Policy-based physical security system for restricting access to computer resources and data flow through network equipment

US 9,111,088 B2
Filed: 08/14/2007
Issued: 08/18/2015
Est. Priority Date: 08/14/2006
Status: Active Grant

- Alert
- Pin

Associated Case

Associated Defendants

First Claim

Patent Images

1. A system comprising:

a plurality of network resources distributed throughout a site, the network resources comprising proprietary and Internet Protocol (IP) enabled security system components including sensors, actuators, alarms and monitoring devices, utilizing physical and Information Technology (IT) security data,wherein each sensor of the sensors is configured to generate a signal in response to a defined event, and in accordance with a proprietary data format defined specifically for a device by a respective manufacturer of the device;

a single integration layer component that is configured to receive signals from each of the plurality of network resources in the proprietary data format of a respective security component and integrate disparate proprietary data formats for aggregation and processing in other components;

the network resources comprising HVAC, lighting, building, video, alarms, identity management, and event security system components;

a central network device security management processor coupled to the plurality of network resources, configured to receive signals from the integration layer by extracting security data and events from network traffic and the security system components to build a continually updated security state of the entire system through a physical security state engine, and a daemon process to generate active access lists and states for physical access control systems, wherein the active access lists define at runtime access privileges for individuals or groups of individuals defined within the system, and further wherein the alarm event messages are generated by a protocol defined trap message and log further wherein the daemon process aggregates all states and event messages;

a normalization component in the central network device security management processor normalizing the signal data from the integration layer component in accordance with a defined data mapping scheme to transform the received signals from the proprietary data format to a corresponding Extensible Markup Language (XML) document configured to describe system policies through the use of virtual objects that comprise components of executable rules, and conforming to a schema that represents relationships between the virtual objects and corresponding devices, objects and processes, wherein the schema definesone or more attributes of the executable rules including inputs from the system components, actions to be taken based on the input, addresses of system components performing the actions, and states to be maintained by the coupled network resources;

a rules definition component defining actionable events definitions and responses to actionable events, physical security policies comprising definitional rules consisting of the virtual objects representing network devices and physical security states used by the plurality of network resources;

a policy manager component defining policies that control a data flow in accordance with the executable rules that are organized into types of policies comprising system, user, and sensor state related policies, and wherein the policies reference the attributes of data objects for each security system component;

a communication integration interface integrating the security data with information technology (IT) data of an entity deploying the system; and

a signal processing component applying the executable rules to the normalized signal data and physical security states to generate control signals that invoke the defined responses to the actionable events and to control the security system components in accordance with policies established for entity personnel defined by the integrated security data and access control rules, and transmitting the control signals to the security system components in the respective proprietary format in order to effect network access, data flow and application security and update the security state of the system.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

Embodiments are directed to systems and methods for integration and normalization of physical security data, states and events to and from disparate physical security systems to maintain in real-time rules based policy state information to enforce physical security policies uniformly across network and information technology (IT) systems. Moreover it pertains specifically to such apparatus for providing an integration platform, methods and processes for normalizing data from physical security systems, to maintain physical security states, mapping to network access and either directly affecting the network equipment through standard programming commands or providing interfaces for network equipment and IT applications to query and determine physical security access states thus enforcing rules in real-time based on security systems data and events.

Citations

20 Claims

1. A system comprising:
- a plurality of network resources distributed throughout a site, the network resources comprising proprietary and Internet Protocol (IP) enabled security system components including sensors, actuators, alarms and monitoring devices, utilizing physical and Information Technology (IT) security data,wherein each sensor of the sensors is configured to generate a signal in response to a defined event, and in accordance with a proprietary data format defined specifically for a device by a respective manufacturer of the device;
  
  a single integration layer component that is configured to receive signals from each of the plurality of network resources in the proprietary data format of a respective security component and integrate disparate proprietary data formats for aggregation and processing in other components;
  
  the network resources comprising HVAC, lighting, building, video, alarms, identity management, and event security system components;
  
  a central network device security management processor coupled to the plurality of network resources, configured to receive signals from the integration layer by extracting security data and events from network traffic and the security system components to build a continually updated security state of the entire system through a physical security state engine, and a daemon process to generate active access lists and states for physical access control systems, wherein the active access lists define at runtime access privileges for individuals or groups of individuals defined within the system, and further wherein the alarm event messages are generated by a protocol defined trap message and log further wherein the daemon process aggregates all states and event messages;
  
  a normalization component in the central network device security management processor normalizing the signal data from the integration layer component in accordance with a defined data mapping scheme to transform the received signals from the proprietary data format to a corresponding Extensible Markup Language (XML) document configured to describe system policies through the use of virtual objects that comprise components of executable rules, and conforming to a schema that represents relationships between the virtual objects and corresponding devices, objects and processes, wherein the schema definesone or more attributes of the executable rules including inputs from the system components, actions to be taken based on the input, addresses of system components performing the actions, and states to be maintained by the coupled network resources;
  
  a rules definition component defining actionable events definitions and responses to actionable events, physical security policies comprising definitional rules consisting of the virtual objects representing network devices and physical security states used by the plurality of network resources;
  
  a policy manager component defining policies that control a data flow in accordance with the executable rules that are organized into types of policies comprising system, user, and sensor state related policies, and wherein the policies reference the attributes of data objects for each security system component;
  
  a communication integration interface integrating the security data with information technology (IT) data of an entity deploying the system; and
  
  a signal processing component applying the executable rules to the normalized signal data and physical security states to generate control signals that invoke the defined responses to the actionable events and to control the security system components in accordance with policies established for entity personnel defined by the integrated security data and access control rules, and transmitting the control signals to the security system components in the respective proprietary format in order to effect network access, data flow and application security and update the security state of the system.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1 wherein the network resources comprise network management systems for centralized alarm monitoring, event response, and application of policies for the protection of network resources, wherein the integrated security data reflects the physical security states and comprises a portion of the IT network traffic of the entity, the system further comprising a physical security equipment module coupled to the plurality of network resources and configured to extract the security data from the network traffic to build the physical security states of the system defined by the access control rules, and wherein the security states and their relationships with network resources are managed and depicted through a visual policy editor that processes the virtual objects.
  - 3. The system of claim 1 wherein the network resources comprise subscriber and services provisioning systems for provisioning system users and assigning privileges and granting access to resources based on assigned privileges, and wherein the policies serve to control management of the system in a distributed computing environment by providing at least one of:
    - an oversight mechanism over data changes in the system, enforcement of corporate policies by defining the system policies in accord with security guidelines, monitoring compliance by tracking violations, generating alarms on violations, and task assignments for personnel to resolve policy violations.
  - 4. The system of claim 1 wherein the network resources comprise network services configured to prioritize network traffic and automatically respond to security events, and wherein the system policies are defined by a sending or receiving system and define the flow of data from and to the sending receiving system and are applied to data objects for each unique system level actions and data flows, and wherein the user policies apply to attributes within a data object and are executed based on object attributes other policies, and wherein the user policies are configurable by users to detect policy violations, user actions and data flow actions to raise alarms, and further wherein the policy manager controls changes triggered by one type of policy and effects data flow changes to another type of policy and related data objects to determine state changes of the system.
  - 5. The system of claim 4 wherein each policy of the policies is a user-defined logical entity that serves as a container for executable rules that are contained in a policy definition, and each rule is a lowest level combination of condition-action statements that are applied to the data objects processed by the system, and wherein policies are applied when a data object change is detected from any of the sending or receiving systems, and the policy affects the dataflow of messages destined for any external system or the system itself.

6. A system comprising:
- a physical security interface module interfacing to a plurality of security sensors to a plurality of network resources distributed throughout a site, each sensor configured to respond to a corresponding type of actionable event and utilize physical security data including command and content data in accordance with a proprietary data format defined specifically for a sensor by a respective manufacturer of the sensor;
  
  a single integration layer component that is configured to receive signals from each of the plurality of security sensors in the respective proprietary data format and integrate disparate proprietary data formats for aggregation and processing in other components;
  
  the network resources comprising HVAC, lighting, building, video, alarms, identity management, and event security system components;
  
  a central network device security management processor coupled to the plurality of network resources, and configured to receive signals from the integration layer component by extracting physical security data and events from network traffic and the network resources to build a continually updated security state of the entire system through a physical state security engine, and a daemon process to generate active access lists and states for physical access control systems, wherein the active access lists define at runtime access information for individuals or groups of individuals defined within the system, and further wherein the alarm event messages are generated by a protocol defined trap message and further wherein the daemon process aggregates the alarm event messages, and to define physical security states used by the plurality of network resources;
  
  an integration module within the integration layer component including an agent for each type of security sensor to accept the physical security data from each security sensor in the respective proprietary format, and to integrate the physical security data with information objects and processes, wherein the schema defines one or more attributes of the executable rules including inputs from the devices, actions to be taken based on the input, addresses of system components performing the actions, and states to be maintained by the plurality of network resources;
  
  a signal processing component applying executable rules to the normalized signal data and physical security states to generate control signals that invoke defined responses to actionable events and to control the sensors in accordance with policies established for entity personnel defined by the IT data and with physical access control rules, and transmitting the control signals to the sensors in their respective proprietary format;
  
  a policy manager component policies that control a data flow in accordance with the executable rules that are organized into two or more types of policies comprising system, user, and sensor state related policies, and wherein the policies reference attributes of data objects for each sensor; and
  
  a physical security equipment module coupled to the plurality of network resources and configured to extract the physical security data from network traffic to build the physical security states of the system defined by physical access control rules and update the security state of the system, and wherein the physical security states and their relationships with network resources are managed and depicted through a visual policy editor that processes the virtual objects through a user interface.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The system of claim 6 wherein the plurality of sensor types comprise physical access, intrusion, and environmental conditions.
  - 8. The system of claim 6 wherein the normalization module converts the proprietary data format for each security sensor into XML format.
  - 9. The system of claim 6 further comprising a rules engine applying the executable rules on the content data and commands from each security sensor, and wherein each policy of the policies is a user-defined logical entity that serves as a container for executable rules that are contained in a policy definition, and each rule is a lowest level combination of condition-action statements that are applied to the data objects processed by the system, and wherein policies are applied when a data object change is detected from any of the sending or receiving systems, and the policy affects the dataflow of messages destined for any external system or the system itself.
  - 10. The system of claim 6 wherein the network resources comprise network management systems for centralized alarm monitoring, event response, and application of policies for the protection of network resources, and wherein the policies serve to control management of the physical security system in a distributed computing environment by providing at least one of:
    - an oversight mechanism over data changes in the system, enforcement of corporate policies by defining the system policies in accord with security guidelines, monitoring compliance by tracking violations, generating alarms on violations, and task assignments for personnel to resolve policy violations.
  - 11. The system of claim 6 wherein the network resources comprise subscriber and services provisioning systems for provisioning system users and assigning privileges and granting access to resources based on assigned privileges.
  - 12. The system of claim 6 wherein the network resources comprise network services configured to prioritize network traffic and automatically respond to security events.
  - 13. The system of claim 6 wherein the network resources comprise communication systems selected from the group consisting of:
    - telephonic communication, radio communication, and internet protocol (IP) communication.
  - 14. The system of claim 6 wherein the visual editor represents each normalized physical sensor as an object containing one or more attributes that define a spatial relationship to other objects through one or more executable rules.

15. A method of managing data and events related to information technology security, in a security management process comprising:
- defining a first plurality of objects representing actors, facilities, physical security states, and network resources within a managed site comprising security components utilizing physical security data and information technology (IT) data;
  
  defining a second plurality of objects representing actions, conditions and references;
  
  constructing a rule from the first plurality of objects and second plurality of objects through connectors that dictate process flow by the first and second plurality of objects;
  
  receiving a plurality of signals from disparate security devices distributed throughout the site, wherein each signal of the plurality of signals is formatted in accordance with a proprietary format defined specifically for a device specified by a manufacturer of each respective security device;
  
  the network resources comprising HVAC, lighting, building, video, alarms, identity management, and event security system components;
  
  receiving, in a single integration layer component from each of the plurality of objects in the proprietary data format of a respective security component and integrate disparate proprietary data formats for aggregation and processing in other components;
  
  extracting physical security data and events from network traffic and the security components to build a continually updated security state of the entire system through alarm event messages generated by the network resources, wherein the alarm event messages are generated by a protocol defined trap message and a system log daemon process aggregates the alarm event messages;
  
  building, in a physical security state engine, active access lists and states for physical access control systems through the extracted physical security data and the daemon process, wherein the active access lists define at runtime access information for individuals or groups of individuals defined within the system;
  
  normalizing the plurality of signals from each proprietary format to an Extensible Markup Language (XML) format to produce normalized signal data, wherein the XML format is configured to describe system policies through the use of virtual objects that comprise components of executable rules, and represents relationships between the virtual objects and corresponding devices, objects and processes, and wherein the schema defines one or more attributes of the executable rules including inputs from the system components,actions to be taken based on the input, addresses of system components performing the actions, and states to be maintained by the network resources;
  
  integrating the physical security data with the information technology (IT) data of an entity within the managed site;
  
  processing the signals and physical security states through the rule to perform an action in accordance with the rule, wherein the action effects a change in one or more settings for the network resources to control the security system components in accordance with policies established for entity personnel defined by the IT data and with physical access control rules of the managed site;
  
  defining policies that control a data flow in accordance with the physical access control rules that are organized into two or more types of policies comprising system, user, and sensor state related policies, and wherein the policies reference attributes of data objects for each security system component;
  
  applying the rule to the normalized signal data and the first plurality of objects to generate control signals that invoke defined responses to actionable events and control the security system components in accordance with defined policies;
  
  transmitting the control signals to the security system components in their respective proprietary format; and
  
  extracting the physical security data from the network traffic to build the security states defined by the physical access control rules and update the security state of the system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 wherein the rule is constructed using a graphical visual policy editor that processes virtual objects, and wherein the physical security states and their relationships with network resources are managed and depicted as the virtual objects.
  - 17. The method of claim 15 wherein the rule dictates a response to a physical intrusion event, and wherein the action is selected from the group consisting of:
    - generating an alarm, providing an alert to official personnel, or preventing access to areas of the site, and wherein the policies serve to control management of the security system in a distributed computing environment by providing at least one of;
      
      an oversight mechanism over data changes in the system, enforcement of corporate policies by defining the system policies in accord with security guidelines, monitoring compliance by tracking violations, generating alarms on violations, and task assignments for personnel to resolve policy violations.
  - 18. The method of claim 15 wherein the rule dictates a network backup action within the network resources.
  - 19. The method of claim 15 wherein the action comprises one of:
    - restricting access of personnel to one or more devices of the network resources, and wherein the policies serve to control management of the security system in a distributed computing environment by providing at least one of;
      
      an oversight mechanism over data changes in the system, enforcement of corporate policies by defining the system policies in accord with security guidelines, monitoring compliance by tracking violations, generating alarms on violations, and task assignments for personnel to resolve policy violations.
  - 20. The method of claim 15 wherein the disparate security devices are selected from the group consisting of:
    - proximity alarms, infrared detectors, motion sensors, smoke detectors, bar code readers, and biometric sensors.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
HID Global Corporation (Assa Abloy AB)
Original Assignee
Quantum Security Incorporated
Inventors
Ghai, Vikrant, Sharma, Shailendra, Jain, Ajay
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
MCCOY, RICHARD ANTHONY

Application Number

US11/893,056
Publication Number

US 20080209505A1
Time in Patent Office

2,926 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/604   Tools and structures for ma...

G06F 2221/034   Test or assess a computer o...

G06Q 10/06   Resources, workflows, human...

G07C 9/37   using biometric data, e.g. ...

H04L 41/28   Restricting access to netwo...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Policy-based physical security system for restricting access to computer resources and data flow through network equipment

First Claim

3 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based physical security system for restricting access to computer resources and data flow through network equipment

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links