GPRS and UMTS networks are an evolution of the global system for mobile communications (GSM) standards to provide packet switched data services to GSM mobile stations. Packet-switched data services are used for transmitting chunks of data or for data transfers of an intermittent or bursty nature. Typical applications for Third Generation Partnership Project (3GPP) packet services include Internet browsing, wireless e-mail, video streaming, credit card processing, etc. utilized by human users. 3GPP packet service could also be used to connect mobile devices to packet data networks owned by organizations such as government or enterprises. FIG. 1 shows 3GPP networks (3G UMTS and 4G LTE) connecting mobile devices to the Internet as well as a private data network. It also shows interworking with Wi-Fi access. Referring to FIG. 1, mobile devices 102 and 103 are communicatively coupled to a packet core network 110. For example, 3G/4G User Equipment (UE) 102 is coupled to packet core network 110 via a 3G Radio Access Network (RAN) 104 through, for example, node B (NB) and radio network controller (RNC) 105 and from there to the packet core node through the Serving GPRS Support Node (SGSN) 111. The UE 102 is additionally coupled to the core network 110 via a corresponding LTE access network (e.g., evolved UMTS terrestrial RAN (Evolved Universal Terrestrial Radio Access Network (E-UTRAN)) node B (eNB) 106. Finally the 3G/4G/Wi-Fi UE 103 is coupled to the packet core network 110 via RNC 105 or eNB 106 or via Wi-Fi access point 123. In order to communicate to a data service located in other networks such as the Internet 120 and/or private network enterprise (or enterprise premise) 121, UE data devices 102 and 103 have to go through packet core network 110. Typically, packet core network 110 includes SGSN 111 for the 3G network or serving gateway (S-GW) 113 for the LTE network 106 and a gateway GPRS support node (GGSN) 112 for the 3G network or packet data network (PDN-GW) 114 for the LTE network. The packet core network 110 also has evolved packet date gateway (ePDG) 122 and 3GPP AAA Server 113 when Wi-Fi access 123 is interworked. SGSN 111/S-GW 113 and GGSN 112/PDN-GW 114 relay communications between UE 102 and UE 103 and a destination (e.g. Internet 120 and enterprise server 121). A typical packet core network 110 also includes a home location register (HLR) or home subscriber server (HSS) 117 storing subscription profile and a policy and charging rule function (PCRF) 118.
Today mobile technology has permeated through all walks of life and mobile phone penetration is more than 100% in most developed markets. Advances in content delivery (applications (Apps), streaming media, interactive), screen resolution (e.g., high-definition (HD)) and user interface (e.g., multi-touch, voice interactive), etc. have led to a new phenomenon called “device loyalty” where consumers make buying choices irrespective of their service providers and employers. Open mobile operation systems (OS) like Android® allow devices makers to create fairly sophisticated devices and bring them to market pretty quickly. People assemble their favorite set of applications as they see fit from the App stores and other sources. Some of these applications could have questionable origins since the Android® app store does not validate or qualify apps based on their behavior.
Employers realize that mobile connectivity with employees leads to higher productivity. However, in the digital age where most of the knowhow, business strategies and product secrets exist as data, enterprises take security of their network quite seriously. In order to be productive the mobile employee will need access to the enterprise network. While enterprises can issue another mobile device to employees, it is neither cost effective nor productive. Rather it is burdensome since the mobile employee has not only to carry personal and enterprise devices all the time, but has to deal with logistics of partitioning their contacts and activities into personal and business which is ineffective and tedious if not impossible. This has lead to BYOD policies at the enterprise where employees bring their own mobile device and get enterprise's permission to access the corporate network. The decline of the enterprise specific Blackberry® is an indicator that this trend is strong. While it is convenient thing to do, it also opens up the enterprise network to attacks through variety of apps on the BYOD device. While this problem applies to all smartphones and mobile computing platforms, the problem is more acute for the Android® ecosystem, given the open nature of the Android® app store, the number of apps and the sheer number of devices running Android®.
Traditional security solutions such as Internet Protocol security (IPSec) virtual private networks (VPNs) are impractical for mobile devices. IPsec encryption is computer intensive and has an adverse effect on battery life. Moreover, such VPN solutions typically rely on the end device being under protection of “always on” virus or malware scanning software that are connected to an enterprise monitor. It may not be practical for the user or the enterprise to continuously manage BYOD devices in the same manner. Therefore once malicious apps are on the smartphone because of intentional or unintentional user action, they could get root access by tricking the user and after that could get unauthorized access to the enterprise network even if the VPN was on. Therefore, traditional VPN solutions are not only inefficient but inadequate as well in the context of BYOD.
Some have proposed virtualization based solutions whereby the mobile device runs personal and enterprise personality in a virtualized environment. The VMware®. Mobile Virtual Platform (MVP) is such an example. The enterprise personality is a self-contained virtual machine image and serves as the “enterprise container” for enterprise authorized apps and security policies. Just like in case of desktop virtualization, the enterprise container executes as a self-contained operating system. The personal and enterprise app containers may act as virtual machines (VM) on single user equipment (UE). The enterprise container is also expected to perform security procedures towards the enterprise and interact with the enterprise over the mobile network. Unfortunately, a traditional mobile network is not well suited for connecting to a large number of enterprises. The standard mechanism to interconnect a mobile network and an enterprise network is the Access Point Name (APN). The APN is part of the subscription profile. For APN-based enterprise access, the user first subscribes to that APN (i.e., the APN is put in subscriber profile at the HLR/HSS). In subsequent access requests, the UE includes the APN as part of the request. Upon receiving such a request, the SGSN/Mobility Management Entity (MME) first checks the subscription profile (downloaded from HLR/HSS) to confirm that the user is authorized to access the APN and upon success it passes this information to the Gateway GPRS Support Node (GGSN)/packet data gateway (P-GW). The P-GW typically has external networking setup to the enterprise for such an APN. It is obvious from this description that adding an APN subscription has many touch points in the mobile network and it is impractical or unsustainably expensive to do so as people join and leave hundreds or thousands of enterprises. Nodes like HLR/HSS, SGSN/MME, GGSN/P-GW and the like were not designed to be opened to each enterprise so that they can manage enterprise connectivity of their mobile employees. Clearly, there is a need for an enterprise managed element within the mobile network and for a method to steer signaling and traffic in a way that such an enterprise managed element can have control over enterprise access.