Policy Management of Multiple Security Domains

US 20130283338A1
Filed: 04/24/2012
Published: 10/24/2013
Est. Priority Date: 04/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method, in a data processing system, for centralized policy management of multiple security domains in accordance with an illustrative embodiment, the method comprising:

receiving an access request at a policy enforcement point component in the data processing system, wherein the policy enforcement point component is managed by a plurality of security domains;

querying, by the policy enforcement point component, a policy broker component in the data processing system;

determining, by the policy broker component, an access decision that complies with policies of the plurality of security domains; and

returning, by the policy broker component, the access decision to the policy enforcement point component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism is provided in a data processing system for centralized policy management of multiple security domains in accordance with an illustrative embodiment. A policy enforcement point component in the data processing system receives an access request. The policy enforcement point component is managed by a plurality of security domains. The policy enforcement point component queries a policy broker component in the data processing system. The policy broker component determines an access decision that complies with policies of the plurality of security domains. It does so by orchestrating a workflow that involves the policy decision, administration, and information components of those domains. The policy broker component returns the access decision to the policy enforcement point component.

16 Citations

View as Search Results

20 Claims

1. A method, in a data processing system, for centralized policy management of multiple security domains in accordance with an illustrative embodiment, the method comprising:
- receiving an access request at a policy enforcement point component in the data processing system, wherein the policy enforcement point component is managed by a plurality of security domains;
  
  querying, by the policy enforcement point component, a policy broker component in the data processing system;
  
  determining, by the policy broker component, an access decision that complies with policies of the plurality of security domains; and
  
  returning, by the policy broker component, the access decision to the policy enforcement point component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining an access decision comprises:
    - determining, by the policy broker component, whether a policy decision point component is co-located on the data processing system;
      
      responsive to determining a policy decision point component is co-located on the data processing system, receiving an access decision from the policy decision point component; and
      
      responsive to determining a policy decision point component is not co-located on the data processing system, determining a reconciled access decision,
  - 3. The method of claim 2, wherein determining an access decision further comprises:
    - responsive to determining a policy decision point component is co-located on the data processing system, selecting the policy decision point component, wherein the selected policy decision point component makes the access decision.
  - 4. The method of claim 3, wherein the selected policy decision point component registers with a policy administration point component of every other security domain within the plurality of security domains.
  - 5. The method of claim 4, wherein the policy information point components of all other security domain within the plurality of security domains register with the selected policy decision point component.
  - 6. The method of claim 2, wherein determining an access decision further comprises:
    - responsive to determining a policy decision point component is not co-located. on the data processing system, sending queries to policy decision point components of the plurality of security domains;
      
      receiving independent access decisions from the policy decision point components of the plurality of security domains; and
      
      determining a reconciled access decision based on the independent access decisions.
  - 7. The method of claim 6, wherein determining the reconciled access decision comprises:
    - running a reconciliation algorithm on the independent access decisions to form the reconciled access decision,
  - 8. The method of claim 7, wherein the reconciliation algorithm is a consensus algorithm or a majority algorithm.

9. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a computing device, causes the computing device to:
- receive an access request at a policy enforcement point component in the computing device, wherein the policy enforcement point component is managed by a plurality of security domains;
  
  query, by the policy enforcement point component, a policy broker component in the data processing system;
  
  determine, by the policy broker component, an access decision that complies with policies of the plurality of security domains; and
  
  return, by the policy broker component, the access decision to the policy enforcement point component.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9, wherein determining an access decision comprises:
    - determining, by the policy broker component, whether a policy decision point component is co-located on the computing device;
      
      responsive to determining a policy decision point component is co-located on the computing device, receiving an access decision from the policy decision point component; and
      
      responsive to determining a policy decision point component is not co-located on the computing device, determining a reconciled access decision.
  - 11. The computer program product of claim 10, wherein determining an access decision further comprises:
    - responsive to determining a policy decision point component is co-located on the computing device, selecting the policy decision point component, wherein the selected policy decision point component makes the access decision.
  - 12. The computer program product of claim 11, wherein the selected policy decision point component registers with a policy administration point component of every other security domain within the plurality of security domains.
  - 13. The computer program product of claim 12, wherein the policy information point components of all other security domain within the plurality of security domains register with the selected policy decision point component.
  - 14. The computer program product of claim 10, wherein determining an access decision further comprises:
    - responsive to determining a policy decision point component is not co-located on the computing device, sending queries to policy decision point components of the plurality of security domains;
      
      receiving independent access decisions from the policy decision point components of the plurality of security domains; and
      
      determining a reconciled access decision based on the independent access decisions.
  - 15. The computer program product of claim 14, wherein determining the reconciled access decision comprises:
    - running a reconciliation algorithm on the independent access decisions to form the reconciled access decision.
  - 16. The computer program product of claim 15, wherein the reconciliation algorithm is a consensus algorithm or a majority algorithm.

17. A data processing system, comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor, cause the processor to;
  
  receiving an access request at a policy enforcement point component in the data processing system, wherein the policy enforcement point component is managed by a plurality of security domains;
  
  querying, by the policy enforcement point component, a policy broker component in the data processing system;
  
  determining, by the policy broker component, an access decision that complies with policies of the plurality of security domains; and
  
  returning, by the policy broker component, the access decision to the policy enforcement point component.
- View Dependent Claims (18, 19, 20)
- - 18. The data processing system of claim 17, wherein determining an access decision comprises:
    - determining, by the policy broker component, whether a policy decision point component is co-located on the data processing system;
      
      responsive to determining a policy decision point component is co-located on the data processing system, receiving an access decision from the policy decision point component; and
      
      responsive to determining a policy decision point component is not co-located on the data processing system, determining a reconciled access decision.
  - 19. The data processing system of claim 18, wherein determining an access decision further comprises:
    - responsive to determining a policy decision point component is co-located on the data processing system, selecting the policy decision point component, wherein the selected policy decision point component makes the access decision.
  - 20. The data processing system of claim 18, wherein determining an access decision further comprises:
    - responsive to determining a policy decision point component is not co-located on the data processing system, sending queries to policy decision point components of the plurality of security domains;
      
      receiving independent access decisions from the policy decision point components of the plurality of security domains; and
      
      determining a reconciled access decision based on the independent access decisions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kumar, Apurva, Mukherjea, Sougata, Ramakrishna, Venkatraman

Granted Patent

US 9,054,971 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/20   for managing network securi...

Policy Management of Multiple Security Domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy Management of Multiple Security Domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links