Managing security agents in a distributed environment

US 10,505,982 B2
Filed: 10/21/2016
Issued: 12/10/2019
Est. Priority Date: 10/23/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

upon start-up of a physical environment in which a security agent resides, initializing, by the security agent, using a bootstrap configuration packaged in a file, wherein the file is provided to the security agent by an identity management system upon registration of the security agent with a policy server of the identity management system, wherein the security agent resides outside of the identity management system, wherein the policy server includes a policy for controlling access to a resource in a distributed environment server, wherein the registration includes issuance of an access token to the security agent, which creates a trust mechanism between the security agent and the identity management system, and wherein the file further includes security information that allows the security agent to subsequently connect to the identity management system in a secure manner;

connecting, by the security agent, to the policy server of the identity management system through a default port using a default protocol based on the security information and the trust mechanism created between the security agent and the identity management system;

obtaining, by the security agent, a configuration file from the policy server using the default port and the default protocol, wherein includes contextual information regarding the physical environment of the security agent such that the security agent can initialize and determine the physical environment in which the security agent resides, and wherein the configuration file or metadata associated with the security agent comprises a port mapping, which includes a mapping between port identifiers, ports of communication within the physical environment, and protocols used by the ports;

analyzing, by the security agent, the ports of communication within the physical environment to identify a preferred port that is available for connection to the policy server, wherein the preferred port provides a more secure connection than that of the default port;

receiving, by the security agent, a request from a user for access to the resource provided in the distributed environment server;

connecting, by the security agent, to the policy server through the preferred port using a corresponding protocol to delegate authentication tasks to the identity management system and work with the policy server to access the policy for controlling the access to the resource;

requesting, by the security agent, a determination be made by the policy server as to whether authentication of the user is required for access to the resource, wherein the request is sent from the security agent to the policy server via the preferred port;

checking, by the security agent, the authentication of the user when the authentication of the user is required for access to the resource;

requesting, by the security agent, a determination be made by the policy server as to whether the user is authorized to access the resource when the authentication of the user is verified, wherein the request is sent from the security agent to the policy server via the preferred port; and

allowing, by the security agent, the user access to the resource when the user is authorized to access the resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates generally to techniques for controlling access to resources accessible in a distributed environment. One of the techniques includes connecting a security agent to a policy server through a default port using a default protocol. The security agent is configured to intercept requests for access to a resource in a distributed environment, and work with the policy server to control access to the resource based on policies stored on the policy server. The technique further includes obtaining a configuration file from the policy server such that the security agent can initialize and determine the distributed environment in which the security agent resides, analyzing ports of communication within the distributed environment to identify a preferred port that is available for connection to the policy server, and connecting to the policy server through the preferred port to access the policies for controlling the access to the resource.

112 Citations

View as Search Results

16 Claims

1. A method comprising:
- upon start-up of a physical environment in which a security agent resides, initializing, by the security agent, using a bootstrap configuration packaged in a file, wherein the file is provided to the security agent by an identity management system upon registration of the security agent with a policy server of the identity management system, wherein the security agent resides outside of the identity management system, wherein the policy server includes a policy for controlling access to a resource in a distributed environment server, wherein the registration includes issuance of an access token to the security agent, which creates a trust mechanism between the security agent and the identity management system, and wherein the file further includes security information that allows the security agent to subsequently connect to the identity management system in a secure manner;
  
  connecting, by the security agent, to the policy server of the identity management system through a default port using a default protocol based on the security information and the trust mechanism created between the security agent and the identity management system;
  
  obtaining, by the security agent, a configuration file from the policy server using the default port and the default protocol, wherein includes contextual information regarding the physical environment of the security agent such that the security agent can initialize and determine the physical environment in which the security agent resides, and wherein the configuration file or metadata associated with the security agent comprises a port mapping, which includes a mapping between port identifiers, ports of communication within the physical environment, and protocols used by the ports;
  
  analyzing, by the security agent, the ports of communication within the physical environment to identify a preferred port that is available for connection to the policy server, wherein the preferred port provides a more secure connection than that of the default port;
  
  receiving, by the security agent, a request from a user for access to the resource provided in the distributed environment server;
  
  connecting, by the security agent, to the policy server through the preferred port using a corresponding protocol to delegate authentication tasks to the identity management system and work with the policy server to access the policy for controlling the access to the resource;
  
  requesting, by the security agent, a determination be made by the policy server as to whether authentication of the user is required for access to the resource, wherein the request is sent from the security agent to the policy server via the preferred port;
  
  checking, by the security agent, the authentication of the user when the authentication of the user is required for access to the resource;
  
  requesting, by the security agent, a determination be made by the policy server as to whether the user is authorized to access the resource when the authentication of the user is verified, wherein the request is sent from the security agent to the policy server via the preferred port; and
  
  allowing, by the security agent, the user access to the resource when the user is authorized to access the resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the analyzing includes:
    - identifying, by the security agent, a subset of ports that are available from all the ports of communication; and
      
      identifying, by the security agent, the preferred port that is within the identified subset of ports and provides the more secure connection than that of the default port.
  - 3. The method of claim 2, wherein the identifying the preferred port includes searching, by the security agent, the subset of ports for a proprietary port that uses a proprietary protocol;
    - andwhen the proprietary port is identified in the subset of ports, connecting, by the security agent, to the policy server through the proprietary port using the proprietary protocol to access the policies for controlling the access to the resource.
  - 4. The method of claim 3, wherein when the proprietary port is not identified in the subset of ports, searching, by the security agent, the subset of ports for a non-proprietary port that uses a non-proprietary protocol and provides the more secure connection than that of the default port;
    - andconnecting, by the security agent, to the policy server through the non-proprietary port using the non-proprietary protocol to access the policies for controlling the access to the resource.
  - 5. The method of claim 1, wherein the analyzing includes identifying, by the security agent, the preferred port using the port mapping.
  - 6. The method of claim 5, wherein the identifying the preferred port includes searching, by the security agent, the port mapping for a proprietary port that uses a proprietary protocol;
    - when the proprietary port is identified in the port mapping, connecting, by the security agent, to the policy server through the proprietary port using the proprietary protocol to access the policies for controlling the access to the resource;
      
      when the proprietary port is not identified in the port mapping, searching, by the security agent, the port mapping for a non-proprietary port that uses a non-proprietary protocol and provides the more secure connection than that of the default port; and
      
      connecting, by the security agent, to the policy server through the non-proprietary port using the non-proprietary protocol to access the policies for controlling the access to the resource.

7. A system comprising:
- one or more processors and non-transitory machine readable storage medium;
  
  a distributed environment server that includes a resource;
  
  a policy server of an identity management system that includes one or more policies for controlling access to the resource and resides outside of the distributed environment server;
  
  a security agent that resides inside a physical environment and outside of the identity management system, and the security agent is configured to intercept requests for access to the resource from a local application and work with the policy server to control access to the resource;
  
  program instructions to, upon start-up of the physical environment in which the security agent resides, initialize the security agent using a bootstrap configuration packaged in a file, wherein the file is provided to the security agent by the identity management system upon registration of the security agent with the policy server of the identity management system, wherein the registration includes issuance of an access token to the security agent, which creates a trust mechanism between the security agent and the identity management system, and wherein the file further includes security information that allows the security agent to subsequently connect to the identity management system in a secure manner;
  
  program instructions to connect the security agent to the policy server through a default port using a default protocol based on the security information and the trust mechanism created between the security agent and the identity management system;
  
  program instructions to obtain a configuration file from the policy server using the default port and the default protocol, wherein the configuration file includes contextual information regarding the physical environment of the security agent such that the security agent can initialize and determine the physical environment in which the security agent resides, and wherein the configuration file or metadata associated with the security agent comprises a port mapping, which includes a mapping between port identifiers, ports of communication within the physical environment, and protocols used by the ports;
  
  program instructions to analyze the ports of communication within the physical environment to identify a preferred port that is available for connection to the policy server, wherein the preferred port provides a more secure connection than that of the default port;
  
  program instruction to receive a request from a user for access to the resource provided in the distributed environment server;
  
  program instructions to connect the security agent to the policy server through the preferred port using a corresponding protocol to delegate authentication tasks to the identity management system and work with the policy server to access the one or more policies for controlling the access to the resource;
  
  program instruction to request a determination be made by the policy server as to whether authentication of the user is required for access to the resource, wherein the request is sent from the security agent to the policy server via the preferred port;
  
  program instruction to check the authentication of the user when the authentication of the user is required for access to the resource;
  
  program instruction to request a determination be made by the policy server as to whether the user is authorized to access the resource when the authentication of the user is verified, wherein the request is sent from the security agent to the policy server via the preferred port; and
  
  program instruction to allow the user access to the resource when the user is authorized to access the resource,wherein the program instructions are stored on the non-transitory machine readable storage medium for execution by the one or more processors.
- View Dependent Claims (8, 9, 10)
- - 8. The system of claim 7, wherein the analyzing includes:
    - identifying a subset of ports that are available from all the ports of communication; and
      
      identifying the preferred port that is within the identified subset of ports and provides the more secure connection than that of the default port.
  - 9. The system of claim 8, wherein the identifying the preferred port includes searching the subset of ports for a proprietary port that uses a proprietary protocol;
    - andwhen the proprietary port is identified in the subset of ports, connecting to the policy server through the proprietary port using the proprietary protocol to access the policies for controlling the access to the resource.
  - 10. The system of claim 9, wherein when the proprietary port is not identified in the subset of ports, searching the subset of ports for a non-proprietary port that uses a non-proprietary protocol and provides the more secure connection than that of the default port;
    - andconnecting to the policy server through the non-proprietary port using the non-proprietary protocol to access the policies for controlling the access to the resource.

11. A non-transitory machine readable storage medium having instructions stored thereon that when executed by one or more processors cause the one or more processors to perform a method comprising:
- upon start-up of a physical environment in which a security agent resides, initializing the security agent using a bootstrap configuration packaged in a file, wherein the file is provided to the security agent by an identity management system upon registration of the security agent with a policy server of the identity management system, wherein the security agent resides outside of the identity management system, wherein the policy server includes one or more policies for controlling access to a resource in a distributed environment server, wherein the registration includes issuance of an access token to the security agent, which creates a trust mechanism between the security agent and the identity management system, and wherein the file further includes security information that allows the security agent to subsequently connect to the identity management system in a secure manner;
  
  connecting the security agent to the policy server of the identity management system through a default port using a default protocol based on the security information and the trust mechanism created between the security agent and the identity management system;
  
  obtaining a configuration file from the policy server using the default port and the default protocol, wherein the configuration file includes contextual information regarding the physical environment of the security agent such that the security agent can initialize and determine the physical environment in which the security agent resides, and wherein the configuration file or metadata associated with the security agent comprises a port mapping, which includes a mapping between port identifiers, ports of communication within the physical environment, and protocols used by the ports;
  
  analyzing the ports of communication within the physical environment to identify a preferred port that is available for connection from the security agent to the policy server, wherein the preferred port provides a more secure connection than that of the default port;
  
  receiving a request from a user for access to the resource provided in the distributed environment server;
  
  connecting to the policy server through the preferred port using a corresponding protocol to access the one or more policies for controlling the access to the resource;
  
  requesting a determination be made by the policy server as to whether authentication of the user is required for access to the resource, wherein the request is sent from the security agent to the policy server via the preferred port;
  
  checking the authentication of the user when the authentication of the user is required for access to the resource;
  
  requesting a determination be made by the policy server as to whether the user is authorized to access the resource when the authentication of the user is verified, wherein the request is sent from the security agent to the policy server via the preferred port; and
  
  allowing the user access to the resource when the user is authorized to access the resource.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The non-transitory machine readable storage medium of claim 11, the method further comprises prior to connecting to the policy server through the preferred port, obtaining a configuration file from the policy server using the default port and a default protocol such that the security agent can initialize and determine the physical environment in which the security agent resides.
  - 13. The non-transitory machine readable storage medium of claim 12, wherein the analyzing includes:
    - determining all ports and corresponding protocols of the physical environment;
      
      identifying a subset of ports that are available from all the determined ports; and
      
      identifying the preferred port that is within the identified subset of ports and provides the more secure connection than that of the default port.
  - 14. The non-transitory machine readable storage medium of claim 13, wherein the identifying the preferred port includes searching the subset of ports for a proprietary port that uses a proprietary protocol;
    - andwhen the proprietary port is identified in the subset of ports, connecting to the policy server through the proprietary port using the proprietary protocol to access the policies for controlling the access to the resource.
  - 15. The non-transitory machine readable storage medium of claim 14, wherein when the proprietary port is not identified in the subset of ports, searching the subset of ports for a non-proprietary port that uses a non-proprietary protocol and provides the more secure connection than that of the default port;
    - andconnecting to the policy server through the non-proprietary port using the non-proprietary protocol to access the policies for controlling the access to the resource.
  - 16. The non-transitory machine readable storage medium of claim 11, wherein the analyzing includes identifying the preferred port using the port mapping, and the identifying the preferred port includes searching the port mapping for a proprietary port that uses a proprietary protocol;
    - when the proprietary port is identified in the port mapping, connecting to the policy server through the proprietary port using the proprietary protocol to access the policies for controlling the access to the resource;
      
      when the proprietary port is not identified in the port mapping, searching the port mapping for a non-proprietary port that uses a non-proprietary protocol and provides the more secure connection than that of the default port; and
      
      connecting to the policy server through the non-proprietary port using the non-proprietary protocol to access the policies for controlling the access to the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Motukuru, Vamsi, Kolli, Ashish
Primary Examiner(s)
Huang, Cheng-Feng

Application Number

US15/331,211
Publication Number

US 20170118249A1
Time in Patent Office

1,145 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Managing security agents in a distributed environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

112 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Managing security agents in a distributed environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links