Securing organizational computing assets over a network using virtual domains

US 9,027,086 B2
Filed: 03/11/2013
Issued: 05/05/2015
Est. Priority Date: 02/01/2013
Status: Active Grant

First Claim

Patent Images

1. A method for providing secure access to network resources, comprising:

at a server system having one or more processors and memory storing one or more programs for execution by the one or more processors;

storing encrypted identifying information for a plurality of client systems authorized to interact with the server system, wherein the encrypted identifying information is changed per client system per session;

creating a plurality of virtual domains, each virtual domain providing a respective logical set of network applications and information, distinct from the other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system;

storing permissions associated with one or more users and the plurality of client systems, wherein the stored permissions associated with the one or more users are based on roles of the one or more users, and the stored permissions indicate one or more virtual domains, of the plurality of virtual domains, that are accessible to the one or more users and/or the plurality of client systems;

receiving a request associated with a first user and a first client system, including encrypted identifying information associated with the first client system, to access a first set of network applications and information;

in response to the request from the first client system to access the first set of network applications and information;

decrypting the encrypted identifying information associated with the first client system;

identifying, based on the decrypted identifying information, the first client system;

in accordance with a determination that the first client system corresponds to a client system in the plurality of client systems authorized to interact with the server system;

locating a first virtual domain of the plurality of virtual domains, wherein the first virtual domain provides the requested first set of network applications and information;

retrieving stored permissions of the first user and/or the first client system based on the decrypted identifying information; and

determining, based on the stored permissions associated with the first user and/or the first client system, whether the first user and/or the first client system is permitted to access the first virtual domain, including;

determining a current geographic location of the first client system; and

if the first client system is outside of a predetermined geographical area, rejecting the request to access the first set of network applications and information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for connecting to a trust broker system is disclosed. The electronic device stores encrypted identifying information for a plurality of client systems authorized to interact with the server system, wherein the encrypted identifying information is changed per client system per session. The electronic device creates a plurality of virtual domains; each virtual domain representing a set of services and information distinct from the other virtual domains. The electronic device stores permissions associated with each respective client system in the plurality of client system. The electronic device receives a request from a first client system, including encrypted identifying information associated with the first client system, for information associated with a first virtual domain and then retrieves stored permissions of the first client system based on the encrypted identifying information. The electronic device determines whether the first client system is permitted to access the requested first virtual domain.

29 Citations

View as Search Results

12 Claims

1. A method for providing secure access to network resources, comprising:
- at a server system having one or more processors and memory storing one or more programs for execution by the one or more processors;
  
  storing encrypted identifying information for a plurality of client systems authorized to interact with the server system, wherein the encrypted identifying information is changed per client system per session;
  
  creating a plurality of virtual domains, each virtual domain providing a respective logical set of network applications and information, distinct from the other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system;
  
  storing permissions associated with one or more users and the plurality of client systems, wherein the stored permissions associated with the one or more users are based on roles of the one or more users, and the stored permissions indicate one or more virtual domains, of the plurality of virtual domains, that are accessible to the one or more users and/or the plurality of client systems;
  
  receiving a request associated with a first user and a first client system, including encrypted identifying information associated with the first client system, to access a first set of network applications and information;
  
  in response to the request from the first client system to access the first set of network applications and information;
  
  decrypting the encrypted identifying information associated with the first client system;
  
  identifying, based on the decrypted identifying information, the first client system;
  
  in accordance with a determination that the first client system corresponds to a client system in the plurality of client systems authorized to interact with the server system;
  
  locating a first virtual domain of the plurality of virtual domains, wherein the first virtual domain provides the requested first set of network applications and information;
  
  retrieving stored permissions of the first user and/or the first client system based on the decrypted identifying information; and
  
  determining, based on the stored permissions associated with the first user and/or the first client system, whether the first user and/or the first client system is permitted to access the first virtual domain, including;
  
  determining a current geographic location of the first client system; and
  
  if the first client system is outside of a predetermined geographical area, rejecting the request to access the first set of network applications and information.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further including:
    - in accordance with a determination that the first client system is not permitted to access the first virtual domain;
      
      rejecting the request to access the first set of network applications and information provided by the first virtual domain; and
      
      notifying the first client system of the rejection.
  - 3. The method of claim 1, further including:
    - in accordance with a determination that the first client system is permitted to access the first virtual domain;
      
      granting access to the requested first set of network applications and information to the first client system.
  - 4. The method of claim 1, wherein communications between the server system and the first client system are encrypted.

5. An electronic device for providing secure access to network resources, wherein the electronic device comprises a server system, comprising:
- one or more processors;
  
  memory storing one or more programs to be executed by the one or more processors;
  
  the one or more programs comprising instructions for;
  
  storing encrypted identifying information for a plurality of client systems authorized to interact with the server system, wherein the encrypted identifying information is changed per client system per session;
  
  creating a plurality of virtual domains each virtual domain providing a respective logical set of network applications and information, distinct from the other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system;
  
  storing permissions associated with one or more users and the plurality of client systems, wherein the stored permissions associated with the one or more users are based on roles of the one or more users, and the stored permissions indicate one or more virtual domains, of the plurality of virtual domains, that are accessible to the one or more users and/or the plurality of client systems;
  
  receiving a request associated with a first user and a first client system, including encrypted identifying information associated with the first client system, to access a first set of network applications and information;
  
  in response to the request from the first client system to access the first set of network applications and information;
  
  decrypting the encrypted identifying information associated with the first client system;
  
  identifying, based on the decrypted identifying information, the first client system;
  
  in accordance with a determination that the first client system corresponds to a client system in the plurality of client systems authorized to interact with the server system;
  
  locating a first virtual domain of the plurality of virtual domains, wherein the first virtual domain provides the requested first set of network applications and information;
  
  retrieving stored permissions of the first user and/or the first client system based on the decrypted identifying information; and
  
  determining, based on the stored permissions associated with the first user and/or the first client system, whether the first user and/or the first client system is permitted to access the first virtual domain, including;
  
  determining a current geographic location of the first client system; and
  
  if the first client system is outside of a predetermined geographical area, rejecting the request to access the first set of network applications and information.
- View Dependent Claims (6, 7, 8)
- - 6. The device of claim 5, further including instructions for:
    - in accordance with a determination that the first client system is not permitted to access the first virtual domain;
      
      rejecting the request to access the first set of network applications and information provided by the first virtual domain; and
      
      notifying the first client system of the rejection.
  - 7. The device of claim 5, further including instructions for:
    - in accordance with a determination that the first client system is permitted to access the first virtual domain;
      
      granting access to the requested first set of network applications and information to the first client system.
  - 8. The device of claim 5, wherein communications between the server system and the first client system are encrypted.

9. A non-transitory computer readable storage medium storing one or more programs configured for execution by an electronic device with a camera, wherein the electronic device comprises a server system, the one or more programs comprising instructions for:
- at a server system having one or more processors and memory storing one or more programs for execution by the one or more processors;
  
  storing encrypted identifying information for a plurality of client systems authorized to interact with the server system, wherein the encrypted identifying information is changed per client system per session;
  
  creating a plurality of virtual domains, each virtual domain providing a respective logical set of network applications and information, distinct from the other virtual domains, wherein a respective logical set of network applications and information corresponds to a subset of network resources provided by the server system;
  
  storing permissions associated with one or more users and the plurality of client systems, wherein the stored permissions associated with the one or more users are based on roles of the one or more users, and the stored permissions indicate one or more virtual domains, of the plurality of virtual domains, that are accessible to the one or more users and/or the plurality of client systems;
  
  receiving a request associated with a first user and a first client system, including encrypted identifying information associated with the first client system, to access a first set of network applications and information;
  
  in response to the request from the first client system to access the first set of network applications and information;
  
  decrypting the encrypted identifying information associated with the first client system;
  
  identifying, based on the decrypted identifying information, the first client system;
  
  in accordance with a determination that the first client system corresponds to a client system in the plurality of client systems authorized to interact with the server system;
  
  locating a first virtual domain of the plurality of virtual domains, wherein the first virtual domain provides the requested first set of network applications and information;
  
  retrieving stored permissions of the first user and/or the first client system based on the decrypted identifying information; and
  
  determining, based on the stored permissions associated with the first user and/or the first client system, whether the first user and/or the first client system is permitted to access the first virtual domain, including;
  
  determining a current geographic location of the first client system; and
  
  if the first client system is outside of a predetermined geographical area, rejecting the request to access the first set of network applications and information.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer readable storage medium of claim 9, further including instructions for:
    - in accordance with a determination that the first client system is not permitted to access the first virtual domain;
      
      rejecting the request to access the first set of network applications and information provided by the first virtual domain; and
      
      notifying the first client system of the rejection.
  - 11. The non-transitory computer readable storage medium of claim 9, further including instructions for:
    - in accordance with a determination that the first client system is permitted to access the first virtual domain;
      
      granting access to the requested first set of network applications and information to the first client system.
  - 12. The non-transitory computer readable storage medium of claim 9, wherein communications between the server system and the first client system are encrypted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Vidder, Inc. (Verizon Communications Inc.)
Inventors
Islam, Junaid, Bilger, Brent, Schroeder, Ted
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US13/794,668
Publication Number

US 20140223515A1
Time in Patent Office

785 Days
Field of Search

713/155, 713/164, 713/171, 713/182, 713/183, 726/4, 726/7, 726/15, 726/21, 709/217, 709/223
US Class Current

726/4
CPC Class Codes

G06F 21/31   User authentication

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 2101/69   using geographic informatio...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/107   wherein the security polici...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/562   Brokering proxy services

Securing organizational computing assets over a network using virtual domains

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Securing organizational computing assets over a network using virtual domains

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links