Locally adaptable central security management in a heterogeneous network environment

US 20080066151A1
Filed: 10/31/2007
Published: 03/13/2008
Est. Priority Date: 12/02/1999
Status: Active Grant

First Claim

Patent Images

1. In a system having a workflow management system and a central policy management system, a computer-implemented method of controlling workflow, comprising:

creating a workflow class definition;

exporting the workflow class definition to the central policy management system;

binding resources and roles to steps within the central policy management system;

creating a workflow instance in both the workflow management system and the central policy management system; and

executing the workflow instance within a computer.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for defining and enforcing a security policy. Security mechanism application specific information for each security mechanism is encapsulated as a key and exported to a semantic layer. Keys are combined to form key chains within the semantic layer. The key chains are in turn encapsulated as keys and passed to another semantic layer. A security policy is defined by forming key chains from keys and associating users with the key chains. The security policy is translated and exported to the security mechanisms. The security policy is then enforced via the security mechanisms.

71 Citations

View as Search Results

22 Claims

1. In a system having a workflow management system and a central policy management system, a computer-implemented method of controlling workflow, comprising:
- creating a workflow class definition;
  
  exporting the workflow class definition to the central policy management system;
  
  binding resources and roles to steps within the central policy management system;
  
  creating a workflow instance in both the workflow management system and the central policy management system; and
  
  executing the workflow instance within a computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein creating a workflow class definition includes creating an access control policy for the workflow class, and wherein binding resources and roles to steps within the central policy management system includes:
    - encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism;
      
      combining keys to form key chains; and
      
      associating workflow steps with the key chains.
  - 3. The method of claim 2, wherein binding resources and roles to steps within the central policy management system includes:
    - importing a key chain from a first semantic layer to a local access policy layer; and
      
      enforcing the access control policy on the computer via the security mechanisms.
  - 4. The method of claim 3, including encapsulating key chains as keys and passing the key chain keys from a second semantic layer to the first semantic layer.
  - 5. The method of claim 1, wherein creating a workflow instance includes determining an appropriate workflow in response to a triggering event and generating the appropriate workflow instance in both the workflow management system and the central policy management system.
  - 6. The method of claim 5, wherein creating a workflow instance includes:
    - generating a workflow instance policy that identifies specific objects that can be accessed and specific users that may access the objects; and
      
      storing the workflow instance policy in the workflow management system.
  - 7. The method of claim 1, wherein executing the workflow instance includes activating a workflow step according to the workflow management system and granting access control for the workflow step according to the central policy management system.
  - 8. The method of claim 7, wherein executing the workflow instance includes deactivating a workflow step according to the workflow management system and revoking access control for the workflow step according to the central policy management system.

9. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method comprising:
- creating a workflow class definition;
  
  exporting the workflow class definition to the central policy management system;
  
  binding resources and roles to steps within the central policy management system;
  
  creating a workflow instance in both the workflow management system and the central policy management system; and
  
  executing the workflow instance.
- View Dependent Claims (10)
- - 10. The article of claim 9, further including instruction which, when executed on the computer, create a system for executing the method further including:
    - encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism;
      
      combining keys to form key chains;
      
      associating workflow steps with the key chains;
      
      importing a key chain from a first semantic layer to a local access policy layer; and
      
      enforcing the access control policy on the computer via the security mechanisms.

11. A workflow control system, comprising:
- a workflow management system; and
  
  a central policy management system;
  
  wherein the workflow management system is configured to create a workflow class definition and export the workflow class definition to the central policy management system; and
  
  wherein the central policy management system is configured to bind resources and roles to workflow steps.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, wherein the central policy management system is configured to:
    - encapsulate security mechanism application specific information for each security mechanism, including forming a key for each security mechanism;
      
      combine keys into key chains;
      
      associate workflow steps with the key chains; and
      
      assign roles to the workflow steps.
  - 13. The system of claim 12, wherein the central policy management system is configured to:
    - import a key chain from a first semantic layer to a local access policy layer; and
      
      enforce the local access policy via the security mechanisms.
  - 14. The system of claim 13, wherein the central policy management system is configured to encapsulate key chains as keys and pass the key chain keys from a second semantic layer to the first semantic layer.
  - 15. The system of claim 11, wherein the workflow management system is configured to:
    - receive a trigger for workflow;
      
      determine an appropriate workflow in response to the trigger; and
      
      generate an instance of the appropriate workflow in both the workflow management system and the central policy management system.
  - 16. The system of claim 15, wherein the workflow management system is configured to:
    - generate a workflow instance policy that identifies specific objects that can be accessed and identifies specific users that may access the objects; and
      
      store the workflow instance policy in a memory of the workflow management system.
  - 17. The system of claim 11, wherein the workflow management system is configured to activate a workflow step to execute a workflow instance, and wherein the central policy management system is configured to grant access control for the workflow step.
  - 18. The system of claim 11, wherein the workflow management system is configured to deactivate a workflow step, and wherein the central policy management system is configured to revoke access control for the workflow step when the workflow is completed.

19. An apparatus comprising:
- a network interface; and
  
  a processing unit communicatively coupled to the interface, wherein the processing unit is configured to implement a workflow manager that creates a workflow class definition and exports the workflow class definition to a remote central policy management system that is configured to bind resources and roles to workflow steps.
- View Dependent Claims (20, 21, 22)
- - 20. The apparatus of claim 19, including a memory coupled to the processing unit, wherein the processing unit is configured to:
    - generate a workflow instance that includes a workflow instance policy that identifies specific objects that can be accessed and specific users that may access the objects;
      
      store the workflow instance policy in the memory; and
      
      activate a workflow step according to the workflow instance, wherein access to a resource needed for the workflow step is granted by the central policy management system.
  - 21. The apparatus of claim 19, including an input configured to receive a trigger for workflow, and wherein the processing unit is configured to:
    - determine an appropriate workflow in response to the trigger;
      
      generate a workflow instance of the appropriate workflow; and
      
      export the workflow instance to the central policy management system.
  - 22. The apparatus of claim 21, wherein the processing unit is configured to:
    - activate a workflow step according to the triggered workflow, wherein access to a resource needed for the workflow step is granted by the central policy management system;
      
      deactivate the workflow step when the workflow step is completed, wherein the central policy management system is configured to revoke the access to the resource, and activate a subsequent workflow step according to the workflow instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
O'Brien, Richard, Payne, Charles, Bogle, Jessica, Thomsen, Daniel

Granted Patent

US 8,181,222 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/0263   Rule management

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Locally adaptable central security management in a heterogeneous network environment

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Locally adaptable central security management in a heterogeneous network environment

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links