UTILIZING VIRTUAL PRIVATE NETWORKS TO PROVIDE OBJECT LEVEL SECURITY ON A MULTI-NODE COMPUTER SYSTEM

US 20090300752A1
Filed: 05/27/2008
Published: 12/03/2009
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. A multi-node computer system comprising:

a plurality of compute nodes that each comprise a processor and memory connected by a plurality of virtual networks;

an access setup mechanism that configures access control data on the compute nodes to indicate a security class associated with a virtual network and one or more users on the multi-node computer system, and where the access control data further includes a security class attribute associated with database objects in the memory; and

an access control mechanism that controls access to the database objects over the virtual network by sending a query to a particular security class so the query is only seen by those nodes that are authorized by the equivalent security class indicated in the access control data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure herein provides data security on a parallel computer system using virtual private networks connecting the nodes of the system. A mechanism sets up access control data in the nodes that describes a number of security classes. Each security class is associated with a virtual network. Each user on the system is associated with one of the security classes. Each database object to be protected is given an attribute of a security class. Database objects are loaded into the system nodes that match the security class of the database object. When a query executes on the system, the query is sent to a particular class or set of classes such that the query is only seen by those nodes that are authorized by the equivalent security class. In this way, the network is used to isolate data from users that do not have proper authorization to access the data.

6 Citations

View as Search Results

20 Claims

1. A multi-node computer system comprising:
- a plurality of compute nodes that each comprise a processor and memory connected by a plurality of virtual networks;
  
  an access setup mechanism that configures access control data on the compute nodes to indicate a security class associated with a virtual network and one or more users on the multi-node computer system, and where the access control data further includes a security class attribute associated with database objects in the memory; and
  
  an access control mechanism that controls access to the database objects over the virtual network by sending a query to a particular security class so the query is only seen by those nodes that are authorized by the equivalent security class indicated in the access control data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The multi-node computer system of claim 1 wherein the multi-node computer system is a massively parallel computer system.
  - 3. The multi-node computer system of claim 2 wherein the access control mechanism is part of a system kernel in a compute node.
  - 4. The multi-node computer system of claim 1 wherein the access setup mechanism configures a class routing table to set up the plurality of virtual networks.
  - 5. The multi-node computer system of claim 1 wherein the access control data is selected from the following:
    - virtual network identification;
      
      security class, user, and a database object associated with a security class.
  - 6. The multi-node computer system of claim 1 wherein the database objects include a security class attribute to indicate in what security class to store the database object in the database.
  - 7. The multi-node computer system of claim 1 wherein the plurality of compute nodes are arranged in a virtual tree network and further comprising an I/O node that connects to the top of the tree network to allow the compute nodes to communicate with a service node of a massively parallel computer system.

8. A computer implemented method for data security using virtual networks in a multi-node computer system, the method comprising the steps of:
- setting up a virtual private network to make determined nodes become protected nodes by configuring access control data on the compute nodes to indicate one of a plurality of virtual networks is a virtual private network;
  
  loading a database in the multi-node computer system; and
  
  executing a query to access the database objects over the virtual network by sending a query to a particular security class so the query is only seen by those nodes that are authorized by the equivalent security class indicated in the access control data.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer implemented method of claim 8 wherein the multi-node computer system is a massively parallel computer system.
  - 10. The computer implemented method of claim 8 further comprising the steps of:
    - determining a security user class of a user from the access control data;
      
      selecting the virtual network based on the security class of the user;
      
      sending the query on the selected network; and
      
      collecting results for the query from the nodes and displaying a result to the user.
  - 11. The computer implemented method of claim 8 wherein the step of setting up the virtual private network includes configuring a class routing table to set up the plurality of virtual networks.
  - 12. The computer implemented method of claim 8 wherein the access control data is selected from the following:
    - virtual network identification;
      
      security class, user, and a database object associated with a security class.
  - 13. The computer implemented method of claim 8 wherein the database objects include a security class attribute to indicate in what security class to store the database object in the database.

14. A computer implemented method for data security using virtual networks in a massively parallel computer system, the method comprising the steps of:
- setting up a virtual private network to make determined nodes become protected nodes by configuring access control data on the compute nodes to indicate one of a plurality of virtual networks is a virtual private network, wherein the access control data includes a virtual network identification, security class, user, and a database object associated with a security class;
  
  loading a database in the multi-node computer system by performing the steps of;
  
  for each data object, perform the steps of;
  
  determine security class corresponding to the data object; and
  
  choose a node from a network associates with the determined security class;
  
  determining security class of a user;
  
  selecting the virtual network based on the security class of the user;
  
  executing a query by the user on the selected network to access the database objects over the virtual network by sending a query to a particular security class so the query is only seen by those nodes that are authorized by the equivalent security class indicated in the access control data; and
  
  collecting results for the query from the nodes and displaying a result to the user.

15. A computer-readable article of manufacture comprising:
- an access setup mechanism that configures access control data on a plurality of compute nodes in a multi-node computer system to indicate a security class associated with a virtual network and one or more users on the multi-node computer system, and where the access control data further includes a security class attribute associated with database objects in the memory;
  
  an access control mechanism that controls access to the database objects over the virtual network by sending a query to a particular security class so the query is only seen by those nodes that are authorized by the equivalent security class indicated in the access control data; and
  
  tangible computer recordable media bearing the access setup mechanism and the access control mechanism.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The article of manufacture of claim 15 wherein the access setup mechanism configures a class routing table to set up the plurality of virtual networks.
  - 17. The article of manufacture of claim 15 wherein the access control data is selected from the following:
    - virtual network identification;
      
      security class, user, and a database object associated with a security class.
  - 18. The article of manufacture of claim 15 wherein the database objects include a security class attribute to indicate in what security class to store the database object in the database.
  - 19. The article of manufacture of claim 15 wherein the access control mechanism is part of a system kernel in the compute node of a massively parallel computer system.
  - 20. The article of manufacture of claim 15 wherein the plurality of compute nodes are arranged in a virtual tree network and further comprising an I/O node that connects to the top of the tree network to allow the compute nodes to communicate with a service node of a massively parallel computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Barsness, Eric Lawrence, Santosuosso, John Matthew, Darrington, David L., Peters, Amanda

Granted Patent

US 8,424,076 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

UTILIZING VIRTUAL PRIVATE NETWORKS TO PROVIDE OBJECT LEVEL SECURITY ON A MULTI-NODE COMPUTER SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

UTILIZING VIRTUAL PRIVATE NETWORKS TO PROVIDE OBJECT LEVEL SECURITY ON A MULTI-NODE COMPUTER SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others