Secure container for protecting enterprise data on a mobile device

US 9,143,530 B2
Filed: 10/10/2012
Issued: 09/22/2015
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A mobile device comprising computer-readable storage and at least one processor configured to execute computer-executable code stored on the computer-readable storage, the mobile device comprising:

a secure container component installed on the computer-readable storage of the mobile device, the installed secure container component implemented by computer executable code stored on the computer-readable storage of the mobile device to create a secure document container on the computer-readable storage, the secure document container comprising a file system for a first portion of the computer-readable storage, the secure document container being encrypted, the secure document container storing first enterprise data of an enterprise, the first enterprise data including at least one enterprise document;

a second portion of the computer-readable storage of the mobile device, the second portion of the computer-readable storage storing private data of a user of the mobile device, the private data associated with activity of the user that is outside of a role of the user in the enterprise, the second portion of the computer-readable storage being unencrypted, the first portion of the computer-readable storage being logically separate from the second portion of the computer-readable storage, wherein the first enterprise data in the secure document container is logically separate from the private data in the second portion of the computer-readable storage;

an access manager implemented by computer-executable code stored on the computer-readable storage of the mobile device that limits access to the file system for the first portion of the computer-readable storage based on one or more document-access policies that restrict availability of the first enterprise data stored in the secure document container, wherein a non-enterprise application not associated with the enterprise is prevented from accessing the first enterprise data stored in the secure document container; and

a secure virtual machine implemented by computer-executable code stored on the computer-readable storage of the mobile device, wherein an enterprise application associated with the enterprise and running in the secure virtual machine is configured to access the first enterprise data stored in the secure document container,wherein the first enterprise data is only accessible by the enterprise application associated with the enterprise after the enterprise application receives correct user credentials from the user, andwherein the document-access policies prevent a second enterprise document from being saved in the secure document container, wherein the second enterprise document is available for viewing on the mobile device only when the mobile device is connected to a system of the enterprise.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user'"'"'s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

523 Citations

28 Claims

1. A mobile device comprising computer-readable storage and at least one processor configured to execute computer-executable code stored on the computer-readable storage, the mobile device comprising:
- a secure container component installed on the computer-readable storage of the mobile device, the installed secure container component implemented by computer executable code stored on the computer-readable storage of the mobile device to create a secure document container on the computer-readable storage, the secure document container comprising a file system for a first portion of the computer-readable storage, the secure document container being encrypted, the secure document container storing first enterprise data of an enterprise, the first enterprise data including at least one enterprise document;
  
  a second portion of the computer-readable storage of the mobile device, the second portion of the computer-readable storage storing private data of a user of the mobile device, the private data associated with activity of the user that is outside of a role of the user in the enterprise, the second portion of the computer-readable storage being unencrypted, the first portion of the computer-readable storage being logically separate from the second portion of the computer-readable storage, wherein the first enterprise data in the secure document container is logically separate from the private data in the second portion of the computer-readable storage;
  
  an access manager implemented by computer-executable code stored on the computer-readable storage of the mobile device that limits access to the file system for the first portion of the computer-readable storage based on one or more document-access policies that restrict availability of the first enterprise data stored in the secure document container, wherein a non-enterprise application not associated with the enterprise is prevented from accessing the first enterprise data stored in the secure document container; and
  
  a secure virtual machine implemented by computer-executable code stored on the computer-readable storage of the mobile device, wherein an enterprise application associated with the enterprise and running in the secure virtual machine is configured to access the first enterprise data stored in the secure document container,wherein the first enterprise data is only accessible by the enterprise application associated with the enterprise after the enterprise application receives correct user credentials from the user, andwherein the document-access policies prevent a second enterprise document from being saved in the secure document container, wherein the second enterprise document is available for viewing on the mobile device only when the mobile device is connected to a system of the enterprise.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The mobile device of claim 1, wherein the access manager enables the enterprise to remotely initiate deletion of at least a portion of the first enterprise data from the secure document container, without modifying the private data stored in the second portion of the computer-readable storage.
  - 3. The mobile device of claim 1, wherein the access manager determines whether to store, in the secure document container, third enterprise data received from an enterprise computing system of the enterprise based on a mode of communication between the mobile device and the enterprise computing system, wherein:
    - in a case of the mode of communication being a first mode of communication, the third enterprise data received from the enterprise computing system is stored in the secure document container, andin a case of the mode of communication being a second mode of communication, the third enterprise data received from the enterprise computing system is stored in the second portion of the computer-readable storage.
  - 4. The mobile device of claim 3, wherein the first mode of communication comprises the mobile device receiving the third enterprise data via an application tunnel through a tunneling mediator of the enterprise computing system.
  - 5. The mobile device of claim 1, wherein the access manager prevents, based on the one or more document-access policies, the non-enterprise application not associated with the enterprise from copying data from the at least one enterprise document stored in the secure document container.
  - 6. The mobile device of claim 1, wherein the access manager limits access to the at least one enterprise document in the secure document container based on properties of a software application requesting access to the at least one enterprise document.
  - 7. The mobile device of claim 1, wherein the access manager prevents, based on the one or more document-access policies, a software application from saving the at least one enterprise document to the second portion of the computer-readable storage of the mobile device.
  - 8. The mobile device of claim 1, wherein the access manager prevents, based on the one or more document-access policies, a software application from attaching the at least one enterprise document to an email sent from the mobile device.
  - 9. The mobile device of claim 1, comprising an executable component implemented by computer-executable code stored on the computer-readable storage of the mobile device, the executable component configured to:
    - determine that the at least one enterprise document is attached to an email being send from the mobile device;
      
      encrypt the at least one enterprise document attached to the email being sent from the mobile device using an attachment key;
      
      encrypt the attachment key; and
      
      cause transmission of the encrypted attachment key with the encrypted at least one enterprise document attached to the email being sent from the mobile device.

10. A method comprising:
- creating, by a secure container component installed on a mobile device, a secure document container on computer-readable storage of the mobile device, the secure document container being encrypted and comprising a file system for a first portion of the computer-readable storage, wherein the first portion is separate from a second portion of the computer-readable storage of the mobile device, wherein the second portion of the computer-readable storage stores private data of a user of the mobile device, the private data associated with activity of the user that is outside of a role of the user in an enterprise, the second portion of the computer-readable storage being unencrypted;
  
  receiving, by the mobile device, first enterprise data from an enterprise resource of the enterprise;
  
  storing, by the mobile device, the first enterprise data in the secure document container, the storing occurring automatically under control of an enterprise agent running on the mobile device;
  
  selectively controlling, by the mobile device, access to the first enterprise data in the secure document container in accordance with one or more document-access policies, the one or more document-access policies defining conditions for accessing the first enterprise data in the secure document container, wherein access to the second portion of the computer-readable storage of the mobile device is provided independent of the one or more document-access policies,wherein a non-enterprise application installed on the mobile device and not associated with the enterprise is prevented from accessing the first enterprise data in the secure document container,wherein an enterprise application associated with the enterprise and running in a secure virtual machine on the mobile device is configured to access the first enterprise data in the secure document container,wherein the first enterprise data in the secure document container is only accessible by the enterprise application associated with the enterprise after the enterprise application receives correct user credentials from the user of the mobile device, andwherein the one or more document-access policies prevent an enterprise document from being saved in the secure document container, wherein the enterprise document is available for viewing on the mobile device only when the mobile device is connected to a system of the enterprise.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, comprising:
    - deleting, by the mobile device, the first enterprise data in the secure document container responsive to at least one of an indication that the mobile device is compromised and an indication that the user is no longer associated with the enterprise; and
      
      leaving, by the mobile device, the second portion of the computer-readable storage of the mobile device unmodified.
  - 12. The method of claim 10, comprising deleting, by the mobile device, the first enterprise data in the secure document container in response to receiving an indication of an expiration of a period of time.
  - 13. The method of claim 10, wherein the conditions for accessing the first enterprise data in the secure document container comprise one or more of:
    - an expiration of a period of time; and
      
      a location of the mobile device being outside of a geographical zone.
  - 14. The method of claim 10, wherein the conditions for accessing the first enterprise data in the secure document container comprise which component of the mobile device requests access to the first enterprise data in the secure document container.
  - 15. The method of claim 10, wherein the first enterprise data is received from the enterprise resource via an application tunnel formed between the enterprise resource and an application running on the mobile device, the application tunnel using protocol encapsulation to send data over a network.
  - 16. The method of claim 15, wherein storing the first enterprise data in the secure document container of the mobile device is at least partly responsive to detecting that the first enterprise data was received from the enterprise resource via the application tunnel.
  - 17. The method of claim 10, comprising preventing the first enterprise data in the secure document container from being saved to the second portion of the computer-readable storage of the mobile device.
  - 18. The method of claim 10, comprising deleting the first enterprise data from the secure document container in response to receiving an indication that a location of the mobile device is outside of a predefined geographical zone.

19. A non-transitory storage medium comprising instructions stored thereon executable by a processor of a mobile device to perform a process comprising:
- creating, within a first portion of a memory of the mobile device, a secure document container, the secure document container comprising a file system and being encrypted, wherein the first portion is separate from a second portion of the memory of the mobile device, wherein the second portion of the memory stores private data of a user of the mobile device, the private data associated with activity of the user that is outside of a role of the user in an enterprise, and the second portion of the memory being unencrypted;
  
  storing first enterprise data in the secure document container, the storing occurring automatically under control of an enterprise agent running on the mobile device;
  
  storing non-enterprise data in the second portion of the memory of the mobile device; and
  
  restricting access to the first enterprise data in the secure document container based on one or more rules defining conditions for allowing access to the first enterprise data in the secure document container, wherein access to the second portion of the memory of the mobile device is provided independent of the one or more rules,wherein a non-enterprise application installed on the mobile device and not associated with the enterprise is prevented from accessing the first enterprise data in the secure document container,wherein an enterprise application associated with the enterprise and running in a secure virtual machine on the mobile device is configured to access the first enterprise data in the secure document container,wherein the first enterprise data in the secure document container is only accessible by the enterprise application associated with the enterprise after the enterprise application receives correct user credentials for the user of the mobile device, andwherein the one or more rules prevent an enterprise document from being saved in the secure document container, wherein the enterprise document is available for viewing on the mobile device only when the mobile device is connected to a system of the enterprise.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The non-transitory storage medium of claim 19, wherein the process comprises causing the enterprise application to communicate with an enterprise resource via an application tunnel formed between the enterprise resource and the enterprise application, the application tunnel using protocol encapsulation to send the enterprise data over a network.
  - 21. The non-transitory storage medium of claim 19, wherein the process comprises deleting the first enterprise data in the secure document container without modifying the second portion of the memory of the mobile device, in response to at least one of detecting and receiving an indication of a condition defined in at least one of the one or more rules.
  - 22. The non-transitory storage medium of claim 19, wherein the one or more rules are configured to restrict access to the first enterprise data in the secure document container based on a geographical restriction.
  - 23. The non-transitory storage medium of claim 22, wherein the process comprises deleting at least a portion of the first enterprise data from the secure document container in response to determining that the mobile device is located outside of a defined geographical area.
  - 24. The non-transitory storage medium of claim 19, wherein the enterprise application is running in a secure virtual machine on the mobile device, the secure virtual machine being separate from a virtual machine of an operating system of the mobile device, and wherein the one or more rules prevent an application running outside the secure virtual machine on the mobile device from accessing the first enterprise data in the secure document container.
  - 25. The non-transitory storage medium of claim 19, wherein the process comprises receiving the first enterprise data via an application running in a secure browser installed on the mobile device, the secure browser configured to regulate access of the application running in the secure browser to the secure document container.
  - 26. The non-transitory storage medium of claim 25,wherein the secure document container comprises a secure cache for the secure browser installed on the mobile device, and wherein the secure browser is configured to:
    - determine that a connection speed of a network connection of the mobile device is below a threshold;
      
      prevent the application running in the secure browser from detecting that the connection speed is below the threshold; and
      
      store, in the secure cache in the secure document container, data requested to be transmitted over the network connection by the application running in the secure browser.
  - 27. The non-transitory storage medium of claim 19, wherein the one or more rules are configured to restrict access to the first enterprise data in the secure document container based on a temporal restriction.
  - 28. The non-transitory storage medium of claim 27, wherein the process comprises deleting at least a portion of the first enterprise data from the secure document container when a specified period of time expires.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Qureshi, Waheed, McGinty, John M., Andre, Olivier, Abdullah, Shafaq, DeBenning, Thomas H., Datoo, Ahmed, Roach, Kelly Brian
Primary Examiner(s)
Pham, Hung Q

Application Number

US13/649,069
Publication Number

US 20140006347A1
Time in Patent Office

1,077 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 8/53   Decompilation; Disassembly

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/30   Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/64 : using geofenced areas

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

View All

Secure container for protecting enterprise data on a mobile device

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

523 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Secure container for protecting enterprise data on a mobile device

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

523 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links