Automated security analysis for federated relationship

US 8,713,688 B2
Filed: 03/24/2010
Issued: 04/29/2014
Est. Priority Date: 03/24/2010
Status: Active Grant

First Claim

Patent Images

1. At a computer system, the computer system including a processor, the computer system connection to a Wide Area Network (WAN) along with a first organization and a second organization, the first organization including a first gateway that separates a domain network for the first organization from the Wide Area Network (WAN), the second organization including a second gateway that separates a domain network for the second organization from the Wide Area Network (WAN), a method for configuring data sharing between the first organization and the second organization to perform a collaborative function, the method comprising:

comparing a first access policy organization for the first organization to a second access policy for the second organization;

determining the first access policy and the second access policy have one or more common security access definitions;

determining the first access policy and the second access policy have one or more differing security access definitions, at least one differing security access definition indicating a more restrictive data access policy for the first organization relative to the second organization, at least one other differing security access definition indicating a different more restrictive data access policy for the second organization relative to the first organization;

creating a federation data access policy, the federation data access policy representing the one or more common security access definitions;

the processor creating a separate shared repository on the Wide Area Network (WAN) for sharing data related to the collaborative function between the first organization and the second organization, the shared repository created to conform to the federation access policy;

the processor configuring the shared repository to;

take in data related to the collaborative function from the second organization for sharing with the first organization in accordance with the federation data access policy; and

take in data related to the collaborative function from the first organization for sharing with the second organization in accordance with federation data access policy;

the processor configuring an input filter between the first organization and the shared repository to limit what data related to the collaborative function can be sent from the first organization into the shared repository, the input filter compensating for the more restrictive data access policy for the first organization;

the processor configuring a second input filter between the second organization and the shared repository, the second input filter configured to limit what data related to the collaborative function can be sent from the second organization into the shared repository by removing at least one item from the data from the second organization so as to modify the data from the second organization to conform to the second access policy, the second input filter compensating for the different more restrictive data access policy for the second organization; and

the processor permitting users from both the first organization and the second organization to access data related to the collaborative function from the shared repository.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure collaboration mechanism between two organizations may be created based on a set of security system definitions provided by a receiving organization to a providing organization. The providing organization may create a shared portal that has a federated access between both organizations and has access and other security functions. The data collection process may be automated using digitally signed forms or other documents to analyze the security practices of the receiving organization and create a shared portal that has increased or decreased security provisions compared to the providing organization'"'"'s standard procedures. The collaboration mechanism may be implemented in a bilateral arrangement, a hub and spoke arrangement, and a multilateral arrangement.

12 Citations

View as Search Results

19 Claims

1. At a computer system, the computer system including a processor, the computer system connection to a Wide Area Network (WAN) along with a first organization and a second organization, the first organization including a first gateway that separates a domain network for the first organization from the Wide Area Network (WAN), the second organization including a second gateway that separates a domain network for the second organization from the Wide Area Network (WAN), a method for configuring data sharing between the first organization and the second organization to perform a collaborative function, the method comprising:
- comparing a first access policy organization for the first organization to a second access policy for the second organization;
  
  determining the first access policy and the second access policy have one or more common security access definitions;
  
  determining the first access policy and the second access policy have one or more differing security access definitions, at least one differing security access definition indicating a more restrictive data access policy for the first organization relative to the second organization, at least one other differing security access definition indicating a different more restrictive data access policy for the second organization relative to the first organization;
  
  creating a federation data access policy, the federation data access policy representing the one or more common security access definitions;
  
  the processor creating a separate shared repository on the Wide Area Network (WAN) for sharing data related to the collaborative function between the first organization and the second organization, the shared repository created to conform to the federation access policy;
  
  the processor configuring the shared repository to;
  
  take in data related to the collaborative function from the second organization for sharing with the first organization in accordance with the federation data access policy; and
  
  take in data related to the collaborative function from the first organization for sharing with the second organization in accordance with federation data access policy;
  
  the processor configuring an input filter between the first organization and the shared repository to limit what data related to the collaborative function can be sent from the first organization into the shared repository, the input filter compensating for the more restrictive data access policy for the first organization;
  
  the processor configuring a second input filter between the second organization and the shared repository, the second input filter configured to limit what data related to the collaborative function can be sent from the second organization into the shared repository by removing at least one item from the data from the second organization so as to modify the data from the second organization to conform to the second access policy, the second input filter compensating for the different more restrictive data access policy for the second organization; and
  
  the processor permitting users from both the first organization and the second organization to access data related to the collaborative function from the shared repository.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
    - the processor configuring an output filter between the first organization and the shared repository to limit what data related to the collaborative function can be sent from the shared repository to the first organization, the output filter compensating for at least one of the one or more differing security access definitions.
  - 3. The method of claim 1, further comprising:
    - configuring an output filter between the second organization and the shared repository to limit what data related to the collaborative function can be sent from the shared repository to the second organization, the output filter compensating for at least another of the one or more differing security access definitions.
  - 4. The method of claim 3, the output filter:
    - allowing a user from the second organization to view a portion of data from the first organization; and
      
      preventing the user from the second organization from copying the portion of data through the second gateway into the network domain for the second organization.
  - 5. The method of claim 1 further comprising:
    - receiving a request from the first organization for a first portion of data created in the second organization the first portion of data having a digital rights management mechanism;
      
      transmitting the portion of data into the network domain for the first organization;
      
      receiving a digital rights management request for the first portion of data from the network domain for the first organization;
      
      transmitting the digital rights management request to the network domain for the second organization;
      
      receiving a digital rights management response from the network domain for the second organization; and
      
      transmitting the digital rights management response to the network domain for the first organization.

6. A system for configuring data sharing between a provider domain and a recipient domain to perform collaborative function, the system comprising:
- a processor;
  
  system memory;
  
  a network connection to a first domain, the first domain having a provider gateway between the first domain and Wide Area Network (WAN);
  
  a network connection to a second domain, the second domain having a recipient gateway between the second domain and the Wide Area Network (WAN);
  
  a security gathering mechanism that receives security descriptors from the recipient domain and from the provider domain;
  
  a security analyzer that;
  
  analyzes the security descriptors from the recipient domain and from the provider domain to;
  
  determine that the security descriptors from the first domain and the security descriptors from the second domain have one or more common security descriptors; and
  
  determine that the security descriptors from the first domain and the security descriptors from the second domain have one or more differing security descriptors, at least one different security descriptor indicating a more restrictive data access policy for the first domain relative to the second domain, at least one other differing security access definition indicating a different more restrictive data access policy for the second domain relative to the first domain; and
  
  creates a federation data access policy, the federation data access policy representing the one or more common security descriptors; and
  
  a repository engine that;
  
  creates a separate shared repository on the Wide Area Network (WAN) for sharing data related to the collaborative function between the first domain and the second domain, the shared repository being;
  
  accessible from the first domain and from the second domain, configures the shared repository to take in data related to the collaborative function from the provider domain for sharing with the recipient domain in accordance with federation data access policy;
  
  configures an input filter between the provider organization first domain and the shared repository to limit what data related to the collaborative function can be sent from the first organization into the shared repository, the input filter compensating for the more restrictive data access policy for the first domain;
  
  configures a second input filter between the second organization and the shared repository, the second input filter configured to limit what data related to the collaborative function can be sent from the second organization into the shared repository by removing at least one item from the data from the second organization so as to modify the data from the second organization to conform to the second access policy, the second input filter compensating for the different more restrictive data access policy for the second organization; and
  
  permits users from both the first domain and the second domain to access data related to the collaborative function from the shared repository.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 18, 19)
- - 7. The system of claim 6, the security gathering mechanism receiving a digitally signed document comprising the security descriptors from the second domain.
  - 8. The system of claim 7, the digitally signed document being generated from a digital form transmitted from the first domain to the second domain.
  - 9. The system of claim 6, the security gathering mechanism receiving a digitally signed document comprising the security descriptors from the first domain.
  - 10. The system of claim 6, the repository engine further creating an output filter between the shared repository and the second domain, the output filter being configured to restrict what data related to the collaborative function can be sent from the shared repository to the second organization, the output filter compensating for at least one of the one more of differing security descriptors.
  - 11. The system of claim 6, wherein the security descriptors indicate compliance with a predefined security standard.
  - 12. The system of claim 6 further comprising:
    - a network connection to a third domain, the third domain having a gateway between the third domain and the Wide Area Network (WAN); and
      
      the repository engine making the shared repository additionally accessible from the third domain in accordance with the federation data access policy so as to share at least a portion of data related to the collaborative function with users in the third domain.
  - 18. The system of claim 6, wherein the repository engine configuring an output filter comprises the repository engine configuring an output filter to:
    - allow a user from the second organization to view a portion of data from the first organization; and
      
      prevent the user from the second organization from copying the portion of data through the second gateway into the network domain for the second organization.
  - 19. The system of claim 6, wherein the repository engine configuring a second input filter comprises the repository engine configuring the second input filter to remove at least one item from the data.

13. A computer-program product for use at computer system, the computer system connection to a Wide Area Network (WAN) along with a first organization and a second organization, the first organization including a first gateway that separates a domain network for the first organization from the Wide Area Network (WAN), the second organization including a second gateway that separates a domain network for the second organization from the Wide Area Network (WAN), the computer program product for implementing a method for configuring data sharing between the first organization and the second organization to perform a collaborative function, the computer program product comprising one or more computer storage devices having stored thereon computer-executable instructions that, when executed by a processor, cause the computer system to perform the method, including the following:
- compare a first access policy organization for the first organization to a second access policy for the second organization;
  
  determine the first access policy and the second access policy have one or more common security access definitions;
  
  determine the first access policy and the second access policy have one or more differing security access definitions, at least one differing security access definition indicating a more restrictive data access policy for the first organization relative to the second organization, at least one other differing security access definition indicating a different more restrictive data access policy for the second organization relative to the first organization;
  
  create a federation data access policy, the federation data access policy representing the one or more common security access definitions;
  
  create a separate shared repository on the Wide Area Network (WAN) for sharing data related to the collaborative function between the first organization and the second organization, the shared repository created to conform to the federation access policy;
  
  configure the shared repository to;
  
  take in data related to the collaborative function from the second organization for sharing with the first organization in accordance with the federation data access policy; and
  
  take in data related to the collaborative function from the first organization for sharing with the second organization in accordance with federation data access policy;
  
  configure an input filter on the Wide Area Network (WAN) between the first organization and the shared repository to limit what data related to the collaborative function can be sent from the first organization into the shared repository, the input filter compensating for the more restrictive data access policy for the first organization;
  
  configure a second input filter on the Wide Area Network (WAN) between the second organization and the shared repository to limit what data related to the collaborative function can be sent from the second organization into the shared repository by removing at least one item from the data from the second organization so as to modify the data from the second organization to conform to the second access policy, the second input filter compensating for the different more restrictive data access policy for the second organization; and
  
  permit users from both the first organization and the second organization to access data related to the collaborative function from the shared repository.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer-program product of claim 13, further comprising computer-executable instructions that, when executed, cause the computer system to configure an output filter between the first organization and the shared repository to limit what data related to the collaborative function can be sent from the shared repository to the first organization, the output filter compensating for at least one of the one or more differing security access definitions.
  - 15. The computer-program product of claim 13, further comprising computer-executable instructions that, when executed, cause the computer system to configure an output filter between the second organization and the shared repository to limit what data related to the collaborative function can be sent from the shared repository to the second organization, the output filter compensating for at least another of the one or more differing security access definitions.
  - 16. The computer-program product of claim 13, wherein computer-executable instructions that, when executed, cause the computer system to configure an output filter comprise computer-executable instructions that, when executed, cause the computer system to configure an output filter to:
    - allow a user from the second organization to view a portion of data from the first organization; and
      
      prevent the user from the second organization from copying the portion of data through the second gateway into the network domain for the second organization.
  - 17. The computer-program product of claim 13, wherein computer-executable instructions that, when executed, cause the computer system to configure a second input filter comprise wherein computer-executable instructions that, when executed, cause the computer system to configure a second input filter to remove at least one item from the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wahl, Mark, Weinert, Alex, Stradling, Phil, Penarczyk, Matthew, Wittenberg, Craig, Shute, Dave
Primary Examiner(s)
Kim, Tae
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US12/731,133
Publication Number

US 20110239269A1
Time in Patent Office

1,497 Days
Field of Search

726/1, 726/26, 713/152, 713/166
US Class Current

726/26
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Automated security analysis for federated relationship

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Automated security analysis for federated relationship

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links