System and method for maintaining security in a distributed computer network

US 6,941,472 B2
Filed: 01/22/2001
Issued: 09/06/2005
Est. Priority Date: 10/28/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for maintaining security in a distributed computing environment comprising:

a central policy manager located at a server for managing and distributing a security policy; and

an application guard located at a client, said application guard including a customized local policy particular to that client, for managing access by a user of the client to software application components at the client, as specified by the security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. In the preferred embodiment, a global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages access to the securable components as specified by the local policy.

Citations

29 Claims

1. A system for maintaining security in a distributed computing environment comprising:
- a central policy manager located at a server for managing and distributing a security policy; and
  
  an application guard located at a client, said application guard including a customized local policy particular to that client, for managing access by a user of the client to software application components at the client, as specified by the security policy.

2. A system for managing and enforcing complex security requirements to protect computer systems against unauthorized access in a distributed computer network comprising;
- a policy manager located on a server for managing and distributing a policy to a client; and
  
  an application guard located on the client, acting to grant or deny access by users of the client to various software application components of the client, as specified by the policy.
- View Dependent Claims (3, 4, 5, 6)
- - 3. The system of claim 2 wherein the client contains a program stored in non-volatile memory for granting or denying access to various software application components of the client, as specified by the policy distributed from the server.
  - 4. The system of claim 2 wherein the server includes a non-volatile memory storing the policy manager that specifies the security requirements for software applications and database objects;
    - said policy contains security rules that describe at least one constraint that constrains which software applications a particular user can access and which database objects within an software application a user can access.
  - 5. The system of claim 2 wherein the policy is organized into groups and hierarchies.
  - 6. The system of claim 2 wherein the policy includes access rules, which include:
    - a grant rule that grants a privilege to a first user on a software application component under a first constraint; and
      
      a deny rule that denies a privilege to a second user on the software application component under a second constraint.

7. A system for managing and enforcing complex security requirements to protect computer systems against unauthorized access in a distributed computer network comprising:
- a policy manager located on a server for managing and distributing a policy to a client; and
  
  an application guard located on the client, acting to grant or deny access to various software application components of the client, as specified by the policy;
  
  an audit log data flue to record authorization requests;
  
  an optimized policy data file;
  
  an enterprise policy data file;
  
  an administrative policy data file; and
  
  a local administrative policy data file.

8. A security system comprising:
- an application guard located within non-volatile memory of a client that is designed to reside along with each protected software application component on that client and supports transactional access control by allowing the software application to detect an authorization service and to make authorization requests at each user interaction, data request, and business level transaction by a user or application of the client.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The security system of claim 8 further comprising a distributor capable of distributing the application guard to clients located throughout an enterprise.
  - 10. The system of claim 8 wherein the application guard is coupled to the software application through an application programming interface (API) or authorization library that allows the software application components to request authorization services as needed through an application guard interface.
  - 11. The system of claim 8 further comprisingan authorization engine that processes an authorization request;
    - a checker that parses local client policy and stores the parsed local client policy in Random Access Memory (RAM); and
      
      an evaluator that evaluates the authorization request with the parsed local client policy in RAM to determine whether the authorization request should be granted or denied.
  - 12. The system of claim 11 wherein the authorization engine comprises plug-ins that at least allow for additional capabilities to process and evaluate authorization request based on customized code.
  - 13. The system of claim 8 wherein the system is capable of implementing at least:
    - the application guard locally to the software application; and
      
      the application guard as a remote authorization service through a remote procedure call to another server.

14. A method for maintaining security in a distributed computing environment comprising:
- managing a central security policy located at a server via a policy manager; and
  
  managing access by a user of the client via an application guard at a client to a transaction related with a software application component on that client, as specified by the security policy.

15. A method of granting client access authorization comprising:
- using an application guard located at a client that includes at least requesting access to a software securable component associated with an application protected by the application guard, wherein the application guard constructs and issues an authorization request, and evaluating the authorization request via the application guard according to its local client policy to determine whether to allow or deny the authorization request; and
  
  wherein evaluating the authorization request includes and evaluator searching deny rules in the local client policy, and if the evaluator finds a deny rule, then an evaluation is performed on an constraints on the deny rule, if the evaluation finds a presently valid constraint on the deny rule, then access is denied, and if the evaluation finds that all constraints on the deny rule are not presently valid, then a search for a grant rule is performed, and if no deny rules are found, then a search for a grant rule is performed;
  
  wherein after a search for a grant rule if no grant rule is found that would allow access for the user, then access is denied, and if a grant rule is found, then an evaluation is performed on any constraints in the grant rule wherein if the evaluated constraint is presently valid, then access is allowed, and if the evaluated constraint is not presently valid, then access is denied; and
  
  , and audit records the authorization request in an audit log;
  
  wherein if there is an error in the authorization request, or if the request is not valid, then access is denied;
  
  if the authorization request is valid, then a determination is made whether access should be granted, and if the evaluated authorization request does not deny access, then access is allowed, and if the evaluated authorization request denies access, then access is denied.

16. A system for maintaining security in a distributed computing environment, comprising:
- a policy manager located at a server for managing a security policy; and
  
  an application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, for managing access to securable components as specified by the security policy, said securable components being selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein said policy manager further comprises a distributor for distributing the security policy to a client.
  - 18. The system of claim 16, wherein said system is scalable by further comprising a plurality of clients, said policy manager further managing and distributing a customized local policy to each client, and at least one additional application guard located on each client for managing access toll the securable components as specified by each customized local policy.
  - 19. The system of claim 18, wherein said application guard includes an application guard interface coupled to an application for requesting access to the securable components, and at least one authorization engine for evaluating requests from the application guard interface as specified by a customized local policy based on the security policy.
  - 20. The system of claim 19, wherein said application guard interface is located on a client, and said at least one authorization engine and said customized local policy are located on a client server.

21. A system for controlling user access in a distributed computing environment, comprising:
- a global policy specifying access privileges of the user to securable components;
  
  a policy manager located on a server for managing and distributing a local client policy based on the global policy to a client, and an application guard located on the client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, for managing access to the securable components as specified by the local client policy, said securable components being selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client.
- View Dependent Claims (22, 23, 24)
- - 22. The system of claim 21, further comprising at least one additional client, said policy manager further managing and distributing a customized local policy based on the global policy to each additional client, and at least one additional application guard located on each additional client for managing access to the securable components as specified by the customized local policy.
  - 23. The system of claim 21, wherein said system is scalable by further comprising a plurality of clients, said policy manager further managing and distributing a customized local policy to each client, and at least one additional application guard located on each client for managing access to the securable components as specified by each customized local policy.
  - 24. The system of claim 21, wherein said application guard includes an application guard interface coupled to an application for requesting access to the securable components, and at least one authorization engine for evaluating requests from the application guard interface as specified by the local client policy.

25. A system for managing security in a distributed computing environment, comprising:
- a policy manager specifying access privileges to securable components selected from the group consisting of at least one application;
  
  a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application;
  
  an application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, for managing access to securable components; and
  
  a processor coupled to said system, said processor executing said policy manager to manage and distribute a customized local policy based on a global policy to a client, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client.

26. A method for maintaining security in a distributed computing environment, comprising the steps of:
- managing a policy using a policy manager located at a server by specifying access privileges of a user to securable components selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application; and
  
  distributing the policy to a client having an application guard, said application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, whereby the application guard manages access to the securable components as specified by the policy, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client.
- View Dependent Claims (27)
- - 27. A method as claimed in claim 26 for maintaining security on a client in a distributed computing environment, further comprising the steps of:
    - constructing and issuing an authorization request for a user to access to securable components located on the client using the application guard;
      
      evaluating the authorization request using the application guard to determine if the authorization request is valid or invalid; and
      
      allowing access to the user via the application guard if the evaluated authorization request was valid, and denying access to the user via the application guard if the authorization request was invalid.

28. A computer-readable medium comprising program instructions for maintaining security in a distributed computing environment by performing the steps of:
- managing a policy using a policy manager located at a server by specifying access privileges of a user to securable components selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application; and
  
  distributing the policy to a client having an application guard, said application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, whereby the application guard manages access to the securable components as specified by the policy, executing said policy manager with a processor to manage and distribute the policy, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client.

29. A system for maintaining security in a distributed computing environment, comprising the steps of:
- means for managing a policy using a policy manager located at a server by specifying access privileges of a user to securable components selected from the group consisting of at least one application, a function within an application, a procedure within an application, a data structure within an application, a database object referenced by an application, or a file system object referenced by an application; and
  
  means for distributing the policy to a client having an application guard, said application guard located either at a client or at a server, said application guard associated with the client or with a set of clients and including a customized local policy particular to said client or set of clients, whereby the application guard manages access to the securable components as specified by the policy, means for executing the policy manager to manage and distribute the policy, wherein said system is scalable by further comprising a plurality of clients, including a local security policy for each of said plurality of clients, and an additional application guard associated with each or a set of said plurality of clients, for managing access to the securable components as specified by the local security policy for each client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Moriconi, Mark, Qian, Shelly
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
HOFFMAN, BRANDON S

Application Number

US09/767,610
Publication Number

US 20010007133A1
Time in Patent Office

1,688 Days
Field of Search

713/201, 709/223, 707/9
US Class Current

726/11
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2117   User registration

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2151   Time stamp

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Y10S 707/99939   Privileged access

System and method for maintaining security in a distributed computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for maintaining security in a distributed computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links