Method for managing data in a shared computing environment
Abstract
A method of storing secret data in a shared computing environment includes defining secret data, such as a password, and administration policies according to a schema of a directory server such as an LDAP server. The secret data and administration policies are centrally stored on the LDAP server. The secret data can be encrypted. Administration policies include authorization and authentication policies, and a security zone can be defined for a collection of entities with a common security characteristic, such as a common password. A security zone defines a group of users and the secret data that can be accessed by the group of users. Multiple security zones can be defined. The secret data can be accessed directly from the server of the directory service, without accessing another server or data store, provided the administration policies are satisfied.
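As an added illustration (not code from the patent or any product), the following Python models the design the abstract describes: users, security zones and secrets held in one central store, an authentication policy checked against that store, and per-group privileges deciding which functions each group may perform on a zone's secret. All directory contents, hostnames, passwords and the static salt are constructed for the example.

```python
import hashlib
import hmac

def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 verifier kept in the directory instead of the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = b"constructed-static-salt"  # constructed; use a random per-user salt in practice

# Constructed directory content: users, zones and secrets live in one central
# store, so an access decision needs no call to an external node.
DIRECTORY = {
    "users": {
        "alice": {"pw": _derive("alice-pass", SALT), "groups": {"db-operators"}},
        "bob":   {"pw": _derive("bob-pass", SALT),   "groups": {"db-auditors"}},
        "eve":   {"pw": _derive("eve-pass", SALT),   "groups": set()},
    },
    "zones": {
        # One secret shared by entities with a common security characteristic,
        # and two groups allowed to use it with different privileges.
        "prod-db": {
            "entities": ["db01.example", "db02.example"],  # constructed hostnames
            "secret_id": "prod-db-password",
            "group_privileges": {"db-operators": {"read", "update"},
                                 "db-auditors": {"read"}},
        }
    },
    "secrets": {"prod-db-password": "constructed-secret-value"},
}

def authenticate(user: str, password: str) -> bool:
    """Authentication policy: verify the user against the stored verifier."""
    entry = DIRECTORY["users"].get(user)
    if entry is None:
        return False
    return hmac.compare_digest(entry["pw"], _derive(password, SALT))

def authorize(user: str, zone_name: str, action: str) -> bool:
    """Authorization policy: grant if one of the user's groups holds the action in the zone."""
    zone = DIRECTORY["zones"].get(zone_name)
    if zone is None:
        return False
    groups = DIRECTORY["users"].get(user, {}).get("groups", set())
    return any(action in zone["group_privileges"].get(g, set()) for g in groups)

def request_secret(user: str, password: str, zone_name: str, action: str):
    """Return (granted, secret-or-reason); the secret is handed out only on request."""
    if not authenticate(user, password):
        return False, "authentication failed"
    if not authorize(user, zone_name, action):
        return False, "not authorized for %s in zone %s" % (action, zone_name)
    return True, DIRECTORY["secrets"][DIRECTORY["zones"][zone_name]["secret_id"]]
```

Only the decision logic is modelled; encryption of the stored secret, which the abstract mentions, is left to the directory server.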
24 Claims
1. A computer implemented method of storing, protecting, and accessing secret data in a shared computing environment, comprising:

defining, for a piece of secret data, a security zone for one or more entities with a common security characteristic, wherein the security zone defines a plurality of groups of users that can access the piece of secret data, wherein the piece of secret data is used to access the one or more entities defined by the security zone, and wherein at least two groups of users of the plurality of groups of users can access the piece of secret data using different access privileges, the different access privileges allowing the at least two groups of users to perform different functions on the piece of secret data;

determining whether a request by a user to access the piece of secret data used to access the one or more entities defined by the security zone will be granted, wherein the piece of secret data and one or more administration policies are centrally stored on a directory server, the one or more administration policies comprise one or more user authentication policies that are used to authenticate the requesting user on the directory server, the one or more administration policies further comprise the security zone, which defines the piece of secret data that is accessible by the requesting user, and the one or more administration policies further comprise one or more authorization policies that control access to the piece of secret data defined by the security zone, in which the requesting user is permitted to access the piece of secret data used to access the one or more entities defined by the security zone, without going to an external computing node, upon satisfaction of the one or more authorization policies;

distributing the piece of secret data to the requesting user without pushing the piece of secret data to the requesting user, wherein the requesting user shares the piece of secret data in the shared computing environment; and

defining one or more additional security zones, each additional security zone determining or identifying a group of users, and an additional piece of secret data that is accessible by the group of users.

(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19)
14. A system for storing, protecting, and accessing secret data in a shared computing environment, comprising:

a computer server that is programmed for performing:

defining, for a piece of secret data, a security zone for one or more entities with a common security characteristic, wherein the security zone defines a plurality of groups of users that can access the piece of secret data, wherein the piece of secret data is used to access the one or more entities defined by the security zone, and wherein at least two groups of users of the plurality of groups of users can access the piece of secret data using different access privileges, the different access privileges allowing the at least two groups of users to perform different functions on the piece of secret data;

determining whether a request by a user to access the piece of secret data used to access the one or more entities defined by the security zone will be granted, wherein the piece of secret data and one or more administration policies are centrally stored on a directory server, the one or more administration policies comprise one or more user authentication policies that are used to authenticate the requesting user on the directory server, the one or more administration policies further comprise the security zone, which defines the piece of secret data that is accessible by the requesting user, and the one or more administration policies further comprise one or more authorization policies that control access to the piece of secret data defined by the security zone, in which the requesting user is permitted to access the piece of secret data used to access the one or more entities defined by the security zone, without going to an external computing node, upon satisfaction of the one or more authorization policies; and

distributing the piece of secret data to the requesting user without pushing the secret data to the requesting user, wherein the requesting user shares the piece of secret data in the shared computing environment; and

defining one or more additional security zones, each additional security zone determining or identifying a group of users, and an additional piece of secret data that is accessible by the group of users.

(Dependent claims: 20, 21, 22, 23, 24)