This case relates generally to communications and, more specifically but not exclusively, to secure communications.
While most corporations employ various security mechanisms within their corporate networks, such mechanisms do not always adequately secure communications of the corporate users of the corporate networks.
Various deficiencies in the prior art are addressed by embodiments for supporting secure communications.
In one embodiment, an apparatus includes a processor and a memory communicatively coupled to the processor. The processor is configured to receive, from a user device of a corporate user, communication request information associated with a communication request initiated via the user device, the communication request information specifying a context of the requested communication. The processor is configured to select a communication context-based security profile for the requested communication based on the communication request information. The processor is configured to propagate an indication of the selected communication context-based security profile toward at least one of the user device and a network device for use in applying at least one security mechanism to the requested communication.
In one embodiment, a method uses at least one processor to perform steps of receiving, from a user device of a corporate user, communication request information associated with a communication request initiated via the user device where the communication request information specifies a context of the requested communication, selecting a communication context-based security profile for the requested communication based on the communication request information, and propagating an indication of the selected communication context-based security profile toward at least one of the user device and a network device for use in applying at least one security mechanism to the requested communication.
In one embodiment, an apparatus includes a processor and a memory communicatively coupled to the processor. The processor is configured to detect initiation of a communication request at a user device. The processor is configured to determine communication request information associated with the communication request. The processor is configured to propagate the communication request information toward a communication assurance agent. The processor is configured to receive, from the communication assurance agent, an indication of a communication context-based security profile selected by the communication assurance agent for use by the user device in applying at least one security mechanism to the requested communication.
In one embodiment, a method uses at least one processor to perform steps of detecting initiation of a communication request at a user device, determining communication request information associated with the communication request, propagating the communication request information toward a communication assurance agent, and receiving, from the communication assurance agent, an indication of a communication context-based security profile selected by the communication assurance agent for use by the user device in applying at least one security mechanism to the requested communication.
The teachings herein can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:
To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures.
In general, secure communication capabilities are depicted and described herein, although various other capabilities also may be presented herein.
In one embodiment, a secure communication capability uses communication context-based security profiles associated with a corporate user to assure communications by or otherwise associated with the corporate user. The communications by or otherwise associated with the corporate user may be assured regardless of the various elements used to support those communications. For example, communications by or otherwise associated with the corporate user may be assured regardless of one or more of the user device used by the corporate user for the communication (e.g., whether it be a corporate user device behind a corporate firewall and on a corporate network, a corporate user device used by the user outside of the corporate network, a personal user device of the corporate user, and the like), a communication channel used for the communication, a communication medium used for the communication, a communication mode used for the communication, and the like. In this manner, a security blanket is imposed over all communication mechanisms used to support communications by or otherwise associated with the corporate user regarding corporate matters, where the security blanket may be imposed irrespective of the various elements used to support those communications (e.g., as noted above, irrespective of one or more of the user device used by the corporate user for the communication, a communication channel used for the communication, a communication medium used for the communication, a communication mode used for the communication, and the like). In one embodiment, the security blanket also may be extended to personal communications by the corporate user from any suitable user device (e.g., a corporate user device(s) and/or a personal user device(s)).
As depicted in
The user devices 102 of the corporate user include a corporate user device 1021 located within the corporate network 110 (e.g., associated with a corporate Intranet and/or behind a corporate firewall), a corporate user device 1022 located outside of the corporate network 110 and receiving network access from one of the access networks 120 (illustratively, access network 1201), and a personal user device 1023 located outside of the corporate network 110 and receiving network access from one of the access networks 120 (illustratively, access network 120N). The user devices 102 may include any suitable types of user devices (e.g., desktop computers, laptop computers, tablet computers, smart phones, cloud-based information stores, and the like). It is noted that cloud-based information stores also may be considered as user devices (or user elements), as users may interact with such virtual entities to retrieve their information.
The user devices 102 are used by the corporate user to communicate regarding corporate matters, where communications regarding corporate matters also may be referred to herein as corporate communications or corporate-related communications. For example, the corporate user may use corporate user device 1021 for communications regarding corporate matters while in the office (e.g., where corporate user device 1021 is a computer located in the office of the corporate user), may use corporate user device 1022 for communications regarding corporate matters while traveling outside of the office (e.g., where corporate user device 1022 is a smart phone supplied to the corporate user by the corporation), and may use personal user device 1023 for communications regarding corporate matters while located at home (e.g., where personal user device 1023 is a personal computer located in the home of the corporate user). This exemplary movement of the corporate user is depicted in
The user devices 102 may be used for any suitable types of corporate communications.
In one embodiment, for example, corporate communications by or otherwise associated with the corporate user may include voice calls (e.g., to other employees of the corporate user, suppliers, customers, partners, and the like), voicemails (e.g., to other employees of the corporate user, suppliers, customers, partners, and the like), e-mails (e.g., to other employees of the corporate user, suppliers, customers, partners, and the like), Simple Messaging Service (SMS) messaging, Instant Messaging (IM), web browsing (e.g., searching for information using a search engine and the like), video calls, social media related communications (e.g., corporate social media, public social media, and the like), commerce-related communications (e.g., eCommerce, Business-to-Business (B2B) Commerce, and the like), web-based conferencing services (e.g., LiveMeeting, NetMeeting, and the like), communications related to cloud interactions (e.g., public cloud interactions, private cloud interactions, and the like), and the like, as well as various combinations thereof.
In one embodiment, for example, corporate communications by or otherwise associated with the corporate user may include network-centric communications which may be part of communications initiated by the corporate user and/or may be complementary to the communications initiated by the corporate user (e.g., where the communications may be spawned in response to one or more conditions associated with communications initiated by the corporate user). For example, network-centric communications which may be part of communications initiated by the corporate user and/or may be complementary to the communications initiated by the corporate user may include call forwarding, email forwarding, voice mail, voice mail forwarding, voice mail transcription, content uploading, content tagging, multi-mode communication (e.g., where a session transforms from one type of session to another type of session, where a session transforms from one device to another device, and the like), multi-device interaction within a service, and the like, as well as various combinations thereof.
It is noted that the underlying communications capabilities (e.g., equipment, services, and the like) which may support the above-described corporate communication types will be understood by one skilled in the art. For example, voice calls may be supported using one or more of a Public Switched Telephone Network (PSTN), Voice Over IP (VoIP), Private Branch Exchanges (PBXs), IP-PBXs, wireline networks, wireless networks, cloud-based PBX capabilities, over-the-top (OTT) voice applications, and the like, as well as various combinations thereof. For example, e-mails may be supported using one or more of data communication networks, email services, and the like. The types of underlying communications capabilities used to support the other listed communication types will be understood.
It is noted that various combinations of such communication types of a corporation (and, optionally, the underlying communications capabilities supporting such communication types) may be referred to collectively herein as an open communications environment of the corporation (e.g., supporting user-to-user interactions, user-to-machine interactions, machine-to-user interactions, and machine-to-machine interactions).
The user devices 102 each are configured to detect communication requests initiated by the corporate user via the user devices 102. For example, when the corporate user initiates a request to communicate via one of the user devices 102, the user device 102 detects an indication of the request to communicate and propagates the indication of the request to communicate such that it is automatically detected by the communication assurance agent 141. The user device 102 also may determine information associated with the request to communicate (denoted herein as requested communication information) and propagate the requested communication information such that it is automatically detected by the communication assurance agent 141. The manner in which the requested communication is initiated is expected to vary for the different communication types. For example, for voice communication the corporate user may dial a number and press a submit button to initiate a call, open a voice call application and select the name of a person to call, and the like. For example, for e-mail communication the corporate user may open an email application, log in to an email service, open an e-mail message to be sent and begin to enter information (e.g., the name(s) of the intended recipient(s), subject information, and the like), and the like. For example, for SMS communication the corporate user may open an SMS application, log in to an SMS service, open an SMS message to be sent and begin to enter information (e.g., the name(s) of the intended recipient(s), message text, and the like), and the like. For example, for IM communication the corporate user may open an IM application, log in to an IM service, open an IM message to be sent and begin to enter information, and the like. For example, for web browsing the corporate user may open a web browser, begin to enter search criteria into a search interface of the web browser, and the like.
More generally, a request by the corporate user to communicate may be considered to include an action(s) via which an indication of a request to communicate may be automatically detected by the communication assurance agent 141 and, optionally, any associated information suitable for use by communication assurance agent 141 to determine the type of security to be applied to the requested communication of the corporate user.
It will be appreciated that, although primarily depicted and described with respect to the corporate user using three specific user devices 102 to communicate regarding corporate matters, the corporate user may use fewer or more user devices 102 to communicate regarding corporate matters and/or may use other types of user devices 102 to communicate regarding corporate matters.
The corporate network 110 is a corporate intranet. The corporate network 110 may be owned/maintained by the corporation which employs the corporate user directly or indirectly and/or by one or more Managed Services entities. The corporate network 110 may include various elements and services as will be understood by one skilled in the art. For example, the corporate network 110 may include IT systems, IT networks, private clouds, hosted application centers, private data centers, public data centers, wireline and/or wireless networks, private communication networks, user devices, peripherals associated with user devices, and the like, as well as various combinations thereof. It is noted that, in general, corporations use security mechanisms to secure their corporate networks and communications by their employees via their corporate networks. For example, security mechanisms typically used in corporate networks include firewalls, encryption/decryption of communications, virtual private networks (VPNs), and the like, as well as various combinations thereof. However, such security mechanisms typically used in corporate networks do not always guarantee end-to-end communication assurance or information assurance for communications by employees via the corporate networks, and certainly do not guarantee end-to-end communication assurance or information assurance for communications by employees via external networks. The current security environment of the corporation cannot adequately monitor the complex interactions that are made by corporate users of the corporation and the open communications environment of the corporation.
The access networks 120 may include any suitable access networks via which the corporate user may communicate regarding corporate matters. For example, the access networks 120 may include wireline access networks (e.g., cable networks, DSL networks, and the like) and/or wireless access networks (e.g., cellular networks, Wireless Fidelity (Wi-Fi) networks, satellite networks, and the like).
The communication network 130 represents any wide area communication network(s) adapted to transport communications of the corporate user. For example, the communication network 130 may include backhaul networks, the Internet, and the like as well as various combinations thereof.
The communication assurance network 140 includes communication assurance agent 141, profiles database 142, and security assurance grading engine 145. The communication assurance agent 141 is configured to provide security mechanisms to improve security of communications by the corporate user regarding corporate matters. The communication assurance agent 141 also may be configured to provide security mechanisms to improve security of communications by the corporate user regarding personal matters. The communication assurance agent 141 is configured to provide such security mechanisms using information from profiles database 142 and/or using security assurance grading engine 145 (and/or information from security assurance grading engine 145).
The profiles database 142 includes a user profile 143 for the corporate user. The user profile 143 of the corporate user includes user information associated with the corporate user (e.g., name, address, network identification information, and the like, as well as various combinations thereof). The user profile 143 of the corporate user further includes communication context-based security profiles 144 (and/or otherwise points to communication context-based security profiles 144) associated with the corporate user.
The communication context-based security profiles 144 for the corporate user include one or more profiles to be used in conjunction with communications of the corporate user. In general, a communication context-based security profile 144 for the corporate user specifies a security policy that is defined based on the context of the communication of the corporate user, where the security policy specifies one or more security mechanisms to be applied for the communication of the corporate user (e.g., a requested communication of the corporate user whose associated requested communication information matches the communication context defined by the security policy has the associated security mechanism(s) of the security policy applied thereto).
The communication context-based security profiles 144 for the corporate user are defined and retrieved based on communication context. In one embodiment, communication context for a communication of the corporate user may be based on one or more of the type of communication to be used for the communication of the corporate user (e.g., voice, email, SMS, video, web browsing, and the like), an identity of the corporate user, a role of the corporate user (e.g., within the corporation, with a particular group within the corporation, for a particular project of the corporation, and the like), relationship-based information associated with the corporate user (e.g., an indication of a group within the corporation to which the corporate user belongs, an indication of a project of the corporation on which the corporate user works, an indication of a relationship between the corporate user and an intended recipient(s) of the communication, and the like), a device type of the user device 102 used by the corporate user (e.g., fixed versus mobile, wireline versus wireless, computer versus smartphone, and the like), a network type of a network(s) to be used to support the communication, an identifier identifying the user device 102 being used by the corporate user for the communication, a recipient type of an intended recipient(s) of the communication, an identity of an intended recipient(s) of the communication, a subject of the communication, one or more details of the communication, and the like, as well as various combinations thereof. As noted above, the communication context-based security profiles 144 for the corporate user may be defined based on one or more of the above-described types of context information.
Similarly, as noted above, when the corporate user initiates a request to communicate, the requested communication information associated with the request to communicate, which is indicative of the context of the request to communicate, may be used to retrieve an appropriate communication context-based security profile 144 for use in providing security for the requested communication of the corporate user (e.g., in the form of one or more security mechanisms specified by the communication context-based security profile 144 retrieved for the requested communication of the corporate user).
The communication context-based security profiles 144 for the corporate user may be defined for communications of the corporate user which may be between any suitable entities/devices and may be of any suitable type. For example, the communication of the corporate user may be between two user devices (e.g., between two users, between a group of individuals, and the like), between more than two user devices (e.g., conference calls, video conferencing, chat rooms, and the like), machine(s)-to-machine(s), and the like, as well as various combinations thereof. For example, the communication type may be a voice-based communication (e.g., a voice call between the corporate user and another user, a voice call between the corporate user and multiple other users, and the like), an email-based communication (e.g., sending of an email by the corporate user, the corporate user receiving a voicemail as an attachment in an email message by a service provider, and the like), an SMS-based communication (e.g., the corporate user sending a text message, the corporate user receiving a text message including a voicemail transcribed into text and included within the text message, and the like), a video-based communication, a web browsing communication, and the like, as well as various combinations thereof. It is noted that such communication types also may be referred to herein as communication services or communication service types (e.g., voice services, email services, SMS services, video services, web browsing services, and the like, as well as various combinations thereof).
The communication context-based security profiles 144 for the corporate user may be defined using information from various resources. The resources may include one or more of: (1) one or more profiles of the corporate user (e.g., business profiles, personal profiles, social profiles, and the like), (2) the relationships and/or associations of the corporate user to one or more other users, one or more groups of users, one or more associations, one or more enterprises, one or more institutions, and the like, (3) the relationships and/or associations of the corporate user to a project, a type of project, an activity, a type of activity, a profession, a type of profession, an interest, a type of interest, a club, a type of club, and the like, (4) the relationships and/or associations of the corporate user to a service, a type of service, and the like, (5) the relationships and/or associations of the corporate user to a device or devices (e.g., to a device being used by the corporate user (e.g., corporate user device 1021, corporate user device 1022, personal user device 1023, and the like), to a device with which the corporate user is to communicate, and the like), to a type of device (e.g., corporate versus personal, fixed versus mobile, computer versus smart phone, and the like), and the like, (6) the relationships and/or associations of the corporate user to use of a mode of communication, (7) communication environments and associated capabilities of the communication environments (e.g., where different communication environments offer different capabilities in terms of services, features, class of service, quality of service, user experience, identity management, storage, and the like), and (8) any other suitable type(s) of resources from which information may be determined for use in providing the communication context-based security profiles 144 for the corporate user. 
Although primarily depicted and described with respect to definition of the communication context-based security profiles 144 for the corporate user based on information specific to the corporate user, it is noted that the communication context-based security profiles 144 for the corporate user may be defined based on information associated with multiple corporate users (e.g., where communication context-based security profiles are defined for multiple corporate users based on information associated with the multiple corporate users and then the communication context-based security profiles are associated with each of the multiple corporate users for use in providing communication context-based security for the multiple corporate users). The communication context-based security profiles 144 for the corporate user also may be defined by deriving the communication context-based security profiles 144 for the corporate user from past communications by the corporate user (e.g., based on historical information associated with communication services/events as determined from various resources within one or more communication environments), and the like, as well as various combinations thereof.
The communication context-based security profiles 144 for the corporate user may be retrieved, in response to requests by the corporate user to communicate, based on requested communication information determined from the requests to communicate (where the requested communication information may include any of the types of information which may be used to define the communication context-based security profiles 144).
The communication context-based security profiles 144 are adapted to provide communication assurance for communication services used by the corporate user, as well as to provide information assurance for information transported via communication services used by the corporate user. The communication context-based security profiles 144 are adapted to provide information assurance even in cases where information of a communication by the corporate user has multiple states and/or multiple delivery mechanisms (e.g., where a caller leaves a voicemail for the corporate user that is later retrieved by the corporate user, where the corporate user leaves a voicemail for a fellow employee and the voicemail is sent to the employee as an attachment in an email, where a caller leaves a voicemail for the corporate user and the voicemail is converted into text and sent to the corporate user in a text message, and the like). The communication context-based security profiles 144 are adapted to provide communication/information assurance for communication services used for corporate communications within the corporation (e.g., between the corporate user and one or more corporate users and/or devices of the corporation), for communication services used for corporate communications outside of the corporation (e.g., between the corporate user and one or more users and/or devices outside of the corporation), for personal communications by the corporate user, and the like. In this manner, the communication context-based security profiles 144 are adapted to ensure that the end-to-end communication channel, and the information transported via the end-to-end communication channel, receives the appropriate level of security. 
Furthermore, the communication context-based security profiles 144 are adapted to ensure that the communication of the corporate user, and the information transported via the communication of the corporate user, are assured the appropriate level of security throughout the existence of that communication/information irrespective of its state or the delivery mechanism used.
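The following is an added illustration, not part of the original description, of the exchange described above: the user device derives requested communication information from a communication request, the communication assurance agent selects the most specific matching communication context-based security profile, and the agent returns an indication of which security mechanisms the user device and the network device are to apply. The device identifiers, directory entries, profile names and mechanism names are constructed for illustration; the profile hierarchy (corporation, ORG1, GROUP 4 with corporate-device and personal-device sub-profiles) follows the exemplary scenario in this description. The selection fails closed when no profile matches, so that a request with an unrecognised context is refused rather than sent without any security mechanism.

```python
"""Added example: context-based security profile selection.

Device side derives "requested communication information"; agent side
matches it against the user's communication context-based security
profiles and returns an indication for the user device and the network
device.  All names and directory data below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed directory: device class per device identifier, and the
# organization/group of each internal recipient address.
DEVICES = {"dev-1021": "corporate", "dev-1022": "corporate", "dev-1023": "personal"}
DIRECTORY = {  # recipient address -> (organization, group)
    "alice@example.com": ("ORG1", "GROUP4"),
    "bob@example.com": ("ORG1", "GROUP2"),
    "carol@example.com": ("ORG2", "GROUP9"),
}
CORP_DOMAIN = "example.com"

# Mechanisms the user device applies itself; all others are applied by a network device.
DEVICE_MECHANISMS = {"e2e_encrypt", "device_attestation", "mfa_step_up"}


@dataclass(frozen=True)
class RequestInfo:
    """Requested communication information, as derived on the user device."""
    comm_type: str                 # voice, email, sms, ...
    device_class: str              # corporate or personal
    recipient_type: str            # internal or external
    recipient_org: Optional[str]
    recipient_group: Optional[str]


@dataclass(frozen=True)
class SecurityProfile:
    """Constraints on RequestInfo fields plus the mechanisms to apply when all hold.
    Fields a profile does not name are wildcards."""
    name: str
    constraints: dict
    mechanisms: frozenset


def derive_request_info(comm_type, device_id, recipient):
    """User-device side: turn a communication request into RequestInfo."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    org, group = DIRECTORY.get(recipient.lower(), (None, None))
    return RequestInfo(
        comm_type=comm_type,
        device_class=DEVICES.get(device_id, "personal"),   # unknown device: treat as personal
        recipient_type="internal" if domain == CORP_DOMAIN else "external",
        recipient_org=org,
        recipient_group=group,
    )


def select_profile(profiles, info):
    """Agent side: most specific matching profile (most constraints wins).

    Sub-profiles refine their parent by adding constraints, so a GROUP-level
    or device-level profile always outranks the ORG- and corporation-level
    profiles it specialises.  Returns None when nothing matches.
    """
    fields = vars(info)
    matching = [p for p in profiles
                if all(fields.get(k) == v for k, v in p.constraints.items())]
    if not matching:
        return None
    return max(matching, key=lambda p: len(p.constraints))


def build_indication(profile):
    """Split the selected mechanisms into the part propagated toward the user
    device and the part propagated toward the network device."""
    device_side = profile.mechanisms & DEVICE_MECHANISMS
    return {"profile": profile.name,
            "user_device": sorted(device_side),
            "network_device": sorted(profile.mechanisms - device_side)}


def assure(profiles, comm_type, device_id, recipient):
    """End to end: derive context, select profile, return the indication.
    Fails closed: no matching profile means the request is refused."""
    info = derive_request_info(comm_type, device_id, recipient)
    profile = select_profile(profiles, info)
    if profile is None:
        return {"profile": None, "action": "refuse"}
    return {**build_indication(profile), "action": "allow"}


# Constructed profiles mirroring the corporation / ORG1 / GROUP 4 hierarchy.
PROFILES = [
    SecurityProfile("CORP", {"recipient_type": "internal"}, frozenset({"tls"})),
    SecurityProfile("ORG1", {"recipient_type": "internal", "recipient_org": "ORG1"},
                    frozenset({"tls", "dlp_scan"})),
    SecurityProfile("GROUP4/CORPORATE_DEVICE",
                    {"recipient_org": "ORG1", "recipient_group": "GROUP4", "device_class": "corporate"},
                    frozenset({"tls", "dlp_scan", "e2e_encrypt"})),
    SecurityProfile("GROUP4/PERSONAL_DEVICE",
                    {"recipient_org": "ORG1", "recipient_group": "GROUP4", "device_class": "personal"},
                    frozenset({"tls", "dlp_scan", "e2e_encrypt", "device_attestation", "mfa_step_up"})),
    SecurityProfile("EXTERNAL", {"recipient_type": "external"},
                    frozenset({"tls", "dlp_scan", "archive"})),
]

if __name__ == "__main__":
    print(assure(PROFILES, "email", "dev-1023", "alice@example.com"))
    print(assure(PROFILES, "email", "dev-1021", "bob@example.com"))
    print(assure(PROFILES, "sms", "dev-1022", "dave@partner.test"))
```

The same corporate user e-mailing a GROUP 4 colleague from the personal device is routed to the PERSONAL DEVICE sub-profile, which adds device attestation and an authentication step-up on the device side; the same message from a corporate device lands in the CORPORATE DEVICE sub-profile instead, and a message to a recipient outside the corporate domain falls through to the external profile. Selecting by number of satisfied constraints is what makes the hierarchy work; with only the corporation-wide profile loaded, an external recipient matches nothing and the request is refused.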
As noted above, the communication context-based security profiles 144 may be defined based on communication context in a number of ways. The communication context-based security profiles 144 may be defined at any suitable granularity. The communication context-based security profiles 144 may be organized in any suitable manner (e.g., in a flat arrangement, in a hierarchical arrangement, and the like, as well as various combinations thereof). These and various other characteristics of the communication context-based security profiles 144 may be better understood by way of reference to exemplary communication context-based security profiles 144 depicted and described with respect to
The security assurance grading engine 145 maintains a plurality of security grades 1461-146N and a custom security grade 146CUSTOM (collectively, security grades 146, which also are denoted as GRADE1-GRADEN and GRADECUSTOM). The custom security grade 146CUSTOM may be defined using two or more of security grades 1461-146N.
The security assurance grading engine 145 may be configured to define the security grades 146. The security assurance grading engine 145 may be configured to define the security grades 146 based on the communication context-based security profiles 144 of the corporate user. The security assurance grading engine 145 may be configured to generate the security grades 146 (e.g., using information from the communication context-based security profiles 144 of the profiles database 142). In one embodiment, the security grades 146 may be considered to be a representation of the communication context-based security profiles 144 of the corporate user (e.g., where each security grade 146 represents one or more of the communication context-based security profiles 144 maintained for the corporate user). In one embodiment, the security grades 146 may be generated via processing of the communication context-based security profiles 144 of the corporate user. It is noted that fewer or more security grades 146 may be defined/generated. It is noted that more than one custom security grade 146CUSTOM may be defined/generated. It is noted that the security grades 146 also may be referred to herein as security blankets.
The security grades 146 are adapted for use by communication assurance agent 141 (and, optionally, by the security assurance grading engine 145) to provide security mechanisms that provide security assurance for communications of the corporate user. In one embodiment, each security grade 146 has one or more security mechanisms associated therewith, where the security mechanism(s) associated with a security grade 146 include the security mechanism(s) to be applied for communications of the corporate user that are deemed to fall within that security grade 146. In one embodiment, when a communication type/service is deemed to be of a particular security grade 146, each communication associated with the communication type/service receives the same grade of service based on the security mechanism(s) of that security grade 146, where such security may be applied independent of time, network type, communication medium, storage medium, and the like.
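The following is an added illustration, not part of the original description, of one way a grading engine can derive security grades from a set of communication context-based security profiles and compose a custom grade from two or more of them. The profile and mechanism names are constructed. The grades are generated as a strictly increasing chain of mechanism sets, so that a higher grade never applies less protection than a lower one, and a profile is placed in the lowest grade that covers every mechanism it requires.

```python
"""Added example: generating security grades from context-based security
profiles and composing a custom grade.  Profile and mechanism names are
constructed for illustration."""

# Constructed profiles: profile name -> mechanisms the profile requires.
PROFILES = {
    "CORP": frozenset({"tls"}),
    "ORG1": frozenset({"tls", "dlp_scan"}),
    "GROUP4/CORPORATE_DEVICE": frozenset({"tls", "dlp_scan", "e2e_encrypt"}),
    "GROUP4/PERSONAL_DEVICE": frozenset({"tls", "dlp_scan", "e2e_encrypt", "mfa_step_up"}),
    "EXTERNAL": frozenset({"tls", "dlp_scan", "archive"}),
}


def generate_grades(profiles):
    """Build GRADE1..GRADEN as a strictly increasing chain of mechanism sets.

    Profiles are visited weakest first (fewest mechanisms, then by name of
    mechanisms for a stable order).  Each new grade is the union of the
    previous grade and the profile's mechanisms; a profile whose mechanisms
    the current grade already covers does not create a new grade.
    """
    grades = []
    current = frozenset()
    for mechs in sorted(profiles.values(), key=lambda m: (len(m), sorted(m))):
        if mechs <= current:
            continue
        current = current | mechs
        grades.append(("GRADE%d" % (len(grades) + 1), current))
    return grades


def grade_for(grades, required):
    """Lowest grade whose mechanism set covers every required mechanism."""
    for name, mechs in grades:
        if required <= mechs:
            return name
    raise ValueError("no grade covers %s" % sorted(required))


def custom_grade(grades, *names):
    """GRADECUSTOM: the union of two or more existing grades."""
    if len(names) < 2:
        raise ValueError("a custom grade is defined from two or more grades")
    lookup = dict(grades)
    return ("GRADECUSTOM", frozenset().union(*(lookup[n] for n in names)))


def mechanisms_for_service(grades, service_grade, service):
    """Every communication of a service deemed to be of a grade receives that
    grade's mechanisms, independent of network or medium."""
    return dict(grades)[service_grade[service]]


GRADES = generate_grades(PROFILES)
SERVICE_GRADE = {"email": grade_for(GRADES, PROFILES["ORG1"]),
                 "voice": grade_for(GRADES, PROFILES["CORP"])}

if __name__ == "__main__":
    for name, mechs in GRADES:
        print(name, sorted(mechs))
    print(custom_grade(GRADES, "GRADE1", "GRADE2"))
    print(sorted(mechanisms_for_service(GRADES, SERVICE_GRADE, "email")))
```

With the five constructed profiles the engine emits five grades, because the external profile and the GROUP 4 corporate-device profile require different third mechanisms and neither covers the other; the GROUP 4 corporate-device profile therefore lands in GRADE4, which also carries archiving inherited from the external profile below it. That over-coverage is the price of a totally ordered chain; a deployment that wants exact fit would keep the profiles themselves as the grades and use the chain only for comparisons.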
The definition/generation and use of the security grades 146 may be better understood by way of reference to
It is noted that, although primarily depicted and described with respect to embodiments in which the communication assurance agent 141, the profiles database 142, and the security assurance grading engine 145 are deployed within a network (illustratively, communication assurance network 140), the communication assurance agent 141, the profiles database 142, and/or the security assurance grading engine 145 may be deployed in any suitable manner (e.g., one or more of these elements may reside within a service provider network, one or more of these elements may reside within corporate network 110, one or more of these elements may reside within a Federated System, and the like, as well as various combinations thereof).
It is noted that, although system 100 is depicted and described with respect to improving security of a single corporate user, system 100 may be configured to improve security for any number of corporate users of any number of corporations.
It is noted that, although system 100 is depicted and described with respect to improving security of a corporate user, system 100 may be configured to improve security for any suitable type(s) of users (e.g., users employed by corporations but only looking to improve security of their personal communications, users not employed by corporations but looking to improve security of their personal communications, and the like, as well as various combinations thereof).
The user profile 143 of the corporate user includes user information associated with the corporate user. The user profile 143 of the corporate user further includes and/or has associated therewith communication context-based security profiles 144.
The communication context-based security profiles 144 for the corporate user include a plurality of corporate security profiles 144C1-144CN (collectively, corporate security profiles 144C).
The corporate security profiles 144C may be better understood by considering an exemplary scenario in which the corporate user is a member of an organization (ORG1) within the corporation, is a member of a group (GROUP 4) within the organization, and is assigned to work on two projects (PROJECT A within GROUP 4 and PROJECT F, which is a multi-group project).
The corporate security profile 144C1 is a profile defined for the corporation (e.g., to be used for any type of communication by the corporate user with any other member of the corporation).
The corporate security profile 144C2 is a profile defined for ORG1 of which the corporate user is a member (e.g., to be used for any type of communication by the corporate user with any other member of ORG1).
The corporate security profile 144C3 is a profile defined for GROUP 4 of which the corporate user is a member (e.g., to be used for any type of communication by the corporate user with any other member of GROUP 4). The corporate security profile 144C3 includes two sub-profiles to be used for communications by the corporate user using two different user devices of the corporate user (e.g., a CORPORATE DEVICE profile to be used for communications by the corporate user with any other person of GROUP 4 where the corporate user is using a corporate user device (e.g., corporate user device 1021 or corporate user device 1022) and a PERSONAL DEVICE profile to be used for communications by the corporate user with any other person of GROUP 4 where the corporate user is using a personal user device (e.g., personal user device 1023)).
The corporate security profile 144C4 is a profile defined for PROJECT A to which the corporate user is assigned and includes two sub-profiles to be used for different types of communications by the corporate user related to PROJECT A (e.g., a VOICE profile to be used for voice communications by the corporate user with any other person associated with project A and an EMAIL profile to be used for email communications by the corporate user with any other person associated with project A).
The corporate security profile 144C5 is a profile defined for PROJECT F to which the corporate user is assigned and includes two sub-profiles to be used for communications by the corporate user with different groups working on PROJECT F (e.g., a GROUP 4 profile to be used for communications by the corporate user with any other person of GROUP 4 who is assigned to work on PROJECT F and an OTHER profile to be used for communications by the corporate user with any other person associated with PROJECT F but not in GROUP 4).
The corporate security profile 144C6 is a profile defined for customers of the corporation (e.g., to be used for any type of communication by the corporate user with any of the customers of the corporation).
The corporate security profile 144C7 is a profile defined for any voice-based communication by the corporate user.
The corporate security profile 144C7 includes three sub-profiles to be used for communications by the corporate user using three different user devices of the corporate user (e.g., a CORPORATE DESKTOP DEVICE profile to be used for communications by the corporate user using corporate user device 1021, a CORPORATE MOBILE DEVICE profile to be used for communications by the corporate user using corporate user device 1022, and a PERSONAL DEVICE profile to be used for communications by the corporate user using personal user device 1023).
The corporate security profile 144C8 is a profile defined for any web browsing to be performed by the corporate user.
The corporate security profile 144CN is intended to represent the fact that any suitable number of corporate security profiles 144C may be defined for the corporate user.
It is noted that the corporate security profiles 144C are merely exemplary and, thus, that any suitable numbers, types, and arrangements of corporate security profiles 144C may be maintained for the corporate user.
The corporate security profiles 144C may be defined by the corporation on behalf of the corporate user (and, optionally, modified by the corporate user as needed), defined by the corporate user, and the like, as well as various combinations thereof.
It is noted that, although depicted and described with respect to embodiments in which the corporate security profiles 144C are defined for the corporate user, the corporate security profiles 144C may be defined for any suitable set of corporate users of the corporation and the user profile of the corporate user may then simply point to the corporate security profiles 144C to thereby associate those corporate security profiles 144C with the corporate user for use in improving security of corporation-related communications of the corporate user.
The communication context-based security profiles 144 for the corporate user also may include a plurality of personal security profiles 144P1-144PN (collectively, personal security profiles 144P).
The personal security profile 144P1 is a profile defined for any personal voice communication to be performed by the corporate user.
The personal security profile 144P2 is a profile defined for any personal e-mail communication to be performed by the corporate user and includes three sub-profiles to be used for e-mail communications with different groups of people (e.g., a first sub-profile for e-mails to family and friends of the corporate user, a second sub-profile for e-mails to acquaintances of the corporate user, and a third sub-profile for e-mails to doctors of the corporate user).
The personal security profile 144P3 is a profile defined for any type of communication to be performed by the corporate user with one or more of the financial institutions of the corporate user.
The personal security profile 144P4 is a profile defined for any web-related communications to be performed by the corporate user and includes two sub-profiles to be used for different types of web browsing (e.g., a first sub-profile for general web browsing and a second sub-profile for web-based purchases made by the corporate user).
The personal security profile 144PN is intended to represent the fact that any suitable number of personal security profiles 144P may be defined for the corporate user.
It is noted that the personal security profiles 144P are merely exemplary and, thus, that any suitable numbers, types, and arrangements of personal security profiles 144P may be maintained for the corporate user.
The personal security profiles 144P may be defined by the corporate user, defined by one or more other entities on behalf of the corporate user (and, optionally, modified by the corporate user as needed), and the like, as well as various combinations thereof.
It is noted that, although depicted and described with respect to embodiments in which the personal security profiles 144P are defined for the corporate user, the personal security profiles 144P may be defined for any suitable set of users and the user profile of the corporate user may then simply point to the personal security profiles 144P to thereby associate those personal security profiles 144P with the corporate user for use in improving security of personal communications of the corporate user.
The communication context-based security profiles 144 of the user profile 143 of the corporate user each may specify one or more security mechanisms to be used to secure the associated communications of the corporate user. For example, such security mechanisms may include use of encryption and decryption, and the like, as well as various combinations thereof. It will be appreciated that the types of security mechanisms associated with a given communication context-based security profile 144 may depend on factors such as the type of communication which may be used, the necessary or desired level of security for the communication, and the like, as well as various combinations thereof.
It is noted that, although primarily depicted and described with respect to embodiments in which the communication context-based security profiles 144 are stored in the profiles database 142 associated with communication assurance agent 141, some or all of the communication context-based security profiles 144 may be stored in other locations. For example, corporation-related communication context-based security profiles of the corporate user may be stored within the corporate network 110. For example, personal communication context-based security profiles of the corporate user may be stored within the corporate network 110 and/or a home network of the user. For example, personal communication context-based security profiles of the corporate user may be stored within the communications environments of entities with which the corporate user may communicate (e.g., Health Insurance Portability and Accountability Act (HIPAA)-related security profiles maintained within communications environments of doctors, Securities and Exchange Commission (SEC)-related security requirements maintained within communications environments of financial institutions, and the like). In at least some such embodiments, the profiles database 142 may store indexes to communication context-based security profiles 144 stored in the other location(s), such that the communication assurance agent 141 may use the indexes in order to retrieve the communication context-based security profiles 144 when needed. In this sense, it will be appreciated that communication context-based security profiles 144 may be considered to be maintained in any suitable storage location(s) such that they are accessible for use by communication assurance agent 141 in providing security mechanisms for the corporate user.
As depicted in
As further depicted in
As further depicted in
As depicted in
As further depicted in
The use of security grades 146 of the corporate user in order to secure the communications by the corporate user may be better understood by way of the following examples.
In a first example, the user selects user device 1021 (e.g., a corporate smart phone of the corporate user) and initiates a voice call to his or her doctor. The context of the initiated communication of the corporate user (e.g., a voice call from the corporate user to the doctor via the corporate smart phone) results in selection of a particular security grade for use in securing the initiated communication (illustratively, the security grade 1461 which also is denoted as G1). As illustrated in
In a second example, the user selects user device 1022 (e.g., a personal smart phone of the corporate user) and initiates a voice call to his or her colleague at the corporation. The context of the initiated communication of the corporate user (e.g., a voice call from the corporate user to another corporate user via the personal smart phone) results in selection of a particular security grade for use in securing the initiated communication (illustratively, the security grade 1462 which also is denoted as G2). As illustrated in
The use of communication context-based security profiles 144 to improve security of communications by the corporate user is depicted and described with respect to
At step 505, method 500 begins.
At step 510, the user device of the corporate user detects a communication request. As described herein, detection of the communication request may vary across different communication types. For example, for voice communications the user device may detect entry of a telephone number and pressing of a submit button to initiate a call, opening of a voice call application and selecting of the name of a person to call, and the like. For example, for e-mail communication the user device may detect opening of an email application, logging in to an email service, opening of an e-mail message to be sent and entry of information, and the like. For example, for SMS communication the user device may detect opening of an SMS application, logging in to an SMS service, opening of an SMS message to be sent and entry of information, and the like. For example, for web browsing the user device may detect opening of a web browser, entry of search criteria into a search interface of a web browser, and the like. More generally, a request by the corporate user to communicate may be considered to include any action via which an indication of a request to communicate may be detected by the user device.
At step 515, the user device of the corporate user determines communication request information associated with the communication request. For example, the communication request information may include an identity of the corporate user of the user device, an identifier identifying the user device of the corporate user, an indication of a type of user device of the corporate user (e.g., corporate versus personal, fixed versus mobile, and the like), an identity of at least one entity and/or device intended as a destination of the requested communication, a communication type of the requested communication (e.g., voice call, e-mail, SMS message, web browsing, and the like), a subject of the requested communication, one or more details of the requested communication, and the like, as well as various combinations thereof. It is noted that, in at least some cases, a portion of the communication request information may be determined as part of step 510.
At step 520, the user device of the corporate user propagates the communication request information toward the communication assurance agent. At step 525, the communication assurance agent receives the communication request information from the user device of the corporate user.
At step 530, the communication assurance agent selects a communication context-based security profile based on the communication request information.
The communication assurance agent identifies the communication context-based security profiles associated with the corporate user (e.g., from information included within the communication request information received at the communication assurance agent from the user device). The communication assurance agent then selects one of the communication context-based security profiles associated with the corporate user, as the communication context-based security profile to be used for the requested communication of the corporate user, based on the communication request information received at the communication assurance agent from the user device. The selection of the communication context-based security profile may be performed based on keyword matching between information included in the communication request information and information included in the communication context-based security profiles associated with the corporate user, by considering the communication context-based security profiles associated with the corporate user in priority order until identifying one of the communication context-based security profiles as being a match satisfying a matching threshold, by considering portions of the communication request information in priority order until identifying one of the communication context-based security profiles as being a match satisfying a matching threshold, and the like, as well as various combinations thereof.
In one embodiment, where multiple communication context-based security profiles apply to the requested communication of the corporate user, any potential conflict between the multiple communication context-based security profiles may be resolved in any suitable manner (e.g., based on priority levels assigned to the communication context-based security profiles, using a lowest common denominator approach via comparison of security features of the communication context-based security profiles, using a greatest common denominator approach via comparison of security features of the communication context-based security profiles, and the like, as well as various combinations thereof).
At step 535, the communication assurance agent propagates an indication of the selected communication context-based security profile toward the user device. At step 540, the user device receives the indication of the selected communication context-based security profile from the communication assurance agent.
At step 545, the user device initiates the requested communication based on the selected communication context-based security profile. The communication context-based security profile indicates one or more security mechanisms to be used for the requested communication of the corporate user. It will be appreciated that the initiation of the requested communication based on the selected communication context-based security profile depends, at least in part, on the type of communication. Thus, the initiation of the requested communication based on the selected communication context-based security profile may be better understood by considering examples related to different types of communication which may be initiated by the corporate user.
For example, where the indication of the requested communication indicates initiation of a voice call, initiation of the requested communication based on the selected communication context-based security profile may include initiating signaling for establishing the voice session such that the voice session is based on one or more security parameters (e.g., using a particular type of encryption/decryption).
For example, where the indication of the requested communication indicates sending of an e-mail, initiation of the requested communication based on the selected communication context-based security profile may include sending the email from the user device using one or more security mechanisms (e.g., using a particular type of encryption/decryption, and the like).
For example, where the indication of the requested communication indicates sending of an SMS message, initiation of the requested communication based on the selected communication context-based security profile may include sending the SMS message from the user device using one or more security mechanisms (e.g., using a particular type of encryption/decryption, and the like).
For example, where the indication of the requested communication indicates entry of information for browsing the Internet, initiation of the requested communication based on the selected communication context-based security profile may include sending the search request from the user device using one or more security mechanisms related to web browsing.
For example, where the indication of the requested communication indicates entry of information for making a purchase via the Internet, initiation of the requested communication based on the selected communication context-based security profile may include sending the purchase request from the user device using one or more security mechanisms (e.g., using a particular type of encryption/decryption, and the like).
It is noted that the security mechanisms may be applied in any suitable manner, which may depend on the type(s) of security mechanism(s) to be applied. In at least some embodiments, one or more of the security mechanisms may be delivered as security application programming interfaces (APIs).
At step 550, the method 500 ends.
It is noted that, although primarily depicted and described with respect to embodiments in which the communication assurance agent propagates an indication of the selected communication context-based security profile toward the user device, the communication assurance agent alternatively or additionally may propagate an indication of the selected communication context-based security profile toward at least one network device which may be configured to apply one or more security mechanisms for the requested communication of the user device. For example, the communication assurance agent alternatively or additionally may propagate an indication of the selected communication context-based security profile toward a boundary device of the corporate network with which the user device is associated, toward one or more devices of an access network with which the user device is associated, toward one or more devices of a core network supporting the requested communication of the corporate user, toward one or more servers providing services related to the requested communication, toward one or more application servers related to the requested communication, and the like, as well as various combinations thereof.
It is noted that, although primarily depicted and described with respect to embodiments in which the communication assurance agent selects one communication context-based security profile for the requested communication of the corporate user, in at least some embodiments the communication assurance agent may be configured to select multiple communication context-based security profiles for the requested communication of the corporate user.
In one embodiment, the communication assurance agent may select one of the multiple communication context-based security profiles on behalf of the user device (e.g., selecting the profile based on a prioritization of the profiles, selecting the profile having the most stringent security requirements, and/or using any other suitable selection criteria) and propagate an indication of the selected one of the communication context-based security profiles toward the user device for use by the user device for the requested communication of the corporate user.
In one embodiment, the communication assurance agent may select two or more of the communication context-based security profiles on behalf of the user device (e.g., based on any suitable selection criteria, such as those discussed above for selection of one of the communication context-based security profiles by the communication assurance agent on behalf of the user device) and propagate indications of the selected communication context-based security profiles toward the user device. In one embodiment, the communication assurance agent may propagate indications of each of the selected communication context-based security profiles toward the user device. In one embodiment, in which the user device receives indications of multiple communication context-based security profiles from the communication assurance agent, the user device may select one of the multiple communication context-based security profiles to use for the requested communication, and then use the selected one of the communication context-based security profiles for the requested communication. In one embodiment, in which the user device receives indications of multiple communication context-based security profiles from the communication assurance agent, the user device may use some or all of the multiple communication context-based security profiles (to the extent that such communication context-based security profiles are consistent with each other) for the requested communication (e.g., applying all security mechanisms specified in the communication context-based security profiles, applying the most stringent of each of the security mechanisms specified in the communication context-based security profiles, and the like).
It is noted that, although primarily depicted and described with respect to embodiments in which a communication context-based security profile is determined only for the source side of a requested communication, a communication context-based security profile also may be determined for the destination side of a requested communication. In one embodiment, the process performed for the destination side of the requested communication is similar to the process performed for the source side of the requested communication as depicted and described with respect to
It is noted that, although primarily depicted and described herein with respect to embodiments in which the security mechanism/service grade is applied to the requested communication of the corporate user, the security mechanism(s)/service grade to be applied to the requested communication of the corporate user, and/or any other suitable security mechanism(s)/service grade, may be applied to any communication/service derived from the requested communication of the corporate user irrespective of whether or not the corporate user or the user device of the corporate user is involved (directly or indirectly) in the communication/service derived from the requested communication of the corporate user. This may be used, for example, where one or more communications/services are spawned by some action or actions taken by or otherwise associated with the corporate user.
For example, when the corporate user leaves a voicemail for an intended recipient and the delivery of the voicemail to a voice mailbox of the intended recipient is secured using an appropriate security mechanism(s)/security grade, one or more settings for the intended recipient may result in initiation by a network device of a voicemail transcription service which enables a text transcription of the voicemail to be delivered to the intended recipient via email or text message and the delivery of the text transcription of the voicemail may then be secured using an appropriate security mechanism(s)/security grade (which may be the same as or different than the security mechanism(s)/security grade used to deliver the voicemail to the voice mailbox of the intended recipient) in accordance with embodiments depicted and described herein.
For example, when the corporate user is having a health problem and initiates a call to his or her doctor, a voice connection is established between the corporate user and the doctor using an appropriate security mechanism(s)/security grade based on the context of the requested communication. In this case, during the voice call between the corporate user and the doctor, a service hosted within the network and monitoring the content of the voice call may detect distress on the part of the corporate user and, in response, may automatically initiate conversion of the voice call to a video call between the corporate user and the doctor such that the doctor can perform a visual inspection of the corporate user almost immediately. In this case, the video call that is spawned automatically as a result of monitoring performed within the network may then be secured using an appropriate security mechanism(s)/security grade (which may be the same as or different than the security mechanism(s)/security grade used for the voice call between the corporate user and the doctor) in accordance with embodiments depicted and described herein.
It will be appreciated that these are merely a few of the ways in which derived instances of a requested communication of a corporate user may be provided with appropriate security and assurance in accordance with embodiments depicted and described herein. In one embodiment, the communication assurance agent 141 is configured to detect initiation of a derived instance of the requested communication. The derived instance of the requested communication may include one or both of a service and a communication. The communication assurance agent 141 may be configured to initiate application of the at least one security mechanism to the derived instance of the requested communication. The communication assurance agent 141, where the communication context-based security profile selected for the requested communication of the corporate user is a first communication context-based security profile, may be configured to select a second communication context-based security profile for the derived instance of the requested communication, and propagate an indication of the selected second communication context-based security profile toward at least one of the user device and a network device for use in applying at least one security mechanism to the derived instance of the requested communication.
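The following is an added example, not code from the patent or its applicant, that works through three of the passages above in one place: the selection of a communication context-based security profile from the communication request information at step 530 (matching in priority order, then resolving a conflict either by priority or by taking the most stringent of each mechanism), and the re-grading of a derived instance of a communication (a voicemail transcription delivered by email) as a new request rather than an inherited grade. Every profile name, context key ("peer_class", "device_class", "comm_type", and so on), mechanism name and the stringency ranking of the encryption values are assumptions made for the example; the sample profiles stand in for the 144C/144P profiles of the text and the two requests are constructed from the doctor-call and colleague-call examples.

```python
"""Toy communication assurance agent: context-based profile selection, conflict
resolution, and re-grading of derived communications. Added example, not code
from the patent; all names, keys, mechanisms and rankings are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed stringency ranking for the one ordinal mechanism; higher is stronger.
ENCRYPTION_RANK = {"none": 0, "tls": 1, "e2e": 2}


@dataclass(frozen=True)
class SecurityProfile:
    name: str
    priority: int                   # lower number wins on conflict; specific profiles get low numbers
    match: Dict[str, str]           # context keys/values this profile applies to ({} = catch-all)
    mechanisms: Dict[str, object]   # e.g. {"encryption": "e2e", "audit_log": True}


def matches(profile: SecurityProfile, request: Dict[str, str]) -> bool:
    """A profile applies when every key it constrains is present and equal in the request."""
    return all(request.get(k) == v for k, v in profile.match.items())


def candidates(profiles: List[SecurityProfile], request: Dict[str, str]) -> List[SecurityProfile]:
    """Step 530: every applicable profile, ordered by priority and then by specificity."""
    return sorted((p for p in profiles if matches(p, request)),
                  key=lambda p: (p.priority, -len(p.match)))


def most_stringent(profiles: List[SecurityProfile]) -> Dict[str, object]:
    """Conflict resolution by taking the strongest value of each mechanism across the profiles
    (the 'apply the most stringent of each mechanism' option in the text)."""
    merged: Dict[str, object] = {}
    for p in profiles:
        for mech, val in p.mechanisms.items():
            if mech == "encryption":
                if ENCRYPTION_RANK[val] > ENCRYPTION_RANK[merged.get(mech, "none")]:
                    merged[mech] = val
            else:  # boolean mechanisms: on if any applicable profile turns them on
                merged[mech] = bool(merged.get(mech, False) or val)
    return merged


def select_profile(profiles: List[SecurityProfile], request: Dict[str, str],
                   mode: str = "priority") -> Tuple[str, Dict[str, object]]:
    """Return (profile name(s), mechanisms to apply). Fails closed: a request that matches no
    profile is an error, never a silent fallback to an unsecured communication."""
    cands = candidates(profiles, request)
    if not cands:
        raise LookupError(f"no security profile matches request {request!r}")
    if mode == "priority":
        return cands[0].name, dict(cands[0].mechanisms)
    if mode == "most_stringent":
        return "+".join(p.name for p in cands), most_stringent(cands)
    raise ValueError(f"unknown conflict-resolution mode {mode!r}")


def derive_request(original: Dict[str, str], **changes: str) -> Dict[str, str]:
    """Context for a derived instance (e.g. a voicemail transcription sent by email) keeps the
    originating user and peer but may change medium and device; it is re-graded, not inherited."""
    return {**original, **changes}


# Constructed sample profiles standing in for the 144C/144P profiles of the text.
PROFILES = [
    SecurityProfile("corp-any", 90, {"peer_class": "corporate"},
                    {"encryption": "tls", "audit_log": True}),
    SecurityProfile("corp-group4-personal-device", 20,
                    {"peer_class": "corporate", "peer_group": "GROUP4", "device_class": "personal"},
                    {"encryption": "e2e", "audit_log": True, "dlp_scan": True}),
    SecurityProfile("corp-voice-corporate-mobile", 30,
                    {"comm_type": "voice", "device_class": "corporate", "device_kind": "mobile"},
                    {"encryption": "tls", "audit_log": True}),
    SecurityProfile("personal-doctor", 10, {"peer_class": "doctor"},
                    {"encryption": "e2e", "audit_log": False}),
]

# Constructed communication request information as the user device would send it at step 520.
REQ_DOCTOR_CALL = {"user": "alice", "device_class": "corporate", "device_kind": "mobile",
                   "comm_type": "voice", "peer": "dr-lee", "peer_class": "doctor"}
REQ_COLLEAGUE_CALL = {"user": "alice", "device_class": "personal", "device_kind": "mobile",
                      "comm_type": "voice", "peer": "bob", "peer_class": "corporate",
                      "peer_group": "GROUP4"}

if __name__ == "__main__":
    print(select_profile(PROFILES, REQ_DOCTOR_CALL))                          # doctor profile wins by priority
    print(select_profile(PROFILES, REQ_DOCTOR_CALL, mode="most_stringent"))   # e2e kept, audit_log turned on
    print(select_profile(PROFILES, REQ_COLLEAGUE_CALL))                       # GROUP 4 personal-device profile
    transcript = derive_request(REQ_COLLEAGUE_CALL, comm_type="email", device_class="network")
    print(select_profile(PROFILES, transcript))                               # derived instance re-graded to corp-any
```

Two points the listing makes that the prose leaves open: the "most stringent" merge is only well defined once each mechanism has an agreed ordering (here an explicit rank table for encryption and logical OR for on/off mechanisms), and a request that no profile covers should be rejected rather than quietly sent with no mechanism, since an attacker who can shape the request information (an unusual device class or peer class) would otherwise be able to steer the agent into the unsecured path.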
It is noted that, although primarily depicted and described with respect to embodiments in which the communication assurance agent 141 is hosted within a network, the communication assurance agent 141 may be hosted at any other suitable location. In one embodiment, for example, the communication assurance agent 141 may be hosted within the corporate network 110 for use by multiple corporate users (including the corporate user depicted and described with respect to
Although primarily depicted and described with respect to providing security for communications of corporate users, the various embodiments depicted and described herein may be adapted for use in providing security for communications of any other suitable types of end users.
As depicted in
It will be appreciated that the functions depicted and described herein may be implemented in software (e.g., via implementation of software on one or more processors) and/or may be implemented in hardware (e.g., using a general purpose computer, one or more application specific integrated circuits (ASIC), and/or any other hardware equivalents).
It will be appreciated that the functions depicted and described herein may be implemented in software (e.g., for executing on a general purpose computer (e.g., via execution by one or more processors) so as to implement a special purpose computer) and/or may be implemented in hardware (e.g., using one or more application specific integrated circuits (ASIC) and/or one or more other hardware equivalents).
In one embodiment, the cooperating process 605 can be loaded into memory 604 and executed by the processor 602 to implement functions as discussed herein. Thus, cooperating process 605 (including associated data structures) can be stored on a computer readable storage medium, e.g., RAM memory, magnetic or optical drive or diskette, and the like.
It will be appreciated that computer 600 depicted in
It is contemplated that some of the steps discussed herein as software methods may be implemented within hardware, for example, as circuitry that cooperates with the processor to perform various method steps. Portions of the functions/elements described herein may be implemented as a computer program product wherein computer instructions, when processed by a computer, adapt the operation of the computer such that the methods and/or techniques described herein are invoked or otherwise provided. Instructions for invoking the inventive methods may be stored in fixed or removable media, transmitted via a data stream in a broadcast or other signal bearing medium, and/or stored within a memory within a computing device operating according to the instructions.
Although various embodiments which incorporate the teachings of the present invention have been shown and described in detail herein, those skilled in the art can readily devise many other varied embodiments that still incorporate these teachings.
This application claims the benefit of U.S. Provisional Patent Application Ser. No. 61/614,345 entitled “NEW SECURE COMMUNICATION MECHANISMS AND CAPABILITIES,” filed Mar. 22, 2012, which is hereby incorporated herein by reference in its entirety.
Number | Date | Country
---|---|---
61614345 | Mar 2012 | US