Method for managing data in a shared computing environment

US 8,352,999 B1
Filed: 07/21/2006
Issued: 01/08/2013
Est. Priority Date: 07/21/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method of storing, protecting, and accessing secret data in a shared computing environment, comprising:

defining, for a piece of secret data, a security zone for one or more entities with a common security characteristic, wherein the security zone defines a plurality of groups of users that can access the piece of secret data, wherein the piece of secret data is used to access the one or more entities defined by the security zone, and wherein at least two groups of users of the plurality of groups of users can access the piece of secret data using different access privileges, the different access privileges allowing the at least two groups of users to perform different functions on the piece of secret data;

determining whether a request by a user to access the piece of secret data used to access the one or more entities defined by the security zone will be granted, whereinthe piece of secret data and one or more administration policies are centrally stored on a directory server,the one or more administration policies comprise one or more user authentication policies that are used to authenticate the requesting user on the directory server,the one or more administration policies further comprise the security zone, which defines the piece of secret data that is accessible by the requesting user;

the one or more administration policies further comprise one or more authorization policies that control access to the piece of secret data defined by the security zone, in which the requesting user is permitted to access the piece of secret data used to access the one or more entities defined by the security zone, without going to an external computing node, upon satisfaction of the one or more authorization policies,distributing the piece of secret data to the requesting user without pushing the piece of secret data to the requesting user, whereinthe requesting user shares the piece of secret data in the shared computing environment, anddefining one or more additional security zones, each additional security zone determining or identifying;

a group of users, and an additional piece of secret data that is accessible by the group of users.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of storing secret data in a shared computing environment includes defining secret data, such as a password and administration policies according to a schema of a directory server such as a LDAP server. The secret data and administration polices are centrally stored on the LDAP server. The secret data can be encrypted. Administration polices include authorization and authentication policies, and a security zone can be defined for a collection of entities with a common security characteristic, such as a common password. A security zone defines a group of users and the secret data that can be accessed by the group of users. Multiple security zones can be defined. The secret data can be accessed directly from the server of the directory service without accessing another server or data store assuming the administration policies are satisfied.

63 Citations

View as Search Results

24 Claims

1. A computer implemented method of storing, protecting, and accessing secret data in a shared computing environment, comprising:
- defining, for a piece of secret data, a security zone for one or more entities with a common security characteristic, wherein the security zone defines a plurality of groups of users that can access the piece of secret data, wherein the piece of secret data is used to access the one or more entities defined by the security zone, and wherein at least two groups of users of the plurality of groups of users can access the piece of secret data using different access privileges, the different access privileges allowing the at least two groups of users to perform different functions on the piece of secret data;
  
  determining whether a request by a user to access the piece of secret data used to access the one or more entities defined by the security zone will be granted, whereinthe piece of secret data and one or more administration policies are centrally stored on a directory server,the one or more administration policies comprise one or more user authentication policies that are used to authenticate the requesting user on the directory server,the one or more administration policies further comprise the security zone, which defines the piece of secret data that is accessible by the requesting user;
  
  the one or more administration policies further comprise one or more authorization policies that control access to the piece of secret data defined by the security zone, in which the requesting user is permitted to access the piece of secret data used to access the one or more entities defined by the security zone, without going to an external computing node, upon satisfaction of the one or more authorization policies,distributing the piece of secret data to the requesting user without pushing the piece of secret data to the requesting user, whereinthe requesting user shares the piece of secret data in the shared computing environment, anddefining one or more additional security zones, each additional security zone determining or identifying;
  
  a group of users, and an additional piece of secret data that is accessible by the group of users.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the piece of secret data comprises:
    - a password.
  - 3. The method of claim 1, wherein the act of determining whether a request by a user to access the piece of secret data used to access the one or more entities defined by the security zone will be granted further comprising:
    - determining or identifying an authorization policy; and
      
      determining or identifying an authentication policy.
  - 4. The method of claim 3, the act of determining or identifying the authentication policy further comprising determining or identifying an identity of the user.
  - 5. The method of claim 4, the act of determining or identifying the identity of the user further comprising:
    - determining or identifying a user name; and
      
      determining or identifying a password for the user name.
  - 6. The method of claim 3, the act of determining or identifying the authorization policy further comprising:
    - determining or identifying an authorization policy that determines whether the request to access the directory server will be granted.
  - 7. The method of claim 1, wherein the secret data is accessible by one group of users of the plurality of groups of users at a time.
  - 8. The method of claim 1, wherein one group of users of the plurality of groups of users includes one user.
  - 9. The method of claim 1, wherein one group of users of the plurality of groups of users includes a plurality of users.
  - 10. The method of claim 1, further comprising encrypting the piece of secret data.
  - 11. The method of claim 1, the user request is sent over the Internet through a web server.
  - 12. The method of claim 1, further comprising:
    - changing the piece of secret data; and
      
      maintaining the one or more administration policies administration policies so that the same one or more administration policies must be satisfied in order to access the changed piece of secret data.
  - 13. The method of claim 1, wherein the directory server is an LDAP server.
  - 15. The method of claim 1, wherein accessing the one or more entities defined by the security zone using the piece of secret data comprises administering the one or more entities.
  - 16. The method of claim 15, wherein the one or more entities defined by the security zone comprise a server.
  - 17. The method of claim 15, wherein the piece of secret data that is used to access the one or more entities defined by the security zone comprises an administration password.
  - 18. The method of claim 1, wherein accessing the one or more entities defined by the security zone using the piece of secret data comprises accessing data stored within the one or more entities.
  - 19. The method of claim 1, wherein the piece of secret data that is used to access the one or more entities defined by the security zone comprises a phrase for a private encryption key.

14. A system for storing, protecting, and accessing secret data in a shared computing environment, comprising:
- a computer server that is programmed for performing;
  
  defining, for a piece of secret data, a security zone for one or more entities with a common security characteristic, wherein the security zone defines a plurality of groups of users that can access the piece of secret data, wherein the piece of secret data is used to access the one or more entities defined by the security zone, and wherein at least two groups of users of the plurality of groups of users can access the piece of secret data using different access privileges, the different access privileges allowing the at least two groups of users to perform different functions on the piece of secret data;
  
  determining whether a request by a user to access the piece of secret data used to access the one or more entities defined by the security zone will be granted, whereinthe piece of secret data and one or more administration policies are centrally stored on a directory server,the one or more administration policies comprise one or more user authentication policies that are used to authenticate the requesting user on the directory server,the one or more administration policies further comprise the security zone, which defines the piece of secret data that is accessible by the requesting user;
  
  the one or more administration policies further comprise one or more authorization policies that control access to the piece of secret data defined by the security zone, in which the requesting user is permitted to access the piece of secret data used to access the one or more entities defined by the security zone, without going to an external computing node, upon satisfaction of the one or more authorization policies, anddistributing the piece of secret data to the requesting user without pushing the secret data to the requesting user, wherein the requesting user shares the piece of secret data in the shared computing environment, anddefining one or more additional security zones, each additional security zone determining or identifying;
  
  a group of users, and an additional piece of secret data that is accessible by the group of users.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The system of claim 14, wherein accessing the one or more entities defined by the security zone using the piece of secret data comprises administering the one or more entities.
  - 21. The system of claim 20, wherein the one or more entities defined by the security zone comprise a server.
  - 22. The system of claim 20, wherein the piece of secret data that is used to access the one or more entities defined by the security zone comprises an administration password.
  - 23. The system of claim 14, wherein accessing the one or more entities defined by the security zone using the piece of secret data comprises accessing data stored within the one or more entities.
  - 24. The system of claim 14, wherein the piece of secret data that is used to access the one or more entities defined by the security zone comprises a phrase for a private encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cadence Design Systems Incorporated (Cadence Group)
Original Assignee
Cadence Design Systems Incorporated (Cadence Group)
Inventors
Zhan, Kaijun, Harper, James
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US11/490,676
Time in Patent Office

2,363 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

H04L 63/083 using passwords cryptograph...

H04L 63/104 Grouping of entities

Method for managing data in a shared computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method for managing data in a shared computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links