
US7308702: Locally adaptable central security management in a heterogeneous network environment


Filing Information

Inventor(s): Daniel Jay Thomsen, Richard O'Brien, Jessica Bogle, Charles Payne
Assignee(s): Secure Computing Corporation
Attorney/Agent(s): Schwegman, Lundberg & Woessner, P.A.
Primary Examiner: Kambiz Zand
Assistant Examiner: Michael J Simitoski
Application Number: US9483164
Filing date: 01/14/2000
Issue date: 12/11/2007
Predicted expiration date: 01/14/2020
U.S. Classifications: 726/1, 707/9, 726/6
International Classifications: G06F 15/16, G06F 17/00, G06F 17/30, G06F 7/00, H04K 1/00, H04L 9/00
Kind Code: B1
34 Claims, 16 Drawings


Abstract

A system and method for defining and enforcing a security policy. Security mechanism application specific information for each security mechanism is encapsulated as a key and exported to a semantic layer. Keys are combined to form key chains within the semantic layer. The key chains are in turn encapsulated as keys and passed to another semantic layer. A security policy is defined by forming key chains from keys and associating users with the key chains. The security policy is translated and exported to the security mechanisms. The security policy is then enforced via the security mechanisms.

Independent Claims (6 of 34)

Claim 1. In a system having a computer and one or more security mechanisms, a computer-implemented method of defining and enforcing a security policy, the method comprising: encapsulating security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism using an application layer; combining keys to form key chains; encapsulating key chains as keys and passing the key chain keys to another semantic layer; defining the security policy, wherein defining includes forming key chains from keys and associating users with key chains; importing a key from the semantic layer to a local policy layer; executing, within a computer, translation software, wherein the translation software translates the security policy and exports the translated security policy to the security mechanisms; and enforcing the security policy via the security mechanisms.

Claim 7. A computer-based security system for a computer network, the computer-based security system comprising: a computer; a plurality of security mechanisms; a plurality of semantic layers within a model implemented on the computer network, wherein the two or more of the semantic layers include keys combinable into key chains, the key chains are able to be encapsulated as key chain keys, and the key chain keys are exportable to another semantic layer, wherein the model also includes an application layer to encapsulate a security mechanism into a key and a local policy layer to associate a user to a key wherein each key encapsulates security mechanism application specific information for a security mechanism; a user interface for defining a security policy as a function of keys received from a lower semantic layer; and a translator, implemented on the computer, for translating the security policy to the security mechanisms.

Claim 12. A computer-based security system for a computer network, the computer-based security system comprising: a computer; a model implemented on the computer network, the model comprising semantic layers for defining different security policies and constraints for each type of user, wherein the model comprises a static application policy layer, two or more semantic policy layers, and a dynamic local policy layer; a tool for manipulating the model, wherein the tool is configured to: encapsulate security mechanism application specific information for each security mechanism, wherein encapsulating includes forming a key for each security mechanism; combine keys to form key chains; encapsulate key chains as key chain keys within two or more semantic layers; pass the key chain keys to other semantic layers; form user key chains from the key chain keys; and associate users with the user key chains; and a translator, implemented on the computer, for translating security policies from the model to security mechanisms in one or more computer resources.

Claim 14. A computer-implemented method of defining a security policy, the method comprising: defining an application policy layer and a plurality of semantic policy layers, including a first semantic policy layer and a second semantic layer; encapsulating a set of access rights for a computer resource as a key; combining keys to form one or more key chains within the application policy layer; executing software within a computer to export key chains in the application policy layer as a key; importing at least one key from the application policy layer into the first semantic policy layer; combining one or more keys in the first semantic policy layer to form a key chain; exporting key chains in the first semantic policy layer as keys; importing at least one key into the second semantic policy layer; combining one or more keys in the second semantic policy layer to form a key chain; exporting key chains in the second semantic policy layer as keys; importing at least one key from the second semantic policy layer to a local policy layer; combining one or more keys in the local policy layer to form one or more local policy key chains; and assigning users to local policy key chains in the local policy layer.

Claim 23. A computer-implemented method of defining a security policy, the method comprising: defining an application policy layer and a semantic policy layer; encapsulating a set of access rights for a computer resource as a key; combining keys to form one or more key chains within the application policy layer; executing software within a computer to export key chains in the application policy layer as a key; importing at least one key from the application policy layer into the semantic policy layer; combining one or more keys in the semantic policy layer to form a key chain; exporting key chains in the semantic policy layer as keys; importing at least one key from the semantic policy layer to a local policy layer; combining one or more keys in the local policy layer to form one or more local policy key chains; and assigning users to local policy key chains in the local policy layer.

Claim 33. A computer-implemented method of modifying a security policy, the method comprising: defining an application policy layer and a semantic policy layer; encapsulating a set of access rights for a computer resource as a key; combining keys to form one or more key chains within the application policy layer; executing software within a computer to export key chains in the application policy layer as a key; importing at least one key from the application policy layer into the semantic policy layer; combining one or more keys in the semantic policy layer to form a key chain; exporting key chains in the semantic policy layer as keys; importing at least one key from the semantic policy layer to a local policy layer; combining one or more keys in the local policy layer to form one or more local policy key chains; assigning users to local policy key chains in the local policy layer; constructing a role hierarchy by sorting the key chains into a partial ordering based on set containment; displaying the partial ordering as a role hierarchy graph; and adding and deleting keys from the role hierarchy graph.
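The claims describe keys (sets of access rights) that are combined into key chains, re-encapsulated as keys for the next layer up, assigned to users at the local policy layer, and, in claim 33, sorted into a role hierarchy by set containment. The following toy model is an added illustration, not code from the patent or from Secure Computing; the mechanisms (a database and a host firewall), right names, layer contents and user assignments are all constructed for the example.

```python
from itertools import permutations

def make_key(name, rights):
    """A key encapsulates a set of access rights for one resource (claim 14)."""
    return name, frozenset(rights)

def export_chain(name, chain):
    """Encapsulate a key chain (an iterable of keys) as one key whose rights
    are the union of its members, so the next layer can import it."""
    return name, frozenset().union(*(rights for _, rights in chain))

# Application policy layer: constructed keys for two hypothetical mechanisms
# (a database and a host firewall); the right names are placeholders.
APP = dict([
    make_key("db.read", {"db:select"}),
    make_key("db.write", {"db:insert", "db:update"}),
    make_key("fw.web", {"fw:tcp/443"}),
    make_key("fw.db", {"fw:tcp/5432"}),
])

def build_local_layer(app):
    """Application keys -> semantic key chains -> local policy key chains."""
    sem = dict([
        export_chain("reporting", [("db.read", app["db.read"]), ("fw.db", app["fw.db"])]),
        export_chain("editing", [("db.write", app["db.write"]), ("fw.db", app["fw.db"])]),
        export_chain("web", [("fw.web", app["fw.web"])]),
    ])
    return dict([
        export_chain("analyst", [("reporting", sem["reporting"])]),
        export_chain("webmaster", [("web", sem["web"])]),
        export_chain("dba", [("reporting", sem["reporting"]), ("editing", sem["editing"])]),
        export_chain("admin", [(n, sem[n]) for n in ("reporting", "editing", "web")]),
    ])

def role_hierarchy(chains):
    """Claim 33: order the key chains by set containment and keep only the
    covering edges (child, parent), i.e. the Hasse diagram of the role graph."""
    edges = set()
    for a, b in permutations(chains, 2):
        if chains[a] < chains[b] and not any(
                chains[a] < chains[c] < chains[b] for c in chains):
            edges.add((a, b))
    return sorted(edges)

def translate(chains, users):
    """Flatten each user's local key chain to the rights the mechanisms enforce."""
    return {u: sorted(chains[r]) for u, r in users.items()}
```

Because the role graph is derived from containment rather than declared by hand, adding a right to a lower-layer key changes every chain that imports it, which is what lets a reviewer spot an unintended privilege inheritance before the policy is translated out to the mechanisms.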

References Cited

U.S. Patent Documents

Document Number | Assignees | Inventors | Issue/Pub Date
US5335346* International Business Machines Corporation Fabbio Aug 1994
US5745687* Hewlett-Packard Co Randell Apr 1998
US5826239 Hewlett-Packard Company Du et al. Oct 1998
US6035399* Hewlett-Packard Company Klemba et al. Mar 2000
US6088679* The United States of America as represented by the Secretary of Commerce Barkley Jul 2000
US6324647* Bowman-Amuah Nov 2001
US6357010* Secure Computing Corporation Viets et al. Mar 2002

Foreign Patent Documents

Document Number | Assignees | Inventors | Issue/Pub Date
EP0854431 International Business Machines Corporation Jul 1998
* cited by examiner

Other Publications

Olivier, Martin S. "Specifying Application-level Security in Workflow Systems", IEEE, Aug. 1998.*
Samarati, Pierangela, and Ravi S. Sandhu. "Access Control: Principles and Practice", Sep. 1994.*
Awischus, Roland. "Role Based Access Control with the Security Administration Manager (SAM)", ACM, 1997.*
Sandhu, Ravi, Venkata Bhamidipati, and Qamar Munawer. "The ARBAC97 Model for Role-Based Administration of Roles", Feb. 1999.*
Black, Stewart, and Vijay Varadharajan. "A Multilevel Security Model for a Distributed Object-Oriented System", IEEE, 1990.*
Gligor, Virgil. "Characteristics of Role-Based Access Control", 1996.*
Greenwald, Steven J. "A New Security Policy for Distributed Resource Management and Access Control", ACM, 1996.*
Lupu, Emil, Morris Sloman, and Nicholas Yialelis. "Role-Based Security for Distributed Object Systems", IEEE, 1996.*
Moffett, Jonathan D., and Morris S. Sloman. "Policy Hierarchies for Distributed Systems Management", IEEE Journal on Selected Areas in Communications, vol. 11, no. 9, Dec. 1993.*
Munawer, Qamar, and Ravi Sandhu. "The RRA97 Model for Role-Based Administration of Role Hierarchies", Dec. 1998.*
Nyanchama, Matunda, et al. "The Role Graph Model and Conflict of Interest", ACM Transactions on Information and System Security, vol. 2, no. 1, pp. 3-33, Feb. 1999.*
Chang, S. K., et al. "A Visual Language for Authorization Modeling", IEEE, pp. 110-118, Sep. 1997.
Payne, C., et al. "Napoleon: A Recipe for Workflow", Proceedings of the 15th Annual Computer Security Applications Conference, pp. 1-9, Dec. 1999.
Thomsen, D., et al. "Napoleon Network Application Policy Environment", Proceedings of the 4th ACM Workshop on Role-Based Access Control, XP002163998, pp. 145-152, Oct. 1999.
Thomsen, D., et al. "Role Based Access Control Frameworks for Network Enterprises", 14th Annual Computer Security Applications Conference, pp. 1-9, Dec. 1998.
Varadharajan, V., et al. "Issues in the Design of Secure Authorization Service for Distributed Applications", IEEE, Sydney, Australia, pp. 874-879, Nov. 1998.
* cited by examiner

Referenced By

Document Number | Assignee | Inventors | Issue/Pub Date
US7512810 Guardian Data Storage LLC Nicholas M. Ryan Mar 2009
US7577838 Alain Rossmann Aug 2009
US7565683 Weiqing Huang et al. Jul 2009
US7555558 Michael Frederick Kenrich et al. Jun 2009
US7631184 Nicholas Ryan Dec 2009
US7562232 Patrick Zuili et al. Jul 2009
US7478418 Guardian Data Storage, LLC Senthilvasan Supramaniam et al. Jan 2009
US7581011 Oracle International Corporation Joan C. Teng Aug 2009
US7885847 SAP AG Dirk Wodtke et al. Feb 2011
US7890990 Klimenty Vainstein et al. Feb 2011
US7913311 Rossmann Alain et al. Mar 2011
US7673047 Oracle International Corporation Shawn P. Delany et al. Mar 2010
US7681034 Chang-Ping Lee et al. Mar 2010
US7703140 Guardian Data Storage, LLC Satyajit Nath et al. Apr 2010
US7707427 Michael Frederick Kenrich et al. Apr 2010
US7711818 Oracle International Corporation Chi-Cheng Lee et al. May 2010
US7730543 Satyajit Nath Jun 2010
US7729995 Rossmann Alain et al. Jun 2010
US7748045 Michael Frederick Kenrich et al. Jun 2010
US7765291 Ultimus, Inc. Rashid N. Khan et al. Jul 2010
USRE41546 Klimenty Vainstein Aug 2010
US7802174 Oracle International Corporation Joan C. Teng et al. Sep 2010
US7836310 Yevgeniy Gutnik Nov 2010
US7840658 Oracle International Corporation Richard P. Sinn Nov 2010
US7921288 Hal S. Hildebrand Apr 2011
US7921284 Gary Mark Kinghorn et al. Apr 2011
US7921450 Klimenty Vainstein et al. Apr 2011
US7930756 Steven Toye Crocker et al. Apr 2011
US7937655 Oracle International Corporation Joan C. Teng et al. May 2011
US7950066 Guardian Data Storage, LLC Patrick Zuili May 2011
US8015600 Oracle International Corporation Richard P. Sinn et al. Sep 2011
US8006280 Hal S. Hildebrand et al. Aug 2011
US8065713 Klimenty Vainstein et al. Nov 2011
US8181222 McAfee, Inc. Daniel Jay Thomsen et al. May 2012
US8176334 Guardian Data Storage, LLC Klimenty Vainstein May 2012
US8266674 Guardian Data Storage, LLC Weiqing Huang et al. Sep 2012
US8301896 Guardian Data Storage, LLC Michael Frederick Kenrich et al. Oct 2012
US8307067 Guardian Data Storage, LLC Nicholas M. Ryan Nov 2012
US8327138 Guardian Data Storage LLC Satyajit Nath et al. Dec 2012
US8417682 --
US8140691 International Business Machines Corporation Sandra L. Kogan et al. Mar 2012
US8543827 --
US8423394 --
US8458337 --
US8572404 --
US8478715 --
US8484714 --
US8601049 --
US8613102 --
US8640195 --
US8649399 --
US8707034 --
US8756191 --
US8887241 --

Patent Family

The current document is not in a family.