Governed routing of enterprise data in hybrid mobile applications

US 9,807,060 B2
Filed: 03/13/2015
Issued: 10/31/2017
Est. Priority Date: 03/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method of protecting enterprise data with respect to a hybrid application in a mobile device that accesses a global computer information network using enterprise infrastructure, said method comprising:

utilizing at least one processor to execute computer code that performs the steps of;

detecting the hybrid application in the mobile device, the hybrid application being configured to communicate with an enterprise network and a non-enterprise network;

providing, in communication with the hybrid application, controls for segregating data flows from the enterprise network and non-enterprise network;

identifying, at least one data flow comprising enterprise content; and

providing a policy service which applies a policy for the segregating and governed routing of data flows from the enterprise network and the non-enterprise network to be carried out by the provided controls;

wherein the policy service in conjunction with the controls isolates the at least one data flow from other data flows by recognizing the data flows as a collection of stack+heap variables and isolating the variables belonging to the at least one data flow from the variables belonging to the remaining data flows; and

wherein the policy service in conjunction with the controls routes the at least one data flow to a predetermined data sink and wherein the controls identify permissions designating at least one application that has permission to access the predetermined data sink with the at least one data flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and arrangements for protecting enterprise data with respect to a hybrid application in a mobile device that accesses a global computer information network using enterprise infrastructure. A hybrid application is recognized in a mobile device, the hybrid application being configured to communicate with an enterprise network and a non-enterprise network. There are provided, in communication with the hybrid application, controls for segregating data flows from the enterprise network and non-enterprise network. A policy service is provided, which applies a policy for the segregating and governed routing of data flows from the enterprise network and the non-enterprise network. Other variants and embodiments are broadly contemplated herein.

19 Citations

20 Claims

1. A method of protecting enterprise data with respect to a hybrid application in a mobile device that accesses a global computer information network using enterprise infrastructure, said method comprising:
- utilizing at least one processor to execute computer code that performs the steps of;
  
  detecting the hybrid application in the mobile device, the hybrid application being configured to communicate with an enterprise network and a non-enterprise network;
  
  providing, in communication with the hybrid application, controls for segregating data flows from the enterprise network and non-enterprise network;
  
  identifying, at least one data flow comprising enterprise content; and
  
  providing a policy service which applies a policy for the segregating and governed routing of data flows from the enterprise network and the non-enterprise network to be carried out by the provided controls;
  
  wherein the policy service in conjunction with the controls isolates the at least one data flow from other data flows by recognizing the data flows as a collection of stack+heap variables and isolating the variables belonging to the at least one data flow from the variables belonging to the remaining data flows; and
  
  wherein the policy service in conjunction with the controls routes the at least one data flow to a predetermined data sink and wherein the controls identify permissions designating at least one application that has permission to access the predetermined data sink with the at least one data flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein the policy indicates at least one enterprise domain to be segregated from non-enterprise data flows within the hybrid application.
  - 3. The method according to claim 1, wherein:
    - the controls are provided in the mobile device runtime; and
      
      the controls are configured to selectively permit the hybrid application to write data from a data flow to one or more data sinks.
  - 4. The method according to claim 1, comprising providing controls for segregating data flows within a server-side adapter corresponding to the hybrid application.
  - 5. The method according to claim 4, wherein the controls at the server-side adapter are configured to selectively permit the adapter to write data from a data flow to one or more data sinks.
  - 6. The method according to claim 1, comprising configuring, via the policy service, data sink controls in at least one of:
    - a runtime of the mobile device and an enterprise server.
  - 7. The method according to claim 6, wherein said configuring comprises configuring the data sink controls at the start of an enterprise data flow.
  - 8. The method according to claim 7, wherein the policy indicates one or more data sinks to which data from the enterprise data flow is permissibly be routed.
  - 9. The method according to claim 1, comprising providing, in communication with the hybrid application, controls for governed routing of data flows from the enterprise network.
  - 10. The method according to claim 9, wherein the policy indicates one or more data sinks to which data from the enterprise data flow is permissibly be routed.
  - 11. The method according to claim 1, comprising implementing the controls in middleware, without modification to the hybrid application.

12. An apparatus for protecting enterprise data with respect to a hybrid application in a mobile device that accesses a global computer information network using enterprise infrastructure, said apparatus comprising:
- at least one hardware processor; and
  
  a computer readable storage medium having computer readable program code embodied therewith, executable by the at least one hardware processor, and comprising;
  
  computer readable program code configured to detect the hybrid application in the mobile device, the hybrid application being configured to communicate with an enterprise network and a non-enterprise network;
  
  computer readable program code configured to provide, in communication with the hybrid application, controls for segregating data flows from the enterprise network and non-enterprise network;
  
  computer readable program code configured to identify, at least one data flow comprising enterprise content; and
  
  computer readable program code configured to provide a policy service which applies a policy for the segregating and governed routing of data flows from the enterprise network and the non-enterprise network to be carried out by the provided controls;
  
  wherein the policy service in conjunction with the controls isolates the at least one data flow from other data flows by recognizing the data flows as a collection of stack+heap variables and isolating the variables belonging to the at least one data flow from the variables belonging to the remaining data flows;
  
  anwherein the policy service in conjunction with the controls routes the at least one data flow to a predetermined data sink and wherein the controls identify permissions designating at least one application that has permission to access the predetermined data sink with the at least one data flow.

13. A non-transitory computer program product for protecting enterprise data with respect to a hybrid application in a mobile device that accesses a global computer information network using enterprise infrastructure, said non-transitory computer program product comprising:
- a computer readable storage medium having computer readable program code embodied therewith and comprising;
  
  computer readable program code configured to detect the hybrid application in the mobiie device, the hybrid application being configured to communicate with an enterprise network and a non-enterprise network;
  
  computer readable program code configured to provide, in communication with the hybrid application, controls for segregating data flows from the enterprise network and non-enterprise network;
  
  computer readable program code configured to identify, at least one data flow comprising enterprise content; and
  
  computer readable program code configured to provide a policy service which applies a policy for the segregating and governed routing of data flows from the enterprise network and the non-enterprise network to be carried out by the provided controls;
  
  wherein the policy service in conjunction with the controls isolates the at least one data flow from other data flows by recognizing the data flows as a collection of stack+heap variables and isolating the variables belonging to the at least one data flow from the variables belonging to the remaining data flows; and
  
  wherein the policy service in conjunction with the controls routes the at least one data flow to a predetermined data sink and wherein the controls identify permissions designating at least one application that has permission to access the predetermined data sink with the at least one data flow.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The non-transitory computer program product according to claim 13, wherein the policy indicates at least one enterprise domain to be segregated from non-enterprise data flows within the hybrid application.
  - 15. The non-transitory computer program product according to claim 13, wherein:
    - the controls are provided in the mobile device runtime; and
      
      the controls are configured to selectively permit the hybrid application to write data from a data flow to one or more data sinks.
  - 16. The non-transitory computer program product according to claim 13, wherein said computer readable program code is configured to provide controls for segregating data flows within a server-side adapter corresponding to the hybrid application.
  - 17. The non-transitory computer program product according to claim 13, wherein the policy service configures data sink controls in at least one of:
    - a runtime of the mobile device and an enterprise server.
  - 18. The non-transitory computer program product according to claim 13, wherein said computer readable program code is configured to provide, in communication with the hybrid application, controls for governed routing of data flows from the enterprise network.
  - 19. The non-transitory computer program product according to claim 18, wherein the policy indicates one or more data sinks to which data from the enterprise data flow is permissibly be routed.

20. A method comprising:
- detecting a hybrid application in a mobile device, the hybrid application being configured to communicate with an enterprise network and a non-enterprise network;
  
  providing, in communication with the hybrid application, controls for segregating data flows from the enterprise network and non-enterprise network, the controls being provided in the mobile device runtime, and being configured to selectively permit the hybrid application to write data from a data flow to one or more data sinks;
  
  implementing the controls for segregating data flows in middleware, without modification to the hybrid application;
  
  providing, in communication with the hybrid application, controls for governed routing of data flows from the enterprise network;
  
  providing controls for segregating data flows within a server-side adapter corresponding to the hybrid application; and
  
  providing a policy service which applies a policy for the segregating and governed routing of data flows from the enterprise network and the non-enterprise network to be carried out by the provided controls;
  
  the policy indicating data flows from at least one enterprise domain to be segregated from non-enterprise data flows within the hybrid application from other data flows by recognizing the data flows as a collection of stack+heap variables and segregating the variables belonging to the at least one data flow from the variables belonging to the remaining data flows; and
  
  wherein the policy routes the data flows from the at least one enterprise domain to a predetermined data sink and wherein the controls identify permissions designating at least one application that has permission to access the predetermined data sink with the data flows from the at least one enterprise domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kodeswaran, Palanivel A., Naldurg, Prasad G., Ramakrishna, Venkatraman, Seshadri, Arvind, Steiner, Michael
Primary Examiner(s)
LWIN, MAUNG T

Application Number

US14/657,539
Publication Number

US 20160267286A1
Time in Patent Office

963 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/6263   during internet communicati...

H04L 63/04   for providing a confidentia...

H04L 63/102   Entity profiles

Governed routing of enterprise data in hybrid mobile applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Governed routing of enterprise data in hybrid mobile applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others