System and method for incrementally distributing a security policy in a computer network
Abstract
A system and method for generating an updated version of, or reconstructing a previously enforced version of, a local client security policy stored in an application guard. A policy manager distributes a change (or an accumulation of changes) to the currently enforced version of the security policy through a network to the application guard. The application guard uses the distributed change to update the currently enforced version of the local client security policy. To reconstruct a previously enforced version of a local security policy, the policy manager generates a reversing delta equal to the reverse of the change (or accumulation of changes) from a previously enforced version to the currently enforced version of the security policy, and distributes the reversing delta through the network to the application guard. The application guard applies the distributed reversing delta to the currently enforced version to reconstruct the previously enforced version.
32 Claims
1. A system for updating a security policy in a distributed computing environment, comprising:
a policy manager, coupled to a network, including a global version of a security policy;
tracking means for recording a sequence of incremental changes to be made to the global version of the security policy at the policy manager;
computing means for pre-computing an accumulated delta based on the sequence of incremental changes to the global version of the security policy, said pre-computing being executed prior to updating the security policy;
updating means for combining the accumulated delta with the global version of the security policy to generate a second version of the security policy; and
a policy distributor for determining which application guard the sequence of incremental changes is applicable to and for transmitting the accumulated delta to the application guard through the network; and
the application guard, coupled to the network, for storing a local version of the security policy, said local version being a subset of the global version of the security policy;
receiving the accumulated delta distributed through the network;
updating the local version of the security policy by combining the received accumulated delta with the local version of the security policy to generate a copy of an updated local version of the security policy based on the sequence of incremental changes to the global version of the security policy; and
storing the updated local version of the security policy.
Dependent claims 2, 3, 4 and 5 are not shown.

6. A system for updating a plurality of security policies in a distributed computing environment, comprising:
a policy manager, coupled to a network, including a first version of each of a plurality of security policies;
tracking means for recording a sequence of incremental changes to be made to the first version of each security policy;
computing means for pre-computing a respective accumulated delta for each sequence of incremental changes, said pre-computing being executed prior to updating the first version of the security policy;
updating means for combining each accumulated delta with the first version of its respective security policy to generate a second version of the respective security policy; and
a policy distributor for determining which of a plurality of application guards the sequence of incremental changes is applicable to and for distributing each of the accumulated deltas to the application guards through the network; and
the plurality of application guards, coupled to the network, each storing a copy of the first version of one of the plurality of security policies;
receiving a respective accumulated delta distributed through the network;
updating the first version at each of the application guards by combining the received accumulated delta with the copy of the respective first version of the security policy to generate a copy of the respective second version of the security policy based on the sequence of incremental changes to the first version at the policy manager; and
storing the copy of the respective second version of the security policy.
Dependent claims 7, 8, 9 and 10 are not shown.

11. A system for reconstructing a security policy in a distributed computing environment, comprising:
a policy manager, coupled to a network, including a global version of a security policy;
tracking means for recording a sequence of incremental changes to be made to the global version of the security policy;
computing means for pre-computing an accumulated delta based on the sequence of incremental changes to the global version of the security policy, said pre-computing being executed prior to updating the global version of the security policy;
a policy change tracking table for storing the accumulated delta;
updating means for combining the accumulated delta with the global version of the security policy to generate a second version of the security policy stored in an enterprise policy data file;
reversing means for generating an accumulated reversing delta based on the sequence of incremental changes to the global version of the security policy;
updating means for combining the accumulated reversing delta with the second version of the security policy to reconstruct the global version of the security policy; and
a policy distributor for determining which application guard the sequence of incremental changes is applicable to and for distributing the accumulated delta and the accumulated reversing delta to the application guard through the network; and
the application guard, coupled to the network, for storing a copy of the local version of the security policy;
receiving the accumulated delta and the accumulated reversing delta distributed through the network;
updating the copy of the local version at the application guard by combining the accumulated delta with the copy of the local version of the security policy to generate a copy of an updated local version of the security policy in the application guard based on the sequence of incremental changes to the global security policy; and
combining the accumulated reversing delta with a copy of the updated local version of the security policy to reconstruct a copy of the local version of the security policy in the application guard.
Dependent claims 12, 13, 14 and 15 are not shown.

16. A system for reconstructing a plurality of security policies in a distributed computing environment, comprising:
a policy manager, coupled to a network, including a first version of each of a plurality of security policies;
tracking means for recording a sequence of incremental changes to the first version of each security policy;
computing means for pre-computing an accumulated delta for each sequence of incremental changes, said pre-computing being executed prior to updating the first version of each security policy;
updating means for combining each accumulated delta with the first version of its respective security policy to generate a second version of the respective security policy;
reversing means for generating a plurality of accumulated reversing deltas, each based on a sequence of incremental changes to the first version of a respective security policy;
updating means for combining each accumulated reversing delta with the second version of its respective security policy to reconstruct the first version of the respective security policy; and
a policy distributor for determining which of a plurality of application guards the sequence of incremental changes is applicable to and for distributing each accumulated delta and each accumulated reversing delta to the application guards through the network; and
the plurality of application guards, coupled to the network, each storing a copy of the first version of one of the security policies;
receiving a respective accumulated delta and a respective accumulated reversing delta distributed through the network; and
capable of updating the copy of the first version stored at each application guard by combining the received respective accumulated delta with the copy of the first version of the security policy stored in the application guard to generate a copy of the second version of the security policy in the application guard based on the sequence of incremental changes to the first version at the policy manager; and
combining the respective accumulated reversing delta with the copy of the second version of the security policy stored in the application guard to reconstruct a copy of the first version of the security policy in the application guard.
Dependent claims 17, 18, 19 and 20 are not shown.

21. A method for incrementally distributing a security policy in a distributed computing environment, comprising:
storing a global version of a security policy in a policy manager coupled to a network, and a local version of the security policy in an application guard coupled to the network;
recording a sequence of incremental changes to the global version of the security policy at the policy manager;
pre-computing an accumulated delta based on the sequence of incremental changes, said pre-computing being executed prior to updating the local version of the security policy stored in the application guard;
combining the accumulated delta with the global version of the security policy to generate an updated global version of the security policy;
determining, by the policy manager, which application guard the incremental changes are applicable to, based on the local version of the security policy stored on the application guard;
distributing the accumulated delta through the network to the application guard in order to update the local version of the security policy stored at the application guard;
receiving in the application guard the accumulated delta distributed through the network; and
updating the local version of the security policy at the application guard by combining the received accumulated delta with the copy of the local version of the security policy stored in the application guard to generate a copy of the updated local version of the security policy based on the series of incremental changes to the global version of the security policy.
Dependent claims 22 and 23 are not shown.

24. A method for incrementally distributing a plurality of security policies in a distributed computing environment, comprising:
storing a first version of each of a plurality of security policies in a policy manager coupled to a network;
storing a copy of the first version of each security policy in a respective application guard coupled to the network;
recording a sequence of incremental changes to the first version of each security policy at the policy manager;
pre-computing a plurality of accumulated deltas based on respective sequences of incremental changes, said pre-computing being executed prior to updating the security policy at the respective application guard;
combining each accumulated delta with the first version of its respective security policy to generate a second version of the respective security policy;
determining which of the application guards the sequence of incremental changes is applicable to;
distributing each of the accumulated deltas to the application guards through the network in order to update the security policy at the application guards;
receiving in each of the application guards a respective accumulated delta distributed through the network; and
updating the first version of the security policy by combining the respective accumulated delta with the copy of the first version of the security policy stored in the application guard to generate a copy of the second version of the security policy based on the sequence of incremental changes at the policy manager.
Dependent claims 25 and 26 are not shown.

27. A method for reconstructing a security policy in a distributed computing environment, comprising:
storing a global version of a security policy in a policy manager coupled to a network, and a local version in an application guard coupled to the network;
recording a sequence of incremental changes to be made to the global version of the security policy;
pre-computing an accumulated delta based on the sequence of incremental changes, said pre-computing being executed prior to updating the local version of the security policy at the application guard;
combining the accumulated delta with the global version of the security policy to generate a second global version of the security policy;
determining which application guard the sequence of incremental changes is applicable to;
distributing the accumulated delta through the network to the application guard in order to update the security policy at the application guard;
receiving the distributed accumulated delta in the application guard;
combining the accumulated delta with the local version of the security policy to generate a copy of an updated version of the security policy based on the sequence of incremental changes to the global security policy;
generating an accumulated reversing delta based on the sequence of incremental changes to the global version of the security policy;
combining the accumulated reversing delta with the updated global version of the security policy to reconstruct the global version of the security policy in the policy manager;
distributing the accumulated reversing delta through the network;
receiving the distributed accumulated reversing delta in the application guard; and
combining the accumulated reversing delta with the updated local version of the security policy to reconstruct the copy of the local version of the security policy in the application guard.
Dependent claims 28 and 29 are not shown.

30. A method for reconstructing a plurality of security policies in a distributed computing environment, comprising:
storing a first version of each of a plurality of security policies in a policy manager coupled to a network;
storing the first version of each security policy in a respective application guard coupled to the network;
recording a respective sequence of incremental changes to the first version of each security policy;
pre-computing a respective accumulated delta for each sequence of incremental changes, said pre-computing being executed prior to updating the first version of the security policy at the respective application guard;
combining each accumulated delta with the first version of its respective security policy to generate a second version of the respective security policy;
determining which application guards the sequence of incremental changes is applicable to;
distributing each of the accumulated deltas through the network to the application guards in order to update the security policy at the application guards;
receiving in each of the application guards a respective accumulated delta distributed through the network;
combining the received accumulated delta with the copy of the first version of the security policy to generate a copy of the second version of the security policy in each application guard based on the sequence of incremental changes at the policy manager;
generating a plurality of accumulated reversing deltas, each based on an accumulation of incremental changes to the first version of a respective security policy;
combining each accumulated reversing delta with the second version of its respective security policy to reconstruct the first version of the respective security policy;
distributing each of the accumulated reversing deltas through the network;
receiving in each of the application guards a respective accumulated reversing delta distributed through the network; and
combining the received accumulated reversing delta with the copy of the second version of the security policy to reconstruct the copy of the first version of the security policy in the application guard.
Dependent claims 31 and 32 are not shown.
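The update-then-reconstruct cycle described in the abstract and in method claims 21 and 27, as an added example that is not the patent's own code or implementation: the policy manager pre-computes an accumulated delta and the matching reversing delta from one change sequence, the distributor sends each application guard only the entries that touch its local subset, and the guard applies the reversing delta to get its previous version back. The rule format, the `"<app>:<n>"` rule ids, the sample rules and the function names `accumulate`, `apply_delta`, `applicable` and `run_demo` are all assumptions made here.

```python
# Added example, not code from the patent: an accumulated delta and its
# reversing delta for a rule-keyed security policy (abstract, claims 21/27).
# Policy format, rule ids ("<app>:<n>") and sample rules are constructed.
# A policy version is a dict: rule_id -> (subject, action, decision).
# An incremental change is ("set", rule_id, rule) or ("del", rule_id).

def accumulate(policy, changes):
    """Pre-compute one accumulated delta from a change sequence against
    `policy`, plus the reversing delta that undoes it. Later changes to a rule
    supersede earlier ones; a rule changed and then changed back is dropped."""
    delta, reverse = {}, {}
    for change in changes:
        op, rule_id = change[0], change[1]
        if rule_id not in reverse:  # record the pre-change state only once
            reverse[rule_id] = ("set", policy[rule_id]) if rule_id in policy else ("del",)
        delta[rule_id] = ("set", change[2]) if op == "set" else ("del",)
    for rule_id in [r for r in delta if delta[r] == reverse[r]]:
        del delta[rule_id], reverse[rule_id]
    return delta, reverse

def apply_delta(policy, delta):
    """Combine a delta with a policy version; returns the new version."""
    new = dict(policy)
    for rule_id, entry in delta.items():
        if entry[0] == "set":
            new[rule_id] = entry[1]
        else:
            new.pop(rule_id, None)
    return new

def applicable(entries, app):
    """Policy distributor: keep only entries for the subset one application
    guard holds (the rules of one app). Works on a delta or a policy version."""
    return {r: e for r, e in entries.items() if r.split(":")[0] == app}

# Constructed sample: the manager's global version and a change sequence.
GLOBAL_V1 = {"hr:1": ("alice", "read", "allow"), "hr:2": ("bob", "write", "deny"),
             "fin:1": ("carol", "read", "allow")}
CHANGES = [("set", "hr:2", ("bob", "write", "allow")),
           ("del", "hr:1"),
           ("set", "fin:2", ("dave", "read", "allow")),
           ("set", "fin:2", ("dave", "read", "deny")),    # supersedes the set above
           ("set", "fin:1", ("carol", "read", "deny")),
           ("set", "fin:1", ("carol", "read", "allow"))]  # net no-op, dropped

def run_demo(app="hr"):
    """Update the global version and one guard's local subset, then reconstruct."""
    delta, reverse = accumulate(GLOBAL_V1, CHANGES)
    global_v2 = apply_delta(GLOBAL_V1, delta)
    local_v1 = applicable(GLOBAL_V1, app)                # the guard's local subset
    local_v2 = apply_delta(local_v1, applicable(delta, app))
    restored = apply_delta(local_v2, applicable(reverse, app))
    return delta, global_v2, local_v2, restored
```

Because each delta holds at most one entry per rule, the guard can apply it without replaying the original change sequence, and the reversing delta restores exactly the version the delta was computed against, not an arbitrary earlier one.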