1. Field of the Invention
The present invention relates to software, computer network communications, and VPN gateway components. More specifically, it relates to security and authentication between apps on a client device and a VPN gateway.
2. Description of the Related Art
There is an increasing need for mobile security in enterprises whose users rely on mobile devices and mobile apps for work or to access services behind the enterprise firewall. Although conventional software provides a VPN from a mobile device to a VPN gateway, the level of security is often insufficient, and it gives the enterprise little information about how enterprise-enabled apps are used. In this conventional scenario, a single VPN carries all the data from all enterprise apps to the VPN gateway; in other words, the VPN is established at the device level. Given the growing number of users who run work-related apps on their personal mobile devices and must connect to work-related or enterprise-related services through a secure tunnel, a single VPN pipe for all data flowing between a mobile device and an enterprise VPN gateway does not provide the level of security needed to prevent hackers and other bad actors from stealing or manipulating the data, or from planting malware on the mobile devices that could eventually harm the enterprise.
A higher level of security would avoid having multiple apps (let alone an entire device) share a single VPN; in other words, it would not use a device-level secure VPN tunnel. A better level of security would give each app its own dedicated VPN to a gateway, one that is secure and transports data only for that app, or at least only for a federation of apps. In one scenario, each enterprise app on a personal mobile device has its own VPN connection to the enterprise gateway (operated by the user's employer, client, supplier, or the like).
Currently, a mobile app user can be authenticated by a gateway component using conventional means, such as Active Directory or any suitable authentication, authorization, and accounting (AAA) mechanism. A device can be authenticated when the user attempts to access a network, such as an enterprise network, from that device. That is, when a user on a mobile device tries to log on to an enterprise network, the network authenticates that specific device: it verifies that the device is known and registered with the enterprise, and that the specific device is authorized to access the gateway. However, the authentication stops there. Presently, networks are able to determine who the user is, in some cases where the user is, which back-end authentication mechanism is in use (e.g., Active Directory, RADIUS, etc.), and which device the user is using to connect to the gateway. Conventionally, this information can be obtained and reported to an enterprise security administrator as needed. It would be desirable to have an authentication platform that goes beyond merely authenticating a client device and the device user. It would also be desirable to have richer, real-time data that extends beyond high-level device and user information.