
US6209101: Adaptive security system having a hierarchy of security servers

Filing Information

Inventor(s) Terrance Mitchem · Michael R. Carney · Brian J. Loe
Assignee(s) Secure Computing Corporation
Attorney/Agent(s) Schwegman, Lundberg, Woessner & Kluth, P.A.
Primary Examiner Tod R. Swann
Assistant Examiner Ronald F. Sulpizio, Jr.
Application Number US9118537
Filing date 07/17/1998
Issue date 03/27/2001
Predicted expiration date 07/17/2018
U.S. Classifications 713/200 · 713/151 · 713/164 · 713/201
International Classifications --
Kind Code B1
International Classifications 713200 · 713201 · 713164 · 713151
27 Claims, 5 Drawings


Abstract

An adaptive security system having a hierarchy of security servers. The security system maintains a primary security server for each task or process executing within a computing environment. An enforcement mechanism receives resource requests from the tasks and queries the corresponding primary security server which resolves the request based on a set of security associations. If the primary security server is unable to resolve the request, the enforcement mechanism queries a parent security server. Security servers are dynamically created and terminated in response to changing organizational policies. The present invention facilitates the dynamic creation and termination of security servers to adapt to organizational policy changes.

Independent Claims

  1. A security system for controlling access to a plurality of resources within a computing environment comprising: a plurality of security servers, wherein each security server includes a set of security associations; and an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers.
  6. A security system for controlling access to a plurality of resources within a computing environment comprising: a plurality of security servers, wherein each security server includes a set of security associations; and an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers, wherein the enforcement mechanism includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, wherein the enforcement mechanism queries a primary security server identified in the task control block of the corresponding task, wherein each primary security server is a task executing within the computing environment, wherein the task control block of each primary security server identifies a parent security server for resolving resource requests that the primary security server is unable to resolve, wherein each security server includes a data structure defining an execution period, wherein the kernel creates a security server based on a command from one of the tasks in the computing environment, and further wherein the kernel sets the parent security server of the created security server to the primary security server of the commanding task.
  7. A security system for controlling access to a plurality of resources within a computing environment comprising: a plurality of security servers, wherein each security server includes a set of security associations; and an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers, wherein the enforcement mechanism includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, wherein the enforcement mechanism queries a primary security server identified in the task control block of the corresponding task, wherein each primary security server is a task executing within the computing environment, wherein the task control block of each primary security server identifies a parent security server for resolving resource requests that the primary security server is unable to resolve, wherein each security server includes a data structure defining an execution period, wherein the kernel terminates a security server by identifying the tasks that have the terminated security server as a primary security server, and further wherein the kernel sets the primary security server of each identified task to the parent security server of the terminated security server.
  9. A security system for controlling access to a plurality of resources within a computing environment comprising: a plurality of security servers, wherein each security server includes a set of security associations; and an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers, wherein the enforcement mechanism includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, wherein the enforcement mechanism queries a primary security server identified in the task control block of the corresponding task, and wherein the operating system kernel includes a cache containing policy queries previously resolved by the security servers.
  11. A security system for controlling access to a plurality of resources within a computing environment comprising: a plurality of security servers, wherein each security server includes a set of security associations; and an enforcement mechanism communicatively coupled to the plurality of security servers, wherein the enforcement mechanism enforces a request to access one of the plurality of resources by querying one of the security servers, wherein the enforcement mechanism includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, wherein the enforcement mechanism queries a primary security server identified in the task control block of the corresponding task, and wherein each security association maps the requesting task and the requested resources to a response that is selected from the set of (i) access granted, (ii) access denied and (iii) security fault.
  14. A method for controlling access to a plurality of resources in a computing environment comprising the steps of: receiving a user request to access one of the resources of the computing environment; querying at least one of a plurality of security servers to resolve the resource request based on a set of security associations; and enforcing the request as a function of a response from the queried security server.
  17. A method for controlling access to a plurality of resources in a computing environment that includes an operating system kernel having a task control block for each of a plurality of tasks executing in the computing environment, comprising the steps of: receiving a user request to access one of the resources of the computing environment; querying at least one of a plurality of security servers to resolve the resource request based on a set of security associations, wherein each security server is a task executing within the computing environment, wherein the querying step includes the steps of: examining the task control block to determine a primary security server for a task requesting one of the resources; querying the primary security server to resolve the resource request; and when the primary security server is unable to resolve the resource request, identifying a parent security server identified in the task control block of the primary security server; and querying the parent security server to resolve the resource request; enforcing the request as a function of a response from the queried security server; creating a security server upon receiving a first command from one of the tasks; and terminating a security server upon receiving a second command from one of the tasks.
  23. A method for controlling access to a plurality of resources in a computing environment comprising the steps of: receiving a user request to access one of the resources of the computing environment; querying at least one of a plurality of security servers to resolve the resource request based on a set of security associations, wherein the querying step includes the step of selecting the response from the set of: (i) access granted, (ii) access denied and (iii) security fault; and enforcing the request as a function of a response from the queried security server.
  26. A computer-readable medium encoded with a software program for processing user requests for resources in a computing environment, the software program executing the steps of: creating a hierarchy of security servers, wherein each user is assigned a primary security server; and enforcing each of a plurality of user requests by querying the corresponding primary security server to resolve the resource request based on a set of security associations.
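
The lookup, creation and termination behaviour described in claims 6, 7, 9 and 17, as a small Python model added here for illustration (it is not code from the patent or its assignee). The class and method names, the task and resource names in `demo()`, the fail-closed default when no server resolves a request, and the cache flush on termination are all assumptions of this sketch.

```python
from enum import Enum

class Response(Enum):                      # the three responses named in claims 11 and 23
    GRANTED = "access granted"
    DENIED = "access denied"
    FAULT = "security fault"

class SecurityServer:
    def __init__(self, name, parent=None, associations=None):
        self.name, self.parent = name, parent
        self.associations = dict(associations or {})   # (task, resource) -> Response

class Kernel:
    """Enforcement mechanism: task control blocks, decision cache, server lifecycle."""
    def __init__(self, root):
        self.root, self.tcb, self.cache = root, {}, {}  # tcb: task -> primary server

    def spawn(self, task, primary=None):
        self.tcb[task] = primary or self.root

    def create_server(self, commanding_task, name, associations):
        # Claim 6: the new server's parent is the commanding task's primary server.
        return SecurityServer(name, self.tcb[commanding_task], associations)

    def terminate_server(self, server):
        # Claim 7: tasks whose primary was the terminated server move to its parent.
        for task, primary in self.tcb.items():
            if primary is server:
                self.tcb[task] = server.parent
        self.cache.clear()   # assumption: cached answers from the dead server are stale

    def check(self, task, resource):
        key = (task, resource)
        if key in self.cache:                # claim 9: previously resolved queries
            return self.cache[key]
        server = self.tcb[task]
        while server is not None:            # primary first, then each parent in turn
            if key in server.associations:
                self.cache[key] = server.associations[key]
                return self.cache[key]
            server = server.parent
        return Response.DENIED               # assumption: unresolved at the root fails closed

def demo():
    # Constructed policy: the root denies one file; a project server grants one directory.
    root = SecurityServer("root", None, {("editor", "/etc/passwd"): Response.DENIED})
    k = Kernel(root)
    k.spawn("admin")
    proj = k.create_server("admin", "project", {("editor", "/srv/project"): Response.GRANTED})
    k.spawn("editor", proj)
    before = [k.check("editor", "/srv/project"), k.check("editor", "/etc/passwd")]
    k.terminate_server(proj)
    return before + [k.check("editor", "/srv/project")]
```

Without the cache flush in `terminate_server`, the last check in `demo()` would return the stale grant issued by the terminated server, which is the main design caveat when a kernel-side decision cache sits in front of dynamically removed policy servers.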

References Cited

U.S. Patent Documents

Document Number | Assignees | Inventors | Issue/Pub Date
US5758077* | Hewlett-Packard Company | Danahy et al. | May 1998
US5761380* | International Business Machines Corporation | Lewis et al. | Jun 1998
US5764887* | International Business Machines Corporation | Kells et al. | Jun 1998
US5784612* | International Business Machines Corporation | Crane et al. | Jul 1998
* cited by examiner

Patent Family

The current document is not in a family.