USOO886.3298B2
(12) United States Patent (10) Patent No.: US 8,863,298 B2 Akella et al. (45) Date of Patent: Oct. 14, 2014
(54) SECURE VIRTUAL FILE MANAGEMENT USPC ...... 726/26, 28, 29; 713/189 SYSTEM See application file for complete search history. (71) Applicant: Mobile Iron, Inc., Mountain View, CA (56) References Cited (US) U.S. PATENT DOCUMENTS (72) Inventors: Venkata Sastry Akella, San Jose, CA 7,870,315 B2 1/2011 Moon (US); Rahul Sharma, San Jose, CA 2005, 0198061 A1 9, 2005 Robinson et al. (US); Sanjeev Krishnan, Bangalore 2007/0050620 A1 3/2007 Pham et al. (IN); Babu Srinivasan, Bangalore (IN) (Continued) (73) Assignee: Mobile Iron, Inc., Mountain View, CA OTHER PUBLICATIONS (US) Author Unknown, BackDoor. Generic 10. ACXS Info, Fix BackDoor. (*) Notice: Subject to any disclaimer, the term of this Generic 10. ACXS PC Errors, How to Guides to Fix Windows Errors patent is extended or adjusted under 35 Fix any PC Errors Fast and Easy Complete How-to PC Fix Guides, U.S.C. 154(b) by 0 days. p. 1-10, Aug. 2010, http://www. pcerrorsfix.org/howtofix/fix BackDoor. Generic 1 O.ACXS-error.html. (21) Appl. No.: 13/734,545 Primary Examiner — Edward Zee (22) Filed: Jan. 4, 2013 (74) Attorney, Agent, or Firm — Van Pelt, Yi & James LLP Prior Publication Data (65) (57) ABSTRACT US 2013/021917.6 A1 Aug. 22, 2013 A virtual file management system provides user access to Related U.S. Application Data managed content on mobile devices. The system comprises storage domains storing the managed content distributively (60) Provisional application No. 61/584,112, filed on Jan. 6, 2012, provisional application No. 61/724,966, filed using file systems, and a data infrastructure that organizes the on Nov. 10, 2012, provisional application No. managed content into a virtual file system that maintains 61/725,004, filed on Nov. 11, 2012, provisional information of storage domain specific file system primitives application No. 61/725,007, filed on Nov. 11, 2012. for accessing corresponding portions of the managed content. The data infrastructure, which maintains metadata of the Stor (51) Int. C. age domains and the mobile devices, comprises a policy H04L 29/06 (2006.01) definition and decision component that maintains policies G06F 7/30 (2006.01) defining controls for permissible operations on the managed G06F2L/62 (2013.01) content, the permissible operations including the file system (52) U.S. C. primitives. A client application hosted on the mobile devices CPC ...... G06F 17/302.33 (2013.01); H04L 63/0815 is coupled to the data infrastructure and the storage domains (2013.01); G06F 222 1/21 11 (2013.01); H04L and includes an enforcement component that communicates 63/0435 (2013.01); G06F 21/6218 (2013.01) with the policy definition and decision component to retrieve USPC ...... 726/26: 713/189 and enforce the policies by applying the controls on the (58) Field of Classification Search mobile devices. CPC ...... G06F 21/60; G06F 21/604: GO6F 21/62: GO6F 21 F6218 76 Claims, 36 Drawing Sheets
150-s generate symmetrickey Ks(document) at device per documentasis 1520-1s. Encrypt the document with Ks(document) 1530-1s. Wrap Ksdocument) with Kmclass} 1540-s envelope the encrypted document with wrapped key
Customer MasterKeys Kr Secure Key distribution and Management Protocol as a 530 Class A Class B Class C
1520 US 8,863.298 B2 Page 2
(56) References Cited 2009.0125902 A1 5, 2009 Ghosh et al. 2010, O257351 A1 10, 2010 O’Connor et al. U.S. PATENT DOCUMENTS 2011/OO47557 A1 2/2011 Koskimies 2011/0246427 A1 10, 2011 Modak et al. 2007/OO78775 A1 4/2007 Huapaya et al. 2011/025.2071 A1* 10, 2011 Cidon ...... 707/8O2 2008/0059.787 A1 3/2008 Hohenberger et al. 2009,0006334 A1 1/2009 MacLaurin et al. * cited by examiner U.S. Patent Oct. 14, 2014 Sheet 1 of 36 US 8,863,298 B2
Service/Policy 130 Management / Console Enterprise
Data Plane: Direct Connect N ECM Tablet
Averall Smart Content SeCure VPN Connect Exchange PhOne Control Plane Service
(CloudXchange) HTML5 Cloud Storage Control Plane 110 12O Tablet | COUd ECM
Cloud Storage
Cloud Storage Device NOde Cloud Service NOde Cloud Storage / Y NOdes 140 18O Y 150 COntrol Plane Data Plane: Direct Connect
FIG. 1 U.S. Patent Oct. 14, 2014 Sheet 2 of 36 US 8,863,298 B2
Averal Customer so AVe rail ACCOUntsAuditReports and Roles Monitoring Analytics and Insights
FederatedEnterprise identity Model Customer ACCOUnt AverallUser identity Customer in ( ACCount User Principal ae 210
MicroSoft Af E38F865 Windows Server
FIG. 2A U.S. Patent Oct. 14, 2014 Sheet 3 of 36 US 8,863,298 B2
Averail Customer ACCounts and Roles AVe a Audit Reports Monitoring Analytics and Insights
Federated Content Forest
Storage Domains
Microsoft 3 SharePoint 2000 iCloud
a. http:ll teams alsTeam1 Team? Team H a E E as a EE i EEE EEE SharePoint Team Sites
220
FIG. 2B U.S. Patent Oct. 14, 2014 Sheet 4 of 36 US 8,863.298 B2
AVerail Customer AVerail ACCOuntsAudit Reports and Roles Monitoring Analytics and Irisights
Device Management / Y iOS I As WindoWSPut people first.PhOne 1. Device configuration and settings 2. Device posture 3. Device management policies
FIG. 2C U.S. Patent Oct. 14, 2014 Sheet 5 of 36 US 8,863,298 B2
Averal Customer AVerail ACCOuntsAudit Reports and Roles Monitoring Analytics and Insights
Policy and Authorization Model 240 SSS it
Averail SharePoint, Box, Users Groups Policies Office365 policies G Magne s ComplianceOllaboration and Sharing Šsy (SS& (SSŠs 244 Sg domains t Synchronizationross-domain routing Permissions Mobile Application Device management
FIG. 2D U.S. Patent Oct. 14, 2014 Sheet 6 of 36 US 8,863.298 B2
DOCument Control Plane 350 Separation of Secure Document Control Plane and Data Plane - DOCument Control Plane 3& Averall Cloud Service Dropbox Cloud-hosted Storage for Consumers
350w 310 -
DOCuments 320 Isaia,OCure Control Plane g Cloud-hosted Y Enterprise Content Policy Management Systems/ MicroSoft SecurelDOCu ent (document) Office 365 - Source Policy (document)
7 NFS/CFS Permissions On-premise Shared Drives (document) Enterprise Content
Management Systems
DOCument
FIG. 3
U.S. Patent US 8,863,298 B2
@
S"OIH
U.S. Patent US 8,863,298 B2
9"OIH
U.S. Patent Oct. 14, 2014 Sheet 10 of 36 US 8,863,298 B2
ACXSISVDM
710 Policy Management System
Rest APIs Secure Lockbox Over
Key Management Key Distribution
U.S. Patent Oct. 14, 2014 Sheet 11 of 36 US 8,863,298 B2
Mobile Device Averail Application 82O Policy Enforcement MOCule 810
833 Key Management Module
830 Encryption MOdule 836 840 DOCument Viewer/ Editor
doCuments
file system 850
FIG. 8 U.S. Patent Oct. 14, 2014 Sheet 12 of 36 US 8,863.298 B2
Groups federated from Storage Domains
Standard Groups Owners Members Visitors Viewers
Custom Groups Examples: On-premise Employees Offsite Employees (3 Partners Customers User Principal Active Directory A7 Distribution Groups WindoWS Server Security Groups Active Directory
FIG. 9 U.S. Patent Oct. 14, 2014 Sheet 13 of 36 US 8,863.298 B2
U.S. Patent Oct. 14, 2014 Sheet 14 of 36 US 8,863,298 B2
TIVHAAVA NIWCW U.S. Patent US 8,863,298 B2
{{II"OIH
U.S. Patent Oct. 14, 2014 Sheet 17 of 36 US 8,863.298 B2
5
@| U.S. Patent Oct. 14, 2014 Sheet 18 of 36 US 8,863.298 B2
Cloud Storage CS1
Policy Enforcement Module
Secure DOCument on cloud
Key Encryption for consumer cloud Management DocumentViewerl Module Editor Storage \ 1440 Encryption Averail Module Application 410 -/ Document-level encryption based on document-level policy
Policy (document) Document Offline and local storage 1420 ------Y- File System encryption
Device-level hardware encryption / 1430 FIG. 14 U.S. Patent US 8,863,298 B2
U.S. Patent Oct. 14, 2014 Sheet 20 of 36 US 8,863.298 B2
01919"{OIH[
/
U.S. Patent US 8,863.298 B2
U.S. Patent Oct. 14, 2014 Sheet 22 of 36 US 8,863,298 B2
Secure Virtual Document Management System
Secure Document Secured by Averail
Document Security Validation Stamp FIG. 18 U.S. Patent Oct. 14, 2014 Sheet 23 of 36 US 8,863,298 B2
1930
Application 1 Averal 1940 Application
1930
w 1960 Y, 1940 – Application 2 s
Dropboxp
AL = ACXS Library
ACXS - SWFMS Cloud Service
1920 FIG. 19 U.S. Patent Oct. 14, 2014 Sheet 24 of 36 US 8,863,298 B2
200 - s Editor Application
- 2020
AL = ACXS Library
Virtual File 2030 System
Cloud Storage
2040 U.S. Patent Oct. 14, 2014 Sheet 25 of 36 US 8,863,298 B2
2OO Company/Enterprise Policies
Additional 2200 PhoneDevice Policies
Additional UserlGroup Policies 2300
inherited Policies
FIG 21 U.S. Patent US 8,863.298 B2
"OIHZZ U.S. Patent Oct. 14, 2014 Sheet 27 of 36 US 8,863.298 B2
WebProxy
Client Server
IO Proxy ACXS Server
HTTP GET, PUT, POST, DELETE FIG. 23 U.S. Patent Oct. 14, 2014 Sheet 28 of 36 US 8,863,298 B2
IO Proxy Establish Connection with ACXS
2420 ACXSAWaits Event
User Initiates Request 2430
ACXS Detects 2440 Request
ACXS issues Reverse HTTP N - 2450 Commands
IO Proxy Retrieves Content from Sharepoint
IO Proxy Returns 2470 Content to ACXS
ACXS Returns Content to User
FIG. 24
U.S. Patent Oct. 14, 2014 Sheet 30 of 36 US 8,863.298 B2
| | | | | | | | | | | |
U.S. Patent Oct. 14, 2014 Sheet 31 of 36 US 8,863,298 B2
Layer 5 SharePoint, CFSINFS, AD
GetMetadata, CreateDoc/Folder, GetPolicy, Layer 4 GetContent, SnycChanges, CheckReachability Security: Authorization Layer3 Authentication Encryption
Layer 2 -O Protocol
Layer 1 HTTP, Polling
FIG. 26 U.S. Patent US 8,863,298 B2
LZ'OIH
U.S. Patent US 8,863,298 B2
OIH8Z,
U.S. Patent US 8,863,298 B2
U.S. Patent US 8,863.298 B2
U.S. Patent Oct. 14, 2014 Sheet 36 of 36 US 8,863,298 B2
&
US 8,863,298 B2 1. 2 SECURE VIRTUAL FILE MANAGEMENT operating system (e.g., WindowsTM)—dominant IT environ SYSTEM ments using enterprise content management services (e.g., SharePointTM) and directory services (e.g., Active Direc RELATED APPLICATIONS toryTM). In some cases, users are explicitly blocked from accessing enterprise content. For example, IT may block This application claims the benefit of Application No. mobile devices from access to enterprise content rather than 61/584,112, filed Jan. 6, 2012. granting selective access under right policies and permis This application claims the benefit of Application No. sions. System configurations and device or server-specific 61/724,966, filed Nov. 10, 2012. issues may further limit accessibility, hamper ease of use or This application claims the benefit of Application No. 10 reduce functionality. For example, users without single sign 61/725,004, filed Nov. 11, 2012. on capabilities have to repeatedly enter different credentials This application claims the benefit of Application No. to access separate systems (if they can even get to them). 61/725,007, filed Nov. 11, 2012. Internet add-on (e.g., ActiveXTM) controls that are widely 15 used in browser based interfaces for enterprise content man TECHNICAL FIELD agement services (e.g., SharePointTM) are not supported on The embodiments described herein relate generally to the certain mobile device operating systems (e.g., iOSTM and control of enterprise content across and among a plurality of Android TM). Additionally, user interfaces designed for access communication storage locations including on-premise con from web browsers on personal computers (PCs) do not map tent management systems, cloud based enterprise content easily to the newer, touch based user interfaces (UIs) preva management systems, and cloud based storage services. The lent on mobile devices. To address these problems, many end embodiments described herein provide secure access from users take matters into their own hands and manually manage mobile devices to content across these endpoints while and copy content between their notebook or desktop PC and enforcing policies and monitoring/tracking/controlling their mobile devices. This creates unnecessary work for end mobile device use of managed content. 25 users, and puts the burden on them to manage synchroniza tion to ensure possession of the right files at the right time. BACKGROUND The end result of all of these challenges is that mobile device users receive a degraded experience and level of service on Users and organizations are increasingly adopting a bring their mobile devices. your-own-device plan in the enterprise environment 30 While users get frustrated at their degraded level of service, (BYOD). A BYOD plan comprises enterprise accommoda IT has its own headaches. For example, users who take things tion of personal mobile device operation (including smart under their control to bypass IT/enterprise policies create new phones and tablets) within the enterprise. These devices are problems in terms of governance and information security. either managed by company Information Technology (IT) When users bypass approved processes and systems, they personnel using Mobile Device Management (MDM) solu 35 compromise business governance, compliance, auditing tions or remain unmanaged. In the IT managed scenario, requirements, record management policies and information managed devices a) are securely provisioned in the enterprise confidentiality and privacy. These problems become worse as environment, b) receive IT-approved configurations for enter users get more experience with a multitude of consumer prise Wi-Fi including authentication, access, password pro centric tools and services ranging from mobile applications tections and other enterprise configuration settings, c) are 40 (“apps') to cloud services (e.g., BoxTM, DropboxTM, Subject to monitoring for compliance with IT policies, and d) iCloudTM). The boundary between a user's personal content may be remotely wiped and locked. When mobile devices are and enterprise information is becoming increasingly blurry. unmanaged, the onus falls on the user to configure settings on There is a need to balance improved user experience (UX) and the device and Support it. choice of cloud services, against enterprise requirements to In either the managed or unmanaged scenario, mobile 45 enforce information security, policy compliance and confi devices are typically deemed 'second class' and/or unsecure dentiality. devices and are not granted similar permissions to other com puting endpoints within an organization. Mobile device users INCORPORATION BY REFERENCE may receive access to email, contacts and calendarthrough an email application (e.g., Microsoft ExchangeTM) and mobile 50 Each patent, patent application, and/or publication men data synchronization applications (e.g., Active SyncM), but tioned in this specification is hereinincorporated by reference that's it. Obviously, as the number of newer, full featured in its entirety to the same extent as if each individual patent, mobile devices continues to grow inside organizations, there patent application, and/or publication was specifically and will be increasing pressure from employees to access more individually indicated to be incorporated by reference. content and more services within the enterprise. The Averail 55 system (e.g., also referred to herein as Averail) described BRIEF DESCRIPTION OF THE DRAWINGS herein focuses specifically on delivering a key building block to empower mobile device users with access to enterprise FIG. 1 is an example of an end-to-end view of the ACXS content while maintaining necessary security and control for service, under an embodiment. organizations. 60 FIG. 2A is an example of a logical federated identity data In a typical enterprise environment users, both managed model, under an embodiment. and unmanaged mobile devices enjoy less access to enterprise FIG. 2B is an example of a logical federated content forest content (e.g. files, documents) contained in on-premise enter metadata model, under an embodiment. prise content management (ECM) systems than IT approved FIG. 2C is an example of logical device management date desktop/laptops. The limitations become more obvious as 65 model, under an embodiment. users bring in mobile devices including mobile device oper FIG. 2D is an example of a logical policy and authorization ating systems (e.g., iOSTM and AndroidTM) devices to desktop model, under an embodiment. US 8,863,298 B2 3 4 FIG. 3 is an example of the ACXS implemented control FIG. 30 shows a cloud web proxy service, under an plane, under an embodiment. embodiment. FIG. 4 is a description of Averail managed containers, FIG. 31 shows an end-to-end view of IRM, under an under an embodiment. embodiment. FIG. 5 shows an embodiment of an ACXS system that 5 restricts cross-domain routing across and among cloud and DETAILED DESCRIPTION ECM locations, under an embodiment. FIG. 6 shows a federated set of user identity and credentials Averail Cloud Content Exchange (“CloudXchange' or corresponding to the federated ECM and cloud storage ser ACXS) service, also referred to herein as Averail or the vices, under an embodiment. 10 Averail system, is a cloud-hosted service that provides secure FIG. 7 shows the key components of the SVFM system as access from mobile devices (Smartphones and tablets) to an implemented within ACXS cloud based architecture, under aggregated set of on-premise Enterprise Content Manage an embodiment. ment (“ECM) and/or storage systems and cloud storage FIG. 8 shows key components of the Averail application services. These ECM and cloud storage services can include, running on a mobile device, under an embodiment. 15 FIG. 9 shows groups federated from underlying storage for example, on-premise SharePointTM, Office 365TM with domains under an embodiment. SharePoint OnlineTM, DropboxTM, iCloudTM, Google DocsTM FIG. 10 is an example of a policy/service management and BOX NetTM. console under an embodiment. FIG. 1 is an example of an end-to-end view of the ACXS FIG. 11 illustrates the use of the administrative console to service. The figure shows a device node 140, a cloud storage define groupS/sites, under an embodiment. node 150, an enterprise node 130 and a cloud service node FIG. 12 is an example of a policy management Screen of 180. The device node 140 includes one or more of a smart administrative console, under an embodiment. phone, a tablet or a web browser client. A smartphone device FIG. 13 is an example of a policy management system of may an iPhoneTM device running a mobile device operating the ACXSSVFM system under an embodiment. 25 system (e.g., iOSTM), an AndroidTM device running a mobile FIG. 14 illustrates the varying levels of encryption applied device operating system (e.g., the Android TM operating sys under the ACXSSVFM system, under an embodiment. tem) or a WindowsTM phone running a mobile device operat FIG. 15 is an example of Averail document encryption, ing system (e.g., the WindowsTM operating system). A tablet under an embodiment. device may include any mobile tablet platform running any FIG. 16 shows the secure lockbox maintained on the 30 one of the above referenced operating systems (for example, ACXS, under an embodiment. the iPadTM running iOSTM). The enterprise node 130 includes FIG. 17 shows secure transfer of content to third party enterprise content management services (e.g., Windows application, under an embodiment. Server Active DirectoryTM, Microsoft SharePointTM). The FIG. 18 shows delivery of secured documents to client enterprise node may also include local shared drive solutions applications using a document security validation stamp or a 35 that provide shared access to enterprise content/files. Such trusted document icon, under an embodiment. systems include Network File System (NFS), Distributed File FIG. 19 is an example of third party applications using the System (DFS), and/or Server Message Block (SMB), also Averail client library, under an embodiment. known as Common Internet File System (CIFS). The cloud FIG. 20 is an example of an editor application using the node 150 includes cloud based storage services and/or appli Averail client library, under an embodiment. 40 cations including, for example, DropboxTM, iCloudTM, FIG. 21 is an example of ACXS system algorithmically Google DocsTM and Box.NetTM. The cloud node 150 also generating a policy, under an embodiment. includes cloud hosted enterprise content management solu FIG. 22 shows the “inside out” proxy system, under an tions such as Microsoft Office 365TM. The device node 140, embodiment. cloud storage node 150, and an enterprise node 130 are FIG. 23 displays the communication framework in place 45 coupled to the cloud services node 180. The cloud services between the IO proxy and the ACXS, under an embodiment. node includes the ACXS cloud based service 110 hosted in a FIG. 24 shows flow diagram of communications between public or private cloud under an embodiment. The Smart ACXS and enterprise storage (e.g., SharePointTM) using IO phone, tablets and web browser as seen in FIG. 1 run Proxy, under an embodiment. instances of the Averail application that broker user commu FIG. 25A shows establishment of communication between 50 nications with enterprise and cloud content through the ACXS and enterprise storage (e.g., SharePointTM) using IO ACXS Service. Proxy, under an embodiment. The Averail cloud based service implements a cloud based FIG.25B shows establishment of communication between secure virtual file management system/service 120 (SVFM) ACXS and enterprise storage (e.g., SharePointTM) using IO as described in greater detail below. In the descriptions and Proxy, under an embodiment. 55 embodiments set forth below, the SVFM system/service may FIG. 26 shows communication layers that provide HTTP be referred to as the ACXSSVFM system/service, the Averail protocol access to enterprise documents and data sitting CloudXchange system/service or ACXS system/service. One behind a firewall using existing enterprise communications skilled in the art will understand that the ACXS cloud based and storage infrastructures, under an embodiment. service in cooperation with the Averail mobile application FIG. 27 shows movement of content from enterprise stor 60 provides the core functionality of the secure virtual file man age (e.g., SharePointTM) to ACXS servers (and Averail appli agement system. Accordingly, each of the terms SVFM sys cation) together with enforcement of policies and encryption, tem/service, the Averail CloudXchange system/service or under an embodiment. ACXS system/service contemplate interaction with the FIG. 28 shows risk/leak vectors under existing enterprise Averail mobile application and its functionality. Further, the deployed ILP/DLP solutions, under an embodiment. 65 term secure virtual file management (SVFM) may under an FIG. 29 shows risk/leak vectors under existing enterprise embodiment be used interchangeably with secure virtual deployed ILP/DLP solutions, under an embodiment. document management (SVDM). US 8,863,298 B2 5 6 As indicated above, the Averail CloudXchange service in node comprising mobile devices, tablets and/or web clients. cooperation with the Averail mobile application enables a The mobile devices include the Averail mobile application secure virtual file management system with a wide range of running on a mobile device operating system (e.g., iOSTM, mobile device user functionalities. The ACXSSVFM enables AndroidTM, Windows PhoneTM and Windows 8TM platforms). mobile users (of Smartphones and tablets) to easily and The Averail system includes a cloud based node which imple securely access and manage content (documents, media, ments the Averail CloudXchange service (ACXS). The cloud workspaces, sites) across both on-premise ECM and cloud based ACXS is deployed and operated on public and/or pri storage services. The ACXSSVFM enables mobile users to vate cloud computing platforms. The Averail ACXS service collaborate with other users (partners, customers, offsite uses the primitives and services of an underlying cloud based employees) and share content across on-premise and cloud 10 computing platform. As one example these underlying Ser storage services seamlessly and securely. The ACXSSVFM vices may include computing, storage, relational databases, enables first class experience for enterprise mobile device structured and blob Storage stores, and virtual private cloud users (for both IT managed and non-IT managed) who want to services. The Averail end-to-end system further includes an access and manage on-premise ECM Systems and docu enterprise node environment containing enterprise applica ments. The Averail mobile application is a “full client' that 15 tions, ECM systems, file storage systems, Active Directory enables users to view, edit, annotate and share (with other domain/federation servers and virtual private network (VPN) applications and users) documents. The ACXS SVFM appliances. Finally the Averail system includes one or more ensures that enterprise/IT requirements and policies for cloud storage services and ECM Systems. Examples include authentication, authorization, access control, auditing, busi Box.netTM, DropboxTM, iCloudTM, Office365.comTM, Google ness and IT policy compliance, records management, privacy DocsTM, and Microsoft SkyDriveTM, etc. and information management are not compromised. Users Each node represents an architected collection of sub can access content under different access and topology sce systems and components that provides a defined set of Ser narios—whether offsite on mobile cellular network, on-site vices and functionality as part of the overall system. A node on WiFi or offline. The ACXSSVFM enables IT administra connects and interfaces (using different technologies—for tors and enterprise content administrators to define policies, 25 example, Representational State Transfer (REST) web ser groups, permissions, configuration settings for secure content vices interfaces over Hypertext Transfer Protocol (HTTP) management. between Averail mobile application and ACXS cloud service) The SVFM implements a suite of encryption and policy with one or more other nodes to define the overall end-to-end control Solutions across a plurality of traditionally siloed architecture. The system architecture specifies the normative storage services, ECM Systems and applications. Under con 30 reference architecture for each node, interfaces and interac ventional document management systems, policy enforce tions across nodes and the entire end-to-end system. This ment, encryption methods and authentication/access controls reference architecture can be realized using different software are tightly coupled with the underlying system itself. A technologies (for example: Amazon Web ServiceTM (AWS) or decoupling of content from the document management sys Windows AzureTM can be the underlying cloud computing tem degrades or eliminates the efficacy of security controls. 35 platform, public or private cloud) and conforms to the overall As one example, existing encrypted file systems including system requirements and architecture framework. encFS and ecryptFS are tightly integrated with OS-specific The ACXS architecture described below focuses on both file system and encryption mechanisms or are device specific logical model and physical deployment model. Depending on in case of hardware encryption. The movement of content the scale of the Averail services, logical components can be from encrypted file system to other systems/repositories and 40 deployed in different physical topologies and configurations. devices breaks the security by decoupling the content from its In the following description, numerous specific details are security controls (encryption, policies and permissions) and introduced to provide a thorough understanding of, and thereby increasing vectors for information leakage. As enabling description for, the ACXS systems and methods another example, existing Enterprise content management described. One skilled in the relevant art, however, will rec systems and cloud-based storage systems enforce controls 45 ognize that these embodiments can be practiced without one within a “fenced' perimeter. Users see each system as an or more of the specific details, or with other components, end-to-end silo: Each system has its own mobile/desktop/web systems, etc. In other instances, well known structures or application that is tightly coupled with underlying Storage operations are not shown, or are not described in detail, to repository and security mechanisms. Security controls (en avoid obscuring aspects of the disclosed embodiments. cryption, policies, permissions, rights management), content 50 The AXCS service maintains a logical data model for each management and storage/repository are tightly coupled and enterprise customer of the Averail service. FIGS. 2A-2D are specific to each system. Movement of content from Source show the logical data model under an embodiment. The logi system to other systems/repositories and devices breaks the cal data model includes a federated identity model, a policy security by decoupling the content from its security controls and authorization model, a federated content forest model, and thereby increasing vectors for information leakage. 55 and a device management model. The ACXS service com The Averail CloudXchange service is a secure virtual file bines information from the logical data models (on a per management system that is cloud-hosted service and provides customer basis) to perform its cloud-side part of the function secure access from mobile devices (Smartphones and tablets) ality related to federation of cloud storage and on-premise to a federated set of on-premise ECM/storage system and ECM, Secure content management, policy management and cloud storage services. These ECM and cloud storage ser 60 enforcement, and monitoring, reporting and analytics. vices can include, for example, on-premise SharePointTM, The federated content forest model maintains a metadata Office 365TM with SharePoint OnlineTM, DropboxTM, based forest of storage domains (a storage domain is either a iCloudTM, Google DocsTM, Google DriveTM and Box.NetTM. federated ECM or cloud storage system) and corresponding Each such ECM and cloud storage domain integrated within content hierarchy. As seen in FIG. 2B, the content forest the Averail system is referred to as a storage domain. 65 maintains such information under an embodiment for a plu FIG. 1 shows the system architecture of the Averail end rality of storage domains. As one example, FIG. 2B shows to-end system. The Averail system includes a mobile device that the content forest includes data regarding an enterprise US 8,863,298 B2 7 8 content management service (e.g., SharePointTM) team site this information using secure and trusted REST interfaces hierarchy 220 with respect to an instance of on-premise (e.g., exposed by ACXS service. However, any access and opera SharePointTM) storage solution. The displayed content forest tions on the content from mobile device itself happen directly also includes metadata information of cloud storage domains between the application on mobile device and storage domain (e.g., iCloudTM 222 and BoxTM domains 224). services. As seen in FIG. 2C, the device management model FIG. 3 is an example of the ACXS implemented control includes data for all user devices enrolled and managed for an plane under an embodiment. The ACXS maintains (in ACXS enterprise customeras part of the Averail service. Device data cloud based storage) document metadata 310, policy docu includes information about the configuration and settings of ment 320, source policy document 330 and a permissions all devices, device posture, and device management policies 10 document 340. Under one embodiment the policy and per defined by that customer for its set of device. If an enterprise missions documents store policy and permission definitions customer has a mobile device management (MDM) service created by an administrator through a policy management and Averail integrates with that MDM server, then the physi console coupled to the ACXS. Under this embodiment, the cal representation of this model is in the MDM server; other Source policy document inherits policies and permissions wise Averail maintains the physical model also. Devices that 15 from a source storage domain, (e.g. policies and permissions participate in sharing and collaboration scenario (except administered by SharePointTM at an enterprise level). As seen anonymous users and devices) are also tracked in the device in FIG.3, the ACXS service secures or contains documents on management model. The device management policies for the control plane 350 by supervising a document control these non-customer devices are derived from user role (ex plane. As one example, enterprise content is transferable to a ample: partner, customer, contractor, guest) relative to this mobile device and further to cloud based storage locations if enterprise customer. allowed by “control plane' policies. However, direct access FIG. 2A shows the federated identity model under an 360 and operations on the content from mobile device itself embodiment. The federated identity model maintains a map happens directly between the Averail application on mobile ping of userprincipals 210 within an enterprise customer. The device and storage domain services except as defined under identity model includes the user's Averail identity and cre 25 alternative scenarios described below. dentials, the users associated device(s) unique identifier(s), FIG. 4 is a description of Averail managed containers under and user identity and credentials for each federated Storage an embodiment. As seen in FIG.4, Averail provides the notion domain. This identity information is associated with enter of a secure and managed storage/content management con prise customer account and administrator roles. FIG. 2A tainer to the mobile device users. This managed container shows a federated identity model that maintains under an 30 provides secure environment for access/sharing/collabora embodiment user identities with respect to an enterprise tion of documents from multiple federated storage domains, cloud storage service 211 (e.g., Microsoft Office 365TM), enforces policies and permissions (as inherited from source enterprise content management system 212 (e.g., Active storage domains and defined through ACXS service) and DirectoryTM), and cloud storage services 213 (e.g., iCloudTM, prevents document leakage. FIG. 4 shows a number of storage BoxTM, and DropboxTM). In addition, all this information is 35 domains and applications available to the user. Mobile device stored in a multi-layer strongly encrypted manner (Advanced user may store content among a plurality of locations. For Encryption Standard (AES) 256 bit encryption) with require example, user storage domains include, for example, (e.g., ment to ensure that no user information is ever in the clear or iCloudTM, DropboxTM and BoxTM. subject to security threats. The ACXS service only stores The Averail system provides a managed storage/content credentials that are needed to synchronize content forest 40 management container 410 to the mobile device user. The metadata with storage domains, if so done from the cloud managed container under an embodiment include a combi service. nation of cloud based storage services, cloud based ECM FIG. 2D shows an example of the Policy and Authorization services (e.g., Microsoft 365TM) and on-premise ECM ser Model under an embodiment. The model under an embodi vices (e.g., SharePointTM). While a user can continue to store ment includes information of policies and permissions. The 45 and manage personal content 420 (music, videos, photos, Averail service administrator uses a service management documents) from a Smartphone or tablet onto cloud storage/ application/console to define security policies/definitions ECM service of his/her own choice, Averail ensures that any 240 that are applicable to the Averail managed storage content (that is stored or imported into underlying federated domains. Averail CloudXchange service stores these policies cloud storage and/or on-premise ECM services) within the in an underlying secure policy store. The Averail system 50 Averail domain is secure and adheres/complies to policy and implements broad classes of management policies including permissions defined by enterprise content administrators and information management, collaboration and sharing, compli Averail service administrators. ance and auditing, cross-domain routing across storage Under the SVFM concept and service, the user has the domains, synchronization, mobile application-specific poli option to import or move documents from other applications cies, device management policies, and/or information rights 55 on the device into the Averail managed domain and make management policies. The policy and authorization model these Averail managed documents. User can share Averail also inherits policies 242 from federated storage domains. managed documents with other users and devices directly via The requirement is to ensure that inherited policies are always the Averail service 430 or indirectly via 3.sup.rd party appli enforced and cannot be overridden (but may be augmented) cations 440 (e.g., ChatterTM, SalesForceTM, Google AppsTM) by Averail-specific policies. CloudXchange service also 60 provided policies and permissions allow Such sharing. If user models groups and permissions 244 for both those inherited shares content or exports content from Averail managed from storage domains, directory services (e.g., Active Direc domain with other users/applications, then the content is still toryTM) and those defined within Averail context. managed as per requirements (example: audit trail), policy The Averail service stores content metadata (accessed from and permissions for Averail managed domain. For example, if its federated storage domains to and ECM domains), permis 65 Averail document sharing policy doesn't allow an Averail sions and policies definitions securely in its databases and managed document to be shared with an anonymous user, structured storage. The Averail mobile application can access Averail enforces that policy on document sharing. US 8,863,298 B2 9 10 Under an embodiment, the ACXS system provides cross tiple storage domains with an Averail managed user principal domain routing across storage domains. Given that Averail identity. For example, some cloud storage platforms (e.g., service federates multiple cloud storage and ECM services, a iCloudTM) support a single user identity model. Under this user has the option of copying/moving or do export/import model, there is no notion of an enterprise account. Each user (for example: “Openin...” on iPhoneTM or iPadTM moves the is represented with an identifier (e.g., Apple IDTM) that is also document to local sandboxed file system of the target appli associated with the device as part of operating system (e.g., cation) of the content across these storage domains. For iOSTM) initial setup. Averail enables a user principal to asso example, a user can move a document from on-premise data ciate an identifier (e.g., Apple IDTM) with a federated Averail storage (e.g., SharePointTM site) (that doesn't allow external identity for access to a cloud storage platform (e.g., access to non-employees) to cloud storage (e.g., Box.Net) so 10 iCloudTM). As another example, other cloud storage plat that user can provide access to this document to a customer. forms (e.g., Box.NetTM and DropboxTM for teams) enable However, such cross-domain routing is Subjected to policies enterprises or group of users to setup a common administra and permissions defined within the Averail service. FIG. 5 tive account and manage users and groups within that shows an embodiment of a SVFM system that restricts cross account. Through federated identity mapping, Averail man domain routing across and among cloud and ECM locations 15 ages the association of user principal with the corresponding including, for example, iCloudTM, DropboxTM, BoxTM, cloud storage platforms (e.g., Box.NetTM and DropboxTM) Microsoft Office 365TM and SharePointTM. A later section user identity associations within the context of associated specifies the scenarios related to cross-domain routing poli account. Averail also supports single user accounts for cloud cies. storage platforms (e.g., DropboxTM and Box.netTM). The Averail service provides security for data at rest for It should be noted that the ACXS service does not store documents on both mobile device and ACXS federated cloud username and passwords for federated Storage domains. A storage service. user authenticates separately with the ACXS service and stor Averail services enable service administrator and mobile age domains. For example, the Averail application user users to set policy to ensure that any content stored on public authenticates with the ACXS service and sets up trust cloud storage services is always encrypted using keys man 25 between application and ACXS (subject to session timeout aged and controlled by either the user or Averail customer. policy). With respect to storage domains, a user authenticates Given Averail CloudXchange service of an embodiment is directly with target storage domains. The authentication not on the data plane, the content encryption and decryption tokens may then be cached on the device under an embodi happens on the mobile device by Averail mobile applications. ment. Also, Secure Sockets Layer/Transport Layer Security (SSL/ 30 As seen in FIG. 1, the mobile devices within the mobile TLS) is used during communication between device and node of the Averail system run the Averail mobile application. cloud storage service. The goal is to ensure that content is Under an embodiment, the Averail mobile application uses never in clear either at rest or in transit as it goes from device rich platform-specific mobile application or an HTML5 to public cloud storage services. application to access Averail services for secure mobile con The Averail ACXS (CloudXchange) service federates a 35 tent access and management, cloud storage aggregation and user's identity across multiple on-premise ECM and cloud document collaboration. With respect to mobile devices and storage services. Under an embodiment, Averail uses a cus tablets, the mobile applications are platform-specific native tomer account owner to create an Averail customer account mobile applications distributed through public app stores or and then create users or user principals within that Averail enterprise app stores. Averail Supports mobile device operat acCOunt. 40 ing systems including, for example, iOSTM (for iPhoneTM and FIG. 6 shows a federated set of user identity and credentials iPadTM), AndroidTM (tablet & phone) and Windows PhoneTM corresponding to the federated ECM and cloud storage ser applications. The Averail application may also run as an vices. Under this embodiment, the ACXS service maintains a HTML5 application that can be accessed using HTML5 user principal's identity within online Software applications capable browser. Note that HTML5 mobile applications may (e.g., a Microsoft Office 365TM customer account domain), 45 have limitations including limitations in terms of device within an enterprise directory service (e.g., Active Direc native UX, local storage and access to native OS APIs for toryTM) domain, and within cloud storage platforms (e.g., encryption. iCloudTM (Apple IdTM), within a BoxTM account and within a The Averail application provides users an easy to use UX to DropboxTM account. A user principal in Averail domain has access Averail services and its federated set of ECM and multiple identities and associated credentials for authentica 50 cloud storage services without introducing complexities tion and authorization for access to respective storage related to service administration and policy definition func domains. The user principal has a unique Averail identity tions. A user can perform at least the following functions within the domain of the corresponding Averail customer using the Averail mobile application. account. The Averail ACXS service associates the unique The Averail application provides capability to view, edit, Averail identity with a customer account using an enterprise 55 create and manage content hierarchy (document libraries, directory management system. An Averail customer account folders etc.), metadata and content itself can have any number of users. As one example, a single user The Averail application provides capability to export docu creates a trial account on Averail. As another example, a large ment from Averail mobile application to other viewer and enterprise customer may create accounts for over 100,000 collaboration/email applications, under an embodiment. employees. 60 The Averail application provides capability to import docu A user principal can have one or more directory service ment from other applications to Averail application, under an (e.g., Active DirectoryTM) accounts across different domains. embodiment. For example, a user can be a vendor in one directory service The Averail application provides capability to share across (e.g., Active DirectoryTM) domain and employee in employ multiple storage domains securely, under an embodiment. er's directory service (e.g., Active DirectoryTM) domain. 65 The Averail application provides capability to share docu Under an embodiment, the Averail system associates a user ments across standard/custom groups and users, under an principal's identity as implemented within a plurality of mul embodiment. US 8,863,298 B2 11 12 The Averail application provides capability to search for Persistence or Hibernate to effect an object relational map document within/across folders, sites and storage domains, ping to facilitate data storage in an SQL database. However, under an embodiment. embodiments are not so limited. The SVFM/ACXS compo The Averail application provides capability to manage and nents as seen in FIG.7 may under an embodiment be imple tag items for offline access, under an embodiment. 5 mented within an open source Software implementation of The Averail application provides capability to subscribe to servlets including, for example, Java ServletTM and JavaSer notifications or alerts for conditions/events related to content, ver PagesTM technologies known as Apache Tomcat TM. Under folders, sharing, workflow or system events, under an an embodiment, TomcatTM provides a “pure Java” HTTPJava embodiment. servlet environment in which to run Java code. As indicated above, the secure virtual file management 10 The Averail system allows movement of content between system (SVFM) of the Averail system manages content communication endpoints distributed among a federated set within the Averail system through a combination of metadata of storage locations while maintaining enterprise control over capture/analysis, policy/permission definition and enforce the content. At its most fundamental level, the SVFM enables ment, encryption methods and identity federation/manage all of these functionalities through a node based communica ment systems. FIG.7 shows the key components of the SVFM 15 tions paradigm which routes communications from any one system as implemented within ACXS cloud based architec node to any other node using logical and/or physical ele ture. FIG. 8 shows key components of the Averail application ments/controls of the central ACXS core. The components of running on a mobile device. The components of the SVFM the SVFM cooperate with the components of an Averail appli system and the Averail application are now briefly described cation running on a mobile device to provide certain func to provide a general framework for discussing the ACXS tionalities of the SVFM system. As just one example, the service. Greater detail is provided as needed during the sub policy management system of the ACXS (as further described sequent detailed discussion of the ACXS service. below) cooperates with policy enforcement module of the The SVFM includes a policy management system 710, and Averail application to implement policy definitions across a encryption system 720, and a metadata module 730. The plurality of heterogeneous document management systems encryption system 720 further includes a secure lockbox 722 25 and manage their enforcement. and key management/key distribution component 724. The The policy management system is further coupled to policy systems and components of the SVFM cooperate with the management console that allows administrators ability to components of an Averail application running on a mobile define policy controls that augment existing policies and per device in order to provide certain functionalities of the SVFM missions defined at the level of enterprise storage systems and system as described below. FIG. 8 shows key components of 30 associate policies with groups of users. FIG. 9 shows groups the Averail application 810 running on a mobile device. The federated from underlying storage domains under an embodi Averail application includes a policy enforcement module ment. The Averail policy management console provides users 820, a device side encryption system 830 and a document and administrators an ability to create groups. The Averail viewer/editor 840. The device side encryption system 830 service allows an administrator to group users under either further includes a key management module 833 and an 35 standard groups or custom groups. Under an embodiment, encryption module 836. The Averail application maintains a custom groups may also be created by a service administrator. local sandboxed file system 850 on the mobile device. Standard groups include owners, members, visitors and view The SVFM includes communication modules 740. The ers. Custom groups include on-premise employees, offsite communication modules include communication interfaces employees, partners and customers. Each group is associated to cloud based storage services and/or ECM services. For 40 with a set of permissions and policies. As one example, example, the communication module includes under an viewer group users do not have edit capabilities of owner user. embodiment a connector (e.g., SharePointTM connector) for The Averail service also associates users with the groups that communication with enterprise data storage (e.g., Share are defined and managed within the context of federated PointTM) systems through data storage domain (e.g., Share storage domains. For example, some cloud storage domains PointTM) Representational State Transfer (REST) services 45 (e.g., Box.NetTM) enable their users to create and manage and Simple Object Access Protocol (SOAP) APIs. The com groups and permissions within enterprise accounts. Averail munications module includes under an embodiment a con imports these domain-specific groups and permissions, and nector (e.g., a DropboxTM connector) providing an interface also enables administrators/users to define additional groups with cloud storage platform APIs (e.g., DropboxTM APIs) and permissions. As another example, certain directory ser from the ACXS cloud based service. The communications 50 vices (e.g., Active DirectoryTM) enable distribution group and module includes under an embodimentaproxy connector that security group definitions for directory service (e.g., Active provides an interface with ECM systems using reverse REST/ DirectoryTM) managed users. Averail imports these directory HTTP protocol communications as described in greater detail service (e.g., Active DirectoryTM) groups and associates per below. The SVFM exposes ACXS content/services to the missions as part of its group management. Averail mobile application through REST web services using 55 FIG. 10 is an example of a policy/service management HTTP communications 750. Such REST Services include console under an embodiment. The displayed administrative CustomManager, UserManager, RoleManager, GroupMan console or portal simultaneously functions as the user Web ager, DocManager, StorageIDomainManager, MetadataMan UX client with similar functionality as Averail mobile appli ager, DeviceManager, EventManager, PolicyManager, Key cation. FIG. 11 demonstrates the use of the administrative Manager and ActivityManager. 60 console or service management portal to define groupS/sites, The SVFM includes a metadata module 730. The metadata under an embodiment. As seen in FIG. 11, an administrator module collects/maintains/tracks data including information uses the console to define groups that are then are then pub of customers, users, groups, roles, document metadata, Stor lished and visible to users on the client side. FIG. 12 is an age domains, sites, permissions, policies and policy tem example of a policy management screen of administrative plates, mobile devices, and mobile device user events/activi 65 console, under an embodiment. ties. The ACXS may under an embodiment implement the The policy management system of the ACXSSVFM sys metadata module as a Data Access Object (DAO) using Java tem is coupled to policy management console that allows US 8,863,298 B2 13 14 administrators ability to define policy controls that augment rules, elements or components), actions, policy item values, existing policies and permissions defined at the level of enter capability, policy definition entities, and policy managed/ prise storage systems. The Averail CloudXchange service enforced entity. Policies are defined by storage domain enables service administrator to define a set of permissions administrator and/or enterprise/account owner. A policy fea and associate/grant those with groups and users. The Averail 5 ture comprises a logical collection of rules and actions that are CloudXchange service also inherits policies from Source associated with a policy item. A policy item comprises a ECM storage domains and integrates with those defined policy definition associated with a single policy feature. As within the Averail service. For example, inherited permis one example, apolicy item value may include a Boolean value sions from some data storage domain (e.g., SharePointTM) include but are not limited to "Full is Control' users can 10 that indicates if the policy is required or not required. Capa view, add, update, delete, share, approve and customize; bility includes software or device level features that are “Contribute’ users can view, add, update, delete and down needed to Support a policy feature. A policy definition entity load documents; "Read' users can view pages, list items and includes an information/content entity on which policy is download documents: “Limited Access' users can view defined including one or more of Customer, Device. User, specific lists, document libraries, list items, folders and docu- 15 Storage domain, Site and subsite. Folder, Document Library, ments when given permissions; “View Only' users can List, and Document. A policy managed/enforced entity view pages, list items and documents. includes an information/content entity on which actions cor The ACXS SVFM system enables a document-aware responding to policy are applied and enforced including one policy definition and enforcement system. A policy is a or more of storage Domain, Site and subsites, Folder, Docu statement or rule that defines one or more permission applied 20 ment Library, List, Document, Device and user/application. to a user or user group. Under an embodiment, an Averail A non-exclusive list of Averail managed policies is set forth service administrator uses the policy management console to below. The list includes policy feature, actions, policy item define security policies that can be applied to overall cus values, and capability. One skilled in the art understands that tomer account, groups, users, devices, storage domains and many multiple policy definition entities and policy enforced documents in a hierarchical manner. Averail CloudXchange 25 entities may be defined for each of the policies set forth below. service stores these policies in an underlying secure policy Policy Feature includes Device Local Encryption. Policy store. The ACXS servers may implement the policy store as a requires document or list to be encrypted when stored locally data access object as described above. on the device—either on cache or device local storage. This In addition, each underlying storage domain has its own policy is only applicable to Software encryption. Policy is specific security policies that are defined, managed and 30 enforced prior to downloading of the document locally to the enforced within that specific domain. For example, some storage domains (e.g., a SharePointTM server with its site device. If the document cannot be encrypted, then do not collection and sites) have a corresponding hierarchy of con download the document. Policy Item Value includes required figuration settings and policies that are enforced by the Stor (if policy item specified). Capability includes software age domain (e.g., SharePointTM) itself. The same is the case 35 encryption in Averail mobile application with customer-spe with other storage domains (e.g., SharePointTM online on cific crypto keys. Office365TM). Policy Feature includes Hardware Encryption. Policy Security policies defined at the level of the Averail Cloud requires hardware-level encryption and secure storage for the Xchange service are in addition to storage domain specific document or list when stored locally on the device. Policy is policies. Given a managed object is owned by its container 40 enforced prior to downloading of the document locally to the storage domain, Averail security policies can augment device. If the document cannot be encrypted (example, device domain policies without being less restrictive than the Source doesn't store hardware-level encryption), then do not down security policies for a specific managed object. load the document. Policy Item Value includes required (if FIG. 13 is an example of a policy management system of policy item specified). Capability includes hardware encryp the ACXSSVFM system under an embodiment. The ACXS 45 tion and secure storage on the device with customer-specific cloud based node 1310 is coupled to an on-premise ECM crypto keys. system 1312. The source policy document 1314 contains the Policy Feature includes Access to Cloud Storage. Policy policy and permission definitions that exist at the level of the determines whether user/device can add and configure cloud on-premise ECM system. The ACXS includes a policy man storage domains (for example: DropboxTM or BoxTM) on the agement system 1316. The policy management system inher- 50 Averail mobile application. Policy Item Value includes allow its the policies and permissions defined at the enterprise level or disallow with a list of cloud storage domains. and stores/maintains these security definitions in a policy Policy Feature includes Encrypt on Cloud Storage. Policy store as a source policy document residing on the ACXS requires document to be encrypted on the device and then cloud. The ACXS is coupled to a policy management console stored in encrypted form on cloud storage (e.g., BoxTM, Drop 1322. An Averail service administrator uses the policy man- 55 boxTM). For this policy to be supported, both encryption and agement console to define security policies that are applicable decryption of documents must be supported. Policy is to the Averail managed domain. The administratively defined enforced prior to uploading of the document to the cloud security policies are maintained on the ACXS cloud in a storage. Policy Item Value includes required (if policy item policy store as a policy document 1318. Averail system specified). Capability includes software encryption in Averail enables policies and features to be defined and managed at 60 application with customer-specific crypto keys. least at the level of Averail service, federated storage Policy Feature includes Upload to Cloud Storage. Policy domains, sites, folders, documents, users and devices. determines whether policy managed document can be As already indicated above, a policy represents a set of uploaded to the cloud storage (e.g., BoxTM, DropboxTM) for persistent rules associated with an information entity (also sharing via cloud storage scenarios. Policy is enforced when referred to as a content entity) to govern and control actions 65 user chooses the action “Move/Upload to Cloud' for upload on that entity. Policies are associated with policy features ing a specific entity to the cloud. User MUST have configured (also referred to under alternative embodiments as policy one or more cloud storage domains for this policy to be US 8,863,298 B2 15 16 applied. Policy Item Value includes allow or disallow. Capa includes mechanism to map document classification to bility includes support for cloud storage (e.g., BoxTM/Drop policy-enforced actions on the device. boxTM) integration. Policy Feature includes Document Expiration. This policy Policy Feature includes Offline Access. Policy determines if enabled specifies the time limit after which the document whether document or list can be tagged for offline access expires and is deleted from all Averail managed applications (disconnected mode) and hence stored locally on device. including offline and cached document locations managed by Policy is enforced when user chooses the action “Mark for the mobile application and the ACXS service. Offline access'. Policy Item Value includes allow or disallow. Policy Feature includes Network Usage. Policy places Capability includes offline device storage Supported. restrictions on document download while on cellular connec Policy Feature includes Local caching. Policy determines 10 whether document can be stored in local cache after being tion (specific for cases where there are data usage limits). downloaded on to the device. If local caching is specified as Restrictions include do not download document above X size disabled at the device level, then Local caching of document while on cellular, do not send audit reports while on cellular, is disabled on Averail application—document gets deleted synchronize with Averail ACXS service only on cellular, and after application exits out of an active user session and the 15 do not download/sync when roaming. Policy Item Value cache doesn't persist across sessions. Policy is enforced at includes policy specification with allow/disallow. Capability application lifecycle events (including exiting active user ses includes mechanism to detect network connection type: WiFi sion). Policy Item Value includes allow or disallow. Capabil Vfs cellular network. ity includes local caching mechanism for documents down Policy Feature includes Cache Expiration. Policy requires loaded. that local document cache (where documents are downloaded Policy Feature includes Export to other applications. for viewing) expires and is cleaned up after user closes the Policy determines whether document can be exported to other application session. Policy Item Value includes required (if applications on the device using a content export protocol (for policy item specified). Capability includes mechanism to example, “Open In... protocol on iPhone/iPad). Policy is clean-up mobile device (e.g., iPadTM) application cache after enforced when user chooses the export action such as "Open 25 application session ends. In . . . . Policy Item Value includes whitelist of applications. Policy Feature includes Autodiscovery of storage domains. Capability includes Support for document export across Policy Supports auto-discovery of storage domains for user applications as Supported by an operating system of a device. when the user starts the application session on Averail appli Policy Feature includes Audit log required. Policy requires cation. The auto-discovery pre-populates the storage domains audit log to be maintained for every action on the information/ 30 for this user as setup by Averail service administrator/user content entity and the policy managed/enforced entity by the using Averail service administration console. Policy Item Averail ACXS service. Policy is enforced on every action Value includes required (if policy item specified). Capability performed on the information/content entity and the policy includes Averail application calls ACXS service REST API to managed/enforcedentity. Audit logs can be batched and must get the list of storage domains for a user. work in offline model also. Policy Item Value includes 35 Policy Feature includes Document Size Limitation. Policy required (if policy item specified). Capability includes inte limits the size of downloaded document to X number of bytes. gration with Averail ACXS Monitoring and Reporting Ser Policy Item Value includes size limit expressed in MB. Capa Vice and Auditing service. bility includes checking the document metadata for the size Policy Feature includes Sharing via Cloud Storage. Policy prior to downloading the document locally. specifies mechanisms allowed for sharing on documents via 40 Policy Feature includes Always require SSL. Policy cloud storage. Policy is enforced when user chooses “Share' requires that storage domains are always accessed using for sharing the document via cloud storage. Policy Item Value Hypertext Transfer Protocol Secure (HTTPS). Any non-HT includes mechanisms comprising public share, password pro TPS domain is not allowed to be configured and accessed tected vault, time-bound uniform resource locator (URL) from Averail application. Policy is enforced when storage with access control, encryption required, and Information 45 domains are being added/discovered on the Averail applica Rights Management (IRM) protection. Capability includes tion. Policy Item Value includes required (if policy item support for encryption, password protected vault and IRM specified). Capability includes support for HTTPS for storage protection. domain access from Averail application. Policy Feature includes Viewers. Policy restricts viewers Policy Feature includes Document media types. Policy that can be used on the device to view the document. This 50 specifies document media types Supported for a specific cus policy is a refinement on “Export to other applications' policy tomer/device/user. If a specific media type (for example: feature. Policy is enforced when user exports the document VisioTM document type, MP3, MPEG) is not supported, then for viewing on another application on the device. Policy Item Averail application MUST NOT download these. Policy Item Value includes whitelist of viewers allowed to view the docu Value includes list of media types Supported. ment. 55 Policy Feature includes Cut-Copy-paste. Policy requires Policy Feature includes Editors. Policy restricts editors that that Cut-Copy-Paste actions cannot be performed on a docu can be used on the device to edit the document. This policy is ment when being viewed or edited using Averail application. a refinement on “Export to other applications' policy feature. Policy Item Value includes required (if policy item specified). Policy is enforced when user exports the document for editing Capability includes mechanism to restrict Cut-Copy-Paste on on another application on the device. Policy Item Value 60 document viewer/editor embedded within the Averail appli includes whitelist of editors allowed to edit the document. cation. Policy Feature includes Document Classification policy. Policy Feature includes Do not override Group Policy. Under this policy, documents can be classified as: public, Policy restricts users from overriding Group Policies setup by Confidential and Proprietary, Legal Hold, Records Manage Averail service/site administrator. Settings on Averail appli ment. Such policy includes additional rules restricting actions 65 cation cannot change settings that overlap with Group Poli on documents according to document classification. Policy cies if this policy is set to be required. Policy Item Value Item Value includes document classification. Capability includes required (if policy item specified). US 8,863,298 B2 17 18 Policy Feature includes Averail application level Passcode can be accessed while user is in office premises only. So, in for Averail mobile application. Policy decision is made on the this case even though a document is downloaded and cached ACXS side and is communicated to the device as a decision on user's device, user can not access outside the office loca for enforcement. Policy Item Value includes restricted with tions. Averail client application uses the device (phone/tablet) policy decision detail. Capability includes configuration via 5 shardware/software GPS capabilities to get the current loca MDM mechanism. tion and applies the policies. Also, the locations that user Policy Feature includes restriction on access to cloud stor opens the document will be tracked on Averail servers. age domains (e.g., iCloudTM) from Averail mobile applica Another example is while users are travelling, then users can tion. Policy decision is made on the ACXS/MDM side and is set the location policy on particular documents to openin only communicated to the device as a decision for enforcement. 10 Policy Item Value includes restricted with policy decision in the places that user is going to use that document. While detail. Capability includes configuration via MDM mecha attending conferences, user can set the policy to open the nism. document in the conference location. While attending meet Policy Feature includes restriction on access to enterprise ings with customers, users can set to open the document in storage domain (for example: SharePointTM) if cloud storage 15 only meeting locations etc. If a device does not have any way (e.g., DropboxTM/BoxTM) user applications exist on the to find the current location, then the location protected docu device. Policy decision is made on the ACXS/MDM side and ments cannot be accessed on those devices. Users can set the is communicated to the device as a decision for enforcement. policies on a document to let it open only during a particular Policy Item Value includes restricted with policy decision time. For example a confidential document prepared for pre detail. Capability includes use of MDM configuration set sentation at a meeting may have a policy to open the docu tings to detect if cloud storage (e.g., BoxTM/DropboxTM) ment on the set date only. installed on the device. The Averail system stores policy definitions on the ACXS. Policy Feature includes VPN-on-demand that controls However, Averail system enforces the Averail security poli setup of virtual private network (VPN) policy and settings cies either at the level of the mobile application or the Averail prior to access to enterprise storage domains. Policy decision 25 ACXS service. Under an embodiment, the Averail ACXS is made on the ACXS/MDM side and is communicated to the service acts as a cloud-based policy definition and decision device as a decision for enforcement. Policy Item Value point (PDP) while on device-side, the Averail application acts includes restricted with policy decision detail. Capability as the policy enforcement point (PEP). The Averail system includes device configuration for VPN via MDM mechanism. defines and implements an HTTP-based Secure File Control Policy Feature includes Device Restrictions. Under policy, 30 device can be restricted from access to enterprise storage Protocol (SFCP) between the ACXS node (PDP) and device domains based on one or more of settings including operating side Averail mobile application (PEP). With reference to FIG. system (e.g., iOSTM) and Build number, Model name and 13, policy enforcement module 1320 of the Averail applica number, Capacity and space available, Current Carrier net tion enables the PEP on the device side. work, Subscriber carrier network, Data roaming (on/off), 35 The SFCP supports setup of certificate-based trust between Hardware encryption capabilities, passcode present, certifi PDP and PEP for policy control mechanisms under an cates installed with expiry dates, List of restrictions enforced, embodiment. The SFCP supports HTTPS based RESTful Applications installed, Provisioning profiles installed with Create, Read, Update, Delete (CRUD) style access to policy expiry date, and Web Proxy settings. Policy decision is made definitions from PEP. Typically, PEP only has READ access on the ACXS/MDM side and is communicated to the device 40 to policy definitions. However, a device-side application can as a decision for enforcement. Policy Item Value includes also act as both PEP and PDP that communicates with the restricted with policy decision detail. Capability includes cloud-based PDP for policy definition and management. The configuration of settings detected via MDM mechanism. SFCP supports offline and online modes for PEP points to Policy Feature includes Policy Compliance. Under policy, access policy definitions and perform policy enforcements. Averail application is restricted from access to enterprise 45 As seen in FIG. 13 the Averail system provides under an storage domains if device doesn’t pass the MDM-level policy embodiment local storage of policy definitions 1314, 1318 on compliance required by the enterprises. Policy decision is the device side. With respect to offline-mode, the device-side made on the ACXS/MDM side and is communicated to the policy enforcement module uses locally cached policy docu device as a decision for enforcement. Policy Item Value ments for enforcement. These policy documents are refreshed includes restricted with policy decision detail. Capability 50 when device? application comes back online and connects includes configuration of settings detected via MDM mecha back to ACXS. The SFCP supports synchronization of policy nism. definitions across multiple device-side PEP. Policy Feature includes Domain Joined. Under policy, The Averail system may under an embodiment use the Averail application is restricted from access to enterprise policy management system to enable other applications to storage domains if device is not domain-joined to enterprise 55 enforce policies defined on ACXS. Under this embodiment, directory service (e.g., Active DirectoryTM) infrastructure. the Averail system enables a trusted 2" party application to Other policy features and policy actions may include loca use SFCP to access policy definitions from Averail CloudX tion and time based access restrictions. With cloud based change PDP. This supports scenarios where other client appli systems and mobile devices, users can access the documents cations can integrate with Averail CloudXchange service and pretty much from anywhere. There could be some places 60 Support fine-grained document level policy control and track where companies do not want their employees to open the ing. In this case, Averail becomes a “headless' service on the documents for several reasons. One example is, companies do device side. not want their employees to open the documents in places like The Averail CloudXchange service enables a secure shar clubs and bars. In some cases they do not want their employ ing and document vault functionality. Averail enables users to ees to open outside their office. Averail policies enable the 65 share documents (managed within Averail storage domains) fine grained control over where employee can access a docu with a) users/groups within the enterprise identity domain, ment. For example admin user can specify that a document and b) with users/groups outside the enterprise. The Averail US 8,863,298 B2 19 20 system enables this functionality according to policy and Network information: current carrier network, phone num permissions defined for documents and associated Storage ber domains. Compliance and security information: configuration pro Under an embodiment, the Averail system user can asso files installed, certificates installed with expiry dates, list ciate policies with documents that are being shared. For of restrictions enforced, hardware encryption capabili example, a user may require that documents be private and ties, passcode present always require authentication prior to access by other users. A Applications installed (app ID, name, version, size, app user may create a signed access signature for access to the data size) document. This access signature includes query parameters Provisioning profiles installed with expiry date 10 The CloudXchange Service analyzes these queried settings for time expiration, permissions (read, update, delete) and from the enrolled devices. The CloudXchange Service then signed identifier. A user (or administrator) can revoke this creates a configuration profile using the queried settings. signed access signature. A user may create a document vault Configuration profiles are XML files that contain device secu for sharing with a set of users. Creation/management of the rity policies and restrictions, VPN configuration information, document vault comprises use of a master key based encryp 15 Wi-Fi settings, email and calendar accounts, and authentica tion in cooperation with the ACXS as further described below. tion credentials that permit some mobile devices (e.g., iOSTM The Averail system manages content using awareness of devices) to work with ECM systems. The CloudXchange the document metadata, users, policies and permissions. In service performs such dynamic analysis in the context of contrast, mobile device management Solutions (MDM) man requirements and policies for secure mobile content manage age the device. Traditional MDM solutions enable IT/enter ment and cloud storage aggregation. In addition, CloudX prises to securely enroll mobile devices in enterprise environ change service can configure additional configuration set ment, wirelessly configure device configuration and settings, tings and policies (in addition to the MDM settings) on the monitor compliance with enterprise policies and also device via Averail Mobile application. These additional con remotely wipe/restore devices. Under an embodiment, the figuration settings include: typical scenario in MDM includes device enrollment (com 25 Sites and folders pre-configured on the Averail Mobile prising user authentication, certificate enrollment to render a application for access based on user's identity, groups, device as MDM managed), device configuration (to configure permissions and policies. For example, SharePoint site configuration settings and policies), device query (to get spe administrator can configure access to user's MySites cific configuration and settings from the managed device) and and TeamSites using the service management console so device management (comprising remote wipe, password 30 that user gets these as part of initial experience with policies, remote lock, clear passcode). Averail application. These sites and folders can also be Traditional MDM solutions today are horizontal device revoked. level management Solutions that configure and secure a Certificates used to setup trust between Averail mobile device with limited application or content awareness. Enter application and CloudXchange service. prise applications, content and workflows remain black box 35 Certificates and credentials used for access to storage relative to these MDM solutions. For example, MDM solu domains being managed by Averail CloudXchange ser tions tend to offer only application block/allow capability. W1C. These MDM solutions are not able to restrict a mobile user Policies that are enforced on the device side by Averail from exporting documents received by email to cloud storage Mobile application. (e.g., Box.netTM or DropboxTM) or restrict offline storage of a 40 Averail CloudXchange service also supports the following specific document library or enforce policies discussed functionality through the Averail Mobile application as its above. Hence, MDM solutions leave the onus on IT and device agent: MDM administrators to define and enforce policies and con Grant/deny or revoke access to sites, document libraries figuration settings as applicable to an environment. While and folders MDM solutions provide an essential base level security for 45 Selective wipe of documents and folders that are part of mobile devices used in enterprises, these tools do not address Averail managed storage domains the problem of secure and fine-grained access and permis Backup and restore of documents and folders that are part sions and audit control within enterprise applications and of Averail managed storage domains and stored on the content management systems. However, the Averail CloudX remote device as per the document retention policies. change service described herein provides such capabilities. 50 The Averail mobile application supports policy based The Averail system operates under an inheritance model export and import of content. Averail application enables that allows Averail to incorporate or inherit existing security users to view and annotate policy-controlled documents and definitions in place at the level of enterprise content manage content. Further export/transfer of these documents to other ment solutions. Under an inheritance model, the Averail applications (e.g., GoodReaderTM, PagesTM, NumbersTM, policy management system enables integration with existing 55 KeynoteTM, etc.) outside Averail managed domain on the MDM mechanisms (for example: MobileIronTM, ZenpriseTM, device may be policy restricted under an embodiment. For AirWatchTM, Good MDMTM) to add intelligence and fine some devices (e.g., iOSTM devices), the Averail mobile appli grained controls used for secure mobile content management, cation uses UIWebView class and PDF class libraries for document collaboration/sharing and cloud storage/ECM viewing of most common formats. UIWebView supports the aggregation. Averail integrates with MDM solutions and Veri 60 following document types including, for example, Excel fies proper configuration of underlying device security. On (.xls), Keynote (key.Zip), Numbers (numbers.Zip), Pages certain devices (e.g., iOSTM devices, under an embodiment, (pages.zip), PDF (pdf), Powerpoint (ppt), and Word (.doc). the CloudXchange service queries the following information: Averail mobile application allows public documents or Device name policy-allowed documents to be exported to other document Operating system (e.g., iOSTM) and build version 65 viewers and editors on the device. For example, user can Model name and number “Open in . . . . a document in an email application from Capacity and space available Averail mobile application. Averail application requests US 8,863,298 B2 21 22 policy definitions from the ACXS policy documents (main application to check permissions and policies prior to retriev tained by policy management system) or under an alternative ing a document directly from a source domain, e.g. Share embodiment requests policy definitions from the Averail PointTM or DropboxTM. In the case of Averail web application, application's local file system. Averail mobile application the document is retrieved via the storage domain (e.g., Share under yet another embodiment Supports policy-controlled 5 PointTM) connector. For web application client, all calls to export and import of documents from other third party appli SharePoint under an embodiment are made via the storage cations. Averail application provides rich functionality on the domain (e.g., SharePointTM) connector in ACXS. client device in cases where confidential documents cannot be The Averail system provides a federated search across opened in other applications. As an example, Averail mobile domain repositories. The ACXS service performs the search application provides under an embodiment editing and com 10 on the source domains (e.g., SharePointTM and DropboxTM) menting operations on documents. using the API exposed by the corresponding domain. For Web Averail service or storage domain administrator may under UX, ACXS connectors perform these API calls, while for the an embodiment use the policy management system to setup device application, the API calls are made from connectors in policies that turn on audit logs for managed objects included the device application logic. Storage domains (e.g., Share within Averail managed security domains. A storage domain 15 PointTM and DropboxTM) have search APIs. The particular administrator or enterprise customer may use the policy man search call pathways depend on whether the ACXS service agement console coupled to the policy management system to uses an inside out proxy system (IO Proxy) to manage com view/monitor these audit logs/report. munications between ACXS and ECM, e.g. SharePointTM. The Averail service provides a wide range of searching The IO Proxy system is described in detail below and is capabilities. The system enables searching for documents and referenced here simply to enable a description of search call associated hierarchy content follows a three level search pathways initiating from WebUX (or web based client) versus model as follows. The search levels include device-local iPad client (i.e., Averail application running on a mobile search, ACXS search and a federated search across domain device (e.g., iPadTM)) under an embodiment. Such pathways repositories. The capabilities of search depend on what meta include data/content is available and searchable at each level. A 25 1. Mobile device (e.g., iPadTM)->direct to storage domain description of device-local, ACXS and federated search fol (e.g., SharePointTM) in case there is no IO proxy system in lows. Thereafter, a search mechanism that combines these place. three types of searches is also described. 2. Web UX-sACXS/SharePoint connector-estorage A device-local search is only applicable to searches con domain (e.g., SharePointTM). ducted by the device application. First, the Averail application 30 3. Mobile device (e.g., iPadTM)/WebUX->ACXS->IO performs a local search on the document/content model main Proxy->storage domain (e.g., SharePointTM) in the case of tained in the content forest on the device. The scope of this inside-out proxy being used. search extends across local device domain, favorites/offline The decision to use one topology versus another depends files and content model/cache for domains/sites configured under an embodiment on whether a storage domain (e.g., on the application. The search mechanism integrates with the 35 SharePointTM) is reachable via a mobile device application device's document cache management. If a document is found in the document data model or rather the device-local (e.g., an iPadTM application) or ACXS. document model, then the application checks if the document In case of public cloud storage locations, (e.g., DropboxTM), is in the local cache or documents folder. If the document is the paths are: not cached or stored offline, then the Averail application 1. Mobile device (e.g., iPadTM)->direct to cloud storage (e.g., issues a GET request to retrieve the document from the asso 40 DropboxTM) ciated domain. 2. WebUX->ACXS/cloud storage (e.g., DropboxTM) The Averail service provides searching capabilities at the connector->cloud storage (e.g., DropboxTM) ACXS level. Averail CloudXchange service (ACXS) main A search can be performed at global level across all tains a metadata module that contains document metadata. domains using the search icon on the application dashboard Under an embodiment, the ACXS pulls document metadata 45 within the current container context (domain/subsite/docu from the Source ECM/storage domains and application meta ment library/folder/Favorites/Recents) by using a search text data synchronized from applications across multiple user field displayed at the top of a navigation view controller on a devices. As already described above, the Averail service mobile device application (e.g., an iPadTM application). maintains content forest metadata across a federated set of Analogous searching interface is provided on Android/Win storage domains. The ACXS maintains the content metadata 50 dows applications and through web UX under alternative in a cloud based ACXS metadata module. embodiments. When a user performs/initiates a global search ACXS exposes a REST search API that returns a list of from the mobile device (e.g., iOSTM device) application UX, document metadata for entities based on the following input the application initiates three concurrent searches—1) device parameters. The ACXS REST search API may under an local search, 2) ACXS CFM search, and 3) federated search embodiment be modeled on a storage domain (e.g., Share 55 across repositories. The ACXS CFM search and the federated PointTM) search API. Query string: Structured Query Language (SQL) or key search are conducted through asynchronous non-blocking word based operations in background. With respect to web UX, the device Fields to return in entity metadata: Uniform Resource local search is not applicable. The Web UX performs the Identifier (URI) for document access, Content Forest ACXS CFM search and federated search across repositories Metadata (CFM) entity id, domain type. 60 via the ACXS REST APIs. Under one embodiment, the ACXS Type of query simply exposes a single search REST API and abstracts Number of entities to return CFMs and federated search underneath that single REST Type of entities: Lists Sites Folders Documents API. Path to search from The search results are limited to a configurable Small num The document metadata returned from search REST API 65 ber (20 as an example) in a single batch. As search results are (“the CFM) returns the metadata fields requested. fetched across these 3 concurrent searches, these are UNION Under an embodiment, this metadata is sufficient for Averail ed together and shown to the user based on the location (local US 8,863,298 B2 23 24 to device or a source domain) and type of domain (local My The sequence of steps to encrypt a document from a client AccessTM, SharePointTM server or DropboxTM). In order to include the following: provide the experience of a fast interactive search, results are 1. Client app(phone/tablet/any other device) generates a sym shown incrementally. The Averail application posts a first set metric key D. of results retrieved from local search while in parallel a search 2. Encrypts the document with DRsynam Represented as is being performed on the level of CFM/ACXS and federated D. (Document)- E. repositories. As the results are being fetched, local search 3. Encrypt the symmetric key D, with user certificate's results are shown mapped to the associated domains. For public key. i.e. UC(D) and sends it to ACXS. example, if a search is looking for “Design, then documents 4. ACXS decrypts the UCKe(Ds) with UCK to get found locally on device (either in My AccessTM, device-local 10 the Dism, i.e. UCervKe UCeubke (Dismm)l Disnn. caches for sites/domains or in offline) are shown first. 5. ACXS encrypts the D isymm with M. represented as The Averail system maintains monitoring, compliance and Mism f (Dism m) usage insights. Under an embodiment, Averail collects logs, 6. ACXS sends back M.,(D) after encrypting it with event traces, alerts and usage data on operations and events 15 UCke, represented as UC key (Minn,(Don)). related to content access and management, policy compliance 7. Client app receives UCK (Mn(D)) and and other operations performed on Averail managed objects. decrypts it with UC, the master key encrypted docu An administrator can see these logs, reports and insights using the service management console coupled to the ACXS. ment symmetric key. Represented as UCIUC. The Averail system applies different levels of encryption (Ms,(Don))l M.,(Ds). Client stores the according to polices associated with a document. FIG. 14 M.,(D) along with the document on the device/ shows the varying levels of encryption under an embodiment. storage server. The Averail system applies document/file level encryption The sequence of steps to decrypt a document from a client based on document/file level policy 1410. One level of include the following. encryption includes hardware encryption 1430 applied to 1. Client app encrypts the M.,(Ds) with UCice, documents on a mobile device. Under an embodiment, all 25 and sends it to ACXS. Represented as UC(M. documents stored in a device's temporary cache are (D.symm) encrypted using hardware encryption. Another level of 2. ACXS decrypts the UCKe(Mn(D)) with encryption includes local encryption 1420 and may under an UCprivkey to get M.,(Dsymm v1 is 'nan ). Represented as UC. rvRey embodiment apply to files/documents stored in local folders IUCeubke (Misymm (D.symm))l (Mismo (Dismm). on a device. Under this embodiment, local encryption com 30 3. ACXS checks the metadata to see if user requesting this has prises generating a symmetric key based on user credentials access to the document. (Either user is owner or has and using the symmetrickey to encrypt locally stored content. access). With respect to a mobile device (e.g., an iOSTM device), the symmetric key is then stored securely in a key chain system 4. Once ACXS has (M.,(D), it decrypts it with (e.g., an iOSTM key chain system). Averail also applies ACXS Mism, to get Dism. Represented as Ms.M., managed encryption 1440. This level of encryption places 35 (Dismm) D.symm contentina'secure vault' for secure storage in public storage 5. ACXS encrypts the D., user certificate's private key locations using a master key system. The ACXS managed or and sends it to client. Represented as UC(D). master key based encryption is described in greater detail 6. Client receives UC(D) and decrypts it with user below. certificate's public key. Represented as UCIUC rvRey The Averail system ensures that enterprise content never 40 (Dismm) D.symm sits in the clear in a managed domain. Averail managed docu 7. Client decrypts the encrypted document with D. Rep ments are encrypted using a per document unique 256 bit AES resented as D. D., (E)->Decrypted Document. key which is generated on the client side Averail mobile FIG. 15 is an example of Averail document encryption application where the encryption is being applied. The 256 bit under an embodiment. Under the first step 1510, the Averail AES symmetric key used to encrypt the document on the 45 application generates a symmetric key on the device side for client side will be encrypted with an Averail server side mas a document. As the second step 1520, the Averail application ter key. The master key encrypted document key and then encrypts/stores a document on the client side using the encrypted document are then stored in an envelope under an symmetric key. Under step three 1530, the key management embodiment. The file including the envelope ends with an module of the Averail application sends the symmetric key to .acXS extension. Once this envelope is created, authorized 50 the key management and distribution module maintained on Averail clients can parse this envelope and communicate with the ACXS service using a secure key distribution and man the ACXS servers to view the document. Steps to encrypt/ agement protocol. The ACXS then encrypts the symmetric decrypt a document from client application are explained key with a master key, and the key management and distribu below. In order to facilitate an explanation of the encryption/ tion module returns the wrapped symmetric key back to the decryption process, key terms of the process are defined. 55 key management model using a secure key distribution and management protocol. As the fourth step 1540, the Averail TERMS application stores the wrapped symmetrickey (i.e., the master D. Symmetric key to encrypt the document. It is a 256 key encrypted symmetric key) along with the symmetric key bit AES key. encrypted document in an Averail encryption.acxS envelope. UC: User Certificate's public key that client application 60 The Averail encryption system uses an acxS file (envelope) got from ACXS and stored on client side application. format under an embodiment. The Averail encrypted file com UC: User Certificate's private key stored on ACXS. prises a multi-layer encrypted document key, other key infor M. Symmetric master key to encrypt the document mation including length of key and metadata to identify the access key D. This resides on ACXS. For example, there class of the master key used to decrypt, and the encrypted could be one or more M., for all customer documents. 65 document itself. Once this envelope is created, authorized (): Parenthesis to represents encryption action Averail client application understands this format and II: Square brackets to represents decryption action “opens' this envelope to display the file. US 8,863,298 B2 25 26 The Averail ACXS server maintains several classes of mas Move from cloud storage to local disk: Based on the policy ter keys. Master keys never go out of servers. Master keys are definitions, the appropriate encryption (e.g., local symmetric used to encrypt the per document key. Based on the class of key based) will be applied to files stored locally. document (confidential, Proprietary etc), policies around Move from one application to other application on a encryption, based on the storage domain and based on the device: Each application communicates with the ACXS serv client application master key will be used to encrypt docu ers to obtain required keys in order to encrypt/decrypt accord ment keys. This gives the flexibility in managing the master ing to policy definitions. keys. To enable/disable access to a particular cloud storage, Averail client on a mobile device provides a secure docu user group, device group etc., a particular class of master key ment container—which is a secure encrypted common file 10 system (backed by Averail ACXS service for policy manage on the server side may be disabled. ment and crypto functions) for others applications to use. This The Averail may adopt varying approaches to key manage secure document container on a mobile device enables secure ment. Under one embodiment, the Averail system stores mas access to documents from other applications through secure ter key classes in a secure ACXS lockbox component. Under document/file exchange protocol using the Averail secure an embodiment, the secure lockbox component encrypts/de 15 access client library. This enables other applications on a crypts symmetric keys using the master keys. Under this mobile device to use the secure document container provided system, the enterprise customer creates master key classes by the Averail client. Averail secure document container and may revoke them. The Averail service manages the mas keeps the documents encrypted, enforces passcode-based ter keys on behalf of the customer. However, an enterprise authentication and authorization for document access, and customer may wish that master keys are never stored on the enforces policies thereby ensuring that any access to these cloud. Rather the customer may wish to maintain all master documents is secure whether from Averail mobile application keys on-premise or on public cloud using a Hardware Secu or other applications. Under an embodiment the Averail rity Module (HSM). Under an embodiment, the Averail ser application maintains the client side library for the secure Vice may implement an on-premise pluggability module that document container. Averail client side library enables the allows secure lockbox to encrypt and decrypt symmetric keys 25 client to communicate with Averail cloud system to perform using master keys from on premise or public cloud HSM. various activities. Client side library is typically embedded FIG. 16 shows the secure lockbox maintained on the ACXS into the application that needs to interact with ACXS cloud under an embodiment. FIG. 16 shows the secure lockbox based system to secure files. Under one embodiment, an coupled to the customersecure HSM-based lockbox. FIG. 16 application embeds the library by using a protocol to com shows the secure document at the source 1610 and the secure 30 municate with the client library of the Averail application. document on the device 1620. Each application will need to be authorized to access the The Averail system may use its encryption methods to cloud system. Client applications makes calls on the cloud block misbehaving applications, users or devices from based system to protect/encrypt the files, view/decrypt the accessing documents. According to policy and permission, a protected files, view and enforce the policies etc. This client user may under an embodiment move documents from one 35 library will be available for multiple supported operating application to other applications on a mobile device. Accord systems including AndroidTM, iOSTM, and Windows ingly, documents can reside with multiple applications. But at MobileTM thereby exposing the client side library to multiple Some point, if an application is misbehaving, then the appli devices and corresponding software platforms. cation will not be able to decrypt the documents or access the FIG. 17 shows the secure transfer of content to another documents any more. These applications will be blocked 40 application under an embodiment. As seen in the figure, the from server side by disabling the corresponding class of mas Averail application transfers 1710 a document 1705 from the ter key on serverside and application identification key. Once Averail application to application B. The encrypted document an application is marked as misbehaving on serverside, it will now resides in the sandboxed file system of application B no longer be able to decrypt any of the documents that are 1720. When application B wishes to view/access the docu stored locally with the application. All the calls to server to 45 ment, application B must communicate with the ACXS serv decrypt the document keys would fail. ers to obtain the necessary key to decrypt the document. As The Averail system encrypts documents as they move seen in FIG. 17, application B comprises an Averail Secure across federated domains. The Averail clients & ACXS serv Document/File Exchange Module 1730 which embeds the ers apply appropriate encryption to documents automatically Averail secure access client library by using a secure docu based on the source and destination properties, and policies 50 ment/file exchange protocol 1740 to access/communicate that are in place for that user and target device. The Averail with the library 1750. The Secure Document/File Exchange system maintains document encryption during the following Module communicates with the ACXS servers 1780 using a content transfers: Secure Key Distribution and Management Protocol 1760 to Upload document from client application on mobile device retrieve decrypted symmetric keys required to decrypt the to cloud storage: Averail client automatically decrypts the 55 document. encryption applied on client side and applies the encryption Once a document is encrypted with Averail encryption, that is required for that particular cloud storage, e.g. master then the document can be opened with Averail application or key encryption. trusted third party application on any device. Averail Move document from one cloud storage to another cloud encrypted documents (.acxS files) are accessible to third party storage: The client application that’s interacting with Source 60 applications under the following examples but embodiments cloud storage and destination cloud storage automatically are not so limited. applies appropriate decryption based on the source storage Averail Client application: Averail client application uses domain policies and applies appropriate encryption based on the client side library to interface with Averail ACXS destination storage domain policies. Policy definitions are service to encrypt/decrypt documents. defined at different levels (Customer, User, device, storage 65 Trusted third party client applications: Trusted client appli domain, document) and affect the kind of encryption be cations on the devices may integrate Averail secure applied to a document in a particular scenario. access library. This library provides an interface with the US 8,863,298 B2 27 28 ACXS service to enable Averail encrypt/decrypt opera Under an embodiment, an Averail protected file (including tions using the trusted applications. This secure access files carrying an acxs extension for example) can always be library understands the .acxS files format and communi traced back to the source irrespective of which application cates securely with Averail ACXS service to get docu opens the file, which user opens the file and which device is ments decrypted. Also, this secure access library ensures used to open the file. The ACXSSVFM intelligently com that the copy of the decrypted file is not stored with the bines several activities of the Averail application. Such activi client application. ties of the Averail application include calls to the client library Untrusted client applications: Untrusted client applica under an embodiment. tions receiving.acxS files can not open themselves. They As one example, assume that a first user downloads a file need to export the document to Averail application or 10 from a first storage domain (for example, SharePointTM) to a trusted third party client application. mobile device (e.g., an iPadTM device) and shares the file with The Averail mobile application provides offline access of a second user who then opens the file on the second user's protected documents under an embodiment. Onan authorized phone and transfers the document from the Averail applica client, if the policy defined for a particular file allows it to be tion to a second application (for example by using Open-into offline, then client application can make appropriate calls on 15 open the file in the second application). Now the second user client side library to get the offline access. When offline shares the file with a third user from the second application. access is requested, the Averail cloud system generates spe The third user uploads the document to a second storage cial keys which are active for a predefined amount of time. domain (for example, DropBoxTM). A fourth user then down These special keys will be securely placed on hardware secu loads the document from the second storage domain and rity element, operating system provided key chain. The opens the file in a third application. secure access client library enforces the offline policy for In the above example one observes that the outlined trans those files over an amount of time allowed to be offline actions/transfers/actions include multiple storage domains, (number of days). Once the device comes online, the client multiple users, and multiple applications and devices. At the library gets the latest policy and metadata information from end of all the transactions/transfers/actions described in the ACXS cloud system including updates regarding locally 25 above example, the fourth user may obtain information about valid keys distributed by ACXS for local storage. where the document came from and the path the document When authorized client applications access the ACXS traveled. The fourth user may obtain this information by cloud system to view protected documents, all the operations interacting with a trusted document icon associated with the required will be seamless to user. Meaning, under the hood file and may therefore see the entire path along with corre client applications manage all the required operations 30 sponding transactions/transfers/actions. Under an alternative through client side library to decrypt the document and show embodiment, the trusted document icon may visually encode to user. To show the document is trusted and coming from an information of the path and the associated transactions/trans identified source (in this case, trusted and protected by Averail fers/actions using any combination of colors, shapes, icons, service), a document stamp (a graphic icon) will be shown graphics, fonts, design and presentation formats to encode visually on the client application. FIG. 18 shows delivery of 35 such information into the trusted document icon. It should be secured documents to client applications using a document noted that under the example provided above regarding the security validation stamp or a trusted document icon. Appli transactions/transfers/actions of a file, the ACXS SVFM cation users may obtain the Source and other information traces the document path and associated activity even when about the document by interacting with the trusted document the file moves physically from one application to another icon. This trusted document graphic will be similar to a 40 application. trusted Certification Authority graphic symbol displayed on Under alternative embodiments, the ACXSSVFM traces web sites. files under its management as the file moves from one user to The trusted document icon parallels the notion of secure other user, one application to other applications and one browsing. When documents are downloaded and viewed device to other devices. The ACXSSVFM intelligently com from common browser applications, browsers do not have 45 bines the activities of users, the Averail application and calls any restrictions on accessing the documents, maintaining to the client side library to track activities associated with a cache and restricting other applications from accessing file thereby enabling a trace of the file and activities associ downloaded documents. Once the document is downloaded, ated with the file back to a source. Under this embodiment, the any application understands the format can open the applica document always moves as URI which is constructed and tion. There is no way to track how many copies of a document 50 tracked by the ACXS SVFM, the Averail application and are lying around with applications. client side libraries. Averail client application provides notion of secure brows An embodiment of a SVFM system is described herein. A ing by providing following features: SVFM system is secure cloud-based virtual file management The documents that are downloaded are encrypted locally system for mobile OS platforms that federates multiple physi based on the policy. 55 cal file systems, content management systems and storage Only Averail trusted 2"/3" applications can access the repositories. Under an embodiment, the goal of SVFM sys downloaded files. tem is to virtualize heterogeneous file and storage systems Averail application keeps the temporarily cached files also and expose a secure federated file system to mobile users and as encrypted files based on the policy. applications. ASVFM system exposes a virtual file system to Since only trusted applications can access the document, 60 Smartphone and tablet applications such that these applica Averail can track the document. tions can access files from underlying federated systems in a Downloaded and cached documents expire after policy SCU al. allowed time while user is offline. User need to renew the The SVFM system is based on the following mechanisms authentication token to view the documents. and security controls: Also, the Averail client application controls policy permit 65 The SVFM system maintains a pluggable mechanism for ted/restricted actions that may be taken on documents interfacing with various physical file systems, content man like cut/copy/paste, print, email and save offline. agement systems and storage repositories irrespective of US 8,863,298 B2 29 30 whether Such repositories are cloud based or on-premise sys copy/move a file to some cloud storage and for other appli tems. The SVFM system uses public interfaces (REST, SOAP cations to then access that file via the same cloud storage or proprietary API) or protocols (WebDAV. CIFS, NFS) to location. SVFM system changes this by offering a common access these underlying federated systems. The SVFM sys facility of secure virtual file system to mobile applications tem layers on top of one or more such federated file systems. and services on the OS platform and device. This is done via The SVFM system interfaces with the federated domains to a lightweight SVFM library that is linked with each applica collect metadata of the content stored across the federated tion (including the Averail application), thereby enabling domains and to collect information of file system access Such application running on a mobile device to hook into primitives of the federated domains. The SVFM system maps SVFM services for virtualized file system management and file system access primitives to corresponding content resid 10 policy controlled access to files. Each Such application (in ing in the underlying storage domains. The virtual file man cluding the Averail application) makes calls upon or commu agement system maintains information of the access primi nicates with the library to access the virtual file system and tives for accessing content residing on the underlying communicate with the ACXS. physical file systems and organizes such information together On mobile device OS, each application has its own sand with collected metadata of the federated physical file systems 15 boxed file system. Under this configuration, the device OS to create a virtual file system for the underlying federated/ fails to provide a common file system to all of the hosted managed content. applications. Accordingly, mobile device OS limits/restricts Unlike other physical file systems that store files on under an application's visibility to its own Sandboxed file system. lying file storage (typically tightly coupled with the file sys Document transfers across applications running on mobile tem and/or specific OS), the SVFM system is a virtual file device occur through platform defined document/file system that overlays a security control plane on top of mul exchange protocols. Under an embodiment, an application tiple underlying physical file systems and storage reposito moves a document by transferring the document to a common ries. The SVFM system doesn't store any file content at rest. area where the document is then further moved to a target The SVFM system only integrates with underlying federated location. systems at a control plane level by extracting file metadata 25 The SVFM system creates a virtualized view of content (example: name of document, creation date, owner etc.) and across multiple storage domains and exposes the virtual file associated policies and permissions. The SVFM system system to third party applications running on a mobile device. stores this metadata, policies and permissions and uses these Third party applications may then access the managed con to provide security around file access and operations while tent (of the federated domains) and associated operations letting the file contents remain on the corresponding source? 30 exposed by the SVFM system. As one example, assume that originating file system. The SVFM system ensures that all an editor application runs on a mobile device alongside the this user/device/policy/permissions/file metadata is protected Averail application. The editor application sees into its sand at rest on SVFM system cloud service. boxed portion of the device memory. However, the editor The SVFM system is distributed across two parts including application has no capability to reach content stored on a cloud and mobile-side. The SVFM cloud service (or ACXS) 35 shared storage of an enterprise behind a firewall, e.g. Share can be deployed on public or private cloud. SVFM cloud Point. The editor application may integrate or make calls to a service a) integrates with multiple file systems, b) acts as a lightweight SVFM library in order to access the virtual file policy definition and decision point for secure file access from system and its functionality. In other words, the editor appli mobile devices, and c) models users, devices, policies and cation may use the exposed SVFM system to obtain a single content meta-model of underlying file systems. 40 view into the federated storage domains of the virtual file The SVFM system separates control plane from the data system. The editor application may then perform create, read, plane for secure access to files (from a mobile device) from update, and delete operations on the federated content using the underlying federated file systems. The SVFM system only the virtual file system exposed by the SVFM system. comes in to play during authentication, authorization, policy Under an embodiment, once the editor application inte and permissions enforcements on file operations. The access 45 grates the SVFM library, the editor application may use the to file content happens transparent to the SVFM system either virtual file system to access content residing on a storage direct to the underlying physical file system or on a secure domain (e.g., SharePointTM). The editor applications access overlay data plane on the SVFM system. to such content is policy and permission controlled. Each action primitive on the virtualized file system is As seen in FIG. 19, the Averail application 1910 is coupled access, policy and permission controlled by the SVFM sys 50 to the ACXS service 1920. Application 1 and Application 2 tem. Under an embodiment, the SVFM system inherits poli 1930 integrate with Averail application by integrating the cies and permissions associated with each file (as known to ACXS or the SVFM Library (AL) 1940. Application 1 and SVFM system) from its source? origin file system across the Application 2 may then interact with the ACXS service 1920 federated physical file systems. Next, the SVFM system aug to access content managed by the ACXS service. As seen in ments these policies by defining and enforcing additional 55 FIG. 19, Application 2 uses the ACXS library to access con policies that are mobile device and user-aware. Under an tent on a cloud storage domain (e.g., DropBoxTM) 1960 using embodiment, these policies control whether files are the policy controlled virtual file system exposed by the encrypted on mobile devices, whether these can be shared Averail application. As seen in FIG. 20, an editor application across applications, what actions (Create, Read, Update, 2010 may integrate the SVFM library 2020 thereby gaining Delete, Copy, Move) can be performed on a file and by whom, 60 visibility into the SVFM 2030 and access to its functionality. whether files can be shared across mobile applications or The editor application may then move content 2040 from an copied/moved across the federated physical file systems. enterprise content management domain to a cloud storage Most mobile OS platforms offer a sandbox view of file domain according to applicable policies and permissions. systems to applications. Each application receives its own The mobile side of SVFM system is implemented specific part of file system visible to that application only. Applica 65 to each mobile/tablet OS platform for example, SVFM sys tions exchange files by copying files from one application’s tem for iOSTM, for Android TM and for Windows 8/PhoneTM sandbox to another. Another option is for an application to platforms. The SVFM service acts a secure virtual file system US 8,863,298 B2 31 32 that a) functions as a policy enforcement point for policies cific policies, an administrator may further define an addi defined on SVFM cloud services, b) provides multi-layer tional set of user/group policies applicable to particular users encryption of files as per policies, c) provides interfaces for or groups (e.g. sales group or company CEO). The above other applications to access files exposed by the SVFM sys referenced administrator defined polices augment the inher tem. ited policies and permissions, i.e. the policies and permis On mobile side, SVFM service maintains virtual file sys sions associated with SVFM system managed content inher tem access primitives and exposes primitive operations for ited from corresponding source? origin file systems across the access to files from other applications and users. These primi federated storage domains. tive operations include—create, read, update, delete, rename, As indicated above, the SVFM cloud service uses a list, move, copy, get metadata, view, edit, annotate, copy/ 10 dynamic policy decision engine and algorithm to determine move across physical file systems, open in specific applica policy definitions that are to be enforced on a specific action. tions for editing/viewing. SVFM system also introduces According to Such algorithm and as seen in FIG. 21, the policy controlled actions around copy/move of files across SVFM system first applies the enterprise/company policies in different file systems. For example, whether a file can be step one 2100, the additional phone/device policies in step moved from an on-premise physical file system to cloud file 15 two 2200, the additional user/group policies in step three system is controlled by SVFM policies. Each of these opera 2300 and the inherited policies in step four 2400. The inher tions are policy controlled by SVFM cloud service with ited policies include the user/device/file level policies and SVFM mobile service acting as a policy enforcement point. permissions inherited from the federated Storage domains. SVFM system manages a secure file cache and offline The algorithm uses the principle of most restrictive policy storage for files on the mobile device. The file cache has cache derivation when there are multiple policy items applicable to expiration and file encryption policies defined on SVFM sys a specific action on a file entity. Under an embodiment, a tem cloud service and enforced on SVFM mobile service. The policy enforcement module of the Averail application controls on whether a file can be stored offline and for how retrieves policy definitions (policy update can be triggered to long (as in offline document expiration), and encrypted are Averail application by a push notification from the ACXS also controlled by SVFM system. The size and scavenging of 25 service) from the SVFM cloud service when the user file cache and offline store is also controlled by SVFM sys accesses/starts the Averail application. In addition, the tem. enforcement module automatically retrieves changes to the SVFM services also controls leakage of files from the policy definitions as changes occur on the server side of the mobile devices. Each action on a file around copy/move or SVFM system. sharing across users/applications/devices and file systems 30 SVFM system ensures traceability and auditing of actions can be controlled by SVFM policies. For example, SVFM on files that are managed by SVFM system. Each action system can block sharing or copy/move to cloud storage for a (primitive operation, authentication, authorization or policy/ secure confidential document that is accessed on a mobile permission control) is tracked by SVFM system mobile ser device from on-premise document management system. vice and is reported to SVFM system cloud service. SVFM The SVFM service controls and manages multiple layer 35 system cloud services can then be used to run logs/audit and encryption on the mobile device. It can enable device-level analytics reports for traceability and auditing purpose. encryption for all files stored/cached on mobile device, SVFM system supports mechanisms for selective remote encrypt files in cache, encrypt files stored offline in device wipe of a file (or delete of all files) from the mobile device. local file system and also encrypt files that are copied to other This action can be performed by an administrator from the applications or physical file systems intermediated by SVFM 40 SVFM cloud service. Also, a specific underlying file system control plane. can be disabled from access for a specific user/device. SVFM A SVFM system uses a Secure File Control Protocol system also Supports deactivating and blocking access to the (SFCP) between its mobile service (acting as policy enforce entire secure virtual file system for a specific user/device. ment point) and cloud service (acting as policy definition and SVFM system supports federated search across all under decision point). SFCP is secure REST based protocol that 45 lying federated physical file systems and repositories. The exposes an interface to GET, DELETE, PUT, POST policy federated search is a 3-layer mechanism—first, the search is definitions. SVFM cloud service uses a dynamic policy deci performed on the local secure cache, then on mobile cloud sion engine and algorithm to determine policy definition that service on file metadata and content graph, and on underlying is to be enforced on a specific action (on a specific file on the physical file systems. mobile device) based on applicable user, device, file entity 50 The SFMS service facilitates transfer of documents from a and associated metadata and defined or inherited user/device? Source location to a target location only as permitted by file level policies and permissions. The algorithm uses the policies and permissions administered by the ACXS cloud principle of most restrictive policy derivation when there are service and enforced by the mobile application. On the device multiple policy items applicable to a specific action on a file side, the Averail service provides access privileges to man entity. 55 aged content through a virtual file system exposed to the Under an embodiment, an administrator may define com mobile application and to trusted third party applications. pany or enterprise policies based on a combination of device, Each document transfer initiated by a user through either the user/group and storage domain parameters. Administrators mobile application or a third party application is policy and may then define an additional set of phone/device specific permission controlled. Therefore, the Averail system main polices and permissions relating to particular devices and 60 tains awareness of a document's transfer history including their corresponding configurations. For example, an addi information of a document's source, information of the user tional set of phone specific policies may apply to a device transferring the document and encryption applied to the docu configuration including OS type, OS version and device type/ ment. The Averail application and ACXS service track every name. One example configuration includes iOSTM, version action taken on content managed by the ACXS service. The 5.0 and iPadTM. Another example configuration includes 65 ACXS service then associates this tracked information with a Android TM, version 6.1 and phone. In addition to enterprise/ transferred document and Stamps the document with a trusted company policies and the additional set of phone/device spe document icon. A user accessing the document may interact US 8,863,298 B2 33 34 with the trusted document icon (e.g. clicking the icon) to approved company desktops and laptops. However, mobile obtain such information associated with a document. devices including AndroidTM and iOSTM devices are not con The Averail system allows movement of content between sidered trusted devices. Therefore, mobile devices are often communication nodes distributed among a federated set of not allowed access to trusted networks within the firewall storage locations while maintaining enterprise security con 5 perimeter. Accordingly, mobile devices are managed differ trols over the content. The Secure Virtual File Management ently within the enterprise. IT professionals may block System (SVFM) manages content within the system through mobile device access to enterprise resources altogether. IT a combination of metadata access and management, policy/ professionals may provide access to mobile device users by permission tracking, encryption methods and identity man forcing Such users onto guest Wi-Fi when operating within agement systems. At its most fundamental level, the SVFM 10 the enterprise firewall. Under an alternative embodiment, IT enables all of these functionalities through a node based com directly manages mobile devices within the enterprise. Under munications paradigm which routes communications among an embodiment, IT may securely provision the mobile device nodes while imposing logical and/or physical elements/con by configuring the device for Wi-Fi authentication, VPN trols/constraints of the central ACXS core. access, password protections and other enterprise settings, Under one embodiment, the Averail mobile application 15 monitoring the device for compliance with IT policies, and running on a mobile device communicates directly with pub remotely maintaining capabilities of wiping and/or locking lic cloud storage systems (e.g. BoxTM, DropboxTM), enter the device. Under this scenario, mobile device user would be prise cloud storage systems (Office365TM) and/or ECM sys given access to enterprise storage (e.g., SharePointTM), direc tems. Under this embodiment, the Averail application on a tory service(s) (e.g., Windows Server Active DirectoryTM), mobile device communicates directly with cloud storage and/ and shared drives. Even if the device is trusted and IT man or ECM systems as allowed by Averail enforced policies and aged, mobile devices are generally not domain joined and do permissions. Such pathways include for example mobile not enjoy single sign on access to all locally networked device (e.g., iPadTM)->direct to storage/ECM system. For resources. Under an alternative embodiment, managed example, Averail mobile application (running on iPadTM) mobile devices may receive access to email, contacts and accesses documents (e.g., from Office365TM) directly with 25 calendar through an email service (e.g., Microsoft the ACXS acting as policy engine. Policy enforcement hap ExchangeTM) and mobile data synchronization applications pens on the Averail secure document container on mobile (e.g., Active SynctM), but that's it. In the worst case scenario, device. As another example, Averail mobile application (run IT leaves the mobile device user to manage devices indepen ning on iPad TM) accesses documents on cloud storage (e.g., dently of company policies and permissions. DropboxTM) directly from the cloud storage platform (e.g., 30 IT professionals face security difficulties as mobile devices DropboxTM) with ACXS acting as policy engine. With respect migrate outside the firewall. As a threshold consideration, the to Web UX client, such pathways include enterprise may decide to refuse all remote access to company WebUX->ACXS->storage/ECM system. However, the data from outside the firewall. For most enterprises, this solu Averail application and/or WebUX client may not be able to tion is unrealistic given the increasing demand for mobile reach behind an enterprise firewall to reach ECM systems, 35 access from an ever increasing number of mobile device e.g. SharePointTM, directly. users. The enterprise may offer a variety of “outside in The existence of enterprise firewalls complicate the use of pathways for mobile device users. Conventional remote conventional client server requests to enable certain node to access solutions include Secure Sockets Layer VPN (SSL node communications within the Averail system, i.e. ACXS to VPN), Internet Protocol Security VPN (IPSec VPN), and enterprise storage (e.g., SharePointTM) residing behind a fire 40 access via a reverse proxy. Under an embodiment, a standard wall. An enterprise may segregate local storage systems from web server may expose enterprise data to the outside world open networks through various firewall solutions. A firewall through standard HTTP/S protocols. A web server may sit at is either software-based or hardware based and primarily the edge of an enterprise firewall and receive normal incom analyzes and monitors traffic leaving and entering a local area ing HTTP/S requests for enterprise data. The HTTP/S network. In a typical configuration, a firewall sits between an 45 requests are then routed to the targeted storage site where the Enterprise LAN and public networks. The firewall monitors requested data is retrieved. Under an alternative embodiment, outgoing traffic initiated by client computers, i.e. clients the enterprise may provide SSL Virtual Private Network within the enterprise initiating requests for information (VPN) access to corporate data. Under yet another embodi hosted by servers outside the firewall. Conversely, the firewall ment, a reverse proxy solution may be used to mediate outside also monitors incoming traffic, i.e. requests from clients out 50 in traffic at the edge of the enterprise firewall. A reverse proxy side the firewall for information hosted on the corporate serv receives request from clients outside the firewall for server CS. side enterprise resources within the firewall. The reverse An enterprise may under an embodiment maintains corpo proxy passes on requests that are approved according to rate data locally and behind the enterprise firewall using on defined policies to server (or locally cached) resources and premise share drives. An enterprise may provide distributed 55 returns the requested content to the client. As another file access to local computing devices within the firewall example, MicrosoftTM offers services (e.g., Unified Access through WindowsTM based systems such as SharePointTM or GatewayTM) to provide secure remote access to corporate Active DirectoryTM. Under alternative embodiments, an resources behind an enterprise firewall. All of the above ref enterprise may implement distributed file sharing systems erenced remote access Solutions provide an “outside in solu using Network File System (NFS), Distributed File System 60 tion to the remote access problem. In other words, Such solu (DFS), and/or Server Message Block (SMB), also known as tions provide a mechanism for exposing corporate data to Common Internet File System (CIFS). A company uses such client requests originating outside the firewall under distributed file systems to provide local network access to restricted conditions using encryption methods. company files, data, content, and/or computing resources However, these solutions offer limited access to end users within the firewall. 65 and expose enterprise content to leaks once a document Enterprises provide access to local file systems behind an resides on a mobile device outside the enterprise firewall. enterprise firewall to trusted devices including authorized/ Further, enterprise customers often refuse to adopt any of the US 8,863,298 B2 35 36 above reference solutions for fear of exposing enterprise data This underlying client server architecture as described in to the outside world. In other words, the enterprise may block FIGS. 22 and 23 is in direct contrast with the desired and “outside in client requests for corporate resources. The enabled (as later described in detail) data flow of the IO Proxy SVFM system overcomes the firewall issue through an system. In general operation of the IO Proxy system from the “inside out” proxy system (hereinafter the “IO proxy”) imple 5 vantage of logical data flow, the iPad client and/or the web mented between the ACXS and the enterprise content man browser client initiates a request for information residing on agement system. As described below, the IO Proxy system the enterprise content management system. The ACXS server allows the ACXS to reach behind an enterprise firewall and receives the client request. The ACXS would then become the securely request resources from firewall protected ECM sys reverse client that passes the request along to the IO Proxy. tems such as SharePointTM. 10 Within the enterprise, the IO Proxy receives the request and The SVFM provides an “inside out solution to the remote manages the server side response, i.e. the IO Proxy function access problem using an IO proxy mechanism that resides ally behaves like the server in the client server architecture within the enterprise firewall. FIG.22 shows the “inside out and provides a response to the ACXS client request. The IO proxy system under an embodiment. FIG.22 shows an enter 15 Proxy interacts with the enterprise content management sys prise data storage environment separated from the Internet by tem to provide the requested information. However, this logi a firewall 2210. As seen in FIG. 22, an enterprise uses Share cal data exchange does not physically map to the client server Point 2220 to maintain enterprise data under an embodiment. architecture between IO proxy and ACXS as seen in FIG. 23 Under alternative embodiments, the enterprise may also use a due to the fact that the IO Proxy is the client that requests directory service (e.g., Active DirectoryTM) or shared drives. resources from the ACXS. However, the IO proxy system FIG. 22 shows SharePoint drives coupled to the IO proxy uses the client server architecture as described in FIGS. 22 2230. The IO Proxy interacts with enterprise storage (e.g., and 23 to functionally reverse the role of client (IO Proxy)and SharePointTM) as further described below. server (ACXS Server) to allow the ACXS server to function The IO Proxy is coupled to the ACXS servers 2240 which ally behave as the client and the IO Proxy to functionally are in turn coupled to mobile devices or browsers 2250 run 25 behave as the server. Accordingly, the IO proxy system maps ning instances of the Averail application. The ACXS servers the logical data flow described above to the client server maintain a communications component 2260 which in turn constraints in place between IO proxy and ACXS. This func includes a proxy connector module (or proxy connector com tional reversal of client server architecture is described in ponent or proxy connector) that communicates with the IO greater detail below. Proxy. The communication protocols among the Averail 30 application, the ACXS servers, the proxy connector module, For sake of clarity in the following discussion, the terms IO Proxy and enterprise storage (e.g., SharePointTM) are client and server maintain their commonly understood mean described in detail below. ings within client server architectures. However, the func As indicated above, the ACXS resides in the cloud. On both tional reversal of client and server in the IO Proxy system the enterprise and client (Averail application) side, the ACXS 35 introduces functional versus literal operations of client server resources are accessible via standard HTTP requests. The IO communications. Therefore, the IO Proxy serving as func Proxy as client communicates with the ACXS proxy compo tional server is referred to as the IO Proxy acting as Reverse nent through HTTP/S communications. FIG. 23 displays the IO (or the “Reverse IO”) and the ACXS server performing communication framework in place between the IO proxy functionally as the client is referred to as the ACXS acting as and the ACXS under an embodiment. As seen in FIG. 23, the 40 the Reverse ACXS (or the “Reverse ACXS'). IO proxy is the client and the ACXS is the server. The IO Proxy system leverages the HTTP protocols to As seen in FIG. 22, the ACXS is coupled to an end user change the roles of client and server. In a conventional appli devices outside the firewall. These devices include mobile cation of HTTP communications, a client communicates with devices (e.g., an iPadTM) and a web browser but are not so resources outside the enterprise firewall using HTTP limited. The iPad as seen in FIG.22 runs the Averail applica 45 requests. With reference to FIG. 23, client IO proxy initiates tion and manages/issues the communication requests HTTP request using a GET, PUT, POST or DELETE com between the mobile device client and the ACXS server. The mand. As one example, the server responds to a client GET web browser interfaces with an HTML5 application that simi request by providing the particular resource or returning a larly manages communications between the browser client response to the client. The response contains completion sta and the ACXS. 50 tus information about the request and may also contain The firewall of FIG.22 includes a web proxy 2670. The IO requested content in its message body. The server may per Proxy is coupled to the ACXS through an enterprise customer form other functions on behalf of the client in response to managed web proxy. Under one embodiment, a web proxy is GET, PUT, POST and DELETE commands. a server dedicated to mediation of enterprise client requests The IO Proxy system leverages the HTTP protocols to for resources outside the Enterprise network. A web proxy 55 change the roles of client and server by sending GET, PUT, receives HTTP or HTTPS protocol requests from enterprise POST or DELETE commands to the client within the server clients, establishes a connection with a target server, passes response. As a simple example, the client IO proxy in FIG. 23 along the request and then receives the response. The web issues a GET command to the ACXS server. In response, the proxy then returns the response to the requesting client. As the ACXS responds to the GET command by embedding in the intermediate server, the web proxy may block certain client 60 response a GET, PUT, POST, or DELETE, i.e. by issuing a requests, file uploads, access to certain web services, etc. REVERSE GET, REVERSE PUT, REVERSE POST, or Under the embodiment of FIG. 22, the IO Proxy is a client REVERSE DELETE. Therefore, the ACXS server function within the enterprise firewall and the ACXS component is a ally behaves like a client by sending REVERSE HTTP com server residing in the cloud. As seen in FIGS. 22 and 23, the mands on top of an underlying response primitive of standard IO Proxy initiates requests. IO Proxy establishes a connection 65 HTTP communications. The functional reversal of client with the ACXS server, passes along the request to the ACXS server roles using underlying HTTP protocols allows the server and then receives the response. REVERSEACXS to “request” resources that reside on enter US 8,863,298 B2 37 38 prise storage (e.g., SharePointTM) by issuing reverse HTTP the ACXS forwards the request to the Proxy QA as a reverse commands to a REVERSE IO proxy "server” as described in HTTP GET command 2560 as described above. Under an detail below. embodiment, the reverse Getmetadata request includes the The ACXSSVFM integrates with on premise document user's enterprise storage (e.g., SharePointTM) user id and management systems running within the enterprise. Under an 5 password. The ACXS may send a request back to the Averail embodiment, the IO proxy layers on top of the HTTP protocol application for the enterprise storage (e.g., SharePointTM) in order to provide mobile device users access to enterprise user id and password at the time of the event. Under alterna documents and data sitting behind a firewall using existing tive embodiments the Averail application may present the enterprise communications and storage infrastructure. The user with a request to enter enterprise storage (e.g., Share SVFM system provides mobile device users access to enter 10 PointTM) credentials prior to the time the user initiates enter prise storage (e.g., SharePointTM) data in the manner prise storage (e.g., SharePointTM) access and send Such cre described in FIG. 24. The IO Proxy establishes a secure dentials to the ACXS at the time of the event (i.e. user's communication channel with the ACXS server 2410. The IO selection of enterprise storage (e.g., SharePointTM) folder on Proxy maintains this connection as a long polling occurrence the Averail application) but embodiments are not so limited. during which the IO Proxy awaits events 2420 from the 15 As indicated above, the ACXS sends the reverse Getmetadata Averail application running on a mobile device. The ACXS request using a reverse HTTP GET command as described server awaits a request 2420 from the Averail application above. The Proxy QAthen authenticates with enterprise stor running on a mobile device. The end user issues a request age (e.g., SharePointTM) using credentials comprising either 2430 for enterprise storage (e.g., SharePointTM) document user name and password or a Security Assertion Markup and the ACXS server detects the request 2440. The ACXS Language (SAML) token received from an identity provider. (acting as Reverse ACXS) issues reverse HTTP commands The Proxy QA authenticates with enterprise storage (e.g., 2450 to the IO proxy (acting as Reverse IO). The IO Proxy SharePointTM) using the credentials and receives cookies retrieves the requested resource from enterprise storage (e.g., from enterprise storage (e.g., SharePointTM) (not shown). The SharePointTM storage) 2460 and returns the resource to the Proxy QA may authenticate with enterprise storage (e.g., ACXS server 2470. The ACXS then returns the requested 25 SharePointTM) using the cookies 2570. If authentication fails resource 2480 to the mobile device as the final step. due to bad or stale cookies 2580, the Proxy QA provides As indicated above, the IO Proxy establishes a communi credentials 2582 again to enterprise storage (e.g., Share cation pathway with the ACXS. FIGS. 25A and 25B is a PointTM) and receives new cookies 2584. In the event the visual depiction of the steps involved in brokering this con SAML token is bad due to expiry, the Proxy QA authenticates nection. Assume that a Quality Assurance (QA) testing group 30 again to the SAML identify provider and uses the token to is created in the on-premise enterprise storage (e.g., Share authenticate with enterprise storage (e.g. SharePointTM) PointTM) content management system allowing QA group thereupon receiving new cookies from enterprise storage members access to a collection of stored content. Under the (e.g., SharePointTM). The Proxy QAthen issues a Getmeta ACXSSVFM, the IO proxy maintains a corresponding Proxy data request to enterprise storage (e.g., SharePointTM) using QA component (the “Proxy QA) behind the enterprise fire 35 the cookies 2591. Enterprise storage (e.g., SharePointTM) wall. The Proxy QA has connectivity to on-premise enterprise then provides the metadata to the Proxy QA in xml format storage (e.g., SharePointTM) documents in “QA group' con 2592. The Proxy QA forwards the metadata to the ACXS in tainer and is configured with http proxy credentials (url, port, JSON format 2593 together with the cookies which are stored username, password) to access the internet. Note that FIGS. in the ACXS. The Proxy QA then sends a token 2594 (i.e. 25A and 25B show an example for "sales' group as well. The 40 received during initial authentication between Proxy QA and following discussion uses the QA group example to provide a ACXS) to the ACXS server and waits for another event. The description of IO Proxy communications with the ACXS ACXS stores cookies received during Proxy QA Authentica SWCS. tion with enterprise storage (e.g., SharePointTM) 2595. These The Proxy QA authenticates itself to the ACXS using cookies are used in future exchanges between ACXS and Proxy QA credentials 2510 including user name and pass 45 Proxy QA so that Proxy QA may authenticate again to enter word but embodiments are not so limited. When the Proxy prise storage (e.g., SharePointTM) with the cookies in future QA authenticates to the ACXS using appropriate credentials, transactions. Under an embodiment, the ACXS may forward the ACXS then provides the Proxy QA a token or a cookie cookies to backup or alternative IO proxies (e.g., in the event which the Proxy QA stores locally 2520. In all subsequent of a failure of Proxy QA) thereby obviating the need to repeat requests to the ACXS, the Proxy QA provides this token or 50 authentication between alternative IO Proxies and enterprise cookie as authentication. The Proxy QA then provides the storage (e.g., SharePointTM). The requested metadata is sent token to the ACXS and waits for an event from a mobile to the client 2596. The client user (Averail application) may device user 2530. The authentication process provides the now browse metadata and request documents (using CRUD ACXS with location of the Proxy QA. When an event occurs, commands). i.e. when a mobile device user initiates a request (through the 55 The SVFM integrates with on premise document manage Averail application) for a QA group enterprise storage (e.g., ment systems running within the enterprise. The SVFM inte SharePointTM) document managed by the Proxy QA, the grates with on premise document management by imple ACXS know where to forward the request. menting an IO proxy protocol layer on top of the HTTP The user triggers an event by running the Averail applica protocol primitives. FIG. 26 displays the communication lay tion and selecting the on-premise enterprise storage (e.g., 60 ers that provide HTTP protocol access to enterprise docu SharePointTM) folder. The Averail application issues a request ments and data sitting behind a firewall using existing enter 2540 (GetMetadata) to the ACXS to retrieve information of prise communications and storage infrastructures. Layer 1 the content stored in the selected folder. When the ACXS represents standard HTTP communications between the IO receives the request, the ACXS looks up the requesting user's proxy and ACXS. The IO Proxy authenticates to the ACXS customer and group affiliation 2550. For example the user 65 using HTTP communications and establishes an open link to may work for Company Zand belong to the Proxy QA group. the ACXS referred to as a long polling occurrence. Layer 2 After identifying the user as member of the Proxy QA group, represents the IO protocol that sits atop the HTTPS protocols. US 8,863,298 B2 39 40 As already described above, the IO protocol leverages the restrictive. The IO Proxy system supports two way synchro HTTP protocols to change the conventional roles of client and nization. Change on the mobile device (e.g., iPadTM) (via server by sending REVERSE GET, PUT, POST or DELETE Averail application) are pushed to Storage Domain even commands to a client within the server response. Layer 3 when the client is outside the firewall. As indicated above, represents security and encryption methods implemented documents served by the IO Proxy are encrypted end-to-end alongside communications within the IO proxy server. As in Such a way that the Averail application requires keys from discussed above, the IO proxy authenticates to the ACXS in Averail system before documents may be decrypted. Further communications with the ACXS and authenticates to enter multiple IO proxies may increase throughput and availability. prise storage (e.g., SharePointTM) in communications with the In addition IO proxies may serve specific enterprise groups. enterprise content management system. The SVFM also 10 implements encryption and policy enforcement within the IO For example, a marketing group may under an embodiment Proxy system as further described below. Layer 4 represents have their own four proxies while sales may have their own reverse HTTP commands that issue from the Reverse ACXS four proxies. The proxies themselves may run unattended to the Reverse IO. The reverse HTTP commands include after initial configuration as they use certificates/credentials GetMetadata, CreateDoc/Folder, GetContent, SyncChanges, 15 from the ACXS to access on-premise systems. On the client CheckReachability, and GetPolicy but embodiments are not side (Averail application), the IO proxy is entirely transparent so limited. Layer 5 represents the underlying content reposi to the user. tory resident on premise and behind the enterprise firewall. The Averail system may implement IO Proxy system using FIG. 27 shows movement of content from enterprise stor multi-threaded Proxies running on a wide variety of platforms age (e.g., SharePointTM) to ACXS servers (and Averail appli from Vanilla desktops (2 to 4 cores) to mid-range servers to cation) together with enforcement of policies and encryption. enterprise servers (64 or more cores); therefore the capability In step 1, the IO Proxy authenticates to the ACXS servers and of a Proxy to serve hundreds of simultaneous requests varies to enterprise storage (e.g., SharePointTM) as described above. a lot. Under one embodiment, the Proxy will provide ACXS In step 2, the IO Proxy retrieves policies from the ACXS information about its capabilities (and current load) so that servers. In the IO Proxy system, the IO Proxy (behind the 25 ACXS can perform intelligent weighted load-balancing enterprise firewall) acts as the policy enforcement point among the ProXies that serve a group (e.g. Sales or Market (PEP) of policies defined by administrators and maintained ing) so as the maximize the resource utilization and minimize by the ACXS using the policy management system. In step 3. latency. Under another embodiment, ACXS can use the aver the ACXS and IO Proxy interact as described above to trans age round-trip time (and other performance metrics) of past fer enterprise content to the ACXS servers which is then 30 requests (sliding window) to decide which Proxy is most passed along to the Averail application. The content is likely to respond the fastest for the current request and route encrypted on the move from enterprise storage (e.g., Share the request accordingly. PointTM) to the client using the Averail master key method. In step 3.1, the IO Proxy generates a symmetric document key. While it is true that Proxies run in secure environments In step 3.2 the IO Proxy interacts with ACXS to receive a 35 inside the firewall, some installations may be more secure wrapped symmetric key, i.e. the symmetrickey encrypted by than others. For example. a Proxy running on a desktop in a ACXS with a master key. The IO Proxy then in step 3.3 lab (with access control), though secure, is relatively less encrypts the document with the symmetric document key. In secure than a Proxy running in a secure room with highly step 3.4, the IO Proxy creates the acxs envelope and then in limited access and multiple levels of protection (guard, step 3.5 the IO proxy sends the encrypted document together 40 badge, card access control, video monitoring etc). Under an with the wrapped key in the envelope to the ACXS servers. embodiment, the Proxy will provide this security information Under another embodiment, there is also a personal proxy to ACXS. (which is also known as Agent), which resides for example on Under one embodiment of the IO Proxy system, documents a laptop. This Agent is the equivalent of the IO Proxy. The can be classified as “unclassified”, “Restricted”, “Confiden Agent may run behind of or outside of a firewall. When the 45 tial”, “Top Secret” etc. The roles of the enterprise users could agent runs behind the firewall, the Agent may provide access be employee, engineer, human resources, attorney, director, to enterprise storage (e.g., SharePointTM) documents under an VP, board of directors etc. Under this embodiment, ACXS embodiment. The Agent may also provide access to locally can use the information about the user role (and perhaps stored files when the Agent operates within or outside the document type) to route the request to the appropriate Proxy. firewall. Under this embodiment, the Agent manages access 50 For example, the create/update/read/delete requests from to local folders allowing managed documents on the local users in the VP role will be routed to the Proxy which is in the folder to be shared between users. most secure location. The IO Proxy system provides a wide array of functional The ACXS service provides access to documents from ity. It allows user to access corporate (on-premise) documents enterprise document sources such as SharePoint through mul securely on mobile devices (tablets, laptop etc.) from any 55 tiple routes to mobile devices outside the firewall, while where, anytime with full tracking and auditing, end-to-end maintaining end-to-end security through encryption and encryption, current authorization. Current authorization authorization controls. The ACXS thus constructs a secure means that check for authorization is made at the time user "Virtual Document Circuit' for documents to flow from accesses the document as authorization may have been enterprise sources to BYO devices. revoked. The ACXS and IO Proxy cooperate to enforce poli 60 Some specific routes for document flows include but are cies. The Averail IO Proxy and ACXS never serve a document not limited to: for which the user is so unauthorized. As indicated above, the *Enterprise storage (e.g., SharePointTM)->Inside-Out-Proxy IO Proxy retrieves ACXS maintained policies and enforces installed by IT on server->ACXS->Device. them at the enterprise level. Of course, on-premise ECM *Enterprise storage (e.g., SharePointTM)->IOProxy installed systems enforce their own policies and permission defini 65 by user on desktop/laptop->ACXS->Device. tions. Averail system policies may augment such policies and *Enterprise storage (e.g., SharePointTM)->Averail app on permission and may therefore be more (and never less) desktop/laptop->ACXS->Device. US 8,863,298 B2 41 42 (The Averail system implements this pathway using a native A Smartphone can get private/confidential documents client for example on Windows 7TM and OSXTM platforms, through a) sync from laptops that have secure access to secure under an embodiment). enterprise information resources, such as on-premise enter * Enterprise storage (e.g., SharePointTM)->Averail app on prise storage (e.g., SharePointTM), b) as email attachments Device1->ACXS->Device2 (Under this embodiment, the using email application on the device, c) using browser or first device has locally cached an enterprise storage (e.g., enterprise storage (e.g., SharePointTM) application to access SharePointTM) doc). on-premise enterprise storage (e.g., SharePointTM) while All Such pathways/routes may be constructed real-time and device was “within' enterprise network with secure access to on-demand by the ACXS server based on the reachability/ enterprise storage (e.g., SharePointTM). Once a confidential connectivity of each node in the routing network, and based 10 document is on the device, the document can move across on the location(s) where the desired document resides. The from one application’s sandboxed file system to another. For ACXS service thus provides a convenient and secure method example, user can open a confidential document received via for users to search and browse for documents across the entire email with cloud storage (e.g., BoxTM/DropboxTM) applica Secure Virtual File Management System, which includes tion and these documents move to the corresponding sandbox documents cached in other users’ mobile devices or created 15 and can be uploaded to cloud storage—this is an information by other users on their desktops/laptops. The SVFM system leak vector. The same is the case for a document that is synced then transfers the desired document contents with end-to-end with other cloud storage (e.g. iCloudTM) into user's own encryption and authorization control from the source server/ storage. Similarly, user can also take a confidential document desktop/laptop/mobile device to the user's mobile device. to send it out as an email attachment. The ACXS system implements Mobile Information/Data Averail provides multiple mechanisms to protect against Leak Protection (ILP/DLP). The goal ofILP/DLP solutions is these added risk vectors. As described herein, Averail mobile to discover, detect, protect and manage confidential and sen application provides a secure document container on the sitive information throughout its lifecycle and storage loca device that enforces policies and permissions around encryp tions within the enterprise and as it gets shared with customer/ tion, cross-domain routing, sharing across applications, and partners. ILP also is used for regulatory compliance. 25 document collaboration. Any confidential document Presently, enterprises deploy ILP solutions either on the accessed using Averail application from enterprise enterprise network parameter or on PC/laptop endpoints. on-premise information sources is subject to applicable poli Examples include Microsoft Forefront Unified Access Gate cies. This covers the risk vectors around leak of documents wayTM, RSA DataLoss Prevention SuiteTM, BlueCoat DLPTM from Averail application to email or third party cloud storage and Symantec Vontu/DLPTM. Existing ILP solutions typically 30 applications on the device. perform the following functions: Averail also uses MDM mechanisms to configure device Discover and classify confidential, custodial or PII infor (as per enterprise policies) settings for a) network proxy mation during its lifecycle. This is done through docu settings (preferably using split IP tunneling so that traffic to ment Scanning, metadata analysis, digital fingerprinting public or private network domains is relayed according to etc. 35 company policies), b) credentials/certificates for VPN-based Enforce compliance with policies on information protec access from device to enterprise information sources, and/or tion. c) blocking of applications that are used for access to cloud Integrate with VPN and remote access solutions for off-site storage resources—for example, access to iCloud can be employees. In this case, remote employee/user can only turned offusing mobile device operating system (e.g., iOSTM) access on-premise information through VPN tunnel in 40 restrictions and cloud storage (e.g., BoxTM/DropboxTM) addition to endpoint ILP protection. applications can be blocked from being installed. The goal is Protect across different risk vectors at endpoint and net to restrict device access to public cloud storage services, if so work perimeter. The following diagram (FIG. 28) shows desired by an enterprise as per policies and compliance the risk vectors that are covered by existing ILP solu requirements. tions. These includea) endpoint-level ILP protection on 45 Averail also hosts a cloud proxy service as seen in FIG. 30. a laptop/desktop—this includes use of USB storage, This is a forward proxy for HTTP traffic and is integrated with syncing with mobile devices also, b) integration of ILP CloudXchange service (specifically, policy manager, content with proxy/gateway appliances on enterprise network forest manager services) for definition and enforcement of perimeters, c) off-site protection on remote laptops. policies related to HTTP traffic bound to cloud storage ser In the context of access to cloud storage services, enter 50 vices. The cloud proxy filters, intercepts and/or blocks HTTP prises can restrict access to cloud storage services by GET/PUT traffic from devices to cloud storage services and using perimeter ILP protection. However for this to specified domains while bypassing remaining traffic. The work information flow has to go through the ILP-en action on filtering and blocking is based on set of pre-defined abled gateways and proxies, which is the case for a) rules and dynamic analysis of URLs, domains, and docu on-site employees/devices and b) remote devices that 55 ments as part of HTTP traffic payload. HTTP/SSL traffic is by access cloud services only via VPN tunnel back to the default tunneled except in cases (example: based on policies enterprise and out through enterprise web proxies. around destination IP address, hostname in server certificate) Averail service integrates with existing enterprise where it needs to be intercepted or blocked. deployed ILP/DLP solutions to cover the risk vectors high Averail service administrator for an enterprise can define lighted in FIG. 28 above. Averail can use ICAP (Internet 60 policies to have HTTP traffic from Averail mobile application Content Adaptation Protocol) to couple in its own informa and all applications on device to be routed through Averail tion Scanning to existing proxy appliances. Smartphone?tab cloud proxy. This is done by setting network proxy settings to lets bring additional scenarios given the mobility aspect and Averail cloud proxy via configuration profiles or MDM the fact that users are more likely to use these remotely on mechanisms. public WiFi hotspots and cellular networks. FIG. 29 shows 65 Averail Supports IRM by enabling persistent usage rights, additional risk vectors for information leakage under an policies and permissions to be defined and enforced at the embodiment. document, library/folders or site levels. A rights managed US 8,863,298 B2 43 44 document has these policies and permissions associated with When a user accesses a rights-managed document using it throughout the time validity and duration of the associated Averail Mobile application, Averail IRM client uses the rights. Averail IRM license to get the end-user license from AVRMS The core scenario behind IRM is to ensure that as docu service and enforces usage rights, permissions and policies on ment moves during its lifecycle across on-premise ECM/ the encrypted document. Averail IRM client uses the crypto storage, third party apps, users/devices and cloud storage service and crypto key (from the end-user license) to decrypt services, policy controls associated with the document the document. Note that Averail IRM-managed document can remain with the document. only be opened by Averail IRM-enabled mobile application Averail supports IRM through Averail Rights Management from Averail or a 3" party. 10 The components described herein can be located together Server (AVRMS) hosted on public cloud (as part of CloudX or in separate locations. Communication paths couple the change service) and Averail IRM client code bundled with components and include any medium for communicating or Averail mobile application. The Averail IRM enables IRM transferring files among the components. The communica functionality for cloud storage and ECM services that do not tion paths include wireless connections, wired connections, have their own IRM support. 15 and hybrid wireless/wired connections. The communication Averail Supports integration with enterprise storage (e.g., paths also include couplings or connections to networks SharePointTM) IRM by integrating Averail IRM client on the including local area networks (LANs), metropolitan area net device with a directory service server (e.g., Active Directory works (MANs), wide area networks (WANs), proprietary Rights Management Server'TM (AD RMS)). An option is to networks, interoffice or backend networks, and the Internet. even provide IRM for SharePoint as a value-added service for Furthermore, the communication paths include removable customerS/users by hosting Averail’s own instances of AD fixed mediums like floppy disks, hard disk drives, and CD RMS on the compute Virtual Machines of the underlying ROM disks, as well as flash RAM, Universal Serial Bus public cloud platform. (USB) connections, RS-232 connections, telephone lines, FIG. 31 shows an end-to-end view of IRM, under an buses, and electronic mail messages. embodiment. AVRMS exposes APIs to Service Management 25 Aspects of the systems and methods described herein may console to enable IT/policy administrators to enable IRM at be implemented as functionality programmed into any of a document library/folder levels. AVRMS also supports follow variety of circuitry, including programmable logic devices ing functions: (PLDs), such as field programmable gate arrays (FPGAs), Enrolling user, device and its IRM client with the AVRMS programmable array logic (PAL) devices, electrically pro service by authenticating user identity with the Feder 30 grammable logic and memory devices and standard cell ated Identity Manager. based devices, as well as application specific integrated cir Setup of trust between Averail IRM client and AvRMS cuits (ASICs). Some other possibilities for implementing using certificates. aspects of the systems and methods include: microcontrollers Issuing end-user IRM license (with usage rights and per with memory (such as electronically erasable programmable missions) to the Averail IRM client. 35 read only memory (EEPROM)), embedded microprocessors, Managing distribution of certs (used for encryption and firmware, Software, etc. Furthermore, aspects of the systems decryption of rights managed document) to the Averail and methods may be embodied in microprocessors having IRM client. Software-based circuit emulation, discrete logic (sequential Averail Mobile IRM client performs as follows: and combinatorial), custom devices, fuzzy (neural) logic, IRM client enrolls with Averail RMS service and sets up 40 quantum devices, and hybrids of any of the above device trust using certificate (specific to RMS service) that have types. Of course the underlying device technologies may be been configured on the device through certificate distri provided in a variety of component types, e.g., metal-oxide bution and configuration mechanism. semiconductor field-effect transistor (MOSFET) technolo AVRMS validates the user identity with Federated Identity gies like complementary metal-oxide semiconductor Management Model (FIM) prior to user/IRM client 45 (CMOS), bipolar technologies like emitter-coupled logic being able to create/read/upload/download rights-man (ECL), polymer technologies (e.g., silicon-conjugated poly aged document. mer and metal-conjugated polymer-metal structures), mixed User can create a rights-managed document using Averail analog and digital, etc. mobile application UI. User can take an existing docu It should be noted that any system, method, and/or other ment and make it rights-managed. Alternatively, Averail 50 components disclosed herein may be described using com mobile application can enforce policy controls (speci puter aided design tools and expressed (or represented), as fied using Service Management console on document/ data and/or instructions embodied in various computer-read library basis that require IRM to be enabled prior to able media, in terms of their behavioral, register transfer, sharing cross-domain or across applications) transpar logic component, transistor, layout geometries, and/or other ent to the user. 55 characteristics. Computer-readable media in which such for Averail IRM client creates an Averail license with associ matted data and/or instructions may be embodied include, but ated information on usage rights (who can do what with are not limited to, non-volatile storage media in various forms the document), permissions and time validity/expiration (e.g., optical, magnetic or semiconductor Storage media) and of license. carrier waves that may be used to transfer such formatted data Averail IRM client uses the crypto services on the device to 60 and/or instructions through wireless, optical, or wired signal encrypt the document. The key for encryption is eithera) ing media or any combination thereof. Examples of transfers accessed from end-user license issued by AVRMS or b) of such formatted data and/or instructions by carrier waves distributed and configured on the device through certifi include, but are not limited to, transfers (uploads, downloads, cate distribution and configuration mechanism. e-mail, etc.) over the Internet and/or other computer networks Averail application uploads the encrypted document and 65 via one or more data transfer protocols (e.g., HTTP, HTTPs. IRM license to the target cloud storage service for shar FTP, SMTP, WAP, etc.). When received within a computer ing or cross-domain routing. system via one or more computer-readable media, Such data US 8,863,298 B2 45 46 and/or instruction-based expressions of the above described mobile applications that run on the one or more mobile components may be processed by a processing entity (e.g., devices and provides the access to the managed content one or more processors) within the computer system in con through the interface. junction with execution of one or more other computer pro Embodiments described herein include a virtual file man grams. agement system (VFMS) providing a user access to managed Unless the context clearly requires otherwise, throughout content on one or more mobile devices, the system compris the description and the claims, the words "comprise.” “com ing: a plurality of storage domains that store the managed prising.” and the like are to be construed in an inclusive sense content distributively using one or more file systems; at least as opposed to an exclusive or exhaustive sense; that is to say, one server hosting a data infrastructure that organizes the 10 managed content into a virtual file system that maintains in a sense of “including, but not limited to.” Words using the information of storage domain specific file system primitives singular or plural number also include the plural or singular for accessing corresponding portions of the managed content, number respectively. Additionally, the words “herein.” “here the data infrastructure collecting and maintaining metadata of under,” “above.” “below,” and words of similar import, when the plurality of storage domains and the one or more mobile used in this application, refer to this application as a whole 15 devices, wherein the data infrastructure comprises a policy and not to any particular portions of this application. When definition and decision component that generates and main the word 'or' is used in reference to a list of two or more tains policies defining controls for permissible operations on items, that word covers all of the following interpretations of the managed content with respect to the user on the one or the word: any of the items in the list, all of the items in the list more mobile devices, the permissible operations including and any combination of the items in the list. the file system primitives; a client application hosted on the The above description of embodiments of the systems and one or more mobile devices; the client application coupled to methods is not intended to be exhaustive or to limit the sys the data infrastructure and the plurality of storage domains tems and methods to the precise forms disclosed. While spe and including an enforcement component, wherein the cific embodiments of, and examples for, the systems and enforcement component communicates with the policy defi methods are described herein for illustrative purposes, vari 25 nition and decision component to retrieve and enforce the ous equivalent modifications are possible within the scope of policies by applying the controls on the one or more mobile the systems and methods, as those skilled in the relevant art devices, the client application retrieving information of the will recognize. The teachings of the systems and methods virtual file system from the data infrastructure and providing provided herein can be applied to other systems and methods, access to the managed content through an interface by pro not only for the systems and methods described above. 30 cessing data requests using the permissible operations, and The elements and acts of the various embodiments processing data requests through one or more of direct com described above can be combined to provide further embodi munication with the plurality of storage domains and secure ments. These and other changes can be made to the systems overlay communication with the plurality of storage domains and methods in light of the above detailed description. through the data infrastructure, wherein the client application Embodiments described herein include a virtual file man 35 exposes the permissible operations and the information of the agement system (VFMS) providing a user access to managed virtual file system to one or more mobile applications that run content on one or more mobile devices. The system comprises on the one or more mobile devices and provides the access to a plurality of storage domains that store the managed content the managed content through the interface. distributively using one or more file systems. The system The plurality of storage domains of an embodiment include comprises at least one server hosting a data infrastructure that 40 one or more of shared storage of an enterprise and cloudbased organizes the managed content into a virtual file system that Storage. maintains information of storage domain specific file system The shared storage of an enterprise of an embodiment primitives for accessing corresponding portions of the man includes enterprise content management systems including at aged content. The data infrastructure collects and maintains least one of enterprise storage (e.g., SharePointTM), shared metadata of the plurality of storage domains and the one or 45 drives and a directory service (e.g., Active DirectoryTM), more mobile devices. The data infrastructure comprises a wherein the shared drives include one or more of NFS, CIFS, policy definition and decision component that generates and and DFS based shared drives. maintains policies defining controls for permissible opera The cloud based storage includes one or more of iCloudTM, tions on the managed content with respect to the user on the DropBoxTM, and BoxTM. one or more mobile devices. The permissible operations 50 The client application of an embodiment comprises a include the file system primitives. The system comprises a native mobile application for the one or more mobile devices. client application hosted on the one or more mobile devices. The client application of an embodiment includes a web The client application is coupled to the data infrastructure and based HTML5 application, wherein the one or more mobile the plurality of storage domains and including an enforce devices includes a web browser client accessing the HTML5 ment component. The enforcement component communi 55 application cates with the policy definition and decision component to One or more mobile devices of an embodiment include a retrieve and enforce the policies by applying the controls on Smartphone device and a tablet, wherein the Smart phone the one or more mobile devices. The client application device includes an iPhoneTM device running iOSTM, an retrieves information of the virtual file system from the data Android TM device running AndroidTM operating system and a infrastructure and provides access to the managed content 60 WindowsTM phone running WindowsTM mobile operating through an interface by processing data requests using the system, wherein a tablet device includes a mobile tablet plat permissible operations, and processes data requests through form running the iOSTM, the AndroidTM operating system or one or more of direct communication with the plurality of the WindowsTM mobile operating system. storage domains and secure overlay communication with the One or more file systems of an embodiment include a first plurality of storage domains through the data infrastructure. 65 file system and a second file system, wherein a content hier The client application exposes the permissible operations and archy of the first file system is different than the content the information of the virtual file system to one or more hierarchy of the second file system. US 8,863,298 B2 47 48 The data infrastructure of an embodiment is one or more of The data infrastructure of an embodiment stores the iden a private and a public cloud based service. tity and credentials only as needed to synchronize informa The data infrastructure of an embodiment implements a tion of the content metadata component with the plurality of pluggable mechanism to couple with the plurality of storage storage domains. domains. The identity component of an embodiment associates the Coupling with the plurality of storage domains of an storage domain identities and the device identifiers with a embodiment includes interfacing with the plurality of storage system user identity in the data infrastructure, wherein the domains using one or more of a public interface and a proto system user identity is unique to each user. col. The identity component of an embodiment associates the The public interface of an embodiment includes REST 10 system user identity with an enterprise using an enterprise communications, SOAP communications and proprietary directory management system. APIs, wherein the protocol includes WebDAV. CIFS and NFS. The identity component of an embodiment maintains a plurality of system user identities associated with the enter Interfacing with the plurality of storage domains of an prise. embodiment includes collecting the storage domain specific 15 file system primitives, the data infrastructure mapping the At least one of the plurality of storage domains of an storage domain specific file system primitives to correspond embodiment include additional user and group associations, ing content of the plurality of storage domains. wherein the identity component associates the system user The information of the storage domain specific file system identify with the additional user and group associations. primitives of an embodiment includes a first and a second set Additional user and group associations of an embodiment of primitives, wherein the first set is different than the second include enterprise level associations including directory ser set, wherein the storage domain specific file system primi vice (e.g., Active DirectoryTM) distribution groups and secu tives include read, write, delete, update, copy, and move. rity groups and cloud storage system accounts (e.g., BoxTM Interfacing with the plurality of storage domains of an and DropboxTM accounts) that are established by enterprises embodiment comprises collecting the metadata. 25 or groups of users. Organizing the managed content into a virtual file system The content metadata component of an embodiment of an embodiment comprises using the information of the includes storage domain metadata of the managed content storage domain specific file system primitives, information of stored on each of the plurality of storage domains. the plurality of storage domains and the metadata. Storage domain metadata of an embodiment includes name The virtual file system of an embodiment provides virtual 30 file system primitives including one or more of create, read, of files, creation date of files, owner of files, and correspond update, delete, rename, list, move, copy, get metadata, view, ing storage domain content hierarchy, wherein the storage edit, annotate, copy and move across physical file systems, domain content hierarchy includes information of a file hier and open in specific applications for editing and viewing, archy. wherein the plurality of storage domains comprise the physi 35 Generating and maintaining the policies of an embodiment cal file systems. comprises the policy definition and decision component Metadata of an embodiment comprises at least one of an coupled to a management console configured to enable an identity component, a content metadata component, a device administrator an ability to define additional policies using component, and a policy component. information of the metadata, the additional policies defining The device component of an embodiment comprises infor 40 one or more additional controls for the permissible operations mation of mobile device configuration parameters of the one on the managed content. or more mobile devices, the mobile device configuration Additional policies of an embodiment are defined for an parameters including device specific policies and permis enterprise, wherein the additional policies define the one or sions in place for the one or more mobile devices. more additional controls for a user associated with the enter Configuration parameters of an embodiment include 45 prise, wherein the user associated with the enterprise com device posture and configuration settings. prises the user of the one or more mobile devices. The device component of an embodiment incorporates a Additional polices of an embodiment define the one or mobile device management policy from a third party service, more additional controls for groups of users associated with the mobile device management policy specifying the configu the enterprise, wherein the groups of users comprise the user ration settings. 50 associated with the enterprise. The mobile device management policy of an embodiment The administrator of an embodiment creates the groups of is defined for a set of enterprise devices, wherein the mobile users associated with the enterprise using custom groups and device management policy is defined according to a role of an standard groups, the groups of users including one or more of enterprise user. owners, members, visitors, viewers, on-premise employees, The policy component of an embodiment comprises Stor 55 offsite employees, partners and customers. age domain specific policies inherited from each of the plu Additional policies of an embodiment define the one or rality of storage domains, the storage domain specific policies more additional controls for a specific mobile device, wherein including user and group level permissions and policies with the specific mobile device includes the one or more mobile respect to the managed content. devices. The identity component of an embodiment includes unique 60 Additional policies of an embodiment define the one or device identifiers for each of the one or more mobile devices. more additional controls for the plurality of storage domains. The identity component of an embodiment includes Stor Additional policies of an embodiment define the one or age domain identities including identity and credentials of the more additional controls for a portion of the managed content. user for each of the plurality of storage domains, the identity Additional policies of an embodiment include a second set and credentials of the user enabling authentication and autho 65 of controls applicable to the specific mobile device, wherein rization of the user for access to each of the plurality of the specific mobile device includes a configuration of oper storage domains. ating system, operating system version and device type. US 8,863,298 B2 49 50 Additional policies of an embodiment includea third set of The settings of an embodiment include at least one of controls applicable to the user associated with the enterprise pre-configured sites and folders on the client application for or the groups of users associated with the enterprise. access to the managed content based on user identity, group, Maintaining and generating the policies of an embodiment permissions and policies, certificates used to setup trust include storing the additional policies, the device specific between the client application and the data infrastructure, policies and permissions and the storage domain specific certificates and credentials used for access to the plurality of policies in a policy store of the data infrastructure. storage domains, and the generated and maintained policies. Maintaining and generating the policies of an embodiment Configuring the settings of an embodiment comprise at comprise algorithmically compiling at least one of the addi least one of granting, denying and revoking access to a por tional policies for the user associated with the enterprise 10 tion of the managed content. accessing the portion of the managed content of the plurality Configuring the settings of an embodiment comprises of storage domains using the specific mobile device. selective wipe of the portion of the managed content. Compiling of an embodiment comprises retrieving and Configuring the settings of an embodiment comprises aggregating the one or more additional controls for the user backup and restore of the portion of the managed content, the and groups of users associated with the enterprise, the one or 15 portion comprising one or more of sites, documents, libraries more additional controls for the portion of the managed con and folders associated with the managed content. tent, the one or more additional controls for the plurality of Configuring the settings of an embodiment includes block storage domains, the one or more additional controls of the ing access of the user to the virtual file system. specific mobile device, the second set of controls, the third set Permissible operations of an embodiment include capabili of controls, the device specific policies and permissions and ties of a user to use the client application to at least one of the storage domain specific policies. view, edit, create, and manage content hierarchy of the man The ability of the administrator to define the additional aged content, wherein the content hierarchy includes one or policies of an embodiment comprises establishing manage more of document, libraries and folders. ment policies of the enterprise to enforce security controls for Permissible operations of an embodiment include capabili the managed content. 25 ties of a user to use the client application to at least one of Management policies of an embodiment include informa view, edit, create, and manage at least one of the metadata of tion management policies. the managed content and a portion of the managed content. Management policies of an embodiment include file col Permissible operations of an embodiment include capabili laboration and sharing policies. ties to export the portion of the managed content to a first Management policies of an embodiment include compli 30 application of the one or more mobile devices. ance and auditing policies, mobile application specific poli Permissible operations of an embodiment include capabili cies, device management policies, and information rights ties to import content from a second application to the client policies. application, wherein the managed content includes the Management policies of an embodiment include cross imported content, wherein the one or more mobile applica domain routing of the managed content across the plurality of 35 tions include the first application and the second application. storage domains. Permissible operations of an embodiment include capabili Management policies of an embodiment include synchro ties to share the portion of the managed content across the nization policies. plurality of storage domains, wherein the sharing the portion Generating and maintaining the policies of an embodiment of the managed content includes sharing directly using the comprises defining the controls according to a most restric 40 client application and sharing indirectly using other applica tive derivation, the most restrictive derivation comprising tions including, for example, ChatterTM. SalesForceTM and defining the most restrictive controls for the permissible Google AppsTM. operations on the managed content. Permissible operations of an embodiment include capabili Retrieving the policies of an embodiment includes retriev ties to share the portion of the managed content across groups ing the policies when the user accesses the client application 45 and users. on the one or more mobile devices, the retrieving the policies Permissible operations of an embodiment include cross including automatically retrieving changes to the policies. domain routing, the cross-domain routing comprising trans The data infrastructure of an embodiment communicates ferring the portion of the managed content from a first loca with the one or more mobile devices to verify proper configu tion to a second location, wherein the plurality of storage ration of the one or more mobile devices, the proper configu 50 domains includes the first location and the second location, ration including the configuration settings of the mobile wherein the first location is different than the second location. device management policy. Permissible operations of an embodiment include storing Verifying of an embodiment includes querying the one or the portion of the managed content locally on the one or more more mobile devices for at least one of device name, mobile mobile devices. device operating system (e.g., iOSTM) and build version, 55 Permissible operations of an embodiment include manag model name and number, capacity and space available, net ing and tagging items for offline access. work information including current carrier network and Permissible operations of an embodiment include capabil phone number, compliance and security information includ ity to subscribe to notifications or alerts for conditions and ing configuration profiles installed, certificates installed with events relating to the managed content including one or more expiry dates, list of restrictions enforced, hardware encryp 60 of sharing, workflow and system events. tion capabilities and passcode present, applications installed Permissible operations of an embodiment comprise apply including application ID, name, version, size, and application ing encryption to the managed content according to the poli data size, and provisioning profiles installed with expiry date. cies, the applying the encryption including applying hard The system of an embodiment comprises the data infra ware encryption to the portion of the managed content that is structure creating a configuration profile using information of 65 locally cached, applying symmetric key encryption to the the querying and communicating with the one or more mobile portion of the managed content stored in the local folders and devices to configure settings of the one or more devices. applying master key based encryption in cooperation with the US 8,863,298 B2 51 52 data infrastructure to at least a portion of the managed con of the client application comprising using connectors corre tent, the at least a portion including one or more of the sponding to the plurality of storage domains. exported, shared and cross-domain routed portions of the The searching of an embodiment comprises using an inside managed content. out proxy of the data infrastructure to issue search calls. The data infrastructure of an embodiment tracks actions on 5 The searching of an embodiment comprises a global the managed content, the actions including the permissible search. operations, the data infrastructure using the tracked actions to The global search of an embodiment includes conducting run audit logs, audit reports and analytics, wherein the audit the device local search, the remote search and the federated logs, audit reports and analytics provide traceability and search. auditing of the actions. 10 The global search of an embodiment unions results of the The client application of an embodiment searches the man device local search, the remote search and the federated aged content. search, wherein the global search presents the union-ed Searching of an embodiment includes a device local results together with corresponding location information of search, a remote search and a federated search across the the plurality of storage domains. plurality of storage domains. 15 The global search of an embodiment presents the results of The device local search of an embodiment comprises the device local search, the remote search and the federated searching for items in a local content model, wherein the search incrementally. managed content includes the searched items, wherein the Presenting the results of an embodiment incrementally local content model includes one or more of local device comprises initially presenting the device local results and domain information, local favorites and offline files and con continuing the remote search and the federated search while tent models corresponding to the plurality of storage presenting the device local results. domains. Presenting of the results of an embodiment incrementally The device local search of an embodiment comprises comprises posting the results of the federated and the remote retrieving identified items from a local cache or local content search with the results of the local search upon completion of folder of the client application and issuing a GET request to 25 the federated search and the remote search. retrieve the identified items from the plurality of storage The enforcement component of the client application of an domains when the device local search confirms absence of the embodiment communicates with the policy definition and identified items in the local cache or the local content folder. decision component using a secure file control protocol, The remote search of an embodiment comprises searching wherein the secure file control protocol Supports synchroni for items using the metadata. 30 Zation of the polices across the one or more mobile devices. The remote search of an embodiment comprises the data The secure file control protocol of an embodiment facili infrastructure exposing a REST search API to the client appli tates certificate-based trust between policy definition and cation, the remote search including the client application decision component and the enforcement component. submitting input parameters to the REST search API. The secure file control of an embodiment supports HTTPS Input parameters of an embodiment include query string 35 based REST communications, the HTTPS based REST com and metadata fields to return in entity metadata, the metadata munications including GET, DELETE, PUT, and POST. fields including one or more of URI for content access, a The secure file control protocol of an embodiment supports metadata entity id, and domain type. online and offline modes, the online mode comprising the Input parameters of an embodiment include type of query, enforcement component retrieving the policies from the number of entities to return, type of entities including one or 40 policy definition and decision component using the HTTPS more of lists, sites, folders and files, and search path. based REST communications, the offline mode comprising The REST search API of an embodiment returns the meta locally cached storage of the policies on the one or more data fields. mobile devices, the offline mode comprising the enforcement The remote search of an embodiment comprises retrieving component retrieving the policies from the locally cached identified items from the plurality of storage domains. 45 storage, wherein the locally cached polices are updated when The remote search of an embodiment comprises the client the one or more mobile devices establishes communications application retrieving the identified items directly from the with the policy definition and decision component using the plurality of storage domains. secure file control protocol. The remote search of an embodiment comprises the data Exposing of the permissible operations and the informa infrastructure retrieving the identified items on behalf of the 50 tion of the virtual file system of an embodiment comprises client application. exposing a lightweight virtual file management system Retrieving the identified items on behalf of the client appli library (VFMS library) on the one or more mobile devices, the cation of an embodiment comprises retrieving the identified exposing the permissible operations and the information of items using connectors corresponding the plurality of storage the virtual file system comprising the one or more mobile domains. 55 applications integrating the lightweight VFMS library. Retrieving the identified items of an embodiment comprise Exposing the permissible operations and the information retrieving the identified items using an inside out proxy of the of the virtual file system of an embodiment comprise the one data infrastructure. or more mobile applications communicating with the data The federated search of an embodiment comprises search infrastructure using the lightweight VFMS library. ing for the items across the plurality of storage domains. 60 Communicating with the data infrastructure of an embodi The federated search of an embodiment comprises the ment comprises communicating with the policy definition client application performing search calls to the exposed APIs and decision component using the secure file control protocol of the plurality of storage domains. to retrieve and enforce the policies by applying the controls The federated search of an embodiment comprises the data on the one or more mobile devices. infrastructure issuing search calls to the exposed APIs of the 65 Communicating with the data infrastructure of an embodi plurality of storage domains on behalf of the client applica ment comprises accessing the managed content using the tion, the data infrastructure issuing the search calls on behalf interface. US 8,863,298 B2 53 54 The secure overlay communication with the plurality of encrypted portion in a container and to retrieve the encrypted storage domains through the data infrastructure of an embodi portion from the container using one or more master keys ment comprises an inside out proxy system. maintained by the data infrastructure, the client application Embodiments described herein include a virtual file man exposing the client side library to one or more mobile appli agement system (VFMS) providing secure movement of 5 cations running on the one or more mobile devices, the one or managed content across a plurality of storage domains and more mobile applications using the client side library to apply one or more mobile devices. The system comprises a data the controlled encryption operations in accessing the con infrastructure coupled to and collecting metadata of the plu tainer. rality of storage domains and the one or more mobile devices. The plurality of storage domains of an embodiment include The plurality of storage domains distributively stores the 10 one or more of shared storage of an enterprise and cloudbased managed content. The data infrastructure organizes the man Storage. aged content into a virtual file system. The system comprises The shared storage of an enterprise of an embodiment a client application running on the one or more mobile includes enterprise content management systems including at devices configured to retrieve and use the virtual file system to least one of enterprise storage (e.g., SharePointTM), shared process a data request of a user. The data request comprises 15 drives and a directory service (e.g., Active DirectoryTM), the transfer of a portion of the managed content from a source wherein the shared drives include one or more of NFS, CIFS, location to a target location. The target location comprises and DFS based shared drives, wherein the cloudbased storage one or more of local storage of the one or more mobile devices includes one or more of iCloudTM, DropBoxTM, and BoxTM. and the plurality of storage domains. The data infrastructure The client application of an embodiment comprises a comprises a policy definition and decision component that native mobile application for the one or more mobile devices. generates and maintains policies defining controls for encryp The client application of an embodiment includes a web tion operations applied to the portion in connection with the based HTML5 application, wherein the one or more mobile transfer. The client application processes the data request devices includes a web browser client accessing the HTML5 using the virtual file system. The processing of the data application request includes retrieving the policies and enforcing the 25 One or more mobile devices of an embodiment include a policies by applying the controls on the one or more mobile Smartphone device and a tablet, the Smart phone device devices. The controlled encryption operations include apply including an iPhoneTM device running iOSTM, an Android TM ing one or more of a file level encryption and a master key device running AndroidTM operating system and a Win encryption. The master key encryption comprises the client dowsTM phone running WindowsTM mobile operating system, application encrypting the portion on the one or more devices 30 the tablet device including a mobile tablet platform running and interfacing with the data infrastructure using a client side the iOSTM, the Android TM operating system or the Win library to place the encrypted portion in a container and to dowsTM mobile operating system. retrieve the encrypted portion from the container using one or The plurality of storage domains of an embodiment include more master keys maintained by the data infrastructure. The one or more file systems, the one or more file systems includ client application exposes the client side library to one or 35 ing a first file system and a second file system, wherein a more mobile applications running on the one or more mobile content hierarchy of the first file system is different than the devices. The one or more mobile applications use the client content hierarchy of the second file system, the one or more side library to apply the controlled encryption operations in file systems including WindowsTM based file systems, accessing the container. MacOSTM based file systems, LinuxTM based file systems and Embodiments described herein include a virtual file man 40 UnixTM based file system. agement system (VFMS) providing secure movement of The data infrastructure of an embodiment is one or more of managed content across a plurality of storage domains and a private and public cloud based service. one or more mobile devices, the VFMS comprising: a data The data infrastructure of an embodiment interfacing with infrastructure coupled to and collecting metadata of the plu the plurality of storage domains using one or more of a public rality of storage domains and the one or more mobile devices, 45 interface and a protocol, wherein the public interface includes the plurality of storage domains distributively storing the REST communications, SOAP communications and propri managed content, the data infrastructure organizing the man etary APIs, wherein the protocol includes WebDAV. CIFS and aged content into a virtual file system; a client application NFS. running on the one or more mobile devices configured to Interfacing with the plurality of storage domains of an retrieve and use the virtual file system to process a data 50 embodiment includes collecting storage domain specific file request of a user, the data request comprising the transfer of a system primitives for accessing corresponding portions of the portion of the managed content from a source location to a managed content, the data infrastructure mapping the storage target location, the target location comprising one or more of domain specific file system primitives to corresponding con local storage of the one or more mobile devices and the tent of the plurality of storage domains. plurality of storage domains; the data infrastructure compris 55 Information of the storage domain specific file system ing a policy definition and decision component that generates primitives of an embodiment includes a first and a second set and maintains policies defining controls for encryption opera of primitives, wherein the first set is different than the second tions applied to the portion in connection with the transfer; the set, wherein the storage domain specific file system primi client application processing the data request using the virtual tives include read, write, delete, update, copy, and move. file system, the processing the data request including retriev 60 Organizing the managed content into a virtual file system ing the policies and enforcing the policies by applying the of an embodiment comprises using information of the storage controls on the one or more mobile devices, the controlled domain specific file system primitives, the plurality of storage encryption operations including applying one or more of a file domains and the metadata. level encryption and a master key encryption, the master key The virtual file system of an embodiment provides virtual encryption comprising the client application encrypting the 65 file system primitives including one or more of create, read, portion on the one or more devices and interfacing with the update, delete, rename, list, move, copy, get metadata, view, data infrastructure using a client side library to place the edit, annotate, copy and move across physical file systems, US 8,863,298 B2 55 56 and openinspecific applications for editing/viewing, wherein policies and permissions and the storage domain specific the plurality of storage domains comprise the physical file policies in a policy store of the data infrastructure. systems. Generating and maintaining the policies of an embodiment Metadata of an embodiment comprises at least one of an comprises algorithmically compiling at least one of the addi identity component, a content metadata component, a device tional policies for the user associated with the enterprise component, and a policy component. accessing the portion of the managed content of the plurality The device component of an embodiment comprises infor of storage domains using the specific mobile device. mation of mobile device configuration parameters of the one The compiling of an embodiment comprises retrieving and or more mobile devices, the mobile device configuration aggregating the one or more additional controls for the user parameters including device specific policies and permis 10 and groups of users associated with the enterprise, the one or more additional controls for the portion of the managed con sions in place for the one or more mobile devices. tent, the one or more controls for the plurality of storage The policy component of an embodiment comprises Stor domains, the one or more additional controls of the specific age domain specific policies inherited from each of the plu mobile device, the second set of controls, the third set of rality of storage domains, the storage domain specific policies 15 controls, the device specific policies and permissions and the including user and group level permissions and policies with storage domain specific policies. respect to the managed content. File level encryption of an embodiment includes hardware The identity component of an embodiment includes unique encryption applied to the portion on the one or more mobile device identifiers for each of the one or more mobile devices devices, wherein the portion comprises files stored in the and information of storage domain identities of the user for temporary cache of the one or more mobile devices. each of the plurality of storage domains, the identity compo File level encryption of an embodiment includes local nent associating the storage domain identities and the device encryption applied to the portion on the one or more mobile identifiers with a user identity. devices, wherein the portion comprises files and documents The metadata component of an embodiment includes Stor stored in local folders on the device. age domain metadata of managed content stored on each of 25 Local encryption of an embodiment comprises generating the plurality of storage domains, the storage domain metadata a symmetric key based on credentials of the user, the client including name of files, creation date of files, owner of files, application using the symmetric key to encrypt the portion, and corresponding storage domain content hierarchy. the client application storing the symmetric key in a mobile Generating and maintaining the policies of an embodiment device operating system key chain. comprises the policy definition and decision component 30 Encrypting the portion of an embodiment comprises using coupled to a management console that allows an administra symmetric key encryption, wherein the symmetric key tor an ability to define additional policies using the metadata, encryption comprises encrypting the portion using a symmet the additional policies defining one or more additional con ric key. trols for the encryption operations on the managed content. Placing the encrypted portion in the container of an Additional policies of an embodiment are defined for an 35 embodiment comprises sending the symmetric key to the data enterprise. infrastructure, the sending the symmetric key to the data Additional policies of an embodiment define the one or infrastructure comprising sending the key using a secure key more additional controls for a user associated with the enter distribution and management protocol. prise, wherein the user associated with the enterprise com Placing the encrypted portion in the container of an prises the user of the one or more mobile devices. 40 embodiment comprises the data infrastructure receiving and Additional polices of an embodiment define the one or encrypting the symmetrickey using a master key of the one or more additional controls for groups of users associated with more master keys, the data infrastructure returning a master the enterprise, wherein the groups of users comprise the user key encrypted symmetric key using the secure key distribu associated with the enterprise. tion and management protocol and the client application plac The administrator of an embodiment creates the groups of 45 ing the encrypted portion and the master key encrypted sym users using custom groups and standard groups, the groups of metric key in the container. users including one or more of owners, members, visitors, The container of an embodiment includes an envelope, the viewers, on-premise employees, offsite employees, partners envelope comprising an acxS data format, wherein the enve and customers. lope includes one or more of a class of the master key and a Additional policies of an embodiment define the one or 50 length of the master key. more additional controls for a specific mobile device, wherein Retrieving the encrypted portion from the container of an the specific mobile device includes the one or more mobile embodiment comprises retrieving the master key encrypted devices symmetric key from the envelope and sending the master key Additional policies of an embodiment define the one or encrypted symmetric key to the data infrastructure using the more additional controls for the plurality of storage domains. 55 secure key distribution and management protocol. Additional policies of an embodiment define the one or Retrieving the encrypted portion from the container of an more additional controls for the portion of the managed con embodiment comprises the data infrastructure receiving the tent. master key encrypted symmetric key and retrieving the sym Additional policies of an embodiment include a second set metric key, the retrieving the symmetric key comprising the of controls applicable to the specific mobile device, wherein 60 data infrastructure using the master key to decrypt the master the specific mobile device includes a configuration of oper key encrypted symmetric key. ating system, operating system version and device type. Retrieving the encrypted portion from the container of an Additional policies of an embodiment includea third set of embodiment comprises returning the symmetric key to the controls applicable to the user associated with the enterprise client application using the secure key distribution and man or the groups of users associated with the enterprise. 65 agement protocol, the client application receiving the sym Generating and maintaining the policies of an embodiment metric key and using the symmetric key to decrypt the includes storing the additional policies, the device specific encrypted portion. US 8,863,298 B2 57 58 The system of an embodiment comprises applying the container comprises the encrypted portion, wherein after the encryption operations to the portion during the transfer, the transfer, a copy of the container resides in the sandboxed file encryption operations including encrypting and decrypting system of the trusted application. the portion. A secure file exchange module of the trusted application of The source location of an embodiment comprises one or 5 an embodiment embeds the client side library by using a more of local storage of the one or more mobile devices and secure file exchange protocol to access the client side library. the plurality of storage domains. Accessing the container of an embodiment comprising the The transfer of an embodiment comprises decrypting the secure file exchange module using the client side library to portion according to a format applied at the Source location. communicate with the data infrastructure and retrieve from The format of an embodiment includes the file level 10 the data infrastructure information for decrypting the encryption. encrypted portion in the container and viewing the portion. The format of an embodiment includes the master key The data infrastructure of an embodiment manages the one encryption. or more master keys on behalf of an enterprise customer. Decrypting the master key encryption of an embodiment The one or more master keys of an embodiment include comprises retrieving the portion from the container. 15 one or more classes of master key. Encrypting the portion during the transfer of an embodi The one or more classes of master keys of an embodiment ment includes using the file level encryption. correspond to one or more of a user, a group of users, a device Encrypting the portion during the transfer of an embodi group, a storage domain and the one or more mobile applica ment includes using the master key encryption, the using the tions. master key encryption comprising placing the encrypted por The data infrastructure of an embodiment disables client tion in the container. side library calls to the data infrastructure by disabling the Encrypting the portion during the transfer of an embodi corresponding class of master key associated with the one or ment uses the master key encryption comprises storing the more of a user, a group of users, a device group, a storage container at the target location. domain and the one or more mobile applications. The client side library of an embodiment enables the client 25 The enterprise of an embodiment creates the one or more application to communicate with the data infrastructure, the classes, wherein the enterprise revokes the one or more communicating comprising issuing calls to the data infra classes. structure to one or more of retrieve information for applying The data infrastructure of an embodiment stores the one or at least one of the encrypted operations, retrieve the policies more master keys in a secure lockbox, wherein the Secure and enforce the policies. 30 lockbox encrypts and decrypts the symmetric key using the The one or more mobile applications of an embodiment one or more master keys. embed the client side library using a secure file exchange The enterprise of an embodiment maintains the one or protocol to access the client side library. more keys on-premise or on pubic cloud using hardware Exposing the client side library of an embodiment includes security module. exposing the client side library to additional devices and 35 The data infrastructure of an embodiment maintains an corresponding software platforms, the additional devices and on-premise pluggability module that allows the secure lock corresponding Software platforms embedding the client side box to encryptand decrypt the symmetrickey using the one or library using the secure file exchange protocol to access the more master keys from the on-premise or public cloud hard client side library. ware security module. One or more mobile applications of an embodiment use the 40 The client application of an embodiment cooperates with client side library to retrieve information from the data infra the data infrastructure to track information of the controlled structure for accessing the container. encrypted operations, the tracking the controlled encrypted Accessing the container of an embodiment includes operations includes tracking information of the data request decrypting and viewing the encrypted portion. to transfer the portion. One or more mobile applications of an embodiment 45 The information of the data request of an embodiment include trusted applications and unstrusted applications, the includes information of the user, information of the source container restricting access to the trusted applications, location and information of the controlled encrypted opera wherein the trusted applications embed the client side library, tions. the restricting the access including the client side library The client application of an embodiment cooperates with blocking communication of an untrusted application with the 50 the data infrastructure to associate a trusted file stamp with the client side library. information of the data request and Stamping the portion with The client application of an embodiment requests offline the trusted file stamp. access to the container, and in response to the request the data The trusted file stamp of an embodiment visually encodes infrastructure issuing special keys to the client application, the information of the data request using one or more of a wherein the special keys are valid for a predetermined amount 55 color and a symbol. of time. Users interact with the trusted file stamp of an embodiment The client application of an embodiment stores the special to obtain the information of the data request. keys on the one or more mobile devices using a hardware Tracking the controlled encrypted operations of an security element operating system provided key chain, the embodiment include tracking a series of data requests asso client application issuing calls on the client side library to 60 ciated with the portion, the series of data requests comprising obtain information of the special keys for accessing the con the data request. tainer. Embodiments described herein include a virtual file man Accessing the container of an embodiment comprises agement system (VFMS) providing a user access to managed decrypting and viewing the encrypted portion. content on one or more mobile devices. The system comprises The transfer of an embodiment comprises the transfer of 65 a plurality of storage domains that store the managed content the container from the client application to a trusted applica distributively using one or more file systems. The system tion of the one or more mobile applications, wherein the comprises at least one server hosting a data infrastructure that US 8,863,298 B2 59 60 organizes the managed content into a virtual file system that tent through the interface, the exposing the permissible opera maintains information of storage domain specific file system tions and the information of the virtual file system to the one primitives for accessing corresponding portions of the man or more mobile applications including the one or more mobile aged content. The data infrastructure collects and maintains applications retrieving and enforcing the polices. metadata of the plurality of storage domains and the one or 5 The plurality of storage domains of an embodiment include more mobile devices. The data infrastructure comprises a one or more of shared storage of an enterprise and cloudbased policy definition and decision component that generates and Storage. maintains policies defining controls for permissible opera A shared storage of an enterprise of an embodiment tions on the managed content with respect to the user on the includes enterprise content management systems including at one or more mobile devices. The permissible operations 10 least one of enterprise storage (e.g., SharePointTM), shared include the file system primitives. The generating and main drives and a directory service (e.g., Active DirectoryTM), taining the policies includes combining native policies asso wherein the shared drives include one or more of NFS, CIFS, ciated with the plurality of storage domains and the one or and DFS based shared drives, wherein the cloudbased storage more mobile devices with additional policies. The system includes one or more of iCloudTM, DropBoxTM, and BoxTM. comprises a client application hosted on the one or more 15 The client application of an embodiment comprises a mobile devices. The client application is coupled to the data native mobile application for the one or more mobile devices. infrastructure and the plurality of storage domains and One or more file systems of an embodiment include a first includes an enforcement component. The enforcement com file system and a second file system, wherein a content hier ponent communicates with the policy definition and decision archy of the first file system is different than the content component to retrieve and enforce the policies by applying hierarchy of the second file system. the controls on the one or more mobile devices. The client The data infrastructure of an embodiment is one or more of application retrieves information of the virtual file system a private and public cloud based service. from the data infrastructure and provides access to the man The data infrastructure of an embodiment implements a aged content through an interface by processing data requests pluggable mechanism to couple with the plurality of storage using the permissible operations. The client application 25 domains, wherein the coupling with the plurality of Storage exposes the permissible operations and the information of the domains includes interfacing with the plurality of Storage virtual file system to one or more mobile applications that run domains using one or more of a public interface and a proto on the one or more mobile devices and provides the access to col. the managed content through the interface. The exposing of Interfacing with the plurality of storage domains of an the permissible operations and the information of the virtual 30 embodiment includes collecting the storage domain specific file system to the one or more mobile applications includes file system primitives, the data infrastructure mapping the the one or more mobile applications retrieving and enforcing storage domain specific file system primitives to correspond the policies. ing content of the plurality of storage domains. Embodiments described herein include a virtual file man Information of the storage domain specific file system agement system (VFMS) providing a user access to managed 35 primitives of an embodiment includes a first and a second set content on one or more mobile devices, the system compris of primitives, wherein the first set is different than the second ing: a plurality of storage domains that store the managed set, wherein the storage domain specific file system primi content distributively using one or more file systems; at least tives include read, write, delete, update, copy, and move. one server hosting a data infrastructure that organizes the Interfacing with the plurality of storage domains of an managed content into a virtual file system that maintains 40 embodiment comprises collecting the metadata. information of storage domain specific file system primitives Organizing the managed content into a virtual file system for accessing corresponding portions of the managed content, of an embodiment comprises using the information of the the data infrastructure collecting and maintaining metadata of storage domain specific file system primitives, information of the plurality of storage domains and the one or more mobile the one or more storage domains and the metadata. devices, wherein the data infrastructure comprises a policy 45 The virtual file system providing virtual file system primi definition and decision component that generates and main tives of an embodiment includes one or more of create, read, tains policies defining controls for permissible operations on update, delete, rename, list, move, copy, get metadata, view, the managed content with respect to the user on the one or edit, annotate, copy and move across physical file systems, more mobile devices, the permissible operations including and openin specific applications for editing/viewing, wherein the file system primitives, wherein the generating and main 50 the plurality of storage domains comprise the physical file taining the policies includes combining native policies asso systems. ciated with the plurality of storage domains and the one or Metadata of an embodiment comprises at least one of an more mobile devices with additional policies; a client appli identity component, a content metadata component, a device cation hosted on the one or more mobile devices; the client component, and a policy component. application coupled to the data infrastructure and the plurality 55 The device component of an embodiment comprises infor of storage domains and including an enforcement compo mation of mobile device configuration parameters of the one nent, wherein the enforcement component communicates or more mobile devices, the mobile device configuration with the policy definition and decision component to retrieve parameters including device specific policies and permis and enforce the policies by applying the controls on the one or sions in place for the one or more mobile devices, wherein the more mobile devices, the client application retrieving infor 60 native policies include the device specific policies and per mation of the virtual file system from the data infrastructure missions. and providing access to the managed content through an The policy component of an embodiment comprises stor interface by processing data requests using the permissible age domain specific policies inherited from each of the plu operations, wherein the client application exposes the permis rality of storage domains, the storage domain specific policies sible operations and the information of the virtual file system 65 including user and group level permissions and policies with to one or more mobile applications that run on the one or more respect to the managed content, wherein the native policies mobile devices and provides the access to the managed con include the storage domain specific policies. US 8,863,298 B2 61 62 The identity component of an embodiment includes unique storage domains, the one or more additional controls of the device identifiers for each of the one or more mobile devices specific mobile device, the second set of controls, the third set and identity and credentials of the user for each of the plural of controls, the device specific policies and permissions and ity of storage domains, the data infrastructure storing the the storage domain specific policies. identity and credentials only as needed to synchronize infor 5 Generating and maintaining the policies of an embodiment mation of the content metadata component with the plurality comprises defining the controls according to a most restric of storage domains. tive derivation, the most restrictive derivation comprising The identity component of an embodiment associates the defining the most restrictive controls for the permissible storage domain identities and the device identifiers with a operations on the managed content. system user identity. 10 Retrieving the policies of an embodiment includes retriev The content metadata component of an embodiment ing the policies when the user accesses the client application includes storage domain metadata of the managed content on the one or more mobile devices, the retrieving the policies stored on each of the plurality of storage domains, wherein including automatically retrieving changes to the policies. the storage domain metadata includes name of files, creation A policy of the policies of an embodiment represents a set date of files, owner of files and corresponding storage domain 15 of persistent rules associated with a content entity to govern content hierarchy. and control actions on that entity, the policy including one or Generating and maintaining the policies of an embodiment more of policy rules, the actions, policy item value, capability, comprises the policy definition and decision component policy definition entity and policy enforced entity. coupled to a management console configured to allow an Policy rules of an embodiment include a logical collection administrator an ability to define additional policies using of the rules and the actions associated with the policy item information of the metadata, the additional policies defining value. one or more additional controls for the permissible operations The policy item value of an embodiment includes a policy on the managed content. specification associated with the policy rules. Additional policies of an embodiment are defined for an The capability of an embodiment includes software or enterprise, wherein the additional policies define the one or 25 device level functionality required for enforcing the policy more additional controls for a user associated with the enter rules. prise, wherein the user associated with the enterprise com The policy definition entity of an embodiment includes the prises the user of the one or more mobile devices. content entity on which the policy is defined including one or Additional polices of an embodiment define the one or more of groups and users, device of the one or more mobile more additional controls for groups of users associated with 30 devices, an application, storage domains of the plurality of the enterprise. storage domains, and a portion of the managed content Groups of users of an embodiment comprise the user asso including site and subsite, folder, document library, list, and ciated with the enterprise. document, wherein the groups and users comprise the user. The administrator of an embodiment creates the groups of A policy enforced entity of an embodiment includes the users using custom groups and standard groups, the groups of 35 content entity on which the actions corresponding to the users including one or more of owners, members, visitors, policy are applied and enforced. viewers, employees, offsite employees, partners and custom Policy rules of an embodiment include device local encryp CS. tion rules, the device local encryption rules specifying the Additional policies of an embodiment define the one or portion to be encrypted when stored locally on the device more additional controls for a specific mobile device, wherein 40 either on cache or device local storage, wherein the device the specific mobile device includes the one or more mobile local encryption includes Software encryption, wherein the devices. device local encryption rules comprise enforcing the Software Additional policies of an embodiment define the one or encryption prior to downloading of the portion locally to the more additional controls for the plurality of storage domains. device and blocking the download if the portion cannot be Additional policies of an embodiment define the one or 45 encrypted. more additional controls for a portion of the managed content. Policy rules of an embodiment include hardware encryp Additional policies of an embodiment include a second set tion rules, the hardware encryption rules specifying hardware of controls applicable to the specific mobile device, wherein encryption and corresponding secure storage for the portion the specific mobile device includes a configuration of oper when stored locally on the device, wherein the hardware ating system, operating system version and device type. 50 encryption rules comprise enforcing the hardware encryption Additional policies of an embodiment includea third set of prior to downloading of the portion locally to the device and controls applicable to the user associated with the enterprise blocking the download if the portion cannot be encrypted, or the groups of users associated with the enterprise. wherein the capability includes Support for hardware encryp Generating and maintaining the policies of an embodiment tion on the device. includes storing the additional policies, the device specific 55 Policy rules of an embodiment include access to cloud policies and permissions and the storage domain specific storage rules, the access to cloud storage rules indicating policies in a policy store of the data infrastructure. whether the user and the device can add and configure cloud Generating and maintaining the additional policies of an storage domains on the client application, wherein the storage embodiment comprises algorithmically compiling at least domains include the cloud storage domains. one of the additional policies for the user associated with the 60 Policy rules of an embodiment include requiring encryp enterprise accessing the portion of the managed content of the tion on cloud storage rules, the requiring encryption on cloud plurality of storage domains using the specific mobile device. storage rules specifying encrypting the portion on the device The compiling of an embodiment comprises retrieving and prior to uploading the portion to cloud storage and specifying aggregating the one or more additional controls for the user storing the portion in an encrypted form on the cloud storage. and groups of users associated with the enterprise, the one or 65 Policy rules of an embodiment include offline access rules, more additional controls for the portion of the managed con the offline access rules specifying whether the document can tent, the one or more additional controls for the plurality of be tagged for offline access in a disconnected mode of the US 8,863,298 B2 63 64 device and stored locally on the device, wherein the offline Policy rules of an embodiment include document size limi access rules are enforced when the user chooses an action to tation rules, wherein the document size limitation rules place mark the document for offline access on the device. upper limit on size of the document downloaded to the device. Policy rules of an embodiment include local caching rules, Policy rules of an embodiment include document media the local caching rules determining whether the portion can type rules, wherein the document media type rules specify be stored in local cache of the device after being downloaded document media types supported for a specific combination onto the device, wherein local caching of the client applica of the customer, the device and the user and blocking the tion is disabled if local caching is disabled at level of the download of non-specified document media types. device, the client application deleting the downloaded portion Policy rules of an embodiment include restriction on 10 access to enterprise storage domain including enterprise Stor after the client application exits out of an active user session age (e.g., SharePointTM) if cloud storage applications includ when the local caching is disabled. ing DropboxTM and BoxTM exist on the device, wherein the Policy rules of an embodiment include export rules for storage domains comprise the enterprise storage domains and exporting the portion from the client application to other the cloud storage domains. applications on the device, the export rules determining 15 Policy rules of an embodiment include virtual private net whether the portion can be exported to the other applications work (VPN) on demand rules, wherein the VPN on demand using a content export protocolas Supported by an operating rules control setup of VPN policy and settings prior to access system of the device, wherein the export rules are enforced of the device to enterprise storage domains, wherein the Stor when the user interacts with the export protocol of the device. age domains include the enterprise storage domains. Policy rules of an embodiment include audit log rules, Policy rules of an embodiment include device restriction wherein the audit log rules indicate audit log to be maintained rules, wherein the device restriction rules restrict the device by the data infrastructure for every action on the content from access to enterprise storage domains based on one or entity and the policy enforced entity. more of settings of the device including mobile device oper The audit log rules of an embodiment are enforced on every ating system (e.g., iOSTM) and build number, model name and action performed on the content entity and the policy 25 number, device capacity and space available, current carrier enforced entity. network, Subscriber carrier network, data roaming on or off. Policy rules of an embodiment include sharing via cloud hardware encryption capabilities, passcode present, certifi storage rules, wherein the sharing via cloud storage rules cates installed with expiry dates, list of restrictions enforced, specify mechanisms allowed for sharing of the portion via applications installed, provisioning profiles installed with cloud storage, wherein the sharing via cloud storage rules are 30 expiry date, and web proxy settings, wherein the storage enforced when the user chooses a share option on the device domains include the enterprise storage domains. for sharing the portion via the cloud storage. Policy rules of an embodiment include policy compliance Policy rules of an embodiment include viewers and editors rules, wherein the policy compliance rules restrict the device rules, wherein the viewers and editors rules restrict the view from access to enterprise storage domains if the device fails to ers and the editors that can be used on the device to view the 35 pass mobile device management level policy compliance of portion, wherein the viewers and editors rules are enforced an enterprise, wherein the storage domains include enterprise when the user interacts with an access protocol on the device storage domains. to export the portion for viewing or editing using the viewers Policy rules of an embodiment include domain joined or the editors. rules, the domain joined rules blocking access of the client Policy rules of an embodiment include document classifi 40 application to enterprise storage domains if the device is not cation rules, wherein the document classification rules domain joined to enterprise a directory service (e.g., Active include classifying the portion as public, confidential, propri DirectoryTM) infrastructure, wherein the storage domains etary, legal hold, or records management, wherein the docu include the enterprise storage domains. ment classification rules define additional rules that restrict Policy rules of an embodiment include location rules actions on the portion according to the document classifica 45 restricting access of the user to the portion based on a desig tion. nated location of the device, the restricting including block Policy rules of an embodiment include document expira ing access to the portion when client application determines tion rules, the document expiration rules specifying a time that the device is at a location other than the designated limit after which the document expires and is deleted from all location and blocking access to the portion when the client applications including offline and cached document locations 50 application cannot determine the location. managed by the client application and the data infrastructure. Policy rules of an embodiment include time based rules Policy rules of an embodiment include network usage restricting access of the user to the portion to a period of time. rules, wherein the network usage rules place at least one The enforcement component of the client application of an restriction on the device and the client application including embodiment communicates with the policy definition and an upper limit on downloads to the device while on cellular, 55 decision component using a secure file control protocol, prohibiting the sending of audit reports from the device while wherein the secure file control protocol facilitates certificate on cellular, synchronizing with the data infrastructure only on based trust between policy definition and decision component cellular, and prohibiting downloading or synchronization and enforcement component. when the device is roaming. Secure file control of an embodiment supports HTTPS Policy rules of an embodiment include cache expiration 60 based communications, wherein the HTTPS based REST rules, the cache expiration rules specifying that local cache of style communications include GET, DELETE, PUT, and the client application expires and is cleaned after the user POST. closes the client application and ends an active session. The secure file control protocol of an embodiment supports Policy rules of an embodiment include autodiscovery of online and offline modes, the online mode comprising the storage domain rules, wherein the autodiscovery rules indi 65 enforcement component retrieving the policies from the cate auto-discovery and setup of the storage domains for the policy definition and decision component using the HTTPS user when the user starts the client application. based REST communications, the offline mode comprising US 8,863,298 B2 65 66 locally cached storage of the policies on the one or more 2. The system of claim 1, wherein the plurality of storage mobile devices, the enforcement component retrieving the domains include one or more of shared storage of an enter policies from the locally cached storage. prise and cloud based storage. Locally cached polices of an embodiment are updated 3. The system of claim 2, wherein the shared storage of an when the one or more mobile devices establishes communi enterprise includes enterprise content management systems cations with the policy definition and decision component including at least one of an enterprise storage domain, shared using the secure file control protocol. drives, and a directory service, wherein the shared drives The secure file control protocol of an embodiment supports include one or more of Network File System (NFS), Common synchronization of the policies across the one or more mobile Internet File System CIFS), and Distributed File System devices. 10 Exposing the permissible operations and the information (DFS) based shared drives, wherein the cloud based storage of the virtual file system of an embodiment comprises expos includes a cloud based storage domain. ing a lightweight virtual file management system library 4. The system of claim 1, wherein the client application comprises a native mobile application for the one or more (VFMS library) on the one or more mobile devices. mobile devices. Exposing the permissible operations and the information 15 of the virtual file system of an embodiment comprises the one 5. The system of claim 4, wherein the client application or more mobile applications integrating the lightweight includes a web based Hypertext Markup Language 5 VFMS library. (HTML5) application, wherein the one or more mobile Exposing the permissible operations and the information devices includes a web browser client accessing the HTML5 of the virtual file system of an embodiment comprises the one application. or more mobile applications communicating with the data 6. The system of claim 1, wherein the one or more mobile infrastructure using the lightweight VFMS library, the com devices include a Smartphone device and a tablet. municating with the data infrastructure comprising one or 7. The system of claim 1, the plurality of storage domains more of retrieving and enforcing the policies and accessing including one or more file systems, the one or more file the managed content using the interface. 25 systems including a first file system and a second file system, wherein a content hierarchy of the first file system is different What is claimed is: than the content hierarchy of the second file system. 1. A virtual file management system (VFMS) providing 8. The system of claim 1, wherein the data infrastructure is secure movement of managed content across a plurality of one or more of a private and public cloud based service. storage domains and one or more mobile devices, the VFMS 30 9. The system of claim8, the data infrastructure interfacing comprising: with the plurality of storage domains using one or more of a a data infrastructure that is both coupled to and collecting public interface and a protocol, wherein the public interface metadata of the plurality of storage domains and the one includes Representational State Transfer (REST) communi or more mobile devices, the plurality of storage domains cations, Simple Object Access Protocol (SOAP) communica distributively storing the managed content, the data 35 tions and proprietary application programming interfaces infrastructure organizing the managed content into a (APIs), wherein the protocol includes Web Distributed virtual file system; Authoring and Versioning WebDAV), Common Internet File a client application running on the one or more mobile System (CIFS) and Network File System (NFS). devices configured to retrieve and use the virtual file 10. The system of claim 9, the interfacing with the plurality system to process a data request of a user, the data 40 of storage domains including collecting storage domain spe request comprising the transfer of a portion of the man cific file system primitives for accessing corresponding por aged content from a source location to a target location, tions of the managed content, the data infrastructure mapping the target location comprising one or more of a local the storage domain specific file system primitives to corre storage of the one or more mobile devices and at least sponding content of the plurality of storage domains. one of the plurality of storage domains; 45 11. The system of claim 10, the information of the storage the data infrastructure comprising a policy definition and domain specific file system primitives including a first and a decision component that generates and maintains poli second set of primitives, wherein the first set is different than cies defining controls for encryption operations applied the second set, wherein the storage domain specific file sys to the portion in connection with the transfer, and tem primitives include read, write, delete, update, copy, and the client application processing the data request using the 50 OW. virtual file system, the processing the data request 12. The system of claim 11, the organizing the managed including retrieving the policies and enforcing the poli content into a virtual file system comprising using informa cies by applying the controls on the one or more mobile tion of the storage domain specific file system primitives, the devices, the controlled encryption operations including plurality of storage domains and the metadata. applying one or more of a file level encryption and a 55 13. The system of claim 12, the virtual file system provid master key encryption, the master key encryption com ing virtual file system primitives including one or more of prising the client application encrypting the portion on create, read, update, delete, rename, list, move, copy, get the one or more devices and interfacing with the data metadata, view, edit, annotate, copy and move across physical infrastructure using a client side library to place the file systems, and open in specific applications for editing/ encrypted portion in a container and to retrieve the 60 viewing, wherein the plurality of storage domains comprise encrypted portion from the container using one or more the physical file systems. master keys maintained by the data infrastructure, the 14. The system of claim 1, wherein the metadata comprises client application exposing the client side library to one at least one of an identity component, a content metadata or more mobile applications running on the one or more component, a device component, and a policy component. mobile devices, the one or more mobile applications 65 15. The system of claim 14, wherein the device component using the client side library to apply the controlled comprises information of mobile device configuration encryption operations in accessing the container. parameters of the one or more mobile devices, the mobile US 8,863,298 B2 67 68 device configuration parameters including device specific 30. The system of claim 29, the generating and maintaining policies and permissions in place for the one or more mobile the policies comprising algorithmically compiling at least devices. one of the additional policies for the user associated with the 16. The system of claim 15, wherein the policy component enterprise accessing the portion of the managed content of the comprises storage domain specific policies inherited from plurality of storage domains using the specific mobile device. each of the plurality of storage domains, the storage domain 31. The system of claim 30, the compiling comprising specific policies including user and group level permissions retrieving and aggregating the one or more additional controls and policies with respect to the managed content. for the user and groups of users associated with the enterprise, 17. The system of claim 16, the identity component includ the one or more additional controls for the portion of the ing unique device identifiers for each of the one or more 10 mobile devices and information of storage domain identities managed content, the one or more controls for the plurality of of the user for each of the plurality of storage domains, the storage domains, the one or more additional controls of the identity component associating the storage domain identities specific mobile device, the second set of controls, the third set and the device identifiers with a user identity. of controls, the device specific policies and permissions and 18. The system of claim 17, the metadata component 15 the storage domain specific policies. including storage domain metadata of managed content 32. The system of claim 1, wherein the file level encryption stored on each of the plurality of storage domains, the storage includes hardware encryption applied to the portion on the domain metadata including name of files, creation date of one or more mobile devices, wherein the portion comprises files, owner of files, and corresponding storage domain con files stored in the temporary cache of the one or more mobile tent hierarchy. devices. 19. The system of claim 16, the generating and maintaining 33. The system of claim 1, wherein the file level encryption the policies comprising the policy definition and decision includes local encryption applied to the portion on the one or component coupled to a management console that allows an more mobile devices, wherein the portion comprises files and administrator an ability to define additional policies using the documents stored in local folders on the device. metadata, the additional policies defining one or more addi 25 34. The system of claim 33, wherein the local encryption tional controls for the encryption operations on the managed comprises generating a symmetrickey based on credentials of COntent. the user, the client application using the symmetric key to 20. The system of claim 19, wherein the additional policies encrypt the portion, the client application storing the sym are defined for an enterprise. metric key in a mobile device operating system key chain. 21. The system of claim 20, wherein the additional policies 30 35. The system of claim 1, wherein the encrypting the define the one or more additional controls for a user associ portion comprises using symmetric key encryption, wherein ated with the enterprise, wherein the user associated with the the symmetric key encryption comprises encrypting the por enterprise comprises the user of the one or more mobile tion using a symmetric key. devices. 36. The system of claim 35, wherein the placing the 22. The system of claim 21, wherein the additional policies 35 encrypted portion in the container comprises sending the define the one or more additional controls for groups of users symmetric key to the data infrastructure, the sending the associated with the enterprise, wherein the groups of users symmetric key to the data infrastructure comprising sending comprise the user associated with the enterprise. the key using a secure key distribution and management pro 23. The system of claim 22, the administrator creating the tocol. groups of users using custom groups and Standard groups, the 40 37. The system of claim 36, wherein the placing the groups of users including one or more of owners, members, encrypted portion in the container comprises the data infra visitors, viewers, on-premise employees, offsite employees, structure receiving and encrypting the symmetric key using a partners and customers. master key of the one or more master keys, the data infra 24. The system of claim 23, wherein the additional policies structure returning a master key encrypted symmetric key define the one or more additional controls for a specific 45 using the secure key distribution and management protocol mobile device, wherein the specific mobile device includes and the client application placing the encrypted portion and the one or more mobile devices. the master key encrypted symmetric key in the container. 25. The system of claim 24, wherein the additional policies 38. The system of claim 37, wherein the container includes define the one or more additional controls for the plurality of an envelope, the envelope comprising an acxS data format, storage domains. 50 wherein the envelope includes one or more of a class of the 26. The system of claim 25, wherein the additional policies master key and a length of the master key. define the one or more additional controls for the portion of 39. The system of claim 38, wherein the retrieving the the managed content. encrypted portion from the container comprises retrieving the 27. The system of claim 26, the additional policies includ master key encrypted symmetric key from the envelope and ing a second set of controls applicable to the specific mobile 55 sending the master key encrypted symmetric key to the data device, wherein the specific mobile device includes a con infrastructure using the secure key distribution and manage figuration of operating system, operating system version and ment protocol. device type. 40. The system of claim 39, wherein the retrieving the 28. The system of claim 27, the additional policies includ encrypted portion from the container comprises the data ing a third set of controls applicable to the user associated 60 infrastructure receiving the master key encrypted symmetric with the enterprise or the groups of users associated with the key and retrieving the symmetrickey, the retrieving the sym enterprise. metrickey comprising the data infrastructure using the master 29. The system of claim 28, the generating and maintaining key to decrypt the master key encrypted symmetric key. the policies including storing the additional policies, the 41. The system of claim 40, wherein the retrieving the device specific policies and permissions and the storage 65 encrypted portion from the container comprises returning the domain specific policies in a policy store of the data infra symmetric key to the client application using the secure key Structure. distribution and management protocol, the client application US 8,863,298 B2 69 70 receiving the symmetric key and using the symmetric key to 59. The system of claim 58, the accessing the container decrypt the encrypted portion. comprising decrypting and viewing the encrypted portion. 42. The system of claim 1, comprising applying the encryp 60. The system of claim 1, the transfer comprising the tion operations to the portion during the transfer, the encryp transfer of the container from the client application to a tion operations including encrypting and decrypting the por trusted application of the one or more mobile applications, tion. wherein the container comprises the encrypted portion, 43. The system of claim 42, the Source location comprising wherein after the transfer, a copy of the container resides in one or more of the local storage of the one or more mobile the sandboxed file system of the trusted application. devices and the plurality of storage domains. 61. The system of claim 60, wherein a secure file exchange 44. The system of claim 43, wherein the transfer comprises 10 module of the trusted application embeds the client side decrypting the portion according to a format applied at the library by using a secure file exchange protocol to access the Source location. client side library. 45. The system of claim 44, wherein the format includes 62. The system of claim 61, the accessing the container the file level encryption. 15 comprising the secure file exchange module using the client 46. The system of claim 44, wherein the format includes side library to communicate with the data infrastructure and the master key encryption. retrieve from the data infrastructure information for decrypt 47. The system of claim 46, wherein decrypting the master ing the encrypted portion in the container and viewing the key encryption comprises retrieving the portion from the portion. container. 63. The system of claim 35, wherein the data infrastructure 48. The system of claim 42, the encrypting the portion manages the one or more master keys on behalf of an enter during the transfer including using the file level encryption. prise customer. 49. The system of claim 42, the encrypting the portion 64. The system of claim 63, wherein the one or more master during the transfer including using the master key encryption, keys includes one or more classes of master key. the using the master key encryption comprising placing the 25 65. The system of claim 64, wherein the one or more encrypted portion in the container. classes of master keys correspond to one or more of a user, a 50. The system of claim 49, wherein the encrypting the group of users, a device group, a storage domain and the one portion during the transfer using the master key encryption or more mobile applications. comprises storing the container at the target location. 66. The system of claim 65, the data infrastructure dis 51. The system of claim 1, the client side library enabling 30 abling client side library calls to the data infrastructure by the client application to communicate with the data infra disabling the corresponding class of master key associated Structure, the communicating comprising issuing calls to the with the one or more of a user, a group of users, a device data infrastructure to one or more of retrieve information for group, a storage domain and the one or more mobile applica applying at least one of the encrypted operations, retrieve the tions. policies and enforce the policies. 35 67. The system of claim 66, wherein the enterprise creates 52. The system of claim 51, the one or more mobile appli the one or more classes, wherein the enterprise revokes the cations embedding the client side library using a secure file one or more classes. exchange protocol to access the client side library. 68. The system of claim 67, wherein the data infrastructure 53. The system of claim 52, the exposing the client side stores the one or more master keys in a secure lockbox, library including exposing the client side library to additional 40 wherein the secure lockbox encrypts and decrypts the sym devices and corresponding Software platforms, the additional metric key using the one or more master keys. devices and corresponding Software platforms embedding the 69. The system of claim 68, wherein the enterprise main client side library using the secure file exchange protocol to tains the one or more keys on-premise or on public cloud access the client side library. using hardware security module. 54. The system of claim 53, the one or more mobile appli 45 70. The system of claim 69, wherein the data infrastructure cations using the client side library to retrieve information maintains an on-premise pluggability module that allows the from the data infrastructure for accessing the container. secure lockbox to encrypt and decrypt the symmetric key 55. The system of claim 54, the accessing the container using the one or more master keys from the on-premise or including decrypting and viewing the encrypted portion. public cloud hardware security module. 56. The system of claim 55, wherein one or more mobile 50 71. The system of claim 1, wherein the client application applications include trusted applications and untrusted appli cooperates with the data infrastructure to track information of cations, the container restricting access to the trusted appli the controlled encrypted operations, the tracking the con cations, wherein the trusted applications embed the client side trolled encrypted operations includes tracking information of library, the restricting the access including the client side the data request to transfer the portion. library blocking communication of an untrusted application 55 72. The system of claim 71, the information of the data with the client side library. request including information of the user, information of the 57. The system of claim 1, the client application requesting Source location and information of the controlled encrypted offline access to the container, and in response to the request operations. the data infrastructure issuing special keys to the client appli 73. The system of claim 72, the client application cooper cation, wherein the special keys are valid for a predetermined 60 ating with the data infrastructure to associate a trusted file amount of time. stamp with the information of the data request and stamping 58. The system of claim 57, wherein the client application the portion with the trusted file stamp. stores the special keys on the one or more mobile devices 74. The system of claim 73, the trusted file stamp visually using a hardware security element operating system provided encoding the information of the data request using one or key chain, the client application issuing calls on the client side 65 more of a color and a symbol. library to obtain information of the special keys for accessing 75. The system of claim 74, wherein users interact with the the container. trusted file stamp to obtain the information of the data request. US 8,863,298 B2 71 72 76. The system of claim 73, the tracking the controlled encrypted operations including tracking a series of data requests associated with the portion, the series of data requests comprising the data request. k k k k k