System and methods for context-aware and situation-aware secure, policy-based access control for computing devices
First Claim
1. A context-aware policy-based access control system having at least one policy decision point for secure adjudication of access requests from a requesting client to protected resources on computing devices, the adjudication being completely hidden from the requesting client, the system comprising:
a set of policy rules stored in a memory that describe allowable actions with all associated conditions, parameters, and contextual information for said policy rules;
an agent coupled to the memory for intercepting the access request from the requesting client and for collecting all conditions and parameters necessary for adjudication as required by the policy rules;
an incoming information interface for securely receiving external contextual information as required by the policy rules and for storing said external contextual information in at least one policy information point each having a local memory;
a connecting interface for connecting policy information points to each other and to the policy decision point, each policy information point having an analytic processing engine for computing inferred information from the information stored in said policy information point, whereby the analytic processing engine further includes one or more analytical processors, one or more calibrators for calibrating internal variables against reference or baseline standards, and one or more data type and format conversions;
an encrypted back-channel coupling the agent and the policy decision point for communicating the access request including all conditions and parameters to the policy decision point thereby hiding the adjudication process from the requesting client; and
at least one policy enforcement point for enforcing adjudicated decisions;
whereby the policy decision point applies the set of policy rules for adjudicating access to the protected resources in accordance with the policy rules for permitted operations on the resources.
1 Assignment
0 Petitions
Abstract
A system and methods for context-aware and situation-aware secure, policy-based access control for computing devices. The invention enhances the previously disclosed policy-based control system by adding contextual information to the set of resources by which a policy decision point can adjudicate a query to execute a transaction or to access a secure resource. Policy information points are able to store information collected over time related to resources under the control of the system. The system can further include an analytical processing engine capable of inferring new information from existing information that also can be used by the decision points. The policy information points provide context to the decision. They are also able to consider and include information that is external to the system or detected outside the system itself.
121 Citations
10 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for context-aware policy-based access control for securely adjudicating access requests from a requesting client to protected resources on computing devices, the adjudication being completely hidden from the requesting client, comprising the steps of:
storing policy rules in a memory describing allowable actions and all associated conditions, parameters, and contextual information;
intercepting the access request from the requesting client at the agent;
receiving secure contextual information from external sources at policy information points;
storing said contextual information at the policy information points, each policy information point having an analytic processing engine for computing inferred information from the information stored in said policy information point, whereby the analytic processing engine further includes one or more analytical processors, one or more calibrators for calibrating internal variables against reference or baseline standards, and one or more data type and format conversions;
connecting the policy information points to at least one policy decision point;
transmitting the access request and all associated conditions and parameters as required by the policy rules to the at least one policy decision point via the encrypted back-channel;
transmitting the contextual information from the policy information points to the policy decision points as required by the policy rules;
adjudicating the access request in accordance with the policy rules for permitted operations on the protected resource by evaluating the policy rules at the at least one policy decision point using contextual information from the policy information points; and
enforcing the adjudicated decision by at least one policy enforcement point.
Dependent claims: 9, 10.
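The architecture of claim 1 and the steps of claim 8, modelled as an added Python example (not code from the patent): an agent intercepts a request and forwards it over an authenticated channel standing in for the encrypted back-channel, the PDP evaluates rules using context from a PIP whose calibrator measures a new observation against its stored baseline, and the PEP hands the client only permit or deny. The rule set, attribute names, sample history and the HMAC channel are assumptions.

```python
import hmac, hashlib, json, statistics
from dataclasses import dataclass, field

# Constructed shared key; the HMAC-tagged message stands in for the encrypted back-channel.
CHANNEL_KEY = b"constructed-shared-key"

@dataclass
class PolicyInformationPoint:
    """Stores contextual observations over time and infers deviation from baseline."""
    history: dict = field(default_factory=dict)

    def ingest(self, attr, value):
        self.history.setdefault(attr, []).append(value)

    def deviation(self, attr, value):
        # Calibrator: distance of a new value from the stored baseline, in standard deviations.
        hist = self.history.get(attr, [])
        if len(hist) < 2:
            return 0.0  # no baseline yet, so nothing can be inferred
        spread = statistics.pstdev(hist) or 1.0
        return abs(value - statistics.mean(hist)) / spread

# Assumed policy rules: (action, resource prefix, condition over request attributes and PIP context)
RULES = [
    ("read", "/payroll", lambda a, pip: a.get("role") == "finance" and "login_hour" in a
                                        and pip.deviation("login_hour", a["login_hour"]) < 2.0),
    ("read", "/public", lambda a, pip: True),
]

def agent_intercept(request):
    """Agent: collects the conditions and parameters and tags them for the back-channel."""
    body = json.dumps(request, sort_keys=True).encode()
    tag = hmac.new(CHANNEL_KEY, body, hashlib.sha256).hexdigest()
    return body, tag

def pdp_adjudicate(body, tag, pip):
    """PDP: authenticates the message, then applies the rules using PIP context."""
    expected = hmac.new(CHANNEL_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampered or unauthenticated request never reaches the rules
    attrs = json.loads(body)
    return any(attrs["action"] == act and attrs["resource"].startswith(res) and cond(attrs, pip)
               for act, res, cond in RULES)

def pep_enforce(request, pip):
    """PEP: the requesting client sees only the enforced outcome, never the adjudication."""
    body, tag = agent_intercept(request)
    return "permit" if pdp_adjudicate(body, tag, pip) else "deny"
```

With a login-hour history of 9, 9, 10, 9, 10, 9 a finance user reading payroll at hour 9 is permitted, while the same user at hour 3 is denied because the inferred deviation exceeds the rule's threshold.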