Revised PTO/SB/18 (8-00)
Approved for use through 10/31/2002. OMB 0651-0032
Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
Attorney Docket No. 40732-199833

PROVISIONAL APPLICATION FOR PATENT COVER SHEET
This is a request for filing a PROVISIONAL APPLICATION FOR PATENT under 37 CFR 1.53(c).

INVENTORS
Given Name (first and middle [if any]): MAJID
Family Name or Surname: SHAHBAZI
Residence (City and either State or Foreign Country): FAIRFAX, VIRGINIA
[ ] Additional inventors are being named on the __ separately numbered sheets attached hereto

TITLE OF THE INVENTION (280 characters max)
SYSTEM AND METHOD FOR SECURING DATA IN MOBILE COMPUTERS

CORRESPONDENCE ADDRESS
Direct all correspondence to:
[X] Customer Number: 26694
Firm or Individual Name: VENABLE
Address: P.O. Box 34385, Washington, DC 20043-9998, U.S.A.
Telephone: 202.344.4000
Fax: 202.344.8300

ENCLOSED APPLICATION PARTS (check all that apply)
[X] Specification, Number of Pages: 34
[X] Drawing(s), Number of Sheets: 9
[X] Application Data Sheet. See 37 CFR 1.76
[ ] CD(s), Number: __
[ ] Other (specify): __

METHOD OF PAYMENT OF FILING FEES FOR THIS PROVISIONAL APPLICATION FOR PATENT (check one)
[X] Applicant claims small entity status. See 37 CFR 1.27.
[X] A check or money order is enclosed to cover the filing fees. FILING FEE AMOUNT ($): 80.00
[X] The Commissioner is hereby authorized to charge filing fees or credit any overpayment to Deposit Account Number: 22-0261
[ ] Payment by credit card. Form PTO-2038 is attached.

The invention was made by an agency of the United States Government or under a contract with an agency of the United States Government.
[X] No.
[ ] Yes, the name of the U.S. Government agency and the Government contract number are: __.

Date: 12-23-03
REGISTRATION NO.: 33,471
TELEPHONE: 202-344-4045
Docket Number (if appropriate): 40732-199833

USE ONLY FOR FILING A PROVISIONAL APPLICATION FOR PATENT
This collection of information is required by 37 CFR 1.51, and is used by the public to file (and by the PTO to process) a provisional application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.14. SEND TO: Box Provisional Application, Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.

APPLE 1011

SYSTEM AND METHOD FOR SECURING DATA IN MOBILE COMPUTERS

TECHNICAL FIELD

The present invention relates in general to the field of data security and more particularly to providing data security to mobile devices.

BACKGROUND

Recent advances in hardware and communication technologies have brought about the proliferation of powerful mobile devices ranging from notebook computers to much smaller personal digital assistants (PDAs) that operate over wired and wireless networks. These mobile devices (also known as handheld devices) operate on various platforms, such as the Palm computing platform, Windows CE, etc. Other types of mobile devices include paging and messaging devices, laptop computers, data-capable smart phones, etc. These devices can provide users with network access connectivity, which allows users to be quickly notified of changing events, and provide them with the resources necessary to respond even when in transit. In this way, users can be given the power to access mission critical information in a quick and reliable manner. For example, data generated by client applications running on a wide variety of mobile devices may be transported over networks having various access protocols and wired and wireless links. One such protocol is Transmission Control Protocol/Internet Protocol (TCP/IP), which is designed to connect computer systems that use different operating systems and network technologies. Many popular network applications have been built directly on top of TCP over the past decade, making TCP/IP a de facto network access protocol standard.

Many personal computer users use Personal Information Management (PIM) applications such as an address book, a daily organizer, and a To-Do list application on their personal computers and mobile devices. The data for these PIMs are stored in corresponding databases at the personal computers and mobile devices. Often, data in these databases must be synchronized in order to maintain data uniformity. The synchronization of data between devices of this type is known. For example, U.S. Patent Number 6,006,274 describes a "Method and Apparatus Using a Pass Through Personal Computer Connected to Both a Local
Communication Link and a Computer Network for Identifying and Synchronizing a Preferred Computer with a Portable Computer". Also, U.S. Patent Numbers 6,000,000 and 5,884,323 both describe an "Extendible Method and Apparatus for Synchronizing Multiple Files on Two Different Computer Systems." Generally, the synchronization process is activated either by detecting a mobile device on a cradle or by a manual press of a button. The synchronization process proceeds to synchronize data for several different applications that run on the mobile devices with data for corresponding applications on other computers.

As society continues to adopt handheld devices as a standard computing platform and applications become more powerful with the standardization of wired and wireless computing, security threats to data stored in these types of mobile devices have become a serious concern and have created a heightened awareness and increased need for security. In fact, the U.S. Air Force Research Laboratory (AFRL), which develops some of the government's most advanced technologies, is crafting a policy to deal with security risks for data stored in mobile devices.

Various types of security software incorporating different data security encryption standards have been used in the past for securing network, desktop, laptop and PDA environments. One such suite of software is called Trusted Mobility Suite™, offered by Trust Digital™, which is used to set access control, encryption, and other parameters and push them to such mobile devices as Palm Pilot™, Pocket PC™, Blackberry™ or Symbian OS devices to protect against fraud and theft, sabotage, malicious hacking and other adverse exposure caused by data compromise. For example, at a network level, PDASecure™ Virtual Private Network provides secure communication among mobile devices or between mobile devices and routers and servers. Mobile DesktopSecure™ is security and encryption software designed to protect files, data, applications, databases, directories, or an entire hard drive. It is also used to push security profiles containing defined security policies from a server to protect laptops and desktops within a network. Generally, Trusted Mobility Suite™ implements security using a graphical user interface (GUI) that allows administrators and users to secure all or selected applications. In this way, the users and
administrators can selectively secure application(s) from unwanted and unauthorized access.

Trusted Mobility Suite™ manages data security for mobile devices at different levels. At a higher server level, Trusted Mobility Server™ deploys, manages, and secures networks containing mobile devices using a centralized management solution. A policy-profile editor is used to set security parameters for groups of users based on defined security policies. At a lower device level, PDASecure™ encrypts the data on the mobile device itself and offers security management for those devices through the Trust Mobility Server. Once installed on a mobile device, PDASecure™ provides for universal integration with all available mobile devices on the network, without the requirement for moving data into separate, secured applications. Also, Trusted Mobility Software Development Kit™ allows software developers to incorporate Trust Digital's Mobility Framework, comprising security, encryption, and centralized rule-based management technologies, into their products for mobile / PDA users.

Also, U.S. Patent No. 6,158,010 discloses a system and method for maintaining security in a distributed computing environment that comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. A global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages access to the securable components as specified by the local policy.

Implementation of comprehensive security policies in networks that support a large number of mobile devices has become an important issue for many enterprises, particularly in view of the complexities associated with supporting various hardware and software platforms in terms of network architectures, protocols, device types, etc. Added to this complexity are the various situations under which data security may be breached, either on the network side or on the device side. Additionally, due to the availability of limited memory and processing resources, creating security programs for mobile devices is much more complicated than for larger computers. Therefore, there exists a need for an
efficient and flexible system and method for securing data in mobile devices used under varying operating environments.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram of a system that implements security control and management of the present invention.

FIG. 2 is a block diagram of a computing node and devices that operate within the system shown in FIG. 1.

FIG. 3 is an exemplary security profile for setting security parameters for the computing node and device.

FIG. 4 is an exemplary diagram of an interface for setting security parameters for a computing node.

FIG. 5 is a diagram for interfacing with applications in a mobile device.

FIG. 6 is a diagram of an interface for setting security parameters in a mobile device.

FIG. 7 is a block diagram of an exemplary security system in accordance with the present invention.

FIG. 8 is a diagram for applying a discovery method in accordance with one aspect of the present invention to a network.

FIG. 9 is a diagram of an interface for information discovered in the discovery method of the invention.

FIG. 10 is a diagram of a reporting interface based on information gathered by the discovery method of the invention.

SUMMARY OF THE INVENTION

Briefly, according to one aspect, the present invention relates to securing a computer system that includes one or more mobile devices and a computing node. A node security program executed in the computing node interprets a node security profile. The node security profile has a format, including text, .ini, binary, XML, etc., that allows for interpretive processing by the node security program to determine one or more security parameters. The present invention then manages the security processes between the computing node and one or more mobile devices based on the security parameters as determined by interpreting the node security profile. The security processes can include any one of securing a storage device, data, file, program and application in either one of the computing
node and the one or more mobile devices or other resources such as removable storage media that can be connected to the computing node or mobile devices. In effect, the computing node, based on the security parameters specified by the node security profile, protects both the computing node and the mobile devices (or other resources) from unauthorized incoming and outgoing data processes. These processes are secured by authorizing, denying, preventing, disabling, locking and password protecting data synchronization, data transfer, data query, data collection, network access, program execution, and data manipulation, including unauthorized deletions and additions.

According to some of the more detailed features of the present invention, security parameters can have attributes relating to data, a file, a security profile, an application and a program. Such attributes can be expressed in terms of size and type. The security parameter can relate to temporal or position attributes. Temporal attributes include date, minute, hour, week, month and year. Position attributes include position determined by various positioning techniques, e.g. GPS, zip code, address, region, and location. The security parameters can also be expressed in terms of a serial number, a model number, a software license number, mobile device type, computing node type, connection type and network type, whether wired or wireless network. The connection types supported by the invention include a direct connection and an off-line connection between the computing node and the one or more mobile devices or resources. The security parameter can also be expressed in terms of physical address, network resource ID, IP address, domain name, client station ID, mobile device ID or server ID. The security parameters can also relate to handling guest and unknown devices as well as managing a VPN.

According to yet other more detailed features of the present invention, a device security profile, which sets device security parameters, can be transferred to the mobile devices by accessing a server station, central station or computing node. The device security profile is interpreted by a device security program running on the mobile device to determine the security parameters that control the mobile device. The device security profile can also be transferred based on temporal or position attributes and be periodically updated as necessary. The device security profile can also be transferred as a part of a data synchronization
process between the computing node and a mobile device. The present invention can lock unauthorized or, under some circumstances, even authorized mobile devices attempting to access the system, for example by transmitting security software that locks the intruding device. The node security profile and device security profiles can be transmitted using push or pull technology or an over-the-air protocol.

According to another aspect of the present invention, a discovery method for mobile devices discovers information regarding the mobile devices by running a discovery program either remotely or locally. The discovery method of the invention includes detecting mobile device types, connection profiles, and location of mobile devices, among other things. The mobile device information is detected based on a registry resource, a file resource, a process resource, a network management parameter, a data format, a packet format, a synchronization log entry, a directory structure or a database entry.

According to other more detailed features of this aspect of the present invention, the discovery method requires scanning the computer system based on a scan profile to detect the one or more mobile devices. The scan profile defines discovery rules such as network, domain, IP address, netmask, and computer identity to be scanned (or not to be scanned). The gathered information can be grouped in a variety of formats, such as based on mobile device types. The information gathered as a result can be analyzed, stored, reported or displayed.

DETAILED DESCRIPTION OF THE INVENTION

Overview of the Present Invention

The system and method for securing data in mobile devices of the present invention includes a computing node and a plurality of mobile devices, as defined below. A node security program or agent executed in the computing node interfaces with a device security program executed at a mobile device, if one exists, or interfaces with device resources. The node security program or agent can also interface with a node security program executed at another computing node. The computing node, or alternatively a security server, can be responsible for sending information and created profiles to other devices, nodes, or agents, and for controlling the flow of information and data with devices, nodes or agents.
The node security program interprets a node security profile to control data synchronization, data transfer, data query, data collection, file and program access and execution, or device discovery (as further described below) in connection with one or more mobile devices, or other external resource discovery, for example external storage discovery like USB flash cards and memory. For example, the node security program can prevent synchronization of data between the mobile device and the computing node if not authorized in accordance with the node security profile information. Also, the node security program can prevent the mobile device from collecting data, running programs and accessing files from a connected network. The node security program can also prevent any resource on the network or computing node from accessing resources or files, executing programs, or collecting and querying data on the mobile device, if not authorized in accordance with the security profile information.

The information contained in the node security profile can be used to determine whether a client station acting as a computing node is authorized to transfer a device security profile that sets the security parameters for a mobile device. If authorized, the device security profile is transferred or otherwise copied from the computing node to the mobile device. A device security program, which is executed in the mobile device, interprets the device security profile, for example as an .ini or XML file, to set the transferred security parameters for the mobile device. If not authorized, the node security program can lock the unauthorized mobile device, for example by transmitting a device security application to be executed at the unauthorized mobile device, among other things. The device security profile can lock the device for usage and disable IR beam, Bluetooth, networking, sound and voice information.

The node and device security profiles can define the security parameters in accordance with a defined security policy. As such, the device and/or node security profiles can be created at a central station, such as a server station, using a policy editor program. The security policy can also be created, maintained and enforced at the computing nodes or mobile devices. The created device and node security profiles can be transferred to the computing node or the mobile devices over a network using a push technology, for example. Alternatively, upon request, a pull technology may be used, for example in a wired/wireless network,
to transfer the node and device security profiles to wired/wireless mobile devices and computing nodes. Under any one of these arrangements, the computing node security profile and the device security profile can be updated periodically by checking one or more designated web sites or accessing a central station or server station, for example LDAP/Active, database, or file directory repository. In a similar manner, the device security profile can be updated by accessing the computing node or accessing a central station or server station. Also, more than one security profile can be created, transferred and stored on the mobile device.

Another aspect of the present invention is a discovery system and method for managing a computer network which involves scanning the network based on a scan profile to locate one or more mobile devices or device types belonging to the network. For example, the scan profile can contain information regarding at least one of network, domain and computer identity to be scanned. In the discovery process of the invention, a node, computing node, IP address, or domain can be either included in or excluded from being scanned. As such, the scan profile can also contain information regarding at least one of network, domain and computer identity not to be scanned. The type of the located mobile device is determined based on entries in an application registry, synchronization log, directory structure, a database, or other protocols, for example SNMP. The mobile device type information gathered through the discovery process can be used for managing security in the computer network. The located mobile devices can be grouped by type, domain, or IP address for reporting and display purposes, identifying welcome and unwelcome mobile devices as well as risk and vulnerability status.

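The scan-profile scoping, synchronization-log classification and grouping described above, as an added example that is not code from the application: the .ini scan profile, the sync-log lines and the table mapping a synchronization application to a device type are all constructed for illustration, and the rule that exclusion entries override inclusion entries is an assumption.

```python
"""Discovery scoping: which endpoints a scan profile covers, what device type
their synchronization-log entries imply, and how to group the result.

Everything below is constructed sample data; key names are assumptions.
"""
import configparser
import ipaddress
import re
from collections import defaultdict

# Constructed scan profile in .ini form: networks/addresses/identities to scan
# or not to scan, plus the device types the site treats as welcome.
SCAN_PROFILE = """
[scan]
include_networks = 10.1.0.0/16, 192.168.5.0/24
include_domains = corp.example
exclude_networks = 10.1.99.0/24
exclude_ips = 10.1.2.250
exclude_hosts = build01.corp.example
welcome_types = Palm, PocketPC
"""

# Constructed synchronization-log lines written by the computing nodes.
SYNC_LOG = """\
2003-12-23 09:14:02 host=lab-pc7.corp.example ip=10.1.2.17 app=HotSync client=PalmOS
2003-12-23 09:15:40 host=sales3.corp.example ip=10.1.2.250 app=ActiveSync client=PocketPC
2003-12-23 09:16:11 host=build01.corp.example ip=10.1.3.5 app=ActiveSync client=PocketPC
2003-12-23 09:17:55 host=recep.corp.example ip=10.1.99.8 app=HotSync client=PalmOS
2003-12-23 09:18:30 host=guest-nb.other.example ip=192.168.5.44 app=DesktopManager client=BlackBerry
2003-12-23 09:19:02 host=ops2.corp.example ip=192.168.5.12 app=UnknownSync client=?
"""

LOG_RE = re.compile(r"host=(?P<host>\S+) ip=(?P<ip>\S+) app=(?P<app>\S+) client=(?P<client>\S+)")

# Device type inferred from the synchronization application named in the log entry
# (constructed mapping; unknown applications yield "unknown").
TYPE_BY_SYNC_APP = {"HotSync": "Palm", "ActiveSync": "PocketPC", "DesktopManager": "BlackBerry"}


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def load_scan_profile(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    s = cp["scan"]
    return {
        "include_networks": [ipaddress.ip_network(n) for n in _split(s.get("include_networks", ""))],
        "include_domains": _split(s.get("include_domains", "")),
        "exclude_networks": [ipaddress.ip_network(n) for n in _split(s.get("exclude_networks", ""))],
        "exclude_ips": {ipaddress.ip_address(a) for a in _split(s.get("exclude_ips", ""))},
        "exclude_hosts": set(_split(s.get("exclude_hosts", ""))),
        "welcome_types": set(_split(s.get("welcome_types", ""))),
    }


def in_scope(profile, host, ip):
    """True when the endpoint should be scanned under the profile's rules."""
    addr = ipaddress.ip_address(ip)
    # Exclusions win (assumption): an excluded host, address or network is never scanned.
    if addr in profile["exclude_ips"] or host in profile["exclude_hosts"]:
        return False
    if any(addr in net for net in profile["exclude_networks"]):
        return False
    # Otherwise the endpoint must match at least one inclusion rule: network or domain.
    if any(addr in net for net in profile["include_networks"]):
        return True
    return any(host == d or host.endswith("." + d) for d in profile["include_domains"])


def parse_sync_log(text):
    return [m.groupdict() for m in (LOG_RE.search(line) for line in text.splitlines()) if m]


def device_type(entry):
    return TYPE_BY_SYNC_APP.get(entry["app"], "unknown")


def discover(profile, log_text, group_by="type"):
    """Classify in-scope endpoints and group them by 'type' or 'domain' for reporting."""
    groups = defaultdict(list)
    for e in parse_sync_log(log_text):
        if not in_scope(profile, e["host"], e["ip"]):
            continue
        dtype = device_type(e)
        record = {
            "host": e["host"], "ip": e["ip"], "type": dtype,
            "domain": e["host"].split(".", 1)[-1],
            # Types not listed as welcome (including unknown ones) are flagged for review.
            "status": "welcome" if dtype in profile["welcome_types"] else "unwelcome",
        }
        groups[record[group_by]].append(record)
    return dict(groups)


if __name__ == "__main__":
    prof = load_scan_profile(SCAN_PROFILE)
    for dtype, recs in discover(prof, SYNC_LOG).items():
        print(dtype, [(r["host"], r["status"]) for r in recs])
```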
Security Management System

Referring to FIG. 1, an exemplary system 100 that advantageously implements the present invention in a network is shown. The system of the invention supports security amongst computing nodes 102 and mobile devices 104, which are also referred to as user-devices. The computing nodes 102 can be any type of wired or wireless network node, or a client station connected to a security application server 106 directly or via a network 122. The computing node 102 can also be a stand-alone computer. The mobile devices 104 can be of any type. Under one feature of the present invention, various types of mobile devices
operating within the system 100 can be discovered, located or detected for managing security. For example, the present invention can support any handheld device, personal digital assistant, phone, smart phone, pager, etc.

Under the present invention, various types of data, files and profiles can be transferred between the computing nodes 102 and mobile devices 104 over any supported transport layer, link, or physical connection. The transport protocol can be any suitable protocol, including TCP/IP, various telephony transport protocols, etc. The links can be wired or wireless links 110, 112. The wired links 110 can be twisted pair, coaxial cable, optical cable, etc. As described later in more detail, the wireless links 112 can support any number of over-the-air protocols.

In an exemplary embodiment, the system 100 of the invention is implemented over a network that includes server stations 114, client stations 116, and a host or central station 118, either directly or via any collection of interconnected (public and/or private) networks that are linked together by a set of standard or proprietary protocols. The system of the present invention can also support various wireless links with defined protocols. Examples of such protocols include any one of IEEE 802.X, GSM, IS-136, IS-95, Bluetooth, etc.

The present invention may also be implemented over the Internet, a distributed network that supports the World Wide Web ("Web"). The Web refers generally to both (i) a distributed collection of inter-linked, user-viewable hypertext documents that are accessible via the Internet, and (ii) the user and server software components which provide user access to such documents using standardized Internet protocols. A Web site is a computer system that serves informational content over a network using the standard protocols of the World Wide Web. Typically, a Web site corresponds to a particular Internet domain name and includes the content associated with a particular organization.

As shown in FIG. 1, the security application server 106 can access a security database 120, which stores various data, including security profiles for the computing nodes 102 and mobile devices 104. The database 120 can also store collected and discovered information from computing nodes 102 and mobile devices 104, including event log and audit log information, etc. The security application server 106 communicates with such devices through a network layer interface 122. The network used in connection with the present invention can use
any one of open or proprietary network standards. In a preferred embodiment, the system interconnections are based on an open system interconnection (OSI) model as proposed by the International Standards Organization (ISO).

It should be noted that the present invention need not be implemented over a network. In fact, the present invention can use a computing node alone or as a part of a network as long as it possesses the processing power to execute programs and applications in accordance with the present invention. When the computing node is not connected to any network, the mobile device access between the computing node 102 and the mobile device 104 is an off-line access.

Managing Security Between Computing Node and Mobile Devices

Referring to FIG. 2, a block diagram for managing security between the computing node 102, mobile devices 104 and the resource device 124 is shown. A node security program or agent 202 is executed in the computing node 102 for interfacing with a corresponding device security program or agent 204 executed at the mobile device 104 or resource device 124. The mobile device security is dictated by a device security profile 206 that is interpreted by the device security program 204. The node security program 202 interprets a node security profile 208 to determine one or more security parameters for managing the security between the computing node 102, resource device 124 and mobile devices 104, including controlling transfer of data, files, device profiles, applications and programs between the computing node 102, resource device 124 and the mobile devices 104. For example, the security parameters derived from interpreting the node security profile 208 may require preventing data synchronization between one or both of the mobile device 104 and resource device 124. The computing node 102 acts as a single point communication gateway between the mobile devices 104 and other network resources 124. One such resource can be a storage device, e.g., a USB enabled flash or SD card. Such resources can include a synchronization program. The node security profile 208 can enable the computing node security program 202 to monitor, scan, query, accept, deny, or password protect a request to create, maintain, terminate, or modify a communication link or activity. Based on security parameters determined by interpreting the node security profile 208, the node security program 202 can
prevent remote execution or utilization of any application or file on the mobile device 104 or resources 124. Based on the determined security parameters, the computing node security program 202 can enable or disable synchronizing particular kinds of data. For example, the interpreted security parameters can specify that address book data cannot be synchronized.

As such, the security parameter can relate to authorizing synchronization with the computing node 102 or other types of transfer of data, files and program applications between the computing node 102 and devices 104 and 124. The information contained in the node security profile 208 can include information that alone or in combination identifies an authorized or unauthorized computing node, an authorized or unauthorized user, an authorized or unauthorized mobile device, an authorized or unauthorized central station, or an authorized or unauthorized network or resource, such as an external storage device. The identity may be specified by physical address, serial number, model number, device type, server or network resource ID, software license number (registration number), user ID, etc. The authorized or unauthorized computing node can be specified relative to mobile device parameters, such as device type, etc. For example, certain computing nodes 102 may be authorized to synchronize data with certain specified mobile device types, but not authorized to synchronize data with other device types, and vice versa.

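An added example, not code from the application, of the decision the node security program 202 makes when it interprets the node security profile 208 as an .ini file: device identity by serial number and device type, a per-category synchronization action (address book denied, as in the text), the connection type, an allowed-hours temporal attribute, and the profile's validation life span described under Computing Node Security below. The profile contents, its key names and the rule that an explicitly unauthorized serial number overrides an authorized device type are constructed assumptions.

```python
"""Node security program: decide a synchronization request against the node
security profile. Profile text, key names and sample requests are constructed.
"""
import configparser
from dataclasses import dataclass
from datetime import datetime

# Constructed node security profile 208 in .ini form.
NODE_PROFILE = """
[node]
node_id = NODE-102
valid_from = 2003-12-01 00:00
valid_to = 2004-06-30 23:59

[authorized_devices]
types = Palm, PocketPC
serials = PALM-0001A, PPC-77Z

[unauthorized_devices]
serials = PALM-0009X

[sync]
address_book = deny
calendar = authorize
todo = password
default = deny
allowed_hours = 07-19
connection_types = direct, offline
"""


@dataclass
class SyncRequest:
    device_type: str
    serial: str
    category: str      # data category the device wants to synchronize
    connection: str    # "direct" or "offline" per the page's connection types
    when: datetime


def load_node_profile(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def _csv(section, key):
    return {v.strip() for v in section.get(key, "").split(",") if v.strip()}


def device_authorized(profile, req):
    """An explicitly unauthorized serial wins; otherwise an authorized serial or type is required."""
    if req.serial in _csv(profile["unauthorized_devices"], "serials"):
        return False
    auth = profile["authorized_devices"]
    return req.serial in _csv(auth, "serials") or req.device_type in _csv(auth, "types")


def within_life_span(profile, when):
    """Validation life span of the node profile: outside it the profile must not be applied."""
    node = profile["node"]
    start = datetime.strptime(node["valid_from"], "%Y-%m-%d %H:%M")
    end = datetime.strptime(node["valid_to"], "%Y-%m-%d %H:%M")
    return start <= when <= end


def within_hours(profile, when):
    lo, hi = (int(x) for x in profile["sync"]["allowed_hours"].split("-"))
    return lo <= when.hour < hi


def decide(profile, req):
    """Return (action, reason); action is 'authorize', 'deny' or 'password'."""
    if not within_life_span(profile, req.when):
        return "deny", "node profile outside its validation life span"
    if not device_authorized(profile, req):
        return "deny", "device not authorized by node profile"
    sync = profile["sync"]
    if req.connection not in _csv(sync, "connection_types"):
        return "deny", "connection type not permitted"
    if not within_hours(profile, req.when):
        return "deny", "outside allowed hours"
    action = sync.get(req.category, sync.get("default", "deny")).strip()
    if action not in ("authorize", "deny", "password"):
        action = "deny"  # unknown or malformed profile values fail closed
    return action, f"profile action for category '{req.category}'"


if __name__ == "__main__":
    prof = load_node_profile(NODE_PROFILE)
    t = datetime(2003, 12, 23, 10, 0)
    print(decide(prof, SyncRequest("Palm", "PALM-0001A", "address_book", "direct", t)))
    print(decide(prof, SyncRequest("PocketPC", "PPC-77Z", "todo", "offline", t)))
```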
Computing Node Security

The computing node 102 manages all aspects of data, file, application, and device profile transfer, acting as a gateway for all types of device security management. Among other things, the computing node 102 is responsible for control of mobile device data into and out of the computing node based on security parameters contained in the node security profile 208.

As stated above, the computing node 102 can be any type of wired or wireless network node, including a client station connected to the security server 106 directly or via a wired or wireless network. In its simplest form, the computing node 102 can be a stand-alone computer station. Also, the computing node 102 can itself be a mobile device 102 that is responsible for managing security for other mobile devices 104. As stated above, the security parameters of
the computing node 102 are defined by the node security profile 208. For example, the node security profile 208 can set user access rights by enabling/disabling or password protecting users' ability to configure the computing node 104 and/or its profile. Depending upon the security parameters set in the node security profile 208, corresponding changes are made to the registry key, file, or database entries of the computing node 102 or its configuration file to enforce the node security profile parameters. Registry key, file, or database entries, along with functionality associated with the computing node 102, are used to control and monitor all data synchronization, transfer, access, modification, or execution of files, applications, programs, profiles (e.g., security profiles) and processes that occur through the computing node by any data transport that relates to applications that synchronize data with the devices 104 and 124. The computing node security program 202 can also check, for example periodically, for security profile updates.

Under another arrangement, the computing node security program 202 can be deployed for a given IP range, network domain or user list automatically. For example, the security server 106 can detect and identify the computing nodes 102 that do not have or execute corresponding node security programs 202 within an IP range, network domain or user list. Once such a determination is made, the server 106 can automatically transmit the node security programs 208 to the so detected IP range, network domain or user list.

The computing node profile can also have a validation life span that indicates a time frame within which the profile can be used or applied. This life span can be indefinite, meaning that the profile can be used at any time, or can have a range of date and time.

Device Security

In contrast with the node security profile 208, which sets the computing node security parameters, the device security profile 206 sets the security parameters for the devices 104 and 124, as interpreted by the device security programs 204. The device security parameters include encryption preferences, global (device) password, local (application or resource) password, access control to applications and resources, access control to the device, integrity protection against hackers and traps, file encryption options, port protection, communication protection (i.e., send and receive), ability to use wireless connections like Wi-Fi,
802.11, Bluetooth, and controlling the content of the device, like restricting the installation of some applications, etc.

In one embodiment of the invention, the information contained in the node security profile 208 can be used to d
