Claims
- 1. A computer-implemented system for providing protection of data accessible by a mobile device comprising:
a location detection module for detecting a location associated with a network environment in which the mobile device is operating; a policy setting module having a communication interface with the location detection module for communication of the detected location, the policy setting module determining a current security policy based upon the detected location, the security policy determining accessibility of data for the mobile device; and a policy enforcement control module having a communication interface with the policy setting module for communication of the current security policy to be enforced, the enforcement control module comprising one or more enforcement mechanism modules for enforcing the current security policy.
- 2. The system of claim 1 further comprising:
a layer manager being communicatively coupled to a network interface and being communicatively coupled to the location detection module, the layer manager communicating one or more parameters received from the network to the location detection module.
- 3. The system of claim 2 further comprising a user interface module for controlling one or more user interfaces for receiving input and displaying output, the policy setting module having a communication interface with the user interface module wherein the policy setting module defines an aspect of a security policy based on input received from the user interface module.
- 4. The system of claim 1 wherein the location detection module continuously detects the location in which the mobile device is operating;
responsive to a new location being detected, notifying the policy setting module via the communication interface of the new detected location; responsive to the notification of the new detected location, the policy setting module determining whether the current security policy is to be changed to another policy; and responsive to the change in policy being indicated, automatically making the other policy the current security policy; and responsive to the other policy being made the current security policy, the policy enforcement module automatically enforcing the other policy as the current policy.
- 5. The system of claim 2 wherein the location detection module detects a location based on a parameter received from the network.
- 6. The system of claim 3 wherein the location detection module detects a location based on a plurality of parameters received from the network.
- 7. The system of claim 6 wherein at least two of the plurality of parameters is associated with a different layer in a model for communications between computers in a network.
- 8. The system of claim 1 wherein
the location detection module comprises instructions for determining whether a first subset including M parameters of a set of N parameters received from the network indicates a location in accordance with a predetermined matching criteria.
- 9. The system of claim 8 wherein the location detection module comprises instructions for assigning weighted values to each parameter in a set, calculating a number using the weighted values, responsive to the calculated number satisfying a predetermined threshold for a location, assigning that location as the detected location.
- 10. The system of claim 8 wherein the M parameters includes a domain identifier.
- 11. The system of claim 8 wherein the M parameters includes a gateway server identifier.
- 12. The system of claim 8 wherein the M parameters includes a domain name system server Internet Protocol address.
- 13. The system of claim 8 wherein the M parameters includes a dynamic host control protocol server Internet Protocol address.
- 14. The system of claim 5 wherein the parameter is a media access control address.
- 15. The system of claim 6 wherein one of the parameters is an Internet Protocol address and another of the parameters is a port identifier.
- 16. The system of claim 6 wherein one of the parameters is an Internet Protocol address and another of the parameters is an application parameter.
- 17. The system of claim 1 wherein the location detection module includes instructions for detecting location based upon a cryptographic authentication protocol between the mobile device and a server.
- 18. The system of claim 3 further comprising:
a security features module for determining whether one or more security features have an activity status of inactive or active in a communication session between the mobile device and another computer; and the policy setting module having a communication interface with the security features module for communication of the activity status of the one or more security features, the policy setting module determining the current security policy based upon the activity status of the one or more security features as well as the detected location.
- 19. A computer-implemented system for providing protection of data accessible by a mobile device comprising:
a security features module for determining whether one or more security features have an activity status of inactive or active in a communication session between the mobile device and another computer; a policy setting module having a communication interface with the security features module for communication of the activity status of the one or more security features, the policy setting module determining the current security policy based upon the activity status of the one or more security features; and a policy enforcement control module having a communication interface with the policy setting module for communication of the current security policy to be enforced, the enforcement control module comprising one or more enforcement mechanism modules for enforcing the current security policy.
- 20. The system of claim 19 wherein at least one of the security features is a connection type of wired or wireless.
- 21. The system of claim 19 wherein at least one of the security features is a security software program.
- 22. The system of claim 1 wherein the policy enforcement control module prevents the mobile device from transferring data using one or more applications not permitted by the current security policy.
- 23. The system of claim 1 wherein the policy enforcement control module executes rules of the current security policy requiring that files being transferred using one or more applications be encrypted.
- 24. The system of claim 1 wherein the policy enforcement control module prevents the mobile device from transferring a file using a particular application in accordance with the current security policy.
- 25. The system of claim 1 wherein the one or more enforcement mechanism modules for enforcing the current security policy comprises an adaptive port blocking module for filtering network traffic on one or more designated ports in accordance with the current security policy.
- 26. The system of claim 1 wherein the adaptive port blocking module performs the following in accordance with a first security policy:
allowing inbound network traffic to the mobile device, the inbound network traffic being responsive to one or more previously sent requests in outbound network traffic transmitted from the device; and blocking inbound network traffic that is not responsive to the one or more previously sent requests in outbound network traffic.
- 27. The system of claim 1 wherein the adaptive port blocking module performs the following in accordance with a second security policy:
blocking all inbound network traffic to the mobile device and all outbound network traffic from the mobile device.
- 28. The system of claim 26 wherein the adaptive port blocking module performs the following for a user-defined port group in accordance with a first security policy:
allowing inbound network traffic to the mobile device, the inbound network traffic being responsive to one or more previously sent requests in outbound network traffic transmitted from the device; and blocking inbound network traffic that is not responsive to the one or more previously sent requests in outbound network traffic.
- 29. The system of claim 1 wherein the one or more enforcement mechanism modules comprises a file filter module for controlling access to a file in accordance with a first security policy.
- 30. The system of claim 29 wherein the first security policy comprises the following rule that is enforced by the file filter module:
allowing access only to an encrypted version of the file.
- 31. The system of claim 29 wherein the first security policy comprises the following rules that are enforced by the file filter module:
hiding the file.
- 32. The system of claim 29 wherein the first security policy comprises the following rules that are enforced by the file filter module:
responsive to a request of a first application type for the file, hiding the file; and responsive to another request from a second application type for the file, allowing access to the file.
- 33. The system of claim 29 wherein the first security policy comprises the following rules that are enforced by the file filter module:
responsive to a request of a first application type for the file, allowing access only to an encrypted version of the file; and responsive to another request from a second application type for the file, allowing access to an unencrypted version of the file.
- 34. A computer-implemented method for providing protection of data accessible by a mobile device comprising:
detecting a location associated with a network environment in which the mobile device is operating; determining a current security policy based upon the detected location, the security policy determining accessibility of data for the mobile device; and enforcing the current security policy.
- 35. The method of claim 1 further comprising:
determining whether one or more security features have an activity status of inactive or active in a communication session between the mobile device and another computer; and determining the current security policy based upon the activity status of the one or more security features as well as the detected location.
- 36. A computer-implemented method for providing protection of data accessible by a mobile device comprising:
determining whether one or more security features have an activity status of inactive or active in a communication session between the mobile device and another computer; and determining a current security policy based upon the activity status of the one or more security features; and enforcing the current security policy.
- 37. The method of claim 34 wherein the detecting the location in which the mobile device is operating includes detecting the location on a continuous basis;
wherein determining a current security policy based upon the detected location includes changing the current security policy automatically responsive to a notification of a newly detected location that is associated with another policy; and wherein enforcing the current security policy includes automatically enforcing the other policy as the current policy.
- 38. The method of claim 34 wherein detecting the location in which the mobile device is operating is based on a parameter received from the network.
- 39. The method of claim 34 wherein detecting the location in which the mobile device is operating is based on a plurality of parameters received from the network.
- 40. The method of claim 39 wherein at least two of the plurality of parameters is associated with a different layer in a model for communications between computers in a network.
- 41. The method of claim 34 wherein detecting the location in which the mobile device is operating comprises determining whether a first subset including M parameters of a set of N parameters received from the network indicates a location in accordance with a pre-determined matching criteria.
- 42. The method of claim 34 wherein detecting the location in which the mobile device is operating comprises assigning weight values to each of N parameters, calculating a number using the weight values, responsive to the calculated number satisfying a predetermined number for a location, assigning that location as the detected location.
- 43. The method of claim 42 wherein the number is a sum.
- 44. The method of claim 42 wherein the number is an average.
- 43. The method of claim 41 wherein the M parameters includes a domain identifier.
- 44. The method of claim 41 wherein the M parameters includes a gateway server identifier.
- 45. The method of claim 41 wherein the M parameters includes a domain name system server Internet Protocol address.
- 46. The method of claim 41 wherein the M parameters includes a dynamic host control protocol server Internet Protocol address.
- 47. The method of claim 38 wherein the parameter is a media access control address.
- 48. The method of claim 39 wherein one of the parameters is an Internet Protocol address and another of the parameters is a port identifier.
- 49. The method of claim 39 wherein one of the parameters is an Internet Protocol address and another of the parameters is an application parameter.
- 50. The method of claim 34 wherein detecting the location in which the mobile device is operating is based upon a cryptographic authentication protocol between the mobile device and a server.
- 51. The method of claim 34 wherein detecting the location in which the mobile device is operating comprises:
determining whether a first subset including M parameters of a set of N parameters received from the network indicates a location in accordance with a predetermined matching criteria.
- 52. The method of claim 34 wherein detecting the location in which the mobile device is operating comprises:
assigning weighted values to each parameter in a set; calculating a number using the weighted values; and responsive to the calculated number satisfying a predetermined threshold for a location, assigning that location as the detected location.
- 53. The method of claim 34 wherein enforcing the current security policy comprises:
responsive to a request for the file using a first application type for transfer, hiding the file.
- 54. The method of claim 53 wherein enforcing the current security policy further comprises:
responsive to another request from a second application type for the file, allowing access to the file.
- 55. The method of claim 34 wherein enforcing the current security policy comprises:
responsive to a request of a first application type for the file, allowing access only to an encrypted version of the file.
- 56. The method of claim 55 wherein enforcing the current security policy further comprises:
responsive to another request from a second application type for the file, allowing access to an unencrypted version of the file.
- 57. The method of claim 34 wherein enforcing the current security policy comprises preventing the mobile device from transferring data using one or more applications not permitted by the current security policy.
- 58. The method of claim 34 wherein enforcing the current security policy comprises:
performing adaptive port blocking filtering of network traffic on one or more designated ports in accordance with the current security policy.
- 59. The method of claim 58 wherein adaptive port blocking filtering includes performing the following in accordance with a first security policy:
allowing inbound network traffic to the mobile device, the inbound network traffic being responsive to one or more previously sent requests in outbound network traffic transmitted from the device; and blocking inbound network traffic that is not responsive to the one or more previously sent requests in outbound network traffic.
- 60. The method of claim 58 wherein adaptive port blocking filtering includes performing the following in accordance with a second security policy:
blocking all inbound network traffic to the mobile device and all outbound network traffic from the mobile device.
- 61. The method of claim 58 wherein adaptive port blocking filtering includes performing the following for a user-defined port group in accordance with a first security policy:
allowing inbound network traffic to the mobile device, the inbound network traffic being responsive to one or more previously sent requests in outbound network traffic transmitted from the device; and blocking inbound network traffic that is not responsive to the one or more previously sent requests in outbound network traffic.
- 62. The method of claim 34 wherein enforcing the current security policy includes controlling access to a file in accordance with a first security policy.
- 63. The method of claim 62 wherein controlling access to a file in accordance with a first security policy comprises:
responsive to encryption of the file being required for file transfer by the first security policy, allowing access only to an encrypted version of the file.
- 64. The method of claim 62 wherein controlling access to a file in accordance with a first security policy comprises:
responsive to transfer of the file being prohibited by the first security policy, hiding the file.
- 65. A computer-implemented system for providing protection of data accessible by a mobile device comprising:
means for detecting a location associated with a network environment in which the mobile device is operating; means for determining a current security policy based upon the detected location, the security policy determining accessibility of data for the mobile device; and means for enforcing the current security policy.
- 66. The system of claim 65 further comprising:
means for determining whether one or more security features have an activity status of inactive or active in a communication session between the mobile device and another computer; and means for determining the current security policy based upon the activity status of the one or more security features as well as the detected location.
- 67. A computer-implemented system for providing protection of data accessible by a mobile device comprising:
means for determining whether one or more security features have an activity status of inactive or active in a communication session between the mobile device and another computer; and means for determining a current security policy based upon the activity status of the one or more security features; and means for enforcing the current security policy.
- 68. A computer-usable medium comprising instructions for causing a computing device to execute a method for providing protection of data accessible by a mobile device, the method comprising:
detecting a location associated with a network environment in which the mobile device is operating; determining a current security policy based upon the detected location, the security policy determining accessibility of data for the mobile device; and enforcing the current security policy.
- 69. A computer-usable medium comprising instructions for causing a computing device to execute a method for providing protection of data accessible by a mobile device, the method comprising:
determining whether one or more security features have an activity status of inactive or active in a communication session between the mobile device and another computer; and determining a current security policy based upon the activity status of the one or more security features; and enforcing the current security policy.
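The location-detection and policy-selection claims above (claims 4, 8-13, 17 and 42-44) describe matching a subset of the network parameters a device sees (DHCP server address, DNS server address, gateway identifier, domain) against known locations with per-parameter weights, accepting a location when the weighted sum or average meets a threshold, and switching the security policy whenever the detected location changes. The Python below is an added illustration of that scheme written for this page; it is not code from the patent or its assignee. The profile names, addresses, weights and thresholds are constructed for the example, and the `requires_auth` flag is an assumption that ties the fingerprint to the cryptographic server check of claim 17, since every parameter in the fingerprint can be copied by a hostile network.

```python
"""Weighted network-parameter location detection and policy switching.
Illustrative code for the claims above; not the patent's own implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LocationProfile:
    name: str
    policy: str                  # security policy to apply at this location
    expected: Dict[str, str]     # parameter name -> value seen on that network
    weights: Dict[str, float]    # parameter name -> weight added when it matches
    threshold: float             # minimum weighted sum needed to accept the location
    requires_auth: bool = False  # assumption: also need a successful server authentication


def score_location(profile: LocationProfile, observed: Dict[str, str], mode: str = "sum") -> float:
    """Weighted match of the observed parameters against one profile.
    mode="sum" returns the weighted sum (claim 43); mode="average" divides by the
    number of parameters in the profile (claim 44)."""
    total = sum(profile.weights.get(p, 0.0) for p, v in profile.expected.items()
                if observed.get(p) == v)
    if mode == "average":
        return total / len(profile.expected) if profile.expected else 0.0
    return total


def detect_location(profiles: List[LocationProfile], observed: Dict[str, str],
                    auth_ok: bool = False) -> str:
    """Return the best-scoring profile whose threshold is met, else "unknown".
    Caveat: DHCP/DNS/gateway addresses, MACs and domain names are all
    attacker-controllable on a rogue network, so a profile that unlocks a
    permissive policy should set requires_auth and depend on the cryptographic
    exchange with a server rather than on the fingerprint alone."""
    best: Optional[LocationProfile] = None
    best_score = 0.0
    for profile in profiles:
        if profile.requires_auth and not auth_ok:
            continue
        score = score_location(profile, observed)
        if score >= profile.threshold and score > best_score:
            best, best_score = profile, score
    return best.name if best else "unknown"


class PolicySetter:
    """Holds the current policy and replaces it only when the detected
    location maps to a different policy (claim 4)."""

    def __init__(self, profiles: List[LocationProfile], default_policy: str = "untrusted"):
        self.policy_for = {p.name: p.policy for p in profiles}
        self.default_policy = default_policy  # applied at any unrecognised location
        self.current = default_policy

    def on_location(self, location: str) -> bool:
        """Apply the policy for `location`; return True if the policy changed."""
        new = self.policy_for.get(location, self.default_policy)
        changed = new != self.current
        self.current = new
        return changed


# Constructed sample data; addresses are from documentation ranges and are hypothetical.
PROFILES = [
    LocationProfile(
        name="corporate-lan", policy="trusted-lan",
        expected={"dhcp_server": "10.0.0.1", "dns_server": "10.0.0.53",
                  "gateway_mac": "00:11:22:33:44:55", "domain": "corp.example"},
        weights={"dhcp_server": 2.0, "dns_server": 2.0, "gateway_mac": 3.0, "domain": 3.0},
        threshold=7.0, requires_auth=True),
    LocationProfile(
        name="home", policy="home-vpn",
        expected={"gateway_mac": "aa:bb:cc:dd:ee:ff", "dhcp_server": "192.168.1.1"},
        weights={"gateway_mac": 3.0, "dhcp_server": 1.0},
        threshold=3.0),
]
OFFICE = {"dhcp_server": "10.0.0.1", "dns_server": "10.0.0.53",
          "gateway_mac": "00:11:22:33:44:55", "domain": "corp.example"}
HOTSPOT = {"dhcp_server": "172.16.0.1", "dns_server": "172.16.0.1",
           "gateway_mac": "de:ad:be:ef:00:01", "domain": ""}

if __name__ == "__main__":
    setter = PolicySetter(PROFILES)
    for label, params, auth in (("office", OFFICE, True), ("spoofed office", OFFICE, False),
                                ("hotspot", HOTSPOT, False)):
        loc = detect_location(PROFILES, params, auth_ok=auth)
        changed = setter.on_location(loc)
        print(f"{label}: location={loc} policy={setter.current} changed={changed}")
```

The threshold on a weighted sum generalises the "M of N parameters" criterion of claims 8 and 41: giving every parameter weight 1 and setting the threshold to M reproduces it exactly.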
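Claims 25-28 and 58-61 describe an adaptive port blocking module with two policies: one that admits inbound traffic only when it answers a request the device itself sent and blocks everything else inbound, and one that blocks all traffic in both directions. The Python simulation below is an added example for this page, not code from the patent or its assignee. The `Packet` fields, the expiring flow table, and the reading of "user-defined port group" as the set of remote service ports the device is permitted to initiate to are assumptions made for the illustration.

```python
"""Adaptive port blocking: a stateful inbound filter keyed on the device's
own outbound requests, plus a lockdown mode.  Illustrative only."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# (proto, local_port, remote_ip, remote_port): the full tuple is the key so a
# spoofed source cannot reuse a local port that some other peer was answered on.
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (sent by the device) or "in" (arriving at the device)
    proto: str       # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int


class AdaptivePortBlocker:
    """policy="respond-only": allow outbound, record it, and admit inbound only
    as an answer to a recorded request (claims 26/59).
    policy="lockdown": block all inbound and outbound traffic (claims 27/60).
    port_group (assumed meaning): remote service ports the device may initiate
    to under respond-only; outbound to any other port is blocked (claims 28/61)."""

    def __init__(self, policy: str, port_group: Optional[Set[int]] = None, ttl: int = 60):
        if policy not in ("respond-only", "lockdown"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.port_group = port_group
        self.ttl = ttl
        self.pending: Dict[FlowKey, int] = {}  # flow -> time at which its allowance expires

    def allow(self, pkt: Packet, now: int = 0) -> bool:
        if self.policy == "lockdown":
            return False
        # Expire old allowances so one stale DNS query does not leave a UDP port
        # answerable indefinitely.
        self.pending = {k: exp for k, exp in self.pending.items() if exp > now}
        key: FlowKey = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            if self.port_group is not None and pkt.remote_port not in self.port_group:
                return False
            self.pending[key] = now + self.ttl
            return True
        # Inbound: only an answer to a request still in the table.
        return key in self.pending


if __name__ == "__main__":
    # Constructed traffic using documentation addresses.
    fw = AdaptivePortBlocker("respond-only", port_group={53, 80, 443})
    trace = [
        (1, Packet("out", "tcp", 51000, "93.184.216.34", 443)),   # device opens HTTPS
        (2, Packet("in", "tcp", 51000, "93.184.216.34", 443)),    # server replies: allowed
        (2, Packet("in", "tcp", 51000, "198.51.100.7", 443)),     # spoofed reply: blocked
        (3, Packet("in", "tcp", 445, "198.51.100.7", 4444)),      # unsolicited SMB: blocked
        (4, Packet("out", "tcp", 51001, "203.0.113.9", 22)),      # SSH not in port group: blocked
        (70, Packet("in", "tcp", 51000, "93.184.216.34", 443)),   # reply after TTL: blocked
    ]
    for now, pkt in trace:
        print(now, pkt.direction, pkt.local_port, pkt.remote_ip, pkt.remote_port,
              "ALLOW" if fw.allow(pkt, now) else "BLOCK")
```

A real implementation would sit in the network stack (a packet filter driver or a netfilter/nftables conntrack rule) rather than in user space, but the decision it makes is the one shown: the presence of a matching outbound request, not the port number alone, is what admits an inbound packet.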
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims the benefit of priority under 35 U.S.C. § 119(e) to U.S. provisional patent application No. 60/434,485, filed on Dec. 18, 2002, entitled “System And Method For Protecting Data Based On Location Of Mobile Devices” having inventors Michael Wright, Peter Boucher, Gabe Nault, Merrill Smith, Sterling Jacobsen, and Jonathan Wood.
[0002] This application also claims the benefit of priority under 35 U.S.C. § 119(e) to U.S. provisional patent application No. 60/438,556, filed on Jan. 6, 2003, entitled “Remote Management For Protecting And Accessing Data Based On A Connection Type Or An Environment Of A Mobile Device” having inventors Michael Wright, Peter Boucher, Gabe Nault, Merrill Smith, Sterling Jacobsen, Jonathan Wood and Robert Mims.
Provisional Applications (2)

| Number | Date | Country |
|---|---|---|
| 60434485 | Dec 2002 | US |
| 60438556 | Jan 2003 | US |