Adaptive security system having a hierarchy of security servers
Abstract
An adaptive security system having a hierarchy of security servers. The security system maintains a primary security server for each task or process executing within a computing environment. An enforcement mechanism receives resource requests from the tasks and queries the corresponding primary security server which resolves the request based on a set of security associations. If the primary security server is unable to resolve the request, the enforcement mechanism queries a parent security server. Security servers are dynamically created and terminated in response to changing organizational policies. The present invention facilitates the dynamic creation and termination of security servers to adapt to organizational policy changes.
27 Claims
1. A security system for controlling access to a plurality of resources within a computing environment comprising:
a plurality of security servers, wherein each security server includes a set of security associations; and
an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers.
Dependent claims: 2, 3, 4, 5, 8, 12, 13
6. A security system for controlling access to a plurality of resources within a computing environment comprising:
a plurality of security servers, wherein each security server includes a set of security associations; and
an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers, wherein the enforcement mechanism includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, wherein the enforcement mechanism queries a primary security server identified in the task control block of the corresponding task, wherein each primary security server is a task executing within the computing environment, wherein the task control block of each primary security server identifies a parent security server for resolving resource requests that the primary security server is unable to resolve, wherein each security server includes a data structure defining an execution period, wherein the kernel creates a security server based on a command from one of the tasks in the computing environment, and further wherein the kernel sets the parent security server of the created security server to the primary security server of the commanding task.
7. A security system for controlling access to a plurality of resources within a computing environment comprising:
a plurality of security servers, wherein each security server includes a set of security associations; and
an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers, wherein the enforcement mechanism includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, wherein the enforcement mechanism queries a primary security server identified in the task control block of the corresponding task, wherein each primary security server is a task executing within the computing environment, wherein the task control block of each primary security server identifies a parent security server for resolving resource requests that the primary security server is unable to resolve, wherein each security server includes a data structure defining an execution period, wherein the kernel terminates a security server by identifying the tasks that have the terminated security server as a primary security server, and further wherein the kernel sets the primary security server of each identified task to the parent security server of the terminated security server.
9. A security system for controlling access to a plurality of resources within a computing environment comprising:
a plurality of security servers, wherein each security server includes a set of security associations; and
an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers, wherein the enforcement mechanism includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, wherein the enforcement mechanism queries a primary security server identified in the task control block of the corresponding task, and wherein the operating system kernel includes a cache containing policy queries previously resolved by the security servers.
Dependent claims: 10
11. A security system for controlling access to a plurality of resources within a computing environment comprising:
a plurality of security servers, wherein each security server includes a set of security associations; and
an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers, wherein the enforcement mechanism includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, wherein the enforcement mechanism queries a primary security server identified in the task control block of the corresponding task, and wherein each security association maps the requesting task and the requested resources to a response that is selected from the set of (i) access granted, (ii) access denied and (iii) security fault.
14. A method for controlling access to a plurality of resources in a computing environment comprising the steps of:
receiving a user request to access one of the resources of the computing environment;
querying at least one of a plurality of security servers to resolve the resource request based on a set of security associations; and
enforcing the request as a function of a response from the queried security server.
Dependent claims: 15, 16, 22, 24, 25
examining the task control block to determine a primary security server for a task requesting one of the resources; and
querying the primary security server to resolve the resource request.
16. The method of claim 15, wherein each security server is a task executing within the computing environment, and wherein the querying step further performs the following steps when the primary security server is unable to resolve the resource request:
identifying a parent security server identified in the task control block of the primary security server; and
querying the parent security server to resolve the resource request.
22. The method of claim 14, wherein the querying step includes the step of querying one or more security servers distributed across a plurality of computers.
24. The method of claim 14, wherein the querying step includes the step of generating an encrypted message and communicating the encrypted message to the queried security server.
25. The method of claim 14, wherein the querying step includes the step of generating a digitally signed message and communicating the digitally signed message to the queried security server.
17. A method for controlling access to a plurality of resources in a computing environment that includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, comprising the steps of:
receiving a user request to access one of the resources of the computing environment;
querying at least one of a plurality of security servers to resolve the resource request based on a set of security associations, wherein each security server is a task executing within the computing environment, wherein the querying step includes the steps of:
examining the task control block to determine a primary security server for a task requesting one of the resources;
querying the primary security server to resolve the resource request; and
when the primary security server is unable to resolve the resource request, identifying a parent security server identified in the task control block of the primary security server; and
querying the parent security server to resolve the resource request;
enforcing the request as a function of a response from the queried security server;
creating a security server upon receiving a first command from one of the tasks; and
terminating a security server upon receiving a second command from one of the tasks.
Dependent claims: 18, 19, 20, 21
examining each task control structure of the operating system kernel to identify a set of tasks having the terminated security server as the primary security server; and
changing the primary security server for each identified task to the parent security server of the terminated security server.
20. The method of claim 17, wherein the operating system kernel includes a cache containing security associations for previously resolved policy queries.
21. The method of claim 20, wherein each security server maintains a list of registered tasks, and further wherein the terminating step includes the step of notifying each of the identified tasks that the terminated security server has been terminated.
23. A method for controlling access to a plurality of resources in a computing environment comprising the steps of:
receiving a user request to access one of the resources of the computing environment;
querying at least one of a plurality of security servers to resolve the resource request based on a set of security associations, wherein the querying step includes the step of selecting the response from the set of: (i) access granted, (ii) access denied and (iii) security fault; and
enforcing the request as a function of a response from the queried security server.
26. A computer-readable medium encoded with a software program for processing user requests for resources in a computing environment, the software program executing the steps of:
creating a hierarchy of security servers, wherein each user is assigned a primary security server; and
enforcing each of a plurality of user requests by querying the corresponding primary security server to resolve the resource request based on a set of security associations.
Dependent claims: 27
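The following Python sketch is an added illustration, not code from the patent. It models the mechanism the abstract and claims 6, 7, 9 and 11 describe: per-task primary servers, fallback to the parent server, creation under the commanding task's primary server, termination with reassignment, and a kernel cache. All class and function names, the sample tasks and resources, the fail-closed default when no server resolves a request, the cache flush on termination, and the re-pointing of child servers are assumptions.

```python
from enum import Enum

class Response(Enum):
    GRANTED, DENIED, FAULT = "access granted", "access denied", "security fault"

class SecurityServer:
    def __init__(self, parent=None, associations=None):
        self.parent = parent
        self.associations = dict(associations or {})  # (task, resource) -> Response

class Kernel:
    def __init__(self, root):
        self.root, self.children = root, []  # root itself is never terminated
        self.primary, self.cache = {}, {}    # TCB primary-server field; resolved queries

    def create_server(self, commanding_task, associations):
        # The new server's parent is the commanding task's primary server.
        srv = SecurityServer(self.primary[commanding_task], associations)
        self.children.append(srv)
        return srv

    def terminate_server(self, srv):
        self.children.remove(srv)             # ValueError for root or unknown
        for task in list(self.primary):       # tasks move to the parent
            if self.primary[task] is srv:
                self.primary[task] = srv.parent
        for s in self.children:               # assumption: child servers too
            if s.parent is srv:
                s.parent = srv.parent
        self.cache.clear()  # assumption: cached answers may come from srv

    def check(self, task, resource):
        key = (task, resource)
        if key not in self.cache:
            srv = self.primary[task]
            while srv is not None and key not in srv.associations:
                srv = srv.parent              # unable to resolve: ask parent
            # Assumption: no server in the chain resolves -> fail closed.
            self.cache[key] = srv.associations[key] if srv else Response.DENIED
        return self.cache[key]

def demo():  # constructed tasks and resources
    k = Kernel(SecurityServer(associations={("build", "/etc/shadow"): Response.DENIED}))
    k.primary["admin"] = k.root
    proj = k.create_server("admin", {("build", "/srv/repo"): Response.GRANTED})
    k.primary["build"] = proj
    before = [k.check("build", r) for r in ("/srv/repo", "/etc/shadow")]
    k.terminate_server(proj)
    return before, k.check("build", "/srv/repo")
```

Without the cache flush in `terminate_server`, the final check in `demo()` would still return the grant cached from the terminated server.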
Specification