Applying security policies to multiple systems and controlling policy propagation

US 8,296,820 B2
Filed: 01/18/2008
Issued: 10/23/2012
Est. Priority Date: 01/18/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method to manage security policy propagation between a plurality of domains of secured computing systems and based on a policy-specific propagation flag and a domain-specific inheritance rule, the method comprising:

applying a security policy to a parent domain that includes a first secured computing system, wherein the security policy specifies a propagation flag that is policy-specific and not domain-specific and that indicates whether the security policy is to be propagated or isolated;

upon determining that the parent domain propagates the security policy on the basis of the propagation flag, identifying a child domain that includes a second secured computing system and that is associated with the parent domain in a hierarchical relationship specifying an inheritance rule that is domain-specific and not policy-specific and that indicates whether security policy propagation applies from the parent domain to the child domain, wherein the child domain is associated with a grandchild domain; and

upon determining that the inheritance rule includes a first rule code indicating that security policy propagation applies from the parent domain to the child domain, applying the security policy to the child domain by operation of one or more computer processors;

wherein the security policy is not applied to the child domain and not applied to the grandchild domain if the inheritance rule includes a second rule code indicating that security policy propagation is stopped at the child domain;

wherein the security policy is not applied to the child domain but applied to the grandchild domain if the inheritance rule includes a third rule code indicating that security propagation is bypassed at the child domain;

wherein the security policy is managed based on at least one of;

(i) a domain hierarchy specification including the hierarchical relationship;

(ii) a domain policy assignment specification including the domain-specific inheritance rule; and

(iii) a security policy propagation specification including the policy-specific propagation flag.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for attaching security policies to secured computing systems. A security policy is attached to a parent domain. The parent domain includes a first secured computing system. The security policy is a natural language description for controlling access to the secured computing system. Upon determining that the parent domain propagates the security policy, a first generation child domain is identified. The first generation child domain includes a second secured computing system. The first generation child domain is associated with the parent domain in a hierarchical relationship. It is determined that the first generation child domain inherits the security policy based on an inheritance rule. The security policy is attached to the first generation child domain.

51 Citations

View as Search Results

21 Claims

1. A computer-implemented method to manage security policy propagation between a plurality of domains of secured computing systems and based on a policy-specific propagation flag and a domain-specific inheritance rule, the method comprising:
- applying a security policy to a parent domain that includes a first secured computing system, wherein the security policy specifies a propagation flag that is policy-specific and not domain-specific and that indicates whether the security policy is to be propagated or isolated;
  
  upon determining that the parent domain propagates the security policy on the basis of the propagation flag, identifying a child domain that includes a second secured computing system and that is associated with the parent domain in a hierarchical relationship specifying an inheritance rule that is domain-specific and not policy-specific and that indicates whether security policy propagation applies from the parent domain to the child domain, wherein the child domain is associated with a grandchild domain; and
  
  upon determining that the inheritance rule includes a first rule code indicating that security policy propagation applies from the parent domain to the child domain, applying the security policy to the child domain by operation of one or more computer processors;
  
  wherein the security policy is not applied to the child domain and not applied to the grandchild domain if the inheritance rule includes a second rule code indicating that security policy propagation is stopped at the child domain;
  
  wherein the security policy is not applied to the child domain but applied to the grandchild domain if the inheritance rule includes a third rule code indicating that security propagation is bypassed at the child domain;
  
  wherein the security policy is managed based on at least one of;
  
  (i) a domain hierarchy specification including the hierarchical relationship;
  
  (ii) a domain policy assignment specification including the domain-specific inheritance rule; and
  
  (iii) a security policy propagation specification including the policy-specific propagation flag.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the third rule code provides skipping inheritance of the security policy at the child domain while allowing the grandchild domain to specify whether to inherit the security policy.
  - 3. The method of claim 1, wherein the security policy includes a natural language description for controlling access to the first secured computing system, and wherein the method further comprises:
    - determining that the security policy is applied to the child domain based on the domain hierarchy specification;
      
      translating the security policy such that each of the first secured computing system and the second secured computing system enforce security policy.
  - 4. The method of claim 1, further comprising:
    - identifying a plurality of child domains including the child domain;
      
      determining whether each of the plurality of child domains inherits the security policy based on a plurality of inheritance rules respectively associated with the plurality of child domains; and
      
      if the respective child domain inherits the security policy, applying the security policy to the respective child domain.
  - 5. The method of claim 1, further comprising:
    - applying a second security policy to the parent domain and to the child domain, respectively.
  - 6. The method of claim 1, further comprising:
    - upon determining that the inheritance rule specifies that security policy propagation is bypassed at the child domain, applying the security policy to the grandchild domain.
  - 7. The method of claim 6,wherein each of the domain hierarchy specification, the domain policy assignment specification, and the security policy propagation specification is stored in a respective table;
    - wherein the domain hierarchy table maps a domain identifier field to a domain parent field, an inheritance rule field, and a system identifiers field, wherein the inheritance rule field stores a rule code selected from a plurality of predefined rule codes including the first rule code, the second rule code, the third rule code, and a fourth rule code specifying that a domain designated by the domain identifier field is not presently associated with any parent domain;
      
      wherein the domain policy assignment table maps a domain identifier field to a policy identifiers field;
      
      wherein the security policy propagation table stores the propagation flag and maps a policy identifier field to a propagation flag.

8. A non-transitory computer-readable storage medium containing a program which, when executed, performs an operation to manage security policy propagation between a plurality of domains of secured computing systems and based on a policy-specific propagation flag and a domain-specific inheritance rule, the operation comprising:
- applying a security policy to a parent domain that includes a first secured computing system, wherein the security policy specifies a propagation flag that is policy-specific and not domain-specific and that indicates whether the security policy is to be propagated or isolated;
  
  upon determining that the parent domain propagates the security policy on the basis of the propagation flag, identifying a child domain that includes a second secured computing system and that is associated with the parent domain in a hierarchical relationship specifying an inheritance rule that is domain-specific and not policy-specific and that indicates whether security policy propagation applies from the parent domain to the child domain, wherein the child domain is associated with a grandchild domain; and
  
  upon determining that the inheritance rule includes a first rule code indicating that security policy propagation applies from the parent domain to the child domain, applying the security policy to the child domain by operation of one or more computer processors when executing the program;
  
  wherein the security policy is not applied to the child domain and not applied to the grandchild domain if the inheritance rule includes a second rule code indicating that security policy propagation is stopped at the child domain;
  
  wherein the security policy is not applied to the child domain but is applied to the grandchild domain if the inheritance rule includes a third rule code indicating that security propagation is bypassed at the child domain;
  
  wherein the security policy is managed based on at least one of;
  
  (i) a domain hierarchy specification including the hierarchical relationship;
  
  (ii) a domain policy assignment specification including the domain-specific inheritance rule; and
  
  (iii) a security policy propagation specification including the policy-specific propagation flag.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, whereinthe third rule code provides skipping inheritance of the security policy at the child domain while allowing the grandchild domain to specify whether to inherit the security policy.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the security policy includes a natural language description for controlling access to the first secured computing system, and wherein the operation further comprises:
    - determining that the security policy is applied to the child domain based on the domain hierarchy specification;
      
      translating the security policy such that each of the first secured computing system and the second secured computing system enforce the security policy.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein the operation further comprises:
    - identifying a plurality of child domains including the child domain;
      
      determining whether each of the plurality of child domains inherits the security policy based on a plurality of inheritance rules respectively associated with the plurality of child domains; and
      
      if the respective child domain inherits the security policy, applying the security policy to the respective child domain.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein the operation further comprises:
    - applying a second security policy to the parent domain and to the child domain, respectively.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein the operation further comprises:
    - upon determining that the inheritance rule specifies that security policy propagation is bypassed at the child domain, applying the security policy to the grandchild domain.
  - 14. The non-transitory computer-readable storage medium of claim 13, whereineach of the domain hierarchy specification, the domain policy assignment specification, and the security policy propagation specification is stored in a respective table;
    - wherein the domain hierarchy table maps a domain identifier field to a domain parent field, an inheritance rule field, and a system identifiers field, wherein the inheritance rule field stores a rule code selected from a plurality of predefined rule codes including the first rule code, the second rule code, the third rule code, and a fourth rule code specifying that a domain designated by the domain identifier field is not presently associated with any parent domain;
      
      wherein the domain policy assignment table maps a domain identifier field to a policy identifiers field;
      
      wherein the security policy propagation table stores the propagation flag and maps a policy identifier field to a propagation flag.

15. A system to manage security policy propagation between a plurality of domains of secured computing systems and based on a policy-specific propagation flag and a domain-specific inheritance rule, the system comprising:
- a processor; and
  
  a memory containing a program which, when executed by the processor, performs an operation comprising;
  
  applying a security policy to a parent domain that includes a first secured computing system, wherein the security policy specifies a propagation flag that is policy-specific and not domain-specific and that indicates whether the security policy is to be propagated or isolated;
  
  upon determining that the parent domain propagates the security policy on the basis of the propagation flag, identifying a child domain that includes a second secured computing system and that is associated with the parent domain in a hierarchical relationship specifying an inheritance rule that is domain-specific and not policy-specific and that indicates whether security policy propagation applies from the parent domain to the child domain, wherein the child domain is associated with a grandchild domain; and
  
  upon determining that the inheritance rule includes a first rule code indicating that security policy propagation applies from the parent domain to the child domain, applying the security policy to the child domain;
  
  wherein the security policy is not applied to the child domain and not applied to the grandchild domain if the inheritance rule includes a second rule code indicating that security policy propagation is stopped at the child domain;
  
  wherein the security policy is not applied to the child domain but is applied to the grandchild domain if the inheritance rule includes a third rule code indicating that security propagation is bypassed at the child domain;
  
  wherein the security policy is managed based on at least one of;
  
  (i) a domain hierarchy specification including the hierarchical relationship;
  
  (ii) a domain policy assignment specification including the domain-specific inheritance rule; and
  
  (iii) a security policy propagation specification including the policy-specific propagation flag.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, whereinthe third rule code provides skipping inheritance of the security policy at the child domain while allowing the grandchild domain to specify whether to inherit the security policy.
  - 17. The system of claim 15, wherein the security policy includes a natural language description for controlling access to the first secured computing system, and wherein the operation further comprises:
    - determining that the security policy is applied to the child domain based on the domain hierarchy specification;
      
      translating the security policy such that each of the first secured computing system and the second secured computing system enforce the security policy.
  - 18. The system of claim 15, wherein the operation further comprises:
    - identifying a plurality of child domains including the child domain;
      
      determining whether each of the plurality of child domains inherits the security policy based on a plurality of inheritance rules respectively associated with the plurality of child domains; and
      
      if the respective child domain inherits the security policy, applying the security policy to the respective child domain.
  - 19. The system of claim 15, wherein the operation further comprises:
    - applying a second security policy to the parent domain and to the child domain, respectively.
  - 20. The system of claim 15, wherein the operation further comprises:
    - upon determining that the inheritance rule specifies that security policy propagation is bypassed at the child domain, applying the security policy to the grandchild domain.
  - 21. The system of claim 20, whereineach of the domain hierarchy specification, the domain policy assignment specification, and the security policy propagation specification is stored in a respective table;
    - wherein the domain hierarchy table maps a domain identifier field to a domain parent field, an inheritance rule field, and a system identifiers field, wherein the inheritance rule field stores a rule code selected from a plurality of predefined rule codes including the first rule code, the second rule code, the third rule code, and a fourth rule code specifying that a domain designated by the domain identifier field is not presently associated with any parent domain;
      
      wherein the domain policy assignment table maps a domain identifier field to a policy identifiers field;
      
      wherein the security policy propagation table stores the propagation flag and maps a policy identifier field to a propagation flag.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kao, I-Lung, Kolz, Daniel Paul
Primary Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US12/016,395
Publication Number

US 20090187964A1
Time in Patent Office

1,740 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

H04L 63/102 Entity profiles

Applying security policies to multiple systems and controlling policy propagation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Applying security policies to multiple systems and controlling policy propagation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links