GB2503230A - Location based network access - Google Patents

Info

Publication number
GB2503230A
Authority
GB
United Kingdom
Prior art keywords
data
location
application management
management policy
physical location
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB1210845.2A
Other versions
GB201210845D0 (en)
Inventor
Peter Thomas Jones
Darren Robert Boyce
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AppSense Ltd
Original Assignee
AppSense Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by AppSense Ltd
Priority to GB1210845.2A
Publication of GB201210845D0
Priority to US13/919,679 (US20130340033A1)
Publication of GB2503230A
Withdrawn (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/02 Access restriction performed under specific conditions
    • H04W48/04 Access restriction performed under specific conditions based on user or terminal location or mobility data, e.g. moving direction, speed

Abstract

Disclosed is a method of administering an application management policy comprising the steps of: identifying a first device e.g. a computer (10); determining a physical location of the first device (15); and setting the application management policy, i.e. determining the applications which the device may access, in accordance with the identification of the first device and the determination of the physical location (55). The identification is carried out by a server (50) in a network which the device wishes to access. Device user authentication may also be performed. The location data is obtained from e.g. GPS data using a GPS device either located in the device or, if the device has no GPS capability, using a second GPS-enabled device connected to the first device.

Description

Improvements in and relating to Location based Data Access Policies
The present invention concerns the provision of controlled access to computer or other networked resources. Embodiments of the invention find particular, but not exclusive use, in the area known as BYOD or Bring Your Own Device. This is related to the growing phenomenon of staff using their own computing device(s) for work-related activities.
It is now relatively common for employees to work on their employer's business using their own devices. Such devices can include portable devices such as laptop computers, netbook computers, tablet computers (such as the Apple ® iPad ®) and smartphones.
However, although use of such devices can be convenient to both the employee and the employer, their use can create security vulnerabilities, since the employer is not in ultimate control of the devices and is unable to fully implement security and access policies.
It is an aim of embodiments of the present invention to permit the application of a security and access policy, which takes into account a number of different conditions and to allow or refuse access to certain applications on the basis of the evaluation of these conditions.
According to the present invention there is provided an apparatus and method as set forth in the appended claims. Other features of the invention will be apparent from the dependent claims, and the description which follows.
For a better understanding of the invention, and to show how embodiments of the same may be carried into effect, reference will now be made, by way of example, to the accompanying diagrammatic drawings in which:
Figure 1 shows a method of administering an application management policy according to an embodiment of the present invention;
Figure 2 shows a method of administering an application management policy according to another embodiment of the present invention;
Figure 3 shows further detail relating to the method shown in Figure 2;
Figure 4 shows a schematic of a first device communicating with a remote device according to an embodiment of the invention;
Figure 5 shows a schematic of the first device of Figure 5 communicating with the remote device, and also with a further remote device;
Figure 6 shows a schematic of the first device, in communication with a second local device and the two remote devices of Figure 5; and
Figure 7 shows a computer system configured to perform embodiments of the present invention.
Figure 1 shows the steps involved in administering an application management policy. A user is in possession of a device for accessing a remote network. The device may be any form of computing device as set out earlier. In the following description, attention will be focussed on a portable computing device such as a laptop computer or tablet computer, but this is not intended to be limiting.
The application management policy is a process which runs on a computer system to which remote users may seek access. Corporations often use applications to allow access to business critical data. Users can access these applications running directly or via Virtual Desktop Infrastructure (VDI) or Remote Desktop Services (RDS) sessions from almost any device anywhere, provided a suitable network connection is available. This may present a problem to corporations in terms of control and security of their business information when users use these applications on mobile devices, since the data may be more susceptible to being compromised by technological means e.g. packet sniffing. Also, simple visual interception (known as shoulder surfing) can be a problem, whereby sensitive data can simply be observed by third parties on the screen of the user's device.
At step S10, the user device is identified, upon which a user instance of a particular application is running. At step S20, the physical location of the user device is determined. At step S30, an application management policy is applied in accordance with the identification of the user device and its physical location.
To further understand this, Figure 2 shows a further embodiment, which is an addition to the method already set out above. The embodiment of Figure 2 looks to determine the identity of the user device S10, i.e. is it a device which is known to the system? A determination is also made of the identity of the user S15.
The second stage of the process S20 is to determine the physical location of the user device. This is done to ensure that the device is operating in a known location which has been pre-determined to be secure.
Then, the application management policy is applied based on the identification of the user device S30 and its location and the identification of the user S35.
To illustrate this, a user may use his portable device to access a corporate system from his desk using a Wi-Fi access point (AP). The Wi-Fi signal may also be accessible from the coffee shop next door to his office and the user would like to continue working from that location whilst taking a break. However, the data on his screen is vulnerable and may be intercepted. As such, even though the user is known and trusted, the physical location means that he is vulnerable and so the application management policy can restrict his access to all or some applications. For instance, if the user is a financial trader, access to financial trading systems could be restricted, so that they can only be accessed and operated from within a physical location which is known to be the corporate office.
Figure 3 shows further detail about the step S20 where the location of the user device is determined. At step S20a, a request is made of the user device to respond with its location.
Not all portable user devices are suitably equipped to respond with location data. For instance, some tablet computers are provided with GPS functionality, which enable them to determine their location with a given degree of accuracy, whereas many laptop computers lack this feature. However, in the absence of such functionality, the remote device may not be able to respond with a meaningful location response and the default action of the application management policy will be to deny access to some or all applications as a failsafe measure.
At step S20b, a determination is made if the user device is capable of providing location data. If it is, then the location data is sent to the remote server. If the user device is not capable of providing location data, then a determination is made if there is a second user device, in communication with the first user device, which is capable of providing location data.
To illustrate this, if the first user device is a laptop computer without GPS functionality, then it will not be able to respond to a request for location information and so the application management policy will bar access to certain applications as a result. However, as is increasingly common, the user of the laptop computer is likely to have his personal smartphone about him, which is more likely to be provided with GPS functionality. A feature of an embodiment of the present invention is to use the location of the second user device as a proxy for the location of the first user device. This can be achieved by creating a communication link between the first and second user devices, ensuring that they are in close physical proximity. This ensures that the assumption that they are in the same location is always true.
In practice, the communication link between the two devices can be established using a physical connection, such as a data cable connecting the two devices. Alternatively, and in a preferred embodiment, a Low Power RF (LPRF) wireless connection is created between the two devices. An example of such a connection uses the Bluetooth protocol.
In practice, if a location request is made of the first user device, it then passes the request to the second user device after first establishing a communication link therewith if one is not already set up. The second device replies to the first device with the location information, which is then relayed to the remote server and the application management policy is applied accordingly.
Figure 4 shows a schematic of the first user device 10 in communication with the remote server 50. The communication is typically conducted over a local Wi-Fi connection and the internet. On receipt of the location data 15, the server 50 responds with an application management policy which is interpreted at the first device 10 so as to allow or deny access to one or more applications which may run on the first device.
The location data 15 may be retransmitted periodically so that if the first device moves, the policy can be re-evaluated and access to one or more applications can be terminated if the policy so dictates. Alternatively, the location data may only be re-transmitted if the first device moves more than a certain distance away from its last recorded location. This can prevent updates occurring too frequently.
Figure 5 shows a variation of the schematic in Figure 4. The system shown here additionally includes a second server 60, separate from the first server 50. In this case, the policy 55, which is communicated from the first server 50, controls access to the second server 60, meaning that communication 65 between the first device 10 and the second server 60 is effectively controlled and sanctioned by the application management policy.
Figure 6 shows the scenario whereby location data is obtained from the second user device 20, located in close proximity to the first user device 10. As shown there is a 2-way communication link 16 established between the first device 10 and the second device 20. The link 16 is preferably an LPRF connection, such as Bluetooth. Other features and elements of the system shown in Figure 6 are as shown in previous figures.
Throughout this specification, reference has been made to the location of the first device, determined primarily on the basis of GPS data provided either direct from the first device or from a second device whose location serves as a proxy for the first device. The preferred form of location data is GPS data, but there are occasions when this is not available and still other occasions where its accuracy can be enhanced by supplementing it with other location data, such as that derived from known Wi-Fi APs, mobile telephony base stations and the like. As such, the skilled person will understand that any means of providing location data, derived from one or more sources can be utilised by embodiments of the present invention.
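The flow of Figures 1 to 4 (identify the device and user, take a location from the first device or from a linked second device, deny by default when no location is available, re-send only after sufficient movement) as an added Python example; it is not code from the patent or from AppSense. The device and user identifiers, coordinates, zone radius, 50 m re-send threshold and the choice to deny every application when no location is reported are assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000

# Constructed sample data: identifiers, coordinates and radii are made up.
KNOWN_DEVICES = {"laptop-0042"}
USER_APPS = {"trader1": frozenset({"email", "trading"})}
ANYWHERE_APPS = frozenset({"email"})  # assumed usable from any reported location


@dataclass(frozen=True)
class Zone:
    name: str
    lat: float
    lon: float
    radius_m: float
    apps: frozenset


ZONES = [Zone("corporate-office", 51.5007, -0.1246, 75.0,
              frozenset({"email", "trading"}))]


@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    source: str  # "first-device" or "second-device" (proxy over a local link)


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


def resolve_location(own_fix, paired_fix):
    """S20b: prefer the first device's own fix, else the linked second device's.

    Each argument is a (lat, lon) tuple or None when that device has no fix.
    """
    if own_fix is not None:
        return Fix(own_fix[0], own_fix[1], "first-device")
    if paired_fix is not None:
        return Fix(paired_fix[0], paired_fix[1], "second-device")
    return None


def evaluate_policy(device_id, user_id, fix):
    """S10/S15 identify, S20 locate, S30/S35 apply: return the permitted apps."""
    if device_id not in KNOWN_DEVICES or user_id not in USER_APPS:
        return frozenset()
    if fix is None:
        return frozenset()  # fail-safe default: no location, no access
    allowed = set(ANYWHERE_APPS)
    for zone in ZONES:
        if distance_m(fix.lat, fix.lon, zone.lat, zone.lon) <= zone.radius_m:
            allowed |= zone.apps
    # A user never gains an application outside their own entitlement.
    return frozenset(allowed & USER_APPS[user_id])


def should_resend(last_fix, current_fix, threshold_m=50.0):
    """Re-send only after moving more than threshold_m from the last report."""
    if last_fix is None:
        return True
    moved = distance_m(last_fix.lat, last_fix.lon,
                       current_fix.lat, current_fix.lon)
    return moved > threshold_m


if __name__ == "__main__":
    # Laptop without GPS at the desk, location supplied by the paired phone.
    office = resolve_location(None, (51.5008, -0.1246))
    # Tablet with its own GPS, about 150 m away in the coffee shop next door.
    cafe = resolve_location((51.50205, -0.1246), None)
    for label, fix in (("office", office), ("cafe", cafe), ("no fix", None)):
        apps = sorted(evaluate_policy("laptop-0042", "trader1", fix))
        print(f"{label:7s} -> {apps}")
    print("re-send after move to cafe:", should_resend(office, cafe))
```

The server in this sketch takes the reported fix at face value; the coordinates arrive from the client side, so the decision is only as trustworthy as the device and link that produced them.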
Fig. 7 shows an illustrative environment 110 according to an embodiment of the invention. The skilled person will realise and understand that embodiments of the present invention may be implemented using any suitable computer system, and the example system shown in Figure 7 is exemplary only and provided for the purposes of completeness only. To this extent, environment 110 includes a computer system 120 that can perform a process described herein in order to perform an embodiment of the invention. In particular, computer system 120 is shown including a program 130, which makes computer system 120 operable to implement an embodiment of the invention by performing a process described herein.
Computer system 120 is shown including a processing component 122 (e.g., one or more processors), a storage component 124 (e.g., a storage hierarchy), an input/output (I/O) component 126 (e.g., one or more I/O interfaces and/or devices), and a communications pathway 128. In general, processing component 122 executes program code, such as program 130, which is at least partially fixed in storage component 124. While executing program code, processing component 122 can process data, which can result in reading and/or writing transformed data from/to storage component 124 and/or I/O component 126 for further processing. Pathway 128 provides a communications link between each of the components in computer system 120. I/O component 126 can comprise one or more human I/O devices, which enable a human user 112 to interact with computer system 120 and/or one or more communications devices to enable a system user 112 to communicate with computer system 120 using any type of communications link. To this extent, program 130 can manage a set of interfaces (e.g., graphical user interface(s), application program interface, and/or the like) that enable human and/or system users 112 to interact with program 130. Further, program 130 can manage (e.g., store, retrieve, create, manipulate, organize, present, etc.) the data, such as a plurality of data files 140, using any solution.
In any event, computer system 120 can comprise one or more general purpose computing articles of manufacture (e.g., computing devices) capable of executing program code, such as program 130, installed thereon. As used herein, it is understood that "program code" means any collection of instructions, in any language, code or notation, that cause a computing device having an information processing capability to perform a particular action either directly or after any combination of the following: (a) conversion to another language, code or notation; (b) reproduction in a different material form; and/or (c) decompression. To this extent, program 130 can be embodied as any combination of system software and/or application software.
Further, program 130 can be implemented using a set of modules. In this case, a module can enable computer system 120 to perform a set of tasks used by program 130, and can be separately developed and/or implemented apart from other portions of program 130. As used herein, the term "component" means any configuration of hardware, with or without software, which implements the functionality described in conjunction therewith using any solution, while the term "module" means program code that enables a computer system 120 to implement the actions described in conjunction therewith using any solution. When fixed in a storage component 124 of a computer system 120 that includes a processing component 122, a module is a substantial portion of a component that implements the actions. Regardless, it is understood that two or more components, modules, and/or systems may share some/all of their respective hardware and/or software. Further, it is understood that some of the functionality discussed herein may not be implemented or additional functionality may be included as part of computer system 120.
When computer system 120 comprises multiple computing devices, each computing device can have only a portion of program 130 fixed thereon (e.g., one or more modules).
However, it is understood that computer system 120 and program 130 are only representative of various possible equivalent computer systems that may perform a process described herein.
To this extent, in other embodiments, the functionality provided by computer system 120 and program 130 can be at least partially implemented by one or more computing devices that include any combination of general and/or specific purpose hardware with or without program code. In each embodiment, the hardware and program code, if included, can be created using standard engineering and programming techniques, respectively.
Regardless, when computer system 120 includes multiple computing devices, the computing devices can communicate over any type of communications link. Further, while performing a process described herein, computer system 120 can communicate with one or more other computer systems using any type of communications link. In either case, the communications link can comprise any combination of various types of optical fibre, wired, and/or wireless links; comprise any combination of one or more types of networks; and/or utilize any combination of various types of transmission techniques and protocols.
In any event, computer system 120 can obtain data from files 140 using any solution.
For example, computer system 120 can generate and/or be used to generate data files 140, retrieve data from files 140, which may be stored in one or more data stores, receive data from files 140 from another system, and/or the like.
Attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.
All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.
Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
The invention is not restricted to the details of the foregoing embodiment(s). The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.

Claims (14)

  1. A method of administering an application management policy comprising the steps of: identifying a first device; determining a physical location of the first device; and setting the application management policy in accordance with the identification of the first device and the determination of the physical location.
  2. The method of claim 1 further comprising the steps of: identifying a user of the first device; and setting the application management policy in accordance with the identification of the user and the determination of the physical location.
  3. The method of claim 1 or 2 wherein the location data is obtained from the first device.
  4. The method of claim 3 wherein the first device obtains location data from a second device, wherein the first device is in communication with the second device.
  5. The method of claim 4 wherein the first device is in data communication with the second device via one or more of: a cable connection; a USB connection; low power RF (LPRF) technology; Bluetooth; Infra Red; or Wi-Fi.
  6. The method of any one of claims 4 or 5 wherein the location data is derived from one or more of: GPS data; Wi-Fi data; or mobile telephony base-station data.
  7. The method of any preceding claim wherein the physical location is determined periodically.
  8. The method of any preceding claim wherein the application management policy is a policy for controlling access to a specific application or a specific data set, and access to the specific application or data set is permitted or denied in accordance with the policy.
  9. A computer readable medium storing a computer program to operate a method according to any preceding claim.
  10. A computer system comprising a first device and a second device, the second device being operable to: identify the first device; determine a physical location of the first device; and set an application management policy in accordance with the identification of the first device and the determination of the physical location.
  11. A computer readable medium storing a computer program to operate a method according to any one of claims 1 to 9.
  12. A method, substantially as hereinbefore described, having reference to the accompanying drawings.
  13. A computer readable medium, substantially as hereinbefore described, having reference to the accompanying drawings.
  14. A computer system, substantially as hereinbefore described, having reference to the accompanying drawings.
GB1210845.2A 2012-06-19 2012-06-19 Location based network access Withdrawn GB2503230A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB1210845.2A GB2503230A (en) 2012-06-19 2012-06-19 Location based network access
US13/919,679 US20130340033A1 (en) 2012-06-19 2013-06-17 Apparatus, methods and media for location based data access policies

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1210845.2A GB2503230A (en) 2012-06-19 2012-06-19 Location based network access

Publications (2)

Publication Number Publication Date
GB201210845D0 (en) 2012-08-01
GB2503230A (en) 2013-12-25

Family

ID=46641147

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1210845.2A Withdrawn GB2503230A (en) 2012-06-19 2012-06-19 Location based network access

Country Status (2)

Country Link
US (1) US20130340033A1 (en)
GB (1) GB2503230A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020094777A1 (en) * 2001-01-16 2002-07-18 Cannon Joseph M. Enhanced wireless network security using GPS
US20090293106A1 (en) * 2005-03-31 2009-11-26 Trapeze Networks, Inc. Method and apparatus for controlling wireless network access privileges based on wireless client location

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9009794B2 (en) * 2011-12-30 2015-04-14 Rovi Guides, Inc. Systems and methods for temporary assignment and exchange of digital access rights
US8774778B2 (en) * 2012-03-21 2014-07-08 International Business Machines Corporation Mobile location identifier for social check-in applications

Also Published As

Publication number Publication date
US20130340033A1 (en) 2013-12-19
GB201210845D0 (en) 2012-08-01

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20160602 AND 20160608

WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)