3.1 Field of the Invention
The present invention relates to the field of computing, and more particularly, to policy handling and distribution, and to policy-driven information (data) segregation in portable computing devices, such as, but not limited to, “smart” phones, tablet computers, and personal digital assistants (“PDAs”).
3.2 The Related Art
With the advent of a wide variety of portable computing devices, such as PDAs and smart phones, and the proliferation of these devices for business purposes, control over applications and information has become more difficult for central information technology (“IT”) departments. In particular, many employees desire to use their own devices in their jobs for a number of reasons, including: the greater merging of work and home lives leading to a need to include both personal and work-related information on a single device to avoid using multiple devices (e.g., having two cell phones or PDAs), the higher degree of technical sophistication of employees and their greater independence from IT departments, and the increasing use of technology as a means of self-expression. The trend towards BYOD (“bring your own device”) creates a challenge for IT departments, not only for maintaining control over multiple device types from a plurality of manufacturers, but also for protecting sensitive data and access to data on secure servers or other enterprise resources.
Application program (“app”) use typically involves one or more types of data, such as configuration settings for the application and/or the device, data to be manipulated or used by the application, or output from the application. (The term “data” is used herein to refer to any or all types of information associated with a specific application instance.) Regardless of ownership, portable computing devices often have a mix of enterprise and personal applications and information. It is difficult to maintain separation between enterprise information and personal information using currently available methods. In some cases, a portable computing device also may contain applications and information belonging to other entities, such as clubs, volunteer organizations, schools, etc. Therefore, it is useful to have a mechanism that can establish and manage one or more segregated application and information “domains” on portable computing devices. Each such segregated domain encompasses a defined set of applications and information accessible within that domain, which are kept isolated from the applications and information external to the domain unless sharing is permitted; each domain is further associated with a domain-specific policy that specifies the required controls over the applications and information that are part of the segregated domain. The mechanism must allow the set of applications and information accessible within a domain to be defined flexibly, without necessarily being tied to OS protection mechanisms such as user ID numbers, user groups, or file system access protection settings, or to storage locations such as directories.
It is also useful to be able to independently extend such domains to encompass applications and information on other devices, such as enterprise servers, mobile devices of co-workers or friends, or third party services such as DropBox or SalesForce, while maintaining the defined application and information segregation in a policy-controlled manner.
Applications are typically run as “processes” on portable computing devices, and can be assigned various levels of resource usage, such as processor time or memory, by an operating system (OS) on the portable computing device. Applications call the OS or service daemons to provide various functions, such as access to data files or peripheral devices, network connections, inter-process communication, allocation of resources, etc. On some portable computing devices, these calls make direct reference to the OS. In other portable computing devices, these calls are made through dynamic or statically loaded library function calls, service processes, or other well-known methods. Applications running on portable computing devices may have OS-level protections applied to them (when these protections exist for the portable computing device). These OS-level protections provide access-controls to specific resources. OS-level protections do not limit how applications can share information (they limit access, not usage), nor do they limit how the data can be communicated and/or stored.
Some portable computing devices utilize virtualization technologies in which applications and their data are segregated into disparate virtual machines. Applications implemented using virtualization techniques can be isolated from each other and rendered unable to communicate and/or share information outside of the virtual machine by not provisioning the virtual machine with communication facilities or access to storage shared with other systems; this can provide control over applications and data. But in many cases some level of sharing is desired, such as to transfer or share user interface preferences or authorizations, or to introduce data to process or to extract processed data, and provision of communication facilities or access to storage shared with other systems is necessary for these purposes. Once such connectivity or sharing is arranged, however, the isolation of the virtual machine is removed and control over applications and data becomes problematic.
Networking and storage sharing facilities do not typically provide application- or data-level access control, or control over use of data. If any control is provided, it is likely to be at the network node level, such as by limiting connectivity between nodes, or limited to OS-level data protections, such as user ID numbers, file protections, or user groups. These do not permit flexible specification of applications and data or the permitted uses of data. They cannot specify, for example, that a particular file may be read by a first application but not written to by it, that a second application may read or write the file, but that neither application may transfer the file over a network link unless that link goes over a virtual private network (VPN) to a specific destination. These limitations, and the typical need to provide virtual machines with networking or storage sharing facilities that exhibit them in order to make the virtual machines useful, result in virtualization alone being insufficient to solve the problem of application and data control.
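The following is an added illustration, not code from this application, of the kind of policy the preceding paragraph says OS-level protections cannot express: a domain whose membership is defined by application and data identity rather than by user ID, group, or directory, with per-application operation rules and a transfer rule conditioned on the network link. The application names (“viewer”, “editor”, “mailer”), the object label, and the VPN destination are hypothetical.

```python
"""Toy policy-driven domain model (added illustration; names are hypothetical)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class NetLink:
    """The network link a transfer would use."""
    vpn: bool
    destination: str


@dataclass(frozen=True)
class Request:
    """An operation an application is attempting on a data object."""
    app: str                       # application identity (e.g. package name)
    obj: str                       # data object label
    op: str                        # "read", "write" or "transfer"
    link: Optional[NetLink] = None # only meaningful for "transfer"


@dataclass(frozen=True)
class Rule:
    """Allow rule: app ("*" = any domain member) may perform ops on obj."""
    app: str
    obj: str
    ops: FrozenSet[str]
    # For "transfer": permitted only over a VPN link to this destination.
    require_vpn_to: Optional[str] = None


@dataclass
class Domain:
    """A segregated domain: its member apps, its data, and its policy."""
    name: str
    apps: FrozenSet[str]
    objects: FrozenSet[str]
    rules: List[Rule] = field(default_factory=list)

    def decide(self, req: Request) -> bool:
        # Membership is decided by identity, not by UID/group/directory.
        # An application outside the domain gets no access at all, so a
        # different client cannot exfiltrate the data (persistent, pervasive).
        if req.app not in self.apps or req.obj not in self.objects:
            return False
        # First matching rule decides; no matching rule means deny.
        for rule in self.rules:
            if rule.app not in (req.app, "*") or rule.obj != req.obj:
                continue
            if req.op not in rule.ops:
                continue
            if req.op == "transfer" and rule.require_vpn_to is not None:
                # Usage control: transfer allowed only over the right link.
                return (
                    req.link is not None
                    and req.link.vpn
                    and req.link.destination == rule.require_vpn_to
                )
            return True
        return False


def example_domain() -> Domain:
    """The example from the text: viewer reads, editor reads/writes, and
    transfer by either only over a VPN to a specific destination."""
    return Domain(
        name="work",
        apps=frozenset({"viewer", "editor"}),
        objects=frozenset({"report.doc"}),
        rules=[
            Rule("viewer", "report.doc", frozenset({"read"})),
            Rule("editor", "report.doc", frozenset({"read", "write"})),
            Rule("*", "report.doc", frozenset({"transfer"}),
                 require_vpn_to="vpn.example.test"),
        ],
    )


if __name__ == "__main__":
    d = example_domain()
    good = NetLink(vpn=True, destination="vpn.example.test")
    print("viewer read  :", d.decide(Request("viewer", "report.doc", "read")))
    print("viewer write :", d.decide(Request("viewer", "report.doc", "write")))
    print("editor xfer  :", d.decide(Request("editor", "report.doc", "transfer", good)))
    print("mailer read  :", d.decide(Request("mailer", "report.doc", "read")))
```

The point of the example is that the decision is taken by the domain policy, not by the application: the same check runs for every member application and every operation, and an application outside the domain (the “mailer” here) is refused before any rule is consulted. Note that the rule list is evaluated in order with the first match deciding, and that a file-system ACL could express the read/write distinction but not the transfer condition, because that condition is about the link the data is sent over, not about access to the file.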
Even when a portable computing device can be configured to maintain applications and data separately, the problem of controlling owned data still is not solved: The application can only enforce required policies on the data for itself while it is running; it cannot prevent other applications from treating the data in ways that violate the data owner's policies, especially when it is not running. Application enforcement of information policies thus is neither persistent nor pervasive, and is therefore inadequate for the needs described above. For example, if a Post Office Protocol (POP) e-mail client were written to keep messages received from a first mail server separate from those received from a second mail server, and to permit forwarding of a message only through the mail server it was received from, there may be nothing to prevent a different e-mail client or a file transfer application from sending the stored messages or message files to a third server. Policy enforcement must be both persistent and pervasive to be effective.
Summarizing, current portable computing devices do not:
    Recognize a plurality of owners of the applications and data stored or used on the device;
    Provide for a combination of external and locally resident policy elements to define and enforce application and information segregation;
    Segregate applications and information in accordance with policy-defined requirements;
    Provide mechanisms for persistent and pervasive control over applications and information subject to policy control; or
    Provide mechanisms for fine-grained control over operations by and between applications operating on the device, or between applications operating on the device and other applications or services that exist off of the device.
What is needed is a computing solution that isolates application information according to policy requirements and provides distinct improvements over existing portable computing device architectures by dynamically enabling one or more policy controlled “domains,” each comprising one or more applications and their information. The present invention meets these and other needs.