US20180352003A1 - Network Access Control with Compliance Policy Check - Google Patents
- Publication number: US20180352003A1
- Authority: US (United States)
- Prior art keywords: user device, check result, compliance, compliance check, authentication application
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Abandoned
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security:
  - H04L63/20—for managing network security; network security policies in general
  - H04L63/08—for authentication of entities; H04L63/0823—using certificates
  - H04L63/10—for controlling access to devices or network resources
  - H04L63/04—for providing a confidential data exchange among entities communicating through data packet networks; H04L63/0428—wherein the data content is protected, e.g. by encrypting or encapsulating the payload
  - H04L63/14—for detecting or protecting against malicious traffic; H04L63/1408—by monitoring network traffic; H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- Network access control (NAC) is also called network admission control.
- NAC: Network access control
- SAAS: Software-as-a-Service
- An NAC server performs authentication and authorization functions for the user devices of potential subscribers by verifying login information, e.g., username and password, when the user devices attempt to log in to the proprietary network, e.g., through the Internet.
- The NAC server may restrict the data that each particular user or user device can access and may implement anti-threat applications such as firewalls, antivirus software, and spyware-detection programs.
- The NAC server may also regulate and restrict the actions that individual subscribers can perform within the proprietary network once they are logged in.
- Entities that manage network access with NAC include corporations, agencies, and other entities that require the user environment to be rigidly controlled.
- Security issues still arise with respect to NAC systems in proprietary networks with large numbers of users and many different, frequently changing devices that may be used to access the proprietary network.
- An example is a proprietary network for a large university with multiple departments, numerous access points, and thousands of users with various backgrounds and objectives.
- Some embodiments of the present invention involve a method in which an authentication application receives a request from a user device to access a software-as-a-service server; retrieves a compliance check result generated by a network access control server based on 1) compliance data collected by a client application on the user device, and 2) a security policy for the software-as-a-service server; grants access by the user device to the software-as-a-service server when the compliance check result is positive; and denies access by the user device to the software-as-a-service server when the compliance check result is negative.
- A web browser cookie or a client certificate is used to convey to the authentication application the compliance check result or a user device identifier.
- Some embodiments of the present invention involve a method in which a client application on a user device collects compliance data on the user device; and sends the compliance data to a network access control server for the network access control server to generate a compliance check result based on the compliance data and a security policy for a software-as-a-service server, wherein the compliance check result is for use by an authentication application to grant access by the user device to the software-as-a-service server when the compliance check result is positive and to deny access by the user device to the software-as-a-service server when the compliance check result is negative.
- A web browser cookie or a client certificate is used to convey to the authentication application the compliance check result or a user device identifier.
- Some embodiments of the present invention involve a method and system including a network access control server, an authentication application running on a software-as-a-service server, and a device application running on a user device.
- The device application collects compliance data regarding the user device and communicates the compliance data to the network access control server.
- The network access control server generates and stores a compliance check result based on whether the compliance data indicates that the user device is compliant with a security policy for the software-as-a-service server.
- The client application stores a user device identifier in a client certificate on the user device.
- The authentication application requests the client certificate during a login procedure, reads the user device identifier, and requests the compliance check result from the network access control server.
- The authentication application grants access by the user device when the compliance check result is positive, and denies access by the user device when the compliance check result is negative.
- The authentication application requests the compliance data from the network access control server.
- The authentication application may grant or deny access by the user device based on both the compliance check result and the compliance data.
- An authentication server generates a secure session ID when the user device attempts to log in to the software-as-a-service server and the compliance check result is positive.
- The authentication application grants access by the user device based on the secure session ID.
- The compliance data includes hardware, software, and configuration data of the user device.
- The compliance data may include an encryption state of the user device, a malware infection state of the user device, and/or whether an unwanted application is present on the user device.
- FIG. 1 is a simplified schematic diagram of an example network computerized system incorporating an embodiment of the present invention.
- FIG. 2 is a simplified flowchart of a compliance check process for a user device used in the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 3 is a simplified flowchart of an authentication process for a user device within the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 4 is a simplified schematic diagram of another example network computerized system incorporating an embodiment of the present invention.
- FIG. 5 is a simplified schematic diagram of a network access control (NAC) server for use in the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 6 is a simplified schematic diagram of an SAAS server for use in the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 7 is a simplified schematic diagram of a user device for use in the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- The network computerized system 100 generally includes one or more network access control (NAC) servers 101, one or more Software-as-a-Service (SAAS) servers 102, and one or more user devices 103.
- The NAC server 101, the SAAS server 102, and the user device 103 generally communicate with each other via a network 104, such as the Internet, a cloud-based network, a wide area network (WAN), etc.
- The SAAS server 102 generally provides services to user devices (e.g., 103) that have been granted access after having been properly authenticated as being compliant with a compliance security policy that is customized for the requirements of the SAAS server 102.
- The compliance check and authentication procedures enable a relatively high level of security for the user devices 103 that access the SAAS server 102, without the SAAS server 102 having to place any additional information on the user devices 103 that would assist the SAAS server 102 in authenticating the user devices 103.
- This level of security may be in addition to a typical username/password login procedure for the user devices 103.
- Embodiments of the present invention may be used on almost any operating system or hardware platform and with almost any available web browser, e.g., Internet Explorer (IE), Firefox, Chrome, Safari, Opera, etc.
- The compliance check procedure injects the results of the compliance check (and/or any other information needed for authenticating the user device 103) into a web browser cookie stored in some or all of the web browsers on the user device 103.
- The SAAS server 102 (or an authentication application) can request the cookie in order to perform the authentication procedure when the user device 103 attempts to access the SAAS server 102 through one of the web browsers.
- Some other access control solutions typically include perimeter firewalls, intrusion detection and prevention, anti-malware, physical isolation, and perhaps some additional baseline security mechanisms.
- These techniques require continuous monitoring of authentication, access, and activity on sensitive data, which is extremely difficult to maintain.
- In the present system, access control is generally handled directly by the SAAS server 102, or an authentication component thereof, without additional appliances or a proxy service.
- Embodiments of the present invention therefore generally enable authentication techniques that do not require such continuous monitoring.
- Some additional components present in a conventional system may be eliminated, thereby reducing maintenance requirements as well as opportunities to bypass security controls.
- An endpoint client application 105 running on the user device 103 scans the user device 103 and collects data on the hardware, software, and configuration of the user device 103.
- The endpoint client application 105 may use low-level drivers, a high-level registry, and/or software inspection to collect some of this data.
- This data may be referred to as "health data," since much of the data generally relates to the fitness of the user device 103 for accessing the services of the SAAS server 102.
- This data may also be referred to as "compliance data," since the data is generally used to determine whether the user device 103 is properly compliant with a security or compliance policy for accessing the services of the SAAS server 102.
- The compliance data and identity data (or a user device identifier generated by the user device 103 or the NAC server 101) for the user device 103 are sent to the NAC server 101.
- The NAC server 101 may manage the security policies for the SAAS servers 102, host a device information database, and receive the compliance data from the user devices 103.
- The NAC server 101 generally uses the compliance data and the identity data to generate a "compliance check result" that indicates whether the user device 103 is compliant with the security policy for the SAAS server 102.
- An authentication application 106 running on the SAAS server 102 manages the user authentication process by using the compliance check result (among other appropriate information) to determine whether to grant or deny access. If the user device 103 is supposed to be able to access more than one SAAS server 102, each potentially having a different security policy, then the NAC server 101 generates a compliance check result for each such SAAS server 102.
- The compliance data collected by the user device 103 generally includes information related to an encryption state of data stored on the user device 103, the potential for a malware infection in the user device 103, the presence of potentially unwanted or undesirable applications on the user device 103, and/or unwanted hardware, among other potential types of data.
- These types of data generally relate to the potential for a breach of security or a corruption, loss, or theft of the data that the user device 103 may receive from the SAAS server 102, or to malicious files that the user device 103 may send to the SAAS server 102.
- The compliance check result may indicate whether the user device 103 passes or fails compliance with the security policy on one or more grounds.
- In some embodiments, the compliance check result is a mere pass/fail flag, causing the authentication application 106 to either grant or deny access to the SAAS server 102 for the user device 103.
- In other embodiments, the compliance check result may include additional information or compliance details, e.g., the specific grounds for failure, a pass/fail flag for each individual component of the compliance data, the running state of some applications, anti-malware definition state information, etc.
- With such details, the authentication application 106 can provide more than a simple grant or deny response to an attempt by the user device 103 to log in to the SAAS server 102.
- The authentication application 106 may provide different levels of access to the SAAS server 102 for the user devices 103, or may provide different alerts or reports to an administrator regarding attempts to access the SAAS server 102, based on the information in the compliance check result.
- In some embodiments, the authentication application 106 uses the identity data for the user device 103 to query the NAC server 101 to obtain the compliance data and make an access grant/deny decision according to the actual device status, e.g., by performing the compliance check in the authentication application 106 instead of in the NAC server 101.
- In that case, the compliance security policy is defined and managed on the SAAS server 102, while the device inspection and identification is still performed by the endpoint client application 105.
- The endpoint client application 105 has access to "settings" information for the user device 103. With this capability, the endpoint client application 105 can determine various information about the user device 103. For example, the endpoint client application 105 may be able to determine whether or not the user device 103 is set up to require a system password to be entered upon booting the user device 103 or bringing the user device 103 out of a standby/hibernation or screensaver mode.
- The system password may prevent unauthorized use of the user device 103 when the user device 103 is lost, stolen, or borrowed, so the security policy for the SAAS server 102 may require use of the system password in order to reduce the likelihood of unauthorized use of the user device 103 to access the SAAS server 102.
- The endpoint client application 105 may thus include information in the compliance data that indicates whether the system password feature of the user device 103 is enabled. In this manner, if the compliance data indicates that the user device 103 is not set up to use the system password, then the compliance check result may indicate a failure to meet the security policy, and the authentication application 106 may deny access to the SAAS server 102 for the user device 103.
- The vendor responsible for the SAAS server 102 may require that some or all of the data maintained by the SAAS server 102 be encrypted when stored on a storage device, e.g., for privacy, business, or regulatory reasons.
- The encryption state of the user device 103 is relevant to the SAAS vendor, because all users who download the data or access the services from the SAAS server 102 may also be required to maintain the data in an appropriate encryption state. In this manner, the data can be protected from theft or viewing by an unauthorized party even after it has been downloaded from the SAAS server 102 to the user device 103, because the data still cannot be accessed without a decryption key.
- The endpoint client application 105 may determine whether the user device 103 includes and uses appropriate encryption software. For this purpose, the endpoint client application 105 may be able to detect the presence of a variety of different security applications in a variety of different security categories. The endpoint client application 105 may detect whether such security products are both installed and enabled in the user device 103. The endpoint client application 105 may further detect whether such security products are properly configured to adequately protect the user device 103. Alternatively, the endpoint client application 105 may simply determine whether data stored on the user device 103 is encrypted. Additionally, the endpoint client application 105 may determine how well the user device 103 encrypts data (i.e.
- The compliance data transmitted by the endpoint client application 105 to the NAC server 101 may include information indicative of the presence/absence of encryption software on the user device 103, the specific encryption software used by the user device 103, whether an encryption product is installed in the user device 103 but not enabled, whether an encryption product is enabled only for some volumes but not for other volumes in the user device 103, the encryption state of data stored in the user device 103, and/or some other indicia indicative of encryption in the user device 103.
- The encryption-related information may then be used by the NAC server 101 to generate at least part of the compliance check result.
- The NAC server 101 compares the encryption-related information to the security policy for the SAAS server 102 and sets one or more indicia in the compliance check result related to encryption in the user device 103.
- In some embodiments, the lack of proper encryption may be a complete bar to the authentication application 106 granting access to the data or services in the SAAS server 102 for the user device 103, so the compliance check result may include a simple pass/fail indicium for the encryption state of the user device 103.
- In other embodiments, the authentication application 106 may grant limited access to data or services on the SAAS server 102 for the user device 103 when the compliance check result indicates a lack of proper encryption on the user device 103.
- A more detailed compliance check result may indicate a level of encryption (e.g., a no/low/medium/high indicium) on the user device 103, and the authentication application 106 may set a level of access for the user device 103 that depends on the level of encryption.
- Access to some data or services in the SAAS server 102 may require one set of encryption indicia to indicate "pass," and access to other data or services in the SAAS server 102 may require a different set of encryption indicia to indicate "pass."
- The vendor responsible for the SAAS server 102 may require that the user devices 103 that access the SAAS server 102 have adequate protection against computer viruses and other malware.
- The endpoint client application 105 can generally detect the presence of a variety of different antivirus products on the user device 103, and the compliance data collected by the endpoint client application 105 may indicate the presence or absence of such products.
- The vendor may consider certain antivirus products to provide inadequate protection.
- The compliance data may therefore indicate the specific antivirus products that are installed and activated in the user device 103.
- The vendor may consider some antivirus products to be inadequate unless certain features of the antivirus products are enabled or set in a particular manner.
- The endpoint client application 105 may be further capable of querying the antivirus products to determine their settings.
- The compliance data may further indicate these settings.
- The vendor may consider user devices 103 that are attacked too often by malware to be too great a risk to access the SAAS server 102.
- The endpoint client application 105 may be capable of querying the antivirus products to determine how often the user device 103 has experienced a malware attack or infection in any given period of time.
- The compliance data may further indicate this information.
- The NAC server 101 may include in the compliance check result a simple pass/fail indicium indicative of whether the user device 103 has adequate malware protection.
- A more detailed compliance check result may include information for one or more of the different types of malware-related compliance data described above.
- The authentication application 106 may then deny access to the SAAS server 102 for user devices 103 whose compliance check result indicates a failure to comply with the anti-malware criteria of the security policy.
- Alternatively, the authentication application 106 may grant limited access when the compliance check result indicates that the user device 103 passes some of the malware-related criteria of the security policy, but fails to meet other (potentially minor) criteria.
- In some embodiments, the NAC server 101 may have several different antivirus products in operation.
- In that case, the endpoint client application 105 may forward suspect programs, portions of suspect programs, or data generated from suspect programs (e.g., hash data) to the NAC server 101.
- The NAC server 101 can then analyze this information with the various antivirus products to determine whether the user device 103 has a malware infection and, optionally, the potential severity of the infection.
- The NAC server 101 may then inform the endpoint client application 105 that the user device 103 has a malware infection (and optionally the nature or severity of the infection) and/or may include this information in the compliance check result.
- The authentication application 106 may then grant or deny access (or grant limited access) to the SAAS server 102 for the user device 103.
- The vendor responsible for the SAAS server 102 may require that the user devices 103 that access the SAAS server 102 not have certain unwanted or undesirable applications or unusual, suspect, risky, or vulnerable hardware components. These applications may not necessarily be malware, but simply applications whose normal operations may compromise the security of the data or services of the SAAS server 102 or the performance of the user device 103. Such applications may provide a "back door" for unregulated or uncontrolled access to data from the SAAS server 102 by unauthorized people. For example, a backup or sync application may be able to read data stored on the user device 103 and back it up or sync it to a network or cloud storage facility. If the data is encrypted, then the security risk may be minimal.
- Otherwise, decrypted data may be uploaded to potentially unsecure storage facilities.
- Some unwanted hardware components may not necessarily be a security problem.
- For example, an unusual hardware component may simply be a component that is unidentifiable, so it is unknown whether there is an actual security problem with this component.
- A hardware component may be suspect if it is identified as an ordinary, but unnecessary, component.
- For example, keyboards are typically ordinary components commonly connected to the user devices 103, but a second keyboard detected as being connected to the user device 103 may be suspect, because it is unnecessary and could actually be a type of malware called "Bad USB."
- A web camera, microphone, or other enabled I/O device in the user device 103 may be risky, since these devices may be used to acquire information about the user device 103.
- Hardware components that are known to be vulnerable, or outdated hardware that could potentially have become vulnerable, may represent a security issue. Therefore, to be safe, it may be preferable in some embodiments to deny access to user devices 103 that have any detected unusual, suspect, risky, or vulnerable hardware components.
- The endpoint client application 105 may be capable of detecting the presence of such applications or hardware that are known to present a potential security risk or that are unidentifiable.
- The collected compliance data, therefore, may include an indication of the presence of such applications or hardware and/or the identity of these applications or hardware.
- The compliance check result may provide this information to the authentication application 106. Then the authentication application 106 may deny access to the SAAS server 102 for the user device 103, or may alert the user device 103 that the identified applications or hardware must be disabled, uninstalled, or removed before access can be granted.
- Each of the various types of information described herein may be collected into the compliance data by the endpoint client application 105 and sent to the NAC server 101 for analysis with regard to the security policy for the SAAS server 102.
- The NAC server 101 may then generate the compliance check result based on this compliance data, so the authentication application 106 is able to determine whether to grant or deny access to the SAAS server 102 by the user device 103.
- The endpoint client application 105 may update the compliance data.
- The updated compliance data may then be used by the NAC server 101 to update the compliance check result.
- The updates may occur on demand (e.g., at the request of a user of the user device 103) or at regular time intervals (e.g., every few minutes, hours, or days).
- The endpoint client application 105 may also initiate a compliance data update upon detecting a change in the hardware, software, or configuration of the user device 103.
- The authentication application 106 may be capable of detecting an expired compliance check result, e.g., if the compliance check result contains an expiration time stamp (or creation/modification date) and the security policy sets a maximum time between compliance data updates. In this case, if the compliance check result is too old, the authentication application 106 may deny access to the SAAS server 102 for the user device 103 until the compliance check result has been updated. Additionally, the update may be required to occur even if the compliance data has not changed, in order to reset the time stamp and ensure that the compliance check result is current. In general, an expiration time stamp may be set to be slightly later than the next expected scan or compliance data collection time, so that the endpoint client application 105 and the NAC server 101 have time to perform the update.
- The endpoint client application 105 may be installed or deployed in the user device 103 in any appropriate manner.
- For example, a user of the user device 103 may install and activate the endpoint client application 105 from an online download or a storage device (e.g., a CD, DVD, flash drive, etc.), or activate the endpoint client application 105 as a browser plugin or as a portable executable that does not require any installation.
- Alternatively, an administrator of the SAAS server 102 (or of a customer of the SAAS server 102) may install the endpoint client application 105 before the user is allowed to use the user device 103.
- In another alternative, the endpoint client application 105 may be automatically installed (optionally with user approval) in the user device 103 upon the first attempt by the user device 103 to access the SAAS server 102.
- The authentication application 106 may obtain the compliance check result in any appropriate manner.
- In some embodiments, the NAC server 101 may send the compliance check result to the endpoint client application 105, which may insert the compliance check result (and the identity data of the user device 103) into a web browser cookie and inject the cookie into the local database(s) of any web browsers installed in the user device 103.
- The authentication application 106 may then request the cookie from the web browser and thereby obtain the compliance check result.
- Alternatively, HTML5 local storage could be used to enable the authentication application 106 to obtain the compliance check result.
- In other embodiments, the NAC server 101 does not send the compliance check result to the endpoint client application 105.
- Instead, the NAC server 101 (or another network storage device) maintains the compliance check result, and the endpoint client application 105 stores the identity data for the user device 103 in the cookie.
- When the authentication application 106 detects an attempt to access the SAAS server 102 by the user device 103 (e.g., by the web browser on the user device 103), the authentication application 106 requests the cookie from the user device 103, or the web browser thereon, and thereby obtains the identity data for the user device 103.
- In still other embodiments, the endpoint client application 105 stores the identity data for the user device 103 in a client certificate on the user device 103. Then, when the authentication application 106 detects an attempt to access the SAAS server 102 by the user device 103, the authentication application 106 requests the client certificate from the user device 103 and thereby obtains the identity data for the user device 103.
- The client certificate is a digital certificate that typically contains a variety of information, such as a serial number, the entity identified by the client certificate, a signature, the entity that issued the client certificate, etc.
- The client certificate is conventionally used by a client device to make authenticated requests to a remote server in mutual authentication designs, for strong assurance of a requester's identity.
- In some embodiments, when the endpoint client application 105 is installed or run on the user device 103, it installs the (signed) client certificate in a "personal certificate store" or "keychain" on the user device 103. In some embodiments, when the endpoint client application 105 is uninstalled or exited on the user device 103, it removes the client certificate. The presence (or absence) of the client certificate, therefore, can be used to infer the presence (or absence) of the endpoint client application 105 on the user device 103, or vice versa, in some embodiments. The configuration needed to request and read the client certificate is different for different web servers.
- For example, when using Nginx (a type of web server), the web server is configured with an ssl_verify_client setting. The contents of the client certificate are then available to the web server as the variables $ssl_client_cert or $ssl_client_s_dn.
- Using the identity data, the authentication application 106 requests the compliance check result from the NAC server 101 (or other network storage device).
- In some embodiments, the authentication application 106 requests a simple pass/fail response from the NAC server 101, instead of a detailed compliance check result.
- Alternatively, the authentication application 106 may use the identity data in the cookie or client certificate to request the original compliance data from the NAC server 101. Then the authentication application 106, instead of the NAC server 101, may perform the compliance check and produce the compliance check result.
- The compliance check result is optionally encrypted to reduce the likelihood of tampering with the data therein. Without encryption, such tampering could make it possible for the user device 103 to improperly gain access to the SAAS server 102, or for the authentication application 106 to improperly deny the access.
- In some embodiments in which the NAC server 101 sends the compliance check result to the endpoint client application 105 for insertion in the web browser cookie or client certificate, the NAC server 101 encrypts the compliance check result before sending it to the endpoint client application 105.
- In other such embodiments, the NAC server 101 sends an encryption key along with the compliance check result, so the endpoint client application 105 can encrypt the compliance check result before inserting it into the cookie or client certificate.
- The encryption key may be specific to the SAAS server 102, so each user device 103 may receive the same encryption key for the same SAAS server 102.
- In other embodiments, the NAC server 101 encrypts the compliance check result before sending it to the authentication application 106.
- the NAC server 101 may encrypt the compliance data before sending it or provide the authentication application 106 with the encryption key with which to encrypt the compliance data.
- the authentication application 106 obtains a decryption key (specific for the SAAS server 102 and paired with the encryption key) from the NAC server 101 in order to decrypt the compliance check result.
- the authentication application 106 may receive the encrypted compliance check result in the cookie or client certificate from the user device 103 , but may send it to the NAC server 101 for decryption and receive back a simple pass/fail response from the NAC server 101 .
- the unencrypted compliance check results do not leave the NAC server 101 , so this embodiment may provide better security than those embodiments that do allow unencrypted compliance check results to leave the NAC server 101 .
- the authentication application 106 may determine that the compliance check result cannot be trusted or is insufficient to be the sole basis on which the authentication application 106 grants or denies access to the SAAS server 102 for the user device 103 .
- the compliance check result may provide only summary information or a simple uninformative pass/fail indicia for some components of the compliance data, or some portion of the compliance check result may have an incorrect format (an indication of possible tampering), or there may be some reason for suspecting that at least part of the compliance check result is in error.
- the authentication application 106 may request the most recent complete compliance data (or a portion thereof) from the NAC server 101 in order to make its own comparison with the requirements of the security policy. The access grant/deny decision can then be made based on the results of this comparison.
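The comparison of compliance data with a security policy, and the trust check the authentication application applies before relying on the result, can be made concrete. The following is an added example and not code from the patent or from any product it describes: a policy for one SAAS server, the NAC-side comparison that yields a compliance check result with per-component detail, and an authentication-application-side check that rejects a result whose format is wrong or whose summary flag disagrees with its detail, falling back to re-evaluating the original compliance data. The policy fields, the `format` version marker and all function names are assumptions; `fetch_compliance_data` stands in for the request to the NAC server.

```python
# Added example, not from the patent: one way a NAC server (ref. 101) might
# compare collected compliance data with the security policy for one SAAS
# server (ref. 102) and produce a compliance check result, and how the
# authentication application (ref. 106) might decide whether that result can
# be trusted before acting on it. All names, fields and values are assumptions.
from __future__ import annotations

# Constructed sample policy: each component of the compliance data maps to the
# value the policy requires, or to a minimum acceptable value.
SAAS_POLICY = {
    "disk_encryption": {"required": "enabled"},
    "malware_state": {"required": "clean"},
    "unwanted_apps": {"required": []},        # no unwanted application may be present
    "os_patch_level": {"min": 202401},        # constructed YYYYMM-style patch level
}

RESULT_FORMAT = 1   # format version an authentication application expects


def evaluate_policy(compliance_data: dict, policy: dict) -> dict:
    """NAC side: compare compliance data with the policy, component by component."""
    components = {}
    for name, rule in policy.items():
        observed = compliance_data.get(name)
        if observed is None:
            ok, reason = False, "component missing from compliance data"
        elif "required" in rule:
            ok = observed == rule["required"]
            reason = "" if ok else f"expected {rule['required']!r}, observed {observed!r}"
        else:
            ok = isinstance(observed, int) and observed >= rule["min"]
            reason = "" if ok else f"below minimum {rule['min']!r}: {observed!r}"
        components[name] = {"pass": ok, "reason": reason}
    return {
        "format": RESULT_FORMAT,
        "pass": all(c["pass"] for c in components.values()),
        "components": components,
    }


def result_is_trusted(result, policy: dict) -> bool:
    """Authentication-application side: reject a result whose format is wrong
    (possible tampering) or that lacks the per-component detail the policy covers."""
    if not isinstance(result, dict) or result.get("format") != RESULT_FORMAT:
        return False
    components = result.get("components")
    if not isinstance(components, dict) or set(components) != set(policy):
        return False
    if not all(isinstance(c, dict) and isinstance(c.get("pass"), bool) for c in components.values()):
        return False
    # The summary flag must agree with the per-component detail.
    return result.get("pass") == all(c["pass"] for c in components.values())


def decide_access(result, fetch_compliance_data, policy: dict) -> tuple[bool, str]:
    """Grant or deny. When the result cannot be trusted, fetch the most recent
    compliance data from the NAC server and redo the comparison locally.
    fetch_compliance_data is a callable standing in for the NAC request."""
    if result_is_trusted(result, policy):
        return bool(result["pass"]), "decided from compliance check result"
    fresh = evaluate_policy(fetch_compliance_data(), policy)
    return fresh["pass"], "re-evaluated from compliance data"
```

The trust check is deliberately structural: it cannot tell a consistent forgery from a genuine result, which is why the patent pairs it with encryption of the result in transit; it does catch the cheap cases the text names, a bare pass/fail with no detail and a result whose parts disagree.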
- An example process 200 for collecting the compliance data and generating the compliance check result is shown in FIG. 2 in accordance with some embodiments.
- The process 200 is generally performed by, or performed under the control of, the endpoint client application 105, the NAC server 101, and a web browser 201 on the user device 103.
- One or more processes for collecting the compliance data and generating the compliance check result may use other appropriate steps or combinations or orderings of steps.
- After the endpoint client application 105 has been installed and launched on the user device 103, the endpoint client application 105 performs a security compliance check to collect (at 202) all of the various components of the compliance data, as described above. At 203, the endpoint client application 105 sends the compliance data, along with the identity data for the user device 103 (and, if necessary, identity data for the SAAS server 102 that the user device 103 will access), through the network 104 to the NAC server 101.
- The NAC server 101 receives the compliance data and the identity data for the user device 103. (Alternatively, the NAC server 101 receives the compliance data and then generates the identity data for the user device 103.)
- The NAC server 101 compares the received compliance data with the security policy for the SAAS server 102 and generates the compliance check result with whatever details are specified, e.g., by the vendor for the SAAS server 102 or the vendor's customer.
- The NAC server 101 sends (at 206) the compliance check result and the encryption key for the specified SAAS server 102 through the network 104 to the endpoint client application 105. (Alternatively, the NAC server 101 encrypts the compliance check result and sends the encrypted compliance check result to the endpoint client application 105.)
- The endpoint client application 105 receives (at 207) the compliance check result (and the encryption key if the compliance check result is not already encrypted).
- The endpoint client application 105 generates a cookie (for each web browser installed in the user device 103 or for a specified web browser) containing the received compliance check result, the identity data for the user device 103, and a time stamp or expiration time.
- The endpoint client application 105 generates the client certificate (at 208) containing the received compliance check result, the identity data for the user device 103, and a time stamp or expiration time.
- The endpoint client application 105 encrypts the data in the cookie or client certificate using the received encryption key if the compliance check result is not already encrypted in this embodiment.
- The endpoint client application 105 injects the cookie into each web browser (or the specified web browser(s)), where the cookie is stored (at 210) in a local database(s) or a storage location(s) used by the web browser(s).
- The endpoint client application 105 may use a low level driver to inject and manage the cookie.
- The endpoint client application 105 stores the client certificate (at 209) in the memory or data storage of the user device 103 (e.g., in the system certificates management for Windows-based user devices, the OSX keychain service for Apple OSX-based user devices, or another appropriate data storage location depending on the operating system of the user device).
- The user device 103 is then ready to be used to access the SAAS server 102.
- An example process 300 for authenticating the user device 103 for access to the SAAS server 102 is shown in FIG. 3 in accordance with some embodiments.
- The process 300 is generally performed by, or performed under the control of, the NAC server 101, the authentication application 106 on the SAAS server 102, and the web browser 201 on the user device 103.
- One or more processes for collecting the compliance data and generating the compliance check result may use other appropriate steps or combinations or orderings of steps.
- The user of the user device 103 attempts to log in to the SAAS server 102 using the web browser 201, so the web browser 201 sends (at 301), through the network 104, a request to access the SAAS server 102.
- An initial login procedure between the user device 103 and the SAAS server 102 is performed (at 302), e.g., with an exchange of a username and password.
- The authentication application 106 requests (at 303) the special cookie or client certificate from the user device 103, or the web browser 201, which sends (at 304) the cookie or client certificate (e.g., from the local database, the system certificates management, the keychain service, or other appropriate data storage location) to the authentication application 106.
- If the authentication application 106 has not already obtained the decryption key from the NAC server 101, then the authentication application 106 sends (at 305) to the NAC server 101 a request for the decryption key.
- The NAC server 101, which maintains the encryption/decryption key pairs in a database, sends (at 306) the decryption key to the authentication application 106.
- The authentication application 106 decrypts (at 307) the cookie or client certificate contents to obtain the compliance check result and the identity data for the user device 103.
- The authentication application 106 may also check the time stamp or expiration time and deny access if the cookie or client certificate has expired.
- The authentication application 106 determines whether the compliance check result can be trusted, as described above.
- The authentication application 106 determines (at 309) whether to grant or deny access to the SAAS server 102 for the user device 103 based on the contents of the compliance check result. If access is granted, then the user of the user device 103 may begin accessing the data and/or services of the SAAS server 102 through the web browser 201. If access is denied, on the other hand, then any appropriate response may be made, e.g., sending an error message to the web browser 201, alerting an administrator of a failed access attempt, logging the failed access attempt, flagging the user device 103 as having a history of being rejected, etc.
- The authentication application 106 may send (at 310) the identity data for the user device 103 to the NAC server 101 and request the original most recent compliance data (or a portion thereof) maintained for the user device 103.
- When the NAC server 101 receives the request and the identity data, it sends (at 311) the requested compliance data (or portion thereof) to the authentication application 106.
- The authentication application 106 determines (at 312) whether to grant or deny access to the SAAS server 102 for the user device 103 based on the contents of the compliance data (and optionally on any trusted portions of the compliance check result).
- If access is granted, then the user of the user device 103 may begin accessing the data and/or services of the SAAS server 102 through the web browser 201. If access is denied, on the other hand, then any appropriate response may be made, e.g., sending an error message to the web browser 201, alerting an administrator of a failed access attempt, logging the failed access attempt, flagging the user device 103 as having a history of being rejected, etc.
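Processes 200 and 300 together form one round trip: the NAC server issues the result and a SAAS-specific key, the endpoint client seals the result with the device identity data and an expiration time into a cookie, and the authentication application obtains the paired key, opens the cookie, checks expiry and decides. The following is an added example of that round trip and not code from the patent or from any product it describes. It goes one step beyond the text on the tampering point: encryption alone hides the result but does not reliably detect modification, so the cookie here also carries an HMAC tag (encrypt-then-MAC) and any cookie whose tag fails, including one built for a different SAAS server, is rejected before decryption. Standard library only: HMAC-SHA256 driven in counter mode stands in for the AES-GCM a real deployment would use; `NacServer`, the step numbers in comments, and all field names are assumptions.

```python
# Added example, not from the patent: the cookie lifecycle of processes 200
# and 300, with the compliance check result encrypted under keys specific to
# one SAAS server. Encryption by itself does not detect tampering, so the
# cookie also carries an HMAC tag (encrypt-then-MAC) and any cookie whose tag
# fails is rejected. Standard library only: HMAC-SHA256 used as a PRF in
# counter mode stands in for AES-GCM, which a real deployment would use.
# All class, function and field names are assumptions.
import base64
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


class NacServer:
    """Holds one (encryption key, MAC key) pair per SAAS server (ref. 508)."""

    def __init__(self):
        self._keys = {}            # saas_id -> (enc_key, mac_key)

    def keys_for(self, saas_id):
        if saas_id not in self._keys:
            self._keys[saas_id] = (os.urandom(32), os.urandom(32))
        return self._keys[saas_id]


def _keystream(key, nonce, length):
    """Derive `length` keystream bytes from HMAC-SHA256(key, nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, payload: dict) -> str:
    """Encrypt-then-MAC a JSON payload; returns a base64 cookie value."""
    plain = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode()


def open_sealed(enc_key, mac_key, cookie: str):
    """Check the tag first, then decrypt. Returns None on any failure."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except Exception:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    try:
        return json.loads(plain)
    except ValueError:
        return None


def build_cookie(nac, saas_id, device_id, check_result, ttl_s=3600, now=None):
    """Endpoint client side (steps 206-208): the NAC server supplies the result
    and the SAAS-specific keys; the client seals them together with the device
    identity data and an expiration time."""
    now = time.time() if now is None else now
    enc_key, mac_key = nac.keys_for(saas_id)
    payload = {"device_id": device_id, "result": check_result, "expires": now + ttl_s}
    return seal(enc_key, mac_key, payload)


def authenticate(nac, saas_id, cookie, now=None):
    """Authentication application side (steps 305-309): obtain the SAAS-specific
    keys from the NAC server, open the cookie, check expiry, then decide."""
    now = time.time() if now is None else now
    enc_key, mac_key = nac.keys_for(saas_id)
    payload = open_sealed(enc_key, mac_key, cookie)
    if payload is None:
        return False, "cookie missing, malformed or tampered"
    if payload.get("expires", 0) <= now:
        return False, "cookie expired"
    if not payload.get("result", {}).get("pass"):
        return False, "compliance check result negative"
    return True, "access granted for device " + str(payload.get("device_id"))
```

Because the keys are looked up per SAAS server, a cookie issued for one server fails the tag check at another, which is the property the text gets from making the encryption key "specific for the SAAS server 102". The `now` parameter exists only so the expiry path can be exercised deterministically.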
- The network computerized system 400 generally includes one or more of the NAC server 101, one or more of the SAAS server 102, one or more of the user device 103, and one or more of an authentication and SSO (Single Sign On) server 401.
- The NAC server 101, the SAAS server 102, the user device 103, and the authentication and SSO server 401 generally communicate with each other via the network 104.
- The NAC server 101, the SAAS server 102, the user device 103, and the network 104 may be similar to the above description, but with any of the following distinguishing features.
- The authentication and SSO server 401 performs some of the previously described functions of the authentication application 106.
- The authentication application 106 is between the SAAS server 102 and the user device 103 and intercepts any attempt to log in, transparently to the user device 103.
- The authentication and SSO server 401 generally performs the functions of retrieving the cookie or client certificate and making the access grant/deny decision, as described above for the authentication application 106. If access is granted for the user device 103, then the authentication and SSO server 401 authenticates a secure session ID to the web browser (on the user device 103) for the web browser and the SAAS server 102 to interact.
- The SAAS server 102, on the other hand, primarily performs only the function of hosting the sensitive data and services.
- The authentication application 106 is generally reduced to accepting the secure session for the SAAS server 102, i.e., simply granting access by the user device 103 based on the secure session ID.
- The web browser then uses the authenticated session to access data and/or services on the SAAS server 102.
- The authentication and SSO server 401 also obtains the decryption key (if used) from the NAC server 101.
- The authentication and SSO server 401 further decrypts the contents of the cookie or client certificate received from the user device 103 and/or any encrypted data (e.g., compliance check result or compliance data) received from the NAC server 101.
- A benefit of this alternative solution is that few or no changes are required for the SAAS server 102 compared with a conventional SAAS server. Therefore, almost any customer (of the NAC server 101 and/or of the SAAS server 102) could build a variation of the authentication and SSO server 401 and integrate it into the rest of the network computerized system 400 to isolate the authentication functions from the SAAS functions.
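In system 400 the grant/deny decision and the session live in different components, so the value of the "secure session ID" rests on two properties: it must be unguessable, and the SAAS server must be able to confirm it is live and was issued for that server. The following is an added example of that split and not code from the patent or from any product it describes: an authentication and SSO server that issues a session ID only after a positive decision and keeps only a hash of it, and the reduced authentication application on the SAAS server that accepts a request on the session ID alone. Class and method names, the session lifetime and the injected clock are assumptions.

```python
# Added example, not from the patent: how an authentication and SSO server
# (ref. 401) might issue a secure session ID after a positive compliance
# decision, and how the SAAS server's authentication application, reduced to
# accepting that session, might validate it. Names and values are assumptions.
import hashlib
import secrets
import time


class AuthenticationAndSsoServer:
    """Issues and tracks session IDs. Only a hash of each ID is stored, so a
    copy of the session table is not enough to reuse a session."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock (assumption) for deterministic tests
        self._sessions = {}       # sha256(session_id) -> session record

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def issue_session(self, device_id, saas_id, access_granted: bool, ttl_s=900):
        """Return an unguessable session ID, or None when access was denied."""
        if not access_granted:
            return None
        session_id = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[self._key(session_id)] = {
            "device_id": device_id,
            "saas_id": saas_id,
            "expires": self._now() + ttl_s,
        }
        return session_id

    def lookup(self, session_id):
        """Return the live session record bound to this ID, or None."""
        record = self._sessions.get(self._key(session_id))
        if record is None or record["expires"] <= self._now():
            return None
        return record

    def revoke(self, session_id):
        self._sessions.pop(self._key(session_id), None)


class SaasAuthenticationApplication:
    """Reduced authentication application (ref. 106) in system 400: it grants
    access on the session ID alone, after confirming with the SSO server that
    the session is live and was issued for this SAAS server."""

    def __init__(self, sso: AuthenticationAndSsoServer, saas_id: str):
        self._sso = sso
        self._saas_id = saas_id

    def device_for(self, session_id):
        """Identity data of the device behind a valid session, else None."""
        record = self._sso.lookup(session_id)
        if record is None or record["saas_id"] != self._saas_id:
            return None
        return record["device_id"]

    def accept(self, session_id) -> bool:
        return self.device_for(session_id) is not None
```

Binding the record to a `saas_id` is what keeps a session issued for one SAAS server from being presented to another; the hashed session table is a defensive detail the text does not mention but a practitioner would expect.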
- A simplified schematic diagram showing an example structure for the NAC server 101 is shown in FIG. 5 in accordance with an embodiment of the present invention.
- The NAC server 101 may represent one or more physical computer devices, such as web servers, network storage devices, etc.
- The NAC server 101 may be referred to as a cloud server.
- The NAC server 101 generally includes at least one processor 500, a main memory 501, a data storage 502, a user I/O 503, and a network I/O 504, among other components not shown for simplicity, connected or coupled together by a data communication subsystem 505.
- The data storage 502 generally maintains the compliance security policy 506, the compliance data 507, the encryption/decryption keys 508, a compliance check application 509, and the compliance check results 510.
- The processor 500 represents one or more central processing units on one or more PCBs in one or more housings or enclosures.
- The main memory 501 represents one or more RAM modules on one or more PCBs in one or more housings or enclosures.
- The data storage 502 represents any appropriate number or combination of internal or external physical mass storage devices, such as hard drives, optical drives, network-attached storage (NAS) devices, flash drives, etc.
- The user I/O 503 represents one or more appropriate user interface devices, such as keyboards, pointing devices, displays, etc.
- The network I/O 504 represents any appropriate networking devices, such as network adapters, etc., for communicating through the network 104.
- The data communication subsystem 505 represents any appropriate communication hardware for connecting the other components in a single unit or in a distributed manner on one or more PCBs, within one or more housings or enclosures, within one or more rack assemblies, etc.
- The processor 500 interacts with the endpoint client application 105 through the network I/O 504, as described above, to generate the compliance check results 510 based on the compliance security policy 506 and the compliance data 507.
- The processor 500 then causes the compliance check results 510 to be sent through the network I/O 504 along with the encryption key (508) to the endpoint client application 105.
- When the SAAS server 102 requests any data (e.g., the decryption key (508), the compliance check result 510 or the compliance data 507) from the NAC server 101, as described above, the processor 500 causes the data to be sent to the SAAS server 102 through the network I/O 504.
- A simplified schematic diagram showing an example structure for the SAAS server 102 is shown in FIG. 6 in accordance with an embodiment of the present invention.
- The SAAS server 102 may represent one or more physical computer devices, such as web servers, network storage devices, cloud-based devices, etc.
- The SAAS server 102 generally includes at least one processor 600, a main memory 601, a data storage 602, a user I/O 603, and a network I/O 604, among other components not shown for simplicity, connected or coupled together by a data communication subsystem 605.
- The data storage 602 generally maintains the decryption key 606, SAAS applications and data 607, and the authentication application 106.
- The SAAS applications and data 607 generally represent the services and data used by the user devices 103 after being granted access to the SAAS server 102.
- The processor 600 represents one or more central processing units on one or more PCBs in one or more housings or enclosures.
- The main memory 601 represents one or more RAM modules on one or more PCBs in one or more housings or enclosures.
- The data storage 602 represents any appropriate number or combination of internal or external physical mass storage devices, such as hard drives, optical drives, network-attached storage (NAS) devices, flash drives, etc.
- The user I/O 603 represents one or more appropriate user interface devices, such as keyboards, pointing devices, displays, etc.
- The network I/O 604 represents any appropriate networking devices, such as network adapters, etc., for communicating through the network 104.
- The data communication subsystem 605 represents any appropriate communication hardware for connecting the other components in a single unit or in a distributed manner on one or more PCBs, within one or more housings or enclosures, within one or more rack assemblies, etc.
- The processor 600 interacts with the web browser of the user device 103 and the NAC server 101 through the network I/O 604, as described above, to determine whether to grant or deny access to the SAAS server 102 for the user device 103. If the user device 103 is granted access, then under control of the SAAS applications and data 607, the processor further interacts with the web browser of the user device 103 through the network I/O 604 to provide the services and data that the user of the user device 103 wants to access.
- A simplified schematic diagram showing an example structure for the user device 103 is shown in FIG. 7 in accordance with an embodiment of the present invention. Other embodiments may use other components and combinations of components.
- The user device 103 may be a desktop computer, a workstation, a notebook computer, a tablet computer, a hand held computer, a cell phone, a smart phone, a game console or any other appropriate computerized device that a person/user may use to access the SAAS server 102 through the network 104.
- The user device 103 generally includes at least one processor 700, a main memory 701, a data storage 702, a user I/O 703, and a network I/O 704, among other components not shown for simplicity, connected or coupled together by a data communication subsystem 705.
- The data storage 702 generally maintains the endpoint client application 105, the compliance data 706, an encryption application 707, the web browser(s) 708, the cookie local database(s) 709 or the client certificate 713 (e.g., in the system certificates management, the keychain service, or other appropriate data storage location), security and antivirus applications 710, the encryption key 711, and other applications 712.
- The processor 700 represents one or more central processing units on one or more PCBs in one or more housings or enclosures.
- The main memory 701 represents one or more RAM modules on one or more PCBs in one or more housings or enclosures.
- The data storage 702 represents any appropriate number or combination of internal or external physical mass storage devices, such as hard drives, optical drives, network-attached storage (NAS) devices, flash drives, etc.
- The user I/O 703 represents one or more appropriate user interface devices, such as keyboards, pointing devices, displays, etc.
- The network I/O 704 represents any appropriate networking devices, such as network adapters, etc., for communicating through the network 104.
- The data communication subsystem 705 represents any appropriate communication hardware for connecting the other components in a single unit or in a distributed manner on one or more PCBs, within one or more housings or enclosures, within one or more rack assemblies, etc.
- The processor 700 interacts with the encryption application 707, the security and antivirus applications 710, and the other applications 712 to collect the compliance data 706. Then the processor 700 interacts with the NAC server 101 through the network I/O 704, as described above, to generate the compliance check results based on the compliance security policy and the compliance data 706 and to create the cookie or client certificate (encrypted with the encryption key 711) and inject it into the cookie or client certificate local database(s) 709. Then, under control of the web browser 708, the processor 700 interacts with the authentication application 106 to attempt to gain access to the SAAS server 102 through the network I/O 704 and the network 104.
- The processor 700 interacts with the SAAS applications and data 607 of the SAAS server 102 through the network I/O 704 and the network 104 to use the services and data that the user wants.
Abstract
Description
- This patent application is a continuation of U.S. patent application Ser. No. 15/069,459 filed Mar. 14, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 14/572,699 filed Dec. 16, 2014, which are incorporated by reference herein.
- Network access control (NAC), also called network admission control, enhances or enables the security of a proprietary network (e.g., a Software-as-a-Service (SAAS) proprietary network server) by restricting the availability of network resources to endpoint user devices that comply with a defined security policy. In some cases, an NAC server performs authentication and authorization functions for the user devices of potential subscribers by verifying login information, e.g. username and password, when the user devices attempt to login to the proprietary network, e.g., through the Internet. In addition, the NAC server may restrict the data that each particular user or user device can access and may implement anti-threat applications such as firewalls, antivirus software, and spyware-detection programs. The NAC server may also regulate and restrict the actions that individual subscribers can do within the proprietary network once they are logged in.
- NAC is commonly used by corporations, agencies, and other entities that require the user environment to be rigidly controlled. However, security issues still arise with respect to NAC systems in proprietary networks with large numbers of users and many different, frequently changing, devices that may be used to access the proprietary network. An example is a proprietary network for a large university with multiple departments, numerous access points and thousands of users with various backgrounds and objectives.
- Some embodiments of the present invention involve a method in which an authentication application receives a request from a user device to access a software-as-a-service server; retrieves a compliance check result generated by a network access control server based on 1) compliance data collected by a client application on the user device, and 2) a security policy for the software-as-a-service server; grants access by the user device to the software-as-a-service server when the compliance check result is positive; and denies access by the user device to the software-as-a-service server when the compliance check result is negative. In some embodiments, a web browser cookie or a client certificate is used to convey to the authentication application the compliance check result or a user device identifier.
- Some embodiments of the present invention involve a method in which a client application on a user device collects compliance data on the user device; and sends the compliance data to a network access control server for the network access control server to generate a compliance check result based on the compliance data and a security policy for a software-as-a-service server, wherein the compliance check result is for use by an authentication application to grant access by the user device to the software-as-a-service server when the compliance check result is positive and to deny access by the user device to the software-as-a-service server when the compliance check result is negative. In some embodiments, a web browser cookie or a client certificate is used to convey to the authentication application the compliance check result or a user device identifier.
- Some embodiments of the present invention involve a method and system including a network access control server, an authentication application running on a software-as-a-service server, and a device application running on a user device. The device application collects compliance data regarding the user device and communicates the compliance data to the network access control server. The network access control server generates and stores a compliance check result based on whether the compliance data indicates that the user device is compliant with a security policy for the software-as-a-service server. The client application stores a user device identifier in a client certificate on the user device. The authentication application requests the client certificate during a login procedure, reads the user device identifier, and requests the compliance check result from the network access control server. The authentication application grants access by the user device when the compliance check result is positive; and the authentication application denies access by the user device when the compliance check result is negative.
- In some embodiments, the authentication application requests the compliance data from the network access control server. In this case, the authentication application may grant or deny access by the user device based on both the compliance check result and the compliance data.
- In some embodiments, an authentication server generates a secure session ID when the user device attempts to login to the software-as-a-service server and the compliance check result is positive. In this case, the authentication application grants access by the user device based on the secure session ID.
- In some embodiments, the compliance data includes hardware, software, and configuration data of the user device. For example, the compliance data may include an encryption state of the user device, a malware infection state of the user device, and/or whether an unwanted application is present on the user device.
- FIG. 1 is a simplified schematic diagram of an example network computerized system incorporating an embodiment of the present invention.
- FIG. 2 is a simplified flowchart of a compliance check process for a user device used in the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 3 is a simplified flowchart of an authentication process for a user device within the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 4 is a simplified schematic diagram of another example network computerized system incorporating an embodiment of the present invention.
- FIG. 5 is a simplified schematic diagram of a network access control (NAC) server for use in the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 6 is a simplified schematic diagram of an SAAS server for use in the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- FIG. 7 is a simplified schematic diagram of a user device for use in the example network computerized system shown in FIG. 1 in accordance with an embodiment of the present invention.
- Reference now will be made in detail to embodiments of the disclosed invention, one or more examples of which are illustrated in the accompanying drawings. Each example is provided by way of explanation of the present technology, not as a limitation of the present technology. In fact, it will be apparent to those skilled in the art that modifications and variations can be made in the present technology without departing from the spirit and scope thereof. For instance, features illustrated or described as part of one embodiment may be used with another embodiment to yield a still further embodiment. Thus, it is intended that the present subject matter covers all such modifications and variations within the scope of the appended claims and their equivalents.
- An example network
computerized system 100 incorporating an embodiment of the present invention is shown inFIG. 1 . The networkcomputerized system 100 generally includes one or more network access control (NAC)server 101, one or more Software-as-a-Service (SAAS)server 102, and one ormore user device 103. TheNAC server 101, the SAASserver 102, and theuser device 103 generally communicate with each other via anetwork 104, such as the Internet, a cloud-based network, a wide area network (WAN), etc. The SAASserver 102 generally provides services to user devices (e.g. 103) that have been granted access after having been properly authenticated as being compliant with a compliance security policy that is customized for the requirements of the SAASserver 102. The compliance check and authentication procedures enable a relatively high level of security for theuser devices 103 that access the SAASserver 102, without the SAASserver 102 having to place any additional information on theuser devices 103 that would assist the SAASserver 102 in authenticating theuser devices 103. This level of security may be in addition to a typical username/password login procedure for theuser devices 103. Additionally, embodiments of the present invention may be used on almost any operating system or hardware platform and with almost any available web browser, e.g., Internet Explorer (IE), Firefox, Chrome, Safari, Opera, etc. Furthermore, in some embodiments, the compliance check procedure injects the results of the compliance check (and/or any other information needed for authenticating the user device 103) into a web browser cookie stored in some or all of the web browsers on theuser device 103. Then the SAAS server 102 (or an authentication application) can request the cookie in order to perform the authentication procedure when theuser device 103 attempts to access theSAAS server 102 through one of the web browsers. 
Some other access control solutions typically include perimeter firewalls, intrusion detection and prevention, anti-malware, physical isolation, and maybe some additional baseline security mechanisms. However, these techniques require continuous monitoring of authentication, access, and activity on sensitive data, which is extremely difficult to maintain. According to embodiments of the present invention, on the other hand, although there are various options for handling the decision to grant access, access control is generally handled directly by the SAAS server 102, or an authentication component thereof, without additional appliances or a proxy service. Embodiments of the present invention, therefore, generally enable authentication techniques that do not require such continuous monitoring. Thus, some additional components present in a conventional system may be eliminated, thereby decreasing or reducing maintenance requirements as well as opportunities to bypass security controls.
Additionally, some other access control solutions use a gateway server with a single sign on (SSO) feature enabled. The enterprise end users, therefore, access the SAAS server through the gateway server. However, these techniques may not be sufficiently secure to satisfy the security requirements of some SAAS vendors. Embodiments of the present invention, on the other hand, generally enable authentication techniques that are very robust and secure due to the compliance check described herein.
To perform the compliance check and enable the authentication capabilities herein, an endpoint client application 105 running on the user device 103 scans the user device 103 and collects data on the hardware, software, and configuration of the user device 103. The endpoint client application 105 may use low level drivers, a high level registry, and/or software inspection to collect some of this data. This data may be referred to as "health data," since much of the data generally relates to the fitness of the user device 103 for accessing the services of the SAAS server 102. Alternatively, this data may be referred to as "compliance data," since the data is generally used to determine whether the user device 103 is properly compliant with a security or compliance policy for accessing the services of the SAAS server 102. The compliance data and identity data (or a user device identifier generated by the user device 103 or the NAC server 101) for the user device 103 are sent to the NAC server 101.
The NAC server 101 may manage the security policies for the SAAS servers 102, host a device information database, and receive the compliance data from the user devices 103. The NAC server 101 generally uses the compliance data and the identity data to generate a "compliance check result" that indicates whether the user device 103 is compliant with the security policy for the SAAS server 102. Then, when the user device 103 attempts to access or log in to the SAAS server 102, an authentication application 106 running on the SAAS server 102 manages the user authentication process by using the compliance check result (among other appropriate information) to determine whether to grant or deny access. If the user device 103 is supposed to be able to access more than one of the SAAS servers 102, each potentially having a different security policy, then the NAC server 101 generates a compliance check result for each such SAAS server 102.
The compliance data collected by the user device 103 generally includes information related to an encryption state of data stored on the user device 103, the potential for a malware infection in the user device 103, the presence of potentially unwanted or undesirable applications on the user device 103, and/or unwanted hardware, among other potential types of data. The types of data generally relate to the potential for a breach of security or a corruption, loss or theft of the data that the user device 103 may receive from the SAAS server 102, or malicious files that the user device 103 may send to the SAAS server 102.
The compliance check result may indicate whether the user device 103 passes or fails compliance with the security policy on one or more grounds. In a simple form, the compliance check result is a mere pass/fail flag, causing the authentication application 106 to either grant or deny access to the SAAS server 102 for the user device 103. In more complex or more detailed forms, the compliance check result may include additional information or compliance details, e.g., the specific grounds for failure, a pass/fail flag for each individual component of the compliance data, the running state of some applications, anti-malware definition state information, etc. In this manner, the authentication application 106 can provide more than a simple grant or deny response to an attempt by the user device 103 to log in to the SAAS server 102. For example, the authentication application 106 may provide different levels of access to the SAAS server 102 for the user devices 103, or may provide different alerts or reports to an administrator regarding attempts to access the SAAS server 102, based on the information in the compliance check result.
In some embodiments, the authentication application 106 uses the identity data for the user device 103 to query the NAC server 101 to obtain the compliance data and make an access grant/deny decision according to the actual device status, e.g., by performing the compliance check in the authentication application 106 instead of in the NAC server 101. In this case, the compliance security policy is defined and managed on the SAAS server 102, while the device inspection and identification is still performed by the endpoint client application 105.
In some embodiments, the endpoint client application 105 has access to "settings" information for the user device 103. With this capability, the endpoint client application 105 can determine various information about the user device 103. For example, the endpoint client application 105 may be able to determine whether or not the user device 103 is set up to require a system password to be entered upon booting of the user device 103 or bringing the user device 103 out of a standby/hibernation or a screensaver mode. The system password may prevent unauthorized use of the user device 103 when the user device 103 is lost, stolen or borrowed, so the security policy for the SAAS server 102 may require use of the system password in order to reduce the likelihood of unauthorized use of the user device 103 to access the SAAS server 102. The endpoint client application 105 may, thus, include information in the compliance data that indicates whether the system password feature of the user device 103 is enabled. In this manner, if the compliance data indicates that the user device 103 is not set up to use the system password, then the compliance check result may indicate a failure to meet the security policy, and the authentication application 106 may deny access to the SAAS server 102 for the user device 103.
In some embodiments, the vendor responsible for the SAAS server 102 may require that some or all of the data maintained by the SAAS server 102 be encrypted when stored on a storage device, e.g., for privacy, business or regulatory reasons. In this case, the encryption state of the user device 103 is relevant to the SAAS vendor, because all users who download the data or access the services from the SAAS server 102 may also be required to maintain the data in an appropriate encryption state. In this manner, the data can be protected from theft or viewing by an unauthorized party even after it has been downloaded from the SAAS server 102 to the user device 103, because the data still cannot be accessed without a decryption key.
To ensure proper encryption of downloaded data, the endpoint client application 105 may determine whether the user device 103 includes and uses appropriate encryption software. For this purpose, the endpoint client application 105 may be able to detect the presence of a variety of different security applications in a variety of different security categories. The endpoint client application 105 may detect whether such security products are both installed and enabled in the user device 103. The endpoint client application 105 may further detect whether such security products are properly configured to adequately protect the user device 103. Alternatively, the endpoint client application 105 may simply determine whether data stored on the user device 103 is encrypted. Additionally, the endpoint client application 105 may determine how well the user device 103 encrypts data (i.e., how easy the encryption is to break) based on the type of encryption, the length of the encryption key or the specific encryption software (or version thereof). Therefore, the compliance data transmitted by the endpoint client application 105 to the NAC server 101 may include information indicative of the presence/absence of encryption software on the user device 103, the specific encryption software used by the user device 103, whether an encryption product is installed in the user device 103 but not enabled, whether an encryption product is enabled only for some volumes but not for other volumes in the user device 103, the encryption state of data stored in the user device 103 and/or some other indicia indicative of encryption in the user device 103.
The encryption-related information may then be used by the NAC server 101 to generate at least part of the compliance check result. The NAC server 101, thus, compares the encryption-related information to the security policy for the SAAS server 102 and sets one or more indicia in the compliance check result related to encryption in the user device 103. In some embodiments, the lack of proper encryption may be a complete bar to granting access by the authentication application 106 to the data or services in the SAAS server 102 for the user device 103, so the compliance check result may include a simple pass/fail indicia for the encryption state of the user device 103. In other embodiments, the authentication application 106 may grant limited access to data or services on the SAAS server 102 for the user device 103 when the compliance check result indicates a lack of proper encryption on the user device 103. In still other embodiments, a more detailed compliance check result may indicate a level of encryption (e.g., a no/low/medium/high indicia) on the user device 103, and the authentication application 106 may set a level of access for the user device 103 that depends on the level of encryption. In other embodiments, access to some data or services in the SAAS server 102 may require one set of encryption indicia to indicate "pass," and access to other data or services in the SAAS server 102 may require a different set of encryption indicia to indicate "pass."
In some embodiments, the vendor responsible for the SAAS server 102 may require that the user devices 103 that access the SAAS server 102 have adequate protection against computer viruses and other malware. In this case, the endpoint client application 105 can generally detect the presence of a variety of different antivirus products on the user device 103, and the compliance data collected by the endpoint client application 105 may indicate the presence or absence of such products.
Additionally, the vendor may consider certain antivirus products to provide inadequate protection. In this case, the compliance data may indicate the specific antivirus products that are installed and activated in the user device 103.
Furthermore, the vendor may consider some antivirus products to be inadequate unless certain features of the antivirus products are enabled or set in a particular manner. In this case, the endpoint client application 105 may be further capable of querying the antivirus products to determine their settings. The compliance data may further indicate these settings.
Also, the vendor may consider user devices 103 that are attacked too often by malware to be too great a risk to access the SAAS server 102. In this case, the endpoint client application 105 may be capable of querying the antivirus products to determine how often the user device 103 has experienced a malware attack or infection in any given period of time. The compliance data may further indicate this information.
Upon analyzing the malware-related compliance data with respect to the security policy for the SAAS server 102, the NAC server 101 may include in the compliance check result a simple pass/fail indicia indicative of whether the user device 103 has adequate malware protection. Alternatively, a more detailed compliance check result may include information for one or more of the different types of malware-related compliance data described above. The authentication application 106 may then deny access to the SAAS server 102 for user devices 103 that have a compliance check result that indicates a failure to comply with the anti-malware criteria of the security policy. Alternatively, the authentication application 106 may grant limited access when the compliance check result indicates that the user device 103 passes some of the malware-related criteria of the security policy, but fails to meet other (potentially minor) criteria.
In some embodiments, the NAC server 101 may have several different antivirus products in operation. In this case, the endpoint client application 105 may forward suspect programs, portions of suspect programs or data generated from suspect programs (e.g., hash data) to the NAC server 101. The NAC server 101 can then analyze this information with the various antivirus products to determine whether the user device 103 has a malware infection and optionally the potential severity of the infection. The NAC server 101 may then inform the endpoint client application 105 that the user device 103 has a malware infection (and optionally the nature or severity of the infection) and/or may include this information in the compliance check result. The authentication application 106 may then grant or deny access (or limited access) to the SAAS server 102 for the user device 103.
In some embodiments, the vendor responsible for the SAAS server 102 may require that the user devices 103 that access the SAAS server 102 not have certain unwanted or undesirable applications or unusual, suspect, risky or vulnerable hardware components. These applications may not necessarily be malware, but simply applications whose normal operations may compromise the security of the data or services of the SAAS server 102 or the performance of the user device 103. Such applications may provide a "back door" for unregulated or uncontrolled access to data from the SAAS server 102 by unauthorized people. For example, a backup or sync application may be able to read data stored on the user device 103 and back it up or sync it to a network or cloud storage facility. If the data is encrypted, then the security risk may be minimal. However, if the user device 103 decrypts the data before the backup application obtains it, then decrypted data may be uploaded to potentially unsecure storage facilities. Additionally, some unwanted hardware components may not necessarily be a security problem. However, an unusual hardware component may simply be a component that is unidentifiable, so it is unknown whether there is an actual security problem with this component. Also, a hardware component may be suspect if it is identified as an ordinary, but unnecessary, component. For example, although keyboards are typically ordinary components commonly connected to the user devices 103, a second keyboard detected as being connected to the user device 103 may be suspect, because it is unnecessary and could actually be a type of malware called "Bad USB." Furthermore, a web camera, microphone, or other enabled I/O device in the user device 103 may be risky, since these devices may be used to acquire information about the user device 103. In addition, hardware components that are known to be vulnerable, or outdated hardware that could potentially have become vulnerable, may represent a security issue.
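As an added example of the compliance check the preceding paragraphs describe (illustration code written for this page, not the patent's or any vendor's implementation), the Go program below models compliance data collected on a user device, a per-SAAS-server policy held by the NAC server, and the comparison that yields a compliance check result carrying both the simple pass/fail flag and a per-component pass/fail flag with the specific grounds for failure. It also shows how an authentication application can turn the detailed result into full, limited or denied access and refuse a result that has passed its expiration time stamp. Every name and value here is an assumption made for the example: the field names, the three-level encryption state, the thirty-day infection window, SampleDevice and SamplePolicy, and the choice of which components bar access outright rather than merely limit it.

```go
package main

import (
	"fmt"
	"time"
)

// ComplianceData is what the endpoint client application collects on a user device. The
// fields are assumptions modelled on the categories the description lists, not a real schema.
type ComplianceData struct {
	DeviceID              string
	SystemPasswordEnabled bool     // password required at boot or on wake
	DiskEncryption        string   // assumed values: "none", "partial", "full"
	AntivirusEnabled      bool     // an antivirus product is installed and enabled
	InfectionsLast30Days  int      // as reported by the antivirus product
	UnwantedApps          []string // applications the client flagged (e.g. a cloud sync client)
	UnknownHardware       []string // components the client could not identify
	CollectedAt           time.Time
}

// Policy is the per-SAAS-server compliance security policy held by the NAC server.
type Policy struct {
	RequireSystemPassword bool
	MinDiskEncryption     string
	RequireAntivirus      bool
	MaxInfections         int
	DenyUnwantedApps      bool
	DenyUnknownHardware   bool
	MaxResultAge          time.Duration // the result expires this long after collection
}

// ComponentResult is one entry of a detailed result; Reason is the specific ground for failure.
type ComponentResult struct {
	Component string
	Pass      bool
	Reason    string
}

// CheckResult carries the simple overall flag, the per-component detail and the expiration.
type CheckResult struct {
	DeviceID   string
	Pass       bool
	Components []ComponentResult
	Expires    time.Time
}

var encryptionRank = map[string]int{"none": 0, "partial": 1, "full": 2} // unknown values rank as "none"

// Evaluate is the NAC server's comparison of compliance data against the policy.
func Evaluate(d ComplianceData, p Policy) CheckResult {
	r := CheckResult{DeviceID: d.DeviceID, Pass: true, Expires: d.CollectedAt.Add(p.MaxResultAge)}
	add := func(name string, ok bool, reason string) {
		if ok {
			reason = "" // reasons are recorded only as the grounds for a failure
		}
		r.Pass = r.Pass && ok // any failed component fails the simple flag
		r.Components = append(r.Components, ComponentResult{name, ok, reason})
	}
	add("system_password", !p.RequireSystemPassword || d.SystemPasswordEnabled, "system password not required at boot or wake")
	add("encryption", encryptionRank[d.DiskEncryption] >= encryptionRank[p.MinDiskEncryption],
		fmt.Sprintf("disk encryption %q is below the required %q", d.DiskEncryption, p.MinDiskEncryption))
	add("antimalware", !p.RequireAntivirus || d.AntivirusEnabled, "antivirus not installed or not enabled")
	add("infection_history", d.InfectionsLast30Days <= p.MaxInfections,
		fmt.Sprintf("%d infections in 30 days exceeds the limit of %d", d.InfectionsLast30Days, p.MaxInfections))
	add("unwanted_software", !p.DenyUnwantedApps || len(d.UnwantedApps) == 0, fmt.Sprintf("unwanted applications: %v", d.UnwantedApps))
	add("hardware", !p.DenyUnknownHardware || len(d.UnknownHardware) == 0, fmt.Sprintf("unidentified hardware: %v", d.UnknownHardware))
	return r
}

// critical: components whose failure bars access outright in this example; other failures only
// limit access. That split is an assumption, not something the page prescribes.
var critical = map[string]bool{"encryption": true, "hardware": true, "system_password": true}

// AccessLevel is the authentication application's reading of a detailed result:
// "full", "limited" or "deny". An expired result is denied until it has been updated.
func AccessLevel(r CheckResult, now time.Time) string {
	if !now.Before(r.Expires) {
		return "deny"
	}
	level := "full"
	for _, c := range r.Components {
		if !c.Pass && critical[c.Component] {
			return "deny"
		} else if !c.Pass {
			level = "limited"
		}
	}
	return level
}

// SampleDevice and SamplePolicy are constructed inputs, not real data.
func SampleDevice() ComplianceData {
	return ComplianceData{DeviceID: "dev-0001-example", SystemPasswordEnabled: true, DiskEncryption: "full",
		AntivirusEnabled: true, InfectionsLast30Days: 3, UnwantedApps: []string{"cloudsync-client"},
		CollectedAt: time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)}
}

func SamplePolicy() Policy {
	return Policy{RequireSystemPassword: true, MinDiskEncryption: "full", RequireAntivirus: true,
		MaxInfections: 2, DenyUnwantedApps: true, DenyUnknownHardware: true, MaxResultAge: 24 * time.Hour}
}

func main() {
	r := Evaluate(SampleDevice(), SamplePolicy())
	for _, c := range r.Components {
		fmt.Printf("%-18s pass=%-5v %s\n", c.Component, c.Pass, c.Reason)
	}
	fmt.Println("overall pass:", r.Pass, "| access:", AccessLevel(r, r.Expires.Add(-time.Hour)))
}
```

With the constructed inputs the device fails only the infection-history and unwanted-software components, so the simple flag is "fail" while the detailed result lets the authentication application grant limited access instead of none; the same device reporting no disk encryption, or any hardware the client could not identify, is denied outright, and a result older than MaxResultAge is denied regardless of its contents.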
Therefore, to be safe, it may be preferable in some embodiments to deny access to user devices 103 that have any detected unusual, suspect, risky or vulnerable hardware components.
The endpoint client application 105 may be capable of detecting the presence of such applications or hardware known to present a potential security risk or that are unidentifiable. The collected compliance data, therefore, may include an indication of the presence of such applications or hardware and/or the identity of these applications or hardware. The compliance check result may provide this information to the authentication application 106. Then the authentication application 106 may deny access to the SAAS server 102 for the user device 103 or may alert the user device 103 that the identified applications or hardware must be disabled, uninstalled or removed before access can be granted.
Each of the various types of information described herein (and any other potentially relevant data) may be collected into the compliance data by the endpoint client application 105 and sent to the NAC server 101 for analysis with regard to the security policy for the SAAS server 102. The NAC server 101 may then generate the compliance check result based on this compliance data, so the authentication application 106 is able to determine whether to grant or deny access to the SAAS server 102 by the user device 103.
Since the various types of information can potentially change at any time, the endpoint client application 105 may update the compliance data. The updated compliance data may then be used by the NAC server 101 to update the compliance check result. The updates may occur upon demand (e.g., by a user of the user device 103) or at regular time intervals (e.g., every few minutes, hours or days). Alternatively, similar to the manner in which antivirus programs scan newly installed software and data, the endpoint client application 105 may initiate a compliance data update upon detecting a change in the hardware, software or configuration of the user device 103. Furthermore, the authentication application 106 may be capable of detecting an expired compliance check result, e.g., if the compliance check result contains an expiration time stamp (or creation/modification date), and the security policy sets a maximum time between compliance data updates. In this case, if the compliance check result is too old, the authentication application 106 may deny access to the SAAS server 102 for the user device 103 until the compliance check result has been updated. Additionally, the update may be required to occur even if the compliance data has not changed, in order to reset the time stamp and ensure that the compliance check result is current. In general, an expiration time stamp may be set to be slightly later than the next expected scan or compliance data collection time, so the endpoint client application 105 and the NAC server 101 have time to perform the update.
The endpoint client application 105 may be installed or deployed in the user device 103 in any appropriate manner. For example, a user of the user device 103 may install and activate the endpoint client application 105 from an online download or storage device upload (e.g., from a CD, DVD, flash drive, etc.) or activate the endpoint client application as a browser plugin or as a portable executable that does not require any installation. Alternatively, an administrator of the SAAS server 102 (or of a customer of the SAAS server 102) may install the endpoint client application 105 before the user is allowed to use the user device 103. In some embodiments, the endpoint client application 105 may be automatically installed (optionally with user approval) in the user device 103 upon the first attempt by the user device 103 to access the SAAS server 102.
The authentication application 106 may obtain the compliance check result in any appropriate manner. For example, the NAC server 101 may send the compliance check result to the endpoint client application 105, which may insert the compliance check result (and the identity data of the user device 103) into a web browser cookie and inject the cookie into the local database(s) of any web browsers installed in the user device 103. Then, when the authentication application 106 detects an attempt to access the SAAS server 102 by the web browser on the user device 103, the authentication application 106 may request the cookie from the web browser and thereby obtain the compliance check result. In another example, HTML5 could be used with local storage to enable the authentication application 106 to obtain the compliance check result.
Alternatively, in some embodiments, the NAC server 101 does not send the compliance check result to the endpoint client application 105. Instead, the NAC server 101 (or another network storage device) maintains the compliance check result, and the endpoint client application 105 stores the identity data for the user device 103 in the cookie. Then, when the authentication application 106 detects an attempt to access the SAAS server 102 by the user device 103 (e.g., by the web browser on the user device 103), the authentication application 106 requests the cookie from the user device 103, or the web browser thereon, and thereby obtains the identity data for the user device 103.
Alternatively, in some embodiments, the endpoint client application 105 stores the identity data for the user device 103 in a client certificate on the user device 103. Then, when the authentication application 106 detects an attempt to access the SAAS server 102 by the user device 103, the authentication application 106 requests the client certificate from the user device 103 and thereby obtains the identity data for the user device 103. The client certificate is a digital certificate that typically contains a variety of information, such as a serial number, an entity identified by the client certificate, a signature, an entity that issued the client certificate, etc. The client certificate is conventionally used by a client device to make authenticated requests to a remote server in mutual authentication designs, for strong assurances of a requester's identity. In the present case, when the endpoint client application 105 is installed or run on the user device 103, the endpoint client application 105 installs the (signed) client certificate in a "personal certificate store" or "keychain" on the user device 103. In some embodiments, when the endpoint client application 105 is uninstalled or exited on the user device 103, the endpoint client application 105 removes the client certificate. The presence (or absence) of the client certificate, therefore, can be used to infer the presence (or absence) of the endpoint client application 105 on the user device 103, or vice versa, in some embodiments. The configuration needed to request and read the client certificate is different for different web servers. For example, when using Nginx (a type of web server), the web server is configured with an ssl_verify_client setting. The contents of the client certificate are then available to the web server as the variables $ssl_client_cert or $ssl_client_s_dn.
With the identity data, the authentication application 106 requests the compliance check result from the NAC server 101 (or other network storage device). Alternatively, with the identity data, the authentication application 106 requests a simple pass/fail response from the NAC server 101, instead of a detailed compliance check result. In other alternatives, the authentication application 106 may use the identity data in the cookie or client certificate to request the original compliance data from the NAC server 101. Then the authentication application 106, instead of the NAC server 101, may perform the compliance check and produce the compliance check result.
In some embodiments, the compliance check result is optionally encrypted to reduce the likelihood of tampering with the data therein. Without encryption, such tampering could make it possible for the user device 103 to improperly gain access to the SAAS server 102 or for the authentication application 106 to improperly deny the access. In some embodiments in which the NAC server 101 sends the compliance check result to the endpoint client application 105 for insertion in the web browser cookie or client certificate, the NAC server 101 encrypts the compliance check result before sending it to the endpoint client application 105. In other embodiments in which the NAC server 101 sends the compliance check result to the endpoint client application 105 for insertion in the web browser cookie or client certificate, the NAC server 101 sends an encryption key along with the compliance check result, so the endpoint client application 105 can encrypt the compliance check result before inserting it into the cookie or client certificate. (The encryption key may be specific to the SAAS server 102, so each user device 103 may receive the same encryption key for the same SAAS server 102.) In some embodiments in which the NAC server 101 does not send the compliance check result to the endpoint client application 105, the NAC server 101 encrypts the compliance check result before sending it to the authentication application 106. In some embodiments in which the NAC server 101 sends the compliance data (instead of the compliance check result) to the authentication application 106 for performing the compliance check by the authentication application 106, the NAC server 101 may encrypt the compliance data before sending it or provide the authentication application 106 with the encryption key with which to encrypt the compliance data. In each case, the authentication application 106 obtains a decryption key (specific to the SAAS server 102 and paired with the encryption key) from the NAC server 101 in order to decrypt the compliance check result.
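The encrypted cookie described above, as an added example that is not part of the patent text or any product: the endpoint client application seals the compliance check result, the identity data and an expiration time into a cookie value under the per-SAAS-server key, and the authentication application opens it, rejects a modified value, enforces the expiration and only then reads the pass flag. The page speaks of a paired encryption and decryption key; this example assumes a single symmetric AES-256-GCM key shared by the NAC server and the authentication application (DemoKey is a constructed, fixed key for the demonstration), and the payload layout, the cookie encoding and the function names are likewise assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CookiePayload is what the endpoint client application places in the browser cookie (or client
// certificate): the compliance check result, the identity data and an expiration time. Assumed layout.
type CookiePayload struct {
	DeviceID string    `json:"device_id"`
	Pass     bool      `json:"pass"`
	Expires  time.Time `json:"expires"`
}

var ErrTampered = errors.New("cookie failed authentication: possible tampering")
var ErrExpired = errors.New("compliance check result has expired")

// DemoKey is a constructed, fixed 32-byte key standing in for the per-SAAS-server key
// the NAC server distributes; a deployment would generate one with crypto/rand.
func DemoKey() []byte {
	return []byte("example-key-for-saas-server-0001") // 32 bytes selects AES-256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the endpoint client application's step: encrypt the payload with AES-256-GCM.
// The GCM authentication tag is what later lets a modified cookie be rejected.
func Seal(key []byte, p CookiePayload) (string, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per cookie; value = base64url(nonce || ciphertext || tag)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// Open is the authentication application's step: decrypt with the paired key, reject
// anything whose tag does not verify or that does not parse, then enforce the expiration.
func Open(key []byte, cookie string, now time.Time) (CookiePayload, error) {
	var p CookiePayload
	raw, decErr := base64.RawURLEncoding.DecodeString(cookie)
	gcm, err := newGCM(key)
	if err != nil {
		return p, err
	}
	if decErr != nil || len(raw) < gcm.NonceSize() {
		return p, ErrTampered
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return p, ErrTampered
	}
	if err := json.Unmarshal(plain, &p); err != nil {
		return p, ErrTampered // an incorrect format is treated as a tampering indication
	}
	if !now.Before(p.Expires) {
		return p, ErrExpired
	}
	return p, nil
}

// Decide is the grant/deny step: any error from Open denies, otherwise the pass flag decides.
func Decide(key []byte, cookie string, now time.Time) (string, error) {
	p, err := Open(key, cookie, now)
	if err != nil || !p.Pass {
		return "deny", err
	}
	return "grant", nil
}

// FlipByte corrupts the last byte (part of the GCM tag), standing in for a tampered cookie.
func FlipByte(cookie string) string {
	raw, _ := base64.RawURLEncoding.DecodeString(cookie)
	raw[len(raw)-1] ^= 0x01
	return base64.RawURLEncoding.EncodeToString(raw)
}

func main() {
	key, now := DemoKey(), time.Now()
	c, _ := Seal(key, CookiePayload{DeviceID: "dev-0001-example", Pass: true, Expires: now.Add(10 * time.Minute)})
	fmt.Println(Decide(key, c, now))           // grant <nil>
	fmt.Println(Decide(key, FlipByte(c), now)) // deny cookie failed authentication: possible tampering
}
```

The point of using an authenticated mode is that a cookie whose ciphertext or tag has been altered, or one sealed under a different server's key, fails in Open before any of its contents are read; with an unauthenticated cipher the only tamper signal left would be the incorrect-format check. The expiration is checked only after the tag verifies, so a stale but genuine cookie is reported as expired rather than as tampered, which lets the authentication application ask the device for a fresh compliance data update instead of treating it as hostile.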
In other embodiments, however, the authentication application 106 may receive the encrypted compliance check result in the cookie or client certificate from the user device 103, but may send it to the NAC server 101 for decryption and receive back a simple pass/fail response from the NAC server 101. In this embodiment, the unencrypted compliance check results do not leave the NAC server 101, so this embodiment may provide better security than those embodiments that do allow unencrypted compliance check results to leave the NAC server 101.
In some embodiments, the authentication application 106 may determine that the compliance check result cannot be trusted or is insufficient to be the sole basis on which the authentication application 106 grants or denies access to the SAAS server 102 for the user device 103. For example, the compliance check result may provide only summary information or a simple uninformative pass/fail indicia for some components of the compliance data, or some portion of the compliance check result may have an incorrect format (an indication of possible tampering), or there may be some reason for suspecting that at least part of the compliance check result is in error. In this case, the authentication application 106 may request the most recent complete compliance data (or a portion thereof) from the NAC server 101 in order to make its own comparison with the requirements of the security policy. The access grant/deny decision can then be made based on the results of this comparison.
An example process 200 for collecting the compliance data and generating the compliance check result is shown in FIG. 2 in accordance with some embodiments. The process 200 is generally performed by, or performed under the control of, the endpoint client application 105, the NAC server 101, and a web browser 201 on the user device 103. In other embodiments, one or more processes for collecting the compliance data and generating the compliance check result may use other appropriate steps or combinations or orderings of steps.
After the endpoint client application 103 has been installed and launched on the user device 103, the endpoint client application 103 performs a security compliance check to collect (at 202) all of the various components of the compliance data, as described above. At 203, the endpoint client application 103 sends the compliance data, along with the identity data for the user device 103 (and, if necessary, identity data for the SAAS server 102 that the user device 103 will access), through the network 104 to the NAC server 101.
At 204, the NAC server 101 receives the compliance data and the identity data for the user device 103. (Alternatively, the NAC server 101 receives the compliance data and then generates the identity data for the user device 103.) At 205, the NAC server 101 compares the received compliance data with the security policy for the SAAS server 102 and generates the compliance check result with whatever details are specified, e.g., by the vendor for the SAAS server 102 or the vendor's customer. In the illustrated embodiment, the NAC server 101 sends (at 206) the compliance check result and the encryption key for the specified SAAS server 102 through the network 104 to the endpoint client application 105. (Alternatively, the NAC server 101 encrypts the compliance check result and sends the encrypted compliance check result to the endpoint client application 105.)
In the illustrated embodiment, the endpoint client application 105 receives (at 207) the compliance check result (and the encryption key, if the compliance check result is not already encrypted). At 208, the endpoint client application 105 generates a cookie (for each web browser installed in the user device 103 or for a specified web browser) containing the received compliance check result, the identity data for the user device 103, and a time stamp or expiration time. Alternatively, for embodiments using a client certificate, the endpoint client application 105 generates the client certificate (at 208) containing the received compliance check result, the identity data for the user device 103, and a time stamp or expiration time. Also, the endpoint client application 105 encrypts the data in the cookie or client certificate using the received encryption key if the compliance check result is not already encrypted in this embodiment. At 209, the endpoint client application 105 injects the cookie into each web browser (or the specified web browser(s)), where the cookie is stored (at 210) in a local database(s) or a storage location(s) used by the web browser(s). The endpoint client application 105 may use a low level driver to inject and manage the cookie. Alternatively, for embodiments using a client certificate, the endpoint client application 105 stores the client certificate (at 209) in the memory or data storage of the user device 103 (e.g., in the system certificates management for Windows-based user devices, the OSX keychain service for Apple OSX-based user devices, or another appropriate data storage location depending on the operating system of the user device). The user device 103 is then ready to be used to access the SAAS server 102.
An example process 300 for authenticating the user device 103 for access to the SAAS server 102 is shown in FIG. 2 in accordance with some embodiments. The process 300 is generally performed by, or performed under the control of, the NAC server 101, the authentication application 106 on the SAAS server 102, and the web browser 201 on the user device 103. In other embodiments, one or more processes for collecting the compliance data and generating the compliance check result may use other appropriate steps or combinations or orderings of steps.
To begin, the user of the user device 103 attempts to log in to the SAAS server 102 using the web browser 201, so the web browser 201 sends (at 301) through the network 104 a request to access the SAAS server 102. An initial login procedure between the user device 103 and the SAAS server 102 is performed (at 302), e.g., with an exchange of a username and password. If the username and password are correct, then the authentication application 106 requests (at 303) the special cookie or client certificate from the user device 103, or the web browser 201, which sends (at 304) the cookie or client certificate (e.g., from the local database, the system certificates management, the keychain service, or other appropriate data storage location) to the authentication application 106.
In this embodiment, if the authentication application 106 has not already obtained the decryption key from the NAC server 101, then the authentication application 106 sends (at 305) to the NAC server 101 a request for the decryption key. The NAC server 101, which maintains the encryption/decryption key pairs in a database, sends (at 306) the decryption key to the authentication application 106.
In this embodiment, the authentication application 106 decrypts (at 307) the cookie or client certificate contents to obtain the compliance check result and the identity data for the user device 103. The authentication application 106 may also check the time stamp or expiration time and deny access if the cookie or client certificate has expired. At 308, the authentication application 106 determines whether the compliance check result can be trusted, as described above.
If there is no reason to suspect that the compliance check result is in error or has been tampered with, as determined at 308, then the authentication application 106 determines (at 309) whether to grant or deny access to the SAAS server 102 for the user device 103 based on the contents of the compliance check result. If access is granted, then the user of the user device 103 may begin accessing the data and/or services of the SAAS server 102 through the web browser 201. If access is denied, on the other hand, then any appropriate response may be made, e.g., sending an error message to the web browser 201, alerting an administrator of a failed access attempt, logging the failed access attempt, flagging the user device 103 as having a history of being rejected, etc.
If there is reason to suspect that the compliance check result is in error or has been tampered with, as determined at 308, then the authentication application 106 may send (at 310) the identity data for the user device 103 to the NAC server 101 and request the original, most recent compliance data (or a portion thereof) maintained for the user device 103. When the NAC server 101 receives the request and the identity data, it sends (at 311) the requested compliance data (or portion thereof) to the authentication application 106. Then the authentication application 106 determines (at 312) whether to grant or deny access to the SAAS server 102 for the user device 103 based on the contents of the compliance data (and optionally on any trusted portions of the compliance check result). If access is granted, then the user of the user device 103 may begin accessing the data and/or services of the SAAS server 102 through the web browser 201. If access is denied, on the other hand, then any appropriate response may be made, e.g., sending an error message to the web browser 201, alerting an administrator of a failed access attempt, logging the failed access attempt, flagging the user device 103 as having a history of being rejected, etc.
An alternative example network
computerized system 400 incorporating an embodiment of the present invention is shown inFIG. 4 . The networkcomputerized system 400 generally includes one or more of theNAC server 101, one or more of theSAAS server 102, one or more of theuser device 103, and one or more of an authentication and SSO (Single Sign On)server 401. TheNAC server 101, theSAAS server 102, theuser device 103, and the authentication andSSO server 401 generally communicate with each other via thenetwork 104. TheNAC server 101, theSAAS server 102, theuser device 103, and thenetwork 104 may be similar to the above description, but with any following distinguishing features. For example, the authentication andSSO server 401 performs some of the previously described functions of theauthentication application 106. In other words, theauthentication application 106 is between theSAAS server 102 and theuser device 103 and intercepts any attempt to login transparent to theuser device 103. - In this embodiment, the authentication and
SSO server 401 generally performs the functions of retrieving the cookie or client certificate and making the access grant/deny decision, as described above for theauthentication application 106. If access is granted for theuser device 103, then the authentication andSSO server 401 authenticates a secure session ID to the web browser (on the user device 103) for the web browser and theSAAS server 102 to interact. TheSAAS server 102, on the other hand, primarily performs only the function of hosting the sensitive data and services. Theauthentication application 106 is generally reduced to accepting the secure session for theSAAS server 102, i.e., simply granting access by theuser device 103 based on the secure session ID. The web browser then uses the authenticated session to access data and/or services on theSAAS server 102. - In this embodiment, the authentication and
SSO server 401 also obtains the decryption key (if used) from theNAC server 101. Thus, the authentication andSSO server 401 further decrypts the contents of the cookie or client certificate received from theuser device 103 and/or any encrypted data (e.g., compliance check result or compliance data) received from theNAC server 101. - A benefit of this alternative solution is that little or no changes are required for the
SAAS server 102 from a conventional SAAS server. Therefore, almost any customer (of theNAC server 101 and/or of the SAAS server 102) could build a variation of the authentication andSSO server 401 and integrate it into the rest of the networkcomputerized system 400 to isolate the authentication functions from the SAAS functions. - A simplified schematic diagram showing an example structure for the
NAC server 101 is shown inFIG. 5 in accordance with an embodiment of the present invention. Other embodiments may use other components and combinations of components. For example, theNAC server 101 may represent one or more physical computer devices, such as web servers, network storage devices, etc. In some embodiments implemented at least partially in a cloud network potentially with data synchronized across multiple geolocations, theNAC server 101 may be referred to as a cloud server. - In the illustrated embodiment, the
NAC server 101 generally includes at least oneprocessor 500, amain memory 501, adata storage 502, a user I/O 503, and a network I/O 504, among other components not shown for simplicity, connected or coupled together by adata communication subsystem 505. Thedata storage 502 generally maintains thecompliance security policy 506, thecompliance data 507, the encryption/decryption keys 508, acompliance check application 509, and the compliance check results 510. - The
processor 500 represents one or more central processing units on one or more PCBs in one or more housings or enclosures. Themain memory 501 represents one or more RAM modules on one or more PCBs in one or more housings or enclosures. Thedata storage 502 represents any appropriate number or combination of internal or external physical mass storage devices, such as hard drives, optical drives, network-attached storage (NAS) devices, flash drives, etc. The user I/O 503 represents one or more appropriate user interface devices, such as keyboards, pointing devices, displays, etc. The network I/O 504 represents any appropriate networking devices, such as network adapters, etc. for communicating through thenetwork 104. Thedata communication subsystem 505 represents any appropriate communication hardware for connecting the other components in a single unit or in a distributed manner on one or more PCBs, within one or more housings or enclosures, within one or more rack assemblies, etc. - Under control of the
compliance check application 509, theprocessor 500 interacts with theendpoint client application 105 through the network I/O 504, as described above, to generate the compliance check results 510 based on thecompliance security policy 506 and thecompliance data 507. Theprocessor 500 then causes the compliance check results 510 to be sent through the network I/O 504 along with the encryption key (508) to theendpoint client application 105. When theSAAS server 102 requests any data (e.g., the decryption key (508), thecompliance check result 510 or the compliance data 507) from theNAC server 101, as described above, theprocessor 500 causes the data to be sent to theSAAS server 102 through the network I/O 504. - A simplified schematic diagram showing an example structure for the
SAAS server 102 is shown inFIG. 6 in accordance with an embodiment of the present invention. Other embodiments may use other components and combinations of components. For example, theSAAS server 102 may represent one or more physical computer devices, such as web servers, network storage devices, cloud-based devices, etc. - In the illustrated embodiment, the
SAAS server 102 generally includes at least oneprocessor 600, amain memory 601, adata storage 602, a user I/O 603, and a network I/O 604, among other components not shown for simplicity, connected or coupled together by adata communication subsystem 605. Thedata storage 602 generally maintains thedecryption key 606, SAAS applications anddata 607, and theauthentication application 106. The SAAS applications anddata 607 generally represent the services and data used by theuser devices 103 after being granted access to theSAAS server 102. - The
processor 600 represents one or more central processing units on one or more PCBs in one or more housings or enclosures. Themain memory 601 represents one or more RAM modules on one or more PCBs in one or more housings or enclosures. Thedata storage 602 represents any appropriate number or combination of internal or external physical mass storage devices, such as hard drives, optical drives, network-attached storage (NAS) devices, flash drives, etc. The user I/O 603 represents one or more appropriate user interface devices, such as keyboards, pointing devices, displays, etc. The network I/O 604 represents any appropriate networking devices, such as network adapters, etc. for communicating through thenetwork 104. Thedata communication subsystem 605 represents any appropriate communication hardware for connecting the other components in a single unit or in a distributed manner on one or more PCBs, within one or more housings or enclosures, within one or more rack assemblies, etc. - Under control of the
authentication application 106, theprocessor 600 interacts with web browser of theuser device 103 and theNAC server 101 through the network I/O 604, as described above, to determine whether to grant or deny access to theSAAS server 102 for theuser device 103. If theuser device 103 is granted access, then under control of the SAAS applications anddata 607, the processor further interacts with the web browser of theuser device 103 through the network I/O 604 to provide the services and data that the user of theuser device 103 wants to access. - A simplified schematic diagram showing an example structure for the
user device 103 is shown inFIG. 7 in accordance with an embodiment of the present invention. Other embodiments may use other components and combinations of components. Theuser device 103 may be a desktop computer, a workstation, a notebook computer, a tablet computer, a hand held computer, a cell phone, a smart phone, a game console or any other appropriate computerized device that a person/user may use to access theSAAS server 102 through thenetwork 104. - In the illustrated embodiment, the
user device 103 generally includes at least oneprocessor 700, amain memory 701, adata storage 702, a user I/O 703, and a network I/O 704, among other components not shown for simplicity, connected or coupled together by adata communication subsystem 705. Thedata storage 702 generally maintains theendpoint client application 105, thecompliance data 706, anencryption application 707, the web browser(s) 708, the cookie local database(s) 709 or the client certificate 713 (e.g., in the system certificates management, the keychain service, or other appropriate data storage location), security andantivirus applications 710, theencryption key 711, andother applications 712. - The
processor 700 represents one or more central processing units on one or more PCBs in one or more housings or enclosures. Themain memory 701 represents one or more RAM modules on one or more PCBs in one or more housings or enclosures. Thedata storage 702 represents any appropriate number or combination of internal or external physical mass storage devices, such as hard drives, optical drives, network-attached storage (NAS) devices, flash drives, etc. The user I/O 703 represents one or more appropriate user interface devices, such as keyboards, pointing devices, displays, etc. The network I/O 704 represents any appropriate networking devices, such as network adapters, etc. for communicating through thenetwork 104. Thedata communication subsystem 705 represents any appropriate communication hardware for connecting the other components in a single unit or in a distributed manner on one or more PCBs, within one or more housings or enclosures, within one or more rack assemblies, etc. - Under control of the
endpoint client application 105, theprocessor 700 interacts with theencryption application 707, the security andantivirus applications 710, and theother applications 712 to collect thecompliance data 706. Then theprocessor 700 interacts with theNAC server 101 through the network I/O 704, as described above, to generate the compliance check results based on the compliance security policy and thecompliance data 706 and to create the cookie or client certificate (encrypted with the encryption key 711) and inject it into the cookie or client certificate local database(s) 709. Then under control of theweb browser 708, theprocessor 700 interacts with theauthentication application 106 to attempt to gain access to theSAAS server 102 through the network I/O 704 and thenetwork 104. If theuser device 103 is granted access, then under control of theweb browser 708, theprocessor 700 interacts with the SAAS applications anddata 607 of theSAAS server 102 through the network I/O 704 and thenetwork 104 to use the services and data that the user wants. - Although embodiments of the invention have been discussed primarily with respect to specific embodiments thereof, other variations are possible. Various configurations of the described structures or processes may be used in place of, or in addition to, the configurations presented herein.
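The cookie or client certificate flow described above, in working form: the endpoint client seals the compliance check result and an expiration time under the key issued by the NAC server (steps 207 to 210 of process 200), and the SAAS-side authentication application decrypts it, checks expiry, decides whether the result can be trusted, and either grants on the sealed result or falls back to the NAC server's own compliance data (steps 303 to 312 of process 300). This is an added example written for this page, not code from the patent or from any product it describes. It assumes AES-256-GCM as the encryption, one symmetric key shared between the NAC server and the SAAS server, JSON for the sealed contents, a `PASS` result value, and an in-memory stand-in for the NAC server's compliance data lookup. One deliberate deviation from the text: the device identity is carried in the clear as authenticated associated data rather than inside the ciphertext, so that a cookie whose tag check fails can still be attributed to a device for the step 310 query.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Payload is sealed into the cookie or client certificate at step 208; the field names and the
// "PASS" result value are assumptions made for this example.
type Payload struct {
	Result    string `json:"result"` // compliance check result issued by NAC server 101
	ExpiresAt int64  `json:"exp"`    // expiration time, Unix seconds
}

// Envelope is the stored cookie value. The device identity travels in the clear but is bound to the
// ciphertext as AES-GCM associated data, so a change fails the tag check (step 308) while the SAAS
// side can still name the device when it queries the NAC server (step 310).
type Envelope struct {
	DeviceID   string
	Nonce      []byte
	Ciphertext []byte
}

type Decision struct{ Grant bool; Reason string } // outcome of step 309 or step 312
// NACLookup stands in for steps 310/311: the NAC server's most recent compliance data for a device.
type NACLookup func(deviceID string) (result string, ok bool)
var ErrTampered = errors.New("cookie failed authentication: tampered or wrong key")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key from the NAC server's key pairs (508)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds and encrypts the cookie contents (steps 207/208 on the endpoint client).
func Seal(key []byte, deviceID string, p Payload) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per cookie; a nonce must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	plain, _ := json.Marshal(p) // Payload holds only a string and an int64, so Marshal cannot fail
	return Envelope{deviceID, nonce, gcm.Seal(nil, nonce, plain, []byte(deviceID))}, nil
}

// Open decrypts and authenticates the cookie (step 307); any tag failure is reported as ErrTampered.
func Open(key []byte, env Envelope) (Payload, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Payload{}, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DeviceID))
	if err != nil {
		return Payload{}, ErrTampered
	}
	var p Payload
	return p, json.Unmarshal(plain, &p)
}

// Authorize is the SAAS-side decision, steps 307 through 312.
func Authorize(key []byte, env Envelope, now time.Time, nac NACLookup) Decision {
	p, err := Open(key, env)
	switch {
	case err == nil && !now.Before(time.Unix(p.ExpiresAt, 0)):
		return Decision{false, "cookie expired"}
	case err == nil && p.Result != "PASS":
		return Decision{false, "compliance check result: " + p.Result}
	case err == nil:
		return Decision{true, "compliance check result trusted"}
	case errors.Is(err, ErrTampered):
		// Step 310: the sealed result cannot be trusted, so decide on the NAC server's own data.
		result, ok := nac(env.DeviceID)
		if !ok {
			return Decision{false, "cookie tampered; device unknown to NAC server"}
		}
		return Decision{result == "PASS", "cookie tampered; NAC server compliance data: " + result}
	default:
		return Decision{false, "cookie unreadable: " + err.Error()}
	}
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key; NAC server 101 issues the real one
	now := time.Now()
	env, _ := Seal(key, "device-0001", Payload{"PASS", now.Add(time.Hour).Unix()})
	nac := func(id string) (string, bool) { return "FAIL", id == "device-0001" } // constructed NAC data
	fmt.Println(Authorize(key, env, now, nac)) // granted on the sealed result
	env.DeviceID = "device-0002"               // relabelled identity: tag fails and the device is unknown
	fmt.Println(Authorize(key, env, now, nac))
}
```

Serialising the envelope into an actual cookie value or certificate extension (for example base64url JSON) is left to the caller. Because the encryption is authenticated, the "can the result be trusted" question at step 308 collapses to the GCM tag check: a wrong decryption key, a modified ciphertext and a relabelled device identity all fail identically and all take the step 310 path, where only the NAC server's own data decides. A cookie whose expiration time equals the current time is treated as expired.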
- Those skilled in the art will appreciate that the foregoing description is by way of example only, and is not intended to limit the invention. Nothing in the disclosure should indicate that the invention is limited to systems that are implemented on a single computerized system. In general, any diagrams presented are only intended to indicate one possible configuration, and many variations are possible. Those skilled in the art will also appreciate that methods and systems consistent with the present invention are suitable for use in a wide range of applications encompassing NAC systems.
- While the specification has been described in detail with respect to specific embodiments of the invention, it will be appreciated that those skilled in the art, upon attaining an understanding of the foregoing, may readily conceive of alterations to, variations of, and equivalents to these embodiments. These and other modifications and variations to the present invention may be practiced by those skilled in the art, without departing from the spirit and scope of the present invention, which is more particularly set forth in the appended claims.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/059,467 US20180352003A1 (en) | 2014-12-16 | 2018-08-09 | Network Access Control with Compliance Policy Check |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/572,699 US9288199B1 (en) | 2014-12-16 | 2014-12-16 | Network access control with compliance policy check |
US15/069,459 US10063594B2 (en) | 2014-12-16 | 2016-03-14 | Network access control with compliance policy check |
US16/059,467 US20180352003A1 (en) | 2014-12-16 | 2018-08-09 | Network Access Control with Compliance Policy Check |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/069,459 Continuation US10063594B2 (en) | 2014-12-16 | 2016-03-14 | Network access control with compliance policy check |
Publications (1)
Publication Number | Publication Date |
---|---|
US20180352003A1 true US20180352003A1 (en) | 2018-12-06 |
Family
ID=56287150
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/069,459 Active 2035-07-25 US10063594B2 (en) | 2014-12-16 | 2016-03-14 | Network access control with compliance policy check |
US16/059,467 Abandoned US20180352003A1 (en) | 2014-12-16 | 2018-08-09 | Network Access Control with Compliance Policy Check |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/069,459 Active 2035-07-25 US10063594B2 (en) | 2014-12-16 | 2016-03-14 | Network access control with compliance policy check |
Country Status (1)
Country | Link |
---|---|
US (2) | US10063594B2 (en) |
Cited By (146)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10496803B2 (en) | 2016-06-10 | 2019-12-03 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US10496846B1 (en) | 2016-06-10 | 2019-12-03 | OneTrust, LLC | Data processing and communications systems and methods for the efficient implementation of privacy by design |
US10503926B2 (en) | 2016-06-10 | 2019-12-10 | OneTrust, LLC | Consent receipt management systems and related methods |
US10509920B2 (en) | 2016-06-10 | 2019-12-17 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US10509894B2 (en) | 2016-06-10 | 2019-12-17 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US20190384899A1 (en) * | 2016-06-10 | 2019-12-19 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US10558821B2 (en) | 2016-06-10 | 2020-02-11 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10564935B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for integration of consumer feedback with data subject access requests and related methods |
US10565161B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US10567439B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10565397B1 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10565236B1 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10564936B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for identity validation of data subject access requests and related methods |
US10574705B2 (en) | 2016-06-10 | 2020-02-25 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US10572686B2 (en) | 2016-06-10 | 2020-02-25 | OneTrust, LLC | Consent receipt management systems and related methods |
US10586075B2 (en) | 2016-06-10 | 2020-03-10 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US10585968B2 (en) | 2016-06-10 | 2020-03-10 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10586072B2 (en) | 2016-06-10 | 2020-03-10 | OneTrust, LLC | Data processing systems for measuring privacy maturity within an organization |
US10594740B2 (en) | 2016-06-10 | 2020-03-17 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10592648B2 (en) | 2016-06-10 | 2020-03-17 | OneTrust, LLC | Consent receipt management systems and related methods |
US10592692B2 (en) | 2016-06-10 | 2020-03-17 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US10599870B2 (en) | 2016-06-10 | 2020-03-24 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US10606916B2 (en) | 2016-06-10 | 2020-03-31 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US10607028B2 (en) | 2016-06-10 | 2020-03-31 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US10614246B2 (en) | 2016-06-10 | 2020-04-07 | OneTrust, LLC | Data processing systems and methods for auditing data request compliance |
US10614247B2 (en) | 2016-06-10 | 2020-04-07 | OneTrust, LLC | Data processing systems for automated classification of personal information from documents and related methods |
US10642870B2 (en) | 2016-06-10 | 2020-05-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US10678945B2 (en) | 2016-06-10 | 2020-06-09 | OneTrust, LLC | Consent receipt management systems and related methods |
US10685140B2 (en) | 2016-06-10 | 2020-06-16 | OneTrust, LLC | Consent receipt management systems and related methods |
US10692033B2 (en) | 2016-06-10 | 2020-06-23 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US10706447B2 (en) | 2016-04-01 | 2020-07-07 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments |
US10706174B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems for prioritizing data subject access requests for fulfillment and related methods |
US10706176B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data-processing consent refresh, re-prompt, and recapture systems and related methods |
US10706379B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems for automatic preparation for remediation and related methods |
US10706131B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US10708305B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Automated data processing systems and methods for automatically processing requests for privacy-related information |
US10713387B2 (en) | 2016-06-10 | 2020-07-14 | OneTrust, LLC | Consent conversion optimization systems and related methods |
US10726158B2 (en) | 2016-06-10 | 2020-07-28 | OneTrust, LLC | Consent receipt management and automated process blocking systems and related methods |
US10740487B2 (en) | 2016-06-10 | 2020-08-11 | OneTrust, LLC | Data processing systems and methods for populating and maintaining a centralized database of personal data |
US10762236B2 (en) | 2016-06-10 | 2020-09-01 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US10769301B2 (en) | 2016-06-10 | 2020-09-08 | OneTrust, LLC | Data processing systems for webform crawling to map processing activities and related methods |
US10776518B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Consent receipt management systems and related methods |
US10776517B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Data processing systems for calculating and communicating cost of fulfilling data subject access requests and related methods |
US10776514B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Data processing systems for the identification and deletion of personal data in computer systems |
US10783256B2 (en) | 2016-06-10 | 2020-09-22 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US10798133B2 (en) | 2016-06-10 | 2020-10-06 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10796260B2 (en) | 2016-06-10 | 2020-10-06 | OneTrust, LLC | Privacy management systems and methods |
US10803200B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US10803198B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems for use in automatically generating, populating, and submitting data subject access requests |
US10803202B2 (en) | 2018-09-07 | 2020-10-13 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US10839102B2 (en) | 2016-06-10 | 2020-11-17 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US10848523B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10846433B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing consent management systems and related methods |
US10873606B2 (en) | 2016-06-10 | 2020-12-22 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10878127B2 (en) | 2016-06-10 | 2020-12-29 | OneTrust, LLC | Data subject access request processing systems and related methods |
US10885485B2 (en) | 2016-06-10 | 2021-01-05 | OneTrust, LLC | Privacy management systems and methods |
US10896394B2 (en) | 2016-06-10 | 2021-01-19 | OneTrust, LLC | Privacy management systems and methods |
US10909488B2 (en) | 2016-06-10 | 2021-02-02 | OneTrust, LLC | Data processing systems for assessing readiness for responding to privacy-related incidents |
US10909265B2 (en) | 2016-06-10 | 2021-02-02 | OneTrust, LLC | Application privacy scanning systems and related methods |
US10944725B2 (en) | 2016-06-10 | 2021-03-09 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US10949170B2 (en) * | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for integration of consumer feedback with data subject access requests and related methods |
US10949565B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10970675B2 (en) | 2016-06-10 | 2021-04-06 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10997318B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Data processing systems for generating and populating a data inventory for processing data access requests |
US10997315B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11004125B2 (en) | 2016-04-01 | 2021-05-11 | OneTrust, LLC | Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design |
US11025675B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US11023842B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11038925B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11050790B2 (en) | 2016-08-24 | 2021-06-29 | Alertsec, Inc. | Independent encryption compliance verification system |
US11057356B2 (en) | 2016-06-10 | 2021-07-06 | OneTrust, LLC | Automated data processing systems and methods for automatically processing data subject access requests using a chatbot |
US11074367B2 (en) | 2016-06-10 | 2021-07-27 | OneTrust, LLC | Data processing systems for identity validation for consumer rights requests and related methods |
US11087260B2 (en) | 2016-06-10 | 2021-08-10 | OneTrust, LLC | Data processing systems and methods for customizing privacy training |
US11100444B2 (en) | 2016-06-10 | 2021-08-24 | OneTrust, LLC | Data processing systems and methods for providing training in a vendor procurement process |
US11134086B2 (en) | 2016-06-10 | 2021-09-28 | OneTrust, LLC | Consent conversion optimization systems and related methods |
US11138242B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11138299B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11144675B2 (en) | 2018-09-07 | 2021-10-12 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US11146566B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11144622B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Privacy management systems and methods |
US11151233B2 (en) | 2016-06-10 | 2021-10-19 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11157600B2 (en) | 2016-06-10 | 2021-10-26 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11188862B2 (en) | 2016-06-10 | 2021-11-30 | OneTrust, LLC | Privacy management systems and methods |
US11188615B2 (en) | 2016-06-10 | 2021-11-30 | OneTrust, LLC | Data processing consent capture systems and related methods |
US11200341B2 (en) | 2016-06-10 | 2021-12-14 | OneTrust, LLC | Consent receipt management systems and related methods |
US11210420B2 (en) | 2016-06-10 | 2021-12-28 | OneTrust, LLC | Data subject access request processing systems and related methods |
US11222142B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems for validating authorization for personal data collection, storage, and processing |
US11222139B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems and methods for automatic discovery and assessment of mobile software development kits |
US11222309B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11227247B2 (en) | 2016-06-10 | 2022-01-18 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11228620B2 (en) | 2016-06-10 | 2022-01-18 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11238390B2 (en) | 2016-06-10 | 2022-02-01 | OneTrust, LLC | Privacy management systems and methods |
US11244367B2 (en) | 2016-04-01 | 2022-02-08 | OneTrust, LLC | Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design |
US11277448B2 (en) | 2016-06-10 | 2022-03-15 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11295316B2 (en) | 2016-06-10 | 2022-04-05 | OneTrust, LLC | Data processing systems for identity validation for consumer rights requests and related methods |
US11294939B2 (en) | 2016-06-10 | 2022-04-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11301796B2 (en) | 2016-06-10 | 2022-04-12 | OneTrust, LLC | Data processing systems and methods for customizing privacy training |
US11328092B2 (en) | 2016-06-10 | 2022-05-10 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US11336697B2 (en) | 2016-06-10 | 2022-05-17 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11341447B2 (en) | 2016-06-10 | 2022-05-24 | OneTrust, LLC | Privacy management systems and methods |
US11343284B2 (en) | 2016-06-10 | 2022-05-24 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US11354434B2 (en) | 2016-06-10 | 2022-06-07 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11354435B2 (en) | 2016-06-10 | 2022-06-07 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US11366909B2 (en) | 2016-06-10 | 2022-06-21 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11366786B2 (en) | 2016-06-10 | 2022-06-21 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US11373007B2 (en) | 2017-06-16 | 2022-06-28 | OneTrust, LLC | Data processing systems for identifying whether cookies contain personally identifying information |
US11392720B2 (en) | 2016-06-10 | 2022-07-19 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11397819B2 (en) | 2020-11-06 | 2022-07-26 | OneTrust, LLC | Systems and methods for identifying data processing activities based on data discovery results |
US11403377B2 (en) | 2016-06-10 | 2022-08-02 | OneTrust, LLC | Privacy management systems and methods |
US11418492B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US11416589B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11416590B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11416109B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Automated data processing systems and methods for automatically processing data subject access requests using a chatbot |
US11416798B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing systems and methods for providing training in a vendor procurement process |
US11436373B2 (en) | 2020-09-15 | 2022-09-06 | OneTrust, LLC | Data processing systems and methods for detecting tools for the automatic blocking of consent requests |
US11438386B2 (en) | 2016-06-10 | 2022-09-06 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11442906B2 (en) | 2021-02-04 | 2022-09-13 | OneTrust, LLC | Managing custom attributes for domain objects defined within microservices |
US11444976B2 (en) | 2020-07-28 | 2022-09-13 | OneTrust, LLC | Systems and methods for automatically blocking the use of tracking tools |
US11461500B2 (en) | 2016-06-10 | 2022-10-04 | OneTrust, LLC | Data processing systems for cookie compliance testing with website scanning and related methods |
US11475136B2 (en) | 2016-06-10 | 2022-10-18 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US11475165B2 (en) | 2020-08-06 | 2022-10-18 | OneTrust, LLC | Data processing systems and methods for automatically redacting unstructured data from a data subject access request |
US11481710B2 (en) | 2016-06-10 | 2022-10-25 | OneTrust, LLC | Privacy management systems and methods |
US11494515B2 (en) | 2021-02-08 | 2022-11-08 | OneTrust, LLC | Data processing systems and methods for anonymizing data samples in classification analysis |
US11520928B2 (en) | 2016-06-10 | 2022-12-06 | OneTrust, LLC | Data processing systems for generating personal data receipts and related methods |
US11526624B2 (en) | 2020-09-21 | 2022-12-13 | OneTrust, LLC | Data processing systems and methods for automatically detecting target data transfers and target data processing |
US11533315B2 (en) | 2021-03-08 | 2022-12-20 | OneTrust, LLC | Data transfer discovery and analysis systems and related methods |
US11546661B2 (en) | 2021-02-18 | 2023-01-03 | OneTrust, LLC | Selective redaction of media content |
US11544409B2 (en) | 2018-09-07 | 2023-01-03 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US11544667B2 (en) | 2016-06-10 | 2023-01-03 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11556635B2 (en) * | 2020-04-28 | 2023-01-17 | Bank Of America Corporation | System for evaluation and weighting of resource usage activity |
US11562097B2 (en) | 2016-06-10 | 2023-01-24 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US11562078B2 (en) | 2021-04-16 | 2023-01-24 | OneTrust, LLC | Assessing and managing computational risk involved with integrating third party computing functionality within a computing system |
US11586700B2 (en) | 2016-06-10 | 2023-02-21 | OneTrust, LLC | Data processing systems and methods for automatically blocking the use of tracking tools |
US11601464B2 (en) | 2021-02-10 | 2023-03-07 | OneTrust, LLC | Systems and methods for mitigating risks of third-party computing system functionality integration into a first-party computing system |
US11620142B1 (en) | 2022-06-03 | 2023-04-04 | OneTrust, LLC | Generating and customizing user interfaces for demonstrating functions of interactive user environments |
US11625502B2 (en) | 2016-06-10 | 2023-04-11 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US11636171B2 (en) | 2016-06-10 | 2023-04-25 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US11651106B2 (en) | 2016-06-10 | 2023-05-16 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11651402B2 (en) | 2016-04-01 | 2023-05-16 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of risk assessments |
US11651104B2 (en) | 2016-06-10 | 2023-05-16 | OneTrust, LLC | Consent receipt management systems and related methods |
US11675929B2 (en) | 2016-06-10 | 2023-06-13 | OneTrust, LLC | Data processing consent sharing systems and related methods |
US11687528B2 (en) | 2021-01-25 | 2023-06-27 | OneTrust, LLC | Systems and methods for discovery, classification, and indexing of data in a native computing system |
US11727141B2 (en) | 2016-06-10 | 2023-08-15 | OneTrust, LLC | Data processing systems and methods for synching privacy-related user consent across multiple computing devices |
US11775348B2 (en) | 2021-02-17 | 2023-10-03 | OneTrust, LLC | Managing custom workflows for domain objects defined within microservices |
US11797528B2 (en) | 2020-07-08 | 2023-10-24 | OneTrust, LLC | Systems and methods for targeted data discovery |
US11907376B2 (en) | 2021-04-13 | 2024-02-20 | Saudi Arabian Oil Company | Compliance verification testing using negative validation |
Families Citing this family (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10491685B2 (en) * | 2015-03-31 | 2019-11-26 | Microsoft Technology Licensing, Llc | Session transfer between resources |
US10880172B2 (en) * | 2015-11-12 | 2020-12-29 | International Business Machines Corporation | Optimization of cloud compliance services based on compliance actions |
US11184766B1 (en) * | 2016-09-07 | 2021-11-23 | Locurity Inc. | Systems and methods for continuous authentication, identity assurance and access control |
US9794297B1 (en) | 2016-10-03 | 2017-10-17 | International Business Machines Corporation | Security compliance framework usage |
US10652278B2 (en) | 2016-12-19 | 2020-05-12 | Forescout Technologies, Inc. | Compliance monitoring |
US11120151B1 (en) | 2017-08-02 | 2021-09-14 | Seagate Technology Llc | Systems and methods for unlocking self-encrypting data storage devices |
US10855451B1 (en) * | 2017-08-02 | 2020-12-01 | Seagate Technology Llc | Removable circuit for unlocking self-encrypting data storage devices |
US10897466B2 (en) * | 2018-03-30 | 2021-01-19 | Microsoft Technology Licensing, Llc | System and method for externally-delegated access control and authorization |
EP3585027B1 (en) * | 2018-06-20 | 2021-11-03 | Siemens Aktiengesellschaft | Method for connecting a terminal to a crosslinkable computer infrastructure |
US20200028879A1 (en) * | 2018-07-17 | 2020-01-23 | Microsoft Technology Licensing, Llc | Queryless device configuration determination-based techniques for mobile device management |
US11184223B2 (en) | 2018-07-31 | 2021-11-23 | Microsoft Technology Licensing, Llc | Implementation of compliance settings by a mobile device for compliance with a configuration scenario |
JP7199949B2 (en) * | 2018-12-12 | 2023-01-06 | キヤノン株式会社 | Information processing device, system, control method for information processing device, control method for system, and program |
US10965547B1 (en) * | 2018-12-26 | 2021-03-30 | BetterCloud, Inc. | Methods and systems to manage data objects in a cloud computing environment |
US11122086B2 (en) * | 2019-05-30 | 2021-09-14 | International Business Machines Corporation | Cookie compliance management |
CN110417776B (en) * | 2019-07-29 | 2022-03-25 | 大唐高鸿信安(浙江)信息科技有限公司 | Identity authentication method and device |
US11533320B2 (en) | 2020-03-04 | 2022-12-20 | Pulse Secure, Llc | Optimize compliance evaluation of endpoints |
US11936664B2 (en) * | 2020-03-14 | 2024-03-19 | Microsoft Technology Licensing, Llc | Identity attack detection and blocking |
WO2021232347A1 (en) * | 2020-05-21 | 2021-11-25 | Citrix Systems, Inc. | Cross device single sign-on |
US11971995B2 (en) | 2020-07-15 | 2024-04-30 | Kyndryl, Inc. | Remediation of regulatory non-compliance |
US11526633B2 (en) | 2020-08-27 | 2022-12-13 | Kyndryl, Inc. | Media exfiltration prevention system |
US11489721B2 (en) * | 2020-09-22 | 2022-11-01 | Vmware, Inc. | Dynamic compliance management |
US11711396B1 (en) | 2021-06-24 | 2023-07-25 | Airgap Networks Inc. | Extended enterprise browser blocking spread of ransomware from alternate browsers in a system providing agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
US11757934B1 (en) | 2021-06-24 | 2023-09-12 | Airgap Networks Inc. | Extended browser monitoring inbound connection requests for agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
US11722519B1 (en) | 2021-06-24 | 2023-08-08 | Airgap Networks Inc. | System and method for dynamically avoiding double encryption of already encrypted traffic over point-to-point virtual private networks for lateral movement protection from ransomware |
US11916957B1 (en) | 2021-06-24 | 2024-02-27 | Airgap Networks Inc. | System and method for utilizing DHCP relay to police DHCP address assignment in ransomware protected network |
US11757933B1 (en) * | 2021-06-24 | 2023-09-12 | Airgap Networks Inc. | System and method for agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
US11736520B1 (en) * | 2021-06-24 | 2023-08-22 | Airgap Networks Inc. | Rapid incidence agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
US11695799B1 (en) | 2021-06-24 | 2023-07-04 | Airgap Networks Inc. | System and method for secure user access and agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links |
Citations (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040167984A1 (en) * | 2001-07-06 | 2004-08-26 | Zone Labs, Inc. | System Providing Methodology for Access Control with Cooperative Enforcement |
US20050278775A1 (en) * | 2004-06-09 | 2005-12-15 | Ross Alan D | Multifactor device authentication |
US20070055752A1 (en) * | 2005-09-08 | 2007-03-08 | Fiberlink | Dynamic network connection based on compliance |
US20080047016A1 (en) * | 2006-08-16 | 2008-02-21 | Cybrinth, Llc | CCLIF: A quantified methodology system to assess risk of IT architectures and cyber operations |
US20080298588A1 (en) * | 2007-06-04 | 2008-12-04 | Shakkarwar Rajesh G | Methods and systems for the authentication of a user |
US20110219103A1 (en) * | 2010-03-02 | 2011-09-08 | Bank Of America Corporation | Quarantine tool |
US20130047263A1 (en) * | 2011-08-15 | 2013-02-21 | Bank Of America Corporation | Method and Apparatus for Emergency Session Validation |
US20130091544A1 (en) * | 2011-10-07 | 2013-04-11 | Duo Security, Inc. | System and method for enforcing a policy for an authenticator device |
US20130152169A1 (en) * | 2011-12-09 | 2013-06-13 | Erich Stuntebeck | Controlling access to resources on a network |
US20130339736A1 (en) * | 2012-06-19 | 2013-12-19 | Alex Nayshtut | Periodic platform based web session re-validation |
US20140053238A1 (en) * | 2013-10-29 | 2014-02-20 | Sky Socket, Llc | Attempted Security Breach Remediation |
US20140053226A1 (en) * | 2012-08-14 | 2014-02-20 | Ca, Inc. | Self-adaptive and proactive virtual machine images adjustment to environmental security risks in a cloud environment |
US20140109194A1 (en) * | 2013-12-05 | 2014-04-17 | Sky Socket, Llc | Authentication Delegation |
US20140123292A1 (en) * | 2012-10-30 | 2014-05-01 | Samsung Sds Co., Ltd. | Transit control for data |
US20140173705A1 (en) * | 2012-12-19 | 2014-06-19 | Jive Software, Inc. | Distributed authentication using persistent stateless credentials |
US20140258711A1 (en) * | 2014-05-20 | 2014-09-11 | Airwatch Llc | Application Specific Certificate Management |
US20150304358A1 (en) * | 2013-05-16 | 2015-10-22 | Airwatch Llc | Rights Management Services Integration with Mobile Device Management |
US20160044511A1 (en) * | 2014-08-07 | 2016-02-11 | Mobile Iron, Inc. | Device identification in service authorization |
US20160197958A1 (en) * | 2014-06-25 | 2016-07-07 | Airwatch Llc | Issuing security commands to a client device |
US9646309B2 (en) * | 2014-04-04 | 2017-05-09 | Mobilespaces | Method for authentication and assuring compliance of devices accessing external services |
US20180046525A1 (en) * | 2013-09-13 | 2018-02-15 | Airwatch Llc | Fast and accurate identification of message-based api calls in application binaries |
Family Cites Families (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7526792B2 (en) * | 2004-06-09 | 2009-04-28 | Intel Corporation | Integration of policy compliance enforcement and device authentication |
JP2006065690A (en) * | 2004-08-27 | 2006-03-09 | Ntt Docomo Inc | Device authentication apparatus, service controller, service request apparatus, device authentication method, service control method, and service request method |
US8418238B2 (en) * | 2008-03-30 | 2013-04-09 | Symplified, Inc. | System, method, and apparatus for managing access to resources across a network |
US8516602B2 (en) * | 2008-04-25 | 2013-08-20 | Nokia Corporation | Methods, apparatuses, and computer program products for providing distributed access rights management using access rights filters |
US8539544B2 (en) * | 2008-05-30 | 2013-09-17 | Motorola Mobility Llc | Method of optimizing policy conformance check for a device with a large set of posture attribute combinations |
US20170270292A1 (en) * | 2008-11-26 | 2017-09-21 | David Harrison | Relevancy improvement through targeting of information based on data gathered from a networked device associated with a security sandbox of a client device |
US8527774B2 (en) * | 2009-05-28 | 2013-09-03 | Kaazing Corporation | System and methods for providing stateless security management for web applications using non-HTTP communications protocols |
EP2550621A4 (en) | 2010-03-25 | 2015-09-16 | Virtustream Canada Holdings Inc | System and method for secure cloud computing |
US9282097B2 (en) | 2010-05-07 | 2016-03-08 | Citrix Systems, Inc. | Systems and methods for providing single sign on access to enterprise SAAS and cloud hosted applications |
US8869255B2 (en) * | 2010-11-30 | 2014-10-21 | Forticom Group Ltd | Method and system for abstracted and randomized one-time use passwords for transactional authentication |
US9699168B2 (en) | 2010-12-13 | 2017-07-04 | International Business Machines Corporation | Method and system for authenticating a rich client to a web or cloud application |
EP2701893B1 (en) * | 2011-04-27 | 2018-07-04 | Grow Software Limited | Improvements for 3d design and manufacturing systems |
US9524388B2 (en) * | 2011-10-07 | 2016-12-20 | Duo Security, Inc. | System and method for enforcing a policy for an authenticator device |
US9887838B2 (en) * | 2011-12-15 | 2018-02-06 | Intel Corporation | Method and device for secure communications over a network using a hardware security engine |
US9003023B2 (en) | 2012-06-13 | 2015-04-07 | Zscaler, Inc. | Systems and methods for interactive analytics of internet traffic |
US8769651B2 (en) * | 2012-09-19 | 2014-07-01 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
JP6057666B2 (en) * | 2012-10-25 | 2017-01-11 | キヤノン株式会社 | Image forming apparatus, information processing method, and program |
US9378350B2 (en) * | 2013-03-15 | 2016-06-28 | Airwatch Llc | Facial capture managing access to resources by a device |
US8997187B2 (en) * | 2013-03-15 | 2015-03-31 | Airwatch Llc | Delegating authorization to applications on a client device in a networked environment |
KR20140131764A (en) * | 2013-05-06 | 2014-11-14 | 삼성전자주식회사 | Method and apparatus of access certificate in a wireless communication system |
US9584492B2 (en) * | 2014-06-23 | 2017-02-28 | Vmware, Inc. | Cryptographic proxy service |
US9311464B2 (en) * | 2014-08-19 | 2016-04-12 | Airwatch, Llc | Authentication via accelerometer |
US9288199B1 (en) | 2014-12-16 | 2016-03-15 | OPSWAT, Inc. | Network access control with compliance policy check |
- 2016-03-14: US application US15/069,459 filed, issued as US10063594B2 (status: Active)
- 2018-08-09: US application US16/059,467 filed, published as US20180352003A1 (status: Abandoned)
Patent Citations (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040167984A1 (en) * | 2001-07-06 | 2004-08-26 | Zone Labs, Inc. | System Providing Methodology for Access Control with Cooperative Enforcement |
US20050278775A1 (en) * | 2004-06-09 | 2005-12-15 | Ross Alan D | Multifactor device authentication |
US20070055752A1 (en) * | 2005-09-08 | 2007-03-08 | Fiberlink | Dynamic network connection based on compliance |
US20080047016A1 (en) * | 2006-08-16 | 2008-02-21 | Cybrinth, Llc | CCLIF: A quantified methodology system to assess risk of IT architectures and cyber operations |
US20080298588A1 (en) * | 2007-06-04 | 2008-12-04 | Shakkarwar Rajesh G | Methods and systems for the authentication of a user |
US20110219103A1 (en) * | 2010-03-02 | 2011-09-08 | Bank Of America Corporation | Quarantine tool |
US20130047263A1 (en) * | 2011-08-15 | 2013-02-21 | Bank Of America Corporation | Method and Apparatus for Emergency Session Validation |
US20130091544A1 (en) * | 2011-10-07 | 2013-04-11 | Duo Security, Inc. | System and method for enforcing a policy for an authenticator device |
US20130152169A1 (en) * | 2011-12-09 | 2013-06-13 | Erich Stuntebeck | Controlling access to resources on a network |
US20130339736A1 (en) * | 2012-06-19 | 2013-12-19 | Alex Nayshtut | Periodic platform based web session re-validation |
US20140053226A1 (en) * | 2012-08-14 | 2014-02-20 | Ca, Inc. | Self-adaptive and proactive virtual machine images adjustment to environmental security risks in a cloud environment |
US20140123292A1 (en) * | 2012-10-30 | 2014-05-01 | Samsung Sds Co., Ltd. | Transit control for data |
US20140173705A1 (en) * | 2012-12-19 | 2014-06-19 | Jive Software, Inc. | Distributed authentication using persistent stateless credentials |
US20150304358A1 (en) * | 2013-05-16 | 2015-10-22 | Airwatch Llc | Rights Management Services Integration with Mobile Device Management |
US20180046525A1 (en) * | 2013-09-13 | 2018-02-15 | Airwatch Llc | Fast and accurate identification of message-based api calls in application binaries |
US20140053238A1 (en) * | 2013-10-29 | 2014-02-20 | Sky Socket, Llc | Attempted Security Breach Remediation |
US20140109194A1 (en) * | 2013-12-05 | 2014-04-17 | Sky Socket, Llc | Authentication Delegation |
US9646309B2 (en) * | 2014-04-04 | 2017-05-09 | Mobilespaces | Method for authentication and assuring compliance of devices accessing external services |
US20140258711A1 (en) * | 2014-05-20 | 2014-09-11 | Airwatch Llc | Application Specific Certificate Management |
US20170250807A1 (en) * | 2014-05-20 | 2017-08-31 | Vmware, Inc. | Application Specific Certificate Management |
US20160197958A1 (en) * | 2014-06-25 | 2016-07-07 | Airwatch Llc | Issuing security commands to a client device |
US20160044511A1 (en) * | 2014-08-07 | 2016-02-11 | Mobile Iron, Inc. | Device identification in service authorization |
Cited By (234)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10706447B2 (en) | 2016-04-01 | 2020-07-07 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments |
US11651402B2 (en) | 2016-04-01 | 2023-05-16 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of risk assessments |
US11244367B2 (en) | 2016-04-01 | 2022-02-08 | OneTrust, LLC | Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design |
US11004125B2 (en) | 2016-04-01 | 2021-05-11 | OneTrust, LLC | Data processing systems and methods for integrating privacy information management systems with data loss prevention tools or other tools for privacy design |
US10956952B2 (en) | 2016-04-01 | 2021-03-23 | OneTrust, LLC | Data processing systems and communication systems and methods for the efficient generation of privacy risk assessments |
US10853859B2 (en) | 2016-04-01 | 2020-12-01 | OneTrust, LLC | Data processing systems and methods for operationalizing privacy compliance and assessing the risk of various respective privacy campaigns |
US11138242B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11146566B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10565161B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US10567439B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10565397B1 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10565236B1 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10564936B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for identity validation of data subject access requests and related methods |
US10574705B2 (en) | 2016-06-10 | 2020-02-25 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US10572686B2 (en) | 2016-06-10 | 2020-02-25 | OneTrust, LLC | Consent receipt management systems and related methods |
US10586075B2 (en) | 2016-06-10 | 2020-03-10 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US10585968B2 (en) | 2016-06-10 | 2020-03-10 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10586072B2 (en) | 2016-06-10 | 2020-03-10 | OneTrust, LLC | Data processing systems for measuring privacy maturity within an organization |
US11960564B2 (en) | 2016-06-10 | 2024-04-16 | OneTrust, LLC | Data processing systems and methods for automatically blocking the use of tracking tools |
US10592648B2 (en) | 2016-06-10 | 2020-03-17 | OneTrust, LLC | Consent receipt management systems and related methods |
US10592692B2 (en) | 2016-06-10 | 2020-03-17 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US10599870B2 (en) | 2016-06-10 | 2020-03-24 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US10606916B2 (en) | 2016-06-10 | 2020-03-31 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US10607028B2 (en) | 2016-06-10 | 2020-03-31 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US10614246B2 (en) | 2016-06-10 | 2020-04-07 | OneTrust, LLC | Data processing systems and methods for auditing data request compliance |
US10614247B2 (en) | 2016-06-10 | 2020-04-07 | OneTrust, LLC | Data processing systems for automated classification of personal information from documents and related methods |
US10642870B2 (en) | 2016-06-10 | 2020-05-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US10678945B2 (en) | 2016-06-10 | 2020-06-09 | OneTrust, LLC | Consent receipt management systems and related methods |
US10685140B2 (en) | 2016-06-10 | 2020-06-16 | OneTrust, LLC | Consent receipt management systems and related methods |
US10692033B2 (en) | 2016-06-10 | 2020-06-23 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US10558821B2 (en) | 2016-06-10 | 2020-02-11 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10706174B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems for prioritizing data subject access requests for fulfillment and related methods |
US10706176B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data-processing consent refresh, re-prompt, and recapture systems and related methods |
US10706379B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems for automatic preparation for remediation and related methods |
US10706131B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US10705801B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Data processing systems for identity validation of data subject access requests and related methods |
US10708305B2 (en) | 2016-06-10 | 2020-07-07 | OneTrust, LLC | Automated data processing systems and methods for automatically processing requests for privacy-related information |
US10713387B2 (en) | 2016-06-10 | 2020-07-14 | OneTrust, LLC | Consent conversion optimization systems and related methods |
US10726158B2 (en) | 2016-06-10 | 2020-07-28 | OneTrust, LLC | Consent receipt management and automated process blocking systems and related methods |
US10740487B2 (en) | 2016-06-10 | 2020-08-11 | OneTrust, LLC | Data processing systems and methods for populating and maintaining a centralized database of personal data |
US10754981B2 (en) | 2016-06-10 | 2020-08-25 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10762236B2 (en) | 2016-06-10 | 2020-09-01 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US10769301B2 (en) | 2016-06-10 | 2020-09-08 | OneTrust, LLC | Data processing systems for webform crawling to map processing activities and related methods |
US10769303B2 (en) | 2016-06-10 | 2020-09-08 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US10769302B2 (en) | 2016-06-10 | 2020-09-08 | OneTrust, LLC | Consent receipt management systems and related methods |
US10776518B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Consent receipt management systems and related methods |
US10776515B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10776517B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Data processing systems for calculating and communicating cost of fulfilling data subject access requests and related methods |
US10776514B2 (en) | 2016-06-10 | 2020-09-15 | OneTrust, LLC | Data processing systems for the identification and deletion of personal data in computer systems |
US10783256B2 (en) | 2016-06-10 | 2020-09-22 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US10791150B2 (en) | 2016-06-10 | 2020-09-29 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US10798133B2 (en) | 2016-06-10 | 2020-10-06 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10796020B2 (en) | 2016-06-10 | 2020-10-06 | OneTrust, LLC | Consent receipt management systems and related methods |
US10796260B2 (en) | 2016-06-10 | 2020-10-06 | OneTrust, LLC | Privacy management systems and methods |
US10803200B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US10803198B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems for use in automatically generating, populating, and submitting data subject access requests |
US10803097B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11921894B2 (en) | 2016-06-10 | 2024-03-05 | OneTrust, LLC | Data processing systems for generating and populating a data inventory for processing data access requests |
US10805354B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US10803199B2 (en) | 2016-06-10 | 2020-10-13 | OneTrust, LLC | Data processing and communications systems and methods for the efficient implementation of privacy by design |
US10839102B2 (en) | 2016-06-10 | 2020-11-17 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US10846261B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US10848523B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10846433B2 (en) | 2016-06-10 | 2020-11-24 | OneTrust, LLC | Data processing consent management systems and related methods |
US20190384899A1 (en) * | 2016-06-10 | 2019-12-19 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US10853501B2 (en) * | 2016-06-10 | 2020-12-01 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US10867072B2 (en) | 2016-06-10 | 2020-12-15 | OneTrust, LLC | Data processing systems for measuring privacy maturity within an organization |
US10867007B2 (en) | 2016-06-10 | 2020-12-15 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10873606B2 (en) | 2016-06-10 | 2020-12-22 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US10878127B2 (en) | 2016-06-10 | 2020-12-29 | OneTrust, LLC | Data subject access request processing systems and related methods |
US10885485B2 (en) | 2016-06-10 | 2021-01-05 | OneTrust, LLC | Privacy management systems and methods |
US10896394B2 (en) | 2016-06-10 | 2021-01-19 | OneTrust, LLC | Privacy management systems and methods |
US10909488B2 (en) | 2016-06-10 | 2021-02-02 | OneTrust, LLC | Data processing systems for assessing readiness for responding to privacy-related incidents |
US10909265B2 (en) | 2016-06-10 | 2021-02-02 | OneTrust, LLC | Application privacy scanning systems and related methods |
US10929559B2 (en) | 2016-06-10 | 2021-02-23 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US10944725B2 (en) | 2016-06-10 | 2021-03-09 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US10949170B2 (en) * | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for integration of consumer feedback with data subject access requests and related methods |
US10949544B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US10949565B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10949567B2 (en) | 2016-06-10 | 2021-03-16 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10509894B2 (en) | 2016-06-10 | 2019-12-17 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11868507B2 (en) | 2016-06-10 | 2024-01-09 | OneTrust, LLC | Data processing systems for cookie compliance testing with website scanning and related methods |
US10970371B2 (en) | 2016-06-10 | 2021-04-06 | OneTrust, LLC | Consent receipt management systems and related methods |
US10970675B2 (en) | 2016-06-10 | 2021-04-06 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11138299B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US10984132B2 (en) | 2016-06-10 | 2021-04-20 | OneTrust, LLC | Data processing systems and methods for populating and maintaining a centralized database of personal data |
US10997542B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Privacy management systems and methods |
US10997318B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Data processing systems for generating and populating a data inventory for processing data access requests |
US10997315B2 (en) | 2016-06-10 | 2021-05-04 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US10509920B2 (en) | 2016-06-10 | 2019-12-17 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US11025675B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US11023616B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US11023842B2 (en) | 2016-06-10 | 2021-06-01 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11030563B2 (en) | 2016-06-10 | 2021-06-08 | OneTrust, LLC | Privacy management systems and methods |
US11030327B2 (en) | 2016-06-10 | 2021-06-08 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11030274B2 (en) | 2016-06-10 | 2021-06-08 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US11038925B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11036882B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US11036771B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11036674B2 (en) | 2016-06-10 | 2021-06-15 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US11847182B2 (en) | 2016-06-10 | 2023-12-19 | OneTrust, LLC | Data processing consent capture systems and related methods |
US11057356B2 (en) | 2016-06-10 | 2021-07-06 | OneTrust, LLC | Automated data processing systems and methods for automatically processing data subject access requests using a chatbot |
US11062051B2 (en) | 2016-06-10 | 2021-07-13 | OneTrust, LLC | Consent receipt management systems and related methods |
US11068618B2 (en) | 2016-06-10 | 2021-07-20 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US11070593B2 (en) | 2016-06-10 | 2021-07-20 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11074367B2 (en) | 2016-06-10 | 2021-07-27 | OneTrust, LLC | Data processing systems for identity validation for consumer rights requests and related methods |
US11087260B2 (en) | 2016-06-10 | 2021-08-10 | OneTrust, LLC | Data processing systems and methods for customizing privacy training |
US11100445B2 (en) | 2016-06-10 | 2021-08-24 | OneTrust, LLC | Data processing systems for assessing readiness for responding to privacy-related incidents |
US11100444B2 (en) | 2016-06-10 | 2021-08-24 | OneTrust, LLC | Data processing systems and methods for providing training in a vendor procurement process |
US11113416B2 (en) | 2016-06-10 | 2021-09-07 | OneTrust, LLC | Application privacy scanning systems and related methods |
US11120162B2 (en) | 2016-06-10 | 2021-09-14 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US11122011B2 (en) | 2016-06-10 | 2021-09-14 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US11120161B2 (en) | 2016-06-10 | 2021-09-14 | OneTrust, LLC | Data subject access request processing systems and related methods |
US11126748B2 (en) | 2016-06-10 | 2021-09-21 | OneTrust, LLC | Data processing consent management systems and related methods |
US11134086B2 (en) | 2016-06-10 | 2021-09-28 | OneTrust, LLC | Consent conversion optimization systems and related methods |
US11138336B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US10496803B2 (en) | 2016-06-10 | 2019-12-03 | OneTrust, LLC | Data processing systems and methods for efficiently assessing the risk of privacy campaigns |
US11138318B2 (en) | 2016-06-10 | 2021-10-05 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US10972509B2 (en) | 2016-06-10 | 2021-04-06 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US10564935B2 (en) | 2016-06-10 | 2020-02-18 | OneTrust, LLC | Data processing systems for integration of consumer feedback with data subject access requests and related methods |
US10594740B2 (en) | 2016-06-10 | 2020-03-17 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11144670B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US11144622B2 (en) | 2016-06-10 | 2021-10-12 | OneTrust, LLC | Privacy management systems and methods |
US11151233B2 (en) | 2016-06-10 | 2021-10-19 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11157600B2 (en) | 2016-06-10 | 2021-10-26 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11727141B2 (en) | 2016-06-10 | 2023-08-15 | OneTrust, LLC | Data processing systems and methods for synching privacy-related user consent across multiple computing devices |
US11182501B2 (en) | 2016-06-10 | 2021-11-23 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11188862B2 (en) | 2016-06-10 | 2021-11-30 | OneTrust, LLC | Privacy management systems and methods |
US11188615B2 (en) | 2016-06-10 | 2021-11-30 | OneTrust, LLC | Data processing consent capture systems and related methods |
US11195134B2 (en) | 2016-06-10 | 2021-12-07 | OneTrust, LLC | Privacy management systems and methods |
US11200341B2 (en) | 2016-06-10 | 2021-12-14 | OneTrust, LLC | Consent receipt management systems and related methods |
US11210420B2 (en) | 2016-06-10 | 2021-12-28 | OneTrust, LLC | Data subject access request processing systems and related methods |
US11222142B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems for validating authorization for personal data collection, storage, and processing |
US11222139B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems and methods for automatic discovery and assessment of mobile software development kits |
US11222309B2 (en) | 2016-06-10 | 2022-01-11 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11227247B2 (en) | 2016-06-10 | 2022-01-18 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11228620B2 (en) | 2016-06-10 | 2022-01-18 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11238390B2 (en) | 2016-06-10 | 2022-02-01 | OneTrust, LLC | Privacy management systems and methods |
US11240273B2 (en) | 2016-06-10 | 2022-02-01 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US11244072B2 (en) | 2016-06-10 | 2022-02-08 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US11244071B2 (en) | 2016-06-10 | 2022-02-08 | OneTrust, LLC | Data processing systems for use in automatically generating, populating, and submitting data subject access requests |
US10503926B2 (en) | 2016-06-10 | 2019-12-10 | OneTrust, LLC | Consent receipt management systems and related methods |
US11256777B2 (en) | 2016-06-10 | 2022-02-22 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US11277448B2 (en) | 2016-06-10 | 2022-03-15 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11295316B2 (en) | 2016-06-10 | 2022-04-05 | OneTrust, LLC | Data processing systems for identity validation for consumer rights requests and related methods |
US11294939B2 (en) | 2016-06-10 | 2022-04-05 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11301796B2 (en) | 2016-06-10 | 2022-04-12 | OneTrust, LLC | Data processing systems and methods for customizing privacy training |
US11301589B2 (en) | 2016-06-10 | 2022-04-12 | OneTrust, LLC | Consent receipt management systems and related methods |
US11308435B2 (en) | 2016-06-10 | 2022-04-19 | OneTrust, LLC | Data processing systems for identifying, assessing, and remediating data processing risks using data modeling techniques |
US11328240B2 (en) | 2016-06-10 | 2022-05-10 | OneTrust, LLC | Data processing systems for assessing readiness for responding to privacy-related incidents |
US11328092B2 (en) | 2016-06-10 | 2022-05-10 | OneTrust, LLC | Data processing systems for processing and managing data subject access in a distributed environment |
US11334682B2 (en) | 2016-06-10 | 2022-05-17 | OneTrust, LLC | Data subject access request processing systems and related methods |
US11334681B2 (en) | 2016-06-10 | 2022-05-17 | OneTrust, LLC | Application privacy scanning systems and related methods |
US11336697B2 (en) | 2016-06-10 | 2022-05-17 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11341447B2 (en) | 2016-06-10 | 2022-05-24 | OneTrust, LLC | Privacy management systems and methods |
US11343284B2 (en) | 2016-06-10 | 2022-05-24 | OneTrust, LLC | Data processing systems and methods for performing privacy assessments and monitoring of new versions of computer code for privacy compliance |
US11347889B2 (en) | 2016-06-10 | 2022-05-31 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11354434B2 (en) | 2016-06-10 | 2022-06-07 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11354435B2 (en) | 2016-06-10 | 2022-06-07 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US11361057B2 (en) | 2016-06-10 | 2022-06-14 | OneTrust, LLC | Consent receipt management systems and related methods |
US11366909B2 (en) | 2016-06-10 | 2022-06-21 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11366786B2 (en) | 2016-06-10 | 2022-06-21 | OneTrust, LLC | Data processing systems for processing data subject access requests |
US11675929B2 (en) | 2016-06-10 | 2023-06-13 | OneTrust, LLC | Data processing consent sharing systems and related methods |
US11392720B2 (en) | 2016-06-10 | 2022-07-19 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11651104B2 (en) | 2016-06-10 | 2023-05-16 | OneTrust, LLC | Consent receipt management systems and related methods |
US11403377B2 (en) | 2016-06-10 | 2022-08-02 | OneTrust, LLC | Privacy management systems and methods |
US11409908B2 (en) | 2016-06-10 | 2022-08-09 | OneTrust, LLC | Data processing systems and methods for populating and maintaining a centralized database of personal data |
US11418492B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing systems and methods for using a data model to select a target data asset in a data migration |
US11418516B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Consent conversion optimization systems and related methods |
US11416589B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11416590B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11416576B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing consent capture systems and related methods |
US11416109B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Automated data processing systems and methods for automatically processing data subject access requests using a chatbot |
US11416634B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Consent receipt management systems and related methods |
US11416798B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing systems and methods for providing training in a vendor procurement process |
US11416636B2 (en) | 2016-06-10 | 2022-08-16 | OneTrust, LLC | Data processing consent management systems and related methods |
US10496846B1 (en) | 2016-06-10 | 2019-12-03 | OneTrust, LLC | Data processing and communications systems and methods for the efficient implementation of privacy by design |
US11438386B2 (en) | 2016-06-10 | 2022-09-06 | OneTrust, LLC | Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods |
US11651106B2 (en) | 2016-06-10 | 2023-05-16 | OneTrust, LLC | Data processing systems for fulfilling data subject access requests and related methods |
US11645353B2 (en) | 2016-06-10 | 2023-05-09 | OneTrust, LLC | Data processing consent capture systems and related methods |
US11449633B2 (en) | 2016-06-10 | 2022-09-20 | OneTrust, LLC | Data processing systems and methods for automatic discovery and assessment of mobile software development kits |
US11461500B2 (en) | 2016-06-10 | 2022-10-04 | OneTrust, LLC | Data processing systems for cookie compliance testing with website scanning and related methods |
US11461722B2 (en) | 2016-06-10 | 2022-10-04 | OneTrust, LLC | Questionnaire response automation for compliance management |
US11468196B2 (en) | 2016-06-10 | 2022-10-11 | OneTrust, LLC | Data processing systems for validating authorization for personal data collection, storage, and processing |
US11468386B2 (en) | 2016-06-10 | 2022-10-11 | OneTrust, LLC | Data processing systems and methods for bundled privacy policies |
US11475136B2 (en) | 2016-06-10 | 2022-10-18 | OneTrust, LLC | Data processing systems for data transfer risk identification and related methods |
US11645418B2 (en) | 2016-06-10 | 2023-05-09 | OneTrust, LLC | Data processing systems for data testing to confirm data deletion and related methods |
US11481710B2 (en) | 2016-06-10 | 2022-10-25 | OneTrust, LLC | Privacy management systems and methods |
US11488085B2 (en) | 2016-06-10 | 2022-11-01 | OneTrust, LLC | Questionnaire response automation for compliance management |
US11636171B2 (en) | 2016-06-10 | 2023-04-25 | OneTrust, LLC | Data processing user interface monitoring systems and related methods |
US11520928B2 (en) | 2016-06-10 | 2022-12-06 | OneTrust, LLC | Data processing systems for generating personal data receipts and related methods |
US11625502B2 (en) | 2016-06-10 | 2023-04-11 | OneTrust, LLC | Data processing systems for identifying and modifying processes that are subject to data subject access requests |
US11609939B2 (en) | 2016-06-10 | 2023-03-21 | OneTrust, LLC | Data processing systems and methods for automatically detecting and documenting privacy-related aspects of computer software |
US11586762B2 (en) | 2016-06-10 | 2023-02-21 | OneTrust, LLC | Data processing systems and methods for auditing data request compliance |
US11586700B2 (en) | 2016-06-10 | 2023-02-21 | OneTrust, LLC | Data processing systems and methods for automatically blocking the use of tracking tools |
US11544405B2 (en) | 2016-06-10 | 2023-01-03 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11544667B2 (en) | 2016-06-10 | 2023-01-03 | OneTrust, LLC | Data processing systems for generating and populating a data inventory |
US11551174B2 (en) | 2016-06-10 | 2023-01-10 | OneTrust, LLC | Privacy management systems and methods |
US11550897B2 (en) | 2016-06-10 | 2023-01-10 | OneTrust, LLC | Data processing and scanning systems for assessing vendor risk |
US11556672B2 (en) | 2016-06-10 | 2023-01-17 | OneTrust, LLC | Data processing systems for verification of consent and notice processing and related methods |
US11562097B2 (en) | 2016-06-10 | 2023-01-24 | OneTrust, LLC | Data processing systems for central consent repository and related methods |
US11558429B2 (en) | 2016-06-10 | 2023-01-17 | OneTrust, LLC | Data processing and scanning systems for generating and populating a data inventory |
US11050790B2 (en) | 2016-08-24 | 2021-06-29 | Alertsec, Inc. | Independent encryption compliance verification system |
US11647053B2 (en) | 2016-08-24 | 2023-05-09 | Alertsec Inc. | Compliance verification system |
US11373007B2 (en) | 2017-06-16 | 2022-06-28 | OneTrust, LLC | Data processing systems for identifying whether cookies contain personally identifying information |
US11663359B2 (en) | 2017-06-16 | 2023-05-30 | OneTrust, LLC | Data processing systems for identifying whether cookies contain personally identifying information |
US11157654B2 (en) | 2018-09-07 | 2021-10-26 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US10803202B2 (en) | 2018-09-07 | 2020-10-13 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US11593523B2 (en) | 2018-09-07 | 2023-02-28 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US11144675B2 (en) | 2018-09-07 | 2021-10-12 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US11544409B2 (en) | 2018-09-07 | 2023-01-03 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US11947708B2 (en) | 2018-09-07 | 2024-04-02 | OneTrust, LLC | Data processing systems and methods for automatically protecting sensitive data within privacy management systems |
US10963591B2 (en) | 2018-09-07 | 2021-03-30 | OneTrust, LLC | Data processing systems for orphaned data identification and deletion and related methods |
US11556635B2 (en) * | 2020-04-28 | 2023-01-17 | Bank Of America Corporation | System for evaluation and weighting of resource usage activity |
US11797528B2 (en) | 2020-07-08 | 2023-10-24 | OneTrust, LLC | Systems and methods for targeted data discovery |
US11968229B2 (en) | 2020-07-28 | 2024-04-23 | OneTrust, LLC | Systems and methods for automatically blocking the use of tracking tools |
US11444976B2 (en) | 2020-07-28 | 2022-09-13 | OneTrust, LLC | Systems and methods for automatically blocking the use of tracking tools |
US11475165B2 (en) | 2020-08-06 | 2022-10-18 | OneTrust, LLC | Data processing systems and methods for automatically redacting unstructured data from a data subject access request |
US11704440B2 (en) | 2020-09-15 | 2023-07-18 | OneTrust, LLC | Data processing systems and methods for preventing execution of an action documenting a consent rejection |
US11436373B2 (en) | 2020-09-15 | 2022-09-06 | OneTrust, LLC | Data processing systems and methods for detecting tools for the automatic blocking of consent requests |
US11526624B2 (en) | 2020-09-21 | 2022-12-13 | OneTrust, LLC | Data processing systems and methods for automatically detecting target data transfers and target data processing |
US11615192B2 (en) | 2020-11-06 | 2023-03-28 | OneTrust, LLC | Systems and methods for identifying data processing activities based on data discovery results |
US11397819B2 (en) | 2020-11-06 | 2022-07-26 | OneTrust, LLC | Systems and methods for identifying data processing activities based on data discovery results |
US11687528B2 (en) | 2021-01-25 | 2023-06-27 | OneTrust, LLC | Systems and methods for discovery, classification, and indexing of data in a native computing system |
US11442906B2 (en) | 2021-02-04 | 2022-09-13 | OneTrust, LLC | Managing custom attributes for domain objects defined within microservices |
US11494515B2 (en) | 2021-02-08 | 2022-11-08 | OneTrust, LLC | Data processing systems and methods for anonymizing data samples in classification analysis |
US11601464B2 (en) | 2021-02-10 | 2023-03-07 | OneTrust, LLC | Systems and methods for mitigating risks of third-party computing system functionality integration into a first-party computing system |
US11775348B2 (en) | 2021-02-17 | 2023-10-03 | OneTrust, LLC | Managing custom workflows for domain objects defined within microservices |
US11546661B2 (en) | 2021-02-18 | 2023-01-03 | OneTrust, LLC | Selective redaction of media content |
US11533315B2 (en) | 2021-03-08 | 2022-12-20 | OneTrust, LLC | Data transfer discovery and analysis systems and related methods |
US11907376B2 (en) | 2021-04-13 | 2024-02-20 | Saudi Arabian Oil Company | Compliance verification testing using negative validation |
US11816224B2 (en) | 2021-04-16 | 2023-11-14 | OneTrust, LLC | Assessing and managing computational risk involved with integrating third party computing functionality within a computing system |
US11562078B2 (en) | 2021-04-16 | 2023-01-24 | OneTrust, LLC | Assessing and managing computational risk involved with integrating third party computing functionality within a computing system |
US11620142B1 (en) | 2022-06-03 | 2023-04-04 | OneTrust, LLC | Generating and customizing user interfaces for demonstrating functions of interactive user environments |
Also Published As
Publication number | Publication date |
---|---|
US20160197962A1 (en) | 2016-07-07 |
US10063594B2 (en) | 2018-08-28 |
Similar Documents
Publication | Title |
---|---|
US10063594B2 (en) | Network access control with compliance policy check |
US9288199B1 (en) | Network access control with compliance policy check |
US9866567B2 (en) | Systems and methods for detecting and reacting to malicious activity in computer networks |
US10057282B2 (en) | Detecting and reacting to malicious activity in decrypted application data |
US11036869B2 (en) | Data security with a security module |
US8245042B2 (en) | Shielding a sensitive file |
US10211977B1 (en) | Secure management of information using a security module |
US10333930B2 (en) | System and method for transparent multi-factor authentication and security posture checking |
JP7185077B2 (en) | Methods and Measurable SLA Security and Compliance Platforms to Prevent Root Level Access Attacks |
US11637842B2 (en) | Detection of security intrusion in a computing system |
Cahill et al. | Client-based authentication technology: user-centric authentication using secure containers |
RU2443017C1 (en) | System of data protection from unauthorized access to the data that constitutes national security information |
Kim et al. | Security analysis and bypass user authentication bound to device of windows hello in the wild |
Badhwar | Advanced Active Directory Attacks and Prevention |
RU2571372C1 (en) | System for protecting information containing state secrets from unauthorised access |
Sotirios | Windows Active Directory Security Audit |
US20240146536A1 (en) | Network access using hardware-based security |
RU2504835C1 (en) | System for protecting information containing state secrets from unauthorised access |
RU2648942C1 (en) | System of protection of information from unauthorized access |
Corella et al. | An example of a derived credentials architecture |
Papadopoulos | Windows Active Directory security audit |
Donaldson et al. | Cybersecurity Capability Value Scales |
CN117874741A (en) | Browser trusted running method, system, computer equipment and storage medium |
CN115801432A (en) | Cloud data center efficient protection safety service management system and design method |
CN117749417A (en) | Cross-domain identity authentication method and system based on cloud environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: OPSWAT, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WINN, ADAM GREGORY;CZARNY, BENJAMIN;MO, JIANPENG;AND OTHERS;SIGNING DATES FROM 20160415 TO 20180418;REEL/FRAME:046697/0819 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| AS | Assignment | Owner name: OPSWAT, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MO, JIANPENG;REEL/FRAME:047212/0314. Effective date: 20181010 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: ADVISORY ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |