Technologies for secure personalization of a security monitoring virtual network function
US-2016373474-A1 · Dec 22, 2016 · US
US9967288B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9967288-B2 |
| Application number | US-201514933179-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 5, 2015 |
| Priority date | Nov 5, 2015 |
| Publication date | May 8, 2018 |
| Grant date | May 8, 2018 |
Abstract
A common security policy for a heterogeneous computer architecture environment is provided. A configuration of a security policy of a heterogeneous computer architecture is received from a management console. The security policy is stored on a policy server that is communicatively connected, by a management network, to a plurality of hardware platforms of the heterogeneous computer architecture. The security policy is distributed to a plurality of policy agents of the heterogeneous computer architecture over the management network. The security policy includes a security policy administrator role that permits management of (i) one or more subjects in a plurality of security zones and (ii) one or more objects in the plurality of security zones. The security policy also includes security zone administrator roles, wherein each security zone administrator role (i) is associated with a respective security zone and (ii) permits management of object(s) in the respective security zone.
Claims (preview; the text is truncated at the end of claim 7)
What is claimed is:

1. A method comprising: receiving from a management console, by one or more computer processors, a configuration of a security policy of a heterogeneous computer architecture; storing, by one or more computer processors, the security policy on a policy server of the heterogeneous computer architecture, wherein a management network communicatively connects the policy server to a plurality of hardware platforms of the heterogeneous computer architecture; and distributing, over the management network, the security policy to a plurality of policy agents of the heterogeneous computer architecture, wherein: the security policy includes a security policy administrator role, wherein (i) one or more subjects are associated with the security policy administrator role, and (ii) the security policy administrator role permits the one or more subjects that are associated with the security policy administrator role to manage: one or more subjects in a plurality of security zones; and one or more objects in the plurality of security zones; the security policy includes a plurality of security zone administrator roles, wherein each security zone administrator role (i) is associated with a respective security zone of the plurality of security zones and (ii) permits management of one or more objects in the respective security zone; the security policy includes a plurality of security label types, each security label type (i) being associated with at least one of the one or more subjects and at least one of the one or more objects of the plurality of security zones and (ii) identifying a respective security zone of the plurality of security zones; and the security policy identifies a security appliance of the heterogeneous computer architecture that is associated with at least two security label types, and wherein the security policy prohibits, for each of the one or more objects in the plurality of the security zones, with an exception for the security appliance, an association with more than one of the plurality of security label types.

2. The method of claim 1, further comprising: receiving, by the security appliance, data from a first object of a first security zone of the plurality of security zones, wherein the first security zone is a source security zone; determining, by the security appliance, a sensitivity of the first security zone; identifying, by the security appliance, a second object in a second security zone of the plurality of security zones based, at least in part, on the data from the first object, wherein the second security zone is a target security zone; determining, by the security appliance, the sensitivity of the second security zone; and in response to determining, by the security appliance, that the sensitivity of the second security zone is higher than the sensitivity of the first security zone, permitting the first object to write information to the second object.

3. The method of claim 1, further comprising: receiving, by the security appliance, data from a first object of a first security zone of the plurality of security zones, wherein the first security zone is a source security zone; determining, by the security appliance, a sensitivity of the first security zone; identifying, by the security appliance, a second object in a second security zone of the plurality of security zones based, at least in part, on the data from the first object, wherein the second security zone is a target security zone; determining, by the security appliance, the sensitivity of the second security zone; and in response to determining, by the security appliance, that the sensitivity of the second security zone is lower than the sensitivity of the first security zone, permitting the first object to read information from the second object.

4. The method of claim 1, further comprising: receiving, by the security appliance, data from a first object of a first security zone of the plurality of security zones, wherein the first security zone is a source security zone; identifying, by the security appliance, a second object in a second security zone of the plurality of security zones based, at least in part, on the data from the first object, wherein the second security zone is a target security zone; and in response to determining, by the security appliance, that the first object is permitted to write to the second object based, at least in part, on a set of strictly defined rules that include one or more rules that indicate that objects of the first security zone are permitted to write to objects of the second security zone, permitting the first object to write information to the second object.

5. The method of claim 1, further comprising: receiving, by the security appliance, data from a first object of a first security zone of the plurality of security zones, wherein the first security zone is a source security zone; identifying, by the security appliance, a second object in a second security zone of the plurality of security zones based, at least in part, on the data from the first object, wherein the second security zone is a target security zone; and in response to determining, by the security appliance, that the first object is permitted to read from the second object based, at least in part, on a set of strictly defined rules that include one or more rules that indicate that objects of the first security zone are permitted to read from objects of the second security zone, permitting the first object to read information from the second object.

6. The method of claim 1, wherein the security policy permits a subject that is associated with a respective security zone administrator role of the plurality of security zone administrator roles to create one or more secondary security zones in a security zone that is associated with the respective security zone administrator role.

7. A computer program product comprising: a computer readable storage medium and program instructions stored on the computer readable storage medium, the program instructions comprising: program instructions to receive, from a management console, a configuration of a security policy of a heterogeneous computer architecture; program instructions to store the security policy on a policy server of the heterogeneous computer architecture, wherein a management network communicatively connects the policy server to a plurality of hardware platforms of the heterogeneous computer architecture; and program instructions to distribute, over the management network, the security policy to a plurality of policy agents of the heterogeneous computer architecture, wherein: the security policy includes a security policy administrator role, wherein (i) one or more subjects are associated with the security policy administrator role, and (ii) the security policy administrator role permits the one or more subjects that are associated with the security policy administrator role to manage: one or more subjects in a plurality of security zones; and one or more objects in the plurality of security zones; the security policy includes a plurality of security zone administrator roles, wherein each security zone administrator role (i) is associated with a respective security zone of the plurality of security zones and (ii) permits management of one or more objects in the respective security zone; the security policy includes a plurality of security label types, each security label type (i) being associated with at least one of the one or more subjects and at least one of the one or more objects of the plurality of security zones and (ii) identifying a respective security zone of the plurality of security zones; and the security policy identifies a security appliance of the heterogeneous c
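The following is an added illustration, not code from the patent or its assignee: a small policy model that encodes the constraints the claims describe, namely one security label type per object with the security appliance as the only multi-labelled exception (claim 1), write permitted only toward a more sensitive zone and read only from a less sensitive zone (claims 2 and 3), explicit zone-to-zone rules that override the sensitivity comparison (claims 4 and 5), and the policy-administrator versus zone-administrator management scope (claim 1). Zone names, sensitivity numbers and object names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    zones: dict        # zone name -> sensitivity (higher number = more sensitive)
    labels: dict       # security label type -> the single zone it identifies
    objects: dict      # object name -> set of label types attached to it
    appliance: str     # the security appliance, the one object allowed >= 2 labels
    rules: set = field(default_factory=set)   # explicit (src_zone, dst_zone, op) grants

    def validate(self):
        """Names of objects breaking the one-label-per-object rule. The appliance
        is exempt from that rule but must itself carry at least two label types."""
        bad = [o for o, ls in self.objects.items()
               if o != self.appliance and len(ls) > 1]
        if len(self.objects.get(self.appliance, ())) < 2:
            bad.append(self.appliance)
        return sorted(bad)

    def zones_of(self, obj):
        return {self.labels[label] for label in self.objects[obj]}

    def permitted(self, src, dst, op):
        """Appliance decision for a flow src -> dst, op in {'write', 'read'}.
        An explicit rule wins; otherwise write only upward and read only
        downward in sensitivity. Multi-labelled objects cannot be endpoints
        (the tuple unpacking raises ValueError for them on purpose)."""
        (s_zone,), (d_zone,) = self.zones_of(src), self.zones_of(dst)
        if (s_zone, d_zone, op) in self.rules:
            return True
        s, d = self.zones[s_zone], self.zones[d_zone]
        return (op == "write" and d > s) or (op == "read" and d < s)

    def can_manage(self, role, obj):
        """('policy_admin',) manages every object; ('zone_admin', zone) manages
        only objects whose label places them in that zone."""
        if role[0] == "policy_admin":
            return True
        return role[0] == "zone_admin" and role[1] in self.zones_of(obj)


# Constructed sample policy; every name and sensitivity value here is invented.
POLICY = Policy(
    zones={"public": 1, "internal": 2, "restricted": 3},
    labels={"L_pub": "public", "L_int": "internal", "L_res": "restricted"},
    objects={"web": {"L_pub"}, "db": {"L_int"}, "vault": {"L_res"},
             "appliance": {"L_pub", "L_int", "L_res"}},
    appliance="appliance",
    rules={("restricted", "internal", "write")},   # explicit downward-write grant
)
```

Without the explicit rule, `vault` (restricted) could not write to `db` (internal); with it the appliance permits that flow while still refusing `db` to read `vault`.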
CPC classifications:
- Multiple levels of security
- Rule management
- Distributed architectures, e.g. distributed firewalls
- Isolation or security of virtual machine instances
- Memory management, e.g. access or allocation