System and method for maintaining security in a distributed computer network
Abstract
A system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. In the preferred embodiment, a global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages access to the securable components as specified by the local policy.
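The flow described in the abstract and the independent claims (derive a smaller local policy, match subject/object/privilege against grant and deny rules, push only the changed rules) can be modelled as follows. This is an added example, not code from the patent or from any product implementing it. The `Rule` layout, the `application/resource` object naming, the `*` wildcard, and the deny-wins, default-deny evaluation are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str     # "grant" or "deny"
    subject: str    # "*" matches any subject (assumed wildcard convention)
    obj: str        # "<application>/<resource>" (assumed naming scheme)
    privilege: str

def local_policy(global_policy, app):
    """Policy manager: keep only the rules whose object belongs to `app`."""
    return {r for r in global_policy if r.obj.split("/", 1)[0] == app}

def authorize(policy, subject, obj, privilege):
    """Application guard: match (subject, object, privilege) to local rules.
    Assumed semantics: a matching deny wins; no matching grant means no access."""
    hits = {r.effect for r in policy
            if r.subject in ("*", subject)
            and r.obj == obj and r.privilege == privilege}
    return "grant" in hits and "deny" not in hits

def policy_delta(old_global, new_global, app):
    """Policy manager: the changed portion that concerns one guard."""
    old, new = local_policy(old_global, app), local_policy(new_global, app)
    return {"add": new - old, "remove": old - new}

def apply_delta(policy, delta):
    """Application guard: apply a committed delta to its local rule set."""
    return (set(policy) - delta["remove"]) | delta["add"]

# Constructed sample global policy covering two applications.
GLOBAL_V1 = {
    Rule("grant", "*", "payroll/report", "read"),
    Rule("deny", "contractor", "payroll/report", "read"),
    Rule("grant", "alice", "payroll/salary", "update"),
    Rule("grant", "bob", "crm/account", "read"),
}
# Constructed modification: one payroll rule revoked, one added; crm untouched.
GLOBAL_V2 = (GLOBAL_V1 - {Rule("grant", "alice", "payroll/salary", "update")}) | {
    Rule("grant", "carol", "payroll/salary", "read")}

if __name__ == "__main__":
    guard = local_policy(GLOBAL_V1, "payroll")
    print(len(guard), "of", len(GLOBAL_V1), "rules sent to the payroll guard")
    print("crm delta:", policy_delta(GLOBAL_V1, GLOBAL_V2, "crm"))
    guard = apply_delta(guard, policy_delta(GLOBAL_V1, GLOBAL_V2, "payroll"))
    print("alice may update salary:",
          authorize(guard, "alice", "payroll/salary", "update"))
```

The guard for an application whose rules did not change receives an empty delta, which is the bandwidth and consistency benefit of committing only the changed portion.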
32 Claims
1. A system for maintaining security in a distributed computing environment, comprising:
an application guard located at a client to manage access by individual transactions to securable components at a client level as specified by a local security policy, the securable components including at least one application wherein said application guard is integrated into said application and controls access to the application with which the application guard is integrated;
a policy manager stored on one or more nonvolatile memories located on a server to;
create a local security policy derived from a global security policy, said global security policy including a plurality of rules applicable to all application guards in the system, wherein creating the local security policy includes determining which of the plurality of rules of the global security policy are applicable to a particular application guard such that the local security policy contains a fewer number of rules than said global security policy; and
distribute the local security policy to said client wherein the local security policy includes the rules customized to the application guard, said rules including a set of grant rules that allow access to securable components and a set of deny rules that prevent access to said securable components; and
wherein the application guard receives an authorization request including a subject, an object and a privilege and evaluates said request by matching the rules received from the policy manager to said subject, said object and said privilege in order to control access to said application integrated with the application guard, and
wherein the policy manager further receives a modification on an existing global security policy;
computes any differences caused by the modification on the global security policy; and
commits only the changed portion of the global security policy to an appropriate application guard.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A method for maintaining security in a distributed computing environment, comprising:
receiving a global security policy that includes a plurality of rules for regulating access to securable components in the system, the securable components including at least one application wherein said rules of the global security policy apply to all application guards in the distributed computing environment;
creating a local security policy via a policy manager located on a server, the local security policy including a plurality of rules customized to a client wherein creating the local security policy includes customizing the local security policy by determining which of the rules from the global security policy are applicable to a specific application guard located on the client such that the local security policy contains a fewer number of rules than said global security policy;
distributing the local security policy to the client;
receiving an authorization request by the application guard, the authorization request including a subject, an object and a privilege wherein said application guard is integrated into said application and controls access to the application with which the application guard is integrated;
managing access as specified by the local security policy via the application guard located at the client to securable components wherein managing access includes comparing the subject, object and privilege to the rules of the local security policy;
receiving a modification on an existing global security policy;
computing any differences caused by the modification on the global security policy; and
committing only the changed portion of the global security policy to an appropriate application guard.
Dependent claims: 12, 13, 14, 15, 16

17. A method for maintaining security in a distributed computing environment, comprising the steps of:
receiving a global security policy that includes a plurality of rules for regulating access to securable components in the system, the securable components including at least one application wherein said rules of the global security policy apply to all application guards in the distributed computing environment;
providing a policy manager located on a server to create a local security policy including a plurality of rules customized to a client wherein creating the local security policy includes customizing the local security policy by determining which of the rules from the global security policy are applicable to a specific application guard located on the client such that the local security policy contains a fewer number of rules than said global security policy;
distributing the local security policy to the client;
providing an application guard located at the client to manage access to securable components at a client level as specified by the local security policy, said application guard being integrated into said application and controlling access to the application with which the application guard is integrated;
receiving an authorization request by the application guard, said authorization request including a subject, an object and a privilege; and
controlling access to the securable components by matching the subject, object and privilege to the rules of the local security policy by the application guard;
receiving a modification on an existing global security policy;
computing any differences caused by the modification on the global security policy; and
committing only the changed portion of the global security policy to an appropriate application guard.
Dependent claims: 18, 19, 20, 21, 22, 23, 24

25. A computer readable storage medium having stored thereon a set of instructions to execute a method for maintaining security in a distributed computing environment comprising the steps of:
receiving a global security policy that includes a plurality of rules for regulating access to securable components in the system, the securable components including at least one application wherein said rules of the global security policy apply to all application guards in the distributed computing environment;
creating a local security policy via a policy manager located on a server, the local security policy including a plurality of rules customized to a client wherein creating the local security policy includes customizing the local security policy by determining which of the rules from the global security policy are applicable to an application guard located on the client such that the local security policy contains a fewer number of rules than said global security policy;
distributing the local security policy to the client;
receiving an access request by the application guard, said access request including a subject, an object and a privilege wherein said application guard is integrated into said application and controls access to the application with which the application guard is integrated;
matching the access request to at least one rule selected from the rules of the local security policy in order to manage access as specified by the local security policy via the application guard located at the client to securable components;
receiving a modification on an existing global security policy;
computing any differences caused by the modification on the global security policy; and
committing only the changed portion of the global security policy to an appropriate application guard.
Dependent claims: 26, 27, 28, 29, 30, 31, 32

Specification