US20150281281A1 - Identification of unauthorized application data in a corporate network - Google Patents
- Publication number: US20150281281A1 (application US14/319,136)
- Authority: US (United States)
- Prior art keywords: server, applications, corporate network, rule set, client device
- Legal status: Abandoned
Classifications
- H04L63/0263: Network security; firewalls; filtering policies; rule management
- H04L63/0272: Network security; firewalls; virtual private networks
- H04L63/083: Network security; authentication of entities using passwords
- H04L63/105: Network security; controlling access to devices or network resources; multiple levels of security
- H04L63/20: Network security; managing network security; network security policies in general
- H04W12/08: Wireless communication networks; security arrangements; access security
- H04W12/37: Wireless communication networks; security of mobile devices; managing security policies for mobile devices or for controlling mobile applications
- H04L67/141: Network services; session management; setup of application sessions
Description
- This application claims the priority benefit of U.S. Provisional Application Ser. No. 61/973,248, titled "Mobile Connect," filed Mar. 31, 2014, the disclosure of which is incorporated herein by reference.
- Consumers continue to push for a mechanism that allows them to use their own device to perform typical work tasks. In most cases, these devices are owned by the individual user, which means the company may have zero control over them. Because companies have little if any control over these user devices, there is concern regarding providing the device access to corporate remote networks due to the potential for attack vectors (nefarious applications, leaking, tampering, or otherwise disclosing critical intellectual property owned by the company). The market has coined the term "unmanaged device" or "BYOD" (bring your own device) to represent any device that is not owned or controlled by the company but that needs access to the corporate network so the employee can do their work. In most cases, this device is owned by the employee requesting access. Some companies require employee devices to be put under mobile device management (MDM) control before being allowed onto the corporate network, but such a configuration is not really zero control.
- Most mobile solutions are all or nothing: all data is shared or no data is shared with respect to a corporate intranet (i.e., an appliance-based network). With the advent of BYOD, users need to access the corporate intranet but do not want their personal information to be available to the corporate intranet. Likewise, the corporate intranet may not want to risk exposure to certain content on the user device that is not germane (or appropriate) for the corporate network.
- Secure communication with a corporate network can be achieved through virtual private network (VPN) connections. Current VPN clients that provide application-level control block traffic within the VPN application running on the client device. For example, some companies provide a per-app VPN solution. Despite current per-application VPN solutions, there are still concerns regarding the vulnerability of corporate network access from personal user devices.
- There is a need for managing access to corporate networks by a user's personal device that applies to more than network traffic and provides a more granular solution.
- An appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. The policies applied to application traffic may be generated by an administrator. Policies may also be applied from a remote server to data stored on the user device.
- An embodiment may include a method for establishing a connection. The method may include establishing a connection between a user client device and a VPN (Virtual Private Network) server. The user client device may have a plurality of applications. Corporate network access may be granted by the server to applications within the list of applications on the user device that satisfy a rule set. This rule set will be used by the server to generate a list of applications that may be granted access to the corporate network.
- In an embodiment, a system for establishing a connection may include a server in communication with a user client device. The server may include a processor, memory, and one or more applications stored in memory at the server and executable to establish a connection between a user client device and a server, the user client device having a plurality of applications; receive by a server a list of applications on a user device requesting access to a corporate network; and grant corporate network access by the server to applications within the list of applications on the user device that satisfy a rule set.
- FIG. 1 illustrates a block diagram of a client communicating with a remote server.
- FIG. 2 illustrates a method for providing application access to a network.
- FIG. 3 illustrates a method for generating a rule set for a device application.
- FIG. 4 illustrates a method for generating policies for a device application.
- FIG. 5 is a block diagram of an exemplary system for implementing a computing device.
- An Internet appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. The policies applied to application traffic may be generated by an administrator. Policies may also be applied as the traffic passes through the VPN server before it enters the corporate network.
- FIG. 1 illustrates a block diagram of a client communicating with a remote server. The system of FIG. 1 includes client device 110, network 120, VPN appliance 130, and corporate network 140. VPN appliance 130 may include tunnel server 136, policy server 134, and data store 138. Corporate network 140 may include one or more servers such as corporate server 142.
- Client 110 may include a user device that is not controlled by the entity that provides the corporate network 140. Client 110 may be implemented as a mobile device such as a smart phone, tablet or laptop computer, a desktop computer, or other computing device.
- Network 120 may include one or more networks used to communicate data between client device 120 and, ultimately, corporate server 142. For example, network 120 may include a private network, public network, the Internet, an intranet, a local area network, a wide area network, a wireless network, a cellular network, and a combination of these networks.
- Tunnel server 130 on VPN appliance 125 may establish a VPN tunnel and communicate with client device 110 and serve as an intermediary between client device 110 and corporate server 142. This VPN may be used to allow applications on the client device 110 to communicate with a corporate server 142 in a secure fashion even though traffic is flowing over a public network 120.
- The policy server may include one or more applications that perform functionality discussed herein, such as for example generating and applying policy rules.
- Datastore 138 may store and process data, and is accessible by servers 132, 134 and 136. Datastore 138 may store communication log data, application lists, application information, and other data. The client device 110 may communicate with tunnel server 136 to authorize access to corporate server 142. The client may also communicate through an API Server 132, which is a peer to the tunnel server and is used to authenticate the user, retrieve the list of applications, authenticate a device, and other functionality. Both API Server 132 and Tunnel Server 136 may communicate with policy server 134 to obtain policy decisions to help provide responses to client requests.
- Corporate server 142 of corporate network 140 may be accessed by the user device 110 through tunnel server 136 of VPN appliance 130. In this case, tunnel server 136 may receive and analyze all network traffic to confirm the traffic is from an authorized application before the traffic may access the corporate server. Access to corporate server 142 and other resources on corporate network 140 is determined by both policy server 134 and tunnel server 136. Tunnel Server 136 provides policy enforcement and traffic analysis while policy server 134 is the policy decision point, and the two servers work in concert to both analyze traffic and apply policy.
- FIG. 2 illustrates a method for providing application access to a network. A VPN connection is established between the tunnel server and an agent on the client at step 205. The agent may initiate the VPN establishment by sending a VPN request to the VPN appliance.
- A user is authenticated at step 210. User authentication is performed to identify the user of the device. A user device is then classified to determine if it meets acceptable parameters at step 215. After the user authenticates, the system will attempt to verify the user's device. In some instances, an administrator defines a set of device attributes, and the system may attempt to find a set of attributes that match the device. Classification of the device may include retrieval of a unique equipment identifier along with other device attribute data. The unique equipment identifier and device attribute data may be collected by an agent and transmitted to policy server 134. The attribute data may be used by the policy server to determine if client device 110 may allow for application control by the policy server via the agent.
- Once the user is authenticated and the device is classified, the data store is queried to determine if a matching entry for the user and device exists. If the user and device combination are found in the data store, then the user and device have established a connection with the corporate network before, and the version of the user agreement previously agreed to by the user is checked against the most recent version. If the most recent user agreement has not changed from the stored user agreement for the user and device combination, then the present system does not present the user with the same user agreement again, and a portion of or all of step 220 (and the corresponding method of FIG. 4) will not be performed for the current session.
- If the device requires a new user agreement to be accepted, either because the user and device combination is not found in the data store or the current version of the user agreement does not match the stored version of the user agreement, the method continues to step 220.
- User acceptance of a user agreement is verified at step 220. Once a user accepts a user agreement, the user may be authorized for the corporate network access. In some embodiments, a policy server determines authorization of the user and device, and checks access permissions. The policy allows for application access to particular data for a particular device type and user type. Once the user has accepted the user agreement, the user may be authorized to access a corporate network.
- Application traffic may be transmitted to the corporate network at step 225. An agent on the client device may monitor communication data and provide information to the user of the device regarding what applications are communicating with the corporate network.
- Application traffic is transmitted between the client applications and corporate server via a VPN appliance at step 225. When applications first attempt to communicate with the corporate network at step 345, the agent running on the client device sends the application identifier for the application and may send a code signature for the application. The code signature may include a hash of application information of some sort.
- An agent on the client device may monitor communication data and provide information to the user of the device regarding what applications are communicating with the corporate network. From this information, the user may determine if only authorized applications are communicating with the corporate network and if the authorized applications are communicating appropriately.
- Policies may be applied to data at a user device at step 230. Application communication with a server may be analyzed or audited at some point in time. By collecting data for the application communication with the server, a user may determine if the application is complying with any relevant policies or requirements. Storing data for subsequent auditing is discussed in more detail below with respect to FIG. 4.
- FIG. 3 illustrates a method for generating a rule set for a device application. An interface is provided to an administrator for authoring an application policy at step 305. The interface may be provided through a client application, web page, mobile application or other program. The interface may allow the administrator to specify how application traffic and data are to be handled and processed via one or more policies. Each policy may specify one or more parameters such as a particular application, device type, operating system type, time period, set of users, destination IP address or port on the corporate network, and other parameters. Policy rules are received through the interface from the administrator at step 310. The policy rules are stored and applied to an application at step 315.
- FIG. 4 illustrates a method for generating policies for a device application. A corporate network request is received by the tunnel server from an application at step 410. The tunnel server may communicate with the policy server to send detailed information regarding the connection to the policy server. The detailed information may include, for example, application identifier, application signature (e.g., a hash of application information), network destination and user connection information. The policy server compares the information to a rules list at step 420. As part of the comparison, the policy server determines if the connection information corresponds to a rule that grants or denies access to the connection request, or if no rule can be found. If a rule denies access or no rule can be found for the connection information, the request is denied at step 430. If a rule is found that grants access based on the connection information, the connection request is granted and corporate network access is granted at step 435.
- Hence, the present system provides two levels of control. In the first, the client is supposed to only send traffic to the server for the set of applications that may be allowed access. In the second, the tunnel server checks with the policy server for permission to allow traffic that it received to enter the corporate network. This second step is done on the VPN appliance with information provided by the client about the current connection (application, destination, etc.).
- In some instances, there may be only one list of policy rules on an appliance. That list contains rules that grant access at the device level, or the application level or both. A single rule set may grant access to device level and application level access control. Such a single rule set may provide a much better administrator experience.
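The following is an added example, not code from the patent, of the policy decision described for FIG. 4 (steps 410 through 435) applied to the single rule set just described, which holds device-level and application-level rules in one list. It assumes that a matching deny rule takes precedence over a matching grant rule, that the agent's code signature is a SHA-256 of application information, and that all rule and connection values are constructed for illustration.

```python
"""Policy decision point modelled on FIG. 4; all names and values are constructed."""
from dataclasses import dataclass
import hashlib
import ipaddress
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ConnectionInfo:
    """Detail the tunnel server forwards to the policy server (step 410)."""
    user: str
    device_type: str
    os_type: str
    app_id: str
    app_signature: str   # hash of application information sent by the agent
    dest_ip: str
    dest_port: int
    hour: int            # hour of the request, 0-23, for time-period rules


@dataclass(frozen=True)
class Rule:
    """One entry of the single rule set; unset fields are wildcards.
    app_id=None makes it a device-level rule, app_id set an application-level one."""
    action: str                                # "grant" or "deny"
    app_id: Optional[str] = None
    app_signature: Optional[str] = None        # pinned expected hash, if any
    device_types: FrozenSet[str] = frozenset()
    os_types: FrozenSet[str] = frozenset()
    users: FrozenSet[str] = frozenset()
    dest_net: Optional[str] = None             # CIDR on the corporate network
    dest_ports: FrozenSet[int] = frozenset()
    hours: Optional[Tuple[int, int]] = None    # inclusive (start, end) hours

    def _hour_ok(self, hour: int) -> bool:
        if self.hours is None:
            return True
        start, end = self.hours
        if start <= end:
            return start <= hour <= end
        return hour >= start or hour <= end    # window wraps past midnight

    def matches(self, c: ConnectionInfo) -> bool:
        """Every field that is set must agree with the connection information."""
        if self.app_id is not None and self.app_id != c.app_id:
            return False
        if self.app_signature is not None and self.app_signature != c.app_signature:
            return False
        if self.device_types and c.device_type not in self.device_types:
            return False
        if self.os_types and c.os_type not in self.os_types:
            return False
        if self.users and c.user not in self.users:
            return False
        if self.dest_net is not None and (
            ipaddress.ip_address(c.dest_ip) not in ipaddress.ip_network(self.dest_net)
        ):
            return False
        if self.dest_ports and c.dest_port not in self.dest_ports:
            return False
        return self._hour_ok(c.hour)


def decide(rules: List[Rule], conn: ConnectionInfo) -> str:
    """Steps 420-435: a matching deny rule wins (assumed precedence), a grant
    needs a matching grant rule, and no matching rule at all means deny."""
    matched = [r for r in rules if r.matches(conn)]
    if not matched or any(r.action == "deny" for r in matched):
        return "deny"
    return "grant"


def app_signature(app_info: str) -> str:
    """Constructed stand-in for the agent's code signature (SHA-256 of app info)."""
    return hashlib.sha256(app_info.encode()).hexdigest()


# Constructed rule set: one device-level rule, one pinned application-level
# grant, and one application-level deny, all in the same list.
MAIL_SIG = app_signature("com.example.mail 4.2.1")
RULES = [
    Rule("grant", device_types=frozenset({"tablet"}),
         os_types=frozenset({"iOS", "Android"}), dest_net="10.0.0.0/8",
         dest_ports=frozenset({443}), hours=(7, 19)),
    Rule("grant", app_id="com.example.mail", app_signature=MAIL_SIG,
         dest_net="10.1.2.0/24", dest_ports=frozenset({993})),
    Rule("deny", app_id="com.example.filesharer"),
]


def request(user, device, os_name, app, sig, ip, port, hour) -> str:
    """Evaluate one connection against the constructed RULES."""
    return decide(RULES, ConnectionInfo(user, device, os_name, app, sig, ip, port, hour))


if __name__ == "__main__":
    # pinned mail client to the mail server: grant; tampered signature: deny
    print(request("alice", "tablet", "iOS", "com.example.mail", MAIL_SIG, "10.1.2.5", 993, 10))
    print(request("alice", "tablet", "iOS", "com.example.mail", "0" * 64, "10.1.2.5", 993, 10))
    # device-level grant is overridden by the application-level deny
    print(request("bob", "tablet", "Android", "com.example.filesharer", "", "10.3.0.1", 443, 10))
```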
- FIG. 5 is a block diagram of an exemplary system for implementing a computing device. System 500 of FIG. 5 may be implemented in the contexts of the likes of client device 110, VPN appliance 130 and corporate server 142. The computing system 500 of FIG. 5 includes one or more processors 510 and memory 520. Main memory 510 stores, in part, instructions and data for execution by processor 510. Main memory 520 can store the executable code when in operation. The system 500 of FIG. 5 further includes a mass storage device 530, portable storage medium drive(s) 540, output devices 550, user input devices 560, a graphics display 570, and peripheral devices 580.
- The components shown in FIG. 5 are depicted as being connected via a single bus 590. However, the components may be connected through one or more data transport means. For example, processor unit 510 and main memory 520 may be connected via a local microprocessor bus, and the mass storage device 530, peripheral device(s) 580, portable storage device 540, and display system 570 may be connected via one or more input/output (I/O) buses.
- Mass storage device 530, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 510. Mass storage device 530 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 520.
- Portable storage device 540 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or digital video disc, to input and output data and code to and from the computer system 500 of FIG. 5. The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 500 via the portable storage device 540.
- Input devices 560 provide a portion of a user interface. Input devices 560 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. Additionally, the system 500 as shown in FIG. 5 includes output devices 550. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
- Display system 570 may include a liquid crystal display (LCD) or other suitable display device. Display system 570 receives textual and graphical information, and processes the information for output to the display device.
- Peripherals 580 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 580 may include a modem or a router.
- The components contained in the computer system 500 of FIG. 5 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system 500 of FIG. 5 can be a personal computer, hand-held computing device, telephone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Palm OS, iOS, Android and other suitable operating systems.
- The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen in order to best explain the principles of the technology and its practical application, to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims appended hereto.
Claims (36)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/319,136 US20150281281A1 (en) | 2014-03-31 | 2014-06-30 | Identification of unauthorized application data in a corporate network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201461973248P | 2014-03-31 | 2014-03-31 | |
US14/319,136 US20150281281A1 (en) | 2014-03-31 | 2014-06-30 | Identification of unauthorized application data in a corporate network |
Publications (1)
Publication Number | Publication Date |
---|---|
US20150281281A1 true US20150281281A1 (en) | 2015-10-01 |
Family
ID=54191900
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/319,145 Active US10382398B2 (en) | 2014-03-31 | 2014-06-30 | Application signature authorization |
US14/319,136 Abandoned US20150281281A1 (en) | 2014-03-31 | 2014-06-30 | Identification of unauthorized application data in a corporate network |
US14/319,166 Abandoned US20150281003A1 (en) | 2014-03-31 | 2014-06-30 | Mobile application control |
US16/533,665 Active 2034-11-12 US11140131B2 (en) | 2014-03-31 | 2019-08-06 | Application signature authorization |
Country Status (1)
Country | Link |
---|---|
US (4) | US10382398B2 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150334133A1 (en) * | 2014-05-14 | 2015-11-19 | Sequitur Labs Inc. | Hardware implementation methods and system for secure, policy-based access control for computing devices |
US10382398B2 (en) | 2014-03-31 | 2019-08-13 | Sonicwall Inc. | Application signature authorization |
US10419488B2 (en) | 2017-03-03 | 2019-09-17 | Microsoft Technology Licensing, Llc | Delegating security policy management authority to managed accounts |
US10511632B2 (en) | 2017-03-03 | 2019-12-17 | Microsoft Technology Licensing, Llc | Incremental security policy development for an enterprise network |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020129271A1 (en) * | 2001-03-12 | 2002-09-12 | Lucent Technologies Inc. | Method and apparatus for order independent processing of virtual private network protocols |
US7155512B2 (en) * | 2001-05-23 | 2006-12-26 | Tekelec | Methods and systems for automatically configuring network monitoring system |
US7448080B2 (en) * | 2003-06-30 | 2008-11-04 | Nokia, Inc. | Method for implementing secure corporate communication |
Family Cites Families (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7076568B2 (en) * | 1997-10-14 | 2006-07-11 | Alacritech, Inc. | Data communication apparatus for computer intelligent network interface card which transfers data between a network and a storage device according designated uniform datagram protocol socket |
US6963740B1 (en) * | 2001-07-31 | 2005-11-08 | Mobile-Mind, Inc. | Secure enterprise communication system utilizing enterprise-specific security/trust token-enabled wireless communication devices |
US6804777B2 (en) * | 2002-05-15 | 2004-10-12 | Threatguard, Inc. | System and method for application-level virtual private network |
US7353533B2 (en) | 2002-12-18 | 2008-04-01 | Novell, Inc. | Administration of protection of data accessible by a mobile device |
US7526800B2 (en) | 2003-02-28 | 2009-04-28 | Novell, Inc. | Administration of protection of data accessible by a mobile device |
US8020192B2 (en) | 2003-02-28 | 2011-09-13 | Michael Wright | Administration of protection of data accessible by a mobile device |
US20080109679A1 (en) | 2003-02-28 | 2008-05-08 | Michael Wright | Administration of protection of data accessible by a mobile device |
US7099974B2 (en) * | 2003-03-20 | 2006-08-29 | International Business Machines Corporation | Method, apparatus, and system for reducing resource contention in multiprocessor systems |
US20050183143A1 (en) | 2004-02-13 | 2005-08-18 | Anderholm Eric J. | Methods and systems for monitoring user, application or device activity |
US7546956B2 (en) | 2004-04-30 | 2009-06-16 | Research In Motion Limited | System and method of operation control on an electronic device |
WO2006042410A1 (en) * | 2004-10-20 | 2006-04-27 | Rateflex Systems, Inc. | System and method for managing use and access of a communication network |
US7617541B2 (en) | 2005-09-09 | 2009-11-10 | Netapp, Inc. | Method and/or system to authorize access to stored data |
US20070220511A1 (en) * | 2006-03-15 | 2007-09-20 | Clarke James C | Ensuring a stable application debugging environment via a unique hashcode identifier |
US7917963B2 (en) | 2006-08-09 | 2011-03-29 | Antenna Vaultus, Inc. | System for providing mobile data security |
US9454527B2 (en) * | 2007-05-11 | 2016-09-27 | Robert E. Marsh | Method and computer-readable media for creating verified business transaction documents |
US8280373B2 (en) * | 2007-09-04 | 2012-10-02 | Airwide Solutions Inc. | Terminal device control server and method for controlling access to a mobile communication network |
US8589541B2 (en) | 2009-01-28 | 2013-11-19 | Headwater Partners I Llc | Device-assisted services for protecting network capacity |
US8463733B2 (en) * | 2008-11-11 | 2013-06-11 | Oracle International Corporation | Using dotplots for comparing and finding patterns in sequences of data points |
US8793758B2 (en) | 2009-01-28 | 2014-07-29 | Headwater Partners I Llc | Security, fraud detection, and fraud mitigation in device-assisted services systems |
US9195982B2 (en) * | 2010-02-04 | 2015-11-24 | Rick N. Orr | System and method for interfacing a client device with a point of sale system |
US8990920B2 (en) * | 2011-02-11 | 2015-03-24 | Mocana Corporation | Creating a virtual private network (VPN) for a single app on an internet-enabled device or system |
US8938809B2 (en) * | 2011-06-24 | 2015-01-20 | Google Technology Holdings LLC | Retrieval of data across multiple partitions of a storage device using digital signatures |
US9143530B2 (en) * | 2011-10-11 | 2015-09-22 | Citrix Systems, Inc. | Secure container for protecting enterprise data on a mobile device |
US20140032733A1 (en) | 2011-10-11 | 2014-01-30 | Citrix Systems, Inc. | Policy-Based Application Management |
US8713684B2 (en) | 2012-02-24 | 2014-04-29 | Appthority, Inc. | Quantifying the risks of applications for mobile devices |
US9405723B2 (en) | 2012-05-02 | 2016-08-02 | Kony, Inc. | Mobile application management systems and methods thereof |
US9532286B2 (en) | 2012-06-15 | 2016-12-27 | Hewlett Packard Enterprise Development Lp | Controlling communication of data for different user personas |
US9847948B2 (en) * | 2012-07-09 | 2017-12-19 | Eturi Corp. | Schedule and location responsive agreement compliance controlled device throttle |
US9245128B2 (en) | 2013-03-06 | 2016-01-26 | Microsoft Technology Licensing, Llc | Limiting enterprise applications and settings on devices |
US9396320B2 (en) * | 2013-03-22 | 2016-07-19 | Nok Nok Labs, Inc. | System and method for non-intrusive, privacy-preserving authentication |
US20130254889A1 (en) | 2013-03-29 | 2013-09-26 | Sky Socket, Llc | Server-Side Restricted Software Compliance |
US9703987B2 (en) | 2013-05-02 | 2017-07-11 | Syntonic Wireless, Inc. | Identity based connected services |
US9576153B2 (en) * | 2013-08-23 | 2017-02-21 | Cellco Partnership | Device and method for providing information from a backend component to a frontend component by a secure device management abstraction and unification module |
US10382398B2 (en) | 2014-03-31 | 2019-08-13 | Sonicwall Inc. | Application signature authorization |
2014
- 2014-06-30 US US14/319,145 patent/US10382398B2/en active Active
- 2014-06-30 US US14/319,136 patent/US20150281281A1/en not_active Abandoned
- 2014-06-30 US US14/319,166 patent/US20150281003A1/en not_active Abandoned

2019
- 2019-08-06 US US16/533,665 patent/US11140131B2/en active Active
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10382398B2 (en) | 2014-03-31 | 2019-08-13 | Sonicwall Inc. | Application signature authorization |
US11140131B2 (en) | 2014-03-31 | 2021-10-05 | Sonicwall Inc. | Application signature authorization |
US20150334133A1 (en) * | 2014-05-14 | 2015-11-19 | Sequitur Labs Inc. | Hardware implementation methods and system for secure, policy-based access control for computing devices |
US10581852B2 (en) * | 2014-05-14 | 2020-03-03 | Sequitur Labs, Inc. | Hardware implementation methods and system for secure, policy-based access control for computing devices |
US10419488B2 (en) | 2017-03-03 | 2019-09-17 | Microsoft Technology Licensing, Llc | Delegating security policy management authority to managed accounts |
US10511632B2 (en) | 2017-03-03 | 2019-12-17 | Microsoft Technology Licensing, Llc | Incremental security policy development for an enterprise network |
Also Published As
Publication number | Publication date |
---|---|
US20200053051A1 (en) | 2020-02-13 |
US11140131B2 (en) | 2021-10-05 |
US20150281003A1 (en) | 2015-10-01 |
US10382398B2 (en) | 2019-08-13 |
US20150281282A1 (en) | 2015-10-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11647005B2 (en) | Systems and methods for application pre-launch | |
US10880292B2 (en) | Seamless transition between WEB and API resource access | |
US9087189B1 (en) | Network access control for cloud services | |
US9313203B2 (en) | Systems and methods for identifying a secure application when connecting to a network | |
US11558484B2 (en) | Systems and methods for secure peer-to-peer caching | |
CN113711563B (en) | Fine granularity token based access control | |
US10623508B2 (en) | Systems and methods for integrated service discovery for network applications | |
US9225744B1 (en) | Constrained credentialed impersonation | |
US20230048038A1 (en) | Systems and methods for traffic accounting for saas usage | |
US11647025B2 (en) | Systems and methods for continuous authentication | |
US11140131B2 (en) | Application signature authorization | |
US11841931B2 (en) | Systems and methods for dynamically enforcing digital rights management via embedded browser | |
US9081982B2 (en) | Authorized data access based on the rights of a user and a location | |
US10366240B1 (en) | Authorization to access a server in the cloud without obtaining an initial secret | |
KR20110117136A (en) | Secure system access without password sharing | |
US11290574B2 (en) | Systems and methods for aggregating skills provided by a plurality of digital assistants | |
US11411904B2 (en) | Systems and methods for filtering notifications for end points associated with a user | |
US10999067B2 (en) | Data stream identity | |
US10432587B2 (en) | VPN deep packet inspection | |
WO2022095958A1 (en) | Resource management method and device, computer system, and readable storage medium | |
US20230155984A1 (en) | Trusted execution environment for service mesh | |
EP2790123A1 (en) | Generating A Data Audit Trail For Cross Perimeter Data Transfer |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT, TEXAS Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS L.P.;DELL SOFTWARE INC.;REEL/FRAME:040039/0642 Effective date: 20160907 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NORTH CAROLINA Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS, L.P.;DELL SOFTWARE INC.;REEL/FRAME:040030/0187 Effective date: 20160907 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS, L.P.;DELL SOFTWARE INC.;REEL/FRAME:040030/0187 Effective date: 20160907 Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., A Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS L.P.;DELL SOFTWARE INC.;REEL/FRAME:040039/0642 Effective date: 20160907 |
| AS | Assignment | Owner name: DELL SOFTWARE INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:DELL PRODUCTS L.P.;REEL/FRAME:040520/0220 Effective date: 20161031 Owner name: DELL SOFTWARE INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016 Effective date: 20161031 Owner name: AVENTAIL LLC, CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467 Effective date: 20161031 Owner name: DELL SOFTWARE INC., CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467 Effective date: 20161031 Owner name: DELL PRODUCTS, L.P., TEXAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467 Effective date: 20161031 Owner name: DELL PRODUCTS L.P., TEXAS Free format text: RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016 Effective date: 20161031 Owner name: AVENTAIL LLC, CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016 Effective date: 20161031 |
| AS | Assignment | Owner name: QUEST SOFTWARE INC., CALIFORNIA Free format text: CHANGE OF NAME;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040551/0885 Effective date: 20161101 |
| AS | Assignment | Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040581/0850 Effective date: 20161031 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040581/0850 Effective date: 20161031 |
| AS | Assignment | Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040587/0624 Effective date: 20161031 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040587/0624 Effective date: 20161031 |
| AS | Assignment | Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CALIFORNIA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598 Effective date: 20171114 Owner name: AVENTAIL LLC, CALIFORNIA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598 Effective date: 20171114 Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CA Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598 Effective date: 20171114 |
| AS | Assignment | Owner name: SONICWALL US HOLDINGS INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PETERSON, CHRISTOPHER D.;REEL/FRAME:045522/0542 Effective date: 20160901 |
| AS | Assignment | Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CALIFORNIA Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735 Effective date: 20180518 Owner name: AVENTAIL LLC, CALIFORNIA Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735 Effective date: 20180518 Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CA Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735 Effective date: 20180518 |
| AS | Assignment | Owner name: SONICWALL US HOLDINGS INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TELEHOWSKI, DAVID;REEL/FRAME:046287/0434 Effective date: 20180530 Owner name: SONICWALL US HOLDINGS INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KAUFFMAN, JEFFREY;REEL/FRAME:046287/0479 Effective date: 20180524 |
| AS | Assignment | Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:QUEST SOFTWARE INC.;REEL/FRAME:046327/0347 Effective date: 20180518 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:QUEST SOFTWARE INC.;REEL/FRAME:046327/0486 Effective date: 20180518 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:QUEST SOFTWARE INC.;REEL/FRAME:046327/0347 Effective date: 20180518 Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:QUEST SOFTWARE INC.;REEL/FRAME:046327/0486 Effective date: 20180518 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
| AS | Assignment | Owner name: QUEST SOFTWARE INC., CALIFORNIA Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:059105/0479 Effective date: 20220201 Owner name: QUEST SOFTWARE INC., CALIFORNIA Free format text: RELEASE OF SECOND LIEN SECURITY INTEREST IN PATENTS;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:059096/0683 Effective date: 20220201 |