Method and apparatus for securely and dynamically modifying security policy configurations in a distributed system

US 20020138726A1
Filed: 05/22/2001
Published: 09/26/2002
Est. Priority Date: 03/20/2001
Status: Active Grant

First Claim

Patent Images

1. A method for managing security policies in a distributed computing system, wherein security policies determine access rights to a computer application, the method comprising:

creating a plurality of security policies, wherein each security policy specifies a level of security for the distributed computing system;

distributing the plurality of security policies to each computer in the distributed computing system;

selecting a specific security policy from the plurality of security policies for use across the distributed computing system; and

informing each computer in the distributed computing system to use the specific security policy.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for managing security policies in a distributed computing system. Security policies include, but are not limited to, a firewall policy, a policy for file access, a policy for application access, a policy for an encryption algorithm, a policy for audit trails, and a policy for activity logging. These security policies determine access rights to a computer application. The system operates by creating multiple security policies with individual security policies specifying a differing level of security for the distributed computing system. These security policies are then distributed to each computer in the distributed computing system. Next, a specific security policy is selected for use across the distributed computing system, and each computer in the distributed computing system is directed to use the specified security policy enforcing a selected security posture.

Citations

24 Claims

1. A method for managing security policies in a distributed computing system, wherein security policies determine access rights to a computer application, the method comprising:
- creating a plurality of security policies, wherein each security policy specifies a level of security for the distributed computing system;
  
  distributing the plurality of security policies to each computer in the distributed computing system;
  
  selecting a specific security policy from the plurality of security policies for use across the distributed computing system; and
  
  informing each computer in the distributed computing system to use the specific security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the level of security includes a specific security posture.
  - 3. The method of claim 1, further comprising using secure communications for distributing the plurality of security policies to each computer in the distributed computing system.
  - 4. The method of claim 1, further comprising signing each security policy in the plurality of security policies with a cryptographic signature to allow detection of unauthorized changes.
  - 5. The method of claim 1, further comprising distributing the plurality of security policies from a computer in the distributed computing system to a subordinate computer.
  - 6. The method of claim 1, wherein selecting the specific security policy for use includes selecting the specific security policy based on a security posture.
  - 7. The method of claim 6, wherein informing each computer in the distributed computing system to use the specific security policy includes using secure communications for distributing the security posture indicator to each computer in the distributed computing system.
  - 8. The method of claim 1, wherein the plurality of security policies includes a default security policy, wherein the default security policy is selected by a computer within the distributed computing system if the specific security policy is defective on that host.

9. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for managing security policies in a distributed computing system, wherein security policies determine access rights to a computer application, the method comprising:
- creating a plurality of security policies, wherein each security policy specifies a level of security for the distributed computing system;
  
  distributing the plurality of security policies to each computer in the distributed computing system;
  
  selecting a specific security policy from the plurality of security policies for use across the distributed computing system; and
  
  informing each computer in the distributed computing system to use the specific security policy.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24)
- - 10. The computer-readable storage medium of claim 9, wherein the level of security includes a specific security posture.
  - 11. The computer-readable storage medium of claim 9, wherein the method further comprises using secure communications for distributing the plurality of security policies to each computer in the distributed computing system.
  - 12. The computer-readable storage medium of claim 9, wherein the method further comprises signing each security policy in the plurality of security policies with a cryptographic signature to allow detection of unauthorized changes.
  - 13. The computer-readable storage medium of claim 9, wherein the method further comprises distributing the plurality of security policies from a computer in the distributed computing system to a subordinate computer.
  - 14. The computer-readable storage medium of claim 9, wherein selecting the specific security policy for use includes selecting the specific security policy based on a security posture.
  - 15. The computer-readable storage medium of claim 14, wherein informing each computer in the distributed computing system to use the specific security policy includes using secure communications for distributing the security posture to each computer in the distributed computing system.
  - 16. The computer-readable storage medium of claim 9, wherein the plurality of security policies includes a default security policy, wherein the default security policy is selected by a computer within the distributed computing system if the specific security policy is defective on that host.
  - 18. The apparatus of claim 17, wherein the level of security includes a specific security posture.
  - 19. The apparatus of claim 17, further comprising a secure communications mechanism that is configured to distribute the plurality of security policies to each computer in the distributed computing system.
  - 20. The apparatus of claim 17, further comprising a signing mechanism that is configured to sign each security policy in the plurality of security policies with a cryptographic signature to allow detection of unauthorized changes.
  - 21. The apparatus of claim 17, wherein the distributing mechanism is further configured to distribute the plurality of security policies from a computer in the distributed computing system to a subordinate computer.
  - 22. The apparatus of claim 17, wherein the selecting mechanism includes a policy selecting mechanism that is configured to select the specific security policy based on the security posture.
  - 23. The apparatus of claim 22, wherein the informing mechanism includes a secure communications mechanism for distributing the security posture to each computer in the distributed computing system.
  - 24. The apparatus of claim 17, wherein the plurality of security policies includes a default security policy, wherein the default security policy is selected by a computer within the distributed computing system if the specific security policy is defective on that host.

17. An apparatus that facilitates managing security policies in a distributed computing system, wherein security policies determine access rights to a computer application, the apparatus comprising:
- a creating mechanism configured to create a plurality of security policies, wherein each security policy specifies a level of security for the distributed computing system;
  
  a distributing mechanism configured to distribute the plurality of security policies to each computer in the distributed computing system;
  
  a selecting mechanism configured to select a specific security policy from the plurality of security policies for use across the distributed computing system; and
  
  an informing mechanism configured to inform each computer in the distributed computing system to use the specific security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Whitmore, Brent S., Tally, Gregg W., Sames, David L., Niebuhr, Brian S.

Granted Patent

US 6,920,558 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Method and apparatus for securely and dynamically modifying security policy configurations in a distributed system

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securely and dynamically modifying security policy configurations in a distributed system

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links