Authentication in a globally distributed infrastructure for secure content management

US 8,935,742 B2
Filed: 08/18/2008
Issued: 01/13/2015
Est. Priority Date: 01/08/2008
Status: Active Grant

First Claim

Patent Images

1. A method for providing a Secure Content Management (SCM) service to users of information technology (IT) devices, the method comprising the steps of:

utilizing, to support the SCM service, a distributed infrastructure that is accessible by the users over an Internet connection, the infrastructure including a plurality of points-of-presence (POPs), each POP in the plurality including at least a forward proxy server for forwarding traffic from the IT devices to resource servers that are accessible on the Internet and further including one or more policy databases that are non-centralized within the infrastructure for storing security policies, each of the non-centralized policy databases including non-centralized and duplicated security policies;

authenticating the users of the IT devices to the SCM service;

redirecting a user to a co-located POP, a POP being co-located when a set of parameters is optimized including network latency compared with non-co-located POPs and localization of a user experience is implementable; and

providing the SCM service to the authenticated users through the co-located POP, the SCM service a) implementing security monitoring of the authenticated user'"'"'s interactions with resources that are accessed over the Internet connection and applying the non-centralized and duplicated security policies to govern the authenticated user'"'"'s interactions with the resources once accessed so that an authenticated user is subject to identical security policy enforcement irrespective of which of the co-located POPs is utilized to provide the SCM service, the security monitoring including content filtering between the users'"'"' IT devices and the resource servers, the content filtering being implemented subsequent to a user being authenticated, and the security monitoring further including anti-virus protection and intrusion detection, and b) content caching based on a profile of a user, the user profile being generated responsively to the monitored interactions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.

89 Citations

View as Search Results

20 Claims

1. A method for providing a Secure Content Management (SCM) service to users of information technology (IT) devices, the method comprising the steps of:
- utilizing, to support the SCM service, a distributed infrastructure that is accessible by the users over an Internet connection, the infrastructure including a plurality of points-of-presence (POPs), each POP in the plurality including at least a forward proxy server for forwarding traffic from the IT devices to resource servers that are accessible on the Internet and further including one or more policy databases that are non-centralized within the infrastructure for storing security policies, each of the non-centralized policy databases including non-centralized and duplicated security policies;
  
  authenticating the users of the IT devices to the SCM service;
  
  redirecting a user to a co-located POP, a POP being co-located when a set of parameters is optimized including network latency compared with non-co-located POPs and localization of a user experience is implementable; and
  
  providing the SCM service to the authenticated users through the co-located POP, the SCM service a) implementing security monitoring of the authenticated user'"'"'s interactions with resources that are accessed over the Internet connection and applying the non-centralized and duplicated security policies to govern the authenticated user'"'"'s interactions with the resources once accessed so that an authenticated user is subject to identical security policy enforcement irrespective of which of the co-located POPs is utilized to provide the SCM service, the security monitoring including content filtering between the users'"'"' IT devices and the resource servers, the content filtering being implemented subsequent to a user being authenticated, and the security monitoring further including anti-virus protection and intrusion detection, and b) content caching based on a profile of a user, the user profile being generated responsively to the monitored interactions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 including a further step of securing user interaction with the Secure Content Management (SCM) service according to predefined security policies, at least a subset of such security policies being part of security policies pertaining to an enterprise or business.
  - 3. The method of claim 1 including a further step of securing user interaction with the Secure Content Management (SCM) service according to predefined security policies, at least a subset of such security policies being part of security policies pertaining to a consumer or household.
  - 4. The method of claim 1 including a further step of managing the forward proxy servers in the points-of-presence (POPs) using an enterprise management subsystem located in a hub that is coupled to one or more POPs.
  - 5. The method of claim 1 in which the authenticating is performed with user credentials which are utilized when the user authenticates to a local network.
  - 6. The method of claim 1 including a further step of implementing a client on an information technology (IT) device, the client being arranged as a local forward proxy for performing authentication to the Secure Content Management (SCM) service.
  - 7. The method of claim 1 in which the authenticating is performed using one of integrated operating system-enabled authentication, federated identity authentication, single-sign-on authentication, two-factor authentication, forms authentication, custom authentication, or Radius authentication.
  - 8. The method of claim 1 including a further step of initiating authentication using one of HyperText Transfer Protocol (HTTP) proxy authentication, Internet Protocol Security (IPSec) authentication, or virtual private network (VPN) authentication.

9. A method of providing identity management in a Secure Content Management (SCM) service, the method comprising the steps of:
- utilizing a distributed infrastructure to provide the SCM service that is accessible by users over an Internet connection, the SCM service a) in accordance with stored security policies, implementing security monitoring of interactions between service users and Internet-based resources, the security monitoring including content filtering between the users'"'"' information technology (IT) devices and the resource servers, the content filtering being implemented subsequent to a user being authenticated, and the security monitoring further including anti-virus protection and intrusion detection, and b) content caching based on a profile of a user, the user profile being generated responsively to the monitored interactions, the infrastructure including a plurality of points-of-presence (POPs), each POP in the plurality including at least a forward proxy server for forwarding traffic from IT devices to resource servers that are accessible on the Internet and further including one or more policy databases that are non-centralized within the infrastructure for storing the security policies, each of the non-centralized policy databases including non-centralized and duplicated security policies, and the infrastructure further including a hub operatively coupled to one or more POPs, the hub providing i) configuration management for forward proxy servers, and ii) identity management;
  
  receiving authentication credentials associated with users of the IT devices; and
  
  performing authentication of a user seeking access to the SCM service in accordance with the received authentication credentials by applying the non-centralized and duplicated security policies to govern the authenticated user'"'"'s interactions with the resources once accessed so that the authenticated user is subject to identical security policy enforcement irrespective of which of the co-located POPs is utilized to provide the SCM service.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9 in which the authentication credentials are verified using a one-way or two-way trust.
  - 11. The method of claim 10 including a further step of establishing a pipeline over which the one-way or two-way trust is operated.
  - 12. The method of claim 11 in which the pipeline is implemented using virtual private network (VPN).
  - 13. The method of claim 11 in which the pipeline is implemented using a secure network connection using one of multi-protocol label switching (MPLS), Internet Protocol Security (IPSec), or Internet Protocol version 6 (IPv6) global addressing.
  - 14. The method of claim 9 including a further step of utilizing the authenticating as part of a single-sign-on procedure.
  - 15. The method of claim 14 in which the single-sign-on is supported by one of operating system-enabled authentication.
  - 16. The method of claim 14 in which the single-sign-on is implemented using federated access.

17. A method for authenticating users to a Secure Content Management (SCM) service, the method comprising the steps of:
- providing the SCM service using a cloud-based distributed infrastructure including a plurality of points-of-presence (POPs), each POP including a forward proxy through which users access and interact with resources available via an Internet connection and further including one or more policy databases that are non-centralized within the infrastructure for storing security policies, each of the non-centralized policy databases including non-centralized and duplicated security policies, the SCM service implementing a) security monitoring of user'"'"'s interactions with resources on a click-by-click basis by applying the non-centralized and duplicated security policies to govern the user'"'"'s interactions with the resources once so that a user is subject to identical security policy enforcement irrespective of which of the POPs is utilized to provide the SCM service, the security monitoring including content filtering between the users'"'"' information technology (IT) devices and the resource servers, the content filtering being implemented subsequent to a user being authenticated, and the security monitoring further including anti-virus protection and intrusion detection, and b) content caching based on a profile of a user, the user profile being generated responsively to the monitored interactions; and
  
  authenticating the users to the SCM service using pre-existing credentials supported by an identity metasystem.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 including a further step of performing network optimization in a point-of-presence (POP), the network optimization including one of caching, HyperText Transfer Protocol (HTTP) compression, or quality of service (QoS) enforcement.
  - 19. The method of claim 17 including a further step of redirecting a user to a co-located point-of-presence (POP), a POP being co-located when network latency is minimized compared with non-co-located POPs and localization of a user experience is implementable.
  - 20. The method of claim 19 in which the localization is performed with at least one of language, time zone, currency, or character set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Nice, Nir, Ananiev, Oleg, Wohlfert, John, Finkelstein, Amit, Teplitsky, Alik
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Ho, Thomas

Application Number

US12/193,070
Publication Number

US 20090178109A1
Time in Patent Office

2,339 Days
Field of Search

726/3, 726/1, 726/11, 726/12, 726/13
US Class Current

726/1
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/629   to features or functions of...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2151   Time stamp

G06Q 30/0204   Market segmentation

G06Q 30/0215   Including financial accounts

H04L 63/0281   Proxies

H04L 63/14   for detecting or protecting...

H04L 63/20   for managing network securi...

Authentication in a globally distributed infrastructure for secure content management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication in a globally distributed infrastructure for secure content management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links