System and method for multi-context policy management

US 7,987,495 B2
Filed: 12/26/2007
Issued: 07/26/2011
Est. Priority Date: 12/26/2006
Status: Active Grant

First Claim

Patent Images

1. A method for multi-context policy management, comprising:

generating multiple security contexts relating to a computing device communicating with a networked computing infrastructure, wherein the multiple security contexts include a first security context based on one or more first security attributes relating to the computing device communicating with the computing infrastructure and a second security context based on one or more second security attributes relating to the computing device communicating with the computing infrastructure;

receiving a request to access one or more elements in the computing infrastructure from the computing device;

receiving one or more security policy definitions that define one or more conditions associated with accessing the one or more elements in the computing infrastructure;

determining whether to grant the computing device access to the one or more elements in the computing infrastructure based on the first security context, the second security context, and the one or more security policy definitions; and

sending a response indicating that the computing device has not been granted the requested access to the one or more elements in the computing infrastructure, wherein the response includes one or more remediation messages that instruct the computing device to alter anti-virus protection associated with the computing device or increase an authentication level associated with the computing device by re-challenging a user with one or more secure authentication methods prior to any further requests to access the one or more elements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method described herein provides multi-context security policy management in a networked computing infrastructure. The system and method may generate a plurality of security contexts regarding different security characteristics of the communication between a computing device and the networked computing infrastructure. The computing device then requests access to at least one specific element of the computing infrastructure. The security policy definitions of the at least one specific element are compared with one or more of the security contexts to determine whether access to the specific elements should be granted.

45 Citations

View as Search Results

23 Claims

1. A method for multi-context policy management, comprising:
- generating multiple security contexts relating to a computing device communicating with a networked computing infrastructure, wherein the multiple security contexts include a first security context based on one or more first security attributes relating to the computing device communicating with the computing infrastructure and a second security context based on one or more second security attributes relating to the computing device communicating with the computing infrastructure;
  
  receiving a request to access one or more elements in the computing infrastructure from the computing device;
  
  receiving one or more security policy definitions that define one or more conditions associated with accessing the one or more elements in the computing infrastructure;
  
  determining whether to grant the computing device access to the one or more elements in the computing infrastructure based on the first security context, the second security context, and the one or more security policy definitions; and
  
  sending a response indicating that the computing device has not been granted the requested access to the one or more elements in the computing infrastructure, wherein the response includes one or more remediation messages that instruct the computing device to alter anti-virus protection associated with the computing device or increase an authentication level associated with the computing device by re-challenging a user with one or more secure authentication methods prior to any further requests to access the one or more elements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the one or more security policy definitions specify an access level to grant computing devices meeting the one or more defined conditions.
  - 3. The method of claim 1, wherein the one or more elements associated with the requested access include a software application and the one or more security policy definitions specify different access levels to grant computing devices having different security attribute combinations used to generate one or more of the first security context or the second security context.
  - 4. The method of claim 1, wherein the first security context includes a first security score relating to the computing device communicating with the computing infrastructure and the second security context includes a second security score relating to the computing device communicating with the computing infrastructure.
  - 5. The method of claim 1, wherein determining whether to grant the computing device access to the one or more elements comprises using the first security context and the second security context to generate a normalized aggregate security score and comparing the normalized aggregate security score to the one or more security policy definitions.
  - 6. The method of claim 1, wherein the one or more first security attributes or the one or more second security attributes provide a user-based security context that relates to characteristics associated with the user.
  - 7. The method of claim 1, wherein the one or more first security attributes or the one or more second security attributes provide a connection-based security context that relates to characteristics associated with a data connection between the computing device and the computing infrastructure.
  - 8. The method of claim 1, wherein the one or more first security attributes or the one or more second security attributes provide a device-based security context that relates to characteristics associated with the computing device.
  - 9. The method of claim 1, wherein determining whether to grant the computing device access to the one or more elements includes generating the response indicating that the requested access has not been granted in response to either the first security context or the second security context failing to comply with the one or more security policy definitions.
  - 10. The method of claim 1, wherein determining whether to grant the computing device access to the one or more elements, includes granting the computing device access to the one or more elements in response to the first security context and the second security context complying with the one or more security policy definitions.
  - 11. The method of claim 1, further comprising updating one or more of the first security context or the second security context in response to determining that the computing device has an altered security posture indicating that the computing device has complied with the one or more remediation instructions.
  - 12. The method of claim 11, further comprising:
    - receiving a further request to access the one or more elements in the computing infrastructure from the computing device; and
      
      determining whether to grant the computing device access to the one or more elements in the computing infrastructure based on the altered security posture and the one or more security policy definitions, wherein the altered security posture includes the updated first or second security context.

13. A method for multi-context security policy management in a networked computing infrastructure, the networked computing infrastructure having one or more elements, the method comprising:
- generating a device-based security context based at least in part on one or more device-based security attributes regarding a computing device in communication with the computing infrastructure;
  
  generating a user-based security context based at least in part on one or more user-based security attributes regarding an identified user of the computing device;
  
  generating a connection-based security context based at least in part on one or more connection-based security attributes regarding the data connection between the computing device and the computing infrastructure;
  
  receiving a request from the computing device for access to at least one of the one or more elements of the computing infrastructure;
  
  receiving one or more security policy definitions for the at least one of the one or more elements, wherein the one or more security policy definitions define one or more sets of conditions for access to the at least one of the one of the one or more elements, each set of conditions including specified device-based attributes, user-based attributes, and connection based attributes, wherein for each set of conditions, the level of access to be granted to the at least one element is defined; and
  
  determining whether to grant the computing device access to the at least one of one or more elements based on the device-based security context, the user-based security context, the connection-based security context, and the one or more security policy definitions of the at least one of the one or more elements.

14. A system for multi-context policy management, comprising:
- a networked computing infrastructure having one or more processing devices;
  
  a security context module configured to run on the one or more processing devices and generate multiple security contexts relating to a computing device communicating with the computing infrastructure, wherein the multiple security contexts include a first security context based on one or more first security attributes relating to the computing device communicating with the computing infrastructure and a second security context based on one or more second security attributes relating to the computing device communicating with the computing infrastructure;
  
  an element policy module configured to run on the one or more processing devices, receive a request to access one or more elements in the computing infrastructure from the computing device, and receive one or more security policy definitions that define one or more conditions associated with accessing the one or more elements in the computing infrastructure;
  
  an access module configured to run on the one or more processing devices and determine whether to grant the computing device access to the one or more elements in the computing infrastructure based on the first security context, the second security context, and the one or more security policy definitions; and
  
  a remediation message module configured to run on the one or more processing devices and send a response having one or more remediation messages that instruct the computing device to alter a security posture prior to further requesting access to the one or more elements in response to the access module not granting the computing device access to the one or more elements, wherein the security context module is further configured to update one or more of the first security context or the second security context in response to determining that the computing device has altered the security posture to comply with the one or more remediation instructions.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The system of claim 14, wherein the at least one of the one or more elements associated with the requested access include a software application and the one or more security policy definitions specify different levels access levels to grant computing devices having different security attribute combinations used to generate one or more of the first security context or the second security context.
  - 16. The system of claim 14, wherein the first security context includes of a first security score relating to the computing device communicating with the computing infrastructure and the second security context includes a second security score relating to the computing device communicating with the computing infrastructure.
  - 17. The system of claim 14, wherein to determine whether to grant the computing device access to the one or more elements, the access module is further configured to use the first security context and the second security context to generate a normalized aggregate security score and compare the normalized aggregate security score to the one or more security policy definitions.
  - 18. The system of claim 14, wherein the one or more first security attributes or the one or more second security attributes a user-based security context that relates to characteristics associated with a user.
  - 19. The system of claim 14, wherein the one or more first security attributes or the one or more second security attributes provide a connection-based security context that relates to characteristics associated with a data connection between the computing device and the computing infrastructure.
  - 20. The system of claim 14, wherein the one or more first security attributes or the one or more second security attributes provide a device-based security context that relates to characteristics associated with the computing device.
  - 21. The system of claim 14, wherein the access module is further configured to generate the response indicating that the requested access has not been granted in response to either the first security context or the second security context failing to comply with the one or more security policy definitions.
  - 22. The system of claim 14, wherein the access module is further configured to grant the computing device access to the one or more elements in response to the first security context and the second security context complying with the one or more security policy definitions.
  - 23. The system of claim 14, wherein the element policy module is further configured to receive a further request to access the one or more elements in the computing infrastructure from the computing device, the access module is further configured to determine whether to grant the computing device access to the one of one or more elements in the computing infrastructure based on the altered security posture, and the altered security posture includes the updated first or second security context.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Maler, Sophia, Rappaport, Andrew, Lander, Vadim
Primary Examiner(s)
Dada; Beemnet W

Application Number

US11/964,471
Publication Number

US 20080155649A1
Time in Patent Office

1,308 Days
Field of Search

713/169, 713/171, 713/168, 713/182, 726/1, 726/4, 726/5, 726 17- 19, 726/23, 726/27
US Class Current

726/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

H04L 63/20 for managing network securi...

System and method for multi-context policy management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for multi-context policy management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links