System and method for maintaining security in a distributed computer network
First Claim
1. A system for maintaining security in a distributed computing environment, comprising:
(1) a policy manager, coupled to a network, including a database for storing a security policy including a plurality of rules that control user access to applications; and a policy distributor, coupled to the database, for distributing the plurality of rules through the network, wherein the policy manager comprises a processor;
(2) a security engine located on a client coupled to the network and stored on a computer readable storage medium, said security engine storing a set of the plurality of rules constituting a local customized security policy received through the network from the policy distributor, and enforcing the local customized security policy with respect to an application at the client wherein enforcing the local customized security policy includes evaluating an access request by matching it to one or more of the plurality of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
(3) the application, coupled to the security engine, wherein the security engine guards access to the particular application to which said security engine is coupled, each separate application in the system being guarded by a different access authorization service such that separate applications do not share authorization services; and
wherein the security policy is updated by recording a series of incremental changes to the security policy, determining which of said incremental changes are applicable to said security engine, computing an accumulated delta that reflects the series of incremental changes applicable to said security engine and sending the accumulated delta to the security engine from the policy manager such that the security engine uses the accumulated delta to update the local customized security policy, wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the policy manager and sending the accumulated reversing delta to the security engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
Abstract
A system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. In the preferred embodiment, a global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages access to the securable components as specified by the local policy.
20 Claims
1. (Independent claim; its text is given above under First Claim. Dependent claims: 2, 3, 4, 5, 6.)
7. A system for maintaining security for an application in a distributed computing environment, comprising:
an engine located at a client coupled to a network and stored on a computer readable storage medium, the engine storing a set of rules constituting a local customized policy received through the network from a centralized location, and enforcing the local customized policy at an application level of the client, wherein the centralized location comprises a processor;
an interface coupled to the engine for evaluating the local customized policy in order to control access to an application at the client wherein evaluating the local customized policy includes matching an access request to one or more of the plurality of rules of the local customized policy and granting or denying access to the application based on the evaluation; and
the application, coupled to the interface so as to communicate with the engine, wherein the engine guards access to the application that is coupled to said interface each separate application in the system being guarded by a different access authorization service such that separate applications do not share authorization services;
wherein the local customized policy is updated by keeping track of incremental changes to the policy, determining which of said incremental changes are applicable to said engine, computing an accumulated delta that reflects all the incremental changes applicable to said engine and sending the accumulated delta to the engine from the centralized location such that the engine uses the delta to update the local customized policy, wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the centralized location and sending the accumulated reversing delta to the engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
(Dependent claims: 8, 9)
10. A computer implemented method for maintaining security in a distributed computing environment, comprising:
maintaining a policy manager coupled to a network, including a database for storing a security policy and a policy distributor, coupled to the database, for distributing a portion of the security policy through the network, wherein the policy manager comprises a processor;
maintaining a security engine located on a client coupled to the network, storing a local customized security policy received through the network from the policy distributor, and enforcing the local customized security policy with respect to an application at the client wherein enforcing the local customized security policy includes evaluating an access request by matching it to one or more of the plurality of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
maintaining the application, coupled to the security engine, wherein the security engine guards access to the particular application to which said security engine is coupled, each separate application in the system being guarded by a different access authorization service such that separate applications do not share authorization services; and
receiving a series of incremental changes to the security policy at the policy manager;
determining which of said series of incremental changes are applicable to said security engine;
computing an accumulated delta that reflects the series of incremental changes that are applicable to said security engine; and
distributing the accumulated delta to the security engine on the client wherein the security engine uses the delta to update the local customized security policy, wherein each incremental change to a security policy includes one or more rule changes in a security policy, and wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the policy manager and sending the accumulated reversing delta to the security engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
(Dependent claims: 11, 12, 13, 14)
15. A computer implemented method for maintaining security in a distributed computing environment, comprising:
maintaining an engine at a client coupled to a network, the engine to store a set of rules constituting a local customized policy received through the network from a centralized location, and enforce the local customized policy at an application level of the client, wherein the centralized location comprises a processor;
maintaining an interface coupled to the engine for evaluating the local customized policy in order to control access to securable components wherein evaluating the local customized policy includes matching an access request to one or more of the set of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
maintaining the application, coupled to the interface so as to communicate with the engine, wherein the engine guards access to the application that is coupled to said interface each separate application being guarded by a different access authorization service such that separate applications do not share authorization services;
receiving a series of incremental changes to the set of rules at the centralized location;
determining which of said incremental changes are applicable to said engine;
computing an accumulated delta to reflect the series of incremental changes that are applicable to said engine; and
communicating the accumulated delta to the engine at the client such that the engine employs the accumulated delta to update the local customized policy, wherein each incremental change to a policy includes one or more rule changes in a policy, and wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the centralized location and sending the accumulated reversing delta to the engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
(Dependent claims: 16, 17, 18)
19. A non-transitory computer readable storage medium having instructions stored thereon which when executed by one or more processors cause a system to:
maintain a policy manager coupled to a network, including a database storing a security policy and a policy distributor, coupled to the database, for distributing a portion of the security policy through the network, wherein the policy manager comprises a processor;
maintain a security engine located on a client coupled to the network, for storing a local customized security policy received through the network from the policy distributor, and enforcing the local customized security policy with respect to an application at the client wherein enforcing the local customized security policy includes evaluating an access request by matching it to one or more of the plurality of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
maintain the application, coupled to the security engine, wherein the security engine guards access to the particular application to which said security engine is coupled, each separate application being guarded by a different access authorization service such that separate applications do not share authorization services; and
receive a series of incremental changes to the security policy at the policy manager;
determine which of said series of incremental changes are applicable to said security engine;
compute an accumulated delta that reflects the series of incremental changes applicable to said security engine; and
distribute the accumulated delta to the security engine on the client wherein the security engine uses the delta to update the local customized security policy, wherein each incremental change to a security policy includes one or more rule changes in a security policy, and wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta at the policy manager and sending the accumulated reversing delta to the security engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
20. A non-transitory computer readable storage medium having instructions stored thereon which when executed by one or more processors cause a system to:
maintain an engine at a client coupled to a network, the engine to store a set of rules constituting a local customized policy received through the network from a centralized location, and enforce the local customized policy at an application level of the client, wherein the centralized location comprises a processor;
maintain an interface coupled to the engine evaluating the local customized policy in order to control access to securable components wherein evaluating the local customized policy includes matching an access request to one or more of the set of rules of the local customized security policy and granting or denying access to the application based on the evaluation; and
maintain the application, coupled to the interface so as to communicate with the engine, wherein the engine guards access to the application that is coupled to said interface each separate application being guarded by a different access authorization service such that separate applications do not share authorization services;
receive a series of incremental changes to the set of rules at the centralized location;
determine which of said series of incremental changes are applicable to said engine;
compute an accumulated delta to reflect the series of incremental changes applicable to said engine; and
communicate the accumulated delta to the engine at the client such that the engine employs the accumulated delta to update the local customized policy, wherein each incremental change to a policy includes one or more rule changes in a policy, and wherein a previously enforced version of the local customized security policy is reconstructed by generating an accumulated reversing delta and sending the accumulated reversing delta from the centralized location to the engine, wherein the accumulated reversing delta comprises a sequence of incremental changes in a reverse order.
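The architecture in the Abstract and the update mechanism recited in the independent claims (a central policy manager keeping a log of incremental rule changes, one security engine per application holding a local customized policy, an accumulated delta of the changes applicable to that engine, and an accumulated reversing delta that replays those changes inverted and in reverse order to reconstruct a previously enforced policy) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the patent or its assignee. The class names, the rule fields (subject, action, effect), the append-only change log and the sample rules are assumptions chosen for illustration.

```python
# Added example, not code from the patent: a minimal model of delta-based
# policy distribution with rollback. Class names, rule fields and the
# sample rules below are assumptions chosen for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    app: str      # application the rule governs
    subject: str  # user or role making the request
    action: str   # operation requested
    effect: str   # "allow" or "deny"


@dataclass(frozen=True)
class Change:
    seq: int      # position in the policy manager's change log
    op: str       # "add" or "remove"
    rule: Rule    # full rule even for "remove", so the change can be reversed


class SecurityEngine:
    """Guards exactly one application; engines never share rules or decisions."""

    def __init__(self, app):
        self.app = app
        self.rules = {}    # rule_id -> Rule: the local customized policy
        self.version = 0   # change-log position this local policy corresponds to

    def apply_delta(self, changes, new_version):
        lo, hi = sorted((self.version, new_version))
        for ch in changes:
            # Reject changes meant for another application or outside the
            # version window (lo, hi]; the window covers forward and reverse.
            if ch.rule.app != self.app or not lo < ch.seq <= hi:
                raise ValueError(f"delta not applicable to {self.app}@{self.version}")
            if ch.op == "add":
                self.rules[ch.rule.rule_id] = ch.rule
            elif ch.op == "remove":
                self.rules.pop(ch.rule.rule_id, None)
            else:
                raise ValueError(f"unknown op {ch.op!r}")
        self.version = new_version

    def evaluate(self, subject, action):
        """Match the request against local rules; fail closed, any deny wins."""
        matched = [r for r in self.rules.values()
                   if r.subject == subject and r.action == action]
        return bool(matched) and all(r.effect == "allow" for r in matched)


class PolicyManager:
    """Holds the global policy as an append-only log of incremental changes."""

    def __init__(self):
        self.log = []

    @property
    def version(self):
        return len(self.log)

    def record(self, op, rule):
        self.log.append(Change(len(self.log) + 1, op, rule))

    def accumulated_delta(self, app, since, upto=None):
        """Changes in (since, upto] that apply to the engine guarding `app`."""
        upto = self.version if upto is None else upto
        changes = [c for c in self.log if since < c.seq <= upto and c.rule.app == app]
        return changes, upto

    def reversing_delta(self, app, from_version, to_version):
        """Undo the applicable changes in (to_version, from_version]:
        the same changes with inverted op, in reverse order."""
        inverse = {"add": "remove", "remove": "add"}
        fwd, _ = self.accumulated_delta(app, to_version, from_version)
        return [Change(c.seq, inverse[c.op], c.rule) for c in reversed(fwd)], to_version


def demo():
    """Constructed scenario: two engines, one update, then a rollback."""
    pm = PolicyManager()
    payroll, hr = SecurityEngine("payroll"), SecurityEngine("hr")
    pm.record("add", Rule("r1", "payroll", "alice", "view", "allow"))
    pm.record("add", Rule("r2", "hr", "bob", "edit", "allow"))
    for eng in (payroll, hr):              # initial distribution, per engine
        eng.apply_delta(*pm.accumulated_delta(eng.app, eng.version))
    initial = (payroll.evaluate("alice", "view"), hr.evaluate("alice", "view"))

    pm.record("add", Rule("r3", "payroll", "alice", "edit", "allow"))
    pm.record("remove", Rule("r1", "payroll", "alice", "view", "allow"))
    pm.record("add", Rule("r4", "hr", "carol", "view", "allow"))   # not for payroll
    payroll.apply_delta(*pm.accumulated_delta("payroll", payroll.version))
    updated = (payroll.evaluate("alice", "view"), payroll.evaluate("alice", "edit"))

    # Reconstruct the policy payroll enforced at version 2 via a reversing delta.
    payroll.apply_delta(*pm.reversing_delta("payroll", payroll.version, 2))
    rolled_back = (payroll.evaluate("alice", "view"), payroll.evaluate("alice", "edit"))
    return {"initial": initial, "updated": updated, "rolled_back": rolled_back,
            "payroll_version": payroll.version, "payroll_rules": sorted(payroll.rules)}


if __name__ == "__main__":
    print(demo())
```

Two details carry the security properties the claims describe. The `hr` engine never sees payroll rules, so `hr.evaluate("alice", "view")` is denied even though the global policy allows it, and a delta for another application is rejected rather than silently applied. The reversing delta works only because a "remove" change carries the removed rule in full; without that, the manager could not re-add it when replaying in reverse. The example does not authenticate or integrity-protect the delta in transit, and the claims do not address that either; in a deployment the engine should accept only deltas signed by the policy manager and bound to its current version.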
Specification