System for managing access to protected resources

US 9,438,559 B1
Filed: 08/30/2013
Issued: 09/06/2016
Est. Priority Date: 01/09/2003
Status: Expired due to Term

First Claim

Patent Images

1. A system for managing requests from at least one external network, the system comprising:

a firewall configured to determine one or more resources a requestor is attempting to access;

a policy repository;

one or more security policy management servers configured to;

receive an authorization request from the firewall, wherein the request comprises information about the requestor and a resource name;

retrieve, from the policy repository, a dynamically-loadable security access policy associated with the named resource, wherein the dynamically-loadable security access policy comprises one or more rules that indicate conditions under which a request to perform an action on the resource should be granted;

determine at least one attribute required by at least one of the rules of the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource;

for at least one of the attributes required by a rule of the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource, determine whether an attribute value must be requested from a remote data source;

request at least one of the attribute values required by a rule of the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource that must be requested from the remote data source;

retrieve from the remote data source the at least one of the attribute values;

evaluate the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource using the at least one of the attribute values from the remote data source; and

return an authorization decision to the firewall.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A rules evaluation engine that controls user'"'"'s security access to enterprise resources that have policies created for them. This engine allows real time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.

176 Citations

15 Claims

1. A system for managing requests from at least one external network, the system comprising:
- a firewall configured to determine one or more resources a requestor is attempting to access;
  
  a policy repository;
  
  one or more security policy management servers configured to;
  
  receive an authorization request from the firewall, wherein the request comprises information about the requestor and a resource name;
  
  retrieve, from the policy repository, a dynamically-loadable security access policy associated with the named resource, wherein the dynamically-loadable security access policy comprises one or more rules that indicate conditions under which a request to perform an action on the resource should be granted;
  
  determine at least one attribute required by at least one of the rules of the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource;
  
  for at least one of the attributes required by a rule of the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource, determine whether an attribute value must be requested from a remote data source;
  
  request at least one of the attribute values required by a rule of the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource that must be requested from the remote data source;
  
  retrieve from the remote data source the at least one of the attribute values;
  
  evaluate the dynamically-loadable security access policy retrieved from the policy repository and associated with the named resource using the at least one of the attribute values from the remote data source; and
  
  return an authorization decision to the firewall.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 14)
- - 2. The system of claim 1, wherein the dynamically-loadable security access policy determines authorization to access an internal network.
  - 3. The system of claim 1, wherein the dynamically-loadable security access policy determines authorization to access a document.
  - 4. The system of claim 1, wherein the remote data source is an LDAP directory.
  - 5. The system of claim 1, wherein the remote data source is an SQL database.
  - 6. The system of claim 1, wherein the remote data source is a human resources database.
  - 7. The system of claim 1, wherein the determination of the one or more resources by the firewall further comprises using one or more transactional headers.
  - 14. The system of claim 1 wherein said one or more security policy management servers is configured to at least one of the attributes required by a rule of the dynamically-loadable security access policy, to dynamically determine whether an attribute value must be requested from a remote data source.

8. A method to process requests from at least one external network, the method comprising:
- receiving an authorization request from a firewall configured to determine one or more resources a requestor is attempting to access, wherein the request comprises information about the requestor and a resource name;
  
  retrieving from a policy repository a dynamically-loadable security access policy associated with the named resource, wherein the dynamically-loadable security access policy comprises one or more rules that indicate conditions under which a request to perform an action on the resource should be granted;
  
  determining at least one attribute required by at least one of the rules of the dynamically-loadable security access policy retrieved from the policy repository during said retrieving and associated with the named resource;
  
  determining, for at least one of the attributes required by a rule of the dynamically-loadable security access policy retrieved from the policy repository during said retrieving and associated with the named resource, whether an attribute value must be requested from a remote data source;
  
  requesting at least one of the attribute values that must be requested from the remote data source;
  
  retrieving from the remote data source the at least one of the attribute values;
  
  evaluating, by a security policy management server, the dynamically-loadable security access policy retrieved from the policy repository during said retrieving and associated with the named resource using the at least one of the attribute values from the remote data; and
  
  returning an authorization decision to the firewall.
- View Dependent Claims (9, 10, 11, 12, 13, 15)
- - 9. The method of claim 8, wherein the dynamically-loadable security access policy determines authorization to access an internal network.
  - 10. The method of claim 8, wherein the dynamically-loadable security access policy determines authorization to access a document.
  - 11. The method of claim 8, wherein the remote data source is an LDAP directory.
  - 12. The method of claim 8, wherein the remote data source is an SQL database.
  - 13. The method of claim 8, wherein the remote data source is a human resources database.
  - 15. The method of claim 8 wherein said determining whether an attribute value must be requested comprises dynamically determining whether an attribute value must be requested.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Jericho Systems Corporation
Inventors
Roegner, Michael W.
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Holmes, Angela

Application Number

US14/014,354
Time in Patent Office

1,103 Days
Field of Search

726/1, 726/14
US Class Current

1/1
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 21/6218   to a system of files or obj...

H04L 63/02   for separating internal fro...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System for managing access to protected resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

176 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System for managing access to protected resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

176 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links