Security policy applied to common data security architecture
First Claim
1. A security architecture for a computer platform comprising at least one data processor and at least one memory means said architecture comprising:
- an applications layer for containing a plurality of user security applications;
a layered services layer for containing a plurality of security services protocols;
a common security services manager (CSSM) layer underlying the layered services layer comprising a plurality of security services management means, a set of integrity services, a manager of security contexts, and a plurality of interfaces for interfacing with add-in security modules; and
an add-in security modules layer underlying the common security services manager layer, configured to accept a plurality of add-in security modules implementing a set of standard security services;
a generic trust policy library within the add-in security modules layer and supporting a set of standard trust policy Application Programming Interfaces (APIs);
a trust policy description file containing a set of domain-specific trust policies written in a policy description language common to said architecture; and
a policy interpreter, said policy interpreter operating to interpret a set of policies contained in said policy description file.
2 Assignments
0 Petitions
Accused Products
Abstract
An improved architecture is provided, based upon the prior art common data security architecture, with the modification of adding in a generic trust policy library (217) at an add-in security modules layer (215) and a policy interpreter (224) at a common security services manager layer (202), so that individual users may provide sets of trust policies in the form of a trust policy description file (223), which uses a generic policy description language provided by the architecture. The architecture provides a generic method of incorporating trust policies into a computing platform in a manner which avoids a prior art problem of the semantics of trust policies which are hard-coded in prior art trust policy modules (117). The architecture also improves management flexibility. In the present disclosure, a generic policy description language is provided, which enables different users to define the semantics of a plurality of trust policies.
-
Citations
9 Claims
-
1. A security architecture for a computer platform comprising at least one data processor and at least one memory means said architecture comprising:
-
an applications layer for containing a plurality of user security applications;
a layered services layer for containing a plurality of security services protocols;
a common security services manager (CSSM) layer underlying the layered services layer comprising a plurality of security services management means, a set of integrity services, a manager of security contexts, and a plurality of interfaces for interfacing with add-in security modules; and
an add-in security modules layer underlying the common security services manager layer, configured to accept a plurality of add-in security modules implementing a set of standard security services;
a generic trust policy library within the add-in security modules layer and supporting a set of standard trust policy Application Programming Interfaces (APIs);
a trust policy description file containing a set of domain-specific trust policies written in a policy description language common to said architecture; and
a policy interpreter, said policy interpreter operating to interpret a set of policies contained in said policy description file. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
Specification
-
- Resources
-
Current AssigneeHewlett-Packard Development Company, L.P. (HP Inc.)
-
Original AssigneeHewlett-Packard Development Company, L.P. (HP Inc.)
-
InventorsLin, Along
-
Primary Examiner(s)Morse, Gregory
-
Assistant Examiner(s)Tran, Tongoc
-
Application NumberUS09/761,959Publication NumberTime in Patent Office1,693 DaysField of Search713/191, 713/189, 713/200, 713/187US Class Current726/1CPC Class CodesG06F 21/6218 to a system of files or obj...G06F 2211/009 TrustH04L 63/104 Grouping of entities
