Client application based access control in cloud security systems for mobile devices
First Claim
1. A cloud-based security system for controlling access to network resources, the cloud-based security system comprising:
a plurality of processing nodes communicatively coupled to the Internet and an enterprise network; and
one or more authority nodes communicatively coupled to the plurality of processing nodes, the one or more authority nodes configured to store policy data regarding security policies of the enterprise network, the one or more authority nodes further configured to distribute the policy data to each of the plurality of processing nodes;
wherein a first processing node of the plurality of processing nodes is communicatively coupled to a user device and is configured to control communication between the user device and the enterprise network, wherein the first processing node is configured to authenticate the user and provide the user device of the authenticated user access to the enterprise network;
wherein the first processing node is further configured to receive an access request performed by an application on the user device of the authenticated user for accessing a selection of network resources on the enterprise network, wherein the first processing node is further configured to evaluate the access request to identify the application that performed the access request, the application residing on the user device of the authenticated user, wherein the first processing node is further configured to control access to the network resources on the enterprise network based on the policy data identifying access permissions of applications for accessing the network resources, an access permission of the application that performed the access request, and the selection of network resources requested, and wherein the access permission of the application is to a subset of the network resources and the first processing node is configured to control the access by;
in response to the subset of the network resources including the selection of network resources, allowing the access request, in response to the subset of network resources not including the selection of network resources and the application is legitimate, redirecting the access request to an authorized application on the user device, and in response to the subset of network resources not including the selection of network resources and the application is not legitimate, denying the request thereby blocking the access request for accessing the selection of network resources.
Abstract
A cloud-based security system enforcing application-based control of network resources includes a plurality of nodes communicatively coupled to the Internet; and one or more authority nodes communicatively coupled to the plurality of nodes; wherein a node of the plurality of nodes is communicatively coupled to a user device via the Internet, and wherein the node is configured to receive a request from a user device for network resources on the Internet or in an external network, to evaluate the request to determine an application on the user device associated with the request, and to provide application-based control of the request based on the determined application and the network resources.
18 Claims
1. (Independent claim 1 is reproduced in full above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A user device comprising:
a network interface configured to communicatively connect to the Internet and an enterprise network via a cloud-based security system; a processor communicatively coupled to the network interface; and memory storing computer-readable instructions configured to cause the processor to execute an application, wherein the user device receives access to the enterprise network once a processing node of the cloud-based security system authenticates the user, wherein the application is configured to send an access request to the processing node of the cloud-based security system, the processing node being communicatively coupled to the Internet and the enterprise network, the access request configured for requesting access to a selection of network resources of the enterprise network via the cloud-based security system for the authenticated user, the access request allowing the processing node to identify a type of the application to control communication between the network interface and the enterprise network based on policy data regarding security policies of the enterprise network that includes identifying access permissions of applications for accessing network resources, an access permission of the identified type of the application that performed the access request, and the selection of network resources requested, and wherein the access permission of the application is to a subset of the network resources and the first processing node is configured to control the access by; in response to the subset of the network resources including the selection of network resources, allowing the access request, in response to the subset of network resources not including the selection of network resources and the application is legitimate, redirecting the access request to an authorized application on the user device, and in response to the subset of network resources not including the selection of network resources and the application is not legitimate, denying the request thereby blocking the access request for accessing the selection of network resources. Dependent claims: 10, 11, 12, 13.
14. A method comprising:
in a cloud-based security system comprising a plurality of nodes communicatively coupled to the Internet, upon authenticating a user and providing a user device of the authenticated user access to an enterprise network, receiving an access request from the user device of the authenticated user performed by an application on the user device, the access request configured for requesting access to a selection of network resources on the enterprise network; evaluating the access request to identify the application that performed the access request, the application residing on the user device of the authenticated user; and responsive to pre-defined security policies associated with the enterprise network, the pre-defined security policies identifying access permissions of applications for accessing network resources, controlling access to the network resources based on an access permission of the application that performed the access request and the selection of network resources requested, wherein controlling access comprises limiting which applications on the user device are able to access the network resources, wherein the access permission of the application is to a subset of the network resources and the cloud-based security system is configured to control the access by; in response to the subset of the network resources including the selection of network resources, allowing the access request, in response to the subset of network resources not including the selection of network resources and the application is legitimate, redirecting the access request to an authorized application on the user device, and in response to the subset of network resources not including the selection of network resources and the application is not legitimate, denying the request thereby blocking the access request for accessing the selection of network resources. Dependent claims: 15, 16, 17, 18.
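The three-way decision the independent claims describe (allow when the application's permitted subset covers the requested selection, redirect to an authorized application when it does not but the application is legitimate, deny otherwise), written out as an added example that is not code from the patent or its assignee. The policy table, application names and resource names are constructed; how a real processing node identifies the application from the request, and what it does when no authorized application covers the selection, are assumptions stated in the comments.

```python
from enum import Enum
from dataclasses import dataclass


class Decision(Enum):
    ALLOW = "allow"
    REDIRECT = "redirect"
    DENY = "deny"


@dataclass(frozen=True)
class AppPermission:
    allowed: frozenset   # subset of enterprise resources the application may reach
    legitimate: bool     # whether the application is a sanctioned one


# Constructed policy data, standing in for what an authority node distributes
# to each processing node: application identifier -> its access permission.
POLICY = {
    "mail-client": AppPermission(frozenset({"mail", "calendar"}), True),
    "crm-app": AppPermission(frozenset({"crm", "intranet"}), True),
    "browser": AppPermission(frozenset({"intranet"}), True),
    "unknown-binary": AppPermission(frozenset(), False),
}


def evaluate_access(app_id, requested, policy=POLICY):
    """Decide allow / redirect / deny for an authenticated user's request.

    app_id    - the application the processing node identified from the request
                (identification itself is out of scope here; it is an input)
    requested - the selection of network resources the request asks for
    Returns (Decision, redirect_target_or_None).
    """
    selection = frozenset(requested)
    perm = policy.get(app_id)
    # Assumption: an application absent from the policy has no permission and
    # is not known to be legitimate, so it is treated as not legitimate.
    if perm is None or not perm.legitimate and not selection <= (perm.allowed if perm else frozenset()):
        return Decision.DENY, None
    if selection <= perm.allowed:
        return Decision.ALLOW, None
    # Legitimate application, selection outside its subset: hand the request to
    # an authorized application on the same device, i.e. a legitimate one whose
    # permitted subset covers the whole selection.
    for other, other_perm in policy.items():
        if other != app_id and other_perm.legitimate and selection <= other_perm.allowed:
            return Decision.REDIRECT, other
    # Assumption: when no authorized application covers the selection, deny.
    return Decision.DENY, None
```

The subset test is on the whole selection, so a request mixing one permitted and one unpermitted resource is never partially allowed; it is redirected or denied as a unit.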