IDENTIFICATION OF UNAUTHORIZED APPLICATION DATA IN A CORPORATE NETWORK
An appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. The policies applied to application traffic may be generated by an administrator. Policies may also be applied from a remote server to data stored on the user device.
This application claims the priority benefit of U.S. Provisional Application Ser. No. 61/973,248, titled “Mobile Connect,” filed Mar. 31, 2014, the disclosure of which is incorporated herein by reference.
BACKGROUND OF THE INVENTION
Consumers continue to push for a mechanism that allows them to use their own devices to perform typical work tasks. In most cases these devices are owned by the individual user, which means the company may have zero control over them. Because companies have little if any control over these user devices, there is concern regarding giving such a device access to corporate remote networks, due to the potential attack vectors (nefarious applications, leaking, tampering, or otherwise disclosing critical intellectual property owned by the company). The market has coined the terms "unmanaged device" and "BYOD" (bring your own device) for any device that is not owned or controlled by the company but needs access to the corporate network so the employee can do their work. In most cases, this device is owned by the employee requesting access. Some companies require employee devices to be put under mobile device management (MDM) control before they are allowed onto the corporate network, but such a configuration is no longer one in which the company has zero control over the device.
Most mobile solutions are all or nothing—all data is shared or no data is shared with respect to a corporate intranet (i.e., an appliance based network). With the advent of BYOD, users need to access the corporate intranet but do not want their personal information to be available to the corporate intranet. Likewise, the corporate intranet may not want to risk exposure to certain content on the user device that is not germane (or appropriate) for the corporate network.
Secure communication with a corporate network can be achieved through virtual private network (VPN) connections. Current VPN clients that provide application-level control do so by blocking traffic within the VPN application running on the client device. For example, some vendors provide a per-app VPN solution. Despite these per-application VPN solutions, concerns remain about the vulnerability of the corporate network to access from personal user devices.
There is a need for managing access to corporate networks by a user's personal device that applies to more than network traffic and provides a more granular solution.
SUMMARY OF THE CLAIMED INVENTION
An appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. The policies applied to application traffic may be generated by an administrator. Policies may also be applied from a remote server to data stored on the user device.
An embodiment may include a method for establishing a connection. The method may include establishing a connection between a user client device and a VPN (Virtual Private Network) server, the user client device having a plurality of applications. The server may receive a list of applications on the user device that request access to the corporate network, and may grant corporate network access to those applications within the list that satisfy a rule set. The rule set is thus used by the server to generate the list of applications that may be granted access to the corporate network.
In an embodiment, a system for establishing a connection may include a server in communication with a user client device. The server may include a processor, memory, and one or more applications stored in memory at the server and executable to establish a connection between the user client device and the server, the user client device having a plurality of applications; receive at the server a list of applications on the user device requesting access to a corporate network; and grant corporate network access by the server to applications within the list of applications on the user device that satisfy a rule set.
An Internet appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. The policies applied to application traffic may be generated by an administrator. Policies may also be applied as the traffic passes through the VPN server before it enters the corporate network.
Client 110 may include a user device that is not controlled by the entity that provides the corporate network 140. Client 110 may be implemented as a mobile device such as a smart phone, tablet or laptop computer, a desktop computer, or other computing device.
Network 120 may include one or more networks used to communicate data between client device 110 and, ultimately, corporate server 142. For example, network 120 may include a private network, a public network, the Internet, an intranet, a local area network, a wide area network, a wireless network, a cellular network, or a combination of these networks.
Tunnel server 136 on VPN appliance 130 may establish a VPN tunnel, communicate with client device 110, and serve as an intermediary between client device 110 and corporate server 142. This VPN may be used to allow applications on client device 110 to communicate with corporate server 142 in a secure fashion even though traffic is flowing over public network 120.
Policy server 134 may include one or more applications that perform functionality discussed herein, such as generating and applying policy rules. Datastore 138 may store and process data, and is accessible by servers 132, 134 and 136. For example, datastore 138 may store communication log data, application lists, application information, and other data. Client device 110 may communicate with tunnel server 136 to authorize access to corporate server 142. The client may also communicate with API server 132, which is a peer to the tunnel server and is used to authenticate the user, retrieve the list of applications, authenticate the device, and provide other functionality. Both API server 132 and tunnel server 136 may communicate with policy server 134 to obtain policy decisions used to respond to client requests.
Corporate server 142 of corporate network 140 may be accessed by the user device 110 through tunnel server 136 of VPN appliance 130. In this case, tunnel server 136 may receive and analyze all network traffic to confirm the traffic is from an authorized application before the traffic may access the corporate server. Access to corporate server 142 and other resources on corporate network 140 is determined by both policy server 134 and tunnel server 136. Tunnel Server 136 provides policy enforcement and traffic analysis while policy server 134 is the policy decision point, and the two servers work in concert to both analyze traffic and apply policy.
A user is authenticated at step 210. User authentication is performed to identify the user of the device. A user device is then classified to determine if it meets acceptable parameters at step 215. After the user authenticates, the system will attempt to verify the user's device. In some instances, an administrator defines a set of device attributes, and the system may attempt to find a set of attributes that match the device. Classification of the device may include retrieval of a unique equipment identifier along with other device attribute data. The unique equipment identifier and device attribute data may be collected by an agent and transmitted to policy server 134. The attribute data may be used by the policy server to determine if client device 110 may allow for application control by the policy server via the agent.
Once the user is authenticated and the device is classified, the data store is queried to determine whether a matching entry for the user and device exists. If the user and device combination is found in the data store, then the user and device have established a connection with the corporate network before, and the version of the user agreement previously accepted by the user is checked against the most recent version. If the most recent user agreement has not changed from the version stored for the user and device combination, then the present system does not present the same user agreement to the user again, and a portion of or all of step 220 (and corresponding method of
If the device requires a new user agreement to be accepted, either because the user and device combination is not found in the data store or the current version of the user agreement does not match the stored version of the user agreement, the method continues to step 220.
User acceptance of a user agreement is verified at step 220. Once the user has accepted the user agreement, the user may be authorized for corporate network access. In some embodiments, a policy server determines the authorization of the user and device and checks access permissions. The policy allows application access to particular data for a particular device type and user type.
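The admission sequence of steps 210 through 220 (authenticate the user, classify the device against administrator-defined attribute sets, then consult the data store to decide whether the user agreement must be accepted again) can be written out as follows. This is an added example, not code from the patent; the user table, the PBKDF2 password hashing, the device profiles, the equipment identifiers and the data store contents are all constructed for illustration.

```python
"""Added example (not the patent's code): steps 210-220 of the admission flow.
Assumed data: a user table holding PBKDF2 password hashes, administrator-
defined device attribute sets, and a datastore keyed by (user, equipment id)
that records which user-agreement version was accepted."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import hmac
import os

CURRENT_AGREEMENT_VERSION = 3


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record: (salt, derived key). "correct horse" is the demo password.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}


@dataclass(frozen=True)
class DeviceProfile:
    """One administrator-defined set of device attributes (step 215)."""
    name: str
    required: dict      # attribute name -> value the device must report
    app_control: bool   # whether the policy server can control apps via the agent


# Constructed profiles; a device matches the first profile whose attributes it satisfies.
DEVICE_PROFILES = (
    DeviceProfile("ios-agent", {"os": "iOS", "agent": "present"}, True),
    DeviceProfile("android-agent", {"os": "Android", "agent": "present"}, True),
    DeviceProfile("no-agent", {"agent": "absent"}, False),
)

# Constructed datastore: alice previously accepted agreement version 2 on this device.
DATASTORE = {("alice", "IMEI-0001"): {"agreement_version": 2}}


def authenticate_user(username: str, password: str) -> bool:
    """Step 210: constant-time comparison of the derived key."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(expected, _pbkdf2(password, salt))


def classify_device(attrs: dict) -> Optional[DeviceProfile]:
    """Step 215: find an administrator-defined attribute set matching the device."""
    for profile in DEVICE_PROFILES:
        if all(attrs.get(k) == v for k, v in profile.required.items()):
            return profile
    return None


def agreement_required(user: str, equipment_id: str) -> bool:
    """True if no prior (user, device) entry exists or the accepted version is stale."""
    entry = DATASTORE.get((user, equipment_id))
    return entry is None or entry["agreement_version"] != CURRENT_AGREEMENT_VERSION


def accept_agreement(user: str, equipment_id: str, version: int = CURRENT_AGREEMENT_VERSION) -> None:
    """Step 220: record acceptance for this user/device combination."""
    DATASTORE[(user, equipment_id)] = {"agreement_version": version}


def admit(username: str, password: str, attrs: dict) -> Tuple[str, object]:
    """Run steps 210-220 in order; returns (status, detail)."""
    if not authenticate_user(username, password):
        return "denied", "authentication failed"
    profile = classify_device(attrs)
    if profile is None:
        return "denied", "device matches no administrator-defined attribute set"
    if agreement_required(username, attrs["equipment_id"]):
        return "agreement_required", CURRENT_AGREEMENT_VERSION
    return "authorized", {"device_class": profile.name, "app_control": profile.app_control}
```

The order matters: the device is classified only after the user authenticates, and the agreement check only runs for a classified device, so an unauthenticated or unclassifiable client never learns which agreement version is current.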
Application traffic may be transmitted to the corporate network at step 225. An agent on the client device may monitor communication data and provide information to the user of the device regarding what applications are communicating with the corporate network.
Application traffic is transmitted between the client applications and the corporate server via the VPN appliance at step 225. When an application first attempts to communicate with the corporate network (step 345), the agent running on the client device sends the application identifier for that application and may also send a code signature for the application. The code signature may include a hash computed over information about the application.
An agent on the client device may monitor communication data and provide information to the user of the device regarding what applications are communicating with the corporate network. From this information, the user may determine if only authorized applications are communicating with the corporate network and if the authorized applications are communicating appropriately.
Policies may be applied to data at a user device at step 230. Application communication with a server may be analyzed or audited at some point in time. By collecting data for the application communication with the server, a user may determine if the application is complying with any relevant policies or requirements. Storing data for subsequent auditing is discussed in more detail below with respect to
Hence, the present system provides two levels of control. At the first level, the client is expected to send traffic to the server only for the set of applications that may be allowed access. At the second level, the tunnel server checks with the policy server for permission before allowing traffic it has received to enter the corporate network. This second check is performed on the VPN appliance, using information provided by the client about the current connection (application, destination, etc.), so that admission to the corporate network does not rest solely on filtering performed by the unmanaged device.
In some instances, there may be only one list of policy rules on the appliance. That list contains rules that grant access at the device level, at the application level, or both, so a single rule set can provide both device-level and application-level access control. Such a single rule set may provide a much better administrator experience.
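The second level of control described above, together with the application identifier and code-signature hash the agent sends at first contact and the single rule list that mixes device-level and application-level rules, can be demonstrated as a small policy decision point and policy enforcement point. This is an added example and not the patent's or any vendor's code; the rule fields, the sample application identifiers, the "binaries" that are hashed, the user names and the subnets are all constructed assumptions.

```python
"""Added example (not the patent's code): a policy server (decision point)
evaluating one rule list holding both device-level and application-level
rules, and a tunnel server (enforcement point) that consults it per
connection. Application ids, hashes, users and subnets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple
import hashlib
import hmac

# Constructed stand-ins for the application data the agent would hash into a
# code signature (assumption: SHA-256 over the application build).
SAMPLE_APPS = {
    "com.example.mail": b"mail-client-build-42",
    "com.example.crm": b"crm-client-build-7",
    "com.game.freebird": b"game-build-1",
}


def code_signature(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


@dataclass(frozen=True)
class Rule:
    scope: str                       # "device" or "application"
    users: FrozenSet[str]            # user names, "*" = any user
    device_classes: FrozenSet[str]   # device classifications, "*" = any
    resources: Tuple[str, ...]       # CIDR blocks of corporate resources covered
    action: str                      # "allow" or "deny"
    app_id: Optional[str] = None     # application-level rules only
    app_sha256: Optional[str] = None # expected code signature; None = not pinned


# One list of rules (constructed): two application-level, one device-level.
RULE_SET = [
    Rule("application", frozenset({"*"}), frozenset({"ios-agent", "android-agent"}),
         ("10.1.0.0/24",), "allow", "com.example.mail",
         code_signature(SAMPLE_APPS["com.example.mail"])),
    Rule("application", frozenset({"bob"}), frozenset({"*"}),
         ("10.2.0.0/24",), "allow", "com.example.crm"),
    Rule("device", frozenset({"*"}), frozenset({"ios-agent", "android-agent"}),
         ("10.9.9.0/24",), "allow"),
]


@dataclass
class Context:
    """What the client reports about the current connection."""
    user: str
    device_class: str
    app_id: str
    app_sha256: str
    destination: str


def _match(values: FrozenSet[str], needle: str) -> bool:
    return "*" in values or needle in values


class PolicyServer:
    """Policy decision point: first matching rule wins, default deny."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def decide(self, ctx: Context) -> Tuple[str, Optional[Rule]]:
        dst = ip_address(ctx.destination)
        for r in self.rules:
            if not _match(r.users, ctx.user) or not _match(r.device_classes, ctx.device_class):
                continue
            if not any(dst in ip_network(c) for c in r.resources):
                continue
            if r.scope == "application":
                if r.app_id != ctx.app_id:
                    continue
                if r.app_sha256 is not None and not hmac.compare_digest(r.app_sha256, ctx.app_sha256):
                    continue  # identifier matches but the code signature does not
            return r.action, r
        return "deny", None

    def allowed_applications(self, user: str, device_class: str) -> List[str]:
        """The list the agent uses for first-level, client-side filtering."""
        return sorted({r.app_id for r in self.rules
                       if r.scope == "application" and r.action == "allow"
                       and _match(r.users, user) and _match(r.device_classes, device_class)})


class TunnelServer:
    """Policy enforcement point: second-level check on the appliance, with a log."""
    def __init__(self, pdp: PolicyServer) -> None:
        self.pdp = pdp
        self.log: List[Tuple[str, str, str, str]] = []

    def forward(self, ctx: Context) -> bool:
        action, _rule = self.pdp.decide(ctx)
        self.log.append((ctx.user, ctx.app_id, ctx.destination, action))
        return action == "allow"
```

The device-level rule lets any application on a classified device reach the 10.9.9.0/24 resources, while the mail subnet is reachable only by the pinned mail client; an application that presents the right identifier with a different code signature falls through to the default deny. The signature is still reported by an agent on an unmanaged device, which is why the appliance-side decision is a second level rather than the only one.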
The components shown in
Mass storage device 530, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 510. Mass storage device 530 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 520.
Portable storage device 540 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disc or digital video disc, to input and output data and code to and from the computer system 500 of
Input devices 560 provide a portion of a user interface. Input devices 560 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. Additionally, the system 500 as shown in
Display system 570 may include a liquid crystal display (LCD) or other suitable display device. Display system 570 receives textual and graphical information, and processes the information for output to the display device.
Peripherals 580 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 580 may include a modem or a router.
The components contained in the computer system 500 of
The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen in order to best explain the principles of the technology and its practical application to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims appended hereto.
Claims
1. A method for establishing a connection, comprising:
- establishing a connection between a user client device and a server, the user client device having a plurality of applications;
- receiving by a server a list of applications on a user device requesting access to a corporate network;
- granting corporate network access by the server to applications within the list of applications on the user device that satisfy a rule set.
2. The method of claim 1, wherein the connection is a virtual private network tunnel.
3. The method of claim 1, wherein the server is located on the edge of the corporate network and receives all corporate network access requests.
4. The method of claim 1, wherein granting corporate network access by the server to applications within the list of applications on the user device that satisfy the rule set includes denying corporate network access by the server to applications within the list of applications on the user device that do not satisfy the rule set.
5. The method of claim 1, wherein the rule set includes at least one rule that specifies access by an application of the list of applications to a selected set of corporate resources for a selected set of one or more users.
6. The method of claim 1, wherein the rule set allows a single rule to control both device level corporate network access and application level corporate network access.
7. The method of claim 1, further comprising providing the rule set to the client device from the server, the rule set applied to application data traffic initiated from the client and intended for the corporate network.
8. The method of claim 1, further comprising controlling application data accessed at the user client device by the corporate network based on the rule set.
9. The method of claim 1, wherein the policy controls data access by an application at the user client device.
10. The method of claim 1, wherein the rule set controls whether application data is transmitted to the corporate network.
11. The method of claim 1, wherein the policy is enforced at the server.
12. The method of claim 11, further comprising:
- modifying the rule set; and
- applying the modified rule set to application data at the user client device.
13. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for establishing a connection, the method comprising:
- establishing a connection between a user client device and a server, the user client device having a plurality of applications;
- applying a policy created at a server to data at the user client device;
- controlling data access at the user client device based on the policy;
- receiving by a server a list of applications on a user device requesting access to a corporate network; and
- granting corporate network access by the server to applications within the list of applications on the user device that satisfy a rule set.
14. The non-transitory computer readable storage medium of claim 13, wherein the connection is a virtual private network tunnel.
15. The non-transitory computer readable storage medium of claim 13, wherein the server is located on the edge of the corporate network and receives all corporate network access requests.
16. The non-transitory computer readable storage medium of claim 13, wherein granting corporate network access by the server to applications within the list of applications on the user device that satisfy the rule set includes denying corporate network access by the server to applications within the list of applications on the user device that do not satisfy the rule set.
17. The non-transitory computer readable storage medium of claim 13, wherein the rule set includes at least one rule that specifies access by an application of the list of applications to a selected set of corporate resources for a selected set of one or more users.
18. The non-transitory computer readable storage medium of claim 13, wherein the rule set controls device level corporate network access and application level corporate network access.
19. The non-transitory computer readable storage medium of claim 13, further comprising providing the rule set to the client device from the server, the rule set applied to application data traffic initiated from the client and intended for the corporate network.
20. The non-transitory computer readable storage medium of claim 13, the method further comprising controlling application data accessed at the user client device by the corporate network based on the rule set.
21. The non-transitory computer readable storage medium of claim 13, wherein the policy controls data access by an application at the user client device.
22. The non-transitory computer readable storage medium of claim 13, wherein the rule set controls whether application data is transmitted to the corporate network.
23. The non-transitory computer readable storage medium of claim 13, wherein the policy is created at the server.
24. The non-transitory computer readable storage medium of claim 23, further comprising:
- modifying the rule set; and
- applying the modified rule set to application data at the user client device.
25. A system for establishing a connection, the system including:
- a server in communication with a user client device, the server including a processor, memory, and one or more applications stored in memory at the server and executable to establish a connection between a user client device and a server, the user client device having a plurality of applications, receive by a server a list of applications on a user device requesting access to a corporate network, and grant corporate network access by the server to applications within the list of applications on the user device that satisfy a rule set.
26. The system of claim 25, wherein the connection is a virtual private network tunnel.
27. The system of claim 25, wherein the server is located on the edge of the corporate network and receives all corporate network access requests.
28. The system of claim 25, wherein granting corporate network access by the server to applications within the list of applications on the user device that satisfy the rule set includes denying corporate network access by the server to applications within the list of applications on the user device that do not satisfy the rule set.
29. The system of claim 25, wherein the rule set includes at least one rule that specifies access by an application of the list of applications to a selected set of corporate resources for a selected set of one or more users.
30. The system of claim 25, wherein the rule set controls device level corporate network access and application level corporate network access.
31. The system of claim 25, further comprising providing the rule set to the client device from the server, the rule set applied to application data traffic initiated from the client and intended for the corporate network.
32. The system of claim 25, wherein the one or more applications are further executable to control application data accessed at the user client device by the corporate network based on the rule set.
33. The system of claim 25, wherein the policy controls data access by an application at the user client device.
34. The system of claim 25, wherein the rule set controls whether application data is transmitted to the corporate network.
35. The system of claim 25, wherein the policy is created at the server.
36. The system of claim 35, further comprising:
- modifying the rule set; and
- applying the modified rule set to application data at the user client device.
Type: Application
Filed: Jun 30, 2014
Publication Date: Oct 1, 2015
Inventors: Chris D. Peterson (Bellingham, WA), Jeffrey Kauffman (Brier, WA)
Application Number: 14/319,136