System for and method of determining data connections between software applications

US11057433B2 · US · B2

Patent metadata

Publication number: US-11057433-B2
Application number: US-201816051660-A
Country: US
Kind code: B2
Filing date: Aug 1, 2018
Priority date: Aug 1, 2018
Publication date: Jul 6, 2021
Grant date: Jul 6, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A system for and a method of regulating the data interconnections between applications running on an infrastructure are provided. The system/method records access permission data into metadata embedded in the source code of each such application that regulates the data that can be received or transmitted by that application. In addition to regulating the receipt or transmission of data, the metadata can serve to provide instruction to firewalls and other regulating systems in order to configure those systems to allow the applications to receive and transmit data for which permissions have been recorded.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of controlling data connections of an application program, the method comprising: establishing a service definition for the application program corresponding to an application development phase; establishing definitions of allowed connections; storing the service definition and the definitions of allowed connections in an application service registry; embedding the definitions of allowed connections as metadata into a source code for the application program; automatically deriving firewall rules from the metadata by identifying a plurality of communication endpoints, the plurality of communication endpoints including the application program; extracting the metadata corresponding to each of the plurality of communication endpoints; and determining whether a connection between each of the plurality of communication endpoints is permitted based on a comparison of the extracted metadata; automatically deriving an allowed application data listing from the metadata; and configuring an application interface manager using the allowed application data listing.

2. The method of claim 1, wherein the definitions of allowed connections are also embedded as metadata in a corresponding application program.

3. The method of claim 2, further comprising creating a definition of data publications and data sources and wherein a databook is created that comprises definitions of critical data elements and data sourcing rules derived from the definition of data publications and data sources.

4. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises identifying application types to which an application program is permitted to communicate.

5. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises identifying application environments to which the application program is permitted to communicate.

6. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises identifying ports through which the application program is permitted to communicate.

7. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises defining geographic locations with which the application program is permitted to communicate.

8. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises defining at least one data type from among an environmental variable, a location variable, a confidentiality variable, and a regulatory and compliance variable that may be communicated from the application program.

9. The method of claim 1, further comprising the steps of: comparing an attempt to access a connection by an application program running in a test environment with the definitions of allowed connections; and recording each attempt to access a connection that is not included in the definition of allowed connections.

10. A system for automatically regulating data connections of an application program, the system comprising: an application service registry; a source data repository in communication with the application service registry; the application service registry comprising software instructions that when executed by a first processor cause the first processor to: extract metadata information pertaining to permitted application data connections; the source data repository comprising software instructions that when executed by a second processor, cause the second processor to: establish a software application requirements definition for the application program corresponding to an application development phase, the software application requirements definition comprising allowed connections with other applications and data sources; store the definitions of allowed connections to a metadata document; embed the definitions of allowed connections as metadata into a source code for the application program; automatically establish firewall rules from the metadata to: identify a plurality of communication endpoints, the plurality of communication endpoints including the application program; extract the metadata corresponding to each of the plurality of communication endpoints; and determine whether a connection between each of the plurality of communication endpoints is permitted based on a comparison of the extracted metadata; automatically establish an allowed application data listing from the metadata; and configure an application interface manager using the allowed application data listing.

11. The system of claim 10, further comprising software instructions that cause the second processor to create a definition of data publications and data sources.

12. The system of claim 10, further comprising software instructions that cause the second processor to create a databook that comprises definitions of critical data elements and data sourcing rules derived from the definition of data publications and data sources.

13. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises identifying allowed connections with other applications and data sources.

14. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises identifying application environments to which the application program is permitted to communicate.

15. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises defining ports through which the application program is permitted to communicate.

16. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises defining geographic locations from which the application program is permitted to communicate.

17. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises defining at least one data type from among an environmental variable, a location variable, a confidentiality variable, and a regulatory and compliance variable that may be communicated from the application program.

18. The system of claim 10, further comprising an application interface manager, the application interface manager comprising software instructions that when executed by the application interface manager cause the application interface manager to: compare an attempt to access a connection by an application program running in a test environment with the definitions of allowed connections; and record access attempts to connections that are not included in the definition of allowed connections.
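The claims describe a pipeline: connection permissions are embedded as metadata in each application's source, a registry extracts that metadata for every endpoint, firewall rules are derived by comparing the metadata of each pair of endpoints, an allowed application data listing is built from the result, and an application interface manager configured with that listing records any connection attempt in a test environment that the listing does not cover. The Python below is an added illustration of that flow and is not code from the patent or its assignee. The comment-based `@service` / `@allow` metadata format, the endpoint names, environments, ports and locations, and the helper names are all constructed for the example; the claims name the dimensions compared (application type, environment, ports, geographic location) but not a concrete syntax.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceDefinition:
    """One endpoint's service definition plus its allowed-connection metadata."""
    name: str
    app_type: str
    environment: str
    location: str
    listen_ports: frozenset        # ports this service itself accepts
    allowed_types: frozenset       # application types it may connect to
    allowed_envs: frozenset        # environments it may connect to
    allowed_ports: frozenset       # ports it may connect through
    allowed_locations: frozenset   # geographic locations it may connect to


# Hypothetical in-source metadata format: comment lines tagged @service / @allow.
_TAG = re.compile(r"^\s*#\s*@(service|allow)\s+(.*)$", re.MULTILINE)


def _kv(text):
    """'a=1 b=x,y' -> {'a': '1', 'b': 'x,y'}"""
    return dict(pair.split("=", 1) for pair in text.split())


def _csv(d, key):
    return frozenset(v for v in d.get(key, "").split(",") if v)


def parse_embedded_metadata(source):
    """Extract the service definition and allowed connections embedded in a source file."""
    svc, allow = {}, {}
    for tag, body in _TAG.findall(source):
        (svc if tag == "service" else allow).update(_kv(body))
    return ServiceDefinition(
        name=svc["name"], app_type=svc["type"], environment=svc["env"],
        location=svc["location"],
        listen_ports=frozenset(int(p) for p in _csv(svc, "ports")),
        allowed_types=_csv(allow, "types"), allowed_envs=_csv(allow, "envs"),
        allowed_ports=frozenset(int(p) for p in _csv(allow, "ports")),
        allowed_locations=_csv(allow, "locations"),
    )


def connection_permitted(src, dst, port):
    """Compare both endpoints' metadata: every dimension must allow the peer."""
    return (dst.app_type in src.allowed_types
            and dst.environment in src.allowed_envs
            and dst.location in src.allowed_locations
            and port in src.allowed_ports
            and port in dst.listen_ports)


def derive_firewall_rules(registry):
    """Pairwise comparison over all endpoints; explicit ALLOW rules, then default DENY."""
    rules = []
    for src in registry:
        for dst in registry:
            if src is dst:
                continue
            for port in sorted(src.allowed_ports):
                if connection_permitted(src, dst, port):
                    rules.append(("ALLOW", src.name, dst.name, port))
    rules.append(("DENY", "any", "any", "any"))
    return rules


def allowed_data_listing(rules):
    """Per-application listing of the (peer, port) pairs it may use."""
    listing = {}
    for action, src, dst, port in rules:
        if action == "ALLOW":
            listing.setdefault(src, set()).add((dst, port))
    return listing


class ApplicationInterfaceManager:
    """Configured from the listing; records every attempt the listing does not cover."""

    def __init__(self, listing):
        self.listing = listing
        self.recorded = []   # audit trail of attempts outside the allowed connections

    def attempt(self, src, dst, port):
        ok = (dst, port) in self.listing.get(src, set())
        if not ok:
            self.recorded.append((src, dst, port))
        return ok


# Constructed sample source files; a service with no @allow line has no permitted outbound peers.
BILLING_SRC = """
# @service name=billing type=backend env=test location=US ports=8443
# @allow types=database,cache envs=test ports=5432,6379 locations=US
"""
LEDGER_DB_SRC = """
# @service name=ledger-db type=database env=test location=US ports=5432
"""
ANALYTICS_SRC = """
# @service name=analytics type=analytics env=prod location=EU ports=8080
# @allow types=database envs=prod ports=5432 locations=EU
"""


def demo():
    registry = [parse_embedded_metadata(s) for s in (BILLING_SRC, LEDGER_DB_SRC, ANALYTICS_SRC)]
    rules = derive_firewall_rules(registry)
    manager = ApplicationInterfaceManager(allowed_data_listing(rules))
    manager.attempt("billing", "ledger-db", 5432)    # allowed
    manager.attempt("billing", "analytics", 8080)    # wrong application type: recorded
    manager.attempt("analytics", "ledger-db", 5432)  # environment mismatch: recorded
    return rules, manager.recorded


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Only one ALLOW rule survives the pairwise comparison (billing to ledger-db on 5432); the two other attempts in `demo()` fail a single dimension each and end up in the manager's record, which is the evidence a test run produces for connections the service definition never declared.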

Assignees

JPMorgan Chase Bank, N.A.

Classifications

  • H04L63/20 (primary): for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals · CPC title

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title

  • Rule management · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11057433B2 cover?

A system for and a method of regulating the data interconnections between applications running on an infrastructure are provided. The system/method records access permission data into metadata embedded in the source code of each such application that regulates the data that can be received or transmitted by that application. In addition to regulating the receipt or transmission of data, the met…

Who is the assignee on this patent?

JPMorgan Chase Bank, N.A.

What technology area does this patent fall under?

Primary CPC classification H04L63/20. Mapped technology areas include Electricity.

When was this patent published?

Publication date Jul 6, 2021 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).