AUTOMATED SECURITY ANALYSIS FOR FEDERATED RELATIONSHIP

US 20110239269A1
Filed: 03/24/2010
Published: 09/29/2011
Est. Priority Date: 03/24/2010
Status: Active Grant

First Claim

Patent Images

1. A method performed on a computer processor, said method comprising:

receiving first security descriptors conforming to a security schema, said first security descriptors being received from a recipient domain in a proposed federation;

comparing said first security descriptors to a provider federation policy to create a federation access policy, said provider federation policy being defined for a provider domain, said federation access policy comprising at least common security access definitions between said first security descriptors and said provider federation policy;

creating a shared repository conforming to said federation access policy; and

permitting access to said shared repository for users from said recipient domain and said provider domain.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer monitoring system uses a set of parameterized models to gather information about monitored devices. The models include scripts for gathering information, as well as type validation and data validation functions. The parameters within the model are used to generate user interface prompts and to populate discovery scripts as well as data validation scripts. In some cases, the models may include localization settings that may customize the user interface and validation output for different languages. A processing engine may generate a user interface from the parameters defined in the models, customize the scripts from the user input, and cause the scripts to be executed. The data gathered by the scripts may be analyzed using type validation and data validation.

32 Citations

View as Search Results

20 Claims

1. A method performed on a computer processor, said method comprising:
- receiving first security descriptors conforming to a security schema, said first security descriptors being received from a recipient domain in a proposed federation;
  
  comparing said first security descriptors to a provider federation policy to create a federation access policy, said provider federation policy being defined for a provider domain, said federation access policy comprising at least common security access definitions between said first security descriptors and said provider federation policy;
  
  creating a shared repository conforming to said federation access policy; and
  
  permitting access to said shared repository for users from said recipient domain and said provider domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - receiving provider security descriptors conforming to said security schema, said provider security descriptors describing security components in said provider domain.
  - 3. The method of claim 2 further comprising:
    - identifying a first set of differences between said provider security descriptors and said federation access policy; and
      
      configuring an input filter on said shared repository, said input filter comprising at least a portion of said set of differences and being configured to restrict access to said shared repository for documents from said provider domain having a more stringent security classification than said federation access policy.
  - 4. The method of claim 3, said input filter being configured to modify said documents from said provider domain to conform to said federation access policy.
  - 5. The method of claim 4, said modify comprising removing at least one item from said documents.
  - 6. The method of claim 2 further comprising:
    - identifying a first set of differences between said provider security descriptors and said federation access policy; and
      
      configuring an output filter on said shared repository, said output filter comprising at least a portion of said set of differences and being configured to restrict document removal from said shared repository for documents having a more stringent security classification than said first security descriptors.
  - 7. The method of claim 6, said output filter allowing a user from said recipient domain to view a first document and not copy said first document into said recipient domain.
  - 8. The method of claim 1 further comprising:
    - receiving a request from said recipient domain for a first document created in said provider domain, said first document having a digital rights management mechanism;
      
      transmitting said first document into said recipient domain;
      
      receiving a digital rights management request for said first document from said recipient domain;
      
      transmitting said digital rights management request to said provider domain;
      
      receiving a digital rights management response from said provider domain; and
      
      transmitting said digital rights management response to said recipient domain.

9. A system comprising:
- a network connection to a provider domain;
  
  a network connection to a recipient domain;
  
  a security gathering mechanism that receives security descriptors from said recipient domain and from said provider domain;
  
  a security analyzer that analyzes said security descriptors from said recipient domain and from said provider domain to create a federated security policy; and
  
  a repository engine that creates a shared repository accessible from said provider domain and from said recipient domain, said shared repository conforming to said federated security policy.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, said security gathering mechanism receiving a digitally signed document comprising said security descriptors from said recipient domain.
  - 11. The system of claim 10, said digitally signed document being generated from a digital form transmitted from said provider domain to said recipient domain.
  - 12. The system of claim 9, said security gathering mechanism receiving a digitally signed document comprising said security descriptors from said provider domain.
  - 13. The system of claim 9, said repository engine further creating an output filter between said shared repository and said recipient domain, said output filter being configured to restrict moving at least one document from said shared repository to said recipient domain.
  - 14. The system of claim 9, said repository engine further creating an output filter between said shared repository and said provider domain, said output filter being configured to restrict moving at least one document from said shared repository to said provider domain.
  - 15. The system of claim 9, said security descriptors comprising compliance with a predefined security standard.
  - 16. The system of claim 9 further comprising:
    - a network connection to a second recipient domain;
      
      said shared repository additionally accessible from said second recipient domain.

17. A method performed on a computer processor, said method comprising:
- transmitting a digital form to a recipient organization, said recipient organization having a recipient domain;
  
  receiving a digital results document from said recipient organization, said digital results document being generated using said digital form;
  
  receiving a local security policy;
  
  generating a federation policy based on comparing said digital results document with said local security policy;
  
  creating a shared repository; and
  
  setting a set of security functions on said shared repository to comply with said federation policy.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 further comprising:
    - creating an input filter for said shared repository, said input filter restricting placement of a first document class into said shared repository.
  - 19. The method of claim 18 further comprising:
    - creating an output filter for said shared repository, said output filter restricting removal of a second document class from said shared repository.
  - 20. The method of claim 19, said digital results document being digitally signed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Penarczyk, Matthew, Weinert, Alex, Stradling, Phil, Shute, Dave, Wahl, Mark, Wittenberg, Craig

Granted Patent

US 8,713,688 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

AUTOMATED SECURITY ANALYSIS FOR FEDERATED RELATIONSHIP

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED SECURITY ANALYSIS FOR FEDERATED RELATIONSHIP

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links