Applying security policies to multiple systems and controlling policy propagation
Abstract
Techniques are disclosed for attaching security policies to secured computing systems. A security policy is attached to a parent domain. The parent domain includes a first secured computing system. The security policy is a natural language description for controlling access to the secured computing system. Upon determining that the parent domain propagates the security policy, a first generation child domain is identified. The first generation child domain includes a second secured computing system. The first generation child domain is associated with the parent domain in a hierarchical relationship. It is determined that the first generation child domain inherits the security policy based on an inheritance rule. The security policy is attached to the first generation child domain.
21 Claims
1. A computer-implemented method to manage security policy propagation between a plurality of domains of secured computing systems and based on a policy-specific propagation flag and a domain-specific inheritance rule, the method comprising:
applying a security policy to a parent domain that includes a first secured computing system, wherein the security policy specifies a propagation flag that is policy-specific and not domain-specific and that indicates whether the security policy is to be propagated or isolated;
upon determining that the parent domain propagates the security policy on the basis of the propagation flag, identifying a child domain that includes a second secured computing system and that is associated with the parent domain in a hierarchical relationship specifying an inheritance rule that is domain-specific and not policy-specific and that indicates whether security policy propagation applies from the parent domain to the child domain, wherein the child domain is associated with a grandchild domain; and
upon determining that the inheritance rule includes a first rule code indicating that security policy propagation applies from the parent domain to the child domain, applying the security policy to the child domain by operation of one or more computer processors;
wherein the security policy is not applied to the child domain and not applied to the grandchild domain if the inheritance rule includes a second rule code indicating that security policy propagation is stopped at the child domain;
wherein the security policy is not applied to the child domain but applied to the grandchild domain if the inheritance rule includes a third rule code indicating that security propagation is bypassed at the child domain;
wherein the security policy is managed based on at least one of:
(i) a domain hierarchy specification including the hierarchical relationship;
(ii) a domain policy assignment specification including the domain-specific inheritance rule; and
(iii) a security policy propagation specification including the policy-specific propagation flag.
Dependent claims: 2, 3, 4, 5, 6, 7.
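The propagation semantics of claim 1, worked as an added Python example that is not part of the patent: the policy carries a policy-specific propagation flag, each domain carries a domain-specific rule code (inherit, stop or bypass), and the walk applies, halts or skips accordingly. The class names, the sample hierarchy and the treatment of a bypassed domain's children (each judged on its own rule, which is the general case of the claim's "applied to the grandchild") are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

class Rule(Enum):
    """Domain-specific inheritance rule codes named in the claims."""
    INHERIT = 1  # first rule code: propagation applies to this domain
    STOP = 2     # second rule code: propagation stops at this domain
    BYPASS = 3   # third rule code: skipped here, continues to its children

@dataclass
class Domain:
    name: str
    rule: Rule = Rule.INHERIT  # how propagation *into* this domain is treated
    children: list[Domain] = field(default_factory=list)

@dataclass(frozen=True)
class Policy:
    name: str
    propagate: bool  # policy-specific flag: True = propagated, False = isolated

def apply_policy(domain: Domain, policy: Policy) -> list[str]:
    """Names of the domains the policy lands on when attached to `domain`.
    The attachment domain always receives it; rules only govern descendants."""
    applied = [domain.name]
    if policy.propagate:  # an isolated policy never leaves the parent domain
        for child in domain.children:
            applied.extend(_propagate(child, policy))
    return applied

def _propagate(domain: Domain, policy: Policy) -> list[str]:
    if domain.rule is Rule.STOP:
        return []  # not applied here, and nothing below it is reached
    # BYPASS: not applied here, but each child is judged on its own rule
    # (assumption: the grandchild's rule is honoured rather than forced to apply)
    applied = [] if domain.rule is Rule.BYPASS else [domain.name]
    for child in domain.children:
        applied.extend(_propagate(child, policy))
    return applied

def build_example() -> Domain:
    """Constructed sample hierarchy (not from the patent)."""
    return Domain("corp", children=[
        Domain("eng", children=[
            Domain("eng-dev"),
            Domain("eng-ops", Rule.STOP, [Domain("eng-ops-sre")])]),
        Domain("contractors", Rule.BYPASS, [
            Domain("vendor-a"), Domain("vendor-b", Rule.STOP)]),
        Domain("legal", Rule.STOP, [Domain("legal-archive")])])
```

Attaching a propagated policy at `corp` reaches `eng` and `eng-dev`, skips `contractors` but reaches `vendor-a` beneath it, and never enters the stopped `eng-ops` or `legal` subtrees.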
8. A non-transitory computer-readable storage medium containing a program which, when executed, performs an operation to manage security policy propagation between a plurality of domains of secured computing systems and based on a policy-specific propagation flag and a domain-specific inheritance rule, the operation comprising:
applying a security policy to a parent domain that includes a first secured computing system, wherein the security policy specifies a propagation flag that is policy-specific and not domain-specific and that indicates whether the security policy is to be propagated or isolated;
upon determining that the parent domain propagates the security policy on the basis of the propagation flag, identifying a child domain that includes a second secured computing system and that is associated with the parent domain in a hierarchical relationship specifying an inheritance rule that is domain-specific and not policy-specific and that indicates whether security policy propagation applies from the parent domain to the child domain, wherein the child domain is associated with a grandchild domain; and
upon determining that the inheritance rule includes a first rule code indicating that security policy propagation applies from the parent domain to the child domain, applying the security policy to the child domain by operation of one or more computer processors when executing the program;
wherein the security policy is not applied to the child domain and not applied to the grandchild domain if the inheritance rule includes a second rule code indicating that security policy propagation is stopped at the child domain;
wherein the security policy is not applied to the child domain but is applied to the grandchild domain if the inheritance rule includes a third rule code indicating that security propagation is bypassed at the child domain;
wherein the security policy is managed based on at least one of:
(i) a domain hierarchy specification including the hierarchical relationship;
(ii) a domain policy assignment specification including the domain-specific inheritance rule; and
(iii) a security policy propagation specification including the policy-specific propagation flag.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A system to manage security policy propagation between a plurality of domains of secured computing systems and based on a policy-specific propagation flag and a domain-specific inheritance rule, the system comprising:
a processor; and
a memory containing a program which, when executed by the processor, performs an operation comprising:
applying a security policy to a parent domain that includes a first secured computing system, wherein the security policy specifies a propagation flag that is policy-specific and not domain-specific and that indicates whether the security policy is to be propagated or isolated;
upon determining that the parent domain propagates the security policy on the basis of the propagation flag, identifying a child domain that includes a second secured computing system and that is associated with the parent domain in a hierarchical relationship specifying an inheritance rule that is domain-specific and not policy-specific and that indicates whether security policy propagation applies from the parent domain to the child domain, wherein the child domain is associated with a grandchild domain; and
upon determining that the inheritance rule includes a first rule code indicating that security policy propagation applies from the parent domain to the child domain, applying the security policy to the child domain;
wherein the security policy is not applied to the child domain and not applied to the grandchild domain if the inheritance rule includes a second rule code indicating that security policy propagation is stopped at the child domain;
wherein the security policy is not applied to the child domain but is applied to the grandchild domain if the inheritance rule includes a third rule code indicating that security propagation is bypassed at the child domain;
wherein the security policy is managed based on at least one of:
(i) a domain hierarchy specification including the hierarchical relationship;
(ii) a domain policy assignment specification including the domain-specific inheritance rule; and
(iii) a security policy propagation specification including the policy-specific propagation flag.
Dependent claims: 16, 17, 18, 19, 20, 21.