APPLYING SECURITY POLICY TO AN APPLICATION SESSION
First Claim
1. A method for applying a security policy to an application session, comprising:
- recognizing the application session between a network and an application via a security gateway;
retrieving by the security gateway an application session record for the application session, the application session record comprising a first user identity used for accessing the application through a first host, a first host identity for the first host, and an application session time;
recognizing by the security gateway an access session between a second host and the network;
retrieving by the security gateway an access session record for the access session, the access session record comprising a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;
querying, by the security gateway, an identity server by sending the first host identity and the application session time in the application session record, the identity server comprising the access session record for the access session between the second host and the network;
comparing, by the identity server, the first host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time;
returning, by the identity server, the second user identity in the access session record if the first host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time;
storing, at the identity server, the second user identity as a network user identity used for accessing the network in the application session record;
determining by the security gateway at least one security policy applicable to the application session based on a group identity; and
applying the at least one security policy to the application session by the security gateway if the network user identity is a member of the group identity.
1 Assignment
0 Petitions
Accused Products
Abstract
Applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.
-
Citations
27 Claims
-
1. A method for applying a security policy to an application session, comprising:
-
recognizing the application session between a network and an application via a security gateway; retrieving by the security gateway an application session record for the application session, the application session record comprising a first user identity used for accessing the application through a first host, a first host identity for the first host, and an application session time; recognizing by the security gateway an access session between a second host and the network; retrieving by the security gateway an access session record for the access session, the access session record comprising a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time; querying, by the security gateway, an identity server by sending the first host identity and the application session time in the application session record, the identity server comprising the access session record for the access session between the second host and the network; comparing, by the identity server, the first host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time; returning, by the identity server, the second user identity in the access session record if the first host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; storing, at the identity server, the second user identity as a network user identity used for accessing the network in the application session record; determining by the security gateway at least one security policy applicable to the application session based on a group identity; and applying the at least one security policy to the application session by the security gateway if the network user identity is a member of the group identity. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A computer program product for applying a security policy to an application session, the computer program product comprising:
a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code configured to; recognize the application session between a network and an application via a security gateway; retrieve by the security gateway an application session record for the application session, the application session record comprising a first user identity used for accessing the application through a first host, a first host identity for the first host, and an application session time; recognize by the security gateway an access session between a second host and the network; retrieve by the security gateway an access session record for the access session, the access session record comprising a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time; query, by the security gateway, an identity server, by sending the first host identity and the application session time in the application session record, the identity server comprising the access session record for the access session between the second host and the network; compare, by the identity server, the first host identity in the application session record with the second host identity in the access session record, and compare the access session time with the application session time; return, by the identity server, the second user identity in the access session record if the first host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; store, at the identity server, the second user identity as a network user identity used for accessing the network in the application session record; determine, by the security gateway, at least one security policy applicable to the application session based on a group identity; and apply the at least one security policy to the application session by the security gateway, if the network user identity is a member of the group identity. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
19. A system, comprising:
-
a corporate directory comprising at least one security policy; and a security gateway, wherein the security gateway; recognizes an application session between a network and an application via a security gateway; retrieves an application session record for the application session, the application session record comprising a first user identity used for accessing the application through a first host, a first host identity for the first host, and an application session time; recognizes an access session between a second host and the network; retrieves an access session record for the access session, the access session record comprising a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time; queries an identity server by sending the first host identity and the application session time in the application session record, the identity server comprising the access session record for the access session between the second host and the network, wherein the identity server; compares the first host identity in the application session record with the second host identity in the access session record, and compares the access session time with the application session time; returns the second user identity in the access session record if the first host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and stores the second user identity as a network user identity used for accessing the network in the application session record; determines at least one security policy applicable to the application session based on a group identity; and applies the at least one security policy to the application session if the network user identity is a member of the group identity. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
-
Specification