Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes

US 9,037,711 B2
Filed: 05/12/2010
Issued: 05/19/2015
Est. Priority Date: 12/02/2009
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor; and

a storage device coupled to the processor and storing an executable web service, an executable web security service, and an executable data dictionary, all executable by the processor, the data dictionary implementing an instance of a hierarchical class tree that includes a plurality of class and data objects;

wherein the data dictionary receives a portion of a hierarchical class tree comprising client segments from another system hosting a peer data dictionary instance, said received portion includes class definitions and security profile information that specifies restrictions on use of data objects identified by the received portion and wherein said web service cannot access said data objects without the use of the web security service and without the received hierarchical class tree portion;

wherein the data dictionary attaches the received portion to its own hierarchical class tree instance at a boundary node that is replaced with an identity node of the received portion, the identity node identifying ownership of the received portion;

wherein, upon executing the web service, the processor generates an access request for a data object identified by the received portion and invokes the web security service to access the security profile information to validate the access request; and

wherein, upon executing the invoked web security service, the processor, before transmitting the access request across a network, validates the access request using a security profile associated with said request performing at least three verifications;

a first verification to determine whether the web service is authorized to send the access request, a second verification to determine whether the data object requested is permitted to be requested by the web service, and a third verification to determine whether a web service intended to receive the access request is authorized to receive the access request; and

wherein the processor transmits the access request based on the web security service, via the processor, successfully performing each of the first, second, and third verifications.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy directed, security-centric model driven architecture is described to secure internal web services, such as those implementing service-oriented architecture (SOA), and external web services such as those hosted on a cloud computing platform. A distributed data dictionary hosted across multiple dictionary engines and operating in conjunction with web security services are used to embed security profiles in web services messages and to validate messages that contain such security profiles.

Citations

9 Claims

1. A system, comprising:
- a processor; and
  
  a storage device coupled to the processor and storing an executable web service, an executable web security service, and an executable data dictionary, all executable by the processor, the data dictionary implementing an instance of a hierarchical class tree that includes a plurality of class and data objects;
  
  wherein the data dictionary receives a portion of a hierarchical class tree comprising client segments from another system hosting a peer data dictionary instance, said received portion includes class definitions and security profile information that specifies restrictions on use of data objects identified by the received portion and wherein said web service cannot access said data objects without the use of the web security service and without the received hierarchical class tree portion;
  
  wherein the data dictionary attaches the received portion to its own hierarchical class tree instance at a boundary node that is replaced with an identity node of the received portion, the identity node identifying ownership of the received portion;
  
  wherein, upon executing the web service, the processor generates an access request for a data object identified by the received portion and invokes the web security service to access the security profile information to validate the access request; and
  
  wherein, upon executing the invoked web security service, the processor, before transmitting the access request across a network, validates the access request using a security profile associated with said request performing at least three verifications;
  
  a first verification to determine whether the web service is authorized to send the access request, a second verification to determine whether the data object requested is permitted to be requested by the web service, and a third verification to determine whether a web service intended to receive the access request is authorized to receive the access request; and
  
  wherein the processor transmits the access request based on the web security service, via the processor, successfully performing each of the first, second, and third verifications.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1 wherein the hierarchical class tree includes system segments and client segments;
    - wherein the system segments comprise system-based security policy metadata objects and system-based enterprise business metadata objects; and
      
      wherein the client segments comprise client-based security policy metadata objects, client-based enterprise business metadata objects, client-based security policy data objects, and the client-based enterprise business data object, the client-based security policy data objects integrated with the client-based enterprise business data object located at a terminal node of the hierarchical class tree.
  - 3. The system of claim 2 wherein the boundary node is replaced with the identity node of the received hierarchical class tree portion with a security profile structure.
  - 4. The system of claim 1 wherein the hierarchical class tree comprises a plurality of nodes, some nodes being child nodes connected to parent nodes and each child node inheriting the security policies of its parent node.
  - 5. The system of claim 1 wherein the received hierarchical class tree portion includes segments that are owned by an entity other than the system receiving the received hierarchical class tree portion and the system hosting the peer data dictionary instance that provides said received hierarchical class tree portion.

6. A system, comprising:
- a processor; and
  
  a storage device coupled to the processor and storing an executable web service, an executable web security service, and an executable data dictionary, all executable by the processor, the data dictionary implementing an instance of a hierarchical class tree that includes a plurality of class and data objects;
  
  wherein the data dictionary receives a request for a targeted portion of the hierarchical class tree instance from another system hosting a peer data dictionary instance, said targeted portion includes an identity node that identifies the ownership of the targeted portion and class definitions and security profile information that specifies restrictions on use of data objects identified by the targeted portion;
  
  wherein the data dictionary transmits the targeted portion of the hierarchical class tree to the other system for attachment of the targeted portion to the hierarchical class tree instance of the other system at a boundary node, wherein the boundary node is replaced with an identity node identifying ownership of the objects contained in the targeted portion;
  
  wherein, upon execution by the processor, the web service receives an incoming message and, in response, invokes the web security service to validate the incoming message and wherein the web service cannot access said data objects without the use of the web security service and without the hierarchical class tree;
  
  wherein, upon execution by the processor, the web security service validates the incoming message by performing at least three verifications including a first verification to determine whether the web service is authorized to receive the incoming message, a second verification to determine whether any data targeted by the message is permitted to be accessed by the web service, and a third verification to determine whether an entity that provided the message was permitted to provide the message; and
  
  wherein, upon all of said verifications being successfully performed, the web service generates a response message and again invokes the web security service to validate the response message, before it is transmitted to the entity, by performing at least three verifications including a fourth verification to determine whether the web service is authorized to transmit the response message, a fifth verification to determine whether any data included in the response message is permitted to be accessed by the web service, and a sixth verification to determine whether the entity is permitted to receive the response message; and
  
  wherein the processor transmits the response message to said entity based on the web security service, via the processor, successfully performing each of the fourth, fifth, and sixth verifications.
- View Dependent Claims (7, 8)
- - 7. The system of claim 6 wherein the hierarchical class tree includes system segments and client segments;
    - wherein the system segments comprise system-based security policy metadata objects and system-based enterprise business metadata objects; and
      
      wherein the client segments comprise client-based security policy metadata objects, client-based enterprise business metadata objects, client-based security policy data objects, and the client-based enterprise business data object, the client-based security policy data objects integrated with the client-based enterprise business data object located at a terminal node of the hierarchical class tree.
  - 8. The system of claim 6 wherein the hierarchical class tree comprises a plurality of nodes, some nodes being child nodes connected to parent nodes and each child node inheriting the security policies of its parent node.

9. A method, comprising:
- requesting, by a client data dictionary, a portion of a hierarchical class tree including client segments from another system hosting a peer data dictionary instance;
  
  receiving the requested portion, the received portion includes class definitions and security profile information that specifies restrictions on use of data objects identified by the received portion and wherein said web service cannot access said data objects without the use of the web security service and without the received hierarchical class tree portion;
  
  attaching the requested portion to a boundary node;
  
  replacing the boundary node with an identity node that identifies ownership of the received portion; and
  
  generating an access request, by a web service, for a data object identified by the received and attached portion;
  
  invoking, by the web service, a web security service based on the generated request to validate the access request by performing at least three verifications;
  
  a first verification to determine whether the web service is authorized to send the access request, a second verification to determine whether the data object requested is permitted to be requested by the web service, and a third verification to determine whether a web service intended to receive the access request is authorized to receive the access request; and
  
  transmitting the access request based on the web security service successfully performing each of the first, second, and third verifications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Metasecure Corporation
Original Assignee
Metasecure Corporation
Inventors
Maida-Smith, Kathy J., Nieves, Michael J., Engle, Steven E.
Primary Examiner(s)
SISON, JUNE Y

Application Number

US12/778,750
Publication Number

US 20110131275A1
Time in Patent Office

1,833 Days
Field of Search

709/204
US Class Current

709/225
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 63/0281   Proxies

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/306   User profiles

H04L 67/51   Discovery or management the...

Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links