HK1205405B - Method and computing device for establishing connectivity between an enterprise security perimeter of a device and an enterprise
Publication number: HK1205405B
Authority: HK (Hong Kong)
Prior art keywords: enterprise, perimeter, computing device, communication, mobile communication
Abstract
A first device establishes a connection with a second device and attempts, via that connection, to access an enterprise server of an enterprise. The first device may have a number of security perimeters, some of which are allowed to use the various communications proxies provided by the second device. If the first device and the second device are associated with the same enterprise, an enterprise perimeter of the first device may be enabled to access the enterprise through an enterprise proxy of the second device.
Description
Cross Reference to Related Applications
This application claims the benefit of U.S. provisional application No.61/600,902, filed on day 2, 20, 2012, the entire contents of which are expressly incorporated herein by reference.
Technical Field
The present disclosure relates to establishing a connection between a device and an enterprise, and in particular to establishing a connection service for an enterprise security perimeter within the device.
Background
In many instances, a computing device may include data, applications, or network resources whose accessibility is controlled by a security policy. For example, security policies may relate to user accounts, administrative rights, password protection, database management, access privileges, networking, and other aspects that affect device operation. Device resources may be assigned according to different security requirements.
Disclosure of Invention
Drawings
FIG. 1 is an example communication system illustrating a first computing device obtaining access to enterprise resources via a mobile communication device.
FIG. 2A is an example communication system similar to FIG. 1, in which one or more optional components of the first computing device are described.
FIG. 2B is an example communication system similar to FIG. 1, in which one or more optional components of the mobile communication device are described.
FIGS. 3A-3C are example displays of a first computing device illustrating an example process for accessing an enterprise perimeter configured on the first computing device.
FIG. 4 is a flow diagram illustrating an example method for a first computing device to establish a proxy service via a mobile communication device.
FIG. 5 is an example communication system including a first computing device having a plurality of selectable security perimeters and establishing a proxy service via another device, such as a mobile communication device.
FIG. 6 is a flow diagram illustrating an example method that may be used by the first computing device of FIG. 5 to determine whether a proxy connection via a mobile communication device should be associated with an enterprise perimeter.
FIG. 7 illustrates the example communication system of FIG. 5 operating in accordance with the flowchart of FIG. 6 to determine whether a proxy connection provided by a mobile communication device should be associated with an enterprise perimeter.
FIG. 8 illustrates the example communication system of FIG. 5 after determining that the proxy connection provided by the mobile communication device should be associated with an enterprise perimeter.
FIG. 9 illustrates another example communication system of FIG. 5 operating in accordance with the flowchart of FIG. 6 to determine whether a network connection provided by a mobile communication device should be associated with an enterprise perimeter.
FIG. 10 illustrates the example communication system of FIG. 9 after determining that proxy connections provided by mobile communication devices should not be associated with an enterprise perimeter.
Like reference symbols in the various drawings indicate like elements.
Detailed Description
The present disclosure relates to systems and methods for enabling access to various network or proxy resources within different security perimeters configured in a computing device. A perimeter may generally refer to a security policy used to create a logical separation of resources, such as applications, stored data, and/or network access. Resources included within a perimeter may be encrypted and cryptographically protected to securely separate them from resources in other perimeters. For example, resources in different perimeters may be prohibited from exchanging data. In some implementations, the perimeters may include a personal perimeter and an enterprise perimeter (or corporate perimeter). A personal perimeter may generally refer to a perimeter created by a user by default and managed by the same user. An enterprise perimeter may generally refer to a perimeter created by or for a user and managed by a remote management server or service (e.g., a BlackBerry Enterprise Server (BES), a BlackBerry tablet management service (BPAS), or a BlackBerry Device Server (BDS), etc.), which may or may not be associated with an enterprise (e.g., a business). In this disclosure, perimeters configured in a computing device may also be referred to as security partitions, security zones, roles (personas), identity profiles, or other similar terms, where operations within different perimeters are controlled by different security policies. Hereinafter, for simplicity, "perimeter" will be used to refer to any of the above terms. Hereinafter, a personal perimeter may refer to a perimeter configured and managed by an end user, while an enterprise perimeter may refer to a perimeter configured and managed by an enterprise device server.
Methods and systems for enabling enterprise proxy resources in an enterprise perimeter when accessing enterprise services via a mobile communication device having a secure connection to the enterprise services are described herein. For example, if the mobile communication device has been preconfigured with a connection to an enterprise network, an enterprise perimeter configured on the tablet computer may connect to the same enterprise network through an enterprise proxy connection provided by the mobile communication device. Terms such as "enterprise" as used herein may refer to a business or work relationship, as well as other types of networked environments in which centralized resources are managed in a unified manner.
A computing device (e.g., a tablet computer) may establish a connection to a mobile communication device in order to access other networks. In some systems, the mobile communication device may be used as a proxy or gateway connection that provides the computing device with access to other networks. Computing devices may use "tethering" technology to access enterprise networks, such as through mobile communication devices. For example, a mobile communication device (e.g., a BlackBerry smart phone) may have a secure connection to an enterprise network via a mobile telecommunications service. The mobile communication device may access (e.g., through a cellular network) an enterprise service associated with an enterprise network. The mobile communication device may provide access to enterprise services and/or enterprise networks to one or more perimeters configured in a tethered or otherwise associated computing device. In some implementations, the mobile communication device can be tethered to the computing device via a direct wireless connection (e.g., wireless LAN, Bluetooth™). In some implementations according to the present disclosure, an enterprise perimeter in a computing device can access enterprise services in an enterprise network via a tether to a mobile communication device. It will be apparent to those skilled in the art that other types of devices may be used for tethered connections to the enterprise network. In this disclosure, for simplicity, a mobile communication device will be used to describe a device that can selectively provide access to an enterprise network via a tether or any other suitable pairing or connection.
Fig. 1 is an example communication system 100 illustrating a first computing device 102 obtaining access to enterprise resources via a mobile communication device 104. At a high level, the system 100 includes a first computing device 102 communicably coupled with a mobile communication device 104. Mobile communication device 104 may be communicatively coupled to cellular network 106 and enterprise network 108. The first computing device 102 includes perimeters 110a and 110b configured to prevent access to partitioned resources. The mobile communication device 104 includes a mobile enterprise perimeter 110c configured to prevent access to resources associated therewith. The enterprise network 108 includes an enterprise server 112 for providing access to server resource accounts. For a high-level description of operation, the first computing device 102 may wirelessly transmit a connection request for connecting to a network using the mobile communication device 104. The mobile communication device 104 may perform authentication before allowing the connection and then send information indicating that the connection request is allowed. The transmitted information may include information about the networks available at the mobile communication device 104, including the identification associated with the mobile enterprise perimeter 110c. The identification included in the transmitted information may be used by the first computing device 102 to determine whether the mobile communication device 104 has a mobile enterprise perimeter 110c associated with one of the perimeters 110a and 110b.
Referring to a more detailed description of the elements, devices 102 and 104 may be any local or remote computing device operable to receive requests from a user via a user interface, such as a Graphical User Interface (GUI), a command line interface (CLI), or any of a variety of other user interfaces. In various implementations, devices 102 and 104 may comprise electronic computing devices operable to receive, transmit, process, and store any suitable data associated with communication system 100. As used in this disclosure, devices 102 and 104 are intended to include any electronic or computing device with network communication capabilities. For example, devices 102 and 104 may be: a tablet computer, personal computer, laptop computer, touch screen terminal, workstation, network computer, kiosk, wireless data port, wireless or wired telephone, Personal Data Assistant (PDA), smart phone, at least one processor in these or other devices, or any other suitable processing device. For example, devices 102 and 104 may comprise mobile communication devices and may or may not include input devices such as a keypad, touch screen, mouse, or other device capable of accepting information, and output devices that communicate information associated with the operation of a resource, including digital data, visual information, or a GUI. Devices 102 and 104 may include fixed or removable storage media (such as a magnetic computer diskette, CD-ROM, flash memory, or other suitable media) for receiving input from and providing output to a user via a display (such as a GUI). Further, the devices 102 and 104 may include fewer or more perimeters than are shown in this and other figures.
In some implementations, the first computing device 102 and the mobile communication device 104 can communicate using Bluetooth™, Wi-Fi, WiMAX, Near Field Communication (NFC), or another wireless communication protocol. The computing device 102 may communicate with the mobile communication device 104 over a wireless connection 114. The mobile communication device 104 may communicate wirelessly with the cellular network 106. For example, the mobile communication device 104 can include one or more wireless network capabilities, including second generation (2G), third generation (3G), and/or fourth generation (4G) telecommunications technologies. Example 2G, 3G and 4G telecommunications network standards include: Global System for Mobile Communications (GSM), Interim Standard 95 (IS-95), Universal Mobile Telecommunications System (UMTS), CDMA2000 (code division multiple access), 3GPP Long Term Evolution (LTE), LTE Advanced (LTE-A), and the like.
In some implementations, the first computing device 102 may access the enterprise server 112 via the mobile communication device 104 based on a tether or any other connection. In this case, if the mobile communication device 104 (e.g., a BlackBerry smart phone) includes tether functionality and is capable of performing cellular network communications with the enterprise server 112, the mobile communication device 104 can be used as a connection device (also referred to as a tether or bridge device) to enable communications between the first computing device 102 and the enterprise server 112. The first computing device 102 and the mobile communication device 104 may use a direct wireless connection (e.g., Bluetooth™, infrared, optical connection, Wi-Fi, WiMax, RFID, NFC, etc.), a wired connection (e.g., USB, FireWire, etc.), or a personal or local area network. The mobile communication device 104 may access an enterprise account maintained on the enterprise server 112. The mobile communication device 104 can also associate the mobile enterprise perimeter 110c with an enterprise account, the mobile enterprise perimeter 110c maintaining security policies locally on the mobile communication device 104. The enterprise account may be, for example, an account that pushes data to the mobile communication device 104.
The enterprise network 108 may be a network associated with an enterprise. An enterprise may include a company or business entity, a government agency, a nonprofit agency, or any other organization, and may be associated with accounts configured on one or both of devices 102 and 104. In some implementations, the enterprise may be the owner of the device 102 or 104. In some implementations, the device 102 or 104 may be owned by a user, and in these cases the user may be the enterprise for which an enterprise perimeter is configured on the device. Of course, the enterprise may also lease the devices 102 or 104, or may hire contractors or agents responsible for maintaining, configuring, controlling, and/or managing the devices 102 and 104. In the illustrated implementation, the network 108 may facilitate communication with the devices 102 and 104. The network 108 may communicate, for example, Internet Protocol (IP) packets, frame relay frames, Asynchronous Transfer Mode (ATM) cells, voice, video, data, and other suitable information between network addresses. Further, although the enterprise network 108 is illustrated as a single network, the network 108 may include multiple networks. In short, enterprise network 108 is any suitable network configured to communicate with device 104. In the illustrated implementation, the enterprise network 108 includes an enterprise server 112.
Enterprise server 112 may include any software, hardware, firmware, or combination thereof configured to manage access to one or more server resource accounts. The enterprise account may be, for example, an ActiveSync email, calendar, or contact account. The enterprise accounts may be associated with an enterprise perimeter (e.g., 110a, 110b, and/or 110c) such that the enterprise perimeter may secure applications, data, and security policies for accessing the accounts. Enterprise server 112 may maintain or enforce resources, settings, and security policies associated with enterprise perimeters and accounts. The enterprise server 112 can receive requests associated with enterprise accounts and initiate generation of the perimeter 110 in conjunction with providing access to the accounts. In some implementations, enterprise server 112 may send information indicating a security policy for accessing server resource accounts. As described above, the enterprise server 112 may also assign an enterprise identifier to the device, along with permission to access the server user account. For example, enterprise server 112 may send the enterprise identifier along with the security policy to device 102 or 104. The enterprise identifier may include a network address, employee number, or other string.
FIG. 2A is an example communication system similar to FIG. 1, in which one or more optional components of the first computing device are described.
The first computing device 202 is an example implementation of the first computing device 102. As shown, the communication system 200 includes a first computing device 202, which can be communicatively coupled to a mobile communication device 204, as illustrated by arrow 250 in fig. 2B. The mobile communication device 204 may access a public network 208a and/or an enterprise network 208b. More details regarding the mobile communication device 204 are depicted in fig. 2B. The first computing device 202 includes one or more network interfaces, which may include a Wi-Fi interface 210a, a cellular interface 210b, a Local Area Network (LAN) interface 210c, a universal serial bus (USB) interface (not shown), and a Bluetooth™ interface 210d. Other interfaces may be provided and used in accordance with the present disclosure. As described above, the network interfaces may include various wired or wireless communication interfaces known to those skilled in the relevant arts. In FIG. 2A, the network interfaces 210a-210d provide for communication with the mobile communication device 204. For example, the Bluetooth interface 210d may provide a short-range radio frequency connection (shown as arrow 250) between the first computing device 202 and the mobile communication device 204. The use of a short-range radio frequency connection (or alternatively, a direct wired connection) may be referred to as a tether or pairing between the first computing device 202 and the mobile communication device 204.
The first computing device 202 may be configured with one or more perimeters. In the example system in fig. 2A, the first computing device 202 is configured with a first perimeter 220a and a second perimeter 220b. In the example of FIG. 2A, the first perimeter 220a is referred to as a "personal" perimeter, and the second perimeter 220b is referred to as an "enterprise perimeter". In each of the perimeters 220a, 220b, various applications, data, configurations, and network interfaces may be managed through one or more security policies associated with the perimeters. For example, the first perimeter 220a has a first application 222, data (not shown), configuration 224, and a plurality of ports (one of which has reference numeral 226). The second perimeter 220b includes one or more applications 232 (e.g., "work" applications), data (not shown), configuration 234, and a plurality of ports (one of which has reference numeral 236). The second perimeter 220b may also include Virtual Private Network (VPN) functionality 238 that may be provided by hardware, software, or any combination thereof. Perimeter manager 240 (which, according to the present disclosure, may include bridge manager 242) facilitates enforcing security policies and providing additional security policies that control access to each perimeter 220a, 220b. For example, the perimeter manager 240 may perform password protection before allowing the user to invoke an application or resource associated with a particular perimeter.
The perimeter manager 240 may include a bridge manager 242. The bridge manager 242 may be part of the perimeter manager 240 or may be a separate module. The perimeter manager 240 and the bridge manager 242 may be implemented as part of an operating system that controls the operation of the first computing device 202. Bridge manager 242 is responsible for managing ports 226, 236 used to facilitate access between perimeters 220a, 220b and interfaces 210a-210d. In one example, bridge manager 242 may control ports 226, 236 to facilitate tethering. In the example of fig. 2A and 2B, when a communication channel is established by tethering or pairing the first computing device 202 and the mobile communication device 204 (shown as arrow 250), the bridge manager 242 creates one or more separate sockets representing different sessions between the two devices. For example, the bridge manager 242 may create a first socket associated with a first agent at the mobile communication device. Each socket may be associated with a session (also referred to as a link) on a communication channel. The communication channel may have multiple communication sessions established over the same communication channel. In the example of fig. 2A, the first socket at the first computing device 202 is directly associated with the first port at the mobile communication device 204. By establishing a socket associated with a port, the two devices 202, 204 can maintain separation of communication sessions between the devices. For example, a communication session related to a first socket is directed to a first agent. Similarly, communications to/from the second socket are directed to the second agent, which may be communicatively linked to the enterprise network 208b. Rules implemented at the mobile communication device are used to keep traffic for each session separate at the mobile communication device. Similarly, rules are established at the first computing device 202 to keep sessions separate by associating sessions with specific sockets and/or ports.
Bridge manager 242 maintains ports 226, 236 at first computing device 202 and may also use ports 226, 236 and interfaces 210a-210d to create one or more "virtual interfaces". Such a virtual interface may be implemented by an operating system to separately identify an interface for each of the perimeters 220a, 220b. As shown in FIG. 2A, a first application 222 is located in a first perimeter 220a and may access interfaces 210a-210d using one or more ports 226 to access the public network 208a. However, the first application 222 does not have access to ports 236, which are configured only within the second perimeter 220b. The perimeter configuration for each perimeter may allow access to specific applications, and this complexity is not the subject of this disclosure. For purposes of this disclosure, an application configured within a perimeter can only access network resources associated with ports that are in the same perimeter as the application. In some implementations, ports 226 can be identified using the same port identification as ports 236, such as when they reside on the same physical interface and do not have a perimeter-specific configuration. However, in the present disclosure, instances of ports enabled within a perimeter are considered to be the only ports that the bridge manager has associated with a particular physical interface and, in some cases, the only ports that the bridge manager has associated with a particular session on that physical interface.
In the present disclosure, a particular perimeter may include data, network access resources (e.g., via a virtual interface), applications, profiles, one or more policies, combinations thereof, or other resources. The data may include various objects or data, including categories, frames, applications, backup data, business objects, jobs, web pages, web page templates, database tables, repositories storing business and/or dynamic information, and any other suitable information (including any parameters, variables, algorithms, instructions, rules, constraints, or references thereto associated with the devices and/or applications).
Fig. 2B is an example communication system 249 similar to fig. 1 in which one or more optional components of the mobile communication device 204 are described. System 249 illustrates a case where first computing device 202 is communicatively coupled (via communications channel 250) to mobile communications device 204 using one or more ports 226, 236 and tether 251 (which can be accomplished using any of interfaces 210a-210d in fig. 2A). On communication channel 250, there may be one or more separate communication sessions 254, 256. In an example, the first communication session 254 from the first computing device 202 is associated with a connection broker 264 of the mobile communication device 204. The public connection broker 264 provides access 284 to the public network 208a. The mobile communication device 204 can provide access 284 using one or more other network interfaces (such as WiFi, cellular, etc.) collectively represented in the figure as interface 294.
In an example, the second communication session 256 from the first computing device 202 may be associated with an enterprise connection broker 266. The enterprise connection broker 266 provides access 286 to the enterprise network 208b. In some implementations, the enterprise connection broker 266 can also provide access to data associated with a mobile enterprise perimeter, such as data associated with a personal information management (PIM) application configured on the mobile communication device and associated with an enterprise account. A secure tunnel or virtual private network feature 296 between the mobile communication device 204 and the enterprise network 208b may be used to provide connectivity to the enterprise resources 297.
Fig. 3A is an example screen 300 illustrating access to an enterprise perimeter of a first computing device using a GUI. The GUI may be presented on a touch screen display 300 of a computing device (e.g., a BlackBerry PlayBook tablet) as described with respect to fig. 1 or 2. As shown in the first screen 300 of the example GUI, the left-hand side of the GUI displays content included in the personal perimeter 302. The personal perimeter 302 may be the default perimeter of the computing device described with respect to fig. 2. Since personal perimeter 302 may be a default perimeter, a user of the computing device may be allowed to access and manipulate documents under personal perimeter 302. The right-hand side of the GUI displays information associated with an enterprise perimeter (or corporate perimeter) 304. As shown, the user has not logged into the enterprise perimeter. Thus, the corporate screens associated with the enterprise perimeter 304 are locked. The user may slide or click on the scroll bar 306 to trigger the password authentication process.
Fig. 3B is a second screen 320 of the example GUI. In this implementation, screen 320 shows a popup 322 that prompts for a password to log into the enterprise perimeter. Upon authenticating the password, the computing device may determine whether to grant access to the resource based on the user credentials.
Fig. 3C is a third screen 340 of the example GUI. In these implementations, the personal perimeter 302 and the enterprise perimeter 342 are displayed separately. The documents included in the personal perimeter 302 and the enterprise perimeter 304 are logically separate from each other and stored in the computing device. The user may not be allowed to transfer files between the personal perimeter 302 and the enterprise perimeter 342. In this manner, corporate data included in the enterprise perimeter 342 may be secured.
Fig. 4 is a flow diagram illustrating an example method 400 for a first computing device to establish a proxy service via a mobile communication device. The method described in connection with fig. 4 may be implemented using software, hardware, or any combination thereof. In one example, instructions executable by a processor to implement the method of fig. 4 may be stored on a computer-readable medium (e.g., memory), which may be tangible. In one alternative, the instructions may be hard-coded into a processor or other hardware. The illustrated method is described with reference to the system 100 of fig. 1, but the method may be used by any other suitable system. Further, the system 100 may use any other suitable technique for performing these operations. Thus, some of the steps in this flowchart may occur concurrently and/or in a different order than shown. The system 100 may also use methods with additional steps, fewer steps, and/or different steps, so long as the methods remain suitable.
The method 400 begins at step 402, where a computing device establishes a connection (e.g., a communication channel) with a second device, such as a mobile communication device. Establishing a connection will typically include an authentication and verification process whereby the computing device and the second device establish a first level of trust that permits the use of the communication channel to create one or more sessions. Information related to establishing a connection can be found in U.S. patent application No. 13/195,587. At step 404, the computing device receives an indication of a mobile enterprise perimeter on the second device. Next, at step 406, the computing device creates one or more sockets associated with the agents on the second device. For example, the computing device may create a socket associated with an enterprise agent that provides access to the enterprise network. At step 408, the computing device determines whether the mobile enterprise perimeter of the second device is associated with an enterprise perimeter configured on the computing device. This step may include a comparison of keys, a comparison of security information, a comparison of perimeter identifiers, or other comparisons.
At step 410, the method determines whether the enterprise perimeters match, in other words, whether they are both associated with the same enterprise. Steps 408 and 410 may be the same step in some implementations, or may be performed as separate tests. Step 410 may include an attempt to verify that the enterprise perimeter of the computing device and the mobile enterprise perimeter of the second device are both associated with the same enterprise network. Example techniques useful for step 410 can be seen in the description of FIGS. 5-10.
If the enterprise perimeter of the computing device does not match the mobile enterprise perimeter of the mobile communication device, then optionally, at step 414, the computing device may create a new perimeter (e.g., an "unknown corporate perimeter"). If the enterprise perimeter of the computing device does match the mobile enterprise perimeter of the mobile communication device, then at step 412, the bridge manager of the computing device enables ports in the enterprise perimeter to allow the enterprise perimeter to access the enterprise agents.
Fig. 5 includes a first computing device 502 (such as computing devices 102, 202) and a mobile communication device 504 (which may be similar to mobile communication devices 104, 204).
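The following is an added example, not code from the patent or from any BlackBerry product: a small Python model of the bridge manager behaviour described for figs. 2A and 2B (one socket per agent, ports usable only from within their own perimeter) and of steps 404 to 414 of method 400 (match the mobile enterprise perimeter against the local enterprise perimeter, enable the enterprise socket on a match, otherwise quarantine it in a new "unknown corporate" perimeter). The class names, the `enterprise_id` string used as the perimeter identifier, and the constructed scenario are assumptions for illustration; the patent leaves the comparison (keys, security information, or perimeter identifier) open.

```python
"""Hypothetical model of the bridge manager decisions in method 400.

Constructed scenario: a tablet holds a personal perimeter and an enterprise
perimeter; a tethered phone advertises a public connection broker and an
enterprise proxy, each tagged with the enterprise identifier of the mobile
perimeter it belongs to (None for the public broker).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hmac


@dataclass
class Perimeter:
    name: str
    enterprise_id: Optional[str]        # None marks a personal perimeter
    enabled_ports: set = field(default_factory=set)


@dataclass
class Agent:
    """A proxy or broker advertised by the mobile communication device."""
    name: str
    enterprise_id: Optional[str]        # identifier of its mobile enterprise perimeter


@dataclass
class BridgeManager:
    perimeters: Dict[str, Perimeter]
    sockets: Dict[str, Agent] = field(default_factory=dict)   # socket -> agent

    def _personal(self) -> Perimeter:
        return next(p for p in self.perimeters.values() if p.enterprise_id is None)

    def _matching_enterprise_perimeter(self, remote_id: str) -> Optional[Perimeter]:
        """Steps 408/410 (assumed form): identical enterprise identifier means
        the two perimeters belong to the same enterprise. compare_digest keeps
        the comparison constant-time."""
        for p in self.perimeters.values():
            if p.enterprise_id is not None and hmac.compare_digest(p.enterprise_id, remote_id):
                return p
        return None

    def on_tether(self, advertised: List[Agent]) -> Dict[str, str]:
        """Steps 404 to 414. Returns the perimeter each new socket was enabled in."""
        outcome: Dict[str, str] = {}
        for agent in advertised:
            sock = f"sock:{agent.name}"
            self.sockets[sock] = agent                   # step 406: one socket per agent
            if agent.enterprise_id is None:
                target = self._personal()                # public broker: personal perimeter only
            else:
                target = self._matching_enterprise_perimeter(agent.enterprise_id)
                if target is None:
                    # step 414: no match, so the existing enterprise perimeter gets no
                    # port; the socket is quarantined in a new "unknown corporate" perimeter
                    target = Perimeter(f"unknown-corp:{agent.enterprise_id}", agent.enterprise_id)
                    self.perimeters[target.name] = target
            target.enabled_ports.add(sock)               # step 412 (or the quarantine perimeter)
            outcome[sock] = target.name
        return outcome

    def can_use(self, perimeter_name: str, sock: str) -> bool:
        """An application may only use sockets enabled inside its own perimeter."""
        return sock in self.perimeters[perimeter_name].enabled_ports


def new_tablet() -> BridgeManager:
    """Constructed tablet: personal perimeter plus a 'work' perimeter for company-a."""
    return BridgeManager({
        "personal": Perimeter("personal", None),
        "work": Perimeter("work", "company-a"),
    })


if __name__ == "__main__":
    tablet = new_tablet()
    print(tablet.on_tether([Agent("public-broker", None), Agent("enterprise-proxy", "company-a")]))
    print("work app may use enterprise proxy:", tablet.can_use("work", "sock:enterprise-proxy"))
    print("personal app may use enterprise proxy:", tablet.can_use("personal", "sock:enterprise-proxy"))
    other = new_tablet()
    print(other.on_tether([Agent("enterprise-proxy", "company-b")]))
```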
In the example of fig. 5, the first computing device 502 may be coupled to a communication device 504, and the communication device 504 may be coupled to one of a first enterprise network 512 and a second enterprise network 530. The first computing device 502 may have been previously associated with an enterprise network (e.g., one of 512 or 530). Initially, it is not known whether the mobile communication device 504 is coupled to the same enterprise network as the enterprise network associated with the particular secure second perimeter of the computing device 502.
The first enterprise network 512 may include one or more servers, such as an enterprise device server 514 and an enterprise mobile server 516. An enterprise device server may refer to an administrative server that provides enterprise management of at least an enterprise perimeter on a computing device. An enterprise mobile server may refer to a mobile data gateway that provides enterprise services to mobile communication devices. First enterprise network 512 may also include one or more web services, such as Company A application server 518 and Enterprise Management Administration Service (EMAS) 520. Other servers or services may also be included.
The second enterprise network 530 may include an enterprise mobile server 532 and a Company B application server 534. In the present disclosure, application servers (such as Company A application server 518 and Company B application server 534) may be any type of server or application maintained within an enterprise network. Examples of application servers may include email servers, mail gateways, file sharing servers, intranet website servers, data storage systems, and so forth.
The mobile communication device 504 may include an enterprise proxy 522, which may be associated with enterprise mobile server 516 or enterprise mobile server 532. In one example, the enterprise proxy 522 may be hardware and/or software that interfaces with an enterprise mobile server, such as enterprise mobile server 516 or enterprise mobile server 532. Typically, the mobile communication device 504 will also be associated with an enterprise mobile server. However, when computing device 502 first establishes a pairing or tether with mobile communication device 504, bridge manager 590 does not know whether enterprise proxy 522 is connected to an enterprise mobile server in the same enterprise network 512 as enterprise device server 514 (such as enterprise mobile server 516) or to a different enterprise mobile server 532 in a different enterprise network 530. The mobile communication device 504 may include a personal information management application 524, a connection broker 526, and other applications not shown.
The first computing device 502 includes a first perimeter 550 and a second perimeter 554. Services and systems within the first and second perimeters 550, 554 may be connected to one or more network resources via ports and interfaces, such as Wi-Fi 556, tether 558, or any other suitable interface. As shown in fig. 5, these security perimeters may correspond to personal and enterprise perimeters, but this is just one example of security perimeters that may be used in the first computing device 502. In fact, fewer, more, or different security perimeters may be used.
The first perimeter 550 (which may be a personal security perimeter) may include one or more applications 560, and the one or more applications 560 may utilize a network connection, such as may be provided via ports 562, 563 located within the personal security perimeter 550. The first port 562 may access a public network (e.g., the internet) via one of any number of connections, including a WLAN network, a wired network, or even using a connection proxy of a mobile communication device as described in fig. 2A, 2B.
As shown in fig. 5, the second perimeter 554 (which may be an enterprise security perimeter) may include applications such as a personal information management application 570 and an enterprise management application 572. Other applications (not shown) may also be included. The second perimeter 554 can also include a VPN 574 connected to one or more ports 576, 578, 580. The ports may be controlled (e.g., enabled/disabled, exposed/hidden, configured/deactivated) by the bridge manager 590.
Applications in the second perimeter 554 may utilize a connection to the enterprise device server 514 via a port 576, the port 576 communicating with the enterprise device server 514 via one of any number of connections, such as a Wi-Fi interface, a WLAN network, a wired network, a public network, a connection proxy provided by a tethered mobile communication device, or any other suitable connection. The port 576 could potentially be associated with a security certificate (e.g., SSL), a Virtual Private Network (VPN) 574, or another type of encryption to provide private communications between the enterprise security perimeter 554 and the enterprise device server 514. Applications 570, 572 may optionally utilize network connectivity provided by the mobile communication device 504 via port 578 or port 580 and the tether interface 558. Ports 562, 563, 576, 578, 580 may be implemented using one or more agents or any other suitable software, hardware, or combination of software and hardware.
As shown in fig. 5, the second perimeter 554 may connect to the enterprise device server 514 through the VPN 574, port 576, and the Wi-Fi interface 556. When the first computing device 502 is paired or connected with the mobile communication device 504 (e.g., by a tether using Bluetooth, a wired connection, etc.), the first computing device 502 may utilize some or all of the network resources provided by the mobile communication device 504. When initially paired, the port 578 in the second perimeter 554 may be enabled by the bridge manager 590. However, port 578 is only allowed to obtain connectivity to the public network 592 using the connection broker 526 of the mobile communication device 504. If the computing device 502 determines that the mobile communication device 504 is connected to the same enterprise network 512 associated with the second perimeter (e.g., enterprise device server 514), the bridge manager 590 of the computing device 502 may allow the enterprise perimeter 554 to access the enterprise proxy 522 of the mobile communication device via port 580 and tether 558.
Fig. 6 is a flow diagram illustrating an example method 600 that may be used by the first computing device 502 of fig. 5 to determine whether a network connection provided by the mobile communication device 504 should be associated with a second security perimeter (e.g., enterprise security perimeter 554). The method described in connection with fig. 6 may be implemented using software, hardware, or any combination thereof. In one example, instructions executable by a processor to implement the method of fig. 6 may be stored on a computer-readable medium (such as a memory), which may be tangible. In one alternative, the instructions may be hard-coded into a processor or other hardware. As shown in fig. 6, the first computing device 502 establishes a pairing (e.g., tether) with the mobile communication device 504 (block 605). The first computing device 502 requests enterprise authentication to determine whether the enterprise associated with the first computing device 502 is the same as the enterprise to which the mobile communication device 504 is communicatively coupled (block 610). The first computing device 502 attempts to establish communication with its associated enterprise over a network connection provided by the tethered mobile communication device 504 (block 615). If a connection is established (block 620), the connection is associated with the enterprise with which the first computing device 502 is associated, and thus a port (e.g., port 580) may be established or available to the tethered mobile communication device 504 within the enterprise security perimeter 554 (block 625). The port would allow access via the mobile communication device 504 using, for example, a tether 558 or any other suitable connection. 
Alternatively, if a connection cannot be established (block 620), the enterprise with which the first computing device 502 and the mobile communication device 504 are associated is not the same, and thus only ports (e.g., port 578) that provide an interface to the connection broker 526 will be established within the enterprise perimeter 554. Optionally, a new perimeter may be established on the computing device and the new perimeter may be configured with another port associated with the enterprise to which the mobile communication device is connected (block 630).
Fig. 7 illustrates the example communication system of fig. 5 operating in accordance with the flowchart of fig. 6 to determine whether the connection provided by association with the mobile communication device 504 should be associated with the enterprise security perimeter 554 of the first computing device 502. In the example of fig. 7, the mobile communication device 504 is paired with the first computing device 502 using a communication channel (such as a tethered connection). The communication channel may be managed by the bridge manager 590 within the first computing device 502. Although the bridge manager 590 may be implemented using software, the bridge manager 590 may be implemented using hardware, software, firmware, or any suitable combination thereof. Over the communication channel, a plurality of sessions may be established, including at least a first session (reference numeral 702) linked to the enterprise proxy 522 of the mobile communication device 504. The first session has an associated socket (not shown) related to enterprise proxy 522. The bridge manager 590 controls the use of the associated sockets within the perimeter and exposes the associated sockets in the form of "ports" as described herein.
After the communication channel is established, the bridge manager 590 enables limited use of the port 708 (reference numeral 710). The limited use of the port 708 is governed by security rules enforced by the bridge manager 590 (and optionally also by rules at the mobile communication device 504) such that the limited use of the port 708 provides only restricted connectivity for the second perimeter 554. In particular, the limited use of port 708 provides only a connection for enterprise management application 572 to attempt to communicate with enterprise management administration service 520. After establishing limited use of port 708, bridge manager 590 requests (reference numeral 711) enterprise management application 572 to attempt to establish communication with enterprise management administration service 520 at enterprise network 512 associated with second perimeter 554. The limited use of the port 708 enables communications to be passed from the enterprise management application 572 through the enterprise proxy 522 of the mobile communication device 504. Enterprise management application 572 uses the limited-use port 708 in attempting to establish a connection (reference numeral 712), such as an SSL connection, to enterprise management administration service 520 through enterprise proxy 522 of mobile communication device 504 and enterprise mobile server 516. If enterprise management application 572 is capable of interfacing with enterprise management administration service 520 through enterprise mobile server 516, first computing device 502 (managed by the enterprise providing enterprise management administration service 520) must be associated with first enterprise network 512 with which mobile communication device 504 is also associated.
Enterprise management application 572 reports (reference numeral 714) to bridge manager 590 whether a connection to enterprise management administration service 520 exists and, if such a connection does exist, makes port 708 available to the rest of the applications within enterprise security perimeter 554.
Although the test described above tests the connection between enterprise management administration service 520 and enterprise mobile server 516, other tests are possible. For example, any test that verifies that enterprise management administration service 520 is part of the same network as enterprise mobile server 516 may be used. Fig. 8 shows the system of fig. 7 after the process of fig. 6 has been performed and it has been determined that both the first computing device 502 and the mobile communication device 504 are associated with the first enterprise network 512. As shown in fig. 8, the personal information management application 570 and the enterprise management application 572 both have access to port 576, port 578, and port 580 (which may be the same port as the limited-use port 708 that was originally provided). In addition, enterprise device server 514 and enterprise mobile server 516 both have access to Company A application server 518 and enterprise management administration service 520.
While the foregoing examples describe a pairing between the first computing device 502 and the mobile communication device 504 (where both the first computing device 502 and the mobile communication device 504 are associated with the first enterprise network 512), situations may arise where the mobile communication device 504 is not associated with the first enterprise network 512. As shown, the mobile communication device 504 may not be associated with the first enterprise network 512, but may be associated with the second enterprise network 530.
Fig. 9 illustrates the example communication system of fig. 5 operating in accordance with the flowchart of fig. 6 to determine whether a virtual interface of a network connection provided by the mobile communication device 504 should be associated with the enterprise security perimeter 554. As shown in fig. 9, a mobile communication device 504 can be communicatively coupled with a first computing device 502. This pairing may be performed using software, such as bridge manager 590 of first computing device 502.
After pairing is performed, the bridge manager 590 establishes (reference numeral 904) limited use of the port 708 as described in fig. 8. The bridge manager 590 then requests (reference numeral 906) the enterprise management application 572 to attempt to establish communication with the enterprise associated with the first computing device 502. Enterprise management application 572 attempts to establish a connection (reference numeral 908), such as an SSL connection, to enterprise management administration service 520 through port 708 (and through enterprise proxy 522 of mobile communication device 504 and through enterprise mobile server 532). Enterprise management application 572 will not be able to connect with enterprise management administration service 520 through enterprise mobile server 532 because enterprise mobile server 532 and enterprise management administration service 520 are within different enterprise networks 512, 530. Enterprise management application 572 reports (reference numeral 910) to bridge manager 590 that no connection to enterprise management administration service 520 exists and, because such a connection does not exist, port 708 is not made available to enterprise security perimeter 554. The first computing device 502 is still bridged (tethered) to the mobile device 504, but it is associated only with the connection broker 526 of the mobile communication device 504. Thus, the enterprise security perimeter 554 may use the port 578 to gain public network access, but may not use the enterprise proxy 522 of the mobile communication device 504.
Fig. 10 illustrates the system of fig. 5 after the process of fig. 6 has been performed and it has been determined that the first computing device 502 and the mobile communication device 504 are not both associated with the first enterprise network 512. As shown in fig. 10, the personal information management application 570 has access to a port 578 within the enterprise security perimeter 554.
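The decision loop of method 400 and method 600, as played out in figs. 7 and 9, can be expressed as a small policy simulation. The following is an added example written for this page, not code from the patent or its applicant: a bridge manager opens the proxy-facing port in a restricted state in which only the enterprise management application may use it, lets that application probe the enterprise management administration service through the tethered device's enterprise proxy, and only on success opens the port to the rest of the enterprise perimeter; on failure the perimeter keeps public access through the connection broker only. The hostnames, the port and application names (`port_708_proxy`, `port_578_broker`, `enterprise_management_app`, `pim_app`), and the set-membership model of what a proxy can reach are all constructed for the example.

```python
"""Policy simulation of bridge manager 590 deciding whether the enterprise
perimeter may use the tethered device's enterprise proxy.

Added example, not code from the patent. Hostnames, port names, application
names and the set-membership model of reachability are all constructed."""
from dataclasses import dataclass, field
from enum import Enum


class PortState(Enum):
    CLOSED = "closed"          # socket exists but is hidden from the perimeter
    RESTRICTED = "restricted"  # only the enterprise management app may use it
    OPEN = "open"              # any application in the perimeter may use it


@dataclass
class EnterpriseNetwork:
    name: str
    services: set  # constructed: hostnames reachable from inside this network


@dataclass
class MobileDevice:
    """Tethered mobile device offering two sessions: a connection broker for
    the public network and an enterprise proxy bound to one enterprise."""
    proxy_network: EnterpriseNetwork

    def enterprise_proxy_connect(self, host):
        # Attempt the connection on the tethered device's behalf and report the
        # result; the proxy reaches only the network its mobile server is in.
        return host in self.proxy_network.services

    def connection_broker_connect(self, host):
        # Public reachability; constructed rule: ".corp" hosts are internal only.
        return not host.endswith(".corp")


@dataclass
class BridgeManager:
    """Arbitrates which ports of the enterprise perimeter may use which
    session of the communication channel."""
    emas_host: str  # management service of the enterprise managing this device
    ports: dict = field(default_factory=lambda: {
        "port_578_broker": PortState.OPEN,   # public network via connection broker
        "port_708_proxy": PortState.CLOSED,  # session to the enterprise proxy
    })
    audit: list = field(default_factory=list)

    def may_use(self, port, app):
        """Per-port security rule: a restricted port admits only the probing app."""
        state = self.ports[port]
        if state is PortState.OPEN:
            return True
        if state is PortState.RESTRICTED:
            return app == "enterprise_management_app"
        return False

    def send(self, mobile, port, app, host):
        """Forward a perimeter application's request over the tether if allowed."""
        if not self.may_use(port, app):
            self.audit.append(f"denied {app} on {port} ({self.ports[port].value})")
            return False
        if port == "port_708_proxy":
            return mobile.enterprise_proxy_connect(host)
        return mobile.connection_broker_connect(host)

    def pair_and_verify(self, mobile):
        """Method 600: open the proxy port in restricted mode, let the enterprise
        management application probe the management service, then decide."""
        self.ports["port_708_proxy"] = PortState.RESTRICTED
        reached = self.send(mobile, "port_708_proxy",
                            "enterprise_management_app", self.emas_host)
        # Success shows both devices belong to the same enterprise; failure
        # leaves the perimeter with public access through the broker only.
        self.ports["port_708_proxy"] = PortState.OPEN if reached else PortState.CLOSED
        self.audit.append(f"management service reachable via proxy: {reached}")
        return reached


def demo(same_enterprise):
    """Run the pairing flow for fig. 7 (same enterprise) or fig. 9 (different)."""
    company_a = EnterpriseNetwork("A", {"emas.company-a.corp", "mail.company-a.corp"})
    company_b = EnterpriseNetwork("B", {"mail.company-b.corp"})
    mobile = MobileDevice(company_a if same_enterprise else company_b)
    bm = BridgeManager(emas_host="emas.company-a.corp")
    bm.pair_and_verify(mobile)
    # A PIM application in the enterprise perimeter then tries both sessions.
    pim_via_proxy = bm.send(mobile, "port_708_proxy", "pim_app", "mail.company-a.corp")
    pim_via_broker = bm.send(mobile, "port_578_broker", "pim_app", "www.example.org")
    return bm.ports["port_708_proxy"], pim_via_proxy, pim_via_broker


if __name__ == "__main__":
    for same in (True, False):
        print("same enterprise" if same else "different enterprise", demo(same))
```

The point of the restricted state is that, until the probe succeeds, no application other than the management application can send anything through an enterprise proxy whose affiliation is still unknown; the `audit` list records every denial so the decision is reviewable afterwards.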
Although the bridge manager 590 is shown as operating within the first computing device 502, the bridge manager 590 may also operate partially or fully within the mobile communication device 504. For example, the bridge manager 590 may be located within the mobile communication device 504 and may control the ports 562, 563, 576, 578, and 580 via a tethered connection to the first computing device 502. According to this example, enterprise proxy 522 can be controlled to provide services to port 708 only if the request from port 708 is a request made by enterprise management application 572. In another example, the bridge manager 590 may operate partially or wholly within another entity on the network. For example, an enterprise mobile server or enterprise device server may host bridge manager 590.
Alternatively, since the bridge manager 590 may arbitrate access to the enterprise proxy 522 of the mobile communication device 504, the bridge manager 590 may cause the creation of a (new) third perimeter 1001 that includes the port 1002.
Various embodiments of the present invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the scope of the invention as set forth in the claims.
Claims (16)
1. A method in a computing device, the method comprising:
establishing a communication channel with a mobile communication device;
establishing one or more communication sessions over the communication channel, including at least a first communication session associated with an enterprise proxy of the mobile communication device;
attempting to establish a connection with a service at an enterprise network via the first communication session; and
selectively providing access privileges to a first security perimeter of the computing device, the access privileges allowing applications of the first security perimeter to communicate further with the first communication session, the selective providing of the access privileges based on whether the attempted connection with the service at the enterprise network has been established by the first communication session.
2. The method of claim 1, wherein the communication channel comprises a tethered communication channel.
3. The method of claim 1, further comprising:
providing restricted access privileges to the first security perimeter to utilize the first communication session.
4. The method of claim 3, wherein providing restricted access privileges includes enabling virtual communication ports associated with an enterprise perimeter.
5. The method of claim 3, wherein the attempted connection is attempted by an enterprise management application in the first security perimeter that attempts a connection via the first communication session using the restricted access privilege, the method further comprising: when the attempted connection is established with a service at an enterprise network via restricted access privileges of the first communication session, access privileges to the first communication session are enabled for other applications in the first security perimeter.
6. The method of claim 1, wherein the application at the enterprise network comprises an enterprise management application.
7. The method of claim 1, wherein attempting to communicate with the enterprise network comprises: an enterprise proxy at the mobile communication device is used.
8. The method of claim 1, wherein attempting to communicate with the enterprise network comprises: requesting the application to attempt to communicate with the enterprise network, and the application being in the first security perimeter.
9. The method of claim 1, wherein the service at the enterprise network comprises an enterprise administrative service.
10. The method of claim 1, further comprising: disabling the first communication session when the attempted connection with the service at the enterprise network is not established.
11. The method of claim 10, further comprising:
establishing a second communication session over the communication channel, the second communication session not associated with the enterprise proxy.
12. A first computing device, comprising:
a network interface configured to establish a communication channel with a mobile communication device;
a perimeter manager configured to manage at least one security perimeter established on the first computing device, the security perimeter having associated applications and security policies; and
a bridge manager configured to establish a communication socket in the security perimeter, the communication socket associated with a first communication session on the communication channel with the mobile communication device,
wherein the bridge manager selectively enables or disables the communication sockets in the security perimeter based on whether an enterprise management application is able to establish a connection to a service at an enterprise network via the first communication session.
13. The first computing device of claim 12, wherein the first communication session is established to an enterprise proxy on the mobile communication device.
14. The first computing device of claim 12, wherein the network interface is a wireless communication interface.
15. The first computing device of claim 12, wherein the computing device is a tablet computer.
16. A method in a mobile communication device, the method comprising:
establishing a communication channel with a computing device;
establishing one or more communication sessions over the communication channel, including at least a first communication session associated with an enterprise proxy of the mobile communication device, the enterprise proxy communicatively coupled to an enterprise network;
receiving, from the computing device, a request to establish a connection with a service at the enterprise network via the first communication session; and
attempting to establish a connection with the service at the enterprise network on behalf of the computing device; and
providing information regarding the attempted communication to the computing device.
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US201261600902P | 2012-02-20 | 2012-02-20 | |
| US61/600,902 | 2012-02-20 | | |
| US13/563,447 | 2012-07-31 | | |
| US13/563,447 US9015809B2 (en) | 2012-02-20 | 2012-07-31 | Establishing connectivity between an enterprise security perimeter of a device and an enterprise |
| PCT/CA2013/050128 WO2013123596A1 (en) | 2012-02-20 | 2013-02-19 | Establishing connectivity between an enterprise security perimeter of a device and an enterprise |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1205405A1 HK1205405A1 (en) | 2015-12-11 |
| HK1205405B true HK1205405B (en) | 2019-06-21 |