System and method for incrementally distributing a security policy in a computer network
Abstract
A system and method for generating an updated version of, or reconstructing a previously enforced version of, a local client security policy stored in an application guard. To update a local security policy, a policy manager distributes a change (or an accumulation of changes) to the currently enforced version of the security policy through a network to the application guard. The application guard uses the distributed change to update the currently enforced version of the local client security policy. To reconstruct a previously enforced version of a local security policy, the policy manager generates a reversing delta equal to the reverse of the change (or accumulation of changes) from the previously enforced version to the currently enforced version of the security policy, and distributes the reversing delta through the network to the application guard. The application guard applies the distributed reversing delta to the currently enforced version of the local client security policy to reconstruct the previously enforced version of the security policy.
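The update and reconstruction paths described in the abstract, as an added example that is not code from the patent: the policy is modelled as a dict of rule id to rule text, and the delta operation names, the sample rules and the function names are assumptions.

```python
# A delta is an ordered list of ops. Removes and replaces carry the old value so
# the manager can derive a reversing delta without replaying edit history:
#   ("add", rule_id, new)   ("remove", rule_id, old)   ("replace", rule_id, old, new)

def apply_delta(policy, delta):
    """Application guard: apply a distributed delta to the local rule set."""
    updated = dict(policy)  # rule text is immutable, so a shallow copy suffices
    for op in delta:
        kind, rid = op[0], op[1]
        if kind == "add" and rid not in updated:
            updated[rid] = op[2]
        elif kind == "remove" and updated.get(rid) == op[2]:
            del updated[rid]
        elif kind == "replace" and updated.get(rid) == op[2]:
            updated[rid] = op[3]
        else:  # guard rejects a delta that does not fit the version it holds
            raise ValueError(f"delta op {op!r} does not match local policy")
    return updated

def reversing_delta(delta):
    """Policy manager: the delta that undoes `delta` (reverse order, swapped ops)."""
    swap = {"add": "remove", "remove": "add"}
    inverse = []
    for op in reversed(delta):
        if op[0] == "replace":
            inverse.append(("replace", op[1], op[3], op[2]))
        else:
            inverse.append((swap[op[0]], op[1], op[2]))
    return inverse

def accumulate(deltas):
    """Compile a sequence of incremental changes into one changed portion."""
    return [op for delta in deltas for op in delta]

# Constructed sample: version 1 of the policy, held by manager and guard alike.
VERSION_1 = {
    "r1": "allow role=teller action=view account",
    "r2": "allow role=manager action=approve transfer",
}
# Three incremental edits entered at the manager; tracking records each one.
CHANGES = [
    [("add", "r3", "deny role=* action=export ledger")],
    [("replace", "r1", VERSION_1["r1"], "allow role=teller action=view account if amount<10000")],
    [("remove", "r2", VERSION_1["r2"])],
]

def distribute_update(local_policy=VERSION_1, changes=CHANGES):
    # Update path: manager ships the accumulated changed portion, guard applies it.
    return apply_delta(local_policy, accumulate(changes))

def roll_back(version_2, changes=CHANGES):
    # Reconstruction path: manager ships the reversing delta, guard restores version 1.
    return apply_delta(version_2, reversing_delta(accumulate(changes)))
```

Because every op carries the value it expects to find, a guard holding a stale or tampered version rejects the delta instead of silently enforcing a half-applied policy.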
33 Claims
1. A system for maintaining security in a distributed computing environment, comprising:
(1) a business logic manager, coupled to a network, including a database for storing a security policy including a plurality of rules; and
a policy distributor, coupled to the database, for distributing the rules through the network;
(2) a security engine, coupled to the network, for storing a set of rules received through the network from the policy distributor and for enforcing the rules; and
(3) an application, coupled to the security engine.
Dependent claims: 2, 3, 4, 5, 6

7. A system for maintaining security for an application in a distributed computing environment, comprising:
an engine, coupled to a network, for storing a set of rules received through the network from a centralized location and for enforcing the rules;
an interface coupled to the engine; and
an application, coupled to the interface to enable the application to communicate with the engine.
Dependent claims: 8, 9

10. A system for maintaining security in a distributed computing environment, comprising:
(1) a policy manager, coupled to a network, including a database for storing a security policy including a plurality of rules;
a policy distributor for distributing the rules through the network;
(2) a plurality of security engines, each coupled to the network, for receiving a set of rules through the network from the policy distributor, storing the set of rules, and enforcing the set of rules; and
(3) a plurality of applications, each application being coupled to a respective security engine, each security engine being able to enforce a set of rules for its respective application.
Dependent claims: 11, 12, 13, 14, 15

16. A system for maintaining security for a plurality of applications in a distributed computing environment, comprising:
an engine, coupled to a network, for storing a set of rules received through the network from a centralized location, and for enforcing the rules;
a plurality of interfaces coupled to the engine; and
a plurality of applications, each application being coupled to a respective interface to enable the application to communicate with the engine through its respective interface, wherein the engine enforces the rules for the application.
Dependent claims: 17, 18

19. A system for distributing a security policy in a distributed computing environment, comprising:
(1) a policy manager, coupled to a network, including a database for storing a first version of a policy including a plurality of rules;
updating means for entering a sequence of incremental changes to the rules in the first version of policy to generate a second version of a policy;
tracking means for tracking each of the incremental changes and for compiling a changed portion of the first version of the policy; and
a policy distributor for distributing the changed portion through the network;
(2) a security engine, coupled to the network, for storing the first version of the policy and for receiving the changed portion through the network, the security engine including means for using the changed portion to update the first version of the policy to create the second version of the policy, and for enforcing the second version of the policy for applications; and
(3) an application coupled to the security engine.
Dependent claims: 20, 21

22. A system for distributing a security policy in a distributed computing environment, comprising:
(1) a policy manager, coupled to a network, including:
a database for storing a first version of a policy including a plurality of rules;
means for entering a sequence of incremental changes to the rules in the first version of the policy to generate a second version of a policy;
means for tracking each of the incremental changes of the rules in the first version of the policy and for compiling a changed portion in the first version of the policy;
a policy distributor for distributing the changed portion through the network;
(2) a plurality of security engines, each security engine being coupled to the network, receiving the changed portion of the policy from the policy distributor through the network, storing a set of rules in the first version policy, and including means for updating the first version of the policy to the second version of the policy based on the changed portion of the first version of the policy; and
(3) a plurality of applications, each application being coupled to its respective security engine which enforces the second version of the policy for the application.
Dependent claims: 23, 24

25. A system for distributing a security policy in a distributed computing environment, comprising:
(1) a policy manager, coupled to a network, including a database for storing a first version of a policy including a plurality of rules;
updating means for entering a sequence of incremental changes to the rules in the first version of the policy to generate a second version of a policy;
tracking means for recording a respective delta change for each of the incremental changes;
reversing means for generating a reversed portion of the second version of the policy based on the sequence of delta changes;
a policy distributor for distributing the reversed portion through the network;
(2) a security engine, coupled to the network, for storing the second version of the policy and for receiving the reversed portion through the network from the policy distributor, the security engine including means for restoring the second version of the policy to the first version of the policy based on the reversed portion, the security engine enforcing the restored first version of the policy for the applications; and
(3) an application coupled to the security engine.
Dependent claims: 26, 27

28. A system for analyzing a security policy in a distributed computing environment, comprising:
(1) a business logic manager, coupled to a network, including a database for storing a security policy including a plurality of rules;
a policy analysis engine for analyzing a policy analysis query, the policy analysis engine further including (i) an interpret module for interpreting the policy analysis query, (ii) a search module for searching the policy stored in the database, in response to the interpreted policy analysis query, to provide an answer to the policy analysis query, and (iii) a displaying module for displaying the answer; and
a policy distributor for distributing the rules through the network;
(2) a security engine, coupled to the network, for storing a set of rules received through the network from the policy distributor and for enforcing the set of the rules; and
(3) an application, coupled to the security engine.
Dependent claims: 29, 30

31. A system for analyzing a security policy in a distributed computing environment, comprising:
(1) a business logic manager, coupled to a network, including a global database for storing a global security policy including a plurality of rules; and
a policy distributor, coupled to the database, for distributing the rules through the network;
(2) a business logic engine, coupled to the network, including (i) a local policy database for storing a local security policy including a set of the rules, received from the policy distributor through the network, in the global security policy, (ii) a policy analysis engine for analyzing a policy analysis query, (iii) an interpret module for interpreting the policy analysis query, (iv) a search module for searching the local security policy stored in the local policy database, in response to the interpreted policy analysis query, to provide an answer to the policy analysis query, and (v) a displaying module for displaying the answer; and
(3) an application, coupled to the security engine.
Dependent claims: 32, 33