Policy-based physical security system for restricting access to computer resources and data flow through network equipment
First Claim
1. A system comprising:
a plurality of network resources distributed throughout a site, the network resources comprising proprietary and Internet Protocol (IP) enabled security system components including sensors, actuators, alarms and monitoring devices, utilizing physical and Information Technology (IT) security data, wherein each sensor of the sensors is configured to generate a signal in response to a defined event, and in accordance with a proprietary data format defined specifically for a device by a respective manufacturer of the device;
a single integration layer component that is configured to receive signals from each of the plurality of network resources in the proprietary data format of a respective security component and integrate disparate proprietary data formats for aggregation and processing in other components;
the network resources comprising HVAC, lighting, building, video, alarms, identity management, and event security system components;
a central network device security management processor coupled to the plurality of network resources, configured to receive signals from the integration layer by extracting security data and events from network traffic and the security system components to build a continually updated security state of the entire system through a physical security state engine, and a daemon process to generate active access lists and states for physical access control systems, wherein the active access lists define at runtime access privileges for individuals or groups of individuals defined within the system, and further wherein the alarm event messages are generated by a protocol defined trap message and log further wherein the daemon process aggregates all states and event messages;
a normalization component in the central network device security management processor normalizing the signal data from the integration layer component in accordance with a defined data mapping scheme to transform the received signals from the proprietary data format to a corresponding Extensible Markup Language (XML) document configured to describe system policies through the use of virtual objects that comprise components of executable rules, and conforming to a schema that represents relationships between the virtual objects and corresponding devices, objects and processes, wherein the schema defines one or more attributes of the executable rules including inputs from the system components, actions to be taken based on the input, addresses of system components performing the actions, and states to be maintained by the coupled network resources;
a rules definition component defining actionable events definitions and responses to actionable events, physical security policies comprising definitional rules consisting of the virtual objects representing network devices and physical security states used by the plurality of network resources;
a policy manager component defining policies that control a data flow in accordance with the executable rules that are organized into types of policies comprising system, user, and sensor state related policies, and wherein the policies reference the attributes of data objects for each security system component;
a communication integration interface integrating the security data with information technology (IT) data of an entity deploying the system; and
a signal processing component applying the executable rules to the normalized signal data and physical security states to generate control signals that invoke the defined responses to the actionable events and to control the security system components in accordance with policies established for entity personnel defined by the integrated security data and access control rules, and transmitting the control signals to the security system components in the respective proprietary format in order to effect network access, data flow and application security and update the security state of the system.
Abstract
Embodiments are directed to systems and methods for integration and normalization of physical security data, states and events to and from disparate physical security systems, in order to maintain in real-time rules-based policy state information and to enforce physical security policies uniformly across network and information technology (IT) systems. Moreover, it pertains specifically to such apparatus for providing an integration platform, and to methods and processes for normalizing data from physical security systems, maintaining physical security states, mapping them to network access, and either directly affecting the network equipment through standard programming commands or providing interfaces through which network equipment and IT applications can query and determine physical security access states, thus enforcing rules in real-time based on security system data and events.
Claims (20 total)
1. A system comprising: (claim text as set out under First Claim above). Dependent claims: 2, 3, 4, 5
6. A system comprising:
a physical security interface module interfacing to a plurality of security sensors to a plurality of network resources distributed throughout a site, each sensor configured to respond to a corresponding type of actionable event and utilize physical security data including command and content data in accordance with a proprietary data format defined specifically for a sensor by a respective manufacturer of the sensor;
a single integration layer component that is configured to receive signals from each of the plurality of security sensors in the respective proprietary data format and integrate disparate proprietary data formats for aggregation and processing in other components;
the network resources comprising HVAC, lighting, building, video, alarms, identity management, and event security system components;
a central network device security management processor coupled to the plurality of network resources, and configured to receive signals from the integration layer component by extracting physical security data and events from network traffic and the network resources to build a continually updated security state of the entire system through a physical state security engine, and a daemon process to generate active access lists and states for physical access control systems, wherein the active access lists define at runtime access information for individuals or groups of individuals defined within the system, and further wherein the alarm event messages are generated by a protocol defined trap message and further wherein the daemon process aggregates the alarm event messages, and to define physical security states used by the plurality of network resources;
an integration module within the integration layer component including an agent for each type of security sensor to accept the physical security data from each security sensor in the respective proprietary format, and to integrate the physical security data with information objects and processes, wherein the schema defines one or more attributes of the executable rules including inputs from the devices, actions to be taken based on the input, addresses of system components performing the actions, and states to be maintained by the plurality of network resources;
a signal processing component applying executable rules to the normalized signal data and physical security states to generate control signals that invoke defined responses to actionable events and to control the sensors in accordance with policies established for entity personnel defined by the IT data and with physical access control rules, and transmitting the control signals to the sensors in their respective proprietary format;
a policy manager component defining policies that control a data flow in accordance with the executable rules that are organized into two or more types of policies comprising system, user, and sensor state related policies, and wherein the policies reference attributes of data objects for each sensor; and
a physical security equipment module coupled to the plurality of network resources and configured to extract the physical security data from network traffic to build the physical security states of the system defined by physical access control rules and update the security state of the system, and wherein the physical security states and their relationships with network resources are managed and depicted through a visual policy editor that processes the virtual objects through a user interface.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14
15. A method of managing data and events related to information technology security, in a security management process comprising:
defining a first plurality of objects representing actors, facilities, physical security states, and network resources within a managed site comprising security components utilizing physical security data and information technology (IT) data;
defining a second plurality of objects representing actions, conditions and references;
constructing a rule from the first plurality of objects and second plurality of objects through connectors that dictate process flow by the first and second plurality of objects;
receiving a plurality of signals from disparate security devices distributed throughout the site, wherein each signal of the plurality of signals is formatted in accordance with a proprietary format defined specifically for a device specified by a manufacturer of each respective security device;
the network resources comprising HVAC, lighting, building, video, alarms, identity management, and event security system components;
receiving, in a single integration layer component, from each of the plurality of objects in the proprietary data format of a respective security component, and integrating disparate proprietary data formats for aggregation and processing in other components;
extracting physical security data and events from network traffic and the security components to build a continually updated security state of the entire system through alarm event messages generated by the network resources, wherein the alarm event messages are generated by a protocol defined trap message and a system log daemon process aggregates the alarm event messages;
building, in a physical security state engine, active access lists and states for physical access control systems through the extracted physical security data and the daemon process, wherein the active access lists define at runtime access information for individuals or groups of individuals defined within the system;
normalizing the plurality of signals from each proprietary format to an Extensible Markup Language (XML) format to produce normalized signal data, wherein the XML format is configured to describe system policies through the use of virtual objects that comprise components of executable rules, and represents relationships between the virtual objects and corresponding devices, objects and processes, and wherein the schema defines one or more attributes of the executable rules including inputs from the system components, actions to be taken based on the input, addresses of system components performing the actions, and states to be maintained by the network resources;
integrating the physical security data with the information technology (IT) data of an entity within the managed site;
processing the signals and physical security states through the rule to perform an action in accordance with the rule, wherein the action effects a change in one or more settings for the network resources to control the security system components in accordance with policies established for entity personnel defined by the IT data and with physical access control rules of the managed site;
defining policies that control a data flow in accordance with the physical access control rules that are organized into two or more types of policies comprising system, user, and sensor state related policies, and wherein the policies reference attributes of data objects for each security system component;
applying the rule to the normalized signal data and the first plurality of objects to generate control signals that invoke defined responses to actionable events and control the security system components in accordance with defined policies;
transmitting the control signals to the security system components in their respective proprietary format; and
extracting the physical security data from the network traffic to build the security states defined by the physical access control rules and update the security state of the system.
Dependent claims: 16, 17, 18, 19, 20
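The following Python sketch is an added example, not part of the patent or of any product implementing it, of the method in claim 15 end to end: per-vendor agents in the integration layer normalize two constructed proprietary sensor formats into an XML event element, a state engine holds the physical security state and the runtime active access list, and one executable rule turns a forced-door event into an access-list revocation plus control signals encoded back into the device's own format. Every wire format, zone name and badge id here is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Integration-layer agents, one per sensor type (claim 6 / claim 15). Each parses
# a constructed vendor format into the fields the normalized schema expects.
def agent_door(raw):                      # constructed: "DOORSNS|id=D12|zone=LAB|evt=FORCED"
    f = dict(p.split("=", 1) for p in raw.split("|")[1:])
    return {"device": f["id"], "zone": f["zone"], "kind": "door", "value": f["evt"]}

def agent_badge(raw):                     # constructed: "RDR,R7,LAB,1042,GRANT"
    _, dev, zone, badge, res = raw.split(",")
    return {"device": dev, "zone": zone, "kind": "badge", "value": f"{badge}:{res}"}

AGENTS = {"DOORSNS": agent_door, "RDR": agent_badge}

def vendor_tag(raw):
    """Leading token identifies the proprietary format (constructed convention)."""
    return raw.split("|")[0].split(",")[0]

def normalize(raw):
    """Normalization component: proprietary text -> XML <event> per a fixed schema."""
    return ET.Element("event", AGENTS[vendor_tag(raw)](raw))

class StateEngine:
    """Physical security state engine plus runtime active access list."""
    def __init__(self):
        self.zone_state = {}                      # zone -> "NORMAL" | "ALARM"
        self.present = {}                         # zone -> badges last granted entry
        # Constructed access list: badge -> network privileges currently active.
        self.active_access = {"1042": {"lan"}, "2077": {"lan", "vpn"}}

    def apply(self, event):
        """Executable rule: a forced door puts its zone in ALARM, revokes network
        access for everyone badged into that zone, and locks the door. Control
        signals are returned in each target's own (constructed) format."""
        a = event.attrib
        signals = []
        if a["kind"] == "badge":
            badge, res = a["value"].split(":")
            if res == "GRANT":
                self.present.setdefault(a["zone"], set()).add(badge)
        elif a["kind"] == "door" and a["value"] == "FORCED":
            self.zone_state[a["zone"]] = "ALARM"
            for badge in sorted(self.present.get(a["zone"], ())):
                self.active_access[badge] = set()              # runtime ACL update
                signals.append(f"NAC:deny:{badge}")            # to network access control
            signals.append(f"DOORSNS|id={a['device']}|cmd=LOCK")  # back in vendor format
        return signals
```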