Integrated security framework and privacy database scheme

US 7,263,717 B1
Filed: 12/17/2003
Issued: 08/28/2007
Est. Priority Date: 12/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method for bridging requests for access to resources between requesters in a distributed network and an authenticator servicing the distributed network for a privacy response:

storing in a secured datastore only security and privacy information;

accessing one of a plurality of application servers within the distributed network;

initiating one or more requests through the application server, wherein the requests are for access to the privacy information on the datastore;

intercepting the request for access to the privacy information on the datastore;

identifying an IP address of the application server initiating the request;

verifying the IP address has access to the privacy information through a naming service;

where the IP address is verified, forwarding some of the requests for privacy information directly to the datastore with the privacy information and further verifying some of the requests for privacy information.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for bridging requests for access to resources between requestors in a distributed network and an authenticator servicing the distributed network is provided. The bridging mechanism has security features including a naming service for machine authentication and machine process rules to authorize what process machines can perform. The security proxy bridge intercepts an access request, and checks the IP address for machine authentication as well as the machine process rules and if both verifications are successful, the bridge then forwards the request for access to the authenticator. The security proxy framework utilizes a data structure that provides a method for storing selected security information stored as data records supporting an authentication and authorization system for users to access resources on multiple components of a distributed network supporting multiple business units of an enterprise. Primary authentication information stored herein includes general user information, security, and contact information.

94 Citations

View as Search Results

29 Claims

1. A method for bridging requests for access to resources between requesters in a distributed network and an authenticator servicing the distributed network for a privacy response:
- storing in a secured datastore only security and privacy information;
  
  accessing one of a plurality of application servers within the distributed network;
  
  initiating one or more requests through the application server, wherein the requests are for access to the privacy information on the datastore;
  
  intercepting the request for access to the privacy information on the datastore;
  
  identifying an IP address of the application server initiating the request;
  
  verifying the IP address has access to the privacy information through a naming service;
  
  where the IP address is verified, forwarding some of the requests for privacy information directly to the datastore with the privacy information and further verifying some of the requests for privacy information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the requests for privacy information are further verified if multiple applications reside on the application server initiating the request.
  - 3. The method of claim 2, further comprising:
    - identifying an application executing on the application server to initiate the request;
      
      verifying the application has permission for the request;
      
      where the application is verified, forwarding the request for privacy information to the datastore with the privacy information.
  - 4. The method of claim 1, further comprising:
    - forwarding the requests for privacy information that require further verification to an authenticator.
  - 5. The method of claim 4, further comprising:
    - requesting identification and authentication information of a user that is accessing the application server;
      
      authenticating the identity of the user with an authenticator;
      
      comparing an authorization policy for the user with the request for privacy information with the authenticator;
      
      authorizing the request if the comparison is successful.
  - 6. The method of claim 5, further comprising:
    - identifying groups the user belongs to with the authenticator,wherein comparing the authorization policy for the user with the request for privacy information further comprises comparing the authorization policy for the user'"'"'s groups with the request for privacy information.
  - 7. The method of claim 1, wherein the request for privacy information is one of a request to view privacy information, delete privacy information, add privacy information, or to modify privacy information stored on the datastore with the privacy information.
  - 8. The method of claim 1, further comprising:
    - logging and monitoring the requests for access to the privacy information.

9. A method for bridging requests for access to resources between requesters in a distributed network and an authenticator servicing the distributed network:
- a user accessing one of a plurality of application servers within the distributed network;
  
  initiating at least one request through executing an application on the application server in accordance with inputs of the user, wherein the request is for access to privacy information;
  
  intercepting the request for access to the privacy information;
  
  identifying an IP address of the application server requesting the access the privacy information;
  
  verifying the IP address has access to the privacy information;
  
  identifying a type of the access in the request for the privacy information as one of a plurality of types of access;
  
  identifying the application making the request;
  
  verifying the application has permission for the type of the access in the request for the privacy information;
  
  identifying identification and authorization information of the user executing the application;
  
  verifying the identity of the user based on the identification and authorization information.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method of claim 9, further comprising:
    - comparing an authorization policy for the user with the privacy information and the requested type of access to the requested resource;
      
      authorizing the request if the comparison is successful.
  - 11. The method of claim 10, further comprising:
    - identifying groups the user belongs to,wherein comparing the authorization policy for the user with the privacy information and the requested type of access to the privacy information further comprises comparing the authorization policy for the user'"'"'s groups with the privacy information and the requested type of access to the privacy information.
  - 12. The method of claim 10 wherein the privacy information is contained in a directory service datastore and security information is contained in a relational datastore.
  - 13. The method of claim 12, further comprising:
    - migrating the information to be contained in the directory service datastore through inheritance; and
      
      creating auxiliary object classes in the directory service for holding properties of the security and privacy information in support of the authenticator.
  - 14. The method of claim 9, wherein the application is defined as a location-based services request and wherein the privacy information is defined as a customer location.
  - 15. The method of claim 9, wherein the application is defined as a service selected from a group of services consisting of push-to-talk, digital imaging, location-based services, internet access, text messaging, gaming services, ring-tone services, and a personalized web page.
  - 16. The method of claim 9, wherein the application is a push-to-talk application making the request and wherein the privacy information is defined as a buddy list.
  - 17. The method of claim 9, wherein the type of the access in the request for the privacy information is one of an access to view privacy information, delete privacy information, add privacy information, or to modify the privacy information.
  - 18. The method of claim 9, further comprising:
    - logging and monitoring the request for access to the privacy information.

19. A security proxy framework that bridges system requests for access to resources in a distributed network, comprising:
- one or more application servers, each configured to implement one or more applications that make requests for access to resources stored at a datastore in accordance a with inputs from one or more users, wherein the requested resource is privacy information;
  
  a security bridge configured to coupled to the one or more application servers and receive all of the requests for access to resources, to IP address of each application server making a request and identify an the application executing to make each request, and to verify using the ip address of each application server that each application server making a request has permission to access the requested resource, and that the application making a request has permission for a type of the request for the requested resource, wherein the type of the request is one of a plurality of types of requests;
  
  an authenticator server coupled to the security bridge configured to receive a portion of the requests from the security bridge to provide further verification; and
  
  the datastore coupled to the authenticator server and the security bridge and configured to receive the further verified requests from the authentication server and directly receive a remaining portion of the requests from the security bridge.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The system of claim 19, wherein the resource is privacy information and the portion of requests that are further verified include requests made from the one or more of the application servers that implement multiple applications.
  - 21. The system of claim 19, wherein the datastore only stores security and privacy data.
  - 22. The system of claim 19, wherein the security bridge further comprises:
    - a naming service for storing the IP address of the one or more application servers;
      
      a process rules set for storing which applications are allowed to be implemented on each of the application servers; and
      
      a password rules set for storing and verifying a proper format for any user identification and authorization information provided through the user inputs.
  - 23. The system of claim 19, further comprising:
    - a web server coupled to the authenticator server configured to provide the authenticator server identification and authorization information for external users.
  - 24. The system of claim 23, wherein the web server is further coupled to at least one of the one or more application servers for enabling the external user to implement at least one of the applications.
  - 25. The system of claim 23, further comprising:
    - a main policy store coupled to the authenticator server for storing a proper format for user identification and authorization information,wherein the authenticator server is further configured to verify the format of user identification and authorization information for the external users in accordance with the proper format stored in the main policy store.
  - 26. The system of claim 23, wherein the datastore is further configured to retrieve correct authorization information based on the identification provided by the authenticator server.
  - 27. The system of claim 26, wherein the authenticator server verifies the identity of the external user by comparing the authorization information provided by the external user with the correct authorization information provided by the datastore.
  - 28. The system of claim 19, wherein at least one of the one or more application servers is exclusively accessible by internal users, andwherein at least one of the users is an internal user.
  - 29. The system of claim 28, wherein the internal user does not provide any identification and authorization information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Boydstun, Kenneth C., Kuruvalli, Bharath N., Nguyen, Hiep
Primary Examiner(s)
Revak; Christopher

Application Number

US10/738,244
Time in Patent Office

1,350 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

Y10S 707/99939   Privileged access

Integrated security framework and privacy database scheme

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

94 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Integrated security framework and privacy database scheme

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others