System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects

US 9,294,500 B2
Filed: 06/27/2014
Issued: 03/22/2016
Est. Priority Date: 10/21/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

a) at a server running a security component, creating a plurality of security policies, wherein each of the plurality of security policies is associated with at least one of a plurality of categories of data objects;

b) storing the plurality of security policies in data storage accessible to the server running the security component;

c) at the server running the security component, establishing communication with a mobile communications device to obtain information about the mobile communications device, the information including information relating to data objects on the mobile communications device;

d) at the server running the security component, based on the information relating to data objects on the mobile communications device, determining at least a first category of data objects on the mobile communications device;

e) at the server running the security component, based upon the determined at least a first category of data objects, identifying from the plurality of security policies, security policy that is apt for the mobile communications device; and

,f) at the server running the security component, providing the identified security policy to the mobile communications device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server creates categorization-based application policies and selects a specific policy to send to a mobile communications device. In one embodiment, the mobile communication device applies the categorization-based application policy received from the server to information about a data object (e.g., application) that the device wants to access (or has accessed). Based on the application of the categorization-based policy, the device may be permitted to access the data object or the device may not be permitted to access the data object.

313 Citations

33 Claims

1. A method comprising:
- a) at a server running a security component, creating a plurality of security policies, wherein each of the plurality of security policies is associated with at least one of a plurality of categories of data objects;
  
  b) storing the plurality of security policies in data storage accessible to the server running the security component;
  
  c) at the server running the security component, establishing communication with a mobile communications device to obtain information about the mobile communications device, the information including information relating to data objects on the mobile communications device;
  
  d) at the server running the security component, based on the information relating to data objects on the mobile communications device, determining at least a first category of data objects on the mobile communications device;
  
  e) at the server running the security component, based upon the determined at least a first category of data objects, identifying from the plurality of security policies, security policy that is apt for the mobile communications device; and
  
  ,f) at the server running the security component, providing the identified security policy to the mobile communications device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein creating a plurality of security policies comprises processing:
    - categorization data about data objects available for access by mobile communications devices;
      
      mobile communications device data about mobile communications devices; and
      
      data about mobile communications device operating systems to create the plurality of security policies.
  - 3. The method of claim 2, wherein the mobile communications device data comprises data about types of mobile communications devices.
  - 4. The method of claim 1, wherein establishing communication with a mobile communications device comprises establishing communication with a security component running on the mobile communications device.
  - 5. The method of claim 1, wherein the obtained information about the mobile communications device comprises the mobile communications device type and operating system.

6. A method comprising:
- a) at a mobile communications device running a security component, receiving user input about categories of data objects that the mobile communications device is permitted to access and about categories of data objects the mobile communications device is not permitted to access;
  
  b) at the mobile communications device, processing the user input by the security component to create a security policy, wherein the security policy is associated with at least one of a plurality of categories of data objects;
  
  c) at the mobile communications device security component, receiving a request to access a data object and information about the data object;
  
  d) at the mobile communications device security component, based on the information about the data object, determining a category for the data object;
  
  e) at the mobile communications device security component, determining that the security policy is applicable to the data object based on the determined category for the data object;
  
  f) at the mobile communications device security component, applying the security policy to the information about the data object to determine whether the security policy permits access to the data object, and;
  
  g) in response to the mobile communications device security component determining that access to the data object is permitted, permitting the mobile communications device to access the data object, orh) in response to the mobile communications device security component determining that access to the data object is not permitted, not permitting the mobile communications device to access the data object.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein, when the mobile communications device is not permitted to access the data object, the data object is deleted from the mobile communications device when the data object is present.
  - 8. The method of claim 6, wherein, when the mobile communications device is not permitted to access the data object, the data object is quarantined so that the data object is not accessible to the mobile communications device when the data object is present.
  - 9. The method of claim 6, further comprising obtaining data about an operating system used by the mobile communications device, and wherein the processing comprises processing the user input and the data about the operating system to create a security policy.
  - 10. The method of claim 6, wherein in response to the mobile communications device security component permitting access to the data object, the method further comprises, at the mobile communications device, receiving the data object.

11. A method comprising:
- a) at a server running a application security component, receiving administrator input about categories of data objects that mobile communications devices are permitted to access and about categories of data objects that mobile communications devices are not permitted to access;
  
  b) at the server running the security component, processing the administrator input to create a plurality of security policies, wherein each of the plurality of security policies is associated with at least one of a plurality of categories of data objects;
  
  c) storing the plurality of security policies in data storage accessible to the server running the security component;
  
  d) at the server running the security component, establishing communication with a mobile communications device to obtain information about the mobile communications device, the information including information relating to at least one data object on the mobile communications device;
  
  e) at the server running the security component, based on the information relating to the at least one data object on the mobile communications device, determining at least a first category of data objects on the mobile communications device;
  
  f) at the server running the security component, based upon the determined at least a first category of data objects, identifying from the plurality of security policies, a security policy that is apt for the mobile communications device; and
  
  g) at the server running the security component, providing the identified security policy to the mobile communications device.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein establishing communication with a mobile communications device comprises establishing communication with a security component running on the mobile communications device.
  - 13. The method of claim 11, further comprising obtaining data about mobile communications devices, and wherein the processing comprises processing the administrator input and the data about the mobile communications devices to create the plurality of security policies.
  - 14. The method of claim 13, wherein the data about mobile communications devices comprises data about mobile communications device types and operating systems.

15. A method comprising:
- a) at a mobile communications device running a security component, receiving a request to access a data object and information about the data object;
  
  b) at the mobile communications device, in response to the request, sending the information about the data object and information about the mobile communications device to a server; and
  
  ;
  
  c) at the mobile communications device, receiving notification from the server that the mobile communications device is permitted to access the data object in response to the server determining that the mobile communications device is permitted to access the data object, the determination based on;
  
  a. an identified security policy, wherein the identified policy is identified from a plurality of security policies, wherein the plurality of security policies is created from processing administrator input about categories of data objects that mobile communications devices are permitted to access and about categories of data objects that mobile communications devices are not permitted to access, and wherein each of the plurality of security policies is associated with at least one of a plurality of categories of data objects, andb. the information about the data object, wherein, based on the information about the data object, the server determines a category of the data object, and wherein the identified security policy is identified from the plurality based on the determined category of the data object;
  
  or,d) at the mobile communications device, receiving notification from the server that the mobile communications device is not permitted to access the data object in response to the server determining that the mobile communications device is not permitted to access the data object, the determination based on;
  
  a. an identified security policy, wherein the identified policy is identified from a plurality of security policies, wherein the plurality of security policies is created from processing administrator input about categories of data objects that mobile communications devices are permitted to access and about categories of data objects that mobile communications devices are not permitted to access, and wherein each of the plurality of security policies is associated with at least one of a plurality of categories of data objects, andb. the information about the data object, wherein, based on the information about the data object, the server determines a category of the data object, and wherein the identified security policy is identified from the plurality based on the determined category of the data object.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15 wherein, when the mobile communications device is not permitted to access the data object, the data object is deleted from the mobile communications device when the data object is present.
  - 17. The method of claim 15, wherein, when the mobile communications device is not permitted to access the data object, the data object is quarantined so that the data object is not accessible to the mobile communications device when the data object is present.
  - 18. The method of claim 15, wherein the information about the mobile communications device comprises data about an operating system used by the mobile communications device.
  - 19. The method of claim 15, wherein in response to receiving notification from the server that the mobile communications device is permitted to access the data object, the method further comprises, at the mobile communications device, receiving the data object.

20. A method comprising:
- a) at a server running a security component, processing;
  
  categorization data about data objects available for access by mobile communications devices;
  
  mobile communications device data about types of mobile communications devices; and
  
  data about mobile communications device operating systems, to create a plurality of security policies, wherein each of the plurality of security policies is associated with at least one of a plurality of categories of data objects;
  
  b) storing the plurality of security policies in data storage accessible to the server running the security component;
  
  c) establishing communication between the server running the security component and a mobile communications device;
  
  d) at the server running the security component, obtaining information about the mobile communications device including the mobile communications device type and operating system;
  
  e) at the server running the security component, obtaining information from the mobile communications device about a data object;
  
  f) at the server running the security component, based on the information about the data object, determining a category of the data object;
  
  g) at the server running the security component, based upon the determined category of the data object and upon the obtained mobile communications device type and operating system, identifying from the plurality, a security policy that is apt for the mobile communications device;
  
  h) at the server running the security component, applying the identified security policy to the obtained information about the data object; and
  
  ;
  
  i) in response to the server running the security component determining that, based on the identified security policy, the mobile communications device is permitted to access the data object, the server running the security component notifies the mobile communications device that it is permitted to access the data object, or,j) in response to the server running the security component determining that, based on the identified security policy, the mobile communications device is not permitted to access the data object, the server running the security component notifies the mobile communications device that it is not permitted to access the data object.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, wherein establishing communication with a mobile communications device comprises establishing communication with a security component running on the mobile communications device.
  - 22. The method of claim 20, wherein, when the server running the security component determines that the mobile communications device is not permitted to access the data object, the server running the security component notifies the mobile communications device to delete the data object when the data object is present.
  - 23. The method of claim 20, wherein, when the server running the security component determines that the mobile communications device is not permitted to access the data object, the server running the security component notifies the mobile communications device to quarantine the data object so that the data object is not accessible to the mobile communications device when the data object is present.

24. A system, comprising at least one processor and memory and instructions that when executed cause the at least one processor to:
- a) create a plurality of security policies, wherein each of the plurality of security policies is associated with at least one of a plurality of categories of data objects;
  
  b) store the plurality of security policies in data storage;
  
  c) establish communication with a mobile communications device to obtain information about the mobile communications device, the information including information relating to at least one data object on the mobile communications device;
  
  d) based on the information relating to at least one data object on the mobile communications device, determine at least a first category of data objects on the mobile communications device;
  
  e) based upon the determined at least a first category of data objects, identify from the plurality of security policies, a security policy that is apt for the mobile communications device; and
  
  ,f) provide the identified security policy to the mobile communications device.
- View Dependent Claims (25)
- - 25. The system of claim 24, wherein create a plurality of security policies comprises processing:
    - categorization data about data objects available for access by mobile communications devices;
      
      mobile communications device data about mobile communications devices; and
      
      data about mobile communications device operating systems, to create the plurality of security policies.

26. A method comprising:
- a) at a server running a security component, receiving administrator input about security policies for mobile communications devices;
  
  b) at the server running a security component, storing a plurality of security policies in data storage accessible to the server running a security component, the plurality of security policies stored based on the administrator input, wherein each of the plurality of security policies is associated with at least one of a plurality of categories of data objects;
  
  c) at the server running a security component, receiving from a mobile communications device a request for access to a data object, the request comprising information about the data object and about the mobile communications device;
  
  d) at the server running a security component, based on the information about the data object and about the mobile communications device, determining at least a first category for the of data object;
  
  e) at the server running a security component, based on the determined at least a first category for the data object, identifying from the plurality a security policy that is apt for the mobile communications device;
  
  g) at the server running a security component, applying the identified security policy to the data object based on the information received about the data object; and
  
  ;
  
  h) in response to the server running the security component determining that the mobile communications device is permitted to access the data object, the server running the security component notifies the mobile communications device that it is permitted to access the data object, ori) in response to the server running the security component determining that the mobile communications device is not permitted to access the data object, the server running the security component notifies the mobile communications device that it is not permitted to access the data object.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method of claim 26, wherein, when the server running the security component determines that the mobile communications device is not permitted to access the data object, the server running the security component notifies the mobile communications device to delete the data object when the data object is present.
  - 28. The method of claim 26, wherein, when the server running the security component determines that the mobile communications device is not permitted to access the data object, the server running the security component notifies the mobile communications device to quarantine the data object so that the data object is not accessible to the mobile communications device when the data object is present.
  - 29. The method of claim 26, wherein the received information used in identifying the security policy that is apt for the mobile communications device comprises:
    - the information received about the data object, the information received about the mobile communications device, or both the information received about the data object and the information received about the mobile communications device.
  - 30. The method of claim 26, wherein the information received about the mobile communications device comprises information about the mobile communications device type, and about the operating system on the mobile communications device.

31. A method comprising:
- a) at a mobile communications device running a security component, receiving a request to access a data object and information about the data object;
  
  b) at the mobile communications device, in response to the request, sending the information about the data object and information about the mobile communications device to a server; and
  
  ;
  
  c) at the mobile communications device, receiving notification from the server that the mobile communications device is permitted to access the data object in response to the server determining that the mobile communications device is permitted to access the data object, the determination based on;
  
  a. administrator input about security policies for mobile communications devices, the input used by the server to create at least one security policy, wherein each at least one security policy is associated with at least one corresponding category of data objects,b. the information about the data object, the data object information used by the server to determine a category of the data object,c. the information about the mobile communications device,d. a security policy identified from the at least one security policy based on the determined category of the data object, ande. applying the identified security policy to the information about the data object;
  
  ord) at the mobile communications device, receiving notification from the server that the mobile communications device is not permitted to access the data object in response to the server determining that the mobile communications device is not permitted to access the data object, the determination based on;
  
  a. administrator input about security policies for mobile communications devices, the input used by the server to create at least one security policy, wherein each at least one security policy is associated with at least one corresponding category of data objects,b. the information about the data object, the data object information used by the server to determine a category of the data object,c. the information about the mobile communications device,d. a security policy identified from the at least one security policy based on the determined category of the data object, ande. applying the identified security policy to the information about the data object.
- View Dependent Claims (32, 33)
- - 32. The method of claim 31, wherein, when the mobile communications device is not permitted to access the data object, the data object is deleted from the mobile communications device when the data object is present.
  - 33. The method of claim 31, wherein, when the mobile communications device is not permitted to access the data object, the data object is quarantined so that the data object is not accessible to the mobile communication device when the data object is present.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US14/318,450
Publication Number

US 20140310770A1
Time in Patent Office

634 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/57   Certifying or maintaining t...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

313 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

313 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others