System and method for incrementally distributing a security policy in a computer network

US 20030115484A1
Filed: 09/13/2002
Published: 06/19/2003
Est. Priority Date: 10/28/1998
Status: Active Grant

First Claim

Patent Images

1. A system for maintaining security in a distributed computing environment, comprising:

(1) a business logic manager, coupled to a network, including a database for storing a security policy including a plurality of rules; and

a policy distributor, coupled to the database, for distributing the rules through the network;

(2) a security engine, coupled to the network, for storing a set of rules received through the network from the policy distributor and for enforcing the rules; and

(3) an application, coupled to the security engine.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for generating an updated version of, or reconstructing a previously enforced version of, a local client security policy stored in an application guard. To update a local security policy, a policy manager distributes a change (or an accumulation of changes) to the currently enforced version of the security policy through a network to the application guard. The application guard uses the distributed change to update the currently enforced version of the local client security policy. To reconstruct a previously enforced version of a local security policy, the policy manager generates a reversing delta equal to the reverse of the change (or accumulation of changes) from the previously enforced version to the currently enforced version of the security policy, and distributes the reversing delta through the network to the application guard. The application guard applies the distributed reversing delta to the currently enforced version of the local client security policy to reconstruct the previously enforced version of the security policy.

297 Citations

33 Claims

1. A system for maintaining security in a distributed computing environment, comprising:
- (1) a business logic manager, coupled to a network, including a database for storing a security policy including a plurality of rules; and
  
  a policy distributor, coupled to the database, for distributing the rules through the network;
  
  (2) a security engine, coupled to the network, for storing a set of rules received through the network from the policy distributor and for enforcing the rules; and
  
  (3) an application, coupled to the security engine.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the rules are separate from the application.
  - 3. The system of claim 1, wherein the security engine further comprises:
    - an engine for, based on the rules, evaluating a request to access the application; and
      
      an application programming interface (API) for enabling the application to communicate with the engine.
  - 4. The system of claim 3, wherein the security engine further comprises:
    - a plug-in application programming interface (plug-in API) for extending capabilities of the security engine.
  - 5. The system of claim 1, further comprising:
    - location means for enabling components in the system to locate each other through the network.
  - 6. The system of claim 1, wherein the policy manager and the policy distributor are hosted on a first server, the security engine and the application are hosted on a second server, and the first and second servers are communicatively coupled to each other through the network.

7. A system for maintaining security for an application in a distributed computing environment, comprising:
- an engine, coupled to a network, for storing a set of rules received through the network from a centralized location and for enforcing the rules;
  
  an interface coupled to the engine; and
  
  an application, coupled to the interface to enable the application to communicate with the engine.
- View Dependent Claims (8, 9)
- - 8. The system of claim 7, wherein the rules are separate from the application.
  - 9. The system of claim 7, further comprising:
    - a plug-in application programming interface (plug-in API) for extending capabilities of the security engine.

10. A system for maintaining security in a distributed computing environment, comprising (1) a policy manager, coupled to a network, including a database for storing a security policy including a plurality of rules;
- a policy distributor for distributing the rules through the network;
  
  (2) a plurality of security engines, each coupled to the network, for receiving a set of rules through the network from the policy distributor, storing the set of rules, and enforcing the set of rules; and
  
  (3) a plurality of applications, each application being coupled to a respective security engine, each security engine being able to enforce a set of rules for its respective application.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the rules are separate from each application.
  - 12. The system of claim 10, wherein each security engine further comprises:
    - an engine for, based on a set of rules, evaluating a request to access a particular application; and
      
      an application programming interface (API) for enabling a respective application to communicate with a respective engine.
  - 13. The system of claim 12, wherein each security engine further comprises:
    - a plug-in application programming interface (plug-in API) for extending capabilities of the security engine.
  - 14. The system of claim 10, further comprising:
    - location means for enabling components in the system to locate each other through the network.
  - 15. The system of claim 10, wherein the policy manager and the policy distributor are hosted on a policy server, the plurality of security engines and the plurality of applications are hosted on at least one separate server, and the policy server is communicatively coupled through the network to the separate server.

16. A system for maintaining security for a plurality of applications in a distributed computing environment, comprising:
- an engine, coupled to a network, for storing a set of rules received through the network from a centralized location, and for enforcing the rules;
  
  a plurality of interfaces coupled to the engine; and
  
  a plurality of applications, each application being coupled to a respective interface to enable the application to communicate with the engine through its respective interface, wherein the engines enforcing the rules for the application.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, wherein the rules are separate from each application.
  - 18. The system of claim 17, further comprising:
    - a plug-in application programming interface (plug-in API) for extending capabilities of the engine.

19. A system for distributing a security policy in a distributed computing environment, comprising:
- (1) a policy manager, coupled to a network, including a database for storing a first version of a policy including a plurality of rules;
  
  updating means for entering a sequence of incremental changes to the rules in the first version of policy to generate a second version of a policy;
  
  tracking means for tracking each of the incremental changes and for compiling a changed portion of the first version of the policy; and
  
  a policy distributor for distributing the changed portion through the network;
  
  (2) a security engine, coupled to the network, for storing the first version of the policy and for receiving the changed portion through the network, the security engine including means for using the changed portion to update the first version of the policy to create the second version of the policy, and for enforcing the second version of the policy for applications; and
  
  (3) an application coupled to the security engine.
- View Dependent Claims (20, 21)
- - 20. The system of claim 19, wherein each of the incremental changes of the current policy includes rule deletions, rule additions, or rule amendments.
  - 21. The system of claim 19, further comprising:
    - location means for enabling components in the system to locate each other through the network.

22. A system for distributing a security policy in a distributed computing environment, comprising:
- (1) a policy manager, coupled to a network, including;
  
  a database for storing a first version of a policy including a plurality of rules;
  
  means for entering a sequence of incremental changes to the rules in the first version of the policy to generate a second version of a policy;
  
  means for tracking each of the incremental changes of the rules in the first version of the policy and for compiling a changed portion in the first version of the policy;
  
  a policy distributor for distributing the changed portion through the network;
  
  (2) a plurality of security engines, each security engine being coupled to the network, receiving the changed portion of the policy from the policy distributor through the network, storing a set of rules in the first version policy, and including means for updating the first version of the policy to the second version of the policy based on the changed portion of the first version of the policy; and
  
  (3) a plurality of applications, each application being coupled to its respective security engine which enforces the second version of the policy for the application.
- View Dependent Claims (23, 24)
- - 23. The system of claim 22, wherein each of the incremental changes of the current policy includes rule deletions, rule additions, or rule amendments.
  - 24. The system of claim 23, further comprising:
    - location means for enabling components in the system to locate each other through the network.

25. A system for distributing a security policy in a distributed computing environment, comprising:
- (1) a policy manager, coupled to a network, including a database for storing a first version of a policy including a plurality rules;
  
  updating means for entering a sequence of incremental changes to the rules in the first version of the policy to generate a second version of a policy;
  
  tracking means for recording a respective delta change for each of the incremental changes;
  
  reversing means for generating a reversed portion of the second version of the policy based on the sequence of delta changes;
  
  a policy distributor for distributing the reversed portion through the network;
  
  (2) a security engine, coupled to the network, for storing the second version of the policy and for receiving the reversed portion through the network from the policy distributor, the security engine including means for restoring the second version of the policy to the first version of the policy based on the reversed portion, the security engine enforcing the restored first version of the policy for the applications; and
  
  (3) an application coupled to the security engine.
- View Dependent Claims (26, 27)
- - 26. The system of claim 25, wherein each of the incremental changes of the current policy includes rule deletions, rule additions, or rule amendments.
  - 27. The system of claim 26, further comprising:
    - location means for allowing components in the system to locate each other through the network.

28. A system for analyzing a security policy in a distributed computing environment, comprising:
- (1) a business logic manager, coupled to a network, including a database for storing a security policy including a plurality of rules;
  
  a policy analysis engine for analyzing a policy analysis query, the policy analysis engine further including (i) an interpret module for interpreting the policy analysis query, (ii) a search module for searching the policy stored in the database, in response to the interpreted policy analysis query, to provide an answer to the policy analysis query, and (iii) a displaying module for displaying the answer; and
  
  a policy distributor for distributing the rules through the network;
  
  (2) a security engine, coupled to the network, for storing a set of rules received through the network from the policy distributor and for enforcing the set of the rules; and
  
  (3) an application, coupled to the security engine.
- View Dependent Claims (29, 30)
- - 29. The system of claim 28, wherein the policy analysis query contains a subject filed, a privilege field, or a resource filed, and the interpreter module interprets the policy query based on the resource field, the privilege field, or the resource field.
  - 30. The system of claim 29, wherein the policy analysis query is a policy query, a verification query, or a cross-referencing query.

31. A system for analyzing a security policy in a distributed computing environment, comprising:
- (1) a business logic manager, coupled to a network, including a global database for storing a global security policy including a plurality of rules; and
  
  a policy distributor, coupled to the database, for distributing the rules through the network;
  
  (2) a business logic engine, coupled to the network, including (i) a local policy database for storing a local security database including a set of the rules, received from the policy distributor through network, in the global security polity, (ii) a policy analysis engine for analyzing a policy analysis query, (iii) an interpret module for interpreting the policy analysis query, (iv) a search module for searching the local security policy stored in the local policy database, in response to the interpreted policy analysis query, to provide an answer to the policy analysis query, and (v) a displaying module for displaying the answer; and
  
  (3) an application, coupled to the security engine.
- View Dependent Claims (32, 33)
- - 32. The system of claim 31, wherein the policy analysis query contains a subject filed, a privilege field, or a resource filed, and the interpreter module interprets the policy query based on the resource field, the privilege field, or the resource field.
  - 33. The system of claim 31, wherein the policy analysis query is a policy query, a verification query, or a cross-referencing query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Xu, Mingde, Moriconi, Mark S., Godik, Simon, Yagen, Ken

Granted Patent

US 7,363,650 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G02B 6/132   by deposition of thin films

G06F 21/50   Monitoring users, programs ...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H01L 21/02164   the material being a silico...

H01L 21/31111   by chemical means

H01L 21/31608   Deposition of SiO2 H01L21/3...

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

System and method for incrementally distributing a security policy in a computer network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

297 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for incrementally distributing a security policy in a computer network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

297 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links