GB2532951A - Device management user centric identity for security protection

Info

Publication number: GB2532951A
Application number: GB1421344.1A
Authority: GB (United Kingdom)
Legal status: Withdrawn
Other versions: GB201421344D0 (en)
Inventors: Sanders David; Patrikios Nestor; De Bernardi Fabio
Current assignee: Vodafone IP Licensing Ltd
Original assignee: Vodafone IP Licensing Ltd
Prior art keywords: security; user; mobile device; device management; platform
Application filed by Vodafone IP Licensing Ltd
Priority to GB1421344.1A
Publication of GB201421344D0
Priority to PCT/EP2015/077884 (WO2016087323A1)
Publication of GB2532951A

Classifications (CPC)

    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
        • H04W12/08 Access security
        • H04W12/10 Integrity
        • H04W12/60 Context-dependent security
            • H04W12/69 Identity-dependent
                • H04W12/72 Subscriber identity
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
        • H04W4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
            • H04W4/08 User group management
        • H04W4/50 Service provisioning or reconfiguring
    • H04W28/00 Network traffic management; Network resource management
        • H04W28/02 Traffic management, e.g. flow control or congestion control
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L63/102 Entity profiles
            • H04L63/104 Grouping of entities
        • H04L63/16 Implementing security features at a particular protocol layer
            • H04L63/164 Implementing security features at a particular protocol layer at the network layer

Abstract

A mobile device management and security system is configured to control usage and security of managed mobile devices of a group of users registered to the system. This system enables central management of the security policies applied to users' own devices used to access corporate networks. The system comprises a security platform 110 in a core of a cellular telecommunications network, and a mobile device management platform (MDMP) 120. The MDMP 120 is configured: to receive, for each user of the group of users, an indication of an MSISDN for a subscription of each user of the group registered to the network and to associate the MSISDN with a respective userID; to store an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user; and to send to the security platform the MSISDN and data pertaining to the associated secure web profile for each user. The security platform is configured: to receive and store an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the MDMP; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data the security policies indicated in the secure web profile associated with that MSISDN. The centrally managed security policies are applied to the data requested by the users, e.g. packet inspection filtering, phishing filter, spam filter and/or malware filter.

Description

DEVICE MANAGEMENT USER CENTRIC IDENTITY FOR SECURITY PROTECTION
FIELD OF THE INVENTION
[1] The present application relates to a mobile device management and security system and method, and to a security platform and a mobile device management platform for use in a mobile device management and security system.
BACKGROUND
[2] Enterprises (e.g. private or public companies, academic institutions, partnerships, governmental and quasi-governmental institutions, etc) provide enterprise users (e.g. employees) with access to computing resources (such as email servers, data resources for customer relationship management (CRM) systems, document management systems (DMS), enterprise resource planning (ERP) systems, and billing and accounting systems, etc) via an enterprise network (which may be supported by dedicated computing hardware directly connected by a local area network, or by distributed hardware which may be connected by a virtual private network over the internet, or by being hosted virtually in the cloud).
[3] It is becoming increasingly common for enterprise users to access the resources provided in the enterprise network using mobile devices such as laptops, tablets and smart phones. For this, the enterprise may provide the enterprise user with a mobile device for accessing the enterprise resources and for enterprise use. However, a current trend is towards enterprise users using their personally owned mobile devices to access the enterprise resources as well as for their own personal use.
[4] This accessing of enterprise resources using mobile devices introduces a significant security vulnerability: confidential or sensitive information accessed by and stored on the remote devices, or access to the enterprise resources themselves, may become compromised if the devices are stolen or hacked by malware or viruses, or if the enterprise user is subjected to a successful phishing or other security attack.
[5] To attempt to mitigate the exposure of enterprise resources to the vulnerabilities posed by mobile devices, mobile device management (MDM) software is now used to manage enterprise use of these mobile devices that have access to the enterprise network. The MDM software has a client component, installed on the user mobile device, that allows an enterprise-level administrator operating a server component of the MDM software to define security policy sets for the users to control the configuration and security settings of the users' mobile devices registered to the enterprise user group. For this, the MDM server component sends security policy updates over the air (OTA) to the user devices, where the client component of the MDM software receives those updates and configures the device accordingly. The administrator may operate the MDM software to set security policies for individual users, for groups thereof or for all the enterprise users registered to the enterprise.
[6] For example, the MDM software may be used by an enterprise administrator to restrict a user from installing certain black-listed applications or to allow or require a user to only install certain approved, white-listed applications (e.g. virus protection). Further, security policies set by the administrator implemented by the MDM software on the device may enforce security restrictions on the user, such as requiring users to set passwords having certain lengths and characters, and for detecting any attempts to jailbreak the device. Security policies may be provided to implement a wide range of restrictions and functionalities at the device, such as implementing basic find, lock and wipe capabilities.
[7] Generally, the enterprise users of the MDM software are keyed by a user identifier (userID) that uniquely identifies that user within the enterprise MDM user group. The MDM userID is a general free-form identifier for the user which could be a username, an email address or even a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of the user registered to the cellular telecommunications network. Thus the OTA security policy updates for a given user are sent to devices registered with the userID for the user by a device identifier (deviceID). There is no dependency in the MDM platform on an MSISDN of a user subscription, as the user may use a device that does not have a subscription to a cellular network to access the enterprise resources. Similarly, if a user transfers a subscriber identity module (SIM) card for authenticating and identifying the subscription to the network by the MSISDN from one mobile device to another, the MDM security settings remain with the original enrolled device keyed by userID and are not transferred to the new device with the SIM card.
[8] Enterprise users of mobile devices are often also provided by the enterprise with a subscription to a mobile cellular communication network, for example by providing a subscriber identity module (SIM) card for insertion into the mobile device usable to authenticate and identify the subscription to the network by an MSISDN. The network operator uses the MSISDN identified to the network by the SIM card to connect voice calls to the device and to establish and maintain data plane connections to the device to send and receive data which may include, for example, email, http requests and return web traffic, served web pages, streaming data including audio and video, etc.
[9] To protect the enterprise and the enterprise user device, having access to the enterprise network resources, from threats such as identity theft, fraud, intelligence gathering and sabotage, the mobile cellular telecommunications network may provide a security platform that the enterprise can use to provide a safe Internet experience for its enterprise users connecting to the internet over the cellular GPRS/3G/4G network for data transfer. The security platform is provided in the core of the mobile cellular telecommunications network, e.g. by the network provider, and it supports basic and advanced security features for data traffic being routed to and from the user devices based on the MSISDN to/from which the data traffic is routed.
[10] Specifically, the security platform can provide content filtering (e.g. by packet inspection), anti-malware capabilities, anti-phishing capabilities and anti-spam capabilities. An administration portal for the security platform allows an enterprise administrator to customise security policies, keyed by MSISDN of the enterprise users, to be applied to the data traffic in the core network. These security policies are set by the administrator operating the security platform portal on a subscription-by-subscription basis.
[11] Thus currently, enterprise networks and resources are protected by administrator control of a separate security platform and mobile device management platform.
[12] It is in this context that the present invention has been devised.
SUMMARY OF THE INVENTION
[13] Viewed from one aspect, the present invention provides a mobile device management and security system configured to control usage and security of managed mobile devices of a group of users registered to the system. The system comprises: a security platform in a core of a cellular telecommunications network; and a mobile device management platform. The mobile device management platform is configured: to receive, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and to associate the MSISDN with a respective userID for the user; to store, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and to send to the security platform the MSISDN and data pertaining to the associated secure web profile for each user. The security platform is configured: to receive and store an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data the security policies indicated in the secure web profile associated with that MSISDN.
[14] In accordance with the present invention, a mobile device management and security system is provided in which a mobile device management (MDM) platform receives and stores a relation between the userID used to key MDM over the air security policy updates for each user and the MSISDN for a subscription to a mobile cellular network for those users. Further, the MDM platform then provides functionality that allows a secure web profile defining a security policy for a user's safe Internet experience to be managed as part of the security policy set for the enterprise at a user or group level. The secure web profile for each user is then sent to the security platform in the core network of the mobile telecommunications network, keyed by MSISDN. In this way, enterprise resource security officers are provided with a single platform that enables the setting of MDM security policies and mobile cellular telecommunication network security policies for enterprise users at a user or group level. This is achieved by combining and relating the two different user identity paradigms, namely, userID centric for MDM systems and MSISDN centric for mobile cellular telecommunication network security systems.
[15] In embodiments, the security platform is configurable, by indication in a secure web profile, to apply one or more security policies keyed by MSISDN of the recipient user of the data packet, the security policies including: a packet inspection filter to filter out certain content; an anti-phishing filter; an anti-spam filter; an anti-malware filter.
[16] In embodiments, the mobile device management and security system further comprises: a traffic management platform configured to function as a load balancer for data traffic in the core of the cellular telecommunications network, having a traffic steering module that configures the traffic management platform to forward the data traffic for an MSISDN having a secure web profile to the security platform for processing.
[17] In embodiments, the traffic steering module further configures the traffic management platform to receive the filtered data traffic for the MSISDN from the security platform and to forward it to the MSISDN.
[18] In embodiments, the mobile device management platform is further configured: to store in the administrator-configurable security policy set for each userID of the group of users a managed device profile defining a device management policy for managing the operation of a device by the user; and to send the managed device profiles to the user mobile devices.
[19] In embodiments, the mobile device management and security system further comprises a mobile device of a user of the group of users comprising device management software for configuring the device: to receive and store from the mobile device management platform the managed device profile associated with the user's userID; and to apply the management policies indicated in the managed device profile to manage the operation of the device by the user.
[20] In embodiments, the mobile device management software further configures the mobile device to send a request to the mobile device management platform for the managed device profile associated with the userID of the user logged into the mobile device management software.
[21] In embodiments, the mobile device management platform is further configured, in response to receiving from the mobile device the request for the managed device profile indicating a userID, to send the managed device profile to the mobile device.
[22] In embodiments, the mobile device management platform is further configured: to receive a batch of MSISDNs for users of a group and to store an association between the MSISDNs and the userIDs for the users. In this way, an enterprise can add its enterprise users' subscriptions to the MDM platform in bulk to provide enterprise-wide control over their security and access to enterprise resources over the mobile cellular telecommunications network.
[23] In embodiments, the mobile device management platform is further configured to provide a portal accessible by an administrator of the group of users operable to assign security policy sets for users of the group of users at an individual or group level. In this way, enterprise administrators can control the security and access of a group of users to enterprise resources using subscriptions to mobile cellular telecommunications networks from a mobile device management platform portal.
[24] In embodiments, the group of users is an enterprise group or a family group of consumers. The invention may also be applicable to consumer groups such as families, where the parent acts as an administrator for the security and MDM controls applied to children's access to the internet on their mobile electronic devices through subscriptions to the mobile cellular telecommunications network.
[25] In embodiments, the mobile device management platform is configured to maintain a database relating the MSISDNs of a group of users to the userIDs of the group of users.
[26] In embodiments, the mobile device management and security system further comprises a global integration gateway configured to receive the secure web profile from the mobile device management platform and to send the secure web profile directly to the security platform in a core of a mobile telecommunications network.
[27] Alternatively, or in addition, in embodiments, the mobile device management and security system further comprises a global integration gateway configured to receive the secure web profile from the mobile device management platform and to send the secure web profile to the security platform in a core of a mobile telecommunications network via a local integration gateway of the mobile telecommunications network.
[28] Viewed from another aspect, the present invention provides a security platform in a core of a cellular telecommunications network for use in a mobile device management and security system as claimed in a preceding claim configured to control usage and security of managed mobile devices of a group of users registered to the system, the security platform being configured: to receive and store from a mobile device management platform an association between the Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and an associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data the security policies indicated in the secure web profile associated with that MSISDN.
[29] Viewed from yet another aspect, the present invention provides a mobile device management platform for use in a mobile device management and security system as claimed in a preceding claim configured to control usage and security of managed mobile devices of a group of users registered to the system, the mobile device management platform being configured: to receive, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and to associate the MSISDN with a respective userID for the user; to store, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and to send to a security platform in the core of the mobile telecommunications network the MSISDN and data pertaining to the associated secure web profile for each user, for the security platform to apply to user-requested data to be routed to the MSISDN of a user of the group of users the security policies indicated in the secure web profile associated with that MSISDN.
[30] Viewed from yet another aspect, the present invention provides a mobile device management and security method for controlling usage and security of managed mobile devices of a group of users registered to the system, comprising: at a mobile device management platform: receiving, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network; associating each MSISDN with a respective userID for the user; storing, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and sending to a security platform in the core of the mobile telecommunications network the MSISDN and data pertaining to the associated secure web profile for each user; and, at the security platform: receiving and storing an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, applying to the user-requested data the security policies indicated in the secure web profile associated with that MSISDN.
[31] Within the scope of this application it is expressly envisaged that the various aspects, embodiments, examples and alternatives set out in the preceding paragraphs, in the claims and/or in the following description and drawings, and in particular the individual features thereof, may be taken independently or in any combination. Features described in connection with one aspect or embodiment of the invention are applicable to all aspects or embodiments, unless such features are incompatible.
BRIEF DESCRIPTION OF THE DRAWINGS
[32] Certain preferred embodiments will now be described, by way of example only, with reference to the accompanying drawings, in which:
[33] Figure 1 shows a schematic illustration of an MDM and security system in accordance with an embodiment of the present invention and an example organisational hierarchy of the enterprise administrator, enterprise users and enterprise devices of the system;
[34] Figure 2 shows a schematic diagram of an enterprise user mobile device, MDM platform and security platform in accordance with an embodiment of the present invention; and
[35] Figure 3 shows a process flow diagram for a method of a mobile device management and security method for controlling usage and security of managed mobile devices of a group of users registered to the system.
DETAILED DESCRIPTION OF THE EMBODIMENTS
[36] The detailed description set forth below in connection with the appended drawings is intended as a description of presently preferred embodiments of the invention, and is not intended to represent the only forms in which the present invention may be practised. It is to be understood that the same or equivalent functions may be accomplished by different embodiments that are intended to be encompassed within the spirit and scope of the invention. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that apparatuses and method steps that comprise a list of elements or steps do not include only those elements but may include other elements or steps not expressly listed or inherent. An element or step preceded by "comprises...a" does not, without more constraints, preclude the existence of additional identical elements or steps that comprise the element or step.
[37] Referring now to Figure 1, there is shown a mobile device management and security system comprising a mobile device management (MDM) platform 120 and a security platform 110 provided in the core 104 of a local mobile cellular telecommunications network which may be a GPRS, UMTS or LTE network. The cellular telecommunications network further comprises plural base stations 103a, 103b that provide a radio access network (RAN) comprising a number of radio cells, which acts as an air interface to allow mobile radio communications with user mobile electronic devices or user equipment 102a1...ni within those cells by establishing radio bearers therebetween. The mobile electronic devices 102a1...ni may be tablets, laptops, or as in this case, smartphones, or another appropriate electronic device for connecting to the mobile cellular telecommunications network to allow a user data communication with the Internet therethrough. The mobile telecommunications network supports voice communications by a public switched telephone network PSTN (not shown) using the mobile electronic devices 102a1...ni and data communications with, for example, the Internet 105, using those devices 102a1...ni.
[38] Referring now also to Figure 2, a subscriber identity module (SIM) 1026 is removably inserted into an electronic device (e.g. 102a, a smart phone). The SIM 1026 carries a Mobile Station International Subscriber Directory Number (MSISDN) usable to authenticate and uniquely identify a subscription of a user to voice and data communications services provided over the mobile cellular telecommunications network by the network provider. The MSISDN functions as a global title for routing data and voice communications in the core network 104 to the electronic device 102a carrying the SIM 1026. In this way, a user 101a of an electronic device 102a may, using a browser program stored in a memory 1024 of the electronic device 102a, send a data request via the core 104 of the mobile cellular telecommunications network to a web server via the Internet 105 located by a uniform resource locator (URL) to serve to the electronic device 102a content constructed by Hypertext Markup Language (HTML) as a website. The core network 104 routes the content of the website to the electronic device 102a using the MSISDN of the SIM 1026, where it is displayed in a graphical user interface of the browser on a display screen thereof (not shown).
[39] In an enterprise context, an enterprise (e.g. private or public companies, academic institutions, partnerships, governmental and quasi-governmental institutions, etc) may provide employees (or other agents of the enterprise) 101a...n with one or more electronic devices 102a1...ni for their use in conducting their activities in the course of carrying out their duties for the enterprise. Alternatively, enterprise users may "bring their own devices" for the purposes of carrying out their business activities for the enterprise, which is increasingly common. For example, in the user group shown in Figure 1, user 101a has two enterprise devices, a smartphone 102a1 and a tablet 102a2, registered to the MDM platform 120, user 101b has one device, smartphone 102b1, and so on.
[40] These enterprise users (e.g. employees) 101a...n may use their devices 102a1...ni to access enterprise computing resources (such as email servers, data resources for customer relationship management (CRM) systems, document management systems (DMS), enterprise resource planning (ERP) systems, and billing and accounting systems, etc). This may be via the internet or via an enterprise network which may be supported by dedicated computing hardware directly connected by a local area network, or by distributed hardware which may be connected by a virtual private network over the internet, or by being hosted virtually in the cloud.
[41] To provide the enterprise users 101a...n with voice and data connectivity using the mobile cellular telecommunications network, the IT administrator 101A may provide the enterprise users 101a...n with subscriptions from the mobile cellular telecommunications network service provider for voice and data communications therethrough. Alternatively, in a "bring your own device" context, the user may have access to the mobile cellular telecommunications network by his or her own subscription thereto. Not all of the devices 102a1...ni that the enterprise users 101a...n use to access enterprise resources are provided with subscriptions to the mobile telecommunications network. For example, some laptops or tablet devices are not provided with the necessary input/output hardware and software to enable them to communicate with the RAN nodes 103a,b. Instead, these devices provide connectivity for the user to access enterprise resources by, for example, a WiFi connection to a wireless access point of a wired network.
[42] To access the enterprise resources using the mobile cellular telecommunications network, however, the enterprise electronic device 102a carries a SIM having an associated MSISDN to authenticate and uniquely identify the enterprise user 101a's subscription to enable voice and data communications to be routed to the device 102a.
[43] To monitor and control the use and security of the device in accessing the enterprise resources over the Internet using the mobile cellular telecommunications network, a security platform 110 is provided in the core network 104 to carry out security controls on data traffic in the core network 104 received from or to be sent to the user electronic devices 102a1...ni based on the MSISDN of the users. The security platform 110 is provided as a server that is configured by a security platform programme 113 instantiated in the RAM 112 to cause the processor 111 to perform security operations on data traffic in the core network 104 based on the MSISDN to which that traffic is to be routed. The security operations may include content filtering, anti-virus and malware filtering, harmful website protection (e.g. anti-phishing), etc.
[44] To control the security settings for the enterprise users 101a...n and their one or more devices 102a1...ni, a mobile device management platform 120 is provided. The MDM platform 120 is provided with a mobile device management server program 123 instantiated in RAM 122 that configures the processor 121 to provide, using a web server, a web portal accessible over the internet by the IT administrator 101A. Using the portal, the IT administrator 101A can set the security settings for a given enterprise user 101a...n at an individual or group level. The security settings for each user generate a security policy set that is stored in security policy set store 127. The security policy sets stored in security policy set store 127 are generally keyed for each user 101a...n by a userID that uniquely identifies that user in the MDM platform 120 and by a deviceID that uniquely identifies the device 102a1...ni in the MDM platform 120.
[45] To allow control of the security platform 110 in the core 104 of the mobile cellular telecommunications network, which uses a different, subscriber-based paradigm for distinguishing data traffic in the core network 104 and filtering it for security purposes, the MSISDNs of each user subscription are also received at the MDM platform 120 and stored in MSISDN store 125. The MSISDNs of each user's subscription may be received at the MDM platform 120 by being individually input by the IT administrator 101A or by being retrieved in bulk automatically from, for example, the enterprise's CRM or ERP systems.
[46] A hierarchical relation or affiliation between the userIDs, the deviceIDs and the MSISDNs for the user subscriptions is generated in the MDM platform 120 and stored in the userID-deviceID-MSISDN store 126. This facilitates the setting of the security policies for each user in the MDM platform 120 and the communication of those security policies to the relevant enterprise user devices 102a1...ni or to the security platform 110 in the core network 104, keyed by the relevant one of the userID, deviceID and MSISDN. The IT administrator 101A can group the users together into user groups dependent on, for example, department, seniority, security clearance level, etc.
[47] Security policy updates, in the form of secure web profile updates 106 keyed by MSISDN, are sent by the MDM platform 120 to the security platform 110 for controlling the filtering of data traffic on the network, where they are stored in the MSISDN secure web profile store 115 in memory 114. The security platform program 113 instantiated in the RAM 112 configures the processor 111 to apply, based on the secure web profile for a given user subscription stored in MSISDN secure web profile store 115, filters and other security controls to data traffic in the core network 104 keyed by the MSISDN to/from which the data is to be routed.
[48] Security policy updates, in the form of managed device profiles keyed by userID and optionally also deviceID, are sent by the MDM platform 120 as over the air (OTA) updates (e.g. by broadcasting) and stored in the managed device profile store 1025i of the relevant devices 102a1...ni belonging to the relevant users 101a...n. In order to control the security settings and use of the devices 102a1...ni by the users 101a...n, each enterprise user mobile device 102ai is provided with a mobile device management platform client program 1023i instantiated in RAM 1022 that configures the processor 1021 to implement security policies based on the managed device profiles received from the mobile device management platform 120 by over the air (OTA) updates and stored in the managed device profile store 1025i. For example, by operating the mobile device management platform 120 the IT administrator 101A can set a password security policy and an email security policy for each user keyed by that user's userID. The user 101a's devices 102ai both receive and store the managed device profile updates setting the password security policy and email security policy based on userID. Alternatively, to set a security policy for a specific device, a security policy may be keyed by deviceID as well as userID such that, for example, only device 102ai receives and stores the managed device profile update setting the password security policy. The mobile device management platform client program 1023i then applies the security policies of the managed device profiles stored in managed device profile store 1025i such that, for example, a minimum password length and character requirement is applied by the device 102ai, which may also require the user 101a to change the password periodically.
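As an added illustration (not code from the patent or from Vodafone), the following Python models the device-side handling described in paragraph [48]: an MDM client that stores only the managed device profile updates keyed to its own userID (and, where a deviceID is given, to its own deviceID), lets a device-specific profile override the user-wide one, and checks a password against the minimum length, character requirement and periodic change rule. The class names, identifiers and policy values are assumptions constructed for the example.

```python
"""Added example (not code from the patent): how the MDM client program on a
device handles managed device profile updates, following paragraph [48]. The
keying (userID, optional deviceID) and the password policy fields are modelled
on the text; every identifier and value below is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")  # lower, upper, digit, symbol


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_char_classes: int        # how many of the four character classes must appear
    max_age_days: Optional[int]  # None: no periodic change required


@dataclass(frozen=True)
class ManagedDeviceProfile:
    user_id: str
    device_id: Optional[str]     # None: applies to every device of that user
    password: PasswordPolicy


@dataclass
class MdmClient:
    """Mobile device management client program (1023i) on one user device (102ai)."""
    user_id: str
    device_id: str
    profile_store: List[ManagedDeviceProfile] = field(default_factory=list)  # store 1025i

    def receive_ota_update(self, profile: ManagedDeviceProfile) -> bool:
        """Store a profile only if it is keyed to this user and, when a deviceID is
        present, to this device; returns True when the profile was stored."""
        if profile.user_id != self.user_id:
            return False
        if profile.device_id is not None and profile.device_id != self.device_id:
            return False
        # A later update with the same key replaces the earlier one.
        self.profile_store = [p for p in self.profile_store if p.device_id != profile.device_id]
        self.profile_store.append(profile)
        return True

    def effective_policy(self) -> Optional[PasswordPolicy]:
        """A device-specific profile takes precedence over the user-wide one."""
        for wanted in (self.device_id, None):
            for profile in self.profile_store:
                if profile.device_id == wanted:
                    return profile.password
        return None

    def password_violations(self, candidate: str, age_days: int) -> List[str]:
        """Check a password (and how long it has been in use) against the effective
        policy; an empty list means the password is compliant."""
        policy = self.effective_policy()
        if policy is None:
            return []
        problems = []
        if len(candidate) < policy.min_length:
            problems.append("too_short")
        classes = sum(1 for pattern in _CLASS_PATTERNS if re.search(pattern, candidate))
        if classes < policy.min_char_classes:
            problems.append("too_few_character_classes")
        if policy.max_age_days is not None and age_days > policy.max_age_days:
            problems.append("password_expired")
        return problems


if __name__ == "__main__":
    # Constructed scenario: user "alice" has two devices; the administrator sets a
    # user-wide policy, then a stricter one keyed to device "dev-1" only.
    clients = [MdmClient("alice", "dev-1"), MdmClient("alice", "dev-2")]
    user_wide = ManagedDeviceProfile("alice", None, PasswordPolicy(8, 2, 90))
    dev1_only = ManagedDeviceProfile("alice", "dev-1", PasswordPolicy(12, 3, 30))
    for client in clients:
        client.receive_ota_update(user_wide)
        print(client.device_id, "stored device-specific update:", client.receive_ota_update(dev1_only))
        print(client.device_id, "violations for 'Passw0rd' after 31 days:",
              client.password_violations("Passw0rd", 31))
```

The point of `receive_ota_update` returning a boolean is that a broadcast OTA update reaches every device, so the client, not the transport, is what enforces the userID/deviceID keying; a client that stored profiles for other users or devices would apply the wrong policy.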
[49] To set the security settings for each user, the IT administrator 101A may use an Internet-connected computer or even a mobile electronic device (not shown) to point a browser to a specific URL providing the web portal for the MDM platform 120. On logging in and proving his or her credentials, the IT administrator 101A is presented with a graphical user interface, displayed on a display of the device (not shown), having a number of user-manipulable widgets and controls by which the security settings for each enterprise user 101a...n, group of users or devices can be chosen. These security settings then generate and store, or update, the stored security profile set for each user. The mobile device management platform server program 123 then signals the security policies, or any changes thereto, to the security platform 110 and the user devices 102a1...ni in the form of secure web profile updates 106 and managed device profile updates 107. The MDM platform 120 and portal may be provided at a global level by the mobile cellular telecommunications network provider, and this platform may provide enterprise users globally with control over security settings for users in different regional or national mobile cellular telecommunications networks. The MDM platform 120 may send the secure web profiles for users directly to the security platforms in the core of the relevant national or regional mobile cellular telecommunications networks. Alternatively, a global integration gateway may be provided, configured to receive the secure web profiles from the global mobile device management platform 120 and to send the secure web profiles to the security platform in a core 104 of the relevant mobile telecommunications network via a local integration gateway of that mobile telecommunications network. This helps to account for local differences between the mobile telecommunications networks.
[50] The mobile device management and security system 100 enables enterprises to monitor and control the security of mobile electronic devices of enterprise users in accessing enterprise resources, from both a device management and a content security perspective for communications through a cellular network, from a single portal on a user by user or group basis. This is enabled in part by the storing of the linking of the user subscription IDs (i.e. the MSISDNs) with the userIDs and user profiles in the MDM portal.
[51] Figure 3 is a process flow diagram showing a method of a mobile device management and security platform for controlling usage and security of managed mobile devices of a group of users registered to the system.
[52] The method includes, at step 301, at the mobile device management platform 120, receiving, for each user of the group of users 101a...n, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network. These are then stored in MSISDN store 125. They may be received at the MDM platform 120 by being individually input by the IT administrator 101A or by being retrieved in bulk automatically from, for example, the enterprise's CRM or ERP systems.
[53] Then, at step 302, an association between each MSISDN and a respective userID for the user is created and stored, e.g. in the UserID-DeviceID-MSISDN store 126. This may be performed manually but is preferably performed automatically in a bulk import, for instance from the enterprise CRM or ERP system.
[54] Next, at step 303, the method comprises storing, for each user of the group of users, an administrator-configurable security policy set. This is performed by the IT administrator 101A configuring security settings for users on a user by user basis or group basis using the portal provided by the MDM platform 120. The security policy set includes a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network. The security policy set also includes a managed device profile defining a device management policy for managing the operation of a device by the user. The managed device profile may include, for example, an email security profile and a password security profile, and any number of other security profiles indicating a security policy for security aspects and functionality provided by the mobile device management client software 1023i operating in the RAM 1022i of the mobile device 102i. The secure web profile is keyed by the MSISDN of the user, whereas the managed device profile is keyed by the userID and/or the deviceID.
[55] Next, at step 304, the MDM platform 120 sends the stored secure web profile (or merely the changes thereto) to the security platform 110 in the core 104 of the mobile cellular telecommunications network local to the user device. This may be sent by the MDM platform 120 directly to the security platform 110, or may be sent first to a global integration gateway and then on to a local integration gateway adapted for the local mobile telecommunications network. The secure web profile is keyed by the relevant user's MSISDN.
[56] On receiving the secure web profile for the or each of the group of users, in step 306 the security platform 110 stores the secure web profile settings for a given MSISDN in MSISDN security profile store 115.
[57] Then, in step 307, the security platform continually monitors data traffic in the core 104 of the mobile cellular telecommunications network that is to be routed to/from an MSISDN for which there is a secure web profile stored in MSISDN security profile store 115. To achieve this, in embodiments the mobile device management and security system further comprises a traffic management platform (not shown) configured to function as a load balancer for data traffic in the core of the cellular telecommunications network. The traffic management platform has a traffic steering module that configures the traffic management platform to forward data traffic for an MSISDN having a secure web profile to the security platform for processing. The traffic steering module further configures the traffic management platform to receive the filtered data traffic for the MSISDN from the security platform and to forward it to the MSISDN.
[58] When such data is detected, at step 308, the security platform 110 applies to the data the security control and filter functionality indicated by the secure web profile stored in store 115 for that MSISDN. The security platform 110 is configurable, by indication in a secure web profile, to apply one or more security policies keyed by the MSISDN of the recipient user of the data packet. The security policies include: packet inspection filtering to filter out certain content; an anti-phishing filter; an anti-spam filter; and an anti-malware filter.
[59] Finally, for the security platform 110, at step 309 the filtered and controlled result is routed to the Internet or to the user. For example, where a web content filter has detected and filtered out adult or sensitive content in a webpage to be routed to an MSISDN for which a web content filter setting is indicated in that MSISDN's secure web profile, the security platform 110 may send a blocked webpage notification to the MSISDN.
[60] Simultaneously, at step 305, the MDM platform 120 also sends, by an over the air transfer, the managed device profile (or changes thereto) keyed by userID and/or deviceID.
[61] On receiving the managed device profile, at step 311, the user mobile electronic device 102ai stores the managed device profile in the managed device profile store 1025i.
[62] Then, finally for the user mobile device 102ai, in step 312 the MDM platform client program 1023i applies the device management settings and controls indicated for the user device in the stored managed device profile.
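The following Python is an added worked example, not code from the patent or from Vodafone, tying together the relation store and keying described in paragraphs [45] to [47] and steps 301 to 309 of the method: the MDM platform keeps the userID to MSISDN relation and the userID-keyed policy set, re-keys each secure web profile by MSISDN when pushing it to the security platform, and the security platform steers and filters only traffic for subscriptions that have a profile. All identifiers, MSISDNs, URLs and packet categories are constructed; the `category` field stands in for whatever a real platform's packet inspection would derive, and the class and field names are assumptions.

```python
"""Added example (not code from the patent): the MDM platform to security platform
path of Figure 3, steps 301 to 309. userIDs, MSISDNs, URLs and packet categories are
constructed; the category stands in for what the platform's packet inspection derives."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MSISDN_RE = re.compile(r"^[1-9]\d{7,14}$")  # E.164 digits, country code first, no "+"


@dataclass(frozen=True)
class SecureWebProfile:
    """Network-side policy for one subscription (step 303)."""
    content_filter: bool = False
    anti_phishing: bool = False
    anti_spam: bool = False
    anti_malware: bool = False


@dataclass(frozen=True)
class Packet:
    msisdn: str    # subscription the packet is routed to
    url: str
    category: str  # constructed inspection result: web, adult, sensitive, phishing, spam, malware


@dataclass
class SecurityPlatform:
    """Security platform 110 with its MSISDN secure web profile store (115)."""
    profile_by_msisdn: Dict[str, SecureWebProfile] = field(default_factory=dict)

    def store_profile(self, msisdn: str, profile: SecureWebProfile) -> None:
        """Step 306: profiles arrive keyed by MSISDN, never by userID."""
        self.profile_by_msisdn[msisdn] = profile

    def needs_inspection(self, packet: Packet) -> bool:
        """Step 307 (traffic steering): only subscriptions with a profile are diverted."""
        return packet.msisdn in self.profile_by_msisdn

    def apply(self, packet: Packet) -> str:
        """Steps 308/309: "deliver", or "blocked:<filter>" naming the policy that matched."""
        profile = self.profile_by_msisdn.get(packet.msisdn)
        if profile is None:
            return "deliver"
        checks = (
            (profile.content_filter, ("adult", "sensitive"), "content_filter"),
            (profile.anti_phishing, ("phishing",), "anti_phishing"),
            (profile.anti_spam, ("spam",), "anti_spam"),
            (profile.anti_malware, ("malware",), "anti_malware"),
        )
        for enabled, categories, name in checks:
            if enabled and packet.category in categories:
                return "blocked:" + name
        return "deliver"


@dataclass
class MdmPlatform:
    """MDM platform 120: userID-MSISDN relation (store 126) and policy sets (store 127)."""
    msisdn_by_user: Dict[str, str] = field(default_factory=dict)
    user_by_msisdn: Dict[str, str] = field(default_factory=dict)
    web_profile_by_user: Dict[str, SecureWebProfile] = field(default_factory=dict)

    def import_subscriptions(self, rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
        """Steps 301/302: bulk import of (userID, MSISDN) rows, e.g. from CRM or ERP.
        Returns rows rejected as malformed or as an MSISDN already held by another user."""
        rejected = []
        for user_id, msisdn in rows:
            owner = self.user_by_msisdn.get(msisdn)
            if not MSISDN_RE.match(msisdn) or (owner is not None and owner != user_id):
                rejected.append((user_id, msisdn))
                continue
            self.msisdn_by_user[user_id] = msisdn
            self.user_by_msisdn[msisdn] = user_id
        return rejected

    def set_web_profile(self, user_ids: List[str], profile: SecureWebProfile) -> None:
        """Step 303: the administrator assigns one profile to a user or to a whole group."""
        for user_id in user_ids:
            self.web_profile_by_user[user_id] = profile

    def push_web_profiles(self, core: SecurityPlatform) -> List[str]:
        """Step 304: re-key the userID-based policy by MSISDN for the core (updates 106).
        Returns userIDs skipped because no subscription is on record for them."""
        skipped = []
        for user_id, profile in self.web_profile_by_user.items():
            msisdn = self.msisdn_by_user.get(user_id)
            if msisdn is None:
                skipped.append(user_id)
                continue
            core.store_profile(msisdn, profile)
        return skipped


def run_scenario() -> Dict[str, str]:
    """Constructed end-to-end run: a two-user group plus one unmanaged subscriber."""
    mdm, core = MdmPlatform(), SecurityPlatform()
    mdm.import_subscriptions([("alice", "447700900001"), ("bob", "447700900002")])
    mdm.set_web_profile(["alice", "bob"], SecureWebProfile(content_filter=True, anti_phishing=True))
    mdm.push_web_profiles(core)
    packets = [Packet("447700900001", "https://example.invalid/news", "web"),
               Packet("447700900002", "https://example.invalid/login", "phishing"),
               Packet("447700900002", "https://example.invalid/offer", "spam"),       # filter not enabled
               Packet("447700900999", "https://example.invalid/login", "phishing")]   # no profile: not steered
    return {f"{p.msisdn} {p.url}": core.apply(p) if core.needs_inspection(p) else "deliver" for p in packets}
```

The two return values an operator would want to watch are the rejected rows of `import_subscriptions` and the skipped userIDs of `push_web_profiles`: an MSISDN mapped to two userIDs would let one user's traffic be filtered under another user's policy, and a user who has a secure web profile but no MSISDN on record silently receives no network-side protection, because the core only ever sees the MSISDN key.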
[63] In accordance with the present invention, a mobile device management and security system is provided in which a mobile device management (MDM) platform receives and stores a relation between the userID used to key MDM over the air security policy updates for users and the MSISDN for those users' subscriptions to mobile cellular networks. Further, the MDM platform then provides functionality that allows a secure web profile, defining a security policy for a user's safe Internet experience, to be managed as part of the security policy set for the enterprise at a user or group level. The secure web profile for each user is then sent to the security platform in the core network of the mobile telecommunications network, keyed by MSISDN. In this way, enterprise resource security officers are provided with a single platform that enables the setting of MDM security policies and mobile cellular telecommunication network security policies for enterprise users at a user or group level. This is achieved by combining and relating the two different user identity paradigms, namely the userID-centric paradigm of MDM systems and the MSISDN-centric paradigm of mobile cellular telecommunication network security systems.
[64] While this detailed description and the embodiments set out above disclose the invention in the context of an enterprise setting, aspects of the present invention can also be implemented to provide a device management and security platform for use in a consumer family setting, in which the head of the family would be the IT administrator that sets the security policies for members of the family user group, such as children.
[65] The description of the preferred embodiments of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or to limit the invention to the forms disclosed. It will be appreciated by those skilled in the art that changes could be made to the embodiments described above without departing from the broad inventive concept thereof. It is understood, therefore, that this invention is not limited to the particular embodiment disclosed, but covers modifications within the scope of the present invention as defined by the appended claims.

Claims (17)

  1. A mobile device management and security system configured to control usage and security of managed mobile devices of a group of users registered to the system, comprising: a security platform in a core of a cellular telecommunications network; and a mobile device management platform configured: to receive, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and to associate the MSISDN with a respective userID for the user; to store, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and to send to the security platform the MSISDN and data pertaining to the associated secure web profile for each user; wherein the security platform is configured: to receive and store an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.
  2. A mobile device management and security system as claimed in claim 1, wherein the security platform is configurable, by indication in a secure web profile, to apply one or more security policies keyed by MSISDN of the recipient user of the data packet, the security policies including: packet inspection filtering to filter out certain content; an anti-phishing filter; an anti-spam filter; and an anti-malware filter.
  3. A mobile device management and security system as claimed in claim 1 or 2, further comprising: a traffic management platform configured to function as a load balancer for data traffic in the core of the cellular telecommunications network, having a traffic steering module that configures the traffic management platform to forward the data traffic for an MSISDN having a secure web profile to the security platform for processing.
  4. A mobile device management and security system as claimed in claim 3, wherein the traffic steering module further configures the traffic management platform to receive the filtered data traffic for the MSISDN from the security platform and to forward it to the MSISDN.
  5. A mobile device management and security system as claimed in any preceding claim, wherein the mobile device management platform is further configured: to store in the administrator-configurable security policy set for each userID of the group of users a managed device profile defining a device management policy for managing the operation of a device by the user; and to send the managed device profiles to the user mobile devices.
  6. A mobile device management and security system as claimed in claim 5, further comprising a mobile device of a user of the group of users comprising device management software for configuring the device: to receive and store from the mobile device management platform the managed device profile associated with the user's userID; and to apply the management policies indicated in the managed device profile to manage the operation of the device by the user.
  7. A mobile device management and security system as claimed in claim 6, wherein the mobile device management software further configures the mobile device to send a request to the mobile device management platform for the managed device profile associated with the userID of the user logged into the mobile device management software.
  8. A mobile device management and security system as claimed in claim 7, wherein the mobile device management platform is further configured, in response to receiving from the mobile device the request for the managed device profile indicating a userID, to send the managed device profile to the mobile device.
  9. A mobile device management and security system as claimed in any preceding claim, wherein the mobile device management platform is further configured: to receive a batch of MSISDNs for users of a group and to store an association between the MSISDNs and the userIDs for the users.
  10. A mobile device management and security system as claimed in any preceding claim, wherein the mobile device management platform is further configured to provide a portal accessible by an administrator of the group of users, operable to assign security policy sets for users of the group of users at an individual or group level.
  11. A mobile device management and security system as claimed in any preceding claim, wherein the group of users is an enterprise group or a family group of consumers.
  12. A mobile device management and security system as claimed in any preceding claim, wherein the mobile device management platform is configured to maintain a database relating the MSISDNs of a group of users to the userIDs of the group of users.
  13. A mobile device management and security system as claimed in any preceding claim, further comprising a global integration gateway configured to receive the secure web profile from the mobile device management platform and to send the secure web profile directly to the security platform in a core of a mobile telecommunications network.
  14. A mobile device management and security system as claimed in any of claims 1 to 12, further comprising a global integration gateway configured to receive the secure web profile from the mobile device management platform and to send the secure web profile to the security platform in a core of a mobile telecommunications network via a local integration gateway of the mobile telecommunications network.
  15. A security platform in a core of a cellular telecommunications network for use in a mobile device management and security system as claimed in any preceding claim configured to control usage and security of managed mobile devices of a group of users registered to the system, the security platform being configured: to receive and store from a mobile device management platform an association between the Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and an associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, to apply to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.
  16. A mobile device management platform for use in a mobile device management and security system as claimed in any preceding claim configured to control usage and security of managed mobile devices of a group of users registered to the system, the mobile device management platform being configured: to receive, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network and to associate the MSISDN with a respective userID for the user; to store, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and to send to a security platform in the core of the mobile telecommunications network the MSISDN and data pertaining to the associated secure web profile for each user, for the security platform to apply to user-requested data to be routed to the MSISDN of a user of the group of users the security policies indicated in the secure web profile associated with that MSISDN.
  17. A mobile device management and security method for controlling usage and security of managed mobile devices of a group of users registered to the system, comprising: at a mobile device management platform: receiving, for each user of the group of users, an indication of a Mobile Station International Subscriber Directory Number (MSISDN) for a subscription of each user of the group registered to the cellular telecommunications network; associating each MSISDN with a respective userID for the user; storing, for each user of the group of users, an administrator-configurable security policy set for each user, said security policy set including a secure web profile defining a security policy for data traffic to be sent to the respective user over the cellular telecommunications network; and sending to a security platform in the core of the mobile telecommunications network the MSISDN and data pertaining to the associated secure web profile for each user; and, at the security platform: receiving and storing an association between the MSISDNs for each user of the group of users and the associated secure web profile for each user as indicated by the mobile device management platform; and on receipt of data traffic to be routed in the core to one of the stored MSISDNs, applying to the user-requested data security policies indicated in the secure web profile associated with that MSISDN.
GB1421344.1A 2014-12-02 2014-12-02 Device management user centric identity for security protection Withdrawn GB2532951A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB1421344.1A GB2532951A (en) 2014-12-02 2014-12-02 Device management user centric identity for security protection
PCT/EP2015/077884 WO2016087323A1 (en) 2014-12-02 2015-11-27 Device management user centric identity for security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1421344.1A GB2532951A (en) 2014-12-02 2014-12-02 Device management user centric identity for security protection

Publications (2)

Publication Number Publication Date
GB201421344D0 GB201421344D0 (en) 2015-01-14
GB2532951A true GB2532951A (en) 2016-06-08

Family

ID=52349771

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1421344.1A Withdrawn GB2532951A (en) 2014-12-02 2014-12-02 Device management user centric identity for security protection

Country Status (2)

Country Link
GB (1) GB2532951A (en)
WO (1) WO2016087323A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115883259A (en) * 2023-02-23 2023-03-31 成都万创科技股份有限公司 Mobile equipment management and control method and device
CN115883259B (en) * 2023-02-23 2023-04-28 成都万创科技股份有限公司 Mobile equipment management and control method and device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10437625B2 (en) 2017-06-16 2019-10-08 Microsoft Technology Licensing, Llc Evaluating configuration requests in a virtual machine

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008149326A2 (en) * 2007-06-07 2008-12-11 Alcatel Lucent System and method of network access security policy management for multimodal device
WO2014207712A1 (en) * 2013-06-28 2014-12-31 Athonet S.R.L. Radio access network control of media session
US20150012964A1 (en) * 2013-07-03 2015-01-08 Fortinet, Inc. Application layer-based single sign on

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005064498A1 (en) * 2003-12-23 2005-07-14 Trust Digital, Llc System and method for enforcing a security policy on mobile devices using dynamically generated security profiles
CN101444119A (en) * 2006-03-27 2009-05-27 意大利电信股份公司 System for implementing security police on mobile communication equipment
EP2025095A2 (en) * 2006-06-08 2009-02-18 Hewlett-Packard Development Company, L.P. Device management in a network
US8924488B2 (en) * 2010-07-27 2014-12-30 At&T Intellectual Property I, L.P. Employing report ratios for intelligent mobile messaging classification and anti-spam defense


Also Published As

Publication number Publication date
GB201421344D0 (en) 2015-01-14
WO2016087323A1 (en) 2016-06-09


Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)