System and method for ensuring proper implementation of computer security policies

US 7,178,164 B1
Filed: 12/18/2002
Issued: 02/13/2007
Est. Priority Date: 02/01/2002
Status: Active Grant

First Claim

Patent Images

1. A system for monitoring the processing of security commands related to security profiles in a computer system, comprising:

a profile monitor for receiving an input security command related to a security profile;

a profile verification unit for verifying the input security command using at least one reference security profile to generate a verified output security command; and

a profile processor for processing the output security command.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security profiles generated, amended, or deleted by an administrator are monitored to determine whether the administrator'"'"'s actions are in compliance with known security policies. Out-of-compliance commands affecting the profiles are refused or otherwise modified to conform with the policies, depending on the circumstances. Feedback of the failure to comply may be provided and may take the form of a screen inquiry to the administrator, a notification to the administrator that the profile has been automatically modified, or a report of the transaction to a chief administrator. In this manner, negligent and intentional failures to comply with security policies by a local security administrator are mitigated or eliminated.

Citations

48 Claims

1. A system for monitoring the processing of security commands related to security profiles in a computer system, comprising:
- a profile monitor for receiving an input security command related to a security profile;
  
  a profile verification unit for verifying the input security command using at least one reference security profile to generate a verified output security command; and
  
  a profile processor for processing the output security command.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1 wherein the input security command comprises a command related to a new security profile.
  - 3. The system of claim 1 the input security command comprises a command related to an existing security profile.
  - 4. The system of claim 1 wherein the profile verification unit further comprises a profile modifier for modifying the input security profile command based on the verification to generate a modified command as the verified output security command.
  - 5. The system of claim 1 wherein the profile verification unit verifies the input security command by extracting information from the input security command and generating a verification request for the profile processor including the extracted information.
  - 6. The system of claim 5 wherein the information comprises a value of a parameter of the input security command, and wherein the verification request includes the value for verifying the value using the at least one reference security profile.
  - 7. The system of claim 5 wherein the profile processor processes the verification request by accessing the least one security profile to generate a response.
  - 8. The system of claim 7 wherein the profile verification unit further receives the response to the verification request from the profile processor and verifies the extracted information of the input security command based on the response.
  - 9. The system of claim 5 wherein the profile verification unit further comprises a profile modifier for modifying the input security profile command based on the verification of the extracted information to generate a modified command as the verified output security command.
  - 10. The system of claim 9 wherein the modified command includes a parameter field having a value that is designated by at least one field of the at least one reference profile.
  - 11. The system of claim 1 wherein the profile verification unit further comprises a command generator for generating at least one supplemental command that is provided prior to or following the output security command for providing a supplemental instruction to the profile processor.
  - 12. The system of claim 1 wherein the at least one reference profile comprises a set of security profiles that are accessible by the profile processor.
  - 13. The system of claim 12 wherein the computer system is based on the RACF security system, wherein the profile processor comprises a RACF processor, and wherein the at least one reference profile comprises a set of RACF profiles having a resource class that is independent of that of general system RACF profiles accessed by the profile processor.
  - 14. The system of claim 12 wherein the set of RACF profiles utilize a RACF generic qualifier.
  - 15. The system of claim 12 wherein the set of RACF profiles utilize symbols that specify a value that is used to modify the input security command.
  - 16. The system of claim 12 wherein the set of RACF profiles utilize symbols that specify that a predefined portion of a parameter value of the input security command matches the at least one reference profile, or that specify a subset of a plurality of the reference profiles, or for identifying or defining default values for parameters that are absent.

17. A method for monitoring the processing of security commands related to security profiles in a computer system, comprising:
- receiving an input security command related to a security profile;
  
  verifying the input security command using at least one reference security profile to generate a verified output security command; and
  
  processing at a profile processor, the output security command.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The method of claim 17 wherein the input security command comprises a command related to a new security profile.
  - 19. The method of claim 17 wherein the input security command comprises a command related to an existing security profile.
  - 20. The method of claim 17 further comprising modifying the input security profile command based on the verification to generate a modified command as the verified output security command.
  - 21. The method of claim 17 wherein verifying the input security command comprises extracting information from the input security command and generating a verification request for the profile processor including the extracted information.
  - 22. The method of claim 21 wherein the information comprises a value of a parameter of the input security command, and wherein the verification request includes the value for verifying the value using the at least one reference security profile.
  - 23. The method of claim 21 wherein the profile processor processes the verification request by accessing the least one security profile to generate a response.
  - 24. The method of claim 23 wherein verifying further comprises receiving the response to the verification request and verifying the extracted information of the input security command based on the response.
  - 25. The method of claim 24 further comprising modifying the input security profile command based on the verification of the extracted information to generate a modified command as the verified output security command.
  - 26. The method of claim 25 wherein the modified command includes a parameter field having a value that is designated by at least one field of the at least one reference profile.
  - 27. The method of claim 17 further comprising generating at least one supplemental command that is provided prior to or following the output security command for providing a supplemental instruction to the profile processor.
  - 28. The method of claim 17 wherein the at least one reference profile comprises a set of security profiles that are accessible by the profile processor.
  - 29. The method of claim 28 wherein the computer system is based on the RACF security system, wherein the profile processor comprises a RACF processor, and wherein the at least one reference profile comprises a set of RACF profiles having a resource class that is independent of that of general system RACF profiles accessed by the profile processor.
  - 30. The method of claim 28 wherein the set of RACF profiles utilize a RACF generic qualifier.
  - 31. The method of claim 28 wherein the set of RACF profiles utilize symbols that specify a value that is used to modify the input security command.
  - 32. The method of claim 28 wherein the set of RACF profiles utilize symbols that specify that a predefined portion of a parameter value of the input security command matches the at least one reference profile, or that specify a subset of a plurality of the reference profiles, or for identifying or defining default values for parameters that are absent.

33. A computer program product comprising computer program code stored in at least one memory, when executed by at least one processor, the computer program product configured to perform a method for monitoring the processing of security commands related to security profiles in a computer system, the method comprising:
- receiving an input security command related to a security profile;
  
  verifying the input security command using at least one reference security profile to generate a verified output security command; and
  
  processing at a profile processor, the output security command.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 34. The computer program product of claim 33 wherein the input security command comprises a command related to a new security profile.
  - 35. The computer program product of claim 33 wherein the input security command comprises a command related to an existing security profile.
  - 36. The computer program product of claim 33, wherein the method further comprises modifying the input security profile command based on the verification to generate a modified command as the verified output security command.
  - 37. The computer program product of claim 33 wherein verifying the input security command comprises extracting information from the input security command and generating a verification request for the profile processor including the extracted information.
  - 38. The computer program product of claim 37 wherein the information comprises a value of a parameter of the input security command, and wherein the verification request includes the value for verifying the value using the at least one reference security profile.
  - 39. The computer program product of claim 37 wherein the profile processor processes the verification request by accessing the least one security profile to generate a response.
  - 40. The computer program product of claim 39 wherein verifying further comprises receiving the response to the verification request and verifying the extracted information of the input security command based on the response.
  - 41. The computer program product of claim 40 wherein the method further comprises modifying the input security profile command based on the verification of the extracted information to generate a modified command as the verified output security command.
  - 42. The computer program product of claim 41 wherein the modified command includes a parameter field having a value that is designated by at least one field of the at least one reference profile.
  - 43. The computer program product of claim 33 wherein the method further comprises generating at least one supplemental command that is provided prior to or following the output security command for providing a supplemental instruction to the profile processor.
  - 44. The computer program product of claim 33 wherein the at least one reference profile comprises a set of security profiles that are accessible by the profile processor.
  - 45. The computer program product of claim 44 wherein the computer system is based on the RACF security system, wherein the profile processor comprises a RACF processor, and wherein the at least one reference profile comprises a set of RACF profiles having a resource class that is independent of that of general system RACF profiles accessed by the profile processor.
  - 46. The computer program product of claim 44 wherein the set of RACF profiles utilize a RACF generic qualifier.
  - 47. The computer program product of claim 44 wherein the set of RACF profiles utilize symbols that specify a value that is used to modify the input security command.
  - 48. The computer program product of claim 44 wherein the set of RACF profiles utilize symbols that specify that a predefined portion of a parameter value of the input security command matches the at least one reference profile, or that specify a subset of a plurality of the reference profiles, or for identifying or defining default values for parameters that are absent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies Holdings, Inc.
Original Assignee
Consul Risk Management International BV (International Business Machines Corporation)
Inventors
Bonnes, Augustinus Hubertus Joseph
Primary Examiner(s)
Smithers; Matthew

Application Number

US10/323,465
Time in Patent Office

1,518 Days
Field of Search

726/27, 726/28, 726/29, 726/25, 726/2
US Class Current

726/2
CPC Class Codes

G06F 21/604 Tools and structures for ma...

System and method for ensuring proper implementation of computer security policies

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for ensuring proper implementation of computer security policies

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links