System and method for maintaining security in a distributed computer network

US 7,506,357 B1
Filed: 11/22/2000
Issued: 03/17/2009
Est. Priority Date: 10/28/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for maintaining security in a distributed computing environment, comprising:

an application guard located at a client to manage access by individual transactions to securable components at a client level as specified by a local security policy, the securable components including at least one application wherein said application guard is integrated into said application and controls access to the application with which the application guard is integrated;

a policy manager stored on one or more nonvolatile memories located on a server to;

create a local security policy derived from a global security policy, said global security policy including a plurality of rules applicable to all application guards in the system, wherein creating the local security policy includes determining which of the plurality of rules of the global security policy are applicable to a particular application guard such that the local security policy contains a fewer number of rules than said global security policy; and

distribute the local security policy to said client wherein the local security policy includes the rules customized to the application guard, said rules including a set of grant rules that allow access to securable components and a set of deny rules that prevent access to said securable components; and

wherein the application guard receives an authorization request including a subject, an object and a privilege and evaluates said request by matching the rules received from the policy manager to said subject, said object and said privilege in order to control access to said application integrated with the application guard, andwherein the policy manager furtherreceives a modification on an existing global security policy;

computes any differences caused by the modification on the global security policy; and

commits only the changed portion of the global security policy to an appropriate application guard.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. In the preferred embodiment, a global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages access to the securable components as specified by the local policy.

240 Citations

32 Claims

1. A system for maintaining security in a distributed computing environment, comprising:
- an application guard located at a client to manage access by individual transactions to securable components at a client level as specified by a local security policy, the securable components including at least one application wherein said application guard is integrated into said application and controls access to the application with which the application guard is integrated;
  
  a policy manager stored on one or more nonvolatile memories located on a server to;
  
  create a local security policy derived from a global security policy, said global security policy including a plurality of rules applicable to all application guards in the system, wherein creating the local security policy includes determining which of the plurality of rules of the global security policy are applicable to a particular application guard such that the local security policy contains a fewer number of rules than said global security policy; and
  
  distribute the local security policy to said client wherein the local security policy includes the rules customized to the application guard, said rules including a set of grant rules that allow access to securable components and a set of deny rules that prevent access to said securable components; and
  
  wherein the application guard receives an authorization request including a subject, an object and a privilege and evaluates said request by matching the rules received from the policy manager to said subject, said object and said privilege in order to control access to said application integrated with the application guard, andwherein the policy manager furtherreceives a modification on an existing global security policy;
  
  computes any differences caused by the modification on the global security policy; and
  
  commits only the changed portion of the global security policy to an appropriate application guard.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 wherein said securable components further include a function within the application as specified by the security policy.
  - 3. The system of claim 1 including a procedure within the application as specified by the security policy.
  - 4. The system of claim 1 including a data structure within the application as specified by the security policy.
  - 5. The system of claim 1 including a database object referenced by the application as specified by the security policy.
  - 6. The system of claim 1 including a file system object referenced by the application as specified by the security policy.
  - 7. The system of claim 1, wherein the application guard further allows for additional customized code to process and evaluate authorization requests based on the additional customized code.
  - 8. The system of claim 7, wherein the global policy specifies access privileges of a user to securable components.
  - 9. The system of claim 1 wherein said policy manager is further capable of optimizing said global security policy into an optimized form, wherein the optimized form only distributes attributes relevant to a specific application guard.
  - 10. The system of claim 1 wherein said application guard is further capable of being associated with plug-ins to allow for additional capabilities based on customized code.

11. A method for maintaining security in a distributed computing environment, comprising:
- receiving a global security policy that includes a plurality of rules for regulating access to securable components in the system, the securable components including at least one application wherein said rules of the global security policy apply to all application guards in the distributed computing environment;
  
  creating a local security policy via a policy manager located on a server, the local security policy including a plurality of rules customized to a client wherein creating the local security policy includes customizing the local security policy by determining which of the rules from the global security policy are applicable to a specific application guard located on the client such that the local security policy contains a fewer number of rules than said global security policy;
  
  distributing the local security policy to the client;
  
  receiving an authorization request by the application guard, the authorization request including a subject, an object and a privilege wherein said application guard is integrated into said application and controls access to the application with which the application guard is integrated;
  
  managing access as specified by the local security policy via the application guard located at the client to securable components wherein managing access includes comparing the subject, object and privilege to the rules of the local security policy;
  
  receiving a modification on an existing global security policy;
  
  computing any differences caused by the modification on the global security policy; and
  
  committing only the changed portion of the global security policy to an appropriate application guard.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11 wherein the securable components include a function within the application as specified by the security policy.
  - 13. The method of claim 11 including a procedure within the application as specified by the security policy.
  - 14. The method of claim 11 including a data structure within the application as specified by the security policy.
  - 15. The method of claim 11 including a database object referenced by the application as specified by the security policy.
  - 16. The method of claim 11 including a file system object referenced by the application as specified by the security policy.

17. A method for maintaining security in a distributed computing environment, comprising the steps of:
- receiving a global security policy that includes a plurality of rules for regulating access to securable components in the system, the securable components including at least one application wherein said rules of the global security policy apply to all application guards in the distributed computing environment;
  
  providing a policy manager located on a server to create a local security policy including a plurality of rules customized to a client wherein creating the local security policy includes customizing the local security policy by determining which of the rules from the global security policy are applicable to a specific application guard located on the client such that the local security policy contains a fewer number of rules than said global security policy;
  
  distributing the local security policy to the client;
  
  providing an application guard located at the client to manage access to securable components at a client level as specified by the local security policy, said application guard being integrated into said application and controlling access to the application with which the application guard is integrated;
  
  receiving an authorization request by the application guard, said authorization request including a subject, an object and a privilege; and
  
  controlling access to the securable components by matching the subject, object and privilege to the rules of the local security policy by the application guard;
  
  receiving a modification on an existing global security policy;
  
  computing any differences caused by the modification on the global security policy; and
  
  committing only the changed portion of the global security policy to an appropriate application guard.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The method of claim 17 wherein the securable components include a function within the application as specified by the security policy.
  - 19. The method of claim 17 including a procedure within the application as specified by the security policy.
  - 20. The method of claim 17 including a data structure within the application as specified by the security policy.
  - 21. The method of claim 17 including a database object referenced by the application as specified by the security policy.
  - 22. The method of claim 17 including a file system object referenced by the application as specified by the security policy.
  - 23. The method of claim 17, wherein the application guard further allows for additional customized code to process and evaluate authorization requests based on the additional customized code.
  - 24. The method of claim 23, wherein the global policy specifies access privileges of a user to securable components.

25. A computer readable storage medium having stored thereon a set of instructions to execute a method for maintaining security in a distributed computing environment comprising the steps of:
- receiving a global security policy that includes a plurality of rules for regulating access to securable components in the system, the securable components including at least one application wherein said rules of the global security policy apply to all application guards in the distributed computing environment;
  
  creating a local security policy via a policy manager located on a server, the local security policy including a plurality of rules customized to a client wherein creating the local security policy includes customizing the local security policy by determining which of the rules from the global security policy are applicable to an application guard located on the client such that the local security policy contains a fewer number of rules than said global security policy;
  
  distributing the local security policy to the client;
  
  receiving an access request by the application guard, said access request including a subject, an object and a privilege wherein said application guard is integrated into said application and controls access to the application with which the application guard is integrated;
  
  matching the access request to at least one rule selected from the rules of the local security policy in order to manage access as specified by the local security policy via the application guard located at the client to securable components;
  
  receiving a modification on an existing global security policy;
  
  computing any differences caused by the modification on the global security policy; and
  
  committing only the changed portion of the global security policy to an appropriate application guard.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The computer readable storage medium of claim 25 wherein the securable components include a function within the application as specified by the security policy.
  - 27. The computer readable storage medium of claim 25 including a procedure within the application as specified by the security policy.
  - 28. The computer readable storage medium of claim 25 including a data structure within the application as specified by the security policy.
  - 29. The computer readable storage medium of claim 25 including a database object referenced by the application as specified by the security policy.
  - 30. The computer readable storage medium of claim 25 including a file system object referenced by the application as specified by the security policy.
  - 31. The computer readable storage medium of claim 25, wherein the application guard further allows for additional customized code to process and evaluate authorization requests based on the additional customized code.
  - 32. The computer readable storage medium of claim 31, wherein the global policy specifies access privileges of a user to securable components.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Moriconi, Mark, Qian, Shelly
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US09/721,557
Time in Patent Office

3,037 Days
Field of Search

713200-202, 713/189, 709/223, 726/1
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2117   User registration

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2151   Time stamp

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

Y10S 707/99939   Privileged access

System and method for maintaining security in a distributed computer network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

240 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for maintaining security in a distributed computer network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

240 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links