Centralized secure offload of cryptographic security services for distributed security enforcement points
Abstract
Embodiments of the present invention address deficiencies of the art in respect to network security and provide a method, system and computer program product for centralized secure offload of key exchange services for distributed security enforcement points. In one embodiment, a data processing system for centralized secure offload of key exchange services for distributed security enforcement points can be provided. The system can include a security enforcement point controlling communication flows between devices in different less trusted zones of protection, and a security server communicatively coupled to the security enforcement point and hosting key exchange services disposed in a more trusted zone of protection. The security enforcement point can include an interface to the key exchange services and program code enabled to offload at least one portion of a key exchange through the interface to the key exchange services disposed in the more trusted zone of protection.
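The division of labour the abstract describes (the enforcement point keeps the per-flow cryptographic work local, while the step of the key exchange that needs long-term credentials is carried out by a security server in a more trusted zone) is sketched below as an added illustration in Python. This is not code from the patent or its assignee. It assumes a pre-shared-key style exchange with HMAC-SHA256 standing in for the key exchange's PRF, models the channel between zones as a direct call that is taken to be already authenticated, and uses constructed credentials and identifiers (host-a, ep-north, ep-rogue and so on) that are placeholders, not values from the patent.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the key exchange's PRF (an assumption of this sketch)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class SecurityServer:
    """Third zone, the most trusted one. Sole holder of long-term pre-shared keys.

    Serves several enforcement points and never exports a PSK, only keying
    material derived from it for one specific handshake (the offloaded portion).
    """

    def __init__(self, psks: dict[str, bytes], enforcement_points: set[str]):
        self._psks = psks
        self._allowed = enforcement_points

    def derive_skeyseed(self, ep_id: str, peer_id: str, nonce_i: bytes, nonce_r: bytes) -> bytes:
        # The inter-zone channel is assumed to be authenticated, so the caller's
        # identity arrives as a trusted parameter; unknown callers are refused.
        if ep_id not in self._allowed:
            raise PermissionError(f"{ep_id} is not a registered enforcement point")
        psk = self._psks.get(peer_id)
        if psk is None:
            raise KeyError(f"no credential for peer {peer_id}")
        return prf(psk, nonce_i + nonce_r)


class EnforcementPoint:
    """Sits on the boundary between zone 1 and zone 2; holds only per-session keys."""

    def __init__(self, ep_id: str, server: SecurityServer):
        self.ep_id = ep_id
        self.server = server
        self.sessions: dict[str, tuple[bytes, bytes]] = {}

    def respond(self, peer_id: str, nonce_i: bytes) -> bytes:
        nonce_r = secrets.token_bytes(32)
        seed = self.server.derive_skeyseed(self.ep_id, peer_id, nonce_i, nonce_r)
        # Local portion of the service: expand the seed into directional keys.
        self.sessions[peer_id] = (prf(seed, b"peer->ep"), prf(seed, b"ep->peer"))
        return nonce_r

    def verify_inbound(self, peer_id: str, msg: bytes, tag: bytes) -> bool:
        """Per-flow integrity check, performed locally with the session key."""
        k_in, _ = self.sessions[peer_id]
        return hmac.compare_digest(prf(k_in, msg), tag)


class Peer:
    """Device in zone 1 that holds its own copy of the PSK and mirrors the derivation."""

    def __init__(self, peer_id: str, psk: bytes):
        self.peer_id = peer_id
        self._psk = psk
        self._k_out = b""

    def handshake(self, ep: EnforcementPoint) -> None:
        nonce_i = secrets.token_bytes(32)
        nonce_r = ep.respond(self.peer_id, nonce_i)
        seed = prf(self._psk, nonce_i + nonce_r)
        self._k_out = prf(seed, b"peer->ep")

    def send(self, msg: bytes) -> tuple[bytes, bytes]:
        return msg, prf(self._k_out, msg)


def demo() -> dict:
    """Two enforcement points share one security server; a third, unregistered one is refused."""
    # Constructed sample credentials, not real key material.
    psks = {"host-a": b"a" * 32, "host-b": b"b" * 32}
    server = SecurityServer(psks, enforcement_points={"ep-north", "ep-south"})
    ep_north = EnforcementPoint("ep-north", server)
    ep_south = EnforcementPoint("ep-south", server)
    rogue = EnforcementPoint("ep-rogue", server)

    Peer("host-b", psks["host-b"]).handshake(ep_south)
    peer_a = Peer("host-a", psks["host-a"])
    peer_a.handshake(ep_north)
    msg, tag = peer_a.send(b"GET /status")

    results = {
        "north_accepts_a": ep_north.verify_inbound("host-a", msg, tag),
        "north_rejects_tamper": ep_north.verify_inbound("host-a", msg + b"x", tag),
        # Shallow check that no attribute of the enforcement point is a PSK.
        "ep_attrs_contain_no_psk": not any(v in psks.values() for v in vars(ep_north).values()),
        "rogue_refused": False,
    }
    try:
        rogue.respond("host-a", secrets.token_bytes(32))
    except PermissionError:
        results["rogue_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a compromise of an enforcement point yields only the session keys it currently holds, never the long-term credentials of every peer; those stay with the server, which also becomes the single place to register or revoke an enforcement point.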
15 Claims
1. A computer-implemented method within and by a security enforcement point located between a first zone of protection and a second zone of protection, comprising:
controlling communication flows between a device in the first zone and a device in the second zone; performing a cryptographic security service on the communication flows; and offloading a portion of the cryptographic security service to a security server in a third zone of protection, wherein the third zone of protection is disposed separately from the first and second zones of protection and a higher zone of protection than the first and second zones of protection, wherein the security server is connected to a plurality of security enforcement points and the security enforcement points define the boundaries of the zones.
Dependent claims: 2, 3, 4, 5

6. A security enforcement point located between a first zone of protection and a second zone of protection, comprising:
at least one processor, wherein the at least one processor is configured to perform: controlling communication flows between a device in the first zone and a device in the second zone; performing a cryptographic security service on the communication flows; and offloading a portion of the cryptographic security service to a security server in a third zone of protection, wherein the third zone of protection is disposed separately from the first and second zones of protection and a higher zone of protection than the first and second zones of protection, wherein the security server is connected to a plurality of security enforcement points and the security enforcement points define the boundaries of the zones.
Dependent claims: 7, 8, 9, 10

11. A computer program product, comprising:
a computer usable storage device having stored therein computer-readable program code, which when executed by a computer hardware system including a security enforcement point located between a first zone of protection and a second zone of protection, causes the security enforcement point to perform: controlling communication flows between a device in the first zone and a device in the second zone; performing a cryptographic security service on the communication flows; and offloading a portion of the cryptographic security service to a security server in a third zone of protection, wherein the third zone of protection is disposed separately from the first and second zones of protection and a higher zone of protection than the first and second zones of protection, wherein the computer usable storage device is not a transitory, propagating signal per se and wherein the security server is connected to a plurality of security enforcement points and the security enforcement points define the boundaries of the zones.
Dependent claims: 12, 13, 14, 15
Specification