Method and system for determining and enforcing security policy in a communication session
First Claim
1. A method for determining and enforcing security policy in a communication session for a group of participants, the method comprising:
- providing group and local policies wherein each local policy states a set of local requirements for the session for a participant and the group policy represents a set of conditional, security-relevant requirements to support the session;
generating a policy instance based on the group and local policies wherein the policy instance defines a configuration of security-related services used to implement the session and rules used for authorization and access control of participants to the session;
analyzing the policy instance with respect to a set of correctness principles;
distributing the policy instance to the participants; and
enforcing the security policy based on the rules throughout the session.
2 Assignments
0 Petitions
Accused Products
Abstract
A method and system for determining and enforcing security policy in a communication session are provided in distributed systems. Policy encompasses the provisioning, authorization, and access control within the protected environment. Hence, all communication security requirements are explicitly stated through policy. A policy instantiation is constructed at run-time through policy determination. Conditional, abstract, and discretionary policies stated by communication participants are reconciled to arrive at an instantiation. The resulting instantiation is a concrete specification of the mechanisms, configurations, and access control model to be implemented by the session. The semantics of an instantiation are achieved through policy enforcement. The policy enforcement architecture implements session policies through the composition and configuration of security mechanisms using a novel event-bus architecture. Policy is enforced through the observation of and reaction to relevant events. The method and system of the invention diverges from past subscription-based event architectures by introducing additional infrastructure allowing significant implementation flexibility, robustness, and efficiency.
414 Citations
24 Claims
-
1. A method for determining and enforcing security policy in a communication session for a group of participants, the method comprising:
-
providing group and local policies wherein each local policy states a set of local requirements for the session for a participant and the group policy represents a set of conditional, security-relevant requirements to support the session;
generating a policy instance based on the group and local policies wherein the policy instance defines a configuration of security-related services used to implement the session and rules used for authorization and access control of participants to the session;
analyzing the policy instance with respect to a set of correctness principles;
distributing the policy instance to the participants; and
enforcing the security policy based on the rules throughout the session. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A system for determining and enforcing security policy in a communication session for a group of participants based on group and local policies wherein each local policy states a set of local requirements for the session for a participant and the group policy represents a set of conditional, security-relevant requirements to support the session, the system comprising:
-
means for generating a policy instance based on the group and local policies wherein the policy instance defines a configuration of security-related services used to implement the session and rules used for authorization and access control of participants to the session;
means for analyzing the policy instance with respect to a set of correctness principles;
means for distributing the policy instance to the participants; and
means for enforcing the security policy based on the rules throughout the session. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
-
Specification