Gateway for controlling mobile device access to enterprise resources

US 9,378,359 B2
Filed: 10/10/2012
Issued: 06/28/2016
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an enterprise resource comprising computer hardware configured to electronically communicate with a computing device over a communication network; and

a gateway comprising computer hardware, the gateway configured to;

receive a request from a mobile device to access the enterprise resource, the request formatted according to a protocol and including a property of the mobile device, the request comprising a header and a payload;

store a gateway rule comprising an indication to encrypt data transmitted to the mobile device via the gateway when the property of the request from the mobile device corresponds to a property value in the gateway rule;

parse the payload of the request from the mobile device to determine a character-encoding scheme of the payload of the request;

based on the character-encoding scheme of the payload of the request, determine whether the property of the request from the mobile device corresponds to the property value in the gateway rule; and

responsive to determining that the property of the request from the mobile device corresponds to the property value in the gateway rule, cause the data transmitted to the mobile device via the gateway to be encrypted.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user'"'"'s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

Citations

29 Claims

1. A system comprising:
- an enterprise resource comprising computer hardware configured to electronically communicate with a computing device over a communication network; and
  
  a gateway comprising computer hardware, the gateway configured to;
  
  receive a request from a mobile device to access the enterprise resource, the request formatted according to a protocol and including a property of the mobile device, the request comprising a header and a payload;
  
  store a gateway rule comprising an indication to encrypt data transmitted to the mobile device via the gateway when the property of the request from the mobile device corresponds to a property value in the gateway rule;
  
  parse the payload of the request from the mobile device to determine a character-encoding scheme of the payload of the request;
  
  based on the character-encoding scheme of the payload of the request, determine whether the property of the request from the mobile device corresponds to the property value in the gateway rule; and
  
  responsive to determining that the property of the request from the mobile device corresponds to the property value in the gateway rule, cause the data transmitted to the mobile device via the gateway to be encrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the gateway is configured to:
    - based on the property of the request from the mobile device, either allow access to the enterprise resource or deny access to the enterprise resource.
  - 3. The system of claim 1, wherein the gateway is configured to:
    - store a second gateway rule comprising an indication to deny the request from the mobile device to access the enterprise resource when the mobile device has a particular application stored thereon.
  - 4. The system of claim 1, wherein the gateway is configured to:
    - based on the property of the request from the mobile device, block the mobile device from receiving an email attachment.
  - 5. The system of claim 1, wherein the gateway is configured to:
    - store a second gateway rule comprising an indication to take first action based on a user of the mobile device having a first role in the enterprise, and a second action based on the user of the mobile device having a second role in the enterprise different from the first role.
  - 6. The system of claim 1, wherein one or more computing devices configured to implement the gateway comprise at least one of a firewall server and a computing device configured to control a firewall server.
  - 7. The system of claim 1, wherein the gateway is configured to:
    - store at least one statically defined gateway rule; and
      
      store at least one gateway rule received from one or more gateway rule providers.
  - 8. The system of claim 1, wherein the property of the request from the mobile device is associated with an identity of a user of the mobile device.

9. Non-transitory computer-readable media storing executable instructions that, when executed by one or more processors, cause a system to:
- receive, from a mobile device, a request to access an enterprise resource, the request formatted according to a protocol and including a property of the mobile device, the request comprising a header and a payload;
  
  parse the payload of the request to determine a character-encoding scheme of the payload of the request;
  
  based on the character-encoding scheme of the payload of the request, determine whether the property of the request from the mobile device corresponds to a property value in a gateway rule stored on the system; and
  
  responsive to determining that the property of the request corresponds to the property value in the gateway rule, cause data transmitted to the mobile device via the gateway to be encrypted.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer-readable media of claim 9, wherein the executable instructions, when executed by the one or more processors, cause the system to:
    - determine a relative priority among a plurality of gateway rules each having a property value corresponding to the property of the request, wherein an action taken responsive to determining the relative priority corresponds to the gateway rule of the plurality of gateway rules that has a highest relative priority.
  - 11. The non-transitory computer-readable media of claim 9, wherein the executable instructions, when executed by the one or more processors, cause the system to:
    - periodically send requests for new gateway rules to one or more gateway rule providers; and
      
      receive the new gateway rules from the one or more gateway rule providers, in response to the requests for the new gateway rules.
  - 12. The non-transitory computer-readable media of claim 9, wherein the executable instructions, when executed by the one or more processors, cause the system to:
    - receive the gateway rule from a meta-application; and
      
      store the gateway rule on the system.

13. A method comprising:
- monitoring, by a computing device, communications between a mobile device and an enterprise resource of an enterprise-computing system;
  
  detecting, by the computing device, that a selected one of the communications between the mobile device and the enterprise resource is formatted according to a protocol;
  
  parsing, by the computing device, a payload of the selected one of the communications to determine a character-encoding scheme of the payload;
  
  based on the character-encoding scheme of the payload, determining, by the computing device, whether a condition of the selected one of the communications corresponds to a condition identified in one or more predefined rules; and
  
  responsive to determining that the condition of the selected one of the communications corresponds to the condition identified in the one or more predefined rules, encrypting, by the computing device, data in the selected one of the communications between to the mobile device and the enterprise resource, the data being transmitted via the computing device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 14. The method of claim 13, comprising:
    - determining, by the computing device, based on a first protocol-specific condition of the selected one of the communications, a particular role of a user associated with the mobile device in the enterprise;
      
      determining, by the computing device, based on a second protocol-specific condition of the selected one of the communications, one or more properties of the mobile device; and
      
      determining, by the computing device, whether to allow or deny access to the enterprise resource by the mobile device based on the particular role of the user and the one or more properties of the mobile device.
  - 15. The method of claim 14, comprising:
    - determining, by the computing device, based on the second protocol-specific condition, whether a particular application is installed on the mobile device; and
      
      determining, by the computing device, whether to allow or deny the access to the enterprise resource by the mobile device based on whether the particular application is installed on the mobile device.
  - 16. The method of claim 14, comprising:
    - determining, by the computing device, based on the second protocol-specific condition, a geographical location of the mobile device; and
      
      determining, by the computing device, whether to allow or deny the access to the enterprise resource by the mobile device based on the geographic location of the mobile device.
  - 17. The method of claim 14, comprising:
    - determining, by the computing device, based on the second protocol-specific condition, a time of the selected one of the communications; and
      
      determining, by the computing device, whether to allow or deny the access to the enterprise resource by the mobile device based on the time of the selected one of the communications.
  - 18. The method of claim 13, wherein the protocol is an email protocol.
  - 19. The method of claim 13, wherein encrypting the data comprises encrypting an email attachment.
  - 20. The method of claim 13, comprising:
    - inspecting, by the computing device, the payload of the selected one of the communications to determine an expected use of the data by an application running on the mobile device,wherein an action identified in the one or more predefined rules is selected based on determining the expected use of the data by the application.
  - 21. The method of claim 13,wherein a first property of the mobile device corresponds to a property of a first group defined in a first rule of the one or more predefined rules, wherein a first action identified in the first rule includes allowing the mobile device access to the enterprise resource,wherein a second property of the mobile device corresponds to a property of a second group defined in a second rule of the one or more predefined rules, wherein a second action identified in the second rule includes denying the mobile device access to the enterprise resource,wherein the method comprises:
    - determining, by the computing device, that a conflict exists between the first rule and the second rule, the conflict existing due to the mobile device having the property of the first group and the mobile device having the property of the second group;
      
      resolving, by the computing device, the conflict based on prioritizing the first rule and the second rule based on an order of the one or more predefined rules; and
      
      based on the resolving the conflict, allowing or denying, by the computing device, the mobile device access to the enterprise resource.
  - 22. The method of claim 13, comprising:
    - identifying, by the computing device, an email attachment in the payload of the selected one of the communications based on the character-encoding scheme of the payload;
      
      separating, by the computing device, the email attachment in the payload from an associated email in the payload; and
      
      encrypting, by the computing device, the email attachment in the payload.
  - 23. The method of claim 22, comprising:
    - appending, by the computing device, a particular suffix to the encrypted email attachment to signify that the encrypted email attachment is encrypted.
  - 24. The method of claim 22, comprising:
    - adjusting, by the computing device, a header attribute of a header of the selected one of the communications to identify that the email attachment is encrypted.
  - 25. The method of claim 13, wherein the character-encoding scheme of the payload of the request is Wireless Application Protocol (WAP) Binary Extensible Markup Language (XML) (WBXML).

26. A system comprising:
- one or more processors; and
  
  non-transitory memory storing executable instructions that, when executed by the one or more processors, cause the system to;
  
  receive, from a mobile device, a request to access an enterprise resource, the request formatted according to a protocol and including a property of the mobile device, the request comprising a header and a payload;
  
  parse the payload of the request to determine a character-encoding scheme of the payload of the request;
  
  based on the character-encoding scheme of the payload of the request, determine whether the property of the request from the mobile device corresponds to a property value in a rule stored on the system; and
  
  responsive to determining that the property of the request corresponds to the property value in the rule, cause data transmitted to the mobile device via the system to be encrypted.
- View Dependent Claims (27)
- - 27. The system of claim 26, wherein the non-transitory memory stores further executable instructions that, when executed by the one or more processors, cause the system to:
    - register with an Internet Server Application Programming Interface (ISAPI) to receive notifications; and
      
      maintain a context stage to track a processing stage of the request to access the enterprise resource.

28. A gateway comprising:
- one or more processors; and
  
  non-transitory memory storing executable instructions that, when executed by the one or more processors, cause the gateway to;
  
  receive, from a mobile device, a request to access an enterprise resource, the request formatted according to a protocol and including a property of the mobile device, the request comprising a header and a payload;
  
  parse the payload of the request to determine a character-encoding scheme of the payload of the request;
  
  based on the character-encoding scheme of the payload of the request, determine whether the property of the request from the mobile device corresponds to a property value in a gateway rule stored on the gateway; and
  
  responsive to determining that the property of the request corresponds to the property value in the gateway rule, cause data transmitted to the mobile device via the gateway to be encrypted.
- View Dependent Claims (29)
- - 29. The gateway of claim 28, wherein the non-transitory memory stores further executable instructions that, when executed by the one or more processors, cause the gateway to:
    - determine one or more properties of an email attachment in the payload of the request;
      
      determine whether one or more predefined keywords are included in the email attachment in the payload of the request; and
      
      responsive to determining that the one or more predefined keywords are included in the email attachment in the payload of the request, encrypt the email attachment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Qureshi, Waheed, McGinty, John M.
Primary Examiner(s)
Kim, Tae

Application Number

US13/649,076
Publication Number

US 20140007214A1
Time in Patent Office

1,357 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 8/53   Decompilation; Disassembly

H04L 2209/80   Wireless

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/30   Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/64 : using geofenced areas

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

View All

Gateway for controlling mobile device access to enterprise resources

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Gateway for controlling mobile device access to enterprise resources

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links