Enforcing restrictions on third-party accounts

US 9,602,540 B1
Filed: 06/13/2013
Issued: 03/21/2017
Est. Priority Date: 06/13/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device with memory, wherein when executed the program causes the at least one computing device with memory to at least:

manage a plurality of third-party network site accounts for a plurality of users in an organization;

determine that one of the plurality of users has requested access to a third-party network site, the third-party network site being operated by a third party that does not correspond to the organization;

determine whether one of the plurality of third-party network site accounts is available for use by the one of the plurality of users for accessing the third-party network site;

configure a client associated with one of the plurality of users to access the third-party network site using a security credential corresponding to the one of the plurality of third-party network site accounts in response to determining that the one of the plurality of third-party network site accounts is available for use by the one of the plurality of users for accessing the third-party network site, wherein the security credential is inaccessible to the one of the plurality of users;

inspect network traffic between the client and the third-party network site to determine whether the network traffic complies with a first rule restricting personal use of the one of the plurality of third-party network site accounts that is managed by the organization and a second rule blocking use of a third-party network site account that is unmanaged by the organization; and

implement an action in response to determining that the network traffic does not comply with the first rule and the second rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for management of third-party accounts for users in an organization. Network traffic between a client and a third-party network site under management is inspected. The client is associated with a user in an organization. It is determined whether the network traffic corresponds to a managed account with the third-party network site. It is determined whether the network traffic complies with a rule established by the organization. An action is implemented in response to determining that the network traffic does not comply with the rule.

53 Citations

View as Search Results

20 Claims

1. A non-transitory computer-readable medium embodying a program executable in at least one computing device with memory, wherein when executed the program causes the at least one computing device with memory to at least:
- manage a plurality of third-party network site accounts for a plurality of users in an organization;
  
  determine that one of the plurality of users has requested access to a third-party network site, the third-party network site being operated by a third party that does not correspond to the organization;
  
  determine whether one of the plurality of third-party network site accounts is available for use by the one of the plurality of users for accessing the third-party network site;
  
  configure a client associated with one of the plurality of users to access the third-party network site using a security credential corresponding to the one of the plurality of third-party network site accounts in response to determining that the one of the plurality of third-party network site accounts is available for use by the one of the plurality of users for accessing the third-party network site, wherein the security credential is inaccessible to the one of the plurality of users;
  
  inspect network traffic between the client and the third-party network site to determine whether the network traffic complies with a first rule restricting personal use of the one of the plurality of third-party network site accounts that is managed by the organization and a second rule blocking use of a third-party network site account that is unmanaged by the organization; and
  
  implement an action in response to determining that the network traffic does not comply with the first rule and the second rule.
- View Dependent Claims (2)
- - 2. The non-transitory computer-readable medium of claim 1, wherein when executed the program further causes the at least one computing device to at least establish the first rule based at least in part on whether the one of the plurality of users has indicated that the one of the plurality of third-party network site accounts is for organizational purposes.

3. A system, comprising:
- at least one computing device with memory; and
  
  at least one application executable in the at least one computing device, wherein when executed the at least one application causes the at least one computing device to at least;
  
  inspect network traffic between a client computing device and a third-party network site, wherein the network traffic is under management and monitored by an organization, the client computing device being associated with a user in the organization, the third-party network site being operated by a third party that does not correspond to the organization;
  
  determine whether the network traffic corresponds to account-based usage of the third-party network site;
  
  determine whether the account-based usage represented in the network traffic complies with a first rule established by the organization that restricts personal use of a first account managed by the organization and a second rule established by the organization that blocks the account-based usage corresponding to a second account that is not managed by the organization; and
  
  implement an action in response to determining that the account-based usage does not comply with the first rule or the second rule.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 4. The system of claim 3, wherein inspection of the network traffic is implemented in a proxy server application configured to route the network traffic between the client computing device and the third-party network site.
  - 5. The system of claim 3, wherein the account-based usage represented in the network traffic corresponds to usage of one of a plurality of managed accounts of the user with a plurality of different third-party network sites, and the first rule is specific to the one of the plurality of managed accounts.
  - 6. The system of claim 3, wherein the first rule established by the organization specifies that organizational data should not be provided via the first account represented in the network traffic.
  - 7. The system of claim 3, wherein the first rule established by the organization specifies that the first account should be used only for organizational purposes.
  - 8. The system of claim 3, wherein the first rule established by the organization specifies predefined canary data that should not be provided or accessed via the first account.
  - 9. The system of claim 3, wherein the first rule established by the organization specifies at least one keyword for matching against the network traffic.
  - 10. The system of claim 3, wherein the first rule established by the organization specifies at least one document type for matching against the network traffic.
  - 11. The system of claim 3, wherein the first rule established by the organization specifies at least one geographical location for matching against a geotag detected within the network traffic, or the first rule established by the organization relates to behavior-based identity verification of the user.
  - 12. The system of claim 3, wherein when executed the at least one application further causes the at least one computing device to at least:
    - in response to receiving a user specification of whether the first account is for organizational purposes, establish the first rule based at least in part on the user specification of whether the first account is for organizational purposes.
  - 13. The system of claim 12, wherein the user specification of whether the first account is for organizational purposes is received as part of an account creation workflow.
  - 14. The system of claim 3, wherein the action comprises disabling the first account with the third-party network site or disabling an account of the user with the organization.
  - 15. The system of claim 5, wherein a security credential for the one of the plurality of managed accounts is inaccessible to the user.

16. A method, comprising:
- inspecting, via at least one of one or more computing devices with memory, network traffic between a client computing device and a third-party network site, wherein the network traffic is under management and monitored by an organization, the client computing device being associated with a user in the organization, the third-party network site being operated by a third party that does not correspond to the organization;
  
  determining, via at least one of the one or more computing devices, whether the network traffic corresponds to account-based usage of the third-party network site;
  
  determining, via at least one of the one or more computing devices, whether the account-based usage represented in the network traffic complies with a first rule established by the organization that restricts personal use of a first account managed by the organization and a second rule established by the organization that blocks the account-based usage corresponding to a second account that is not managed by the organization; and
  
  implementing, via at least one of the one or more computing devices, an action in response to determining that the account-based usage does not comply with the first rule or the second rule.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the first rule established by the organization specifies that organizational data should not be provided via the first account represented in the network traffic.
  - 18. The method of claim 16, wherein the first rule established by the organization specifies that the first account should be used only for organizational purposes.
  - 19. The method of claim 16, wherein the first rule established by the organization specifies predefined canary data that should not be provided or accessed via the first account.
  - 20. The method of claim 16, wherein the first rule established by the organization specifies at least one geographical location for matching against a geotag detected within the network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Johansson, Jesper Mikael, Canavor, Darren Ernest, McClintock, Jon Arron
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US13/917,143
Time in Patent Office

1,377 Days
Field of Search

726/2, 726/3, 726/812, 713/152, 709/225, 709/229
US Class Current

1/1
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Enforcing restrictions on third-party accounts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing restrictions on third-party accounts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links