Authorizing Information Flows
First Claim
1. A method, in a data processing system, for authorizing information flows between devices of the data processing system, the method comprising:
receiving an information flow request from a first device to authorize an information flow from the first device to a second device, wherein the information flow request includes an identifier of the second device;
retrieving, based on an identification of the first device and the identifier of the second device, security information identifying an authorization level of the first device and second device;
determining a sensitivity of an information object that is to be transferred in the information flow; and
authorizing or denying the information flow based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.
Abstract
Authorizing information flows between devices of a data processing system is provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.
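The decision described in the abstract can be sketched as a small reference monitor. This is an added example, not code from the patent; the level names, the sample devices and objects, and the rule that both devices' authorization levels must be at least the object's sensitivity are assumptions, since the abstract does not state how the levels are compared.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Constructed ordering; the page names no concrete levels.
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


@dataclass(frozen=True)
class FlowRequest:
    source_id: str   # identification of the first device
    target_id: str   # identifier of the second device, carried in the request
    object_id: str   # information object to be transferred
    action: str      # recorded for audit only; never consulted for the decision


class ReferenceMonitor:
    def __init__(self, device_levels, object_sensitivity):
        self._devices = dict(device_levels)      # security information store
        self._objects = dict(object_sensitivity)
        self.audit = []

    def authorize(self, req: FlowRequest) -> bool:
        src = self._devices.get(req.source_id)
        dst = self._devices.get(req.target_id)
        # Unlabelled objects are treated as the most sensitive level (fail closed).
        sens = self._objects.get(req.object_id, max(Level))
        # Assumed rule: both endpoints must be cleared for the object.
        # A device with no stored security information is denied.
        allowed = src is not None and dst is not None and min(src, dst) >= sens
        self.audit.append((req, allowed))
        return allowed


# Constructed sample data (hypothetical device and object names).
MONITOR = ReferenceMonitor(
    {"hr-db": Level.SECRET, "payroll": Level.SECRET, "kiosk": Level.PUBLIC},
    {"salary.csv": Level.SECRET, "menu.txt": Level.PUBLIC},
)


def decide(source, target, obj, action="read"):
    return MONITOR.authorize(FlowRequest(source, target, obj, action))
```

Because `action` never enters the comparison, the same source, target and object produce the same decision whether the request is a read, a write or a delete.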
38 Claims
1. A method, in a data processing system, for authorizing information flows between devices of the data processing system, the method comprising:
receiving an information flow request from a first device to authorize an information flow from the first device to a second device, wherein the information flow request includes an identifier of the second device;
retrieving, based on an identification of the first device and the identifier of the second device, security information identifying an authorization level of the first device and second device;
determining a sensitivity of an information object that is to be transferred in the information flow; and
authorizing or denying the information flow based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.
13. A computer program product comprising a computer usable medium including a computer readable program, wherein the computer readable program, when executed on a computing device, causes the computing device to:
receive an information flow request from a first device to authorize an information flow from the first device to a second device, wherein the information flow request includes an identifier of the second device;
retrieve, based on an identification of the first device and the identifier of the second device, security information identifying an authorization level of the first device and second device;
determine a sensitivity of an information object that is to be transferred in the information flow; and
authorize or deny the information flow based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.
14-15. (canceled)
18. (canceled)
20. (canceled)
22-24. (canceled)
25. An apparatus for authorizing information flows between devices of a data processing system, comprising:
a communication manager having a listener for listening for information flow requests from devices of the data processing system;
an information flow mediator coupled to the communication manager for determining whether an information flow is to be authorized or denied; and
a security information storage device coupled to the information flow mediator that stores security information for devices of the data processing system, wherein:
the communication manager receives an information flow request from a first device to authorize an information flow from the first device to a second device, wherein the information flow request includes an identifier of the second device,
the information flow mediator retrieves, based on an identification of the first device and the identifier of the second device, security information, from the security information storage device, identifying an authorization level of the first device and second device,
the information flow mediator determines a sensitivity of an information object that is to be transferred in the information flow, and
the information flow mediator authorizes or denies the information flow based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.
26-27. (canceled)
30. (canceled)
32. (canceled)
34-35. (canceled)
36. A data processing system for authorizing information flows between devices, comprising:
a first computing device in a first partition of the data processing system, wherein the first computing device has a source element for communicating information to a target element;
a second computing device in a second partition of the data processing system, wherein the second computing device has the target element; and
a reference monitor, coupled to the first computing device and the second computing device, that monitors information flows between the first partition and the second partition, wherein the reference monitor:
receives an information flow request from the first computing device to authorize an information flow from the source element to the target element, wherein the information flow request includes an identifier of the target element,
retrieves, based on an identification of the source element and the identifier of the target element, security information identifying an authorization level of the source element and target element,
determines a sensitivity of an information object that is to be transferred in the information flow, and
authorizes or denies the information flow based only on the sensitivity of the information object and the authorization level of the source element and target element irregardless of the particular action being performed on the information object as part of the information flow.
38. A computing device, comprising:
a processor; and
a memory, wherein the memory contains instructions which, when executed by the processor, cause the processor to:
receive an information flow request from a first device to authorize an information flow from the first device to a second device, wherein the information flow request includes an identifier of the second device;
retrieve, based on an identification of the first device and the identifier of the second device, security information identifying an authorization level of the first device and second device;
determine a sensitivity of an information object that is to be transferred in the information flow; and
authorize or deny the information flow based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.
Specification