(12) United States Patent
Moriconi et al.

(10) Patent No.: US 7,318,237 B2
(45) Date of Patent: *Jan. 8, 2008

(54) SYSTEM AND METHOD FOR MAINTAINING SECURITY IN A DISTRIBUTED COMPUTER NETWORK

(75) Inventors: Mark Moriconi, Atherton, CA (US), et al.

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 11/171,404
(22) Filed: Jun. 30, 2005

(65) Prior Publication Data: US 2005/0257247 A1, Nov. 17, 2005

Related U.S. Application Data
(63) Continuation of application No. 09/767,610, filed on Jan. 22, 2001, now Pat. No. 6,941,472, which is a continuation of application No. 09/721,557, filed on Nov. 22, 2000, which is a continuation of application No. 09/248,788, filed on Feb. 12, 1999, now Pat. No. 6,158,010.
(60) Provisional application No. 60/105,963, filed on Oct. 28, 1998.

(51) Int. Cl.: H04L 9/00 (2006.01)
(52) U.S. Cl.: 726/27; 726/1; 709/223
(58) Field of Classification Search: 726/27. See application file for complete search history.

(57) ABSTRACT

A system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. In the preferred embodiment, a global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages authorization requests to the securable components as specified by the local client policy.

21 Claims, 14 Drawing Sheets

(Representative drawing, FIG. 4: policy manager 210 with management station 212, distributor 214, logger 216 and DBMS 218 holding the audit log 220, optimized policy 222, enterprise policy 224 and administrative policy 226; on the client side the application guard with its client audit log 450 and local client policy 318.)
U.S. Patent, Jan. 8, 2008, Sheet 1 of 14, US 7,318,237 B2

FIG. 1 (Sheet 1 of 14), block diagram of the computing environment: a server 112 (CPU 118, ROM 120, RAM 122, non-volatile memory 124, input device 126, display) and a client 116 (CPU 132, non-volatile memory 138, input device 140, display 142), the two joined by element 114.

FIG. 2 (Sheet 2 of 14), server non-volatile memory 124 holding the policy manager 210: management station 212, distributor 214, logger 216 and DBMS 218; the DBMS stores the audit log 220, optimized policy 222, enterprise policy 224, administrative policy 226 and local administrative policy 228.

FIG. 3 (Sheet 3 of 14), client non-volatile memory 138 holding the application guard 310: application 312, authorization library 314, authorization engine 316 and local client policy 318.

FIG. 4 (Sheet 4 of 14), the policy manager 210 in detail: management station 212 with GUI 410 and management services 412 (navigation 414, search 416, distribution 418, edit 420, query 422, log viewer 424, application guard 426), a communication interface and parser/type checker, and a DB layer 430 reaching the DBMS 218 through ODBC 432; the DBMS holds the enterprise policy 224, administrative policy 226, audit log 220 and optimized policy 222; the logger 216 comprises message processing 456 and a communication interface 452; the distributor 214 comprises an optimizer 436, a differ 438 and a communication interface 442; on the client side are the client audit log 450 and the local client policy 318.

FIG. 5 (Sheet 5 of 14), the application guard 310 in detail: the application 312 calls the application guard interface 512 of the authorization library 314; the authorization engine 316 comprises an evaluator, a parser/type checker 514, an audit component 516, plug-ins 522 and a communication interface 520 that talks to the server distributor 214 and server logger 216; the engine reads the local client policy 318.

FIG. 6 (Sheet 6 of 14), the policy loader 610: a parser/type checker feeding a DB layer 616 that writes the enterprise policy 224.

FIG. 7 (Sheet 7 of 14), "Configure system" flowchart: start; install policy manager on server (710); enter policy rules (712), either through the policy loader (716, then run policy loader 718) or by editing the policy (714); install application guards (720).

FIG. 8 (Sheet 8 of 14), "Manage policy" flowchart: start; login to policy manager (810); choose mode, administrative or enterprise (812); navigate tree (814); analyze policy (816); edit policy (818); distribute policy (820); view audit log (822); exit (824); end.

FIG. 9 (Sheet 9 of 14), "Navigate tree" flowchart: start; add/delete/modify global users (910), global roles (912), directories (914), local roles (916), local users (918), applications (920), application guards (922) and declarations (924); exit (926); end.

FIG. 10 (Sheet 10 of 14), "Analyze policy": search rules (1010); query policy (1012).

FIG. 11 (Sheet 11 of 14), "Edit policy" flowchart: add/delete/modify rulesets (1110), access (1112), privilege (1114), objects (1116), user/role (1118) and one further add/delete/modify step (label illegible on the sheet); exit.

FIG. 12 (Sheet 12 of 14), "Distribute policy" flowchart: start; optimize policy (distributor, 1210); compute differences (distributor, 1212); publish policy (distributor, 1214); commit policy (distributor, 1216); receive policy (application guard, 1218); merge new policy (application guard, 1220); activate policy (application guard, 1222); end.

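The distribution procedure of FIG. 12 above, walked through in code. This is an added illustration, not code from the patent or from any product of its assignee: the rule encoding, the `version` and `base_version` fields, the SHA-256 digest on the published message and every function and class name are assumptions of the example. It goes beyond the flowchart in one respect a practitioner would want: the guard refuses a delta whose base version does not match the policy it currently has active, so a lost, reordered or replayed update is never merged silently, and the active policy is swapped only after the merge has fully succeeded.

```python
import copy
import hashlib
import json

# Constructed enterprise (global) policy: each rule names the application
# guard that must enforce it. Encoding is an assumption of this example.
ENTERPRISE_POLICY = {
    "version": 7,
    "rules": [
        {"id": "r1", "guard": "orders-app", "grant": "read", "object": "Order", "role": "clerk"},
        {"id": "r2", "guard": "orders-app", "grant": "approve", "object": "Order", "role": "manager"},
        {"id": "r3", "guard": "hr-app", "grant": "read", "object": "Payroll", "role": "hr"},
    ],
}


def optimize(policy, guard_name):
    """Step 1210: the optimizer keeps only the rules one guard needs."""
    rules = {r["id"]: r for r in policy["rules"] if r["guard"] == guard_name}
    return {"version": policy["version"], "rules": rules}


def compute_differences(old_opt, new_opt):
    """Step 1212: the differ expresses the new optimized policy as a delta
    against the last one committed for this guard."""
    old, new = old_opt["rules"], new_opt["rules"]
    return {
        "base_version": old_opt["version"],
        "version": new_opt["version"],
        "add": [new[k] for k in new if old.get(k) != new[k]],   # new or changed
        "remove": [k for k in old if k not in new],
    }


def publish(delta):
    """Step 1214: serialize the delta with a digest the guard can verify."""
    body = json.dumps(delta, sort_keys=True).encode()
    return {"body": body, "sha256": hashlib.sha256(body).hexdigest()}


class ApplicationGuard:
    """Guard side: receive (1218) -> merge (1220) -> activate (1222).
    The active local client policy is replaced only after a successful merge."""

    def __init__(self, name, initial_opt):
        self.name = name
        self.active = initial_opt

    def receive(self, message):
        if hashlib.sha256(message["body"]).hexdigest() != message["sha256"]:
            raise ValueError("policy message failed integrity check")
        return json.loads(message["body"])

    def merge(self, delta):
        # Assumed check: a delta applies only to the version it was cut against.
        if delta["base_version"] != self.active["version"]:
            raise ValueError(f"delta is against version {delta['base_version']}, "
                             f"guard has {self.active['version']}")
        staged = copy.deepcopy(self.active)
        for rid in delta["remove"]:
            staged["rules"].pop(rid, None)
        for rule in delta["add"]:
            staged["rules"][rule["id"]] = rule
        staged["version"] = delta["version"]
        return staged

    def activate(self, staged):
        self.active = staged
        return self.active["version"]


def distribute(enterprise, guards, committed):
    """One distribution round; `committed` holds the last optimized policy the
    server committed (1216) for each guard and is updated in place."""
    for guard in guards:
        new_opt = optimize(enterprise, guard.name)
        message = publish(compute_differences(committed[guard.name], new_opt))
        committed[guard.name] = new_opt
        guard.activate(guard.merge(guard.receive(message)))
    return committed


def demo():
    """Push an updated enterprise policy to one guard, then replay the stale
    delta; returns the values the test checks."""
    initial = optimize(ENTERPRISE_POLICY, "orders-app")
    guard = ApplicationGuard("orders-app", copy.deepcopy(initial))
    committed = {"orders-app": initial}
    # Constructed update: r1 withdrawn, r2 narrowed to a new role, r4 added.
    updated = copy.deepcopy(ENTERPRISE_POLICY)
    updated["version"] = 8
    updated["rules"] = [r for r in updated["rules"] if r["id"] != "r1"]
    updated["rules"][0]["role"] = "senior-manager"          # this is r2
    updated["rules"].append({"id": "r4", "guard": "orders-app", "grant": "cancel",
                             "object": "Order", "role": "clerk"})
    stale = compute_differences(initial, optimize(updated, "orders-app"))
    distribute(updated, [guard], committed)
    try:
        guard.merge(stale)                 # base version 7 no longer matches
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"version": guard.active["version"],
            "rule_ids": sorted(guard.active["rules"]),
            "r2_role": guard.active["rules"]["r2"]["role"],
            "replay_rejected": replay_rejected}
```

The digest only detects corruption in transit; in a real deployment the published message would also be authenticated (for instance signed by the distributor) so that a guard cannot be fed a policy by anyone other than the policy manager.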
FIG. 13 (Sheet 13 of 14), "Client access authorization" flowchart: start; construct and issue authorization request (1310); evaluate authorization request (1312); record request in audit log (1314); if an error occurred (1316), deny access (1318); otherwise, if granted (1320), allow access (1322), else deny access (1324).

FIG. 14 (Sheet 14 of 14), "Evaluate authorization request" flowchart: search grant rules (1420); if a matching rule is found, evaluate its constraints (1424); if they evaluate to true (1426), allow access (1428); otherwise deny access (1418).

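The client access authorization and evaluation procedures of FIGS. 13 and 14 above, and the application guard behaviour the Summary describes later on this page, as one added example. It is not the patent's code: the `Request` fields, the grant-rule and constraint encoding, the operator table and the names `AuthorizationEngine`, `evaluate_request` and `evaluate_constraints` are assumptions of the example. The constructed local client policy includes one deliberately malformed rule so that the error branch of FIG. 13 is exercised: any failure during evaluation is recorded in the client audit log and mapped to a denial, never to a grant.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """Authorization request built by the application (FIG. 13, step 1310)."""
    user: str
    roles: frozenset
    privilege: str          # operation requested, e.g. "approve"
    obj: str                # securable component, e.g. "Order"
    context: dict = field(default_factory=dict)  # attributes constraints may test


# Constraint operators the evaluator understands; anything else is an error.
OPERATORS = {
    "==": lambda a, b: a == b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "in": lambda a, b: a in b,
}

# Constructed local client policy for one guard: grant rules whose constraints
# are (context attribute, operator, value) triples. Encoding is assumed.
LOCAL_CLIENT_POLICY = [
    {"id": "g1", "role": "clerk", "privilege": "read", "object": "Order",
     "constraints": []},
    {"id": "g2", "role": "manager", "privilege": "approve", "object": "Order",
     "constraints": [("amount", "<=", 10000), ("hour", ">=", 8), ("hour", "<=", 18)]},
    {"id": "g3", "role": "auditor", "privilege": "read", "object": "Order",
     "constraints": [("region", "in", ("EU", "UK"))]},
    # Deliberately malformed (unknown operator) to exercise the error branch.
    {"id": "g4", "role": "manager", "privilege": "export", "object": "Order",
     "constraints": [("amount", "<>", 0)]},
]


def search_grant_rules(policy, req):
    """FIG. 14, step 1420: grant rules whose role, privilege and object match."""
    return [r for r in policy
            if r["privilege"] == req.privilege and r["object"] == req.obj
            and r["role"] in req.roles]


def evaluate_constraints(rule, req):
    """FIG. 14, step 1424: True only if every constraint holds.
    Raises rather than guessing when a constraint cannot be evaluated."""
    for key, op, value in rule["constraints"]:
        if op not in OPERATORS:
            raise ValueError(f"rule {rule['id']}: unknown operator {op!r}")
        if key not in req.context:
            raise KeyError(f"rule {rule['id']}: request lacks attribute {key!r}")
        if not OPERATORS[op](req.context[key], value):
            return False
    return True


def evaluate_request(policy, req):
    """FIG. 14: access is granted iff some matching grant rule's constraints hold."""
    return any(evaluate_constraints(r, req) for r in search_grant_rules(policy, req))


class AuthorizationEngine:
    """Client-side engine of the application guard, with its client audit log."""

    def __init__(self, policy):
        self.policy = policy
        self.audit_log = []          # one entry per request, granted or not

    def authorize(self, req):
        """FIG. 13, steps 1312-1324: evaluate, record, deny on error."""
        try:
            granted, error = evaluate_request(self.policy, req), None
        except (ValueError, KeyError, TypeError) as exc:
            granted, error = False, repr(exc)     # fail closed
        self.audit_log.append({"user": req.user, "privilege": req.privilege,
                               "object": req.obj, "granted": granted,
                               "error": error})
        return granted


def demo():
    """Run constructed requests through one engine; returns what the test checks."""
    engine = AuthorizationEngine(LOCAL_CLIENT_POLICY)
    mgr = frozenset({"manager"})
    results = {
        "approve_ok": engine.authorize(Request("ann", mgr, "approve", "Order",
                                               {"amount": 5000, "hour": 10})),
        "approve_too_large": engine.authorize(Request("ann", mgr, "approve", "Order",
                                                      {"amount": 50000, "hour": 10})),
        "approve_after_hours": engine.authorize(Request("ann", mgr, "approve", "Order",
                                                        {"amount": 5000, "hour": 22})),
        "auditor_eu": engine.authorize(Request("bob", frozenset({"auditor"}), "read",
                                               "Order", {"region": "EU"})),
        "auditor_us": engine.authorize(Request("bob", frozenset({"auditor"}), "read",
                                               "Order", {"region": "US"})),
        "clerk_approve": engine.authorize(Request("cat", frozenset({"clerk"}), "approve",
                                                  "Order", {"amount": 1, "hour": 10})),
        "malformed_rule": engine.authorize(Request("ann", mgr, "export", "Order",
                                                   {"amount": 1})),
        "missing_attribute": engine.authorize(Request("ann", mgr, "approve", "Order",
                                                      {"amount": 5000})),
    }
    results["audit_entries"] = len(engine.audit_log)
    results["errors_logged"] = sum(1 for e in engine.audit_log if e["error"])
    return results
```

Note that an unevaluable rule aborts the whole evaluation rather than being skipped: if it were skipped, a typo in one rule could silently change which other rules decide the outcome, and the audit log would show a clean grant or denial with no trace of the defect.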
SYSTEM AND METHOD FOR MAINTAINING SECURITY IN A DISTRIBUTED COMPUTER NETWORK

CLAIM OF PRIORITY AND CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 09/767,610, filed Jan. 22, 2001, entitled "SYSTEM AND METHOD FOR MAINTAINING SECURITY IN A DISTRIBUTED COMPUTER NETWORK", now U.S. Pat. No. 6,941,472, issued Sep. 6, 2005, which is a continuation of U.S. application Ser. No. 09/721,557, filed Nov. 22, 2000, entitled "SYSTEM AND METHOD FOR MAINTAINING SECURITY IN A DISTRIBUTED COMPUTER NETWORK", which is a continuation of U.S. application Ser. No. 09/248,788, filed Feb. 12, 1999, now U.S. Pat. No. 6,158,010, issued Dec. 5, 2000, entitled "SYSTEM AND METHOD FOR MAINTAINING SECURITY IN A DISTRIBUTED COMPUTER NETWORK", which claims the benefit of U.S. Provisional Application No. 60/105,963, filed Oct. 28, 1998, entitled "SYSTEM AND METHOD FOR MAINTAINING SECURITY IN A DISTRIBUTED COMPUTER NETWORK", each of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer security systems, and relates more particularly to a system and method for managing and enforcing complex security requirements in a distributed computer network.

2. Description of the Background Art

Computer security issues have become more complex with the continual evolution of contemporary computer systems. As corporations utilize increasingly distributed and open computing environments, the security requirements of an enterprise typically grow accordingly. The complexity of employee, customer and partner access to critical information assets, while assuring proper security, has proven to be a major hurdle. For example, many organizations deploy applications that allow their external business partners, as well as their own internal employees, to access sensitive information resources within the enterprise. In the absence of adequate security measures, an enterprise may thus be subject to the risk of decreased security and confidentiality.

While most organizations focus their security concerns on protecting the internal network from the outside world, it is estimated that 80-90% of all corporate security breaches come from within an organization (source: Aberdeen Group, September 1997). This further underscores the need to specify and enforce an access control security policy within the enterprise network.

In today's complex business environment, specifying, stating, implementing and managing an enterprise access control policy may be both difficult and inefficient. When corporate data and applications revolved around a mainframe model, the problem of defining and managing access to corporate applications was relatively straightforward. Today, the complexity of business methods, as well as the complexity of distributed application architectures, may force companies to resort to manual, ineffective or highly custom approaches to access control in their attempts to implement the business process.

To secure a complex and distributed computer system, the system may typically employ a combination of encryption, authentication, and authorization technologies. Encryption is a means of sending information between participants in a manner that prevents other parties from reading the information. Authentication is a process of verifying a party's identity. Authorization is a technique for determining what actions a participant is allowed to perform.

Encryption and authentication are well understood and have led to effective network security products, whereas authorization technology is not as well developed, and is often inadequate for many enterprises. The security approach of most companies today is to focus on the authentication of users to ensure that those users are part of the organization or members of a select group. Authentication can be accomplished with a number of different approaches, from simple password or challenge-response mechanisms to smart cards and biometric devices such as a fingerprint reader. Once users are authenticated, however, there is still a significant problem in managing and enforcing their set of privileges, which may be unique and vary widely between users. The same authentication mechanism can be used for every user, but different authorization mechanisms must be developed for most applications. Therefore, reliable and efficient access control is a much more difficult problem facing enterprises today.

Authentication mechanisms often work together with some sort of access control facility that can protect information resources from unauthorized users. Examples of network security products include firewalls, digital certificates, virtual private networks, and single sign-on systems. Some of these products provide limited support for resource-level authorization. For example, a firewall can screen access requests to an application or a database, but does not provide object-level authorization within an application or database. Single Sign-On (SSO) products, for example, maintain a list of resources an authenticated user can access by managing the login process to many different applications. However, firewalls, SSO and other related products are very limited in their ability to implement a sophisticated security policy characteristic of many of today's enterprises. They are limited to attempting to manage access at a login, or "launch level", which is an all-or-nothing approach that inherently cannot implement a business-level policy.

A real-world security policy within a large enterprise is a detailed and dynamic knowledge base specific to that organization. The authorization privileges are specific to the constantly evolving set of users, applications, partners, and global policies that the enterprise puts in place to protect its key information resources. A security policy within a large enterprise can consist of tens or hundreds of thousands of individual rules that cover which users are authorized to access particular applications, perform various operations, or manage the delegation and transfer of tasks. Many of these policy rules that implement the business practice of the organization have to be hard coded within custom-built applications or stored in the database.

The key problem is that these policy rules are localized, scattered throughout the organization, and embedded in applications and databases. Such embedding is expensive and error-prone, and militates against efficient policy updates. An organization cannot effectively implement and manage the resulting policy. Inconsistencies arise and updates can quickly become unmanageable. Policy queries and analysis from a global perspective are nearly impossible. The resulting policy begins to diverge from the intended business practices of the organization. Compromises are made in the policy implementation at the department level, and auditors can quickly become frustrated.

The increasing security risks associated with the proliferation of distributed computing, including Intranet and Extranet applications, are prompting many organizations to explore a broad range of security solutions for controlling access to their important information assets. Although organizations have a number of solutions to choose from for authenticating users (determining and verifying who is attempting to gain access to the network or individual applications), there is little choice when it comes to controlling what users can do and when they can do it to the extent necessary to implement the kinds of complex security policies required by modern organizations. Organizations have been forced to choose between custom authorization solutions that are costly, error-prone, and difficult to manage, or third-party solutions that are very limited in their ability to control access to information across applications and databases.

A real-world security policy within a large organization is a detailed and dynamic knowledge base that determines which users are authorized to access particular applications, perform various operations or manage the delegation and transfer of tasks, as well as when and under what circumstances they are permitted to do so. Authorization privileges depend upon a constantly evolving set of users, applications, partners, and business policies that comprise the enterprise security policy. A typical enterprise environment consists of several thousand users, hundreds of applications, and a myriad of network resources, resulting in a security policy that can consist of tens or hundreds of thousands of interrelated policy rules.

Typically, organizations attempt to control access to the internals of in-house applications through policy rules that are hard-coded in the application or through stored procedure statements in the database. But as the number of applications and databases grows, this patchwork approach to authorization quickly gets out of hand. First, organizations must incur the costly and time-consuming overhead of developing customized security code for each application. But more importantly, once the code is developed and embedded in an application, the embedded policy rules become impossible to track, difficult to update, and nearly impossible to manage because they are scattered throughout the organization.

With an estimated 80 percent of all security breaches coming from authorized users (source: Forrester Research), advanced policy features and enforcement mechanisms are needed to control access to sensitive information assets. To implement an enterprise policy, organizations need a centralized policy and a powerful way to specify policy rules to give them adequate access control security. At the same time, they need a distributed authorization infrastructure to provide authorization services to all applications with performance and scalability for modern distributed network environments.

Therefore, for the foregoing reasons, an improved system and method are needed to protect the distributed networks of enterprises against unauthorized access to their valuable information assets by managing and enforcing the complex security policy requirements of the organization.

SUMMARY OF THE INVENTION

In accordance with the present invention, a system and method are disclosed to manage and enforce complex security requirements for a computer system in a distributed computer network.

It is therefore an object of the present invention to provide an access control system that can manage individual transactions by users around well-defined, detailed objects within an application. It is also an object of the present invention to provide a policy manager that enables the creation, modification, querying, and analysis of an enterprise access-control policy, as well as the configuration and monitoring of integrated audit logs, while delivering the performance and scalability required to meet the demands of any enterprise. It is a further object of the present invention to provide a system that combines a centrally managed policy database with distributed authorization (access control) services that enforce the policy for all applications across the organization.

It is also an object of this invention to provide a system that works in conjunction with any authentication system, including digital certificates and smartcards, and obviates the need for single sign-on systems by letting organizations set detailed, dynamic rules for exactly who can access which applications, databases, and other network objects. It is a still further object of this invention to provide a robust security policy and authorization service that can be implemented in very heterogeneous environments, across all applications and databases within the organization, thereby completely eliminating the need for embedded, custom security code within applications, and making it possible to centrally manage and administer a consistent, robust security policy for all applications, databases, and network resources. Furthermore, organizations would no longer have to rely on authorization mechanisms provided by packaged or web application vendors that do not integrate with in-house or other third-party products.

In the preferred embodiment, the system comprises a policy manager located on a server for managing and distributing a local client policy based on a global security policy, and an application guard located on a client, or on a server associated with one or more clients, for managing access to securable components as specified by the local client policy. The global policy specifies access privileges of the user to securable components. The policy manager may then distribute a local client policy based on the global policy to the client or server. An application guard located on the client or server then manages authorization requests to the securable components as specified by the local client policy. Each authorization request may be recorded in an audit log to keep track of the authorization requests, whether they were granted or denied, and other useful information.

The system and method of the present invention support centralized management and distributed authorization. A central policy server stores and manages the policy rules in a centrally administered database. A powerful graphical user interface is used to create, manage, and customize the elements of a policy. Security rules can be specified by both novice and expert users. A dedicated authorization service is associated with one or more applications. The central policy server automatically distributes (over the netw