POLICY DIRECTED SECURITY-CENTRIC MODEL DRIVEN ARCHITECTURE TO SECURE CLIENT AND CLOUD HOSTED WEB SERVICE ENABLED PROCESSES

US 20110131275A1
Filed: 05/12/2010
Published: 06/02/2011
Est. Priority Date: 12/02/2009
Status: Active Grant

First Claim

Patent Images

1. A system of securing a cloud computing or service-oriented architecture automated business process of internal and external hosted web services, said web services exchanging web service messages, said system comprising:

a plurality of data dictionary engines;

a security-centric model driven architecture that is instantiated by a hierarchical class tree of security policy object class information and enterprise business object class information, wherein the security policy object class information comprises a tree hierarchy structure of security model objects representing security policy and said tree hierarchy structure comprises a plurality of security profile objects stored throughout a plurality of data dictionary engines, and wherein the enterprise business object class information comprises a tree hierarchy structure of business process model objects representing a prescribed operation of the secured automated business process and comprising a plurality of enterprise business objects stored throughout the plurality of data dictionary engines;

wherein each security profile object comprises a data security profile, a service security profile, and a user security profile, and each web service message is assigned a data security profile identifying scope, ownerships, and allowed/disallowed actions, each web service defined has a service security profile to establish how such web service is regulated, and each defined user entity has an associated user security profile identifying roles, responsibilities, and privileges;

wherein each enterprise business object describes a component datum or interoperation of the automated business process being secured;

wherein each data dictionary engine is associated with a plurality of web security services, each data dictionary engine containing at least one instance of a metadata repository containing a subset of the plurality of security profile objects and enterprise business objects, and said data dictionary engines communicating with each other to exchange information and functionality as defined by the security-centric model driven architecture; and

wherein said data dictionary engines and metadata repositories are executed on a computer network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy directed, security-centric model driven architecture is described to secure internal web services, such as those implementing service-oriented architecture (SOA), and external web services such as those hosted on a cloud computing platform. A distributed data dictionary hosted across multiple dictionary engines and operating in conjunction with web security services are used to embed security profiles in web services messages and to validate messages that contain such security profiles.

167 Citations

16 Claims

1. A system of securing a cloud computing or service-oriented architecture automated business process of internal and external hosted web services, said web services exchanging web service messages, said system comprising:
- a plurality of data dictionary engines;
  
  a security-centric model driven architecture that is instantiated by a hierarchical class tree of security policy object class information and enterprise business object class information, wherein the security policy object class information comprises a tree hierarchy structure of security model objects representing security policy and said tree hierarchy structure comprises a plurality of security profile objects stored throughout a plurality of data dictionary engines, and wherein the enterprise business object class information comprises a tree hierarchy structure of business process model objects representing a prescribed operation of the secured automated business process and comprising a plurality of enterprise business objects stored throughout the plurality of data dictionary engines;
  
  wherein each security profile object comprises a data security profile, a service security profile, and a user security profile, and each web service message is assigned a data security profile identifying scope, ownerships, and allowed/disallowed actions, each web service defined has a service security profile to establish how such web service is regulated, and each defined user entity has an associated user security profile identifying roles, responsibilities, and privileges;
  
  wherein each enterprise business object describes a component datum or interoperation of the automated business process being secured;
  
  wherein each data dictionary engine is associated with a plurality of web security services, each data dictionary engine containing at least one instance of a metadata repository containing a subset of the plurality of security profile objects and enterprise business objects, and said data dictionary engines communicating with each other to exchange information and functionality as defined by the security-centric model driven architecture; and
  
  wherein said data dictionary engines and metadata repositories are executed on a computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1 wherein each web security service extracts at least one security profile object from an associated data dictionary engine and adds said extracted security profile object to an outgoing web service message.
  - 3. The system of claim 2 wherein each web security service also receives an incoming web service message and validates the message by comparing a security profile object embedded in the message to an associated security profile object contained in the data dictionary engine associated with the receiving web service.
  - 4. The system of claim 1 wherein said hierarchical class tree comprises (1) an absolute root node from which all hierarchical class tree branches emanate, (2) a system-based security policy level containing a plurality of system-based security policy object classes and a plurality of enterprise business object classes, and (3) a client-based security policy level containing a plurality of client-based security policy object classes, a plurality of security policy object instances, a plurality of enterprise business object classes, and a plurality of enterprise business object instances.
  - 5. The system of claim 4 further comprising a system security policy hierarchy that comprises a system-based security policy level tree branch from, but not including, the absolute root node to, but not including, the client-based security policy level of a first cloud hosting service provider, wherein said system-based security policy level tree branch is exported to a second cloud hosting service provider, and wherein at the second cloud hosting service provider, the imported branch is the system security policy hierarchy component of the security model for a client'"'"'s web services enabled process, and the exported system-based security policy level tree branch can include one or a plurality of third-party tree segments that did not belong to the first cloud hosting service provider.
  - 6. The system of claim 5 wherein migration control of third party tree segments is maintained by the contributing third-party such that the second cloud hosting service provider has visibility to the third-party tree segments of the system-based security policy level tree branch of the first cloud hosting service provider, but only the first cloud hosting service provider'"'"'s data is exported, and wherein a third party exports its system-based security policy level tree branch hierarchy.
  - 7. The system of claim 5, wherein the import and export of hierarchical tree branches between data dictionaries allows secure client process web services messaging, and wherein for a web service message security profile that does not exist or is invalid in the security policy hierarchy, the web security service invokes an exception.

8. A method, comprising:
- an invoking client process web service generating a message;
  
  the invoking client process web service causing a source web security service to be invoked for the message;
  
  the invoking client process web service sending the message with embedded security profile to the invoked client process web service;
  
  the invoked client process web service causing a destination web security service to be invoked for the message; and
  
  the invoked client process web service processing the message returned by the destination web security service;
  
  wherein said invoking and invoked client process web services execute on a computer network.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, wherein, the source web security service queries an associated data dictionary instance for a reference model security profile that aligns with the message, user entity, and destination invoked client process web service.
  - 10. The method of claim 9 wherein if no aligning reference model security profile is found for the message, user entity, and destination invoked client process web service, performing, by the source web security service, exception processing.
  - 11. The method of claim 10 wherein exception processing includes precluding the message from being sent to the invoked client process web service.
  - 12. The method of claim 9 wherein if an aligned reference model security profile is found for the message, user entity, and destination invoked client process web service, the source web security service embedding the located reference model security profile into the message and returning the message to the invoking client process web service.
  - 13. The method of claim 8 further comprising the destination web security services querying its associated data dictionary instance for a security model security profile that aligns with the reference model security profile embedded in the message.
  - 14. The method of claim 13, further comprising if no aligned security model security profile is found for message embedded security profile, the destination web security service performing exception processing.
  - 15. The method of claim 14 wherein exception processing includes precluding the message from being returned to the invoked client process web service.
  - 16. The method of claim 13 further comprising, if the message embedded security profile does align with a security model security profile, removing the embedded security profile from the message and returning the message to the invoked client process web service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Metasecure Corporation
Original Assignee
Metasecure Corporation
Inventors
ENGLE, Steven E., NIEVES, Michael J., MAIDA-SMITH, Kathy J.

Granted Patent

US 9,037,711 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/204
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 63/0281   Proxies

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/306   User profiles

H04L 67/51   Discovery or management the...

POLICY DIRECTED SECURITY-CENTRIC MODEL DRIVEN ARCHITECTURE TO SECURE CLIENT AND CLOUD HOSTED WEB SERVICE ENABLED PROCESSES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

167 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

POLICY DIRECTED SECURITY-CENTRIC MODEL DRIVEN ARCHITECTURE TO SECURE CLIENT AND CLOUD HOSTED WEB SERVICE ENABLED PROCESSES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others