Method and system for determining and enforcing security policy in a communication session

US 20030126464A1
Filed: 12/04/2001
Published: 07/03/2003
Est. Priority Date: 12/04/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for determining and enforcing security policy in a communication session for a group of participants, the method comprising:

providing group and local policies wherein each local policy states a set of local requirements for the session for a participant and the group policy represents a set of conditional, security-relevant requirements to support the session;

generating a policy instance based on the group and local policies wherein the policy instance defines a configuration of security-related services used to implement the session and rules used for authorization and access control of participants to the session;

analyzing the policy instance with respect to a set of correctness principles;

distributing the policy instance to the participants; and

enforcing the security policy based on the rules throughout the session.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for determining and enforcing security policy in a communication session are provided in distributed systems. Policy encompasses the provisioning, authorization, and access control within the protected environment. Hence, all communication security requirements are explicitly stated through policy. A policy instantiation is constructed at run-time through policy determination. Conditional, abstract, and discretionary policies stated by communication participants are reconciled to arrive at an instantiation. The resulting instantiation is a concrete specification of the mechanisms, configurations, and access control model to be implemented by the session. The semantics of an instantiation are achieved through policy enforcement. The policy enforcement architecture implements session policies through the composition and configuration of security mechanisms using a novel event-bus architecture. Policy is enforced through the observation of and reaction to relevant events. The method and system of the invention diverges from past subscription-based event architectures by introducing additional infrastructure allowing significant implementation flexibility, robustness, and efficiency.

414 Citations

24 Claims

1. A method for determining and enforcing security policy in a communication session for a group of participants, the method comprising:
- providing group and local policies wherein each local policy states a set of local requirements for the session for a participant and the group policy represents a set of conditional, security-relevant requirements to support the session;
  
  generating a policy instance based on the group and local policies wherein the policy instance defines a configuration of security-related services used to implement the session and rules used for authorization and access control of participants to the session;
  
  analyzing the policy instance with respect to a set of correctness principles;
  
  distributing the policy instance to the participants; and
  
  enforcing the security policy based on the rules throughout the session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as claimed in claim 1 wherein the step of distributing includes the steps of authorizing a potential participant to participate in the session based on the rules and determining whether the potential participant has a right to view the security policy.
  - 3. The method as claimed in claim 1 wherein the step of analyzing verifies that the policy instance adheres to a set of principles defining legal construction and composition of the security policy.
  - 4. The method as claimed in claim 1 wherein the step of generating includes the step of reconciling the group and local policies to obtain the policy instance which is substantially compliant with each of the local policies and wherein the policy instance identifies relevant requirements of the session and how the relevant requirements are mapped into the configuration.
  - 5. The method as claimed in claim 1 further comprising verifying that the policy instance complies with the set of local requirements stated in the local policies.
  - 6. The method as claimed in claim 5 further comprising identifying parts of a local policy that are not compliant with the policy instance and determining modifications required to make the local policy compliant with the policy instance.
  - 7. The method as claimed in claim 5 further comprising preventing a potential participant from participating in the session if the policy instance does not comply with the set of local requirements of the potential participant.
  - 8. The method as claimed in claim 1 wherein the step of enforcing includes the steps of creating and processing events.
  - 9. The method as claimed in claim 8 wherein the step of enforcing includes delivering the events to security services via a real or software-emulated broadcast bus.
  - 10. The method as claimed in claim 8 wherein the step of creating events includes the step of translating application requests into the events.
  - 11. The method as claimed in claim 8 wherein the step of enforcing further includes the steps of creating and processing timers and messages.
  - 12. The method as claimed in claim 1 wherein the set of local requirements specifies provisioning and access control policies.

13. A system for determining and enforcing security policy in a communication session for a group of participants based on group and local policies wherein each local policy states a set of local requirements for the session for a participant and the group policy represents a set of conditional, security-relevant requirements to support the session, the system comprising:
- means for generating a policy instance based on the group and local policies wherein the policy instance defines a configuration of security-related services used to implement the session and rules used for authorization and access control of participants to the session;
  
  means for analyzing the policy instance with respect to a set of correctness principles;
  
  means for distributing the policy instance to the participants; and
  
  means for enforcing the security policy based on the rules throughout the session.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system as claimed in claim 13 wherein the means for distributing includes means for authorizing a potential participant to participate in the session based on the rules and determining whether the potential participant has a right to view the security policy.
  - 15. The system as claimed in claim 13 wherein the means for analyzing verifies that the policy instance adheres to a set of principles defining legal construction and composition of the security policy.
  - 16. The system as claimed in claim 13 wherein the means for generating includes means for reconciling the group and local policies to obtain the policy instance which is substantially compliant with each of the local policies and wherein the policy instance identifies relevant requirements of the session and how the relevant requirements are mapped into the configuration.
  - 17. The system as claimed in claim 13 further comprising means for verifying that the policy instance complies with the set of local requirements stated in the local policies.
  - 18. The system as claimed in claim 17 further comprising means for identifying parts of a local policy that are not compliant with the policy instance and determining modifications required to make the local policy compliant with the policy instance.
  - 19. The system as claimed in claim 17 further comprising means for preventing a potential participant from participating in the session if the policy instance does not comply with the set of local requirements of the potential participant.
  - 20. The system as claimed in claim 13 wherein the means for enforcing includes means for creating and processing events.
  - 21. The system as claimed in claim 20 wherein the means for enforcing includes a real or software-emulated broadcast bus to deliver the events to security services.
  - 22. The system as claimed in claim 20 wherein the means for creating events includes means for translating application requests into the events.
  - 23. The system as claimed in claim 20 wherein the means for enforcing further includes means for creating and processing timers and messages.
  - 24. The system as claimed in claim 13 wherein the set of local requirements specifies provisioning and access control policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Board of Regents of the University of Michigan (University of Michigan)
Original Assignee
Board of Regents of the University of Michigan (University of Michigan)
Inventors
McDaniel, Patrick D., Prakash, Atul

Application Number

US10/006,552
Publication Number

US 20030126464A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 12/185   with management of multicas...

H04L 63/065   for group communications cr...

H04L 63/20   for managing network securi...

Method and system for determining and enforcing security policy in a communication session

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

414 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Method and system for determining and enforcing security policy in a communication session

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

414 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others