Methods and apparatus for facilitating security in a network

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S152000, C713S153000, C713S167000

Reexamination Certificate

active

06807636

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates to a method and apparatus for facilitating security in a network and, more particularly, embodiments of the present invention relate to methods, means, apparatus, and computer program code for facilitating security requests associated with applications and responded to by security services in a network.
BACKGROUND OF THE INVENTION
Many organizations face the problem of automating and streamlining software applications in order to increase revenues and profits, improve customer relations, etc. While allowing access to and use of such applications by authorized employees, contractors, or other users, the organizations also must prevent unauthorized access and use. For example, a bank may enhance its relationships with commercial customers by providing increased efficiency with on-line currency trading. This type of service may require real-time updates and links to back office transactional systems in order to function properly. At a minimum, the bank needs to protect the integrity of its core systems from unauthorized transfers or tampering. As another example, a manufacturer may accelerate the development and manufacturing cycle for new products by creating a centralized World Wide Web (“Web”) site that maintains development and manufacturing research and other information for use by its engineers and scientists. As a result, plant engineers on one continent can share process breakthroughs with their colleagues around the globe. As the manufacturer may want to limit disclosure of its trade secrets and methods, the manufacturer may want to ensure that its competitors or sub-contractors cannot access the Web site.
In general terms, in order to secure its information assets, an organization may want to provide several protections. First, the organization may want to safeguard user privacy and prevent the theft of information both while it is stored and while it is in transit. Second, the organization may want to ensure that electronic transactions and data resources are not tampered with at any point, either accidentally or maliciously. Third, the organization may want to detect attacks in progress or be able to trace any damage from successful attacks, as well as be able to prevent users from later denying completed transactions. Fourth, the organization may want to ensure uninterrupted service to authorized users and prevent either accidental or maliciously caused service interruptions. In order to provide these key protections such that legitimate users can access applications while unauthorized access is barred, information security must be an integral part of the organization's network and system design and implementation.
An organization may use a distributed network architecture to allow disparately located users to access applications, data and other resource components. Unfortunately, making such applications, data and other resource components available across a wide network makes them harder to protect. Moreover, security functionality also may be distributed throughout the network rather than residing in a central location, thereby making it easier to bypass or spoof them. As a further complication, distributed networks are often heterogeneous; that is, they may use applications and security products from many different vendors and such applications and security products may be implemented differently on different platforms.
As one example of the difficulty in providing adequate security in a typical enterprise architecture, a user may access a Web based business application using a browser that in turn communicates with the business application via a Web server. A request from the user may be transmitted through a complex multi-tier chain of software applications operating on a variety of platforms before it reaches the back-office business application, which may then access databases on behalf of the user, process the user's request, and return the appropriate results. In order to provide end-to-end security, and to ensure that security safeguards cannot be bypassed, each link in the chain of requests and replies must be properly protected, i.e., from the initiating browser, through mid-tier business components, to the back-office business application and databases, and then back again to the browser. There are at least three security tiers that comprise an end-to-end security system for this example: (1) perimeter security technologies, which are used between the browser and the Web server; (2) mid-tier security technologies, which are used between the mid-tier business components; and (3) back-office security technologies, which address protection of databases and operating system specific back-end systems (e.g., mainframes, UNIX and Windows NT server platforms).
As a result of all of this, security for different applications may be distributed across the network or performed by different security components (e.g., at a hardware level, by middleware, by an operating system). In addition, a particular distributed application may be secure, but confirming that security for the application may be difficult, or even impossible.
It would be advantageous to provide a method and apparatus that overcame the drawbacks of the prior art. In particular, it would be desirable to provide methods and apparatus that facilitated integrated security across the perimeter, middle, and back-office security tiers while allowing the use of applications and security services that are from different vendors and/or that are based or operating on different platforms.
SUMMARY OF THE INVENTION
Embodiments of the present invention provide a system, method, apparatus, means, and computer program code for facilitating security in a network, particularly a distributed network.
According to some embodiments of the present invention, a system or security framework for facilitating security in a network may include an adapter associated with one or more applications, a manager, and/or one or more mappers associated with one or more security services. The manager may be capable of selecting a security service to handle or otherwise process a security request associated with an application.
The adapter may intercept or otherwise identify a security request associated with the application and provide data indicative of the security request to the manager. The manager may receive the data indicative of the security request from the adapter, determine a security service to process the security request, and provide the data indicative of the security request to the mapper associated with the selected security service.
The mapper called, loaded or otherwise selected by the manager may receive the data indicative of the security request from the manager, prepare a security service version of the security request, and call the security service to process the security service version of the security request. After the security service processes the security request and creates a response to the security request, the mapper may receive the response to the security service version of the security request from the security service and provide data indicative of the response to the manager.
After receiving the data indicative of the response from the mapper, the manager may provide data indicative of the response to the adapter. In turn, the adapter may prepare a response regarding the security request after receiving the data indicative of the response from the manager and provide the response to the application.
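The adapter, manager and mapper chain described above, as an added illustration that is not the patent's own code: two constructed security services with deliberately different native APIs sit behind one mapper each, the manager routes by request kind and fails closed when no service is registered, and the adapter gives the application a plain verdict. All class, function and credential names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

@dataclass
class SecurityRequest:
    kind: str                     # generic request type, e.g. "authenticate" or "authorize"
    params: Dict[str, str] = field(default_factory=dict)

# Two constructed security services with deliberately different native APIs.
class PasswordService:
    def check(self, user: str, password: str) -> bool:
        return (user, password) == ("alice", "correct-horse")   # constructed test credentials
class AclService:
    def lookup(self, principal: str, resource: str) -> str:
        return "ALLOW" if (principal, resource) == ("alice", "/trading") else "DENY"

# Mappers: translate the generic request into each service's native call and back.
def password_mapper(svc: PasswordService, req: SecurityRequest) -> dict:
    return {"granted": svc.check(req.params["user"], req.params["password"]), "service": "password"}
def acl_mapper(svc: AclService, req: SecurityRequest) -> dict:
    return {"granted": svc.lookup(req.params["user"], req.params["resource"]) == "ALLOW", "service": "acl"}

class Manager:
    """Routes each request kind to one (service, mapper) pair; unknown kinds fail closed."""
    def __init__(self) -> None:
        self.routes: Dict[str, tuple] = {}
    def register(self, kind: str, service, mapper: Callable) -> None:
        self.routes[kind] = (service, mapper)
    def handle(self, req: SecurityRequest) -> dict:
        route = self.routes.get(req.kind)
        if route is None:   # no mapper registered: deny rather than let the request through
            return {"granted": False, "service": None, "error": "no service for " + req.kind}
        service, mapper = route
        return mapper(service, req)

class Adapter:
    """Application-facing side: builds the generic request, hands back a plain verdict."""
    def __init__(self, manager: Manager) -> None:
        self.manager = manager
    def login(self, user: str, password: str) -> bool:
        req = SecurityRequest("authenticate", {"user": user, "password": password})
        return self.manager.handle(req)["granted"]
    def can_access(self, user: str, resource: str) -> bool:
        req = SecurityRequest("authorize", {"user": user, "resource": resource})
        return self.manager.handle(req)["granted"]

def build_framework() -> Adapter:
    mgr = Manager()
    mgr.register("authenticate", PasswordService(), password_mapper)
    mgr.register("authorize", AclService(), acl_mapper)
    return Adapter(mgr)
```

Swapping a security service only requires a new mapper; the adapter and the application behind it are unchanged.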
Additional advantages and novel features of the invention shall be set forth in part in the description that follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by the practice of the invention.
According to some embodiments of the present invention, a method for facilitating security in a system, wherein the system includes a manager module used in routing a security request associated with an application to a security service module, may include receiving data i
