Data transfer system and method with secure mapping of local system access rights to global identities

US 7,152,108 B1
Filed: 08/30/2002
Issued: 12/19/2006
Est. Priority Date: 08/30/2002
Status: Active Grant

First Claim

Patent Images

1. An apparatus for implementing security procedures during a data transfer process comprising:

means for transferring data from an initiating computer to a remote computer;

an authorization table associated with the initiating computer including at least;

i) a remote computer identifier;

ii) at least one local user identifier corresponding to the remote computer identifier; and

iii) qualifiers authorizing operations;

means for the initiating computer, acting as a local user, to request to establish a communication link to connect to the remote computer, to perform desired operations;

means for determining from at least the authorization table whether the remote computer is associated with the local user;

means for denying the request if the remote computer is determined not to be associated with the local user; and

means for permitting the request if the remote computer is determined to be associated with the local user.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method and apparatus for providing security using an authorization process in connection with data transfers. Keyed certificates are used to authenticate remote computers. An authorization table maps remote computers to allowable local users and corresponding qualifiers. In order to complete a data transfer process, the system of the present invention authenticates the remote computer, determines its authority to act as a designated local user, and determines whether the remote computer, acting as the designated local user, can perform the actions required for the data transfer.

71 Citations

View as Search Results

24 Claims

1. An apparatus for implementing security procedures during a data transfer process comprising:
- means for transferring data from an initiating computer to a remote computer;
  
  an authorization table associated with the initiating computer including at least;
  
  i) a remote computer identifier;
  
  ii) at least one local user identifier corresponding to the remote computer identifier; and
  
  iii) qualifiers authorizing operations;
  
  means for the initiating computer, acting as a local user, to request to establish a communication link to connect to the remote computer, to perform desired operations;
  
  means for determining from at least the authorization table whether the remote computer is associated with the local user;
  
  means for denying the request if the remote computer is determined not to be associated with the local user; and
  
  means for permitting the request if the remote computer is determined to be associated with the local user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus for implementing security procedures during a data transfer process according to claim 1, further comprising:
    - means for receiving a keyed certificate at the remote computer from the initiating computer for establishing a secure communication link between the initiating computer and the receiving computer; and
      
      means for processing the keyed certificate to verify the initiating computer at the remote computer.
  - 3. The apparatus for implementing security procedures during a data transfer process according to claim 1, wherein the desired operation is transfer of data from the initiating computer.
  - 4. The apparatus for implementing security procedures during a data transfer process according to claim 1, wherein the desired operation is reception of data at the remote computer.
  - 5. The apparatus for implementing security procedures during a data transfer process according to claim 1, further comprisingmeans for transmitting a request for authorization to operate as the local user from the initiating computer;
    - means for determining, in association with the remote computer, whether the initiating computer is associated with the local user;
      
      means for terminating the communication link if the initiating computer is determined not to be associated with the local user; and
      
      means for maintaining the communications link and authorizing the initiating computer to perform certain operations at the remote computer if the initiating computer is determined to be associated with the local user, then.
  - 6. The apparatus for implementing security procedures during a data transfer process according to claim 1, wherein the means for transferring data from an initiating computer to a remote computer is based on a schedule or occurrence of an event.
  - 7. The apparatus for implementing security procedures during a data transfer process according to claim 1, wherein the authorized operation allows the initiating computer to send a distribution rule which includes a set of steps for execution on the remote computer in order to complete a data transfer.
  - 8. The apparatus for implementing security procedures during a data transfer process according to claim 1, further including a means for determining, at least from the qualifiers in the authorization table whether the desired operation is authorized;
    - means for authorizing the desired operation if the qualifier authorizes the operation;
      
      means for denying the desired operation if the qualifier does not authorize the operation.
  - 9. The apparatus for implementing security procedures during a data transfer process according to claim 1, wherein the steps for execution on the remote computer are chosen from a group comprising at least the following:
    - retrieval from a source computer;
      
      encryption and decryption of data, formatting of data, conversion of data to a different format firewall traversal process, and storage of data.

10. A method for implementing security procedures during a data transfer process comprising the steps of:
- receiving, over a communications link to a receiving computer, a request from a remote computer for authorization to perform desired operations at the receiving computer under a particular local user identifier;
  
  maintaining, in association with the receiving computer, an authorization table including at least a remote computer identifier and a corresponding local user identifier and qualifiers authorizing operations;
  
  determining whether the remote computer is associated with the requested local user using the authorization table;
  
  terminating the communications link if the requested local user is not associated with the corresponding local user identifier; and
  
  maintaining the communications link for the desired operations, if the requested local user is associated with the corresponding local user identifier.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method for implementing security procedures during a data transfer process according to claim 10, wherein the authorized operation includes transferring data.
  - 12. The method for implementing security procedures during a data transfer process according to claim 10, wherein the authorized operation includes allowing the remote computer to modify the authorization table.
  - 13. The method for implementing security procedures during a data transfer process according to claim 10, wherein the authorized operation includes receiving data.
  - 14. The method implementing security procedures during a data transfer process according to claim 10, further comprising the step of receiving a keyed certificate from the remote computer;
    - andwherein the authorization of the remote computer is based on the keyed certificate.
  - 15. The method for implementing security procedures during a data transfer process according to claim 10, wherein the desired operation is transferring of a distribution rule and the authorized operation allows the remote computer to transfer the distribution rule.
  - 16. The method for implementing security procedures during a data transfer process according to claim 15, wherein the steps for execution on the receiving computer includes enabling at least one or more of the following steps:
    - retrieval from a source computer;
      
      encryption and decryption of data, formatting of data, conversion of data to a different format, firewall traversal process, and storage of data.
  - 17. The method implementing security procedures during in a data transfer process according to claim 10, further comprising the steps of:
    - authorizing the desired operation if the qualifier authorizes the operation;
      
      denying the desired operation if the qualifier does not authorize the operation.
  - 18. The method implementing security procedures during in a data transfer process according to claim 10, further comprising the steps of:
    - determining, before establishing a communications link to the receiving computer, whether the receiving computer is associated with the requested local user;
      
      if the receiving computer is not associated with the requested local user, then denying authorization to establish a communications link to the receiving computer; and
      
      if the receiving computer is associated with the requested local user, then authorizing a communications link to the receiving computer to transfer data.

19. A system for implementing security procedures during a data transfer process within a computer network which includes at least a central management computer for sending a distribution rule to a distribution agent of a primary computer for use in controlled data transfer between the primary computer distribution agent and a distribution agent of a secondary computer, the system further comprising:
- means for requesting authentication for the primary computer, acting as a local user to connect to the secondary computer;
  
  an authorization table associated with the primary computer including at least;
  
  i) a secondary computer identifier;
  
  ii) at least one local user identifier corresponding to the secondary computer identifier; and
  
  iii) qualifiers authorizing operations;
  
  means for the primary computer, acting as a local user to request to establish a communication link to connect to the secondary computer, to perform desired operations;
  
  means for determining from at least the authorization table whether the secondary computer is associated with the local user;
  
  means for denying the request if the secondary computer is determined not to be associated with the local user; and
  
  means for permitting the request if the secondary computer is determined to be associated with the local user.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The system of claim 19, further comprising:
    - means for transmitting a keyed certificate from the primary computer;
      
      means for transmitting a request for authorization to operate as the local user from the primary computer;
      
      means for determining, by the secondary computer distribution agent, whether the primary computer is associated with the local user;
      
      if the primary computer is not associated with the local user, then terminating the communications link; and
      
      if the primary computer is associated with the local user, then the communications link is maintained and the data transfer is executed in accordance with the distribution rule.
  - 21. The system of claim 19, wherein the data transfer is in order to transfer distribution rules to one or more secondary computers from a primary computer.
  - 22. The system of claim 19, wherein the data transfer is in order to transfer distribution rules from a secondary computer to a third computer.
  - 23. The system of claim 19, wherein the authentication table is accompanied by a digital signature computed on the authorization table by the primary computer distribution agent.
  - 24. The system of claim 19, wherein the data transfer process is a fan out process, replication process, multiple copy replication process, synchronization process, or aggregation process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Signiant Incorporated
Original Assignee
Signiant Incorporated
Inventors
Hamilton, Ian, Khan, Winston, Bowler, Ken
Primary Examiner(s)
Luu, Le Hien

Application Number

US10/231,181
Time in Patent Office

1,572 Days
Field of Search

709/225, 709/203, 709/229, 713/168, 713/200, 705/27, 340/5.74
US Class Current

709/225
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 2221/2129   Authenticate client device ...

H04L 63/0823   using certificates cryptogr...

Data transfer system and method with secure mapping of local system access rights to global identities

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Data transfer system and method with secure mapping of local system access rights to global identities

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others