Controlling Mobile Device Access to Secure Data

US 20150143120A1
Filed: 01/28/2015
Published: 05/21/2015
Est. Priority Date: 10/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

as part of a process of configuring a managed application of a mobile device such that the managed application is able to be executed in accordance with a management framework defined by policy information received by the mobile device via an access gateway;

determining that legacy data associated with an application of the mobile device that was executed not in accordance with the management framework is to be configured for the managed application;

responsive to determining that the legacy data is to be configured for the managed application, encrypting the legacy data, resulting in encrypted legacy data;

storing a first set of the encrypted legacy data in a private secure container, wherein the private secure container is defined by the policy information and is private to the managed application; and

storing a second set of the encrypted legacy data in a shared secure container, wherein the shared secure container is defined by the policy information and is shared with at least one other managed application of the mobile device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various aspects of the disclosure relate to providing secure containers or data vaults for data of one or more managed applications. In some embodiments, each managed application may be assigned its own private data vault and/or may be assigned a shared data vault that is accessible to at least one other managed application. As the managed application executes, calls for access to the data may be intercepted and redirected to the secure containers. Data stored in a secure container may be encrypted according to a policy. Other aspects relate to deleting data from a secure container, such as via a selective wipe of data associated with a managed application. Further aspects relate to configuring and creating the secure containers, retrieving key information required to encrypt/decrypt the data stored in the secure containers, and publishing the managed applications, policy information and key information for download to a mobile device.

6 Citations

View as Search Results

20 Claims

1. A method, comprising:
- as part of a process of configuring a managed application of a mobile device such that the managed application is able to be executed in accordance with a management framework defined by policy information received by the mobile device via an access gateway;
  
  determining that legacy data associated with an application of the mobile device that was executed not in accordance with the management framework is to be configured for the managed application;
  
  responsive to determining that the legacy data is to be configured for the managed application, encrypting the legacy data, resulting in encrypted legacy data;
  
  storing a first set of the encrypted legacy data in a private secure container, wherein the private secure container is defined by the policy information and is private to the managed application; and
  
  storing a second set of the encrypted legacy data in a shared secure container, wherein the shared secure container is defined by the policy information and is shared with at least one other managed application of the mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - obtaining, via the access gateway, key information that includes one or more keys for encrypting or decrypting data of the private secure container or the shared secure container.
  - 3. The method of claim 1, wherein the policy information defines that the private secure container and the shared secure container are to be used when the managed application is executing.
  - 4. The method of claim 3, further comprising:
    - intercepting a read or write operation from the managed application while the managed application is executing on the mobile device, wherein the read or write operation comprises an application programming interface (API) call available via a file system of the mobile device, wherein the file system of the mobile device is different from both a file system of the private secure container and a file system of the shared secure container, and wherein the read or write operation indicates a type of data to be read or written;
      
      determining, based on the policy information and the type of data to be read or written, whether to redirect the read or write operation to the shared secure container or the private secure container; and
      
      based on the determining, redirecting the read or write operation to the private secure container or the shared secure container.
  - 5. The method of claim 1, further comprising:
    - configuring the private secure container and the shared secure container based on the policy information, wherein the private secure container and the shared secure container are each a logical interface into which data is read from and written to in an encrypted form
  - 6. The method of claim 1, wherein the private secure container is a private data vault that is accessible to only the managed application.
  - 7. The method of claim 1, wherein the shared secure container is a shared data vault that is accessible only to the managed application and the at least one other managed application of the mobile device, wherein the policy information is assigned to the managed application and the at least one other managed application of the mobile device.

8. An apparatus, comprising:
- at least one processor; and
  
  memory storing executable instructions configured to, when executed by the at least one processor, cause the apparatus to;
  
  as part of a process of configuring a managed application of the apparatus such that the managed application is able to be executed in accordance with a management framework defined by policy information received by the apparatus via an access gateway;
  
  determine that legacy data associated with an application of the apparatus that was executed not in accordance with the management framework is to be configured for the managed application;
  
  responsive to determining that the legacy data is to be configured for the managed application, encrypt the legacy data, resulting in encrypted legacy data;
  
  store a first set of the encrypted legacy data in a private secure container, wherein the private secure container is defined by the policy information and is private to the managed application; and
  
  store a second set of the encrypted legacy data in a shared secure container, wherein the shared secure container is defined by the policy information and is shared with at least one other managed application of the apparatus.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, wherein the executable instructions, when executed by the at least one processor, cause the apparatus to:
    - obtain, via the access gateway, key information that includes one or more keys for encrypting or decrypting data of the private secure container or the shared secure container.
  - 10. The apparatus of claim 8, wherein the policy information defines that the private secure container and the shared secure container are to be used when the managed application is executing.
  - 11. The apparatus of claim 10, wherein the executable instructions, when executed by the at least one processor, cause the apparatus to:
    - intercept a read or write operation from the managed application while the managed application is executing on the apparatus, wherein the read or write operation comprises an application programming interface (API) call available via a file system of the apparatus, wherein the file system of the apparatus is different from both a file system of the private secure container and a file system of the shared secure container, and wherein the read or write operation indicates a type of data to be read or written;
      
      determine, based on the policy information and the type of data to be read or written, whether to redirect the read or write operation to the shared secure container or the private secure container; and
      
      based on the determining, redirect the read or write operation to the private secure container or the shared secure container.
  - 12. The apparatus of claim 8, wherein the executable instructions, when executed by the at least one processor, cause the apparatus to:
    - configure the private secure container and the shared secure container based on the policy information, wherein the private secure container and the shared secure container are each a logical interface into which data is read from and written to in an encrypted form
  - 13. The apparatus of claim 8, wherein the private secure container is a private data vault that is accessible to only the managed application, and wherein the shared secure container is a shared data vault that is accessible only to the managed application and the at least one other managed application of the apparatus, wherein the policy information is assigned to the managed application and the at least one other managed application of the apparatus.

14. One or more non-transitory memory storing executable instructions configured to, when executed, cause an apparatus to:
- as part of a process of configuring a managed application of the apparatus such that the managed application is able to be executed in accordance with a management framework defined by policy information received by the apparatus via an access gateway;
  
  determine that legacy data associated with an application of the apparatus that was executed not in accordance with the management framework is to be configured for the managed application;
  
  responsive to determining that the legacy data is to be configured for the managed application, encrypt the legacy data, resulting in encrypted legacy data;
  
  store a first set of the encrypted legacy data in a private secure container, wherein the private secure container is defined by the policy information and is private to the managed application; and
  
  store a second set of the encrypted legacy data in a shared secure container, wherein the shared secure container is defined by the policy information and is shared with at least one other managed application of the apparatus.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The one or more non-transitory memory of claim 14, wherein the executable instructions, when executed, cause the apparatus to:
    - obtain, via the access gateway, key information that includes one or more keys for encrypting or decrypting data of the private secure container or the shared secure container.
  - 16. The one or more non-transitory memory of claim 14, wherein the policy information defines that the private secure container and the shared secure container are to be used when the managed application is executing.
  - 17. The one or more non-transitory memory of claim 16, wherein the executable instructions, when executed, cause the apparatus to:
    - intercept a read or write operation from the managed application while the managed application is executing on the apparatus, wherein the read or write operation comprises an application programming interface (API) call available via a file system of the apparatus, wherein the file system of the apparatus is different from both a file system of the private secure container and a file system of the shared secure container, and wherein the read or write operation indicates a type of data to be read or written;
      
      determine, based on the policy information and the type of data to be read or written, whether to redirect the read or write operation to the shared secure container or the private secure container; and
      
      based on the determining, redirect the read or write operation to the private secure container or the shared secure container.
  - 18. The one or more non-transitory memory of claim 14, wherein the executable instructions, when executed, cause the apparatus to:
    - configure the private secure container and the shared secure container based on the policy information, wherein the private secure container and the shared secure container are each a logical interface into which data is read from and written to in an encrypted form
  - 19. The one or more non-transitory memory of claim 14, wherein the private secure container is a private data vault that is accessible to only the managed application.
  - 20. The one or more non-transitory memory of claim 14, wherein the shared secure container is a shared data vault that is accessible only to the managed application and the at least one other managed application of the apparatus, wherein the policy information is assigned to the managed application and the at least one other managed application of the apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Barton, Gary, Lang, Zhongmin, Desai, Nitin, Walker, James Robert

Granted Patent

US 9,602,474 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 21/88   Detecting or preventing the...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 63/0428   wherein the data content is...

H04L 67/10   in which an application is ...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

H04W 12/63   Location-dependent; Proximi...

Controlling Mobile Device Access to Secure Data

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling Mobile Device Access to Secure Data

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links