Policy compliance-based secure data access

US 8,756,651 B2
Filed: 09/27/2011
Issued: 06/17/2014
Est. Priority Date: 09/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method of verifying client compliance with a set of security policies in order to grant access to secure data, the method comprising:

under control of one or more computer systems configured with executable instructions,receiving, from a mobile device, a request for an authentication seed that includes security information enabling generation of an authentication code that is distinct from the authentication seed;

after receiving the request for the authentication seed from the mobile device, sending a request for a set of parameter values corresponding to a set of security policies to the mobile device in order to determine whether the mobile device complies with the set of security policies;

instructing the mobile device to impose at least one of the set of security policies on the mobile device;

receiving the set of parameter values from the mobile device;

determining whether the set of parameter values received from the mobile device indicates that the mobile device is in compliance with the set of security policies; and

after determining, sending the authentication seed to the mobile device to enable the mobile device to generate the authentication code when the set of parameter values indicates that the mobile device is in compliance with the set of security policies, the authentication code being generated based at least in part on the authentication seed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control techniques relate to verifying compliance with security policies before enabling access to the computing resources. An application is provided on a client that generates verification codes using an authentication seed. Prior to granting the client the authentication seed necessary to generate a verification code, a server may perform a policy check on the client. Some embodiments ensure that the client complies with security policies imposed by an authenticating party by retrieving a number of parameter values from the client and then determining whether those parameter values comply with the security policies. Upon determining that the client complies, the authentication seed is issued to the client. In some embodiments, the authentication seed is provided such that a policy check is performed upon the generation of a verification code. The client is given access to secure information when the client is determined to comply with the security policies.

43 Citations

View as Search Results

37 Claims

1. A method of verifying client compliance with a set of security policies in order to grant access to secure data, the method comprising:
- under control of one or more computer systems configured with executable instructions,receiving, from a mobile device, a request for an authentication seed that includes security information enabling generation of an authentication code that is distinct from the authentication seed;
  
  after receiving the request for the authentication seed from the mobile device, sending a request for a set of parameter values corresponding to a set of security policies to the mobile device in order to determine whether the mobile device complies with the set of security policies;
  
  instructing the mobile device to impose at least one of the set of security policies on the mobile device;
  
  receiving the set of parameter values from the mobile device;
  
  determining whether the set of parameter values received from the mobile device indicates that the mobile device is in compliance with the set of security policies; and
  
  after determining, sending the authentication seed to the mobile device to enable the mobile device to generate the authentication code when the set of parameter values indicates that the mobile device is in compliance with the set of security policies, the authentication code being generated based at least in part on the authentication seed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 34, 35, 36, 37)
- - 2. The method of claim 1, wherein the generation of the authentication code is further based on at least one of a current time value, a counter, or the previous authentication code.
  - 3. The method of claim 1 further comprising:
    - ending an error message to the mobile device when the set of parameter values indicates that the mobile device is not in compliance with the set of security policies.
  - 4. The method of claim 1, wherein the set of security policies comprises at least one of a minimum length of pin, remote wipe being enabled, up-to-date patch level, encrypted storage, automatic self-wipe being enabled upon a maximum number of incorrect entries/attempts, the mobile device being associated with a corporate email system, the mobile device being within a particular altitude range, the mobile device being within a particular temperature range, the mobile device being connected to a particular wireless network, or the mobile device being within a location range.
  - 5. The method of claim 1, wherein determining whether the set of parameter values indicates that the mobile device is in compliance comprises communicating with a policy enforcement agent in real time to certify that the set of parameter values is in compliance with the set of security policies.
  - 6. The method of claim 1, wherein determining whether the set of parameter values indicates that the mobile device is in compliance comprises transmitting software to the mobile device for execution on the mobile device, wherein the set of parameter values received from the mobile device includes an output from the execution of the software.
  - 7. The method of claim 1, wherein the request for the authentication seed is performed upon receiving a username and a password from a user of the mobile device at sign-in time.
  - 8. The method of claim 1, wherein the request for the authentication seed is performed upon activation of an application that generates the authentication code.
  - 9. The method of claim 1, wherein the set of security policies is unknown to the mobile device.
  - 34. The method of claim 1, further comprising, when the set of parameter values indicates that the mobile device is in compliance with the set of security policies, generating the authentication seed prior to the authentication code being generated.
  - 35. The method of claim 1, wherein a new authentication code is generated based at least in part on the authentication seed each time the mobile device activates an application to access the secure data.
  - 36. The method of claim 1, wherein the authentication code is generated based at least in part on the authentication seed and additional data available to the mobile device.
  - 37. The method of claim 1, wherein the authentication code is generated based at least in part on the authentication seed and a current time.

10. A method of authenticating a client by a server, the method comprising:
- under control of one or more computer systems configured with executable instructions,receiving a request for access to secure information from the client, the request including at least a response code generated based at least in part on an authentication seed accessible to the client and the server, the response code being distinct from the authentication seed;
  
  requesting a set of security parameter values from the client upon receiving the request, the set of security parameter values corresponding to a set of security policies imposed by the server;
  
  receiving the set of security parameter values from the client in order to determine whether security settings of the client comply with the set of security policies;
  
  after receiving the set of security parameter values, determining whether the set of security parameter values indicate that the client complies with the set of security policies; and
  
  enabling the client to access secure information upon determining that the client complies with the set of security policies.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the generation of the response code is further based on at least one of a username, a password, a current time, a counter, a previous authentication code, the request, or a challenge provided by the server.
  - 12. The method of claim 10, wherein the determining comprises communicating with a policy enforcement agent in real time to certify that the set of security parameter values complies with the corresponding set of security policies.
  - 13. The method of claim 10 further comprising:
    - sending a set of instructions to the client upon receiving the request; and
      
      enabling the client to execute the set of instructions to determine whether the client complies with the set of security policies, wherein the set of security parameter values includes an output from an execution of the set of instructions.
  - 14. The method of claim 10, wherein the set of security parameter values includes an identifier for a current location of the client, the identifier being within a permissible territory specified by the corresponding security policy.
  - 15. The method of claim 10, wherein the request further includes a username and a password, wherein the client access to information is enabled upon verifying the username and the password.
  - 16. The method of claim 10, wherein the set of security policies includes a maximum permissible distance between the client and a location chosen by an authenticating party performing the determination.
  - 17. The method of claim 16, wherein a distance between the client and the location chosen by the authenticating party exceeds the maximum permissible distance when a roundtrip time for a signal between the client and the authenticating party exceeds a threshold duration.

18. A method of obtaining access to secure information through compliance with security policies, the method comprising:
- under control of one or more computer systems configured with executable instructions,activating an application that provides access to secure information;
  
  generating, on a client, an authentication code based at least in part on a seed value, the authentication code being distinct from the seed value;
  
  sending a request for access to secure information to a server, the request including at least the authentication code;
  
  providing a set of parameter values to the server that is configured to determine whether the client complies with a set of security policies, the set of parameter values corresponding to the set of security policies imposed by the server; and
  
  obtaining access to the secure information when the client is determined to comply with the set of security policies.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The method of claim 18 further comprising:
    - receiving a request for the set of parameter values relating to the set of security policies.
  - 20. The method of claim 18, wherein the authentication code is generated using an application that includes the authentication seed bootstrapped onto the client.
  - 21. The method of claim 18 further comprising:
    - determining a current location using a location-determining element on the client, wherein one of the set of parameter values sent to the server is based on the determined location.
  - 22. The method of claim 18 further comprising:
    - requesting an updated version of the set of security policies; and
      
      determining whether the client complies using the updated version of the set of security policies.
  - 23. The method of claim 22, wherein the updated version is retrieved each time the request for access to secure information is made to ensure client compliance with updated security policies.
  - 24. The method of claim 18, wherein the client complies with one of the set of security policies when the client includes at least one of a remote-wipe capability being enabled and a minimum pin length requirement.

25. A non-transitory computer-readable storage medium including instructions for obtaining access to secure information using at least an authentication code, the instructions when executed by at least one processor of a computing system causing the computing system to, at least:
- send a request for an authentication seed to a server, the authentication seed being distinct from the authentication code;
  
  provide a set of values to the server that is configured to determine whether a client device complies with a set of security policies using the set of values;
  
  receive an error message when the client device is determined to not comply with the set of security policies;
  
  impose, by the client device, at least one of the set of security polices;
  
  receive the authentication seed when the client device is determined to comply with the set of security policies; and
  
  generate the authentication code, by the client device, based at least in part on the authentication seed,wherein the client device is capable of obtaining access to secure information using the authentication code generated using the authentication seed.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The non-transitory computer-readable storage medium of claim 25, wherein the instructions when executed further cause the computing system to:
    - receive program code;
      
      receive a request to execute the program code; and
      
      execute the program code, wherein the set of values is a set of output values from the execution of the program code.
  - 27. The non-transitory computer-readable storage medium of claim 25, wherein the instructions when executed further cause the computing system to:
    - install an authentication agent on the client device; and
      
      receive the set of security policies, wherein the authentication agent determines whether the client device complies with the set of security policies.
  - 28. The non-transitory computer-readable storage medium of claim 25, wherein the instructions when executed further cause the computing system to:
    - receive a request for a set of security parameter values corresponding to the set of security policies from the server, the set of values being the set of security parameter values, wherein the server determines whether the client device complies with the set of security policies by determining whether the set of security parameter values complies with the set of security policies.
  - 29. The non-transitory computer-readable storage medium of claim 28, wherein the server sends the set of security parameter values to a policy enforcement agent to perform the determination as to whether the client device complies with the security policies.
  - 30. The non-transitory computer-readable storage medium of claim 25, wherein the instructions when executed further cause the computing system to activate an application that is capable of providing an authentication code.

31. A system for verifying client compliance with a set of security policies in order to grant client access to secure data, the system comprising:
- a processor; and
  
  memory device including instructions that, when executed by the processor, cause the system to, at least;
  
  receive a request for an authentication seed;
  
  after receiving the request for the authentication seed, sending, to the client, a request for a response corresponding to a set of security policies;
  
  receive the response from the client after sending the request regarding the set of security policies;
  
  determine whether the response indicates that the client is in compliance with the set of security policies;
  
  instruct the client to impose at least one of the set of policies on the client;
  
  send the authentication seed to the client upon determining that the response indicates that the client is in compliance with the set of security policies; and
  
  generate an authentication code based at least in part on the authentication seed, the authentication code being distinct from the authentication seed,wherein the client is capable of obtaining access to sensitive information using at least the authentication code.
- View Dependent Claims (32, 33)
- - 32. The system of claim 31, wherein the response is a set of parameter values requested by a server, the set of parameter values including at least one of configuration information of the client or acknowledgement responses.
  - 33. The system of claim 31, wherein the instructions when executed further cause the system to:
    - send a computer program including a set of instructions for execution on the client, wherein the received response is an output of the computer program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Baer, Graeme D., Roth, Gregory B.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US13/246,445
Publication Number

US 20130081101A1
Time in Patent Office

994 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 2463/081   applying self-generating cr...

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

Policy compliance-based secure data access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Policy compliance-based secure data access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links