Administration of protection of data accessible by a mobile device

US 20050055578A1
Filed: 07/21/2004
Published: 03/10/2005
Est. Priority Date: 02/28/2003
Status: Active Grant

First Claim

Patent Images

1. In a mobile computing device, a computer-implemented system for providing protection of data accessible by a mobile computing device comprising:

a location detection module for detecting the location associated with the network environment in which the mobile device is operating;

a policy setting module being communicatively coupled with the location detection module for communication of the detected location and being communicatively coupled over a network to a policy management module, the policy setting module determining a current security policy from the one or more security policies received from the policy management module based upon criteria including the detected location, and a policy enforcement control module being communicatively coupled with the policy setting module for communication of the current security policy to be enforced, the enforcement control module comprising one or more enforcement mechanism modules for enforcing the current security policy.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The protection of data on a client mobile computing device by a server computer system such as within an enterprise network or on a separate mobile computing device is described. Security tools are described that provide different security policies to be enforced based on a location associated with a network environment in which a mobile device is operating. Methods for detecting the location of the mobile device are described. Additionally, the security tools may also provide for enforcing different policies based on security features. Examples of security features include the type of connection, wired or wireless, over which data is being transferred, the operation of anti-virus software, or the type of network adapter card. The different security policies provide enforcement mechanisms that may be tailored based upon the detected location and/or active security features associated with the mobile device. Examples of enforcement mechanisms are adaptive port blocking, file hiding and file encryption.

614 Citations

33 Claims

1. In a mobile computing device, a computer-implemented system for providing protection of data accessible by a mobile computing device comprising:
- a location detection module for detecting the location associated with the network environment in which the mobile device is operating;
  
  a policy setting module being communicatively coupled with the location detection module for communication of the detected location and being communicatively coupled over a network to a policy management module, the policy setting module determining a current security policy from the one or more security policies received from the policy management module based upon criteria including the detected location, and a policy enforcement control module being communicatively coupled with the policy setting module for communication of the current security policy to be enforced, the enforcement control module comprising one or more enforcement mechanism modules for enforcing the current security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1 wherein the policy setting module sends an update request to the policy management module, the update request requesting any new versions of the one or more policies used by the mobile device.
  - 3. The system of claim 1 further comprising a security features module for determining whether one or more security features have an activity status of inactive or active in a communication session between the mobile device and another computer;
    - and the policy setting module having a communication interface with the security features module for communication of the activity status of the one or more security features, the policy setting module determining the current security policy from the one or more security policies received from the policy management module based upon criteria further including the activity status of the one or more security features.
  - 4. The system of claim 1 wherein the mobile device is operating in an unmanaged mode, the policy setting module having a communication interface with the user interface module wherein the policy setting module defines an aspect of a security policy based on input received from the user interface module.
  - 5. The system of claim 1 wherein at least one of the security features is a connection type of wired or wireless.
  - 6. The system of claim 1 wherein at least one of the security features is a security software program.
  - 7. The system of claim 1 wherein at least one of the security features is a network class.
  - 8. The system of claim 7 wherein the network class is one from the group of:
    - a type of mobile communications system, a type of wireless communications system, 802.3, 802.15, 802.16, a variation of 802.11 and 3G.
  - 9. The system of claim 1 wherein the location detection module continuously detects the location in which the mobile device is operating;
    - responsive to a new location being detected, notifying the policy setting module via the communication interface of the new detected location;
      
      responsive to the notification of the new detected location, the policy setting module determining whether the current security policy is to be changed to another policy; and
      
      responsive to the change in policy being indicated, automatically making the other policy the current security policy; and
      
      responsive to the other policy being made the current security policy, the policy enforcement module automatically enforcing the other policy as the current policy.
  - 10. The system of claim 1 wherein the location detection module determines location by comparing a criterion of operation of the mobile device to a set of criteria associated with locations.
  - 11. The system of claim 1 wherein the location detection module monitors at least one criterion of operation of the mobile device for the current location and compares the criterion to that associated locations.
  - 12. The system of claim 1 wherein the location detection module monitors criteria of operation of the mobile device for a current location and compares the criteria to that associated with locations.
  - 13. The system of claim 1 wherein the location detection module sends a notification to the policy setting module if the criteria of operation of the mobile device for the current location are different from the criteria associated with a location set by the policy setting module.
  - 14. The system of claim 1 wherein the location detection module sends a notification to the policy setting module to change the security policy to that for a second location if the criteria of operation of the mobile device for the current location match the criteria associated with second location.
  - 15. The system of claim 12 wherein the criteria of operation of the mobile device are a weighted average of one or more network parameters.
  - 16. The system of claim 12 wherein location detection module creates a weighted average of one or more network parameters for each location.
  - 17. The system of claim 12 wherein location detection module determines whether there is more that one location in a set of possible locations that match the criteria of operation of the mobile device, and sets the location to the current detected location if there is not more that one location.
  - 18. The system of claim 12 wherein location detection module determines whether there is more that one location in a set of possible locations that match the criteria of operation of the mobile device, and sends a notification to the policy setting module to change the security policy to a default setting.
  - 19. The system of claim 12 wherein the network parameter include at least one from the group of:
    - a Domain, Gateway, DHCP server, DNS1 server, DNS2 server, DNS3 server, and WINS server, a MAC address, an IP address, a port value, and an application identifier or application information derived by an application.

20. A method for detecting a location of a mobile computing device for use in protecting data accessible to the mobile device, the method comprising the steps of:
- setting a predefined value for a criterion for each location;
  
  detecting a current value for a criterion;
  
  comparing the current value to a set of criteria for locations; and
  
  determining a location based the comparison.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20 further comprising the steps of changing a security policy based on the determined location.
  - 22. The method of claim 20 wherein the predefined value for the criterion for each location is a weighted average of one or more network parameters.
  - 23. The method of claim 20 further comprising the steps of:
    - determining whether the location has changed; and
      
      modifying the security policy to match the location if location has changed.

24. A method for detecting a current location from a set of possible locations for a mobile computing device for use in protecting data accessible to the mobile device, the method comprising the steps of:
- obtaining at least one current network environment parameter;
  
  determining whether the obtained current network environment parameter matches a predefined parameter for a first location; and
  
  performing a location detection test using valid historical parameters to verify the first location.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 25. The method of claim 24, further comprising the step of setting the first location as the location of the mobile device.
  - 26. The method of claim 24, further comprising the step of testing whether the first location is a false positive.
  - 27. The method of claim 26, wherein the step of testing whether the first location is a false positive is performed by comparing the obtaining at least one current network environment parameter to override criteria.
  - 28. The method of claim 24, if the obtained current network environment parameter does not match the predefined parameter for the first location, further comprising the steps of:
    - determining a second location having a network environment parameter from the set of possible locations that is the closet match to the current network environment parameter;
      
      testing the network environment parameter for the second location to override criteria;
      
      setting the second location as the current location if the override criteria do not match; and
      
      setting a default location as the current location if the override criteria do match.
  - 29. The method of claim 24, further comprising the step of updating the valid historical parameters.
  - 30. The method of claim 29, further comprising the step of updating the valid historical parameters comprises the steps of:
    - determining whether a parameter has been previously detected;
      
      marking the parameter as a valid historical parameter for determining location;
  - 31. The method of claim 29, further comprising the step of updating the valid historical parameters comprises the steps of:
    - maintaining a first count of the number of times a parameter has been previously detected;
      
      maintaining a second count of the number of times the parameter has been previously detected as valid; and
      
      marking the parameter as a valid historical parameter for determining location if the first count is less than the second count.
  - 32. The method of claim 24, wherein the step of performing a location detection test using valid historical parameters to verify the first location uses a composite value of several independent terms to define a location threshold.
  - 33. The method of claim 32, wherein the location threshold normalized sum of these components as represented below:
    - $\frac{\sum c_{j} y_{j} v_{j} + \sum w_{i} x_{i} + \sum a_{k} p_{k} z_{k}}{\sum w_{i} + \sum c_{j} y_{j} + \sum a_{k} p_{k}}$

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Wright, Michael, Mims, Robert, Jacobson, Sterling K., Nault, Gabe, Smith, Merrill, Boucher, Peter, Wood, Jonathan

Granted Patent

US 7,526,800 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/554   involving event detection a...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 12/4604   LAN interconnection over a ...

H04L 63/0272   Virtual private networks

H04L 63/045   wherein the sending and rec...

H04L 63/0492   by using a location-limited...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/52   specially adapted for the l...

H04L 67/55   Push-based network services

H04W 12/02   Protecting privacy or anony...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/30 : Security of mobile devices;...

H04W 12/63 : Location-dependent; Proximi...

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

View All

Administration of protection of data accessible by a mobile device

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

614 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Administration of protection of data accessible by a mobile device

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

614 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links