Framework for maintaining information security in computer networks

US 20030177376A1
Filed: 01/30/2003
Published: 09/18/2003
Est. Priority Date: 01/30/2002
Status: Abandoned Application

First Claim

Patent Images

1. A system for controlling access to information technology assets in a computer network, the system comprising:

a ticket manager server configured to generate tickets based on user data in a master database; and

a ticket manager client resident on a workstation, the client being configured to receive tickets from the ticket manager server and distribute resource data obtained from the tickets to network security modules, wherein the user data comprises at least one resource register, each resource register including;

a type field designating a specific one of the security modules;

resource data for use by the designated security module; and

an execution domain field designating an exclusive execution environment in which the designated security module can use the resource data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided for controlling access to information technology assets in a computer network. The system includes a ticket manager server configured to generate tickets based on user data in a master database. A ticket manager client, resident on a workstation, is configured to receive tickets from the ticket manager server and distribute resource data obtained from the tickets to network security modules. The user data includes resource registers, each of which has a type field designating a particular security module, resource data for use by the designated security module, and an execution domain field that exclusively designates an execution environment in which the designated security module can use the resource data.

Citations

64 Claims

1. A system for controlling access to information technology assets in a computer network, the system comprising:
- a ticket manager server configured to generate tickets based on user data in a master database; and
  
  a ticket manager client resident on a workstation, the client being configured to receive tickets from the ticket manager server and distribute resource data obtained from the tickets to network security modules, wherein the user data comprises at least one resource register, each resource register including;
  
  a type field designating a specific one of the security modules;
  
  resource data for use by the designated security module; and
  
  an execution domain field designating an exclusive execution environment in which the designated security module can use the resource data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the user data further comprises:
    - user registers, each user register corresponding to a user; and
      
      profile registers, each profile register corresponding to one or more users, wherein the system allows each user register and each profile register to be associated with one or more resource registers.
  - 3. The system of claim 1, wherein the ticket manager server generates a ticket for a user by a method comprising the steps of:
    - searching the master database for a register for the user;
      
      separating the register into resource references and profile references;
      
      adding the referenced resources to the ticket;
      
      adding the referenced profiles to a local tree; and
      
      traversing the local tree using a breadth-first search algorithm, under which the resources associated with each profile are added to the ticket starting at a first branch level of the local tree and proceeding to sub-branch levels, if any.
  - 4. The system of claim 1, wherein the designated security module is a module for providing single sign-on capability, and the resource data comprises user password data.
  - 5. The system of claim 1, wherein the designated security module is a module for establishing logical access control for information stored in the computer network, and the resource data comprises file access parameters.
  - 6. The system of claim 1, wherein the designated security module is a module for providing encrypted communication between components of the computer network, and the resource data comprises encryption configuration information.
  - 7. The system of claim 1, wherein the designated security module is a module for controlling a computer network administrative procedure by defining nodes that represent steps that are performed in the procedure, and the resource data comprises a designated type of user that is authorized to complete each node.
  - 8. The system of claim 1, wherein the designated security module is a module for controlling generation of a network log, and the resource data comprises parameters relating to criteria for logging information and users to be included in the log.
  - 9. The system of claim 1, wherein the designated security module is a module for providing content-based control over transactions in the computer network, and the resource data comprises parameters relating to criteria for network transactions that are to be controlled.

10. A system for controlling access to information technology assets in a computer network, the system comprising:
- a ticket manager server configured to generate tickets based on user data in a master database; and
  
  a ticket manager client resident on a workstation, the client being configured to receive tickets from the ticket manager server and distribute resource data obtained from the tickets to network security modules, wherein the user data comprises;
  
  at least one resource register providing resource data for use by the security modules;
  
  at least one user register, each user register corresponding to a user; and
  
  at least one profile register, each profile register corresponding to one or more users;
  
  wherein the system allows each user register and each profile register to be associated with one or more resource registers.
- View Dependent Claims (11, 12, 13)
- - 11. The system of claim 10, wherein the ticket manager server generates a ticket for a user by a method comprising the steps of:
    - searching the master database for a register for the user;
      
      separating the register into resource references and profile references;
      
      adding the referenced resources to the ticket;
      
      adding the referenced profiles to a local tree; and
      
      traversing the local tree using a breadth-first search algorithm, under which the resources associated with each profile are added to the ticket starting at a first branch level of the local tree and proceeding to sub-branch levels, if any.
  - 12. The system of claim 10, wherein each resource register comprises a type field designating a specific one of the security modules for which the resource data of the resource register is configured to be used.
  - 13. The system of claim 12, wherein each resource register further comprises an execution domain field that exclusively designates an execution environment in which the designated security module can use the resource data.

14. A system for controlling access to information technology assets in a computer network, the system comprising:
- a ticket manager server configured to generate tickets based on user data in a master database;
  
  a plurality of ticket manager clients, each resident on one of a plurality of workstations, the clients being configured to receive tickets from the ticket manager server and distribute resource data obtained from the tickets to network security modules;
  
  a plurality of local ticket manager slave databases, each resident on one of the workstations, and configured to receive a copy of each of the tickets sent to a corresponding one of the ticket manager clients; and
  
  a global ticket manager slave database configured to receive a copy of each of the tickets sent to the ticket manager clients.
- View Dependent Claims (15)
- - 15. The system of claim 14, further comprising a mirror ticket manager server configured to generate tickets based on user data in a mirror database that is periodically copied from the master database of the ticket manager server.

16. A system for controlling access to information technology assets in a computer network, the system comprising:
- means for generating tickets based on user data in a master database of a ticket manager server, the user data including resource registers, each resource register including a type field designating a specific one of the security modules and resource data for use by the designated security module;
  
  means for sending tickets from the ticket manager server to a ticket manager client resident on a workstation;
  
  means for distributing resource data obtained from the tickets to network security modules; and
  
  means for designating an exclusive execution domain field that defines an execution environment in which the designated security module can use the resource data.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, wherein the user data further includes user registers that each correspond to a user and profile registers that each correspond to one or more users, the method further comprising the step of associating each user register and each profile register with one or more resource registers.
  - 18. The system of claim 16, further comprising:
    - means for searching the master database of the ticket manager server for a user register for the user;
      
      means for separating the user register into resource references and profile references;
      
      means for adding the referenced resources to the ticket;
      
      means for adding the referenced profiles to a local tree; and
      
      means for traversing the local tree using a breadth-first search algorithm, under which the resources associated with each profile are added to the ticket starting at a first branch level of the local tree and proceeding to sub-branch levels, if any.

19. A system for controlling access to information technology assets in a computer network, the system comprising:
- means for generating tickets based on user data in a master database of a ticket manager server, the user data including resource registers providing resource data for use by the security modules, user registers that each correspond to a user, and profile registers that each correspond to one or more users;
  
  means for sending tickets from the ticket manager server to a ticket manager client resident on a workstation;
  
  means for distributing resource data obtained from the tickets to network security modules; and
  
  means for associating each user register and each profile register with one or more resource registers.
- View Dependent Claims (20, 21, 22)
- - 20. The system of claim 19, further comprising:
    - means for searching the master database of the ticket manager server for a user register for the user;
      
      means for separating the user register into resource references and profile references;
      
      means for adding the referenced resources to the ticket;
      
      means for adding the referenced profiles to a local tree; and
      
      means for traversing the local tree using a breadth-first search algorithm, under which the resources associated with each profile are added to the ticket starting at a first branch level of the local tree and proceeding to sub-branch levels, if any.
  - 21. The system of claim 19, wherein each resource register comprises a type field designating a specific one of the security modules for which the resource data of the resource register is configured to be used.
  - 22. The system of claim 19, wherein each resource register further comprises an execution domain field that exclusively designates an execution environment in which the designated security module can use the resource data.

23. Computer code for controlling access to information technology assets in a computer network, the computer code comprising:
- code for generating tickets based on user data in a master database of a ticket manager server, the user data including resource registers, each resource register including a type field designating one of the security modules and resource data for use by the designated security module;
  
  code for sending tickets from the ticket manager server to a ticket manager client resident on a workstation;
  
  code for distributing resource data obtained from the tickets to network security modules; and
  
  code for designating an exclusive execution domain field that defines an execution environment in which the designated security module can use the resource data.
- View Dependent Claims (24, 46)
- - 24. The computer code of claim 23, wherein the user data further includes user registers that each correspond to a user and profile registers that each correspond to one or more users, the computer code further comprising code for associating each user register and each profile register with one or more resource registers.
  - 46. The computer code of claim 23, further comprising:
    - code for searching the master database of the ticket manager server for a user register for the user;
      
      code for separating the user register into resource references and profile references;
      
      code for adding the referenced resources to the ticket;
      
      code for adding the referenced profiles to a local tree; and
      
      code for traversing the local tree using a breadth-first search algorithm, under which the resources associated with each profile are added to the ticket starting at a first branch level of the local tree and proceeding to sub-branch levels, if any.

25. A method for controlling access to information technology assets in a computer network, the method comprising the steps of:
- generating tickets based on user data in a master database of a ticket manager server, the user data including resource registers, each resource register including a type field designating a specific one of the security modules and resource data for use by the designated security module;
  
  sending tickets from the ticket manager server to a ticket manager client resident on a workstation;
  
  distributing resource data obtained from the tickets to network security modules; and
  
  designating an exclusive execution domain field that defines an execution environment in which the designated security module can use the resource data.
- View Dependent Claims (26, 27)
- - 26. The method of claim 25, wherein the user data further includes user registers that each correspond to a user and profile registers that each correspond to one or more users, the method further comprising the step of associating each user register and each profile register with one or more resource registers.
  - 27. The method of claim 25, further comprising the steps of:
    - searching the master database of the ticket manager server for a user register for the user;
      
      separating the user register into resource references and profile references;
      
      adding the referenced resources to the ticket;
      
      adding the referenced profiles to a local tree; and
      
      traversing the local tree using a breadth-first search algorithm, under which the resources associated with each profile are added to the ticket starting at a first branch level of the local tree and proceeding to sub-branch levels, if any.

28. A method for controlling access to information technology assets in a computer network, the method comprising the steps of:
- generating tickets based on user data in a master database of a ticket manager server, the user data including resource registers providing resource data for use by the security modules, user registers that each correspond to a user, and profile registers that each correspond to one or more users;
  
  sending tickets from the ticket manager server to a ticket manager client resident on a workstation;
  
  distributing resource data obtained from the tickets to network security modules; and
  
  associating each user register and each profile register with one or more resource registers.
- View Dependent Claims (29, 30, 31)
- - 29. The method of claim 28, further comprising the steps of:
    - searching the master database of the ticket manager server for a user register for the user;
      
      separating the user register into resource references and profile references;
      
      adding the referenced resources to the ticket;
      
      adding the referenced profiles to a local tree; and
      
      traversing the local tree using a breadth-first search algorithm, under which the resources associated with each profile are added to the ticket starting at a first branch level of the local tree and proceeding to sub-branch levels, if any.
  - 30. The method of claim 28, wherein each resource register comprises a type field designating a specific one of the security modules for which the resource data of the resource register is configured to be used.
  - 31. The method of claim 28, wherein each resource register further comprises an execution domain field that exclusively designates an execution environment in which the designated security module can use the resource data.

32. A method for controlling access to information technology assets in a computer network, the method comprising the steps of:
- generating tickets based on user data in a master database of a ticket manager server;
  
  sending tickets from the ticket manager server to a plurality of ticket manager clients, each resident on one of a plurality of workstations, distributing resource data obtained from the tickets to network security modules;
  
  receiving a copy of each of the tickets sent to each of the ticket manager clients in a corresponding local ticket manager slave database resident on the workstation; and
  
  receiving, in a global ticket manager slave database, a copy of each of the tickets sent to the ticket manager clients.
- View Dependent Claims (33)
- - 33. The method of claim 32, further comprising the step of generating tickets in a mirror ticket manager server based on user data in a mirror database that is periodically copied from the master database of the ticket manager server.

34. A method for controlling access to information technology assets in a computer network, the method comprising the steps of:
- receiving a ticket request at a ticket manager server, the ticket manager server having user data in a master database;
  
  creating a ticket for the user containing resource data for use by network security modules;
  
  retrieving from the master database a user register corresponding to the user;
  
  determining whether the user register refers to any resource registers;
  
  if the user register refers to any resource registers, retrieving the referenced resource registers from the master database and adding any resource data in the retrieved resource registers to the ticket; and
  
  outputting the ticket from the ticket manager server in accordance with the ticket request.
- View Dependent Claims (35, 36)
- - 35. The method of claim 34, further comprising the steps of:
    - determining whether the user register refers to any profile registers;
      
      if the user register refers to any profile registers, retrieving the referenced profile registers from the master database;
      
      determining whether each of the referenced profile registers refers to any resource registers; and
      
      retrieving the resource registers referenced by the profile registers from the master database and adding any resource data in the retrieved resource registers referenced by the profile registers to the ticket.
  - 36. The method of claim 35, further comprising the steps of:
    - determining whether each of the referenced profile registers refers to any sub-profile registers;
      
      if the profile registers refer to any sub-profile registers, retrieving the sub-profile registers from the master database;
      
      determining whether each of the referenced sub-profile registers refers to any resource registers; and
      
      retrieving the resource registers referenced by the sub-profile registers from the master database and adding any resource data in the retrieved resource registers referenced by the sub-profile registers to the ticket.

37. A method for controlling access to information technology assets in a computer network, the method comprising the steps of:
- requesting a ticket from a ticket manager server;
  
  generating a ticket by retrieving from a master database a user register corresponding to a user, retrieving any referenced resource registers, and adding any resource data in the retrieved resource registers to the ticket;
  
  sending the ticket to a ticket manager client in a workstation; and
  
  retrieving the resource data from the ticket and distributing the resource data to network security modules.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45)
- - 38. The method of claim 37, further comprising the steps of:
    - adding updated resource data to the ticket in the ticket manager client;
      
      sending the updated ticket to the ticket manager server; and
      
      retrieving the updated resource data from the ticket and storing the updated resource data in the master database.
  - 39. The method of claim 37, further comprising the steps of:
    - digitally signing the ticket after generating the ticket; and
      
      authenticating the ticket after the ticket is received by the ticket manager client.
  - 40. The method of claim 37, wherein one of the security modules provides single sign-on capability, and the resource data comprises user password data.
  - 41. The method of claim 37, wherein one of the security modules establishes logical access control for information stored in the computer network, and the resource data comprises file access parameters.
  - 42. The method of claim 37, wherein one of the security modules provides encrypted communication between components of the computer network, and the resource data comprises encryption configuration information.
  - 43. The method of claim 37, wherein one of the security module controls a computer network administrative procedure by defining nodes that represent steps that are performed in the procedure, and the resource data comprises a designated type of user that is authorized to complete each node.
  - 44. The method of claim 37, wherein the designated security module is a module for controlling generation of a network log, and the resource data comprises parameters relating to criteria for logging information and users to be included in the log.
  - 45. The method of claim 37, wherein the designated security module is a module for providing content-based control over transactions in the computer network, and the resource data comprises parameters relating to criteria for network transactions that are to be controlled.

47. Computer code for controlling access to information technology assets in a computer network, the computer code comprising:
- code for generating tickets based on user data in a master database of a ticket manager server, the user data including resource registers providing resource data for use by the security modules, user registers that each correspond to a user, and profile registers that each correspond to one or more users;
  
  code for sending tickets from the ticket manager server to a ticket manager client resident on a workstation;
  
  code for distributing resource data obtained from the tickets to network security modules; and
  
  code for associating each user register and each profile register with one or more resource registers.
- View Dependent Claims (48, 49, 50)
- - 48. The computer code of claim 47, further comprising:
    - code for searching the master database of the ticket manager server for a user register for the user;
      
      code for separating the user register into resource references and profile references;
      
      code for adding the referenced resources to the ticket;
      
      code for adding the referenced profiles to a local tree; and
      
      code for traversing the local tree using a breadth-first search algorithm, under which the resources associated with each profile are added to the ticket starting at a first branch level of the local tree and proceeding to sub-branch levels, if any.
  - 49. The computer code of claim 47, wherein each resource register comprises a type field designating a specific one of the security modules for which the resource data of the resource register is configured to be used.
  - 50. The computer code of claim 47, wherein each resource register further comprises an execution domain field that exclusively designates an execution environment in which the designated security module can use the resource data.

51. Computer code for controlling access to information technology assets in a computer network, the computer code comprising:
- code for generating tickets based on user data in a master database of a ticket manager server;
  
  code for sending tickets from the ticket manager server to a plurality of ticket manager clients, each resident on one of a plurality of workstations, code for distributing resource data obtained from the tickets to network security modules;
  
  code for receiving a copy of each of the tickets sent to each of the ticket manager clients in a corresponding local ticket manager slave database resident on the workstation; and
  
  code for receiving, in a global ticket manager slave database, a copy of each of the tickets sent to the ticket manager clients.
- View Dependent Claims (52)
- - 52. The computer code of claim 51, further comprising code for generating tickets in a mirror ticket manager server based on user data in a mirror database that is periodically copied from the master database of the ticket manager server.

53. Computer code for controlling access to information technology assets in a computer network, the computer code comprising:
- code for receiving a ticket request at a ticket manager server, the ticket manager server having user data in a master database;
  
  code for creating a ticket for the user containing resource data for use by network security modules;
  
  code for retrieving from the master database a user register corresponding to the user;
  
  code for determining whether the user register refers to any resource registers;
  
  code for, if the user register refers to any resource registers, retrieving the referenced resource registers from the master database and adding any resource data in the retrieved resource registers to the ticket; and
  
  code for outputting the ticket from the ticket manager server in accordance with the ticket request.
- View Dependent Claims (54, 55)
- - 54. The computer code of claim 53, further comprising:
    - code for determining whether the user register refers to any profile registers;
      
      code for, if the user register refers to any profile registers, retrieving the referenced profile registers from the master database;
      
      code for determining whether each of the referenced profile registers refers to any resource registers; and
      
      code for retrieving the resource registers referenced by the profile registers from the master database and adding any resource data in the retrieved resource registers referenced by the profile registers to the ticket.
  - 55. The computer code of claim 54, further comprising:
    - code for determining whether each of the referenced profile registers refers to any sub-profile registers;
      
      code for, if the profile registers refer to any sub-profile registers, retrieving the sub-profile registers from the master database;
      
      code for determining whether each of the referenced sub-profile registers refers to any resource registers; and
      
      code for retrieving the resource registers referenced by the sub-profile registers from the master database and adding any resource data in the retrieved resource registers referenced by the sub-profile registers to the ticket.

56. Computer code for controlling access to information technology assets in a computer network, the computer code comprising:
- code for requesting a ticket from a ticket manager server;
  
  code for generating a ticket by retrieving from a master database a user register corresponding to a user, retrieving any referenced resource registers, and adding any resource data in the retrieved resource registers to the ticket;
  
  code for sending the ticket to a ticket manager client in a workstation; and
  
  code for retrieving the resource data from the ticket and distributing the resource data to network security modules.
- View Dependent Claims (57, 58, 59, 60, 61, 62, 63, 64)
- - 57. The computer code of claim 56, further comprising:
    - code for adding updated resource data to the ticket in the ticket manager client;
      
      code for sending the updated ticket to the ticket manager server; and
      
      code for retrieving the updated resource data from the ticket and storing the updated resource data in the master database.
  - 58. The computer code of claim 56, further comprising:
    - code for digitally signing the ticket after generating the ticket; and
      
      code for authenticating the ticket after the ticket is received by the ticket manager client.
  - 59. The computer code of claim 56, wherein one of the security modules provides single sign-on capability, and the resource data comprises user password data.
  - 60. The computer code of claim 56, wherein one of the security modules establishes logical access control for information stored in the computer network, and the resource data comprises file access parameters.
  - 61. The computer code of claim 56, wherein one of the security modules provides encrypted communication between components of the computer network, and the resource data comprises encryption configuration information.
  - 62. The computer code of claim 56, wherein one of the security module controls a computer network administrative procedure by defining nodes that represent steps that are performed in the procedure, and the resource data comprises a designated type of user that is authorized to complete each node.
  - 63. The computer code of claim 56, wherein the designated security module is a module for controlling generation of a network log, and the resource data comprises parameters relating to criteria for logging information and users to be included in the log.
  - 64. The computer code of claim 56, wherein the designated security module is a module for providing content-based control over transactions in the computer network, and the resource data comprises parameters relating to criteria for network transactions that are to be controlled.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Core SDI, Inc.
Original Assignee
Core SDI, Inc.
Inventors
Arce Velleggia, Ivan Francisco Fernando, Ochoa, Carlos Hernan, Kargieman, Emiliano, Futoransky, Ariel, Richarte, Gerardo Gabriel

Application Number

US10/354,568
Publication Number

US 20030177376A1
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/33 using certificates

Framework for maintaining information security in computer networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

64 Claims

Specification

Solutions

Use Cases

Quick Links

Framework for maintaining information security in computer networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

64 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links