Security model for network information service

US 9,922,181 B2
Filed: 06/22/2017
Issued: 03/20/2018
Est. Priority Date: 07/06/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

initiating processing of an object, invoked by a user having a dynamically varying credential, by a security processor comparing instructions of a plurality of objects in a processing unit of a hardware layer with information in a security map provided by a tenant;

determining that the processing of the plurality of objects is authorized by the tenant based on the security map by determining the security map includes an association between at least one of the plurality of objects and a security code and an association between the object and a geographic region;

sending a message to the tenant requesting the security code;

comparing a response from the tenant with the security code in the security map; and

allowing the processing of the object based on results of the determining that the processing of the plurality of objects is authorized by the tenant.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing information security in a network environment are disclosed. The method includes initiating processing, invoked by a user, of at least one of a plurality of objects in a processing unit of a hardware layer, wherein the plurality of objects is hosted for a tenant. The method further includes determining that the processing of the at least one of the plurality of objects by the processing unit is authorized by the tenant based on a security map provided by the tenant and accessible by the processing unit within the hardware layer. The method further includes allowing the processing of the object based on a result of the determining.

44 Citations

20 Claims

1. A method, comprising:
- initiating processing of an object, invoked by a user having a dynamically varying credential, by a security processor comparing instructions of a plurality of objects in a processing unit of a hardware layer with information in a security map provided by a tenant;
  
  determining that the processing of the plurality of objects is authorized by the tenant based on the security map by determining the security map includes an association between at least one of the plurality of objects and a security code and an association between the object and a geographic region;
  
  sending a message to the tenant requesting the security code;
  
  comparing a response from the tenant with the security code in the security map; and
  
  allowing the processing of the object based on results of the determining that the processing of the plurality of objects is authorized by the tenant.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the determining that the processing of the plurality of objects is authorized by the tenant comprises determining that the at least one of the plurality of objects is identified in the security map.
  - 3. The method of claim 1, wherein the determining that the processing of the plurality of objects is authorized by the tenant comprises determining that the security map includes an association between the at least one of the plurality of objects and the credential of the user.
  - 4. The method of claim 1, wherein the plurality of objects is hosted by the tenant that provided the dynamically varying credential to the user.
  - 5. The method of claim 1, wherein the determining that the processing of the plurality of objects is authorized by the tenant is performed at more than one step of an instruction cycle.
  - 6. The method of claim 1, wherein the initiating processing of an object comprises initiating an instruction cycle by the processing unit comprising a fetch, a decode, and an execute.
  - 7. The method of claim 1, wherein invoking the initiating processing of an object includes compiling the object into a machine language.
  - 8. The method of claim 1, wherein the steps of claim 1 are at least one of created, maintained, deployed and supported by a service provider.
  - 9. The method of claim 1, wherein steps of claim 1 are provided by a service provider on a subscription, advertising, and/or fee basis.

10. A system for providing an information service to a tenant comprising:
- a security processor comprising an external communication interface; and
  
  a computer-readable memory storing a security map of a tenant and accessible by the security processor,wherein the security processor is configured to;
  
  access the security map;
  
  receive authorization by the tenant for access to the security map by a user;
  
  send a message to the tenant requesting a security code via the external communication interface;
  
  compare a response received from the tenant with the security code in the security map;
  
  determine that the security map includes an association between an object and the security code; and
  
  determine whether the security map includes an association between an object and a geographic region.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The system of claim 10, wherein the security processor is configured to determine whether the object is identified in the security map.
  - 12. The system of claim 10, wherein the security processor is configured to determine whether the security map includes an association between an object and a credential of the user.
  - 13. The system of claim 10, further comprising the security processor is configured to determine that processing of the object is authorized by the tenant based on the security map.
  - 14. The system of claim 13, wherein the security processor is configured to determine whether processing of the object is authorized by the tenant occurs at more than one step of an instruction cycle.
  - 15. The system of claim 10, wherein the security processor and the computer-readable memory are located at a hardware layer.
  - 16. The system of claim 10, further comprising:
    - a service layer comprising a plurality of services, wherein a first of the plurality of services is hosted for a first tenant of the plurality of tenants;
      
      a hardware layer comprising;
      
      a central processing unit (CPU);
      
      the security processor having the external communication interface; and
      
      the computer-readable memory addressable by the security processor;
      
      wherein the external communication interface is configured to;
      
      receive the security map from the tenant via the external communication interface; and
      
      store the security map in the computer-readable memory.
  - 17. The system of claim 16, wherein the security map associates an object of the tenant with a credential of the user.
  - 18. The system of claim 17, wherein the credentials of the user dynamically vary and are provided by the tenant, and the security code dynamically varies and corresponds to a part of an object.
  - 19. The system of claim 18, wherein the security processor is configured to:
    - determine whether a response received from the tenant via the external communication interface matches the security code in the security map; and
      
      halt execution of the object.

20. A computer program product comprising a computer readable storage medium having readable program code embodied in the storage medium, the computer program product being operable to:
- provide access to one or more objects stored within a library by receiving dynamically varying security codes corresponding to the one or more objects, at a hardware layer;
  
  determine that a processing of the one or more objects is authorized by an owner of the one or more objects based on a security map provided by the owner by determining that the security map includes an association between the one or more objects and the security codes and an association between the one or more objects and a geographic region;
  
  sending a message to the owner requesting the security codes; and
  
  comparing a response from the owner to the security codes in the security map.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Jain, Bhushan P., Patil, Sandeep R., Ramanathan, Sri, Sivakumar, Gandhi, Trevathan, Matthew B., Wijayakumaran, Wijayaratnam
Primary Examiner(s)
Okeke, Izunna

Application Number

US15/630,248
Publication Number

US 20170286652A1
Time in Patent Office

271 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31 User authentication

Security model for network information service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Security model for network information service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others