Secure compartmented mode knowledge management portal

US 7,921,289 B2
Filed: 02/14/2007
Issued: 04/05/2011
Est. Priority Date: 06/30/2000
Status: Expired due to Term

First Claim

Patent Images

1. A layered defense-in-depth knowledge-based management system, comprising:

a reception zone including a first one or more computers operable to authenticate a user for access to the system, wherein the reception zone is further operable to;

determine a clearance level of a requested document;

determine a clearance level of the authenticated user;

compare the clearance level of the document with the clearance level of the authenticated user;

determine a number of document caveats associated with the requested document;

for each of the number of document caveats, obtain the respective document caveat for the requested document, the respective document caveat representing a necessary condition for access to the document;

determine a number of user caveats of the authenticated user;

for each of the number of user caveats, obtain the respective user caveat representing a condition necessary for the authenticated user to have access to a document having an associated document caveat;

for all combinations of the user caveats and the document caveats, compare the document caveat of the requested document to the user caveat of the authenticated user, wherein the comparison of the document caveat of the requested document to the user caveat of the authenticated user comprises a comparison of the necessary condition for access to the document and the condition necessary for the authenticated user to have access to the document having the associated document caveat; and

display the requested document to the authenticated user in response to the clearance level of the user dominating the clearance level of the requested document and the comparison of all combinations of the user caveats to the document caveats;

an operations zone including a second one or more computers operable to adjudicate on a user level access to data objects stored in a system database;

a security zone including a third one or more computers operable to issue certificates of accessibility for defined users; and

wherein the system prevents any modification of the clearance level and the document caveats after the clearance level and the document caveats have been associated with the requested document.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A layered defense-in-depth knowledge-based data management comprises a reception zone for authenticating a user for access to the system and an operations zone for adjudicating on a user level access to data objects stored in the system database. In addition, the data management comprises a security zone for issuing certificates of accessibility for defined users and a screening zone to interrogate data packets during processing thereof. The first line of defense is firewall protection and packet filtering preceding the reception zone.

Citations

18 Claims

1. A layered defense-in-depth knowledge-based management system, comprising:
- a reception zone including a first one or more computers operable to authenticate a user for access to the system, wherein the reception zone is further operable to;
  
  determine a clearance level of a requested document;
  
  determine a clearance level of the authenticated user;
  
  compare the clearance level of the document with the clearance level of the authenticated user;
  
  determine a number of document caveats associated with the requested document;
  
  for each of the number of document caveats, obtain the respective document caveat for the requested document, the respective document caveat representing a necessary condition for access to the document;
  
  determine a number of user caveats of the authenticated user;
  
  for each of the number of user caveats, obtain the respective user caveat representing a condition necessary for the authenticated user to have access to a document having an associated document caveat;
  
  for all combinations of the user caveats and the document caveats, compare the document caveat of the requested document to the user caveat of the authenticated user, wherein the comparison of the document caveat of the requested document to the user caveat of the authenticated user comprises a comparison of the necessary condition for access to the document and the condition necessary for the authenticated user to have access to the document having the associated document caveat; and
  
  display the requested document to the authenticated user in response to the clearance level of the user dominating the clearance level of the requested document and the comparison of all combinations of the user caveats to the document caveats;
  
  an operations zone including a second one or more computers operable to adjudicate on a user level access to data objects stored in a system database;
  
  a security zone including a third one or more computers operable to issue certificates of accessibility for defined users; and
  
  wherein the system prevents any modification of the clearance level and the document caveats after the clearance level and the document caveats have been associated with the requested document.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A layered defense-in-depth knowledge-based management system as in claim 1, wherein the security zone is further operable to revoke certificates for users no longer allowed access to the system.
  - 3. A layered defense-in-depth knowledge-based management system as in claim 2, wherein the security zone is further operable to perform key recovery operations.
  - 4. A layered defense-in-depth knowledge-based management system as in claim 1, wherein the security zone comprises filters operable to control and limit access to a predefined set of user workstations.
  - 5. A layered defense-in-depth knowledge-based management system as in claim 1, wherein the reception zone comprises a public key infrastructure operable to authenticate users for accessing contents of the system.
  - 6. A layered defense-in-depth knowledge-based management system as in claim 1, wherein the reception zone is further operable to authenticate a server.
  - 7. A layered defense-in-depth knowledge-based management system as in claim 1, further comprising a screening zone operable to interrogate data packets during processing thereof.
  - 8. A layered defense-in-depth knowledge-based management system as in claim 1, wherein the operations zone is further operable to packet filter incoming and outgoing messages.
  - 9. A layered defense-in-depth knowledge-based management system as in claim 1, wherein the security zone is further operable to packet filter incoming and outgoing messages for access control.
  - 10. A layered defense-in-depth knowledge-based management system as in claim 1, wherein the operations zone comprises a document management server operable to establish access to data stored in a library of the management system.

11. A method of accessing an electronic support library for layered defense-in-depth knowledge-based management, comprising:
- authenticating, using one or more computers in a reception zone a user in response to a request for data;
  
  conducting, using the one or more computers, document manipulation and administration in an operations zone of a request by an authenticated user;
  
  issuing, using the one or more computers, authorization certificates in a security zone for users to allow access to data managed in the operations zone;
  
  determining, using the one or more computers, a clearance level of a requested document;
  
  determining, using the one or more computers, a clearance level of the authenticated user;
  
  comparing, using the one or more computers, the clearance level of the document with the clearance level of the authenticated user;
  
  determining, using the one or more computers, a number of document caveats associated with the requested document;
  
  for each of the number of document caveats, obtaining, using the one or more computers, the respective document caveat for the requested document, the respective document caveat representing a necessary condition for access to the document;
  
  determining, using the one or more computers, a number of user caveats of the authenticated user;
  
  for each of the number of user caveats, obtaining, using the one or more computers, the respective user caveat representing a condition necessary for the authenticated user to have access to a document having an associated document caveat;
  
  for all combinations of the user caveats and the document caveats, comparing, using the one or more computers, the document caveat of the requested document to the user caveat of the authenticated user, wherein the comparison of the document caveat of the requested document to the user caveat of the authenticated user comprises a comparison of the necessary condition for access to the document and the condition necessary for the authenticated user to have access to the document having the associated document caveat;
  
  displaying the requested document to the authenticated user in response to the clearance level of the user dominating the clearance level of the requested document and the comparison of all combinations of the user caveats to the document caveats; and
  
  preventing any modification of the clearance level and the document caveats after the clearance level and the document caveats have been associated with the requested document.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of accessing an electronic support library as in claim 11, wherein authenticating a user in the reception zone comprises authenticating the user to a public key infrastructure.
  - 13. The method of accessing an electronic support library as in claim 11, further comprising accessing data stored in the electronic support library by a document management server.
  - 14. The method of accessing an electronic support library as in claim 11, further comprising packet filtering incoming and outgoing messages in and through the operations zone.
  - 15. The method of accessing an electronic support library as in claim 14, further comprising packet filtering incoming and outgoing messages for access to authorization certificates issued by the security zone.
  - 16. The method of accessing an electronic support library as in claim 11, further comprising authenticating, in the reception zone, a server.
  - 17. The method of accessing an electronic support library as in claim 11, further comprising interrogating, in a screening zone, data packets during processing thereof.

18. A layered defense-in-depth knowledge-based management system, comprising:
- a reception zone including a first one or more computers operable to authenticate a user for access to the system, wherein the reception zone comprises a public key infrastructure operable to authenticate users for accessing contents of the system, the reception zone further operable to;
  
  authenticate a server;
  
  determine a clearance level of a requested document;
  
  determine a clearance level of the authenticated user;
  
  compare the clearance level of the document with the clearance level of the authenticated user;
  
  determine a number of document caveats associated with the requested document;
  
  for each of the number of document caveats, obtain the respective document caveat for the requested document, the respective document caveat representing a necessary condition for access to the document;
  
  determine a number of user caveats of the authenticated user;
  
  for each of the number of user caveats, obtain the respective user caveat representing a condition necessary for the authenticated user to have access to a document having an associated document caveat;
  
  for all combinations of the user caveats and the document caveats, compare the document caveat of the requested document to the user caveat of the authenticated user, wherein the comparison of the document caveat of the requested document to the user caveat of the authenticated user comprises a comparison of the necessary condition for access to the document and the condition necessary for the authenticated user to have access to the document having the associated document caveat; and
  
  display the requested document to the authenticated user in response to the clearance level of the user dominating the clearance level of the requested document and the comparison of all combinations of the user caveats to the document caveats;
  
  a screening zone including a second one or more computers operable to interrogate data packets during processing thereof;
  
  an operations zone including a third one or more computers operable to adjudicate on a user level access to data objects stored in a system database, wherein the operations zone is further operable to packet filter incoming and outgoing messages, wherein the operations zone comprises a document management server operable to establish access to data stored in a library of the management system; and
  
  a security zone including a fourth one or more computers operable to;
  
  issue certificates of accessibility for defined users;
  
  revoke certificates for users no longer allowed access to the system;
  
  perform key recovery operations; and
  
  wherein the security zone comprises filters operable to control and limit access to a predefined set of user workstations, wherein the security zone is further operable to packet filter incoming and outgoing messages for access control.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon Company (Rtx Corporation)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Moehl, Robert C., Silcox, Joseph M., Teijido, Daniel, Kobren, Craig H.
Primary Examiner(s)
Dinh; Minh
Assistant Examiner(s)
HO, VIRGINIA T

Application Number

US11/674,932
Publication Number

US 20070204336A1
Time in Patent Office

1,511 Days
Field of Search

713166-167, 726/2, 726 11- 13, 726/16, 726/27, 380/286
US Class Current

713/166
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

Secure compartmented mode knowledge management portal

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure compartmented mode knowledge management portal

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links