
Policy enforcement via attestations

  • US 10,275,723 B2
  • Filed: 12/13/2006
  • Issued: 04/30/2019
  • Est. Priority Date: 09/14/2005
  • Status: Active Grant
First Claim

1. A method comprising:

  • configuring a security enforcement service with a policy-based attestation service on a computer network architecture at least in part by:

    authenticating, by a computer system, a true identity of a principal;

    creating, by the computer system in response to authenticating the true identity of the principal, a first data structure representing a crafted identity for the principal, the crafted identity concealing the true identity of the principal and comprising one or more identifiers and secrets that provide a statement specifying one or more roles and one or more permissions that the principal has in relation to one or more resources but which permits the principal's true identity to remain anonymous to the one or more resources;

    detecting, by the computer system, the crafted identity of a session of interaction of the principal within an environment, and enforcing global policy limitations to recognize or trap a condition within the environment that corresponds to a current operation of the principal during the session of interaction of the principal, where the current operation corresponds to a definition of a previously defined activity;

    in response to the recognizing or trapping the condition, acquiring, by the computer system, at least one attestation for the principal from at least one attesting resource at least in part by:

    generating a notification comprising condition information specifying one or more characteristics of the condition occurring within the environment;

    sending the notification to at least one attesting resource, the at least one attesting resource being a particular resource that has permission and authority to generate and transfer the at least one attestation, the at least one attesting resource generating the at least one attestation for the principal based on the crafted identity in response to the condition, the at least one attestation corresponding to a second data structure created to include:

    a policy for altering access permissions of the principal during the session of interaction of the principal within the environment, the access permissions allowing access to resources based on a role of the principal, a statement including an indication as to the at least one attesting resource that is attesting for the principal and under what authority the at least one attestation is being made, and a signature of the at least one attesting resource that is attesting for the principal; and

    enforcing, by the computer system, the policy included in the at least one attestation against the principal within the environment at least in part by:

    altering the one or more permissions of the principal specified by the statement in relation to the one or more resources to create one or more altered permissions during the session of interaction of the principal within the environment; and

    restricting resource access of the principal in accordance with the one or more altered permissions for at least part of the session of interaction of the principal within the environment.

  • 3 Assignments