Locally adaptable central security management in a heterogeneous network environment

US 7,308,702 B1
Filed: 01/14/2000
Issued: 12/11/2007
Est. Priority Date: 01/14/2000
Status: Expired due to Fees

First Claim

Patent Images

1. In a system having a computer and one or more security mechanisms, a computer-implemented method of defining and enforcing a security policy, the method comprising:

encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism using an application layer;

combining keys to form key chains;

encapsulating key chains as keys and passing the key chain keys to another semantic layer;

defining the security policy, wherein defining includes forming key chains from keys and associating users with key chains;

importing a key from the semantic layer to a local policy layer;

executing, within a computer, translation software, wherein the translation software translates the security policy and exports the translated security policy to the security mechanisms; and

enforcing the security policy via the security mechanisms.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for defining and enforcing a security policy. Security mechanism application specific information for each security mechanism is encapsulated as a key and exported to a semantic layer. Keys are combined to form key chains within the semantic layer. The key chains are in turn encapsulated as keys and passed to another semantic layer. A security policy is defined by forming key chains from keys and associating users with the key chains. The security policy is translated and exported to the security mechanisms. The security policy is then enforced via the security mechanisms.

Citations

34 Claims

1. In a system having a computer and one or more security mechanisms, a computer-implemented method of defining and enforcing a security policy, the method comprising:
- encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism using an application layer;
  
  combining keys to form key chains;
  
  encapsulating key chains as keys and passing the key chain keys to another semantic layer;
  
  defining the security policy, wherein defining includes forming key chains from keys and associating users with key chains;
  
  importing a key from the semantic layer to a local policy layer;
  
  executing, within a computer, translation software, wherein the translation software translates the security policy and exports the translated security policy to the security mechanisms; and
  
  enforcing the security policy via the security mechanisms.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the security mechanisms are located on one or more distributed computer networks.
  - 3. The method of claim 1 wherein the security mechanisms are heterogeneous.
  - 4. The method of claim 1, wherein defining the security policy further includes drilling down into a next lower semantic layer to form a new key chain.
  - 5. The method of claim 1 wherein the security policy is defined using a graphical user interface.
  - 6. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method of claim 1.

7. A computer-based security system for a computer network, the computer-based security system comprising:
- a computer;
  
  a plurality of security mechanisms;
  
  a plurality of semantic layers within a model implemented on the computer network, wherein the two or more of the semantic layers include keys combinable into key chains, the key chains are able to be encapsulated as key chain keys, and the key chain keys are exportable to another semantic layer, wherein the model also includes an application layer to encapsulate a security mechanism into a key and a local policy layer to associate a user to a key wherein each key encapsulates security mechanism application specific information for a security mechanism;
  
  a user interface for defining a security policy as a function of keys received from a lower semantic layer; and
  
  a translator, implemented on the computer, for translating the security policy to the security mechanisms.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The system according to claim 7 wherein the user interface is a graphical user interface.
  - 9. The system according to claim 7 wherein the security policy is a role-based access control model.
  - 10. The system of claim 7 wherein the semantic layers form a poset.
  - 11. The system of claim 7 wherein the user interface includes means for drilling down into a lower semantic layer to form a new key chain.

12. A computer-based security system for a computer network, the computer-based security system comprising:
- a computer;
  
  a model implemented on the computer network, the model comprising semantic layers for defining different security policies and constraints for each type of user, wherein the model comprises a static application policy layer, two or more semantic policy layers, and a dynamic local policy layer;
  
  a tool for manipulating the model, wherein the tool is configured to;
  
  encapsulate security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism;
  
  combine keys to form key chains;
  
  encapsulate key chains as key chain keys within two or more semantic layers;
  
  pass the key chain keys to other semantic layers;
  
  form user key chains from the key chain keys; and
  
  associate users with the user key chains; and
  
  a translator, implemented on the computer, for translating security policies from the model to security mechanisms in one or more computer resources.
- View Dependent Claims (13)
- - 13. The system of claim 12 wherein the model represents a set of access rights for a computer resource as a key and the model represents a set of keys as a key chain.

14. A computer-implemented method of defining a security policy, the method comprising:
- defining an application policy layer and a plurality of semantic policy layers, including a first semantic policy layer and a second semantic layer;
  
  encapsulating a set of access rights for a computer resource as a key;
  
  combining keys to form one or more key chains within the application policy layer;
  
  executing software within a computer to export key chains in the application policy layer as a key;
  
  importing at least one key from the application policy layer into the first semantic policy layer;
  
  combining one or more keys in the first semantic policy layer to form a key chain;
  
  exporting key chains in the first semantic policy layer as keys;
  
  importing at least one key into the second semantic policy layer;
  
  combining one or more keys in the second semantic policy layer to form a key chain;
  
  exporting key chains in the second semantic policy layer as keys;
  
  importing at least one key from the second semantic policy layer to a local policy layer;
  
  combining one or more keys in the local policy layer to form one or more local policy key chains; and
  
  assigning users to local policy key chains in the local policy layer.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method of claim 14 wherein combining one or more keys to form a key chain includes combining a key chain with the one or more keys to form another key chain.
  - 16. The method of claim 14 wherein combining one or more keys in the first semantic layer includes combining a key chain with the one or more keys to form another key chain.
  - 17. The method of claim 14 wherein combining one or more keys to form a key chain includes associating a constraint with the key chain, wherein the constraint must be satisfied before access to a computer resource governed by the key chain is granted.
  - 18. The method of claim 14 wherein encapsulating includes grouping methods into handles and handles into keys.
  - 19. The method of claim 18 wherein each key chain includes handles for different computer resources.
  - 20. The method of claim 14 wherein combining one or more keys to form a key chain includes marking the key chain as abstract, wherein key chains marked as abstract are not exported to other layers.
  - 21. The method of claim 14 further comprising combining one or more keys and key chains in the local policy layer to form a new key chain in the local policy layer.
  - 22. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method of claim 14.

23. A computer-implemented method of defining a security policy, the method comprising:
- defining an application policy layer and a semantic policy layer;
  
  encapsulating a set of access rights for a computer resource as a key;
  
  combining keys to form one or more key chains within the application policy layer;
  
  executing software within a computer to export key chains in the application policy layer as a key;
  
  importing at least one key from the application policy layer into the semantic policy layer;
  
  combining one or more keys in the semantic policy layer to form a key chain;
  
  exporting key chains in the semantic policy layer as keys;
  
  importing at least one key from the semantic policy layer to a local policy layer;
  
  combining one or more keys in the local policy layer to form one or more local policy key chains; and
  
  assigning users to local policy key chains in the local policy layer.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 24. The method of claim 23 wherein combining one or more keys in the semantic policy layer to form a key chain includes combining a key chain with the one or more keys to form another key chain.
  - 25. The method of claim 23 wherein combining one or more keys in the local policy layer to form a key chain includes combining a key chain with the one or more keys to form another key chain.
  - 26. The method of claim 23 wherein combining one or more keys in the semantic policy layer to form a key chain includes associating a constraint with the key chain, wherein the constraint must be satisfied before access to a computer resource governed by the key chain is granted.
  - 27. The method of claim 23 wherein combining one or more keys in the local policy layer to form a key chain includes associating a constraint with the key chain, wherein the constraint must be satisfied before access to a computer resource governed by the key chain is granted.
  - 28. The method of claim 23 wherein encapsulating includes grouping methods into handles and handles into keys.
  - 29. The method of claim 28 wherein each key chain includes handles for different computer resources.
  - 30. The method of claim 23 wherein combining one or more keys to form a key chain includes marking the key chain as abstract, wherein key chains marked as abstract are not exported to other layers.
  - 31. The method of claim 23 further comprising combining one or more keys and key chains in the local policy layer to form a new key chain in the local policy layer.
  - 32. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method of claim 23.

33. A computer-implemented method of modifying a security policy, the method comprising:
- defining an application policy layer and a semantic policy layer;
  
  encapsulating a set of access rights for a computer resource as a key;
  
  combining keys to form one or more key chains within the application policy layer;
  
  executing software within a computer to export key chains in the application policy layer as a key;
  
  importing at least one key from the application policy layer into the semantic policy layer;
  
  combining one or more keys in the semantic policy layer to form a key chain;
  
  exporting key chains in the semantic policy layer as keys;
  
  importing at least one key from the semantic policy layer to a local policy layer;
  
  combining one or more keys in the local policy layer to form one or more local policy key chains;
  
  assigning users to local policy key chains in the local policy layer;
  
  constructing a role hierarchy by sorting the key chains into a partial ordering based on set containment;
  
  displaying the partial ordering as a role hierarchy graph; and
  
  adding and deleting keys from the role hierarchy graph.
- View Dependent Claims (34)
- - 34. An article comprising a computer readable medium having instructions thereon, wherein the instructions, when executed in a computer, create a system for executing the method of claim 33.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
O'Brien, Richard, Payne, Charles, Thomsen, Daniel Jay, Bogle, Jessica
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Simitoski; Michael J

Application Number

US09/483,164
Time in Patent Office

2,888 Days
Field of Search

707 6- 9, 713200-201, 713164-167, 705 6- 9, 709/229, 726/1, 726/6
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6236   between heterogeneous systems

G06Q 10/06   Resources, workflows, human...

H04L 63/06   for supporting key manageme...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Y10S 707/99939   Privileged access

Locally adaptable central security management in a heterogeneous network environment

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Locally adaptable central security management in a heterogeneous network environment

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links