Constant access gateway and de-duplicated data cache server

US 9,621,405 B2
Filed: 08/24/2011
Issued: 04/11/2017
Est. Priority Date: 08/24/2010
Status: Active Grant

First Claim

Patent Images

1. A method for initiating secure communication between a data store and a client device via a gateway, the method comprising:

receiving, from the data store, a request to establish a control channel between the data store and the gateway;

receiving, at the gateway, from the client device, a first connection initiation request to establish a first connection between the client device and the gateway, the first connection initiation request including a connection request to the data store;

forwarding the connection request included in the first connection initiation request, from the gateway to the data store, via the control channel in response to receiving the first connection initiation request from the client device;

receiving, at the gateway, from the data store, a second connection initiation request to establish a second connection between the gateway and the data store;

receiving authentication information corresponding to the client device from the gateway at the data store via the control channel;

authenticating the client device on the basis of the received authentication information, and thereafter selectively establishing the second connection in dependence on the authentication;

joining, at the gateway, the first connection between the client device and the gateway and the second connection between the gateway and the data store;

determining, at the gateway, data flow mode for the client device based on a security policy associated with the client device, the data flow modes comprising an inflow only mode, an outflow only mode, and an inflow and outflow mode, wherein the inflow only mode permits inbound flow of data to the data store but does not permit outbound flow of data from the data store, wherein the outflow only mode permits outbound flow of data from the data store but does not permit inbound flow of data to the data store, and wherein the inflow and outflow mode permits inbound flow of data to the data store and outbound flow of data from the data store;

in response to receiving inbound data from the client device via the first connection at the gateway;

when the data flow mode is determined to be one of the inflow only mode or the inflow and outflow mode, transmitting, from the gateway, the received inbound data to the data store via the second connection; and

when the data flow mode is determined to be the outflow only mode, refusing to transmit, from the gateway, the received inbound data to the data store via the second connection;

in response to receiving outbound data from the data store via the second connection at the gateway;

when the data flow mode is determined to be one of the outflow only mode or the inflow and outflow mode, transmitting, from the gateway, the received outbound data to the client device via the first connection; and

when the data flow mode is determined to be the inflow only mode, refusing to transmit, from the gateway, the received outbound data to the client device via the first connection.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An Constant Access Gateway provides secure access for remote mobile computing users to centrally stored data without requiring a VPN connection or a direct connection to the LAN in which the data resides. A Cache Server works alone or in conjunction with the Constant Access Gateway to provide distributed access to the centrally stored data. The Cache Server performs local storage of de-duplicated versions of the centrally stored data, and may interact with the Constant Access Gateway to maintain cache coherency with the central data store.

Citations

41 Claims

1. A method for initiating secure communication between a data store and a client device via a gateway, the method comprising:
- receiving, from the data store, a request to establish a control channel between the data store and the gateway;
  
  receiving, at the gateway, from the client device, a first connection initiation request to establish a first connection between the client device and the gateway, the first connection initiation request including a connection request to the data store;
  
  forwarding the connection request included in the first connection initiation request, from the gateway to the data store, via the control channel in response to receiving the first connection initiation request from the client device;
  
  receiving, at the gateway, from the data store, a second connection initiation request to establish a second connection between the gateway and the data store;
  
  receiving authentication information corresponding to the client device from the gateway at the data store via the control channel;
  
  authenticating the client device on the basis of the received authentication information, and thereafter selectively establishing the second connection in dependence on the authentication;
  
  joining, at the gateway, the first connection between the client device and the gateway and the second connection between the gateway and the data store;
  
  determining, at the gateway, data flow mode for the client device based on a security policy associated with the client device, the data flow modes comprising an inflow only mode, an outflow only mode, and an inflow and outflow mode, wherein the inflow only mode permits inbound flow of data to the data store but does not permit outbound flow of data from the data store, wherein the outflow only mode permits outbound flow of data from the data store but does not permit inbound flow of data to the data store, and wherein the inflow and outflow mode permits inbound flow of data to the data store and outbound flow of data from the data store;
  
  in response to receiving inbound data from the client device via the first connection at the gateway;
  
  when the data flow mode is determined to be one of the inflow only mode or the inflow and outflow mode, transmitting, from the gateway, the received inbound data to the data store via the second connection; and
  
  when the data flow mode is determined to be the outflow only mode, refusing to transmit, from the gateway, the received inbound data to the data store via the second connection;
  
  in response to receiving outbound data from the data store via the second connection at the gateway;
  
  when the data flow mode is determined to be one of the outflow only mode or the inflow and outflow mode, transmitting, from the gateway, the received outbound data to the client device via the first connection; and
  
  when the data flow mode is determined to be the inflow only mode, refusing to transmit, from the gateway, the received outbound data to the client device via the first connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - receiving authentication information at the gateway from the data store;
      
      authenticating the data store on the basis of the received authentication information; and
      
      thereafterselectively establishing the control channel in dependence on the authentication.
  - 3. The method of claim 1, wherein the connection request from the gateway to the data store includes a unique identifier assigned to the first connection.
  - 4. The method of claim 1, further comprising:
    - determining at the data store which resources and associated actions are available to the client device; and
      
      publishing the available resources and associated actions to the client device.
  - 5. The method of claim 1, further comprising:
    - using a unique identifier assigned to the first connection to create the second connection.
  - 6. The method of claim 1, wherein the inbound data and the outbound data are encrypted.
  - 7. The method of claim 1, further comprising:
    - receiving authentication information at the gateway from the client device;
      
      authenticating the client device on the basis of the received authentication information; and
      
      selectively establishing the first connection in dependence on the authentication.
  - 8. The method of claim 7, wherein the received authentication information comprises a secure token.
  - 9. The method of claim 1, wherein the security policy is based on at least one property of the client device.
  - 10. The method of claim 9, wherein the at least one property comprises one of a device profile of the client device, a user profile associated with the client device, or a location of the client device.
  - 11. The method of claim 1, wherein the security policy is based on a property associated with the outbound data.
  - 12. The method of claim 1, wherein the security policy is based on a property associated with the inbound data.
  - 13. The method of claim 1, wherein the security policy is based on metadata associated with the outbound data.
  - 14. The method of claim 1, wherein the security policy is based on metadata associated with the inbound data.

15. A system for providing secure communication between a data store and a client device via a gateway, the system comprising:
- the data store configured to;
  
  store data in a computer-readable form;
  
  initiate a control channel with the gateway; and
  
  initiate a second connection with the gateway in response to receiving a connection request from the gateway at the data store;
  
  the gateway configured to;
  
  receive, at the gateway, from the client device, a first connection initiation request to establish a first connection between the client device and the gateway, the first connection initiation request including a connection request to the data store;
  
  forward the connection request included in the first connection initiation request to the data store via the control channel in response to receiving, over the first connection, the first connection initiation request from the client device;
  
  receive authentication information from the data store; and
  
  authenticate the data store on the basis of the received authentication information;
  
  establish the second connection to the data store;
  
  determine data flow mode for the client device based on a security policy associated with the client device, the data flow modes comprising an inflow only mode, an outflow only mode, and an inflow and outflow mode, wherein the inflow only mode permits inbound flow of data to the data store but does not permit outbound flow of data from the data store, wherein the outflow only mode permits outbound flow of data from the data store but does not permit inbound flow of data to the data store, and wherein the inflow and outflow mode permits inbound flow of data to the data store and outbound flow of data from the data store;
  
  in response to receiving inbound data from the client device via the first connection;
  
  when the data flow mode is determined to be one of the inflow only mode or the inflow and outflow mode, transmit the received inbound data to the data store via the second connection; and
  
  when the data flow mode is determined to be the outflow only mode, refuse to transmit the received inbound data to the data store via the second connection;
  
  in response to receiving outbound data from the data store via the second connection;
  
  when the data flow mode is determined to be one of the outflow only mode or the inflow and outflow mode, transmit the received outbound data to the client device via the first connection; and
  
  when the data flow mode is determined to be the inflow only mode, refuse to transmit the received outbound data to the client device via the first connection.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 16. The system of claim 15, further comprising:
    - a firewall configured to selectively allow communication between the gateway and the data store.
  - 17. The system of claim 15, wherein the gateway is further configured to:
    - include a unique identifier assigned to the first connection in the connection request.
  - 18. The system of claim 15, wherein the gateway is further configured to:
    - transmit authentication information corresponding to the client device to the data store via the control channel, in order to enable the data store to authenticate the client device.
  - 19. The system of claim 15, wherein the data store is further configured to:
    - determine which resources and associated actions are available to the client device; and
      
      publish said resources and associated actions to the client device.
  - 20. The system of claim 15, wherein the gateway is further configured to:
    - assign a unique identifier to the first connection and associate the second connection with the first communication channel on the basis of the unique identifier.
  - 21. The system of claim 15, wherein the inbound data and the outbound data are encrypted.
  - 22. The system of claim 15, wherein the security policy is based on at least one property of the client device.
  - 23. The system of claim 22, wherein the at least one property comprises one of a device profile of the client device, a user profile associated with the client device, or a location of the client device.
  - 24. The system of claim 15, wherein the security policy is based on a property associated with the outbound data.
  - 25. The system of claim 15, wherein the security policy is based on a property associated with the inbound data.
  - 26. The system of claim 15, wherein the security policy is based on metadata associated with the outbound data.
  - 27. The system of claim 15, wherein the security policy is based on metadata associated with the inbound data.
  - 28. The system of claim 15, wherein the gateway is further configured to:
    - receive authentication information from the client device;
      
      authenticate the client device on the basis of said authentication information; and
      
      establish the first connection.
  - 29. The system of claim 28, wherein the authentication information comprises a secure token.

30. A gateway for facilitating secure communication between a data store and a client device, the gateway comprising:
- a processor; and
  
  a memory comprising computer program code,wherein the processor is configured to process the computer program code and cause the gateway to;
  
  establish a control channel between the gateway and the data store, wherein the establishment of the control channel is initiated by the data store;
  
  receive, at the gateway, from the client device, a first connection initiation request to establish a first connection between the client device and the gateway, the first connection initiation request including a connection request to the data store;
  
  forward the connection request included in the first connection initiation request, from the gateway to the data store, via the control channel in response to receiving the first connection initiation request from the client device;
  
  establish a second connection between the gateway and the data store, wherein the establishment of the second connection is initiated by the data store in response to receiving the connection request from the gateway at the data store, wherein establishing the second connection between the gateway and the data store includes;
  
  receiving authentication information from the data store;
  
  authenticating the data store on the basis of the received authentication information; and
  
  selectively establishing the control channel based on the authentication;
  
  determine data flow mode for the client device based on a security policy associated with the client device, the data flow modes comprising an inflow only mode, an outflow only mode, and an inflow and outflow mode, wherein the inflow only mode permits inbound flow of data to the data store but does not permit outbound flow of data from the data store, wherein the outflow only mode permits outbound flow of data from the data store but does not permit inbound flow of data to the data store, and wherein the inflow and outflow mode permits inbound flow of data to the data store and outbound flow of data from the data store;
  
  in response to receiving inbound data from the client device via the first connection;
  
  when the data flow mode is determined to be one of the inflow only mode or the inflow and outflow mode, transmit the received inbound data to the data store via the second connection; and
  
  when the data flow mode is determined to be the outflow only mode, refuse to transmit the received inbound data to the data store via the second connection;
  
  in response to receiving outbound data from the data store via the second connection;
  
  when the data flow mode is determined to be one of the outflow only mode or the inflow and outflow mode, transmit the received outbound data to the client device via the first connection; and
  
  when the data flow mode is determined to be the inflow only mode, refuse to transmit the received outbound data to the client device via the first connection.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 31. The gateway of claim 30, wherein the connection request from the gateway to the data store includes a unique identifier assigned to the first connection.
  - 32. The gateway of claim 30, wherein the processor is further configured to process the computer program code and cause the gateway to:
    - send authentication information corresponding to the client device to the data store via the control channel, wherein the authentication data is configured to be used by the data store in order to authenticate the client device.
  - 33. The gateway of claim 30, wherein the inbound data and the outbound data are encrypted.
  - 34. The gateway of claim 30, wherein the processor is further configured to process the computer program code and cause the gateway to:
    - receive authentication information from the client device; and
      
      authenticate the client device on the basis of the received authentication information.
  - 35. The gateway of claim 34, wherein the received authentication information comprises a secure token.
  - 36. The gateway of claim 30, wherein the security policy is based on at least one property of the client device.
  - 37. The gateway of claim 30, wherein the at least one property comprises one of a device profile of the client device, a user profile associated with the client device, or a location of the client device.
  - 38. The gateway of claim 30, wherein the security policy is based on a property associated with the outbound data.
  - 39. The gateway of claim 30, wherein the security policy is based on a property associated with the inbound data.
  - 40. The gateway of claim 30, wherein the security policy is based on metadata associated with the outbound data.
  - 41. The gateway of claim 30, wherein the security policy is based on metadata associated with the inbound data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Good Technology Holdings Limited (Blackberry Limited)
Inventors
Chaudhry, Puneesh, Jain, Sanjay
Primary Examiner(s)
HUQ, FARZANA B

Application Number

US13/216,962
Publication Number

US 20120054296A1
Time in Patent Office

2,057 Days
Field of Search

709213, 709218, 709227, 709230-231, 709238, 709244, 709246, 726 3, 726 12, 726 27
US Class Current
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/04   specially adapted for termi...

H04L 67/1095   Replication or mirroring of...

H04L 67/141   Setup of application sessio...

H04L 67/146   Markers for unambiguous ide...

H04L 67/56   Provisioning of proxy servi...

H04L 67/568   Storing data temporarily at...

H04L 69/14   Multichannel or multilink p...

Constant access gateway and de-duplicated data cache server

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Constant access gateway and de-duplicated data cache server

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links