System and method for maintaining security in a distributed computer network
First Claim
1. A system for maintaining security in a distributed computing environment comprising:
- a central policy manager located at a server for managing and distributing a security policy; and
an application guard located at a client, said application guard including a customized local policy particular to that client, for managing access by a user of the client to software application components at the client, as specified by the security policy.
1 Assignment
0 Petitions
Accused Products
Abstract
A system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. In the preferred embodiment, a global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages access to the securable components as specified by the local policy.
-
Citations
29 Claims
-
1. A system for maintaining security in a distributed computing environment comprising:
-
a central policy manager located at a server for managing and distributing a security policy; and
an application guard located at a client, said application guard including a customized local policy particular to that client, for managing access by a user of the client to software application components at the client, as specified by the security policy.
-
-
2. A system for managing and enforcing complex security requirements to protect computer systems against unauthorized access in a distributed computer network comprising;
-
a policy manager located on a server for managing and distributing a policy to a client; and
an application guard located on the client, acting to grant or deny access by users of the client to various software application components of the client, as specified by the policy. - View Dependent Claims (3, 4, 5, 6)
-
-
7. A system for managing and enforcing complex security requirements to protect computer systems against unauthorized access in a distributed computer network comprising:
-
a policy manager located on a server for managing and distributing a policy to a client; and
an application guard located on the client, acting to grant or deny access to various software application components of the client, as specified by the policy;
an audit log data flue to record authorization requests;
an optimized policy data file;
an enterprise policy data file;
an administrative policy data file; and
a local administrative policy data file.
-
-
8. A security system comprising:
an application guard located within non-volatile memory of a client that is designed to reside along with each protected software application component on that client and supports transactional access control by allowing the software application to detect an authorization service and to make authorization requests at each user interaction, data request, and business level transaction by a user or application of the client. - View Dependent Claims (9, 10, 11, 12, 13)
-
14. A method for maintaining security in a distributed computing environment comprising:
-
managing a central security policy located at a server via a policy manager; and
managing access by a user of the client via an application guard at a client to a transaction related with a software application component on that client, as specified by the security policy.
-
-
15. A method of granting client access authorization comprising:
-
using an application guard located at a client that includes at least requesting access to a software securable component associated with an application protected by the application guard, wherein the application guard constructs and issues an authorization request, and evaluating the authorization request via the application guard according to its local client policy to determine whether to allow or deny the authorization request; and
wherein evaluating the authorization request includes and evaluator searching deny rules in the local client policy, and if the evaluator finds a deny rule, then an evaluation is performed on an constraints on the deny rule, if the evaluation finds a presently valid constraint on the deny rule, then access is denied, and if the evaluation finds that all constraints on the deny rule are not presently valid, then a search for a grant rule is performed, and if no deny rules are found, then a search for a grant rule is performed;
wherein after a search for a grant rule if no grant rule is found that would allow access for the user, then access is denied, and if a grant rule is found, then an evaluation is performed on any constraints in the grant rule wherein if the evaluated constraint is presently valid, then access is allowed, and if the evaluated constraint is not presently valid, then access is denied; and
, and audit records the authorization request in an audit log;
wherein if there is an error in the authorization request, or if the request is not valid, then access is denied;
if the authorization request is valid, then a determination is made whether access should be granted, and if the evaluated authorization request does not deny access, then access is allowed, and if the evaluated authorization request denies access, then access is denied.
-
-
16. A system for maintaining security in a distributed computing environment, comprising:
-
a policy manager located at a server for managing a security policy; and
an application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, for managing access to securable components as specified by the security policy, said securable components being selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client. - View Dependent Claims (17, 18, 19, 20)
-
-
21. A system for controlling user access in a distributed computing environment, comprising:
-
a global policy specifying access privileges of the user to securable components;
a policy manager located on a server for managing and distributing a local client policy based on the global policy to a client, and an application guard located on the client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, for managing access to the securable components as specified by the local client policy, said securable components being selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client. - View Dependent Claims (22, 23, 24)
-
-
25. A system for managing security in a distributed computing environment, comprising:
-
a policy manager specifying access privileges to securable components selected from the group consisting of at least one application;
a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application;
an application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, for managing access to securable components; and
a processor coupled to said system, said processor executing said policy manager to manage and distribute a customized local policy based on a global policy to a client, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client.
-
-
26. A method for maintaining security in a distributed computing environment, comprising the steps of:
-
managing a policy using a policy manager located at a server by specifying access privileges of a user to securable components selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application; and
distributing the policy to a client having an application guard, said application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, whereby the application guard manages access to the securable components as specified by the policy, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client. - View Dependent Claims (27)
-
-
28. A computer-readable medium comprising program instructions for maintaining security in a distributed computing environment by performing the steps of:
-
managing a policy using a policy manager located at a server by specifying access privileges of a user to securable components selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application; and
distributing the policy to a client having an application guard, said application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, whereby the application guard manages access to the securable components as specified by the policy, executing said policy manager with a processor to manage and distribute the policy, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client.
-
-
29. A system for maintaining security in a distributed computing environment, comprising the steps of:
-
means for managing a policy using a policy manager located at a server by specifying access privileges of a user to securable components selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application; and
means for distributing the policy to a client having an application guard, said application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, whereby the application guard manages access to the securable components as specified by the policy, means for executing the policy manager to manage and distribute the policy, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client.
-
Specification