Abstract: A system for providing policy-controlled communication over the Internet includes a client endpoint function that executes on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, and a mid-link server coupled to the first VPN tunnel and a second VPN tunnel. The client endpoint function includes a first VPN endpoint component, and the service endpoint function includes a second VPN endpoint component. A router component operates to route network packet traffic between the first and second VPN tunnels via a route specified by a plurality of policies, an inspection component that analyzes network packet traffic in accordance with the plurality of policies. The plurality of policies for the network packet traffic and the content mediation selected dynamically on the basis of one or more of a user, an application, an endpoint, and a session.

Abstract: A system for providing policy-controlled communication over the Internet includes a client endpoint function that executes on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, and a mid-link server coupled to the first VPN tunnel and a second VPN tunnel. The client endpoint function includes a first VPN endpoint component, and the service endpoint function includes a second VPN endpoint component. A router component operates to route network packet traffic between the first and second VPN tunnels via a route specified by a plurality of policies, an inspection component that analyzes network packet traffic in accordance with the plurality of policies. The plurality of policies for the network packet traffic and the content mediation selected dynamically on the basis of one or more of a user, an application, an endpoint, and a session.

Abstract: Systems and methods for providing policy-controlled communication over the Internet are provided. A system may include a client endpoint function configured to execute on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, a gateway server including a first VPN termination point that authenticates and terminates the first VPN tunnel, a stitcher server including a second VPN termination point that authenticates and terminates a second VPN tunnel, and a mid-link server coupled to the first VPN tunnel and the second VPN tunnel. The mid-link server may include a plurality of Access Resource Servers (ARSs), and the gateway server and the stitcher server may communicate via a network connecting the plurality of ARSs.

Abstract: This invention provides secure, policy-based separation of data and applications on computer, especially personal computers that operate in different environments, such as those including personal applications and corporate applications, so that both types of applications can run simultaneously while complying with all required policies. The invention enables employees to use their personal devices for work purposes, or work devices for personal purposes. The secure, policy-based separation is created by dividing the data processing device into two or more “domains,” each with its own policies. These policies may be configured by the device owner, an IT department, or other data or application owner.

Abstract: Systems and methods for providing policy-controlled communication over the Internet are provided. A system may include a client endpoint function configured to execute on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, and a mid-link server coupled to the first VPN tunnel and a second VPN tunnel. The mid-link server may include an inspection component that analyzes network packet traffic in accordance with a plurality of policies. The inspection component may inspect the network packet traffic for specific content and provide instructions to a router component and/or a mediation component of the mid-link server. The instructions may be a function of at least one policy that applies to the specific content.

Abstract: Systems and methods for providing policy-controlled communication over the Internet are provided. A system may include a client endpoint function configured to execute on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, and a mid-link server coupled to the first VPN tunnel and a second VPN tunnel. The client endpoint function may include a first VPN endpoint component, and the service endpoint function may include a second VPN endpoint component. The mid-link server may include a first VPN termination point that authenticates and terminates the first VPN tunnel and a second VPN termination point that authenticates and terminates the second VPN tunnel. The first VPN termination point may re-authenticate the client device based on a first characteristic of the first VPN endpoint component and/or a second characteristic of the second VPN endpoint component.

Abstract: Systems and methods for policy-controlled communication over the Internet between third party client applications and remote services. A client device enforces policies on the communication between the applications and services. The communication is redirected through a mid-link server using a digitally protected tunnel. Network addresses of the client device and remote service are masked.

Abstract: This invention provides secure, policy-based separation of data and applications on computer, especially personal computers that operate in different environments, such as those including personal applications and corporate applications, so that both types of applications can run simultaneously while complying with all required policies. The invention enables employees to use their personal devices for work purposes, or work devices for personal purposes. The secure, policy-based separation is created by dividing the data processing device into two or more “domains,” each with its own policies. These policies may be configured by the device owner, an IT department, or other data or application owner.

Abstract: The invention provides a method for managing access to a network resource on a network from a mobile device, the method including the steps of intercepting a data stream from the mobile device attempting to access the network resource, extracting information from the intercepted data stream relating to at least one of the mobile device or a user of the mobile device, accessing at least one of enterprise service based information and third party information regarding at least one of the mobile device or the user of the mobile device, determining whether the mobile device is authorized to access the network resource, preparing an access decision that specifies whether the mobile device is authorized to access the network resource, and storing the access decision in a database on the network.

Abstract: Systems and methods for providing policy-controlled communication over the Internet are provided. A system may include a client endpoint function configured to execute on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, a gateway server including a first VPN termination point that authenticates and terminates the first VPN tunnel, a stitcher server including a second VPN termination point that authenticates and terminates a second VPN tunnel, and a mid-link server coupled to the first VPN tunnel and the second VPN tunnel. The mid-link server may include a plurality of Access Resource Servers (ARSs), and the gateway server and the stitcher server may communicate via a network connecting the plurality of ARSs.

Abstract: Systems and methods for providing policy-controlled communication over the Internet are provided. A system may include a client endpoint function configured to execute on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, and a mid-link server coupled to the first VPN tunnel and a second VPN tunnel. The mid-link server may include an inspection component that analyzes network packet traffic in accordance with a plurality of policies. The inspection component may inspect the network packet traffic for specific content and provide instructions to a router component and/or a mediation component of the mid-link server. The instructions may be a function of at least one policy that applies to the specific content.

Abstract: Systems and methods for providing policy-controlled communication over the Internet are provided. A system may include a client endpoint function configured to execute on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, and a mid-link server coupled to the first VPN tunnel and a second VPN tunnel. The client endpoint function may include a first VPN endpoint component, and the service endpoint function may include a second VPN endpoint component. The mid-link server may include a first VPN termination point that authenticates and terminates the first VPN tunnel and a second VPN termination point that authenticates and terminates the second VPN tunnel. The first VPN termination point may re-authenticate the client device based on a first characteristic of the first VPN endpoint component and/or a second characteristic of the second VPN endpoint component.

Abstract: Systems, software, and methods are provided for providing simpler and more secure ARSs that operate to separate and isolate configuration details from connecting systems by: moving most of the connection information to the easily secured ARS; requiring endpoints to initiate outbound connections to that server instead of exposing the systems to inbound connections from the internet; consolidating policy enforcement and routing decisions from the individual endpoints to an ARS; and consolidating network packet traffic filtering and monitoring in an ARS. The present invention substantially reduces the complexity of endpoint configurations by offloading most of the connection and endpoint validation, policy enforcement, information leakage management, and routing decisions from the endpoints to an ARS.

Abstract: Systems, software, and methods are provided for providing simpler and more secure ARSs that operate to separate and isolate configuration details from connecting systems by: moving most of the connection information to the easily secured ARS; requiring endpoints to initiate outbound connections to that server instead of exposing the systems to inbound connections from the internet; consolidating policy enforcement and routing decisions from the individual endpoints to an ARS; and consolidating network packet traffic filtering and monitoring in an ARS. The present invention substantially reduces the complexity of endpoint configurations by offloading most of the connection and endpoint validation, policy enforcement, information leakage management, and routing decisions from the endpoints to an ARS.

Abstract: Systems and methods are described for determining whether an electronic computing device complies with the security policy for a network.

Abstract: Systems, software, and methods are provided for providing simpler and more secure ARSs that operate to separate and isolate configuration details from connecting systems by: moving most of the connection information to the easily secured ARS; requiring endpoints to initiate outbound connections to that server instead of exposing the systems to inbound connections from the internet; consolidating policy enforcement and routing decisions from the individual endpoints to an ARS; and consolidating network packet traffic filtering and monitoring in an ARS. The present invention substantially reduces the complexity of endpoint configurations by offloading most of the connection and endpoint validation, policy enforcement, information leakage management, and routing decisions from the endpoints to an ARS.

Abstract: Methods, apparatus, systems, and non-transitory computer-readable media for managing a plurality of disparate computer application and data control policies on a computing device, especially a computing device connected to a computer network, are described. In one example, at least one policy distribution point is provided that includes least one policy distribution point including at least one information management policy. A plurality of policy enforcement points, including a first policy enforcement point operating at a first policy enforcement level, and a second enforcement point operating at second policy enforcement level, are also provided. A first policy element to the first policy enforcement point, and a second policy element to the second policy enforcement point, are allocated.

Abstract: This invention provides secure, policy-based separation of data and applications on computer, especially personal computers that operate in different environments, such as those including personal applications and corporate applications, so that both types of applications can run simultaneously while complying with all required policies. The invention enables employees to use their personal devices for work purposes, or work devices for personal purposes. The secure, policy-based separation is created by dividing the data processing device into two or more “domains,” each with its own policies. These policies may be configured by the device owner, an IT department, or other data or application owner.

Abstract: Methods, apparatus, systems, and non-transitory computer-readable media for managing a plurality of disparate computer application and data control policies on a computing device, especially a computing device connected to a computer network, are described. In one example, at least one policy distribution point is provided that includes least one policy distribution point including at least one information management policy. A plurality of policy enforcement points, including a first policy enforcement point operating at a first policy enforcement level, and a second enforcement point operating at second policy enforcement level, are also provided. A first policy element to the first policy enforcement point, and a second policy element to the second policy enforcement point, are allocated.

Abstract: Methods, apparatus, systems, and non-transitory computer-readable media for managing a plurality of disparate computer application and data control policies on a computing device, especially a computing device connected to a computer network, are described. In one example, at least one policy distribution point is provided that includes least one policy distribution point including at least one information management policy. A plurality of policy enforcement points, including a first policy enforcement point operating at a first policy enforcement level, and a second enforcement point operating at second policy enforcement level, are also provided. A first policy element to the first policy enforcement point, and a second policy element to the second policy enforcement point, are allocated.