Client application based access control in cloud security systems for mobile devices

US 10,728,252 B2
Filed: 07/07/2018
Issued: 07/28/2020
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A cloud-based security system for controlling access to network resources, the cloud-based security system comprising:

a plurality of processing nodes communicatively coupled to the Internet and an enterprise network; and

one or more authority nodes communicatively coupled to the plurality of processing nodes, the one or more authority nodes configured to store policy data regarding security policies of the enterprise network, the one or more authority nodes further configured to distribute the policy data to each of the plurality of processing nodes;

wherein a first processing node of the plurality of processing nodes is communicatively coupled to a user device and is configured to control communication between the user device and the enterprise network,wherein the first processing node is configured to authenticate the user and provide the user device of the authenticated user access to the enterprise network;

wherein the first processing node is further configured to receive an access request performed by an application on the user device of the authenticated user for accessing a selection of network resources on the enterprise network,wherein the first processing node is further configured to evaluate the access request to identify the application that performed the access request, the application residing on the user device of the authenticated user,wherein the first processing node is further configured to control access to the network resources on the enterprise network based on the policy data identifying access permissions of applications for accessing the network resources, an access permission of the application that performed the access request, and the selection of network resources requested, andwherein the access permission of the application is to a subset of the network resources and the first processing node is configured to control the access by;

in response to the subset of the network resources including the selection of network resources, allowing the access request,in response to the subset of network resources not including the selection of network resources and the application is legitimate, redirecting the access request to an authorized application on the user device, andin response to the subset of network resources not including the selection of network resources and the application is not legitimate, denying the request thereby blocking the access request for accessing the selection of network resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud-based security system enforcing application-based control of network resources includes a plurality of nodes communicatively coupled to the Internet; and one or more authority nodes communicatively coupled to the plurality of nodes; wherein a node of the plurality of nodes is communicatively coupled to a user device via the Internet, and wherein the node is configured to receive a request from a user device for network resources on the Internet or in an external network, to evaluate the request to determine an application on the user device associated with the request, and to provide application-based control of the request based on the determined application and the network resources.

Citations

18 Claims

1. A cloud-based security system for controlling access to network resources, the cloud-based security system comprising:
- a plurality of processing nodes communicatively coupled to the Internet and an enterprise network; and
  
  one or more authority nodes communicatively coupled to the plurality of processing nodes, the one or more authority nodes configured to store policy data regarding security policies of the enterprise network, the one or more authority nodes further configured to distribute the policy data to each of the plurality of processing nodes;
  
  wherein a first processing node of the plurality of processing nodes is communicatively coupled to a user device and is configured to control communication between the user device and the enterprise network,wherein the first processing node is configured to authenticate the user and provide the user device of the authenticated user access to the enterprise network;
  
  wherein the first processing node is further configured to receive an access request performed by an application on the user device of the authenticated user for accessing a selection of network resources on the enterprise network,wherein the first processing node is further configured to evaluate the access request to identify the application that performed the access request, the application residing on the user device of the authenticated user,wherein the first processing node is further configured to control access to the network resources on the enterprise network based on the policy data identifying access permissions of applications for accessing the network resources, an access permission of the application that performed the access request, and the selection of network resources requested, andwherein the access permission of the application is to a subset of the network resources and the first processing node is configured to control the access by;
  
  in response to the subset of the network resources including the selection of network resources, allowing the access request,in response to the subset of network resources not including the selection of network resources and the application is legitimate, redirecting the access request to an authorized application on the user device, andin response to the subset of network resources not including the selection of network resources and the application is not legitimate, denying the request thereby blocking the access request for accessing the selection of network resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The cloud-based security system of claim 1, wherein the first processing node is configured to control the access by limiting which applications on the user device are able to access the selection of network resources.
  - 3. The cloud-based security system of claim 1, wherein the application is legitimate if the application is authorized to access the enterprise network but unauthorized to access the selection of network resources requested.
  - 4. The cloud-based security system of claim 3, wherein the first processing node is configured to redirect the access request by utilizing a response from the first processing node to the user device with a location header pointing to the custom Uniform Resource Locator (URL) of the application being redirected.
  - 5. The cloud-based security system of claim 1, wherein the first processing node is configured to identify the application by analyzing a request body of the access request, where the access request utilizes Hypertext Transfer Protocol (HTTP).
  - 6. The cloud-based security system of claim 1, wherein the security policies comprise one or more of i) user privileges, ii) content that is not allowed, and iii) restricted domains.
  - 7. The cloud-based security system of claim 6, wherein the security policies comprise one or more of i) blocking the network resources from specific types of applications, ii) redirecting the access request to a different application, iii) blocking specific network resources from all applications, and iv) cautioning if the application does not match a specific application for the selection of network resources.
  - 8. The cloud-based security system of claim 1, wherein the user device is connected to the first processing node using one of a proxy and a tunnel and the first processing node is configured to monitor all traffic between the user device and the Internet and enterprise network.

9. A user device comprising:
- a network interface configured to communicatively connect to the Internet and an enterprise network via a cloud-based security system;
  
  a processor communicatively coupled to the network interface; and
  
  memory storing computer-readable instructions configured to cause the processor to execute an application,wherein the user device receives access to the enterprise network once a processing node of the cloud-based security system authenticates the user,wherein the application is configured to send an access request to the processing node of the cloud-based security system, the processing node being communicatively coupled to the Internet and the enterprise network, the access request configured for requesting access to a selection of network resources of the enterprise network via the cloud-based security system for the authenticated user, the access request allowing the processing node to identify a type of the application to control communication between the network interface and the enterprise network based on policy data regarding security policies of the enterprise network that includes identifying access permissions of applications for accessing network resources, an access permission of the identified type of the application that performed the access request, and the selection of network resources requested, andwherein the access permission of the application is to a subset of the network resources and the first processing node is configured to control the access by;
  
  in response to the subset of the network resources including the selection of network resources, allowing the access request,in response to the subset of network resources not including the selection of network resources and the application is legitimate, redirecting the access request to an authorized application on the user device, andin response to the subset of network resources not including the selection of network resources and the application is not legitimate, denying the request thereby blocking the access request for accessing the selection of network resources.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The user device of claim 9, wherein controlling the communication between the network interface and the enterprise network comprises limiting which applications on the user device are able to access the selection of network resources.
  - 11. The user device of claim 9, wherein the application is legitimate if the application is authorized to access the enterprise network but unauthorized to access the selection of network resources requested.
  - 12. The user device of claim 9, wherein the access request utilizes Hypertext Transfer Protocol (HTTP) such that the processing node of the cloud-based security system identifies the type of the application through analysis of a request body of the access request.
  - 13. The user device of claim 9, wherein the user device is connected to the cloud-based security system using one of a proxy and a tunnel and the processing node is configured to monitor all traffic between the user device and the Internet.

14. A method comprising:
- in a cloud-based security system comprising a plurality of nodes communicatively coupled to the Internet, upon authenticating a user and providing a user device of the authenticated user access to an enterprise network, receiving an access request from the user device of the authenticated user performed by an application on the user device, the access request configured for requesting access to a selection of network resources on the enterprise network;
  
  evaluating the access request to identify the application that performed the access request, the application residing on the user device of the authenticated user; and
  
  responsive to pre-defined security policies associated with the enterprise network, the pre-defined security policies identifying access permissions of applications for accessing network resources, controlling access to the network resources based on an access permission of the application that performed the access request and the selection of network resources requested, wherein controlling access comprises limiting which applications on the user device are able to access the network resources,wherein the access permission of the application is to a subset of the network resources and the cloud-based security system is configured to control the access by;
  
  in response to the subset of the network resources including the selection of network resources, allowing the access request,in response to the subset of network resources not including the selection of network resources and the application is legitimate redirecting the access request to an authorized application on the user device, andin response to the subset of network resources not including the selection of network resources and the application is not legitimate, denying the request thereby blocking the access request for accessing the selection of network resources.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, wherein controlling access comprises one of:
    - denying the access request thereby blocking the access request from the network resources if the application is unauthorized,allowing the access request if the application is authorized, orredirecting the access request to an authorized application on the user device.
  - 16. The method of claim 14, wherein the application is legitimate if the application is authorized to access the enterprise network but unauthorized to access the selection of network resources requested.
  - 17. The method of claim 14, further comprising:
    - storing the pre-defined security policies on one or more authority nodes of the cloud-based security system; and
      
      distributing the pre-defined security policies to one or more processing nodes of the cloud-based security system, the one or more processing nodes configured to control the access to the network resources of the enterprise network.
  - 18. The method of claim 17, wherein the pre-defined security policies comprise one or more of i) blocking the network resources from specific types of applications, ii) redirecting the access request to a different application, iii) blocking specific network resources from all applications, and iv) cautioning if the application does not match a specific application for the selection of network resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Desai, Purvi, Bansal, Abhinav
Primary Examiner(s)
Brown, Christopher J

Application Number

US16/029,558
Publication Number

US 20180316684A1
Time in Patent Office

752 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/101   Access control lists [ACL]

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/563   Data redirection of data ne...

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

Client application based access control in cloud security systems for mobile devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Client application based access control in cloud security systems for mobile devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links