to encrypt the attachment, causing encryption of the attachment.
31. Non-transitory computer storage storing an executable component that is configured to be installed on a mobile device to provide functionality for securely accessing data from an enterprise-computing system, the executable component comprising instructions that direct the mobile device to perform a process that comprises:
- determining that an email message received by the mobile device includes an attachment that has been encrypted by a gateway associated with the enterprise-computing system;
- prompting a user of the mobile device to provide access credentials; and
- decrypting the attachment stored on the mobile device using a key obtained from the enterprise-computing system, the decrypting occurring transparently to an email client installed on the mobile device, the decrypting occurring transparently to an enterprise-email server of the enterprise-computing system, wherein the decrypting is responsive to detecting that the access credentials received from the user indicate that the user is authorized to access the attachment according to one or more enterprise-access policies.
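Taken together, claims 1, 18, 30 and 31 describe an envelope-encryption flow at a mail gateway: a rule store drives the encrypt-or-not decision, the attachment is encrypted under a fresh per-attachment key, that key is wrapped so only the addressed device can unwrap it, and the device decrypts only after the user's credentials pass an access-policy check. The Go program below is an added example written for this page to make that flow concrete; it is not code from the patent, its specification or its assignee. The rule format, the attribute name `enterprise_app_installed`, the choice of AES-256-GCM for the attachment and RSA-OAEP to the device public key for the key wrap, and the `authorized` flag standing in for the credential prompt are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Rule is one policy entry (claim 18): encrypt when attribute Condition equals Value. (assumed format)
type Rule struct{ Condition, Value string }

// Message is a simplified enterprise email addressed to a mobile device; Attributes
// holds the facts the policy compares (e.g. claim 30's "particular mobile application installed").
type Message struct {
	Attachment []byte
	Attributes map[string]string
}

// Protected replaces the plaintext attachment on the wire: AES-256-GCM
// ciphertext (tag appended) plus the attachment key wrapped to the device.
type Protected struct {
	Ciphertext, Nonce []byte
	WrappedKey        []byte // RSA-OAEP(SHA-256) under the device public key
}

var oaepLabel = []byte("attachment-key") // ties the wrapped key to this use

// ShouldEncrypt is the configurable-policy decision: any matching rule fires.
func ShouldEncrypt(msg Message, rules []Rule) bool {
	for _, r := range rules {
		if v, ok := msg.Attributes[r.Condition]; ok && v == r.Value {
			return true
		}
	}
	return false
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectAttachment is the gateway side: fresh random attachment key, AEAD for
// confidentiality and integrity, key wrapped so only the device can unwrap it.
func ProtectAttachment(attachment []byte, devicePub *rsa.PublicKey) (*Protected, error) {
	buf := make([]byte, 32+12) // 256-bit attachment key + 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Protected{Ciphertext: gcm.Seal(nil, nonce, attachment, nil), Nonce: nonce, WrappedKey: wrapped}, nil
}

// UnprotectAttachment is the device side (claim 31): the authorized flag stands
// in for the credential prompt and access-policy check that must pass first.
func UnprotectAttachment(p *Protected, devicePriv *rsa.PrivateKey, authorized bool) ([]byte, error) {
	if !authorized {
		return nil, errors.New("user not authorized by enterprise access policy")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, p.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap attachment key: %w", err)
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, p.Nonce, p.Ciphertext, nil) // rejects any tampering
	if err != nil {
		return nil, fmt.Errorf("attachment integrity check failed: %w", err)
	}
	return pt, nil
}

func main() {
	devicePriv, _ := rsa.GenerateKey(rand.Reader, 2048) // the device's key pair
	msg := Message{[]byte("Q3 forecast (confidential)"), map[string]string{"enterprise_app_installed": "true"}} // constructed sample
	p, err := ProtectAttachment(msg.Attachment, &devicePriv.PublicKey)
	if err != nil {
		panic(err)
	}
	pt, err := UnprotectAttachment(p, devicePriv, true)
	fmt.Printf("policy=%v recovered=%q err=%v\n", ShouldEncrypt(msg, []Rule{{"enterprise_app_installed", "true"}}), pt, err)
}
```

Two properties of the claims are worth checking when reviewing a real implementation of this design. Claim 18 requires that the wrapped key be decryptable only by the mobile device, which is why the wrap targets a device-held private key rather than a shared enterprise secret; a gateway that wraps under a key it also holds would let the gateway, or anyone who compromises it, read every attachment. Claim 31 orders the steps so that the credential check precedes decryption; an AEAD such as GCM additionally ensures that an attachment altered in transit or at rest is rejected rather than handed to the email client.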
Specification