Combining smart phone and infrastructure sensors to improve security in enterprise settings

Abstract

There is an increasing trend among employees to bring in their own personal device to work, thereby making the enterprise more vulnerable to security attacks such as data leakage from phones. Additionally, users are increasingly running phone apps in a mixed-mode i.e. both for enterprise and personal commitments. For example, phone cameras and microphones are used to record business meetings, often resulting in the case that both employers and employees become unaware of the existence of business data on the phone at a later point in time. The lack of employer control over personal devices raises enterprise data leakage threats, when an employee's phone is lost or stolen. In this paper we describe a system that leverages sensors available on the phone as well as on the enterprise infrastructure to identify business data resident on the phone for further secure handling. Office spaces have traditionally been instrumented with badge swipe readers, cameras, wifi access points etc. that can be used to provide passive sensory data about employees. For example, badge swipes can be used provide approximate location information of an employee where as calendar entries provide information about their schedule and activities. We propose a distributed architecture that leverages the context of the user for speculatively identifying enterprise data from personal data. The basic idea is to understand whether a user is engaged in enterprise or personal work by inferring her context from a combination of phone and infrastructure sensors. The contextual attributes in our system, such as location, can be sourced from a plurality of sensors on the phone as well as on the infrastructure. We exploit this diversity and propose a cost optimized distributed rule execution framework that chooses the optimal set of predicates to sense on the phone as well as on the infrastructure to reduce sensing cost. Furthermore, the framework also chooses the appropriate site for rule evaluation, either on the infrastructure or phone, to optimize for network transfer cost incurred due to shipping of sensed predicates between the two sites. Combined together,the above two optimizations reduce the battery drain caused due to context inferencing on the phone.