System and method for maintaining security in a distributed computer network

US 7,673,323 B1
Filed: 12/13/2001
Issued: 03/02/2010
Est. Priority Date: 10/28/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for maintaining security in a distributed computing environment, comprising:

(1) a policy manager, coupled to a network, including a database for storing a security policy including a plurality of rules that control user access to applications; and

a policy distributor, coupled to the database, for distributing the plurality of rules through the network, wherein the policy manager comprises a processor;

(2) a security engine located on a client coupled to the network and stored on a computer readable storage medium, said security engine storing a set of the plurality of rules constituting a local customized security policy received through the network from the policy distributor, and enforcing the local customized security policy with respect to an application at the client wherein enforcing the local customized security policy includes evaluating an access request by matching it to one or more of the plurality of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and

(3) the application, coupled to the security engine, wherein the security engine guards access to the particular application to which said security engine is coupled, each separate application in the system being guarded by a different access authorization service such that separate applications do not share authorization services; and

wherein the security policy is updated by recording a series of incremental changes to the security policy, determining which of said incremental changes are applicable to said security engine, computing an accumulated delta that reflects the series of incremental changes applicable to said security engine and sending the accumulated delta to the security engine from the policy manager such that the security engine uses the accumulated delta to update the local customized security policy,wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the policy manager and sending the accumulated reversing delta to the security engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. In the preferred embodiment, a global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages access to the securable components as specified by the local policy.

284 Citations

20 Claims

1. A system for maintaining security in a distributed computing environment, comprising:
- (1) a policy manager, coupled to a network, including a database for storing a security policy including a plurality of rules that control user access to applications; and
  
  a policy distributor, coupled to the database, for distributing the plurality of rules through the network, wherein the policy manager comprises a processor;
  
  (2) a security engine located on a client coupled to the network and stored on a computer readable storage medium, said security engine storing a set of the plurality of rules constituting a local customized security policy received through the network from the policy distributor, and enforcing the local customized security policy with respect to an application at the client wherein enforcing the local customized security policy includes evaluating an access request by matching it to one or more of the plurality of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
  
  (3) the application, coupled to the security engine, wherein the security engine guards access to the particular application to which said security engine is coupled, each separate application in the system being guarded by a different access authorization service such that separate applications do not share authorization services; and
  
  wherein the security policy is updated by recording a series of incremental changes to the security policy, determining which of said incremental changes are applicable to said security engine, computing an accumulated delta that reflects the series of incremental changes applicable to said security engine and sending the accumulated delta to the security engine from the policy manager such that the security engine uses the accumulated delta to update the local customized security policy,wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the policy manager and sending the accumulated reversing delta to the security engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the rules are stored separate from the application rather than being embedded in the application.
  - 3. The system of claim 1, wherein the security engine further comprises:
    - an engine for evaluating a request to access the application based on the set of the plurality of rules; and
      
      an application programming interface (API) for enabling the application and the engine to communicate.
  - 4. The system of claim 3, wherein the security engine further comprises:
    - a plug-in application programming interface (API) for extending capabilities of the security engine.
  - 5. The system of claim 1, further comprising location means for enabling components in the system to locate each other through the network.
  - 6. The system of claim 1, wherein the policy manager and the policy distributor are hosted on a first server, the security engine and the application are hosted on a second server, and the first and second servers are communicatively coupled to each other through the network.

7. A system for maintaining security for an application in a distributed computing environment, comprising:
- an engine located at a client coupled to a network and stored on a computer readable storage medium, the engine storing a set of rules constituting a local customized policy received through the network from a centralized location, and enforcing the local customized policy at an application level of the client, wherein the centralized location comprises a processor;
  
  an interface coupled to the engine for evaluating the local customized policy in order to control access to an application at the client wherein evaluating the local customized policy includes matching an access request to one or more of the plurality of rules of the local customized policy and granting or denying access to the application based on the evaluation; and
  
  the application, coupled to the interface so as to communicate with the engine, wherein the engine guards access to the application that is coupled to said interface each separate application in the system being guarded by a different access authorization service such that separate applications do not share authorization services;
  
  wherein the local customized policy is updated by keeping track of incremental changes to the policy, determining which of said incremental changes are applicable to said engine, computing an accumulated delta that reflects all the incremental changes applicable to said engine and sending the accumulated delta to the engine from the centralized location such that the engine uses the delta to update the local customized policy,wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the centralized location and sending the accumulated reversing delta to the engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
- View Dependent Claims (8, 9)
- - 8. The system of claim 7, wherein the engine stores the rules separate from the application rather than being embedded in the application.
  - 9. The system of claim 7, further comprising:
    - a plug-in application programming interface (plug-in API) for extending capabilities of the security engine.

10. A computer implemented method for maintaining security in a distributed computing environment, comprising:
- maintaining a policy manager coupled to a network, including a database for storing a security policy and a policy distributor, coupled to the database, for distributing a portion of the security policy through the network, wherein the policy manager comprises a processor;
  
  maintaining a security engine located on a client coupled to the network, storing a local customized security policy received through the network from the policy distributor, and enforcing the local customized security policy with respect to an application at the client wherein enforcing the local customized security policy includes evaluating an access request by matching it to one or more of the plurality of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
  
  maintaining the application, coupled to the security engine, wherein the security engine guards access to the particular application to which said security engine is coupled, each separate application in the system being guarded by a different access authorization service such that separate applications do not share authorization services; and
  
  receiving a series of incremental changes to the security policy at the policy manager;
  
  determining which of said series of incremental changes are applicable to said security engine;
  
  computing an accumulated delta that reflects the series of incremental changes that are applicable to said security engine; and
  
  distributing the accumulated delta to the security engine on the client wherein the security engine uses the delta to update the local customized security policy, wherein each incremental changes to a security policy includes one or more rule changes in a security policy, and wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the policy manager and sending the accumulated reversing delta to the security engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, further comprising:
    - storing the accumulated delta in a policy change tracking table before distributing it to the security engine.
  - 12. The method of claim 11, further comprising:
    - reconstructing an updated local customized security policy back to a previously distributed version by using the accumulated delta stored in the policy change tracking table.
  - 13. The method of claim 10 wherein the security policy includes a plurality of rules for controlling access to securable objects.
  - 14. The method of claim 13 wherein the series of incremental changes include at least one or more of adding a rule, deleting a rule and amending a rule.

15. A computer implemented method for maintaining security in a distributed computing environment, comprising:
- maintaining an engine at a client coupled to a network, the engine to store a set of rules constituting a local customized policy received through the network from a centralized location, and enforce the local customized policy at an application level of the client, wherein the centralized location comprises a processor;
  
  maintaining an interface coupled to the engine for evaluating the local customized policy in order to control access to securable components wherein evaluating the local customized policy includes matching an access request to one or more of the set of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
  
  maintaining the application, coupled to the interface so as to communicate with the engine, wherein the engine guards access to the application that is coupled to said interface each separate application being guarded by a different access authorization service such that separate applications do not share authorization services;
  
  receiving a series of incremental changes to the set of rules at the centralized location;
  
  determining which of said incremental changes are applicable to said engine;
  
  computing an accumulated delta to reflect the series of incremental changes that are applicable to said engine; and
  
  communicating the accumulated delta to the engine at the client such that the engine employs the accumulated delta to update the local customized policy,wherein each incremental change to a policy includes one or more rule changes in a policy, and wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the centralized location and sending the accumulated reversing delta to the engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, further comprising:
    - storing the accumulated delta in a policy change tracking table before distributing it to the engine.
  - 17. The method of claim 16, further comprising:
    - reconstructing an updated local customized policy back to a previously distributed version by employing the accumulated delta stored in the policy change tracking table.
  - 18. The method of claim 15 wherein the series of incremental changes include at least one or more of adding a rule, deleting a rule and amending a rule.

19. A non-transitory computer readable storage medium having instructions stored thereon which when executed by one or more processors cause a system to:
- maintain a policy manager coupled to a network, including a database storing a security policy and a policy distributor, coupled to the database, for distributing a portion of the security policy through the network, wherein the policy manager comprises a processor;
  
  maintain a security engine located on a client coupled to the network, for storing a local customized security policy received through the network from the policy distributor, and enforcing the local customized security policy with respect to an application at the client wherein enforcing the local customized security policy includes evaluating an access request by matching it to one or more of the plurality of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
  
  maintain the application, coupled to the security engine, wherein the security engine guards access to the particular application to which said security engine is coupled, each separate application being guarded by a different access authorization service such that separate applications do not share authorization services; and
  
  receive a series of incremental changes to the security policy at the policy manager;
  
  determine which of said series of incremental changes are applicable to said security engine;
  
  compute an accumulated delta that reflects the series of incremental changes applicable to said security engine; and
  
  distribute the accumulated delta to the security engine on the client wherein the security engine uses the delta to update the local customized security policy,wherein each incremental changes to a security policy includes one or more rule changes in a security policy, and wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the policy manager and sending the accumulated reversing delta to the security engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.

20. A non-transitory computer readable storage medium having instructions stored thereon which when executed by one or more processors cause a system to:
- maintain an engine at a client coupled to a network, the engine to store a set of rules constituting a local customized policy received through the network from a centralized location, and enforce the local customized policy at an application level of the client, wherein the centralized location comprises a processor;
  
  maintain an interface coupled to the engine evaluating the local customized policy in order to control access to securable components wherein evaluating the local customized policy includes matching an access request to one or more of the set of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
  
  maintain the application, coupled to the interface so as to communicate with the engine,wherein the engine guards access to the application that is coupled to said interface each separate application being guarded by a different access authorization service such that separate applications do not share authorization services;
  
  receive a series of incremental changes to the set of rules at the centralized location;
  
  determine which of said series of incremental changes are applicable to said engine;
  
  compute an accumulated delta to reflect the series of incremental changes applicable to said engine; and
  
  communicate the accumulated delta to the engine at the client such that the engine employs the accumulated delta to update the local customized policy,wherein each incremental changes to a policy includes one or more rule changes in a policy, and wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta and sending the accumulated reversing delta from the centralized location to the engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Moriconi, Mark S.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US10/017,368
Time in Patent Office

3,001 Days
Field of Search

713/200, 726 1- 2, 726/4, 726/16, 726/21, 717172-173
US Class Current

726/1
CPC Class Codes

G02B 6/132   by deposition of thin films

G06F 21/50   Monitoring users, programs ...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H01L 21/02164   the material being a silico...

H01L 21/31111   by chemical means

H01L 21/31608   Deposition of SiO2 H01L21/3...

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

System and method for maintaining security in a distributed computer network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

284 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for maintaining security in a distributed computer network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

284 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others