Invention for Cloud security systems for mobile devices: Client application-based access control

Invented by Purvi Desai, Abhinav BANSAL, Zscaler Inc

The market for cloud security systems for mobile devices has witnessed significant growth in recent years. With the increasing reliance on mobile devices for personal and professional use, the need for robust security measures to protect sensitive data has become paramount. One of the key components of mobile device security is client application-based access control, which plays a crucial role in ensuring the safety of cloud-based data. Client application-based access control refers to the process of granting or denying access to cloud services based on the client application requesting access. This method allows organizations to have granular control over which applications can access their cloud resources, thereby minimizing the risk of unauthorized access and data breaches.

The market for cloud security systems that employ client application-based access control is driven by several factors. Firstly, the proliferation of mobile devices and the increasing adoption of cloud-based services have created a fertile ground for security solutions that cater specifically to mobile platforms. As more individuals and businesses store and access sensitive data on the cloud, the demand for robust security measures has grown exponentially. Secondly, the rise in cyber threats and the sophistication of hacking techniques have made it imperative for organizations to invest in comprehensive security systems. Mobile devices are particularly vulnerable to attacks due to their portability and the sheer volume of personal and corporate data they store. Client application-based access control provides an additional layer of security by ensuring that only trusted and authorized applications can access cloud resources. Furthermore, compliance regulations and data protection laws have become more stringent, compelling organizations to implement robust security measures. Client application-based access control helps organizations meet these requirements by allowing them to enforce access policies and monitor application behavior, thus ensuring compliance with relevant regulations.

The market for cloud security systems that incorporate client application-based access control is highly competitive, with several key players vying for market share. These players offer a range of solutions that cater to different organizational needs, including secure containerization, mobile application management, and mobile threat defense. Secure containerization involves creating a secure environment on mobile devices, isolating corporate data and applications from personal ones. This approach ensures that even if a device is compromised, the sensitive data remains protected. Mobile application management focuses on managing and securing applications deployed on mobile devices, including enforcing access control policies and monitoring application behavior. Mobile threat defense solutions employ advanced analytics and machine learning algorithms to detect and mitigate mobile threats in real time.

In conclusion, the market for cloud security systems for mobile devices, specifically those incorporating client application-based access control, is witnessing rapid growth. The increasing reliance on mobile devices and cloud-based services, coupled with the rising cyber threats and compliance requirements, has fueled the demand for robust security solutions. Organizations are increasingly investing in comprehensive security systems that provide granular control over access to cloud resources, ensuring the safety of sensitive data. As the mobile landscape continues to evolve, the market for cloud security systems is expected to expand further, with innovative solutions emerging to address the ever-evolving security challenges.

The Zscaler Inc invention works as follows

The cloud-based system enforces application-based controls on network resources. It includes a plurality of nodes communicatively connected to the Internet and one or more authority nodes communicatively linked to the plurality. A node from the plurality is communicatively connected to a user device via the Internet. This node is configured to receive a request from the user device to access network resources on the Internet or on external networks, to evaluate the request to identify the application on the user device associated with it, and to provide application-based controls of the request based on both the identified application and the requested network resources.

Background for Cloud security systems for mobile devices: Client application-based access control

There has been rapid growth in the number of mobile endpoint devices and cloud-based services within enterprises. Information Technology (IT) administrators can no longer ignore these devices as being outside their responsibility. Role-based access control implemented on on-premises Virtual Private Networks (VPNs) has traditionally been used to limit access to sensitive corporate resources: users with the appropriate rights could access corporate resources through any application. In role-based control, users are placed into groups, and access to resources is determined by the permissions granted to the group. Resource access thus becomes a function only of the permissions granted to the group, not of the way the user accesses the resource. The number of ways a user could access data was severely limited in the past because such applications were scarce and the IT admin held a high degree of control over locked-down on-premises desktop systems, where users were only allowed to install or remove a limited set of software.

With the rise of BYOD, cloud computing, and mobility, there is a proliferation of mobile applications. These apps offer the user a wide range of options for accessing corporate resources, such as mail clients, file-sharing apps, third-party browsers, etc. This poses serious security risks when a user accidentally uses a malicious app to access sensitive corporate data. For example, a malicious application may use corporate information in unsavory ways, such as caching data or sending it over the network to a remote server. In the past, an antivirus program was used to maintain black/white lists of applications and remove blacklisted ones from the system. However, this method did not capture the relationship between the type of resource requested and the application requesting it. For instance, users can continue to use any web browser for private Internet use but must use a secured web browser that conforms with enterprise security policies in order to access corporate resources.

In conventional, non-mobile environments, IT admins are in full control of the systems, which are locked down to prevent the installation of unauthorized software or the removal of legitimate software. With the changing landscape, users can access corporate resources using a VPN app from any device, application, network, or location. These risks can be prevented by limiting the access that users can have to network resources.

In one embodiment, a cloud-based security system that enforces application-based controls of network resources includes a plurality of nodes communicatively connected to the Internet and one or more authority nodes. A node from the plurality is communicatively linked to a user device via the Internet. The node is configured to receive a request from the user device to access network resources on the Internet or on external networks; to evaluate the request to determine the application on the user device associated with the requested network resource; and, based on both the determined application and the requested network resource, to provide application-based controls that limit which applications on user devices are allowed to access network resources. The application-based controls can include denying the request, thereby blocking it from the network resource; allowing the request if the application is authorized; or redirecting the request to an authorized application on the user device.

The application-based controls can include redirecting the request to an authorized application on the device when the requesting application is legitimate but not authorized to access the resource. The redirection may be done using a response sent from the node back to the device, with a header that points to the Uniform Resource Locator (URL) of the application to which the request is being redirected. The node may be configured to identify the application by analyzing the body of the HTTP request. One or more authority nodes can define policies for applications and their associated network resources. Policies can include blocking network resources for specific applications, redirecting requests to another application, blocking a specific network resource from all applications, and warning when an application does not match the specific application required for the resource. The node can monitor traffic between the user's device and the Internet.

In another embodiment, the user device comprises a network interface that connects to the Internet through a cloud-based security system, a processor communicatively connected to the interface, and memory storing computer-readable instructions that enable the processor to run an application. In this case, the application requests network resources through the cloud-based security system, which evaluates the request to determine the application making it. It then provides application-based controls based on both the determined application and the requested network resources. These application-based controls restrict which applications on the user device are allowed to access network resources. The application-based controls can be a denial of the request, thereby blocking it from the network resource; an allowance of the request, if the application is authorized; or a redirection of the request to an authorized application on the device. The application-based controls may include redirecting the request to an authorized application on the device when the requesting application is legitimate but not authorized to access the resource. The cloud-based system can determine the application by analyzing the request body. The user device can connect to the cloud-based system using a proxy or a tunnel, and the node can then be configured to monitor traffic between the device and the Internet.

In a further embodiment, a method includes: a cloud-based system comprising a plurality of nodes communicatively connected to the Internet receives a network resource request from a user device; evaluates the request to determine the application on the user device associated with it; and, responsive to predefined policies, provides application-based controls of the request, based on both the determined application and the requested network resources, which limit which applications on a user device are able to access network resources. These application-based controls may include: denying the request if the application is not authorized to access the network resource; allowing the request if the application is authorized; or redirecting the request to an application on the user device that is authorized. The application-based controls can include redirecting the request to an authorized application on the device when the requesting application is legitimate but not authorized to access the resource. The method may also include receiving policies that define the applications and the network resources. Policies can include: (i) blocking network resources for specific applications, (ii) redirecting requests to another application, (iii) blocking a specific network resource from all applications, and (iv) warning when the application does not match the specific application required for the resource.
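The following is an added example, not code from the patent or from Zscaler, showing how a processing node could evaluate a request against the four policy types above and express the redirect as a response whose header carries the approved application's URL, as described earlier. The application names, hosts, policy entries, the `X-Client-App` header and the `app=` body marker used to identify the client application are all constructed assumptions for this example; a real deployment would identify the application from whatever request features it trusts.

```python
# Added example (not Zscaler's code): a policy evaluator for application-based
# controls. App names, hosts, policy entries and the X-Client-App / app= body
# conventions are constructed for this example.
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import quote


@dataclass
class Request:
    host: str
    path: str
    headers: Dict[str, str]
    body: bytes = b""


@dataclass
class Decision:
    action: str                      # "allow", "deny", "redirect" or "warn"
    status: int                      # HTTP status the node would return
    headers: Dict[str, str] = field(default_factory=dict)
    reason: str = ""


# Constructed policy set covering policy types (i)-(iv) from the text.
POLICY = {
    # (iii) resource blocked from every application
    "blocked_for_all": {"legacy.corp.example"},
    # (i) resource blocked for specific applications
    "blocked_for_app": {("mail.corp.example", "ThirdPartyMail")},
    # applications authorized for a resource; resources absent here are
    # non-critical and reachable from any application
    "authorized": {
        "files.corp.example": {"SecureBrowser"},
        "mail.corp.example": {"CorpMail"},
    },
    # (ii) redirect: resource -> (legitimate-but-unauthorized app, approved app URL)
    "redirect": {"files.corp.example": ("PersonalBrowser", "securebrowser://open")},
    # (iv) applications known to be legitimate; anything else is unknown
    "legitimate": {"SecureBrowser", "PersonalBrowser", "CorpMail", "ThirdPartyMail"},
}


def identify_app(req: Request) -> str:
    """Identify the client application from the request.

    Assumption for this example: cooperating apps send an X-Client-App header;
    otherwise look for an app= marker at the start of the body (the text says the
    node may inspect the HTTP body), then fall back to the User-Agent.
    """
    if "X-Client-App" in req.headers:
        return req.headers["X-Client-App"]
    if req.body.startswith(b"app="):
        return req.body.split(b"&", 1)[0][4:].decode("ascii", "replace")
    return req.headers.get("User-Agent", "unknown")


def evaluate(req: Request, policy=POLICY) -> Decision:
    app = identify_app(req)
    original_url = f"https://{req.host}{req.path}"

    if req.host in policy["blocked_for_all"]:
        return Decision("deny", 403, reason="resource blocked for all applications")
    if (req.host, app) in policy["blocked_for_app"]:
        return Decision("deny", 403, reason=f"resource blocked for {app}")

    allowed = policy["authorized"].get(req.host)
    if allowed is None or app in allowed:
        return Decision("allow", 200, reason="application authorized")

    # Unknown applications never reach a controlled resource.
    if app not in policy["legitimate"]:
        return Decision("deny", 403, reason=f"unknown application {app}")

    redirect = policy["redirect"].get(req.host)
    if redirect and redirect[0] == app:
        # Response header carrying the URL of the approved application, with the
        # originally requested resource passed along as a query parameter.
        location = f"{redirect[1]}?url={quote(original_url, safe='')}"
        return Decision("redirect", 302, {"Location": location},
                        reason=f"{app} is legitimate but not authorized; redirecting")

    # (iv) legitimate app that does not match the one required for the resource:
    # surfaced as a warning header (assumption about how the warning is delivered).
    return Decision("warn", 200, {"X-Policy-Warning": f"{app} not approved for {req.host}"},
                    reason="application mismatch")
```

The order of checks matters: the all-application block and per-application block are evaluated before any allow, so a misconfigured allow list cannot override a block, and an unidentified application is denied rather than warned.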

In one embodiment, a method implemented by one or more nodes of a cloud-based system for enforcing application-based control of network resources includes receiving a network resource request from a user device; evaluating the request through the cloud-based security system; determining the application performing the request on the user device; and performing one of the following: denying the access request if the application is not authorized, redirecting the access request to an authorized application on the user device if the requesting application is legitimate, but

The computer-executable instructions cause the processor to receive the request from the user device, evaluate it through the cloud-based system, determine the application on the device that is performing the request, and then perform one of the following: deny the request if the application is not authorized to access the network resource; redirect the request to an authorized application on the device if the requesting application is legitimate but not authorized to access the network resource; or allow the request if the application is authorized to do so.

The cloud-based system can redirect a request from an application that is legitimate but not authorized to access the network resource to an application on the device that is authorized.

The present disclosure, again, relates in various embodiments to client-application control systems and methods for cloud-based security systems, including for mobile devices. The systems and methods introduce the concept of "application-based control" to overcome the limitations described previously. Access to sensitive network resources can be limited based on the application used. With a cloud-based security system, otherwise uncontrolled access to network resources can be limited through application-based controls; in effect, role-based control is extended from users to applications. The IT administrator can implement application-level security controls through the cloud security system, restricting access to network resources to only whitelisted applications that meet the enterprise's security standards.

The systems and methods are designed to address the explosive growth of mobile devices, BYOD, etc. The proliferation of mobile apps and their associated risks poses a major threat to traditional security models and systems. Cloud-based systems secure data in transit, and they also ensure that network data can only be accessed by legitimate, secure applications. This prevents access to network resources through third-party apps, which pose a critical security risk for the enterprise, while still allowing users to access non-critical corporate assets using the applications of their choice, thus catering to BYOD.

Referring to FIG., a block diagram of a distributed system 100 is shown in one embodiment. The system 100 can be implemented, for instance, as an overlay network on a wide-area network (WAN), such as the Internet, or on a local area network (LAN). The system 100 contains processing nodes (PNs) 110 that detect and prevent the spread of security threats such as malware, spyware, and viruses, filter content, and perform Data Leakage Prevention (DLP). The processing nodes 110 can also log activity and enforce policy, including recording changes to various components and settings within the system 100. External systems include, for example, an enterprise system 200, computer devices 220, and mobile devices 230, or other computing and network systems that are communicatively connected to the system 100. In one embodiment, each processing node 110 can include a data inspection engine, such as a decision system, that operates on content items, such as a web page, file, email, or any other data or communication sent by or requested from an external system. In one embodiment, each processing node 110 processes all data destined for the Internet or received from it. In another embodiment, only data specific to each external system is processed by a processing node 110, for example only emails, only executables, etc.

Each processing node 110 can generate a decision vector D = [d1, d2, . . . , dn] for a content item having one or more parts C = [c1, c2, . . . , cm]. Each element of the decision vector can identify a threat class, e.g., clean, spyware, malware, unwanted content, innocuous email, spam, unknown, etc. The output of each element of the decision vector D may be based on the output of one or more data inspection engines. In one embodiment, the threat classification can be reduced to a subset of categories such as violating, non-violating, neutral, or unknown. Based on the subset classification, the processing node 110 may allow distribution of the content item, prevent its distribution, allow distribution after a cleaning procedure, or perform threat detection on the content item. In one embodiment, the actions taken by a processing node 110 are determined by the threat classification of the content item and the security policy of the external system to or from which the item is sent. A content item is classified as violating if, for any part of C = [c1, c2, . . . , cm], any one of the data inspection engines at any of the processing nodes 110 generates an output that results in a classification of 'violating'.
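The decision-vector logic above, as an added example that is not the patent's or Zscaler's code: two constructed stand-in inspection engines each emit a threat class per part of a content item, the node assembles D from those outputs, reduces each class to the subset named in the text, and the item is violating if any engine on any part reports a violating class. The engines, threat-class mapping, content items and the policy-to-action table are constructed; the precedence among the non-violating outcomes (unknown before neutral) is an assumption, since the text only fixes the violating rule.

```python
# Added example (not the patent's code): building and reducing the decision
# vector D for a content item C. Engines, classes and inputs are constructed.
from typing import Callable, Dict, List, Sequence

# Map each engine's threat class onto the reduced subset named in the text.
REDUCED: Dict[str, str] = {
    "clean": "non-violating",
    "innocuous email": "non-violating",
    "malware": "violating",
    "spyware": "violating",
    "spam": "violating",
    "unwanted content": "neutral",
    "unknown": "unknown",
}

Engine = Callable[[bytes], str]


def signature_engine(part: bytes) -> str:
    """Constructed stand-in for a signature-based data inspection engine."""
    return "malware" if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in part else "clean"


def heuristic_engine(part: bytes) -> str:
    """Constructed stand-in for a heuristic/content engine."""
    if b"\x00" in part:
        return "unknown"               # binary blob this engine cannot parse
    if b"BUY NOW" in part:
        return "spam"
    if b"tracker.example" in part:
        return "spyware"
    if b"casino" in part:
        return "unwanted content"
    return "clean"


def decision_vector(C: Sequence[bytes], engines: Sequence[Engine]) -> List[str]:
    """D = [d1, ..., dn]: one element per (part, engine) pair, so n = m * len(engines)."""
    return [engine(c) for c in C for engine in engines]


def classify_item(C: Sequence[bytes], engines: Sequence[Engine]) -> str:
    """Item-level class: violating if any element is violating (as the text states);
    otherwise unknown, then neutral, then non-violating (precedence is an assumption)."""
    reduced = [REDUCED.get(d, "unknown") for d in decision_vector(C, engines)]
    for level in ("violating", "unknown", "neutral"):
        if level in reduced:
            return level
    return "non-violating"


# Constructed security policy for one external system: reduced class -> node action.
POLICY_ACTIONS = {
    "violating": "block",
    "unknown": "block",                # fail closed on content no engine could classify
    "neutral": "allow-after-cleaning",
    "non-violating": "allow",
}


def action_for(C: Sequence[bytes], engines: Sequence[Engine], policy=POLICY_ACTIONS) -> str:
    """The action a processing node takes for content item C under the given policy."""
    return policy[classify_item(C, engines)]


ENGINES = (signature_engine, heuristic_engine)
```

Because the reduction maps unknown to block in this constructed policy, a part that no engine can parse (for example an unexpected binary attachment) is held rather than passed, which is the fail-closed choice a defender would usually want for a content item on its way into the enterprise.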

Each of the processing nodes 110 can be implemented using one or more computer and communication devices, such as server computers, gateways, switches, etc. (see FIG. 3). In one embodiment, the processing nodes 110 can serve as an access layer 150. The access layer 150 may provide external access to the security system 100. In one embodiment, each processing node 110 may include Internet gateways, servers, and/or other devices. The processing nodes 110 may also be distributed geographically, for example across a region, a country, a campus, etc. A service agreement between the provider of the system 100 and the owner of an external device may allow the system 100 to provide security to the external device at any location in the geographical region.

The system 100 can monitor data communications in different ways depending on the size of the external system and the amount of data it requires. An enterprise 200, for example, may have several routers, switches, etc. The routers, switches, etc., may be configured to establish communications through the nearest (in terms of traffic communication time, for example) processing node 110. A mobile device 230 can be configured to communicate with the nearest processing node 110 via any available wireless access device, such as a gateway or an access point. The browser and email programs of a single computer device 220, such as a consumer's personal computer, can be configured to connect to the nearest processing node 110, which in turn acts as a proxy for that computer device. An Internet service provider could have all of its customer traffic routed through the processing nodes 110.

In one embodiment, authority nodes (ANs) 120 may communicate with the processing nodes 110. The authority nodes 120 can store policy data and distribute it to the processing nodes 110. The policy data can, for example, define security policies that apply to a protected system. Examples of policy data include user access privileges, disallowed web sites or content, restricted domains, etc. In one embodiment, the authority nodes 120 may also distribute threat data that includes classifications of content according to threat categories, such as a list of spam email domains, a list of phishing sites, or a list of known viruses. Push and pull distribution schemes are described below in greater detail. In one embodiment, the authority nodes 120 can be implemented using one or more computers and communication devices, for example the server 300 shown in FIG. 3. In some embodiments, the authority nodes 120 may act as an application layer 170. The application layer 170 can, for example, manage and provide threat data, policy data, and data inspection engines for the processing nodes 110.

Other functions may also be provided at the application layer 170, for example a user interface (UI) front end 130. The user interface front end 130 can provide an interface through which users define and provide security policies, for example whether email traffic should be monitored, which web sites are excluded, etc. The user interface front end 130 can also provide security analysis and log reporting capabilities. Logging nodes (LNs) 140 serve as a data logging layer 160 and store the underlying data used for security analysis and log reports. Each logging node 140 may store data relating to the security operations and the network traffic processed for each external system. In one embodiment, the logging node data may be anonymized to remove or obscure data that identifies an enterprise or user. For example, the identifying data can be removed in order to present an overall summary of security processing across all users and enterprises without revealing any account's identity. In another embodiment, identifying data may be obfuscated (e.g., by providing a random number each time it is accessed), so that an overall summary of security processing can be broken down per account for all users and enterprises without revealing any account's identity. In another embodiment, identifying data or logging node data 140 may be further encoded, e.g., so that only the enterprise (or the user, if it is a single-user account) has access to the logging node data 140 for its account. Other processes for anonymizing, obscuring, or securing the logging node data 140 are possible. As described in this document, systems and methods for tracking and auditing changes in a cloud-based multi-tenant system can be implemented, for example, in the data logging layer 160.
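The three treatments of logging-node data just described, as an added example that is neither the patent's nor Zscaler's code: stripping identifying fields for a cross-tenant summary, replacing them with a fresh random token on every access so a summary can still be broken down per account, and encoding them so that only the owning enterprise can match rows to identities. The log records and tenant keys are constructed; the HMAC-keyed pseudonym in the third mode is an assumption standing in for whatever encoding the real system applies.

```python
# Added example (not Zscaler's code): three anonymization modes for logging
# node data. Records, tenant keys and the HMAC pseudonym scheme are constructed.
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List

IDENTIFYING = ("enterprise", "user")

# Constructed log records as a logging node 140 might store them.
RECORDS: List[Dict[str, str]] = [
    {"enterprise": "acme", "user": "alice", "app": "SecureBrowser", "action": "allow"},
    {"enterprise": "acme", "user": "bob", "app": "PersonalBrowser", "action": "redirect"},
    {"enterprise": "globex", "user": "carol", "app": "ThirdPartyMail", "action": "deny"},
]


def strip_identifiers(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mode 1: drop identifying fields; only a cross-tenant summary remains possible."""
    return [{k: v for k, v in r.items() if k not in IDENTIFYING} for r in records]


def pseudonymize_per_access(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mode 2: replace identifiers with random tokens generated for this access.
    Tokens are consistent within one result set (so the summary can be broken
    down per account) but are not linkable across separate accesses."""
    tokens: Dict[tuple, str] = {}
    out = []
    for r in records:
        row = dict(r)
        for k in IDENTIFYING:
            row[k] = tokens.setdefault((k, r[k]), secrets.token_hex(8))
        out.append(row)
    return out


def encode_for_tenant(records: List[Dict[str, str]],
                      tenant_keys: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Mode 3: keyed pseudonyms under a per-tenant secret. Only a holder of the
    tenant's key can recompute the pseudonym for a given user and so match log
    rows back to its own identities; other tenants and the operator's summary
    views see opaque values."""
    out = []
    for r in records:
        key = tenant_keys[r["enterprise"]]
        row = dict(r)
        for k in IDENTIFYING:
            row[k] = hmac.new(key, f"{k}:{r[k]}".encode(), hashlib.sha256).hexdigest()[:16]
        out.append(row)
    return out


def summary_by_action(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Overall summary; works on any of the three views."""
    return dict(Counter(r["action"] for r in records))


def per_account_summary(records: List[Dict[str, str]]) -> Dict[tuple, int]:
    """Per-account breakdown; needs mode 2 or 3 (mode 1 has no account field)."""
    return dict(Counter((r["enterprise"], r["action"]) for r in records))
```

The per-tenant key in mode 3 must live with the enterprise's own key material, not alongside the logs, otherwise the encoding degrades to mode 2 with a fixed token.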

In one embodiment, the external systems may include an access agent 180. The access agent 180, for example, is deployed within the enterprise 200. The access agent 180 can, for example, facilitate security processing by providing a hash of files on a client device to one of the processing nodes 110, or it may facilitate authentication functions by allowing one of the processing nodes 110 to perform them. The access agent 180 may facilitate other functions and processes as well. In one embodiment, a processing node 110 can act as a forward proxy that receives user requests addressed directly to it. In another embodiment, a processing node 110 can act as a transparent proxy that receives user requests passed through it. An enterprise 200 or other protected system may choose to use either mode. In forward proxy mode, a browser, for example, can be configured manually or via the access agent 180 to use the processing node 110 as a forward proxy, so that all accesses are directed explicitly to the processing node 110.

In one embodiment, an enterprise gateway may be configured to route user requests through the processing node 110 by creating a communication tunnel. Existing protocols, such as Layer 2 Tunneling Protocol (L2TP) or Generic Routing Encapsulation (GRE), can be used to establish the tunnel. In another embodiment, processing nodes 110 may be deployed at Internet service provider (ISP) nodes. ISP nodes can redirect traffic to the processing nodes 110 in transparent proxy mode. A Multiprotocol Label Switching (MPLS) class of service can be used by protected systems, such as the enterprise 200, to indicate the traffic that needs to be redirected. The access agent 180, for example, may be configured within the enterprise 200 to perform MPLS labeling. In another transparent proxy mode implementation, a protected system, such as the enterprise 200, can identify the processing node 110 as a next-hop router for communication with external systems.
