Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes

US 9,667,654 B2
Filed: 01/08/2015
Issued: 05/30/2017
Est. Priority Date: 12/02/2009
Status: Active Grant

First Claim

Patent Images

1. A non-transitory storage device containing software that, when executed by a processor, causes the processor to:

implement a data dictionary that implements an instance of a hierarchical class tree that includes a plurality of class and data objects;

receive a portion of a hierarchical class tree comprising client segments from an external system hosting a peer data dictionary instance, said received portion includes class definitions and security profile information that specifies restrictions on use of data objects identified by the received portion and wherein the machine instructions preclude the processor from accessing the data objects without the use of the web security service and without the received hierarchical class tree portion;

attach the received portion to the instance of the hierarchical class tree;

receive an access request from a web service for a data object identified by the received portion;

validate the access request form the web service using the security profile information associated with the requested data object and by performing at least three verifications;

a first verification to determine whether the web service is authorized to send the access request, a second verification to determine whether the data object requested is permitted to be requested by the web service, and a third verification to determine whether a web service intended to receive the access request is authorized to receive the access request; and

transmit the access request based on successful completion of the first, second, and third verifications.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy directed, security-centric model driven architecture is described to secure internal web services, such as those implementing service-oriented architecture (SOA), and external web services such as those hosted on a cloud computing platform. A distributed data dictionary hosted across multiple dictionary engines and operating in conjunction with web security services are used to embed security profiles in web services messages and to validate messages that contain such security profiles.

49 Citations

7 Claims

1. A non-transitory storage device containing software that, when executed by a processor, causes the processor to:
- implement a data dictionary that implements an instance of a hierarchical class tree that includes a plurality of class and data objects;
  
  receive a portion of a hierarchical class tree comprising client segments from an external system hosting a peer data dictionary instance, said received portion includes class definitions and security profile information that specifies restrictions on use of data objects identified by the received portion and wherein the machine instructions preclude the processor from accessing the data objects without the use of the web security service and without the received hierarchical class tree portion;
  
  attach the received portion to the instance of the hierarchical class tree;
  
  receive an access request from a web service for a data object identified by the received portion;
  
  validate the access request form the web service using the security profile information associated with the requested data object and by performing at least three verifications;
  
  a first verification to determine whether the web service is authorized to send the access request, a second verification to determine whether the data object requested is permitted to be requested by the web service, and a third verification to determine whether a web service intended to receive the access request is authorized to receive the access request; and
  
  transmit the access request based on successful completion of the first, second, and third verifications.
- View Dependent Claims (2, 3, 4)
- - 2. The non-transitory storage device of claim 1 wherein:
    - the hierarchical class tree includes system segments and client segments and the system segments comprise system-based security policy metadata objects and system-based enterprise business metadata objects; and
      
      the client segments comprise client-based security policy metadata objects, client-based enterprise business metadata objects, client-based security policy data objects, and the client-based enterprise business data object, the client-based security policy data objects integrated with the client-based enterprise business data object located at a terminal node of the hierarchical class tree.
  - 3. The non-transitory storage device of claim 1 wherein the software, when executed, causes the processor to attach the received portion at a boundary node that is replaced with an identity node that identifies ownership of the received portion.
  - 4. The non-transitory storage device of claim 1 wherein the hierarchical class tree comprises a plurality of nodes, some nodes being child nodes connected to parent nodes and the software, when executed, causes the processor to cause each child node to inherit the security policies of its parent node.

5. A non-transitory storage device containing software that, when executed by a processor, causes the processor to:
- implement a data dictionary that implements an instance of a hierarchical class tree that includes a plurality of class and data objects;
  
  receive a request for a targeted portion of the hierarchical class tree, the targeted portion includes an identity node that identifies the ownership of the targeted portion and class definitions and security profile information that specifies restrictions on use of data objects identified by the targeted portion;
  
  transmit the targeted portion of the hierarchical class tree;
  
  validate an incoming message from a web service requesting access to a data object to permit a web service to access the data object, the data object not being accessible unless the message is validated and the hierarchical class tree is used, the validation including at least three verifications including a first verification to determine whether the web service is authorized to receive the incoming message, a second verification to determine whether any data targeted by the message is permitted to be accessed by the web service, and a third verification to determine whether an entity that provided the message was permitted to provide the message; and
  
  upon all of the verifications being successfully performed, receive a response message and validate the response message, before it is transmitted, by performing at least three verifications including a fourth verification to determine whether the web service is authorized to transmit the response message, a fifth verification to determine whether any data included in the response message is permitted to be accessed by the web service, and a sixth verification to determine whether the entity is permitted to receive the response message; and
  
  transmit the response message to the entity based on successfully performing each of the fourth, fifth, and sixth verifications.
- View Dependent Claims (6, 7)
- - 6. The non-transitory storage device of claim 5 wherein the hierarchical class tree includes system segments and client segments:
    - wherein the system segments comprise system-based security policy metadata objects and system-based enterprise business metadata objects; and
      
      wherein the client segments comprise client-based security policy metadata objects, client-based enterprise business metadata objects, client-based security policy data objects, and the client-based enterprise business data object, the client-based security policy data objects integrated with the client-based enterprise business data object located at a terminal node of the hierarchical class tree.
  - 7. The non-transitory storage device of claim 5 wherein the hierarchical class tree comprises a plurality of nodes, some nodes being child nodes connected to parent nodes and, the software, when executed, causes the processor to cause each child node to inherit the security policies of its parent node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Metasecure Corporation
Original Assignee
Metasecure Corporation
Inventors
Engle, Steven W., Nieves, Michael J., Maida-Smith, Kathy J.
Primary Examiner(s)
Sison, June

Application Number

US14/592,154
Publication Number

US 20150128214A1
Time in Patent Office

873 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

H04L 63/0281   Proxies

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/306   User profiles

H04L 67/51   Discovery or management the...

Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links