US20130326581A1 - Client Side Security Management for an Operations, Administrations and Maintenance System for Wireless Clients - Google Patents
- Publication number: US20130326581A1 (application US13/962,131)
- Authority: United States
- Legal status: Abandoned (Google's assumed status, not a legal conclusion)
Classifications
- H04L63/105: Multiple levels of security (under H04L63/10, network architectures or network communication protocols for network security for controlling access to devices or network resources; H04L63/00, network architectures or network communication protocols for network security)
- G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules (under G06F21/60, protecting data; G06F21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04W12/06: Authentication (under H04W12/00, security arrangements; authentication; protecting privacy or anonymity)
- H04W12/084: Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol (under H04W12/08, access security)
- G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme G06F2221/21 relating to G06F21/00 and subgroups)
- H04W88/02: Terminal devices (under H04W88/00, devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices)
Definitions
- Although a single managed resource may be represented by a single managed object, this is not usually the case, since managed resources are typically complex and require decomposition into multiple objects.
- Additional managed objects may exist to represent, for instance, relationships among a managed resource's components or between separate managed resources. A glimpse of such complexity may be discerned in FIG. 5 .
- In FIG. 4 and FIG. 6 , the point above aids understanding that the single block labeled “MO” represents from one to N actual managed objects.
- Managed objects may take various forms and exist under the rules of specific schemas, standardized or proprietary; these variations have no effect on the practice of the invention described herein.
- Security management block 224 is an integral part of OA&M system 16 and provides a platform management security subsystem for wireless handheld devices. Security management block 224 may, in general, protect the OA&M managed resources from tampering and their data from disclosure to untrusted parties or unauthorized control operations.
- FIG. 3 illustrates the three components of a security management system 300 under the control of security management block 224 ; namely, a security policy block 310 , an access control block 312 and a monitor block 314 .
- Security policy block 310 sets the policy for authentication and encryption of the managed resources at the managed object and managed object attribute level.
- Security access control block 312 provides a mechanism for the authentication, delegation, and definition of access permissions for managed resources.
- Security monitor block 314 provides a reporting mechanism for security alerts, reporting events such as modifications or access to managed objects, new management authorization and information on any security key used to gain access. Propagation of such alarms depends on the OA&M system's alarm management facilities. With these components in wireless communications device 10 , trusted users of the resources may be authenticated, access control of the resources may be protected, and data that is potentially accessible may be encrypted.
- Security policy block 310 applies access control mechanisms to managed objects and sets policy for encryption of the managed object data on and off the platform.
- The Application Program Interface (API) for security policy block 310 is a set of routines, protocols and tools for building software applications, and includes a SecurityPolicy interface 410 , a SecurityPolicy 412 , an AttributeSecurity 414 and managed objects 416 (from configuration management block 216 ) (see FIG. 2 ).
- Security policy block 310 allows the authentication and encryption policies to be adjusted either for the entire managed object with which the policy object is associated or for individual attributes of that managed object.
- A single managed object may be the root of a collection of managed objects that represent a managed resource.
- Security management of resources may therefore occur at three levels of granularity, namely, managed object collections, individual managed objects, and individual managed object attributes.
- The security policies that apply to authentication and encryption for managed objects or managed object collections are represented by SecurityPolicy objects associated with managed objects 416 .
- SecurityPolicy 412 contains a policy attribute for each of authentication and encryption, which may be as simple as “Off” and “On” or a regular expression for more sophisticated applications of the policy to a particular managed object. SecurityPolicy 412 also contains attributes that override the authentication and encryption policies for individual managed objects and indicate whether the applied policy is local to the managed object or collection, or inherited from the system or managed object collection.
- AttributeSecurity 414 creates individual attribute security objects with their own authentication and encryption settings. Individual settings may at any time be overridden en masse by the global policies.
- Managed object 416 may include name attributes, class attributes, parent and child associations and status attributes, with capabilities to create, initialize, delete, modify and query.
- FIG. 5 is a block diagram illustrating multiple levels of managed object collections to which management security may be applied in accordance with the present invention.
- Each block represents a managed object.
- One or more managed objects may be necessary to represent a managed resource. Where there is more than one managed object to represent a managed resource, the managed objects are associated with one another in some manner (as represented by the lines between objects in the diagram). Different embodiments of a managed object representation may or may not allow or restrict such relationships to be, for example, tree-like hierarchies, cycles, collections, or other associations.
- The diagram is intended to explain the distinct levels at which the invention applies in relation to the representation of the managed resources.
- The example managed resource in the diagram is a service application that may be installed to run on the managed platform.
- This service has sub-functions of Logging and Accounting.
- The ellipses outline a single attribute 540 , a single managed object 530 , a collection of managed objects representing the accounting sub-function 520 , and the entire managed resource of the service application 510 ; these are the four possible levels at which security policy (authorization and encryption) may be applied with the present invention.
- When the security policy is applied to the “root” object of the entire service application 514 , its scope is the entire set of managed object collections representing that application.
- When the security policy is applied to a sub-collection of the entire managed resource, such as 524 , this is a single managed object collection policy. More specific security policy may be applied to, say, particularly sensitive managed objects individually, such as 534 .
- The most specific application of security policy occurs at the level of a single attribute, as shown by the MaxLogSize attribute 544 within the Log Administration managed object in the example diagram.
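As an added illustration (not code from the patent), the following Python models the policy levels and the local/inherited override described for FIG. 4 and FIG. 5: a policy is resolved from the attribute, then the object, then each enclosing collection, and the en-masse override clears everything below the root. The class names, the tree below the service application (the Ledger object is invented) and the reading of a regular-expression setting as a match on the operation name are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example (not the patent's code): a constructed model of the
# SecurityPolicy 412 / AttributeSecurity 414 objects of FIG. 4, resolved over
# a managed object tree shaped like the service application of FIG. 5.
# Class names, the tree contents and the regex interpretation are assumptions.


@dataclass
class SecurityPolicy:
    # Each setting is "Off", "On", or a regular expression. As an assumption,
    # a regex is matched against the name of the requested operation, so
    # "modify|delete" means: require it for modify and delete only.
    authentication: str = "Off"
    encryption: str = "Off"

    def requires(self, setting: str, operation: str) -> bool:
        value = getattr(self, setting)
        if value == "On":
            return True
        if value == "Off":
            return False
        return re.fullmatch(value, operation) is not None


@dataclass
class ManagedObject:
    name: str
    policy: Optional[SecurityPolicy] = None      # local policy; None means inherited
    attribute_policies: Dict[str, SecurityPolicy] = field(default_factory=dict)
    parent: Optional["ManagedObject"] = None
    children: List["ManagedObject"] = field(default_factory=list)

    def add_child(self, child: "ManagedObject") -> "ManagedObject":
        child.parent = self
        self.children.append(child)
        return child


SYSTEM_DEFAULT = SecurityPolicy("Off", "Off")   # applies when nothing is set anywhere


def effective_policy(mo: ManagedObject, attribute: Optional[str] = None) -> Tuple[SecurityPolicy, str]:
    """Most specific wins: the attribute's own policy, then the object's local
    policy, then each enclosing collection up to the root, then the system."""
    if attribute is not None and attribute in mo.attribute_policies:
        return mo.attribute_policies[attribute], f"{mo.name}.{attribute}"
    node: Optional[ManagedObject] = mo
    while node is not None:
        if node.policy is not None:
            return node.policy, node.name
        node = node.parent
    return SYSTEM_DEFAULT, "system"


def apply_global_override(root: ManagedObject, policy: SecurityPolicy) -> None:
    """The en-masse override: the collection root takes the policy and every
    descendant's object and attribute settings are cleared so they inherit."""
    root.policy = policy
    stack = list(root.children)
    while stack:
        node = stack.pop()
        node.policy = None
        node.attribute_policies.clear()
        stack.extend(node.children)


def find(root: ManagedObject, name: str) -> Optional[ManagedObject]:
    stack = [root]
    while stack:
        node = stack.pop()
        if node.name == name:
            return node
        stack.extend(node.children)
    return None


def check(mo: ManagedObject, operation: str, attribute: Optional[str] = None) -> dict:
    """Report where the effective policy came from and what it demands."""
    policy, source = effective_policy(mo, attribute)
    return {"source": source,
            "authentication": policy.requires("authentication", operation),
            "encryption": policy.requires("encryption", operation)}


def build_fig5_tree() -> ManagedObject:
    # Constructed tree; reference numerals follow the FIG. 5 description above.
    app = ManagedObject("ServiceApplication", SecurityPolicy("On", "Off"))              # 514
    accounting = app.add_child(ManagedObject("Accounting", SecurityPolicy("On", "On")))  # 524
    accounting.add_child(ManagedObject("Ledger"))                                        # inherits (invented)
    logging = app.add_child(ManagedObject("Logging"))                                    # inherits
    log_admin = logging.add_child(
        ManagedObject("LogAdministration", SecurityPolicy("modify|delete", "Off")))      # 534
    log_admin.attribute_policies["MaxLogSize"] = SecurityPolicy("On", "On")             # 544
    return app
```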
- FIG. 6 shows details of the objects and interfaces of security access control block 312 (see FIG. 3 ).
- Security access control block 312 includes an Owner Interface 610 , a list of device owners 612 , a SecurityConsole interface 614 , a SecurityConsole 616 , ControlPoints 618 , an Access Control List (ACL) entry 620 , a CertificateCache 622 , a ProfileManager 624 and a Profile 626 that may implement permissions profiles as a convenience.
- The SecurityConsole 616 interface controls the lifecycle of ControlPoints 618 and the creation of ACL entry 620 objects in the system.
- The ProfileManager 624 interface governs multiple ControlPoints 618 that may be collected in a single Profile 626 .
- A Profile 626 and all of its associated ControlPoints 618 , ACL entries 620 , etc. may be coalesced and defined, installed, or removed as a single entity. Access control decisions may be made by a combination of SecurityPolicy 412 (see FIG. 4 ) and control of access by the actions of SecurityConsole 616 .
- The API for Owner Interface 610 allows an initial SecurityConsole 616 to become the platform owner and delegate subsequent authority. If the device is already owned, the signature fails and the request is rejected without processing.
- The TakeOwnership( ) call in Owner Interface 610 permits SecurityConsole 616 to obtain a public key for the platform and claim ownership of an unowned, security-aware device via the public signing key.
- SecurityConsole 616 is then listed as the device's Owner (see Owners in 612 ).
- An Owner is a ControlPoint 618 empowered to edit a device's Access Control List (ACL) entry 620 .
- The Security Console's interface may assign names to Control Points 618 and grant them permissions on managed resources. Once ownership of a device is granted to SecurityConsole 616 , that Security Console may grant ownership to other Security Consoles through authority delegation.
- The list of device owners 612 is the list of those signature keys, or of their security hashes, that are permitted to edit ACL entry 620 of the device. By default, each of these signature keys is given total permission to modify managed objects. Typically, there would be only a single owner of the device. Owners may designate Control Points 618 , which according to their corresponding ACL entry 620 are granted less than full ownership privilege. This scheme allows the segregation of access to different areas of managed resources.
- Each ACL entry 620 contains a signature key and one or more granted permissions. Permissions may be defined by the device manufacturer or resource providers and comprise a set of allowable actions. An ACL entry 620 may limit the delegation of authority from one Control Point 618 to another and the valid duration of such authority based on date and time limits. These features are represented in ACL entry 620 by the attributes Delegate, Authority, and Validity. Thus, as managed resources such as device components, software, user preferences, etc., are installed at manufacture time or later, entries in ACL entry 620 are created that correspond to the authority to manage those resources.
- SecurityConsole 616 may convert an ACL entry and replace it with a certificate in CertificateCache 622 to grant that permission to the Control Point 618 . Since wireless communications device 10 may have limited storage capability for these entries, certificates are cached and associated with a Control Point for use when accessing managed resources.
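An added illustration, not the patent's code, of the ownership and delegation rules in the paragraphs above: a device that accepts only one TakeOwnership, an owner list holding key hashes, and ACL entries carrying Delegate, Authority and Validity. The key strings, the action names, and the rule that a delegated entry may be no broader in permissions or lifetime than the granter's own entry are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, Set, Tuple

# Added example (not the patent's code): a constructed model of the Owner
# list 612, ACL entries 620 and Control Point delegation of FIG. 6.
# Signing keys are stood in for by opaque strings; the device stores only
# their SHA-256 hashes, as the owner list is described as doing.


def key_hash(signing_key: str) -> str:
    return hashlib.sha256(signing_key.encode()).hexdigest()


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class AclEntry:
    key_hash: str                        # the Control Point's signing key hash
    permissions: Set[str]                # allowable actions, e.g. "modify:Logging" (constructed names)
    delegate: bool                       # Delegate: may this Control Point delegate further?
    authority: str                       # Authority: key hash of whoever granted this entry
    validity: Tuple[datetime, datetime]  # Validity: (not_before, not_after)


@dataclass
class Device:
    owners: Set[str] = field(default_factory=set)       # hashes of owner signing keys
    acl: Dict[str, AclEntry] = field(default_factory=dict)

    def take_ownership(self, console_key: str) -> bool:
        """TakeOwnership(): an already-owned device rejects the request."""
        if self.owners:
            return False
        self.owners.add(key_hash(console_key))
        return True

    def delegate_ownership(self, owner_key: str, new_console_key: str) -> bool:
        """Only an existing owner can make another Security Console an owner."""
        if key_hash(owner_key) not in self.owners:
            return False
        self.owners.add(key_hash(new_console_key))
        return True

    @staticmethod
    def _in_validity(entry: AclEntry, now: datetime) -> bool:
        not_before, not_after = entry.validity
        return not_before <= now <= not_after

    def grant(self, granter_key: str, grantee_key: str, permissions: Iterable[str],
              delegate: bool, validity: Tuple[datetime, datetime], now: datetime) -> bool:
        """Install an ACL entry. Owners hold total permission; a Control Point
        may delegate only if its own entry allows it, is currently valid, and
        the new entry is no broader in permissions or lifetime than its own."""
        granter = key_hash(granter_key)
        wanted = set(permissions)
        if granter not in self.owners:
            own = self.acl.get(granter)
            if (own is None or not own.delegate or not self._in_validity(own, now)
                    or not wanted <= own.permissions
                    or validity[0] < own.validity[0] or validity[1] > own.validity[1]):
                return False
        grantee = key_hash(grantee_key)
        self.acl[grantee] = AclEntry(grantee, wanted, delegate, granter, validity)
        return True

    def authorize(self, key: str, action: str, now: datetime) -> bool:
        """Owners may do anything; a Control Point needs a valid entry listing the action."""
        h = key_hash(key)
        if h in self.owners:
            return True
        entry = self.acl.get(h)
        return entry is not None and self._in_validity(entry, now) and action in entry.permissions
```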
- FIG. 7 shows details of the objects and interfaces of security monitor block 314 (see FIG. 3 ).
- Security monitor block 314 may include a SecurityNotification Interface 710 , a SecurityNotification 712 , a callback notification 714 , Alert objects 716 and an Alarm 718 .
- SecurityNotification 712 is a subscription point for security related alarms, maintaining a collection of such alarms and supplying a reporting function on these alarms.
- Security Management's monitoring function assumes the existence of an OA&M fault and alarm management system. It provides OA&M notifications of a Security Category. Due to the criticality of security notifications, the ability to sequester such alarms is expected.
- Security Alarms are defined within the client OA&M system and attached to the Security Monitor via a list of Alert objects 716 that track each alarm by ID and Type.
- The SecurityNotification interface provides a mechanism to report on the current security subsystem Alarms. Alarms are delivered via a Notify( ) callback which the OA&M Alarm subsystem calls.
- Some of the key features of the present invention are an ability to define security for managed resources on a wireless client device at many levels of granularity, from the entire device, to subsystems, to software and hardware components, services and applications, down to individual attributes of the above. Furthermore, it includes mechanisms for the management of the access control and encryption specifications for these managed resources in profiles that can be applied to multiple managed resources at one time. The invention also encompasses the ability to monitor the “health” of the system by tying it to alarm capabilities within the overall OA&M device system.
- The invention allows these security aspects to be implemented with efficiency in mind, for example, by permitting authentication and encryption granularity.
- Control of the applied security in the wireless device extends to individual attributes on specific managed objects that are a sub-part of a single managed resource.
- The present invention supplies mechanisms for efficiently managing the representations of access control and profiles that manage collections of such access control representations.
Abstract
An Operations, Administration, and Maintenance (OA&M) system 16 provides security for managed resources on a wireless client device 10 at many levels of granularity, from the entire device, to subsystems, to software and hardware components, services and applications, down to individual attributes.
Description
- In terms of resources to be managed, handheld wireless devices such as cellular phones are typically viewed as an end point of a network and little or no management of these devices occurs. For instance, security protection for such devices to prevent malicious intruders from exploiting improperly secured or unsecured wireless LANs or WiFi networks typically has been nonexistent.
- In contrast, in the Personal Computer (“PC”) environment, the “terminal elements” are highly sophisticated, complex devices (servers, desktop PCs, laptops, and the like) with many levels of built-in security. In the PC environment, a rich platform management model and implementation has security features to better serve both administrators and protect end users.
- These two environments, the wireless and PC worlds, are merging within new devices that offer both cellular communications and rich compute-intensive applications. As computational and communication abilities merge in more sophisticated and expensive wireless devices, security features and methods of security management become more desirable in the wireless space.
- Thus, the ability to locally and remotely manage such security features and provide intrusion detection and prevention in wireless devices is needed.
- The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features, and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanying drawings in which:
- FIG. 1 illustrates security features of the present invention incorporated into a wireless communications device;
- FIG. 2 illustrates a diagram of an embodiment for an Operations, Administration, and Maintenance (OA&M) block having security management for wireless clients in accordance with the present invention;
- FIG. 3 illustrates the security policy, access control and monitor components of the security management system;
- FIG. 4 shows details of the objects and interfaces of the security policy;
- FIG. 5 is a block diagram illustrating multiple levels of managed object collections to which management security may be applied in accordance with the present invention;
- FIG. 6 shows details of the objects and interfaces of the access control; and
- FIG. 7 shows details of the objects and interfaces of the monitor.
- It will be appreciated that for simplicity and clarity of illustration, elements illustrated in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals have been repeated among the figures to indicate corresponding or analogous elements.
- In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the present invention.
- In the following description and claims, the terms “coupled” and “connected,” along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other. Rather, in particular embodiments, “connected” may be used to indicate that two or more elements are in direct physical or electrical contact with each other. “Coupled” may mean that two or more elements are in direct physical or electrical contact. However, “coupled” may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
- Wireless communications device 10 has a transceiver 12 that either receives or transmits a modulated signal from one or more antennas. The analog front end transceiver may be provided as a stand-alone Radio Frequency (RF) integrated analog circuit, or alternatively, be embedded with processor 14 as a mixed-mode integrated circuit. The received modulated signal is frequency down-converted, filtered, and then converted to a digital signal. The digital data for the baseband signal processed by processor 14 may be transferred across an interface 18 for storage by a memory device 20. Memory device 20 may be connected to processor 14 to store data and/or instructions used by processor 14. In some embodiments, memory device 20 may be a volatile memory and in alternate embodiments, memory device 20 may be a nonvolatile memory.
- The architecture shown in FIG. 1 for wireless communications device 10 includes security features of the present invention that may be used in a wireless product. As such, processor 14 includes an Operations, Administration, and Maintenance (OA&M) system 16 for wireless clients. OA&M denotes broad functionality classes across a wireless handheld platform. Operations refers to activities that provide services to the end user of wireless communications device 10 and the associated functions required to support those services, such as provisioning (of resources and services), performance management, account management, and billing. Administration is related to the management of components that deliver required levels of service, and thus is associated with concepts such as Quality of Service (QoS), performance management, and traffic management where applicable. Maintenance is subdivided into corrective maintenance and preventive maintenance. Corrective maintenance involves failure detection and recovery, whereas preventive maintenance is involved with the tracking and alerting of pending or possible fault conditions and the re-configuration of platform resources in that regard. OA&M system 16 includes various management systems or “managers” having hardware, software code and one or more objects to perform the desired functions.
- The architecture presented for wireless communications device 10 may be used in a variety of applications, with the claimed subject matter incorporated into microcontrollers, general-purpose microprocessors, Digital Signal Processors (DSPs), Reduced Instruction-Set Computing (RISC), Complex Instruction-Set Computing (CISC), among other electronic components. OA&M system 16 may be incorporated into these devices and encompass a layered system approach to the management of platform resources (e.g., devices, device or network components, peripherals, etc.). The resources to be managed on a handheld platform of wireless communications device 10 are commonly referred to as managed resources and are instantiated in software as Managed Objects (MOs).
FIG. 2 shows one embodiment ofOA&M system 16 which may be described based on its relation withinwireless communications device 10. It should be pointed out that OA&Msystem 16 may be resident on thewireless communications device 10, or alternatively, portions ofOA&M system 16 may be resident at a network location. OA&Msystem 16 may include anaccount management block 210, aperformance management block 212, anevent management block 214, aconfiguration management block 216, anotification management block 218, afault management block 220, a managedobject database 222 and asecurity management block 224. AlthoughOA&M system 16 is shown and described having all of these blocks, other embodiments may have fewer blocks without limiting the claimed subject matter of the present invention. -
Account management block 210 may record information pertaining to billing and communicate session detail records with a remote billing function.
Performance management block 212 may define functionality for end-user and business-level usage designed to achieve the highest levels of local and network performance, physical and logical configurations, preventative maintenance, avoidance of service outages, as well as measures of the quality of delivery from service providers and of client application operation.
Event management block 214 may provide a model for the capture and delivery of platform events, such as any instantaneous change in a managed object. These events may be the foundation upon which platform monitoring, performance tuning, fault management, power management, and configuration are built.
Configuration management block 216 may provide various operations to define and maintain configuration data. Data may be added to create new resources, data may be deleted to remove unused resources, and data relating to existing resources may be modified for resource optimization.
Notification management block 218 may be used to package and deliver event details to interested system components. Such information may include, for example, the Managed Object (MO) generating the event, its class and instantiation, the time of the event, and optional information related to the particular MO, its function, and relationships to other MOs in the platform, if applicable.
Fault management block 220 may detect alarms and faults as they occur and notify other components, subsystems, or human operators upon receipt; isolate faults and limit the fault's effects; use test routines, diagnosis and correlation techniques to determine the cause of the fault; and repair or eliminate failures using maintenance routines (or human intervention).
Managed object database 222 may contain files, tables, or other representations corresponding to each of the managed objects of OA&M system 16. The managed objects represent the platform resources managed by OA&M system 16. In order to aid understanding of the invention, a distinction will be drawn between the meanings of “managed resource” and “managed object”. Managed resources are those real-world things within a system that one wishes to manage, that is, to create, modify, discover, or examine. In certain embodiments, these managed resources may include various hardware and software components (or portions thereof) including, for example, processor 14, memory device 20, other semiconductor devices, an operating program, a communications program, other software or firmware components, etc.
In order to manage these resources effectively and efficiently, representations of these resources are often embodied as managed objects. Managed objects are thus abstractions, usually in software, of the managed resources, and represent the data and relationships contained within the managed resources.
Note that though a single managed resource may be represented by a single managed object, this is not usually the case, since managed resources are typically complex and require decomposition into multiple objects. Furthermore, additional managed objects may exist to, for instance, represent relationships amongst a managed resource's components or between separate managed resources. A glimpse of such complexity may be discerned in FIG. 5. In FIG. 4 and FIG. 6, bear the point above in mind: the single block labeled “MO” is used to represent from one to a number N of actual managed objects.
It will be obvious to one skilled in the art that managed objects may take various forms and exist under the rules of specific schema, standardized or proprietary, but that such variations in embodiment have no effect on the practice of the invention described herein.
In accordance with the claimed subject matter, security management block 224 is an integral part of OA&M system 16 and provides a platform management security subsystem for wireless handheld devices. Security management block 224 may, in general, protect the OA&M managed resources from tampering and their data from disclosure to untrusted parties or unauthorized control operations.
FIG. 3 illustrates the three components of a security management system 300 under the control of security management block 224; namely, a security policy block 310, an access control block 312 and a monitor block 314. Security policy block 310 sets the policy for authentication and encryption of the managed resources at the managed object and managed object attribute level. Security access control block 312 provides a mechanism for the authentication, delegation, and definition of access permissions for managed resources. Security monitor block 314 provides a reporting mechanism for security alerts, reporting events such as modifications or access to managed objects, new management authorizations and information on any security key used to gain access. Propagation of such alarms depends on the OA&M system's alarm management facilities. With these components in wireless communications device 10, trusted users of the resources may be authenticated, access to the resources may be controlled, and data that is potentially accessible may be encrypted.
Referring now to FIG. 4, shown is a block diagram of managed objects and interfaces of security policy block 310 in accordance with one embodiment of the present invention. Security policy block 310 applies access control mechanisms to managed objects and sets policy for encryption of the managed objects' data on and off the platform. The Application Program Interface (API) for security policy block 310 is a set of routines, protocols and tools for building software applications, and includes a SecurityPolicy interface 410, a SecurityPolicy 412, an AttributeSecurity 414 and managed objects 416 (from configuration management block 216; see FIG. 2).
Security policy block 310 allows for the adjustment of security policies used for the purposes of authentication and encryption as supplied to the entire managed object to which the policy object is associated or to individual attributes of the managed object. Note that a single managed object may be the root of a collection of managed objects that represent a managed resource. In this case, security management of resources may actually occur at three levels of granularity, namely, managed object collections, individual managed objects, and individual managed object attributes. The security policies that apply to authentication and encryption for managed objects or managed object collections are represented by SecurityPolicy objects associated to managed objects 416.
SecurityPolicy 412 contains policy attributes for each of authentication and encryption, which may be as simple as “Off” and “On” or a regular expression for more sophisticated applications of the policy to a particular managed object. SecurityPolicy 412 also contains attributes to override authentication and encryption policies for individual managed objects; these indicate whether the policy being applied is local to the managed object or collection, or inherited from the system or managed object collection.
For more fine-grained specification of security at the attribute level, in some embodiments individual attributes may be listed in AttributeSecurity 414, which creates individual attribute security objects with their own authentication and encryption settings. Individual settings may at any time be overridden by the global policies en masse. Managed object 416 may include name attributes, class attributes, parent and child associations and status attributes, with capabilities to create, initialize, delete, modify and query.
FIG. 5 is a block diagram illustrating multiple levels of managed object collections to which management security may be applied in accordance with the present invention. In the diagram, each block represents a managed object. One or more managed objects may be necessary to represent a managed resource. Where there is more than one managed object representing a managed resource, the managed objects are associated with one another in some manner (represented by the lines between objects in the diagram). Different embodiments of a managed object representation may or may not allow or restrict such relationships to be, for example, tree-like hierarchies, cycles, collections, or other associations. The diagram is intended to explain the distinct levels at which the invention applies in relation to the representation of the managed resources.
The example managed resource in the diagram is a service application that may be installed to run on the managed platform. This service has sub-functions of Logging and Accounting. The ellipses outline a single attribute 540, a single managed object 530, a collection of managed objects representing the accounting sub-function 520, and the entire managed resource of the service application 510, and so mark the four possible levels of application of security policy (authorization and encryption) that are possible with the present invention.
The scope of the security policy when applied to the “root” object of the entire service application 514 applies that policy to the entire set of managed object collections representing that application. When the security policy is applied to a sub-collection of the entire managed resource, such as 524, this is a single managed object collection policy. More specific security policy may be applied to, say, particularly sensitive managed objects individually, such as 534. The most specific application of security policy may occur at the level of a single attribute, as represented by the MaxLogSize attribute 544 within the Log Administration managed object in the example diagram.
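The resolution rules in the FIG. 4 and FIG. 5 discussion (nearest local policy wins, inherited otherwise; AttributeSecurity entries are more specific than the object policy; a global policy applied en masse overrides everything) can be made concrete with a small model. The following Python is an added example, not code from the patent: the tree it builds is a constructed reading of FIG. 5, and the child names "LogAdministration" and "RateTable" and the attribute names other than MaxLogSize are assumptions. The regular-expression form of a setting is interpreted here as a pattern over attribute names, which is one plausible reading of the page's "more sophisticated" case.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example, not the patent's code: a model of SecurityPolicy 412,
# AttributeSecurity 414 and the managed-object tree of FIG. 5.  Names such
# as "LogAdministration" and "RateTable" are constructed for illustration.


@dataclass
class SecurityPolicy:
    """Authentication and encryption settings for an object or collection.

    Each setting is "Off", "On", or a regular expression; a regex makes the
    setting apply only to attributes whose names match it (assumed reading of
    the page's "more sophisticated" case).  local=True means the policy was set
    on this node; local=False marks a copy inherited from the system or an
    enclosing collection, which is what the override/inherited indicator records.
    """
    authentication: str = "Off"
    encryption: str = "Off"
    local: bool = True

    @staticmethod
    def applies(setting: str, attribute: str) -> bool:
        if setting == "On":
            return True
        if setting == "Off":
            return False
        return re.fullmatch(setting, attribute) is not None


@dataclass
class ManagedObject:
    """One MO; a collection is simply an MO with children (the FIG. 5 ellipses)."""
    name: str
    children: list[ManagedObject] = field(default_factory=list)
    policy: Optional[SecurityPolicy] = None                                     # 412
    attribute_security: dict[str, SecurityPolicy] = field(default_factory=dict)  # 414

    def add(self, child: ManagedObject) -> ManagedObject:
        self.children.append(child)
        return child


SYSTEM_DEFAULT = SecurityPolicy("Off", "Off", local=False)


def path_to(root: ManagedObject, *names: str) -> list[ManagedObject]:
    """Root-to-target path through the tree, following child names."""
    path = [root]
    for name in names:
        path.append(next(c for c in path[-1].children if c.name == name))
    return path


def effective_policy(path: list[ManagedObject]) -> SecurityPolicy:
    """The nearest local policy on the root-to-target path wins; otherwise the
    policy of the enclosing collection (or the system default) is inherited."""
    current = SYSTEM_DEFAULT
    for node in path:
        if node.policy is not None and node.policy.local:
            current = node.policy
    return current


def attribute_requirements(path: list[ManagedObject], attribute: str,
                           global_override: Optional[SecurityPolicy] = None) -> tuple[bool, bool]:
    """(authentication_required, encryption_required) for one attribute.

    Most to least specific: a global override applied "en masse" beats all;
    then the attribute's own AttributeSecurity entry; then the effective
    object/collection policy from the tree."""
    if global_override is not None:
        policy = global_override
    else:
        policy = path[-1].attribute_security.get(attribute) or effective_policy(path)
    return (SecurityPolicy.applies(policy.authentication, attribute),
            SecurityPolicy.applies(policy.encryption, attribute))


def build_fig5_example() -> ManagedObject:
    """Constructed tree after FIG. 5: a service application with Logging and
    Accounting sub-functions.  Policies: the root requires authentication only;
    the Accounting collection also encrypts everything beneath it; the Log
    Administration MO encrypts only attributes matching "Max.*"; and one
    attribute of RateTable is explicitly left open at the attribute level."""
    app = ManagedObject("ServiceApplication", policy=SecurityPolicy("On", "Off"))
    logging = app.add(ManagedObject("Logging"))
    logging.add(ManagedObject("LogAdministration", policy=SecurityPolicy("On", r"Max.*")))
    accounting = app.add(ManagedObject("Accounting", policy=SecurityPolicy("On", "On")))
    accounting.add(ManagedObject("RateTable",
                                 attribute_security={"Currency": SecurityPolicy("Off", "Off")}))
    return app
```

With this tree, MaxLogSize in LogAdministration requires both authentication and encryption while LogLevel in the same object requires authentication only; anything under Accounting is encrypted by inheritance except the Currency attribute, whose AttributeSecurity entry switches both off until a global override is applied. The practical point for a reviewer is that the effective protection of an attribute depends on four places, so a policy audit has to walk the whole path, not just the object it is looking at.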
FIG. 6 shows details of the objects and interfaces of security access control block 312 (see FIG. 3). Security access control block 312 includes an Owner Interface 610, a list of device owners 612, a SecurityConsole interface 614, a SecurityConsole 616, ControlPoints 618, an Access Control List (ACL) entry 620, a CertificateCache 622, a ProfileManager 624 and a Profile 626 that may implement permissions profiles as a convenience. The SecurityConsole 616 interface controls the lifecycle of ControlPoints 618 and the creation of ACL entry 620 objects in the system. The ProfileManager 624 interface governs multiple ControlPoints 618 that may be collected in a single Profile 626. Thus, Profile 626 and all associated ControlPoints 618, ACL entries 620, etc. may be coalesced and defined, installed, or removed as a single entity. Access control decisions may be made by a combination of SecurityPolicy 412 (see FIG. 4) and control of access by the actions of SecurityConsole 616.
The API for Owner Interface 610 allows an initial SecurityConsole 616 to become the platform owner and delegate subsequent authority. The TakeOwnership( ) in Owner Interface 610 permits SecurityConsole 616 to obtain a public key for the platform and claim ownership of an unowned, security-aware device via the public signing key. If the device was already owned, the signature fails and the request is rejected without processing. As a result of a successful TakeOwnership( ) action, SecurityConsole 616 is listed as the device's Owner (see Owners in 612). An Owner is a ControlPoint 618 empowered to edit a device's Access Control List (ACL) entry 620. The Security Console's interface may assign names to Control Points 618 and grant them permissions on managed resources. Once ownership of a device is granted to SecurityConsole 616, it is possible for that Security Console to grant ownership through authority delegation to other Security Consoles.
The list of device owners 612 is the list of, or the security hashes of, those signature keys that are permitted to edit ACL entry 620 of the device. By default, each of these signature keys is given total permission to modify managed objects. Typically, there would be only a single owner of the device. Owners may designate Control Points 618, which according to their corresponding ACL entry 620 are granted less than full ownership privilege. This scheme allows the segregation of access to different areas of managed resources.
Each ACL entry 620 contains a signature key and one or more permissions granted. Permissions may be defined by the device manufacturer or resource providers and comprise a set of allowable actions. An ACL entry 620 may limit the delegation of authority from one Control Point 618 to another and the valid duration of such authority based on date and time limits. These features are represented in ACL entry 620 by the attributes Delegate, Authority, and Validity. Thus, as managed resources such as device components, software, user preferences, etc., get installed at manufacture time or later, entries in ACL entry 620 are created that correspond to the authority to manage those resources.
Since a wireless client platform may have a large number of resources or attributes protected by an ACL entry 620, SecurityConsole 616 may convert an ACL entry and replace it with a certificate in CertificateCache 622 to grant that permission to the Control Point 618. Since wireless communications device 10 may have limited storage capability for these entries, certificates are cached and associated with a Control Point for use when accessing managed resources.
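The ownership, delegation and certificate-cache behaviour described for FIG. 6 is easiest to reason about as a state machine over a small data model. The Python below is an added example and not the patent's code. It abstracts signature handling entirely: any string stands in for a signature key and its SHA-256 hash is that key's identity, matching the page's remark that the owner list may hold hashes of signature keys. The meaning given to Delegate (may the holder delegate at all), Authority (which actions it may pass on) and Validity (a date/time window) is an assumption, since the page names the attributes without defining them; the HMAC used to protect cached certificates and the `at()` clock helper are likewise constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not the patent's code: a model of the FIG. 6 access-control
# objects (Owners 612, ACL entry 620 with Delegate/Authority/Validity,
# CertificateCache 622).  Signature verification is abstracted away: any string
# stands in for a signature key and its SHA-256 hash is the key's identity.


def key_hash(signature_key: str) -> str:
    return hashlib.sha256(signature_key.encode()).hexdigest()


def at(day: int) -> datetime:
    """Constructed clock: day N of a fixed reference month, for validity windows."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=day)


@dataclass(frozen=True)
class ACLEntry:
    """ACL entry 620: one signature key plus its granted permissions."""
    key_hash: str
    permissions: frozenset[str]  # allowable actions
    delegate: bool               # Delegate: may the holder pass authority on? (assumed)
    authority: frozenset[str]    # Authority: the actions it may pass on (assumed)
    valid_from: datetime         # Validity: date/time window of the grant (assumed)
    valid_until: datetime

    def is_valid_at(self, when: datetime) -> bool:
        return self.valid_from <= when <= self.valid_until

    def canonical(self) -> bytes:
        return "|".join([self.key_hash, ",".join(sorted(self.permissions)),
                         self.valid_from.isoformat(), self.valid_until.isoformat()]).encode()


class Device:
    def __init__(self, device_secret: bytes) -> None:
        self.secret = device_secret         # MAC key for cached certificates (constructed)
        self.owners: list[str] = []         # Owners 612: key hashes with full permission
        self.acl: dict[str, ACLEntry] = {}  # ACL entries keyed by control point hash
        self.cert_cache: dict[str, tuple[ACLEntry, str]] = {}  # CertificateCache 622

    def take_ownership(self, console_key: str) -> bool:
        """TakeOwnership(): only an unowned device accepts a new owner."""
        if self.owners:
            return False                    # already owned: rejected without processing
        self.owners.append(key_hash(console_key))
        return True

    def delegate_ownership(self, owner_key: str, new_owner_key: str) -> bool:
        if key_hash(owner_key) not in self.owners:
            return False
        self.owners.append(key_hash(new_owner_key))
        return True

    def grant(self, grantor_key: str, cp_key: str, permissions, *, delegate: bool = False,
              authority=(), valid_from: datetime, valid_until: datetime) -> bool:
        """An Owner, or a control point whose entry sets Delegate, creates an ACL
        entry for another control point.  A delegated grant must stay inside the
        grantor's Authority set and Validity window."""
        perms, auth = frozenset(permissions), frozenset(authority)
        if not auth <= perms or valid_until < valid_from:
            return False
        gh = key_hash(grantor_key)
        if gh not in self.owners:
            src = self.acl.get(gh)
            if src is None or not src.delegate or not perms <= src.authority:
                return False
            if valid_from < src.valid_from or valid_until > src.valid_until:
                return False
        self.acl[key_hash(cp_key)] = ACLEntry(key_hash(cp_key), perms, delegate, auth,
                                              valid_from, valid_until)
        return True

    def issue_certificate(self, cp_key: str) -> str | None:
        """Replace a control point's ACL entry by a cached, MACed certificate."""
        entry = self.acl.pop(key_hash(cp_key), None)
        if entry is None:
            return None
        mac = hmac.new(self.secret, entry.canonical(), hashlib.sha256).hexdigest()
        self.cert_cache[entry.key_hash] = (entry, mac)
        return mac

    def check_access(self, key: str, action: str, when: datetime) -> bool:
        """Owners may do anything; others need a valid ACL entry or certificate."""
        h = key_hash(key)
        if h in self.owners:
            return True
        entry = self.acl.get(h)
        if entry is None and h in self.cert_cache:
            entry, mac = self.cert_cache[h]
            expected = hmac.new(self.secret, entry.canonical(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, expected):
                return False
        return entry is not None and entry.is_valid_at(when) and action in entry.permissions
```

Two checks are worth noting for anyone implementing this scheme: a delegated grant is clipped to the grantor's own Authority set and Validity window, so a control point cannot mint rights it does not hold or outlast its own grant; and a certificate pulled from the cache is re-authenticated before use, so a tampered cache entry is simply treated as no entry at all.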
FIG. 7 shows details of the objects and interfaces of security monitor block 314 (see FIG. 3). Security monitor block 314 may include a SecurityNotification Interface 710, a SecurityNotification 712, a callback notification 714, Alert objects 716 and an Alarm 718. SecurityNotification 712 is a subscription point for security-related alarms, maintaining a collection of such alarms and supplying a reporting function on these alarms.
Security Management's monitoring function assumes the existence of an OA&M fault and alarm management system. It provides OA&M notifications of a Security category. Due to the criticality of security notifications, the ability to sequester such alarms is expected. Security Alarms are defined within the client OA&M system and attached to the Security Monitor via a list of Alert objects 716 that track each alarm by ID and Type. The Security Notification interface provides a mechanism to report on the current security subsystem Alarms. Alarms are delivered via a Notify( ) callback which the OA&M Alarm subsystem calls.
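The FIG. 7 arrangement (an OA&M alarm subsystem that calls a Notify( ) callback, a Security Notification that tracks defined alarms through Alert objects keyed by ID and Type, and the expected ability to sequester security alarms) is shown below as an added Python example; it is not the patent's code. The alarm subsystem is a minimal stand-in for the OA&M facility the page assumes to exist, and the alarm IDs, type names and detail strings are constructed. One design choice goes slightly beyond the text: a Security alarm whose ID or Type has no matching Alert is kept in a separate list rather than dropped, so that a misconfigured alarm table cannot silently hide a security event.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Added example, not the patent's code: the FIG. 7 monitoring objects.  An
# OA&M alarm subsystem (assumed to exist, as the page states) raises alarms
# of several categories and delivers Security ones through Notify(); the
# Security Notification keeps Alert objects keyed by alarm ID and Type and
# reports on them.  Alarm IDs, types and details below are constructed.


@dataclass(frozen=True)
class Alarm:
    alarm_id: int
    category: str       # "Security", "Fault", "Performance", ...
    alarm_type: str     # for Security: the event kinds monitor block 314 reports
    detail: str


@dataclass
class Alert:
    """Alert object 716: tracks one defined security alarm by ID and Type."""
    alarm_id: int
    alarm_type: str
    occurrences: list[str] = field(default_factory=list)


class SecurityNotification:
    """SecurityNotification 712: subscription point for security alarms."""

    def __init__(self) -> None:
        self.alerts: dict[int, Alert] = {}
        self.unregistered: list[Alarm] = []   # security alarms with no matching Alert
        self.subscribers: list[Callable[[Alarm], None]] = []

    def define_alert(self, alarm_id: int, alarm_type: str) -> None:
        self.alerts[alarm_id] = Alert(alarm_id, alarm_type)

    def subscribe(self, callback: Callable[[Alarm], None]) -> None:
        self.subscribers.append(callback)

    def notify(self, alarm: Alarm) -> None:
        """Notify() callback: invoked by the OA&M alarm subsystem."""
        alert = self.alerts.get(alarm.alarm_id)
        if alert is None or alert.alarm_type != alarm.alarm_type:
            self.unregistered.append(alarm)   # kept, never silently dropped
        else:
            alert.occurrences.append(alarm.detail)
        for callback in self.subscribers:
            callback(alarm)

    def report(self) -> dict[int, tuple[str, int]]:
        """Current security alarms: ID -> (Type, number of occurrences)."""
        return {i: (a.alarm_type, len(a.occurrences)) for i, a in self.alerts.items()}


class AlarmSubsystem:
    """Minimal OA&M alarm manager.  With sequester=True, Security alarms are
    routed only to the security monitor and kept out of the general alarm log."""

    def __init__(self, monitor: SecurityNotification, sequester: bool = True) -> None:
        self.monitor = monitor
        self.sequester = sequester
        self.general_log: list[Alarm] = []

    def raise_alarm(self, alarm: Alarm) -> None:
        if alarm.category == "Security":
            self.monitor.notify(alarm)
            if self.sequester:
                return
        self.general_log.append(alarm)


def demo() -> tuple[dict[int, tuple[str, int]], int, int, int]:
    """Constructed run: returns (report, unregistered security alarms,
    general log size, deliveries to subscribers)."""
    monitor = SecurityNotification()
    monitor.define_alert(101, "MO_MODIFIED")
    monitor.define_alert(102, "NEW_AUTHORIZATION")
    monitor.define_alert(103, "KEY_USED")
    delivered: list[int] = []
    monitor.subscribe(lambda a: delivered.append(a.alarm_id))
    bus = AlarmSubsystem(monitor, sequester=True)
    bus.raise_alarm(Alarm(101, "Security", "MO_MODIFIED", "SecurityPolicy on Accounting changed"))
    bus.raise_alarm(Alarm(103, "Security", "KEY_USED", "control point cp-ops used key for modify"))
    bus.raise_alarm(Alarm(103, "Security", "KEY_USED", "control point cp-ops used key for query"))
    bus.raise_alarm(Alarm(7, "Fault", "LINK_DOWN", "radio link lost"))
    bus.raise_alarm(Alarm(999, "Security", "UNKNOWN", "no Alert defined for this ID"))
    return monitor.report(), len(monitor.unregistered), len(bus.general_log), len(delivered)
```

Running `demo()` shows the separation the page asks for: the three defined alerts carry their counts, the one security alarm with no Alert definition is retained separately, the general log holds only the Fault alarm, and every security alarm reached the subscriber exactly once.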
By now it should be apparent that a method and architecture have been presented for providing security in a wireless communications device by protecting OA&M managed resources from tampering and their data from disclosure to untrusted parties or unauthorized control operations. The protection provided by the present invention allows trusted users of the resources to be authenticated, provides access control of these resources and provides encryption of data that is, or is potentially, accessible “in the clear”.
Some of the key features of the present invention are an ability to define security for managed resources on a wireless client device at many levels of granularity, from the entire device, to subsystems, to software and hardware components, services and applications, down to individual attributes of the above. Furthermore, it includes mechanisms for the management of the access control and encryption specifications for these managed resources in profiles that can be applied to multiple managed resources at one time. The invention also encompasses the ability to monitor the “health” of the system by tying it to alarm capabilities within the overall OA&M device system.
Due to the relatively constrained environment of handheld devices, the invention allows for these security aspects to be implemented with efficiency in mind, for example, by permitting authentication and encryption granularity. Control of the applied security in the wireless device is provided down to individual attributes on specific managed objects that are a sub-part of a single managed resource. In addition, the present invention supplies mechanisms for efficiently managing the representations of access control and profiles that manage collections of such access control representations.
While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents will now occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.
Claims (21)
1-25. (canceled)
26. A method, comprising:
securing access to managed objects within one or more managed object databases in a wireless device at different levels of granularity; and
setting policies for authentication and encryption for access to the managed objects in the one or more managed object databases.
27. The method of claim 26, wherein the different levels of granularity include applying security policies to each of the one or more managed object databases to which a policy object is associated.
28. The method of claim 26, wherein the different levels of granularity include applying security policies to a specific managed object database.
29. The method of claim 26, wherein the different levels of granularity include applying security policies to specific managed object collections that represent an entire managed resource.
30. The method of claim 26, wherein the different levels of granularity include applying security policies to specific managed object collections that may represent a subset of a managed resource.
31. The method of claim 26, wherein the different levels of granularity include applying security policies to specific managed objects.
32. The method of claim 26, wherein the different levels of granularity include applying security policies to specific attributes of managed objects.
33. The method of claim 26, wherein the security management comprises a layered system for the management of platform resources.
34. The method of claim 33, wherein the platform resources to be managed on the wireless device are instantiated in software as Managed Objects.
35. The method of claim 26, further comprising providing a security policy that allows for an adjustment of authentication and encryption security policies.
36. The method of claim 26, further comprising defining and maintaining configuration data.
37. The method of claim 36, further comprising capturing and delivering platform events at the wireless device.
38. The method of claim 37, wherein a platform event comprises an instantaneous change to a managed object.
39. The method of claim 36, further comprising an account management module to record billing information and to communicate session detail records at the wireless device.
40. An article of manufacture comprising a machine-readable medium including data that, when accessed by a processor, cause the processor to perform operations comprising:
securing access to managed objects within one or more managed object databases in a wireless device at different levels of granularity; and
setting policies for authentication and encryption for access to the managed objects in the one or more managed object databases.
41. The article of manufacture of claim 40, wherein the different levels of granularity include applying security policies to each of the one or more managed object databases to which a policy object is associated.
42. The article of manufacture of claim 40, wherein the different levels of granularity include applying security policies to a specific managed object database.
43. The article of manufacture of claim 40, wherein the different levels of granularity include applying security policies to specific managed object collections that represent an entire managed resource.
44. The article of manufacture of claim 40, wherein the different levels of granularity include applying security policies to specific managed object collections that may represent a subset of a managed resource.
45. The article of manufacture of claim 40, wherein the different levels of granularity include applying security policies to specific managed objects.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/962,131 US20130326581A1 (en) | 2003-12-18 | 2013-08-08 | Client Side Security Management for an Operations, Administrations and Maintenance System for Wireless Clients |
US15/630,802 US10313355B2 (en) | 2003-12-18 | 2017-06-22 | Client side security management for an operations, administration and maintenance system for wireless clients |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/742,225 US7434256B2 (en) | 2003-12-18 | 2003-12-18 | Security management for wireless clients |
US12/218,721 US7950054B2 (en) | 2003-12-18 | 2008-07-15 | Client-side security management for an operations, administration, and maintenance system for wireless clients |
US13/042,689 US8533810B2 (en) | 2003-12-18 | 2011-03-08 | Client-side security management for an operations, administration, and maintenance system for wireless clients |
US13/962,131 US20130326581A1 (en) | 2003-12-18 | 2013-08-08 | Client Side Security Management for an Operations, Administrations and Maintenance System for Wireless Clients |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/042,689 Continuation US8533810B2 (en) | 2003-12-18 | 2011-03-08 | Client-side security management for an operations, administration, and maintenance system for wireless clients |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/630,802 Continuation US10313355B2 (en) | 2003-12-18 | 2017-06-22 | Client side security management for an operations, administration and maintenance system for wireless clients |
Publications (1)
Publication Number | Publication Date |
---|---|
US20130326581A1 true US20130326581A1 (en) | 2013-12-05 |
Family
ID=34678397
Family Applications (6)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/742,225 Active 2025-11-29 US7434256B2 (en) | 2003-12-18 | 2003-12-18 | Security management for wireless clients |
US11/026,608 Abandoned US20050138169A1 (en) | 2003-12-18 | 2004-12-30 | Management of workspace devices |
US12/218,721 Active 2025-01-12 US7950054B2 (en) | 2003-12-18 | 2008-07-15 | Client-side security management for an operations, administration, and maintenance system for wireless clients |
US13/042,689 Active 2024-07-02 US8533810B2 (en) | 2003-12-18 | 2011-03-08 | Client-side security management for an operations, administration, and maintenance system for wireless clients |
US13/962,131 Abandoned US20130326581A1 (en) | 2003-12-18 | 2013-08-08 | Client Side Security Management for an Operations, Administrations and Maintenance System for Wireless Clients |
US15/630,802 Expired - Fee Related US10313355B2 (en) | 2003-12-18 | 2017-06-22 | Client side security management for an operations, administration and maintenance system for wireless clients |
Family Applications Before (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/742,225 Active 2025-11-29 US7434256B2 (en) | 2003-12-18 | 2003-12-18 | Security management for wireless clients |
US11/026,608 Abandoned US20050138169A1 (en) | 2003-12-18 | 2004-12-30 | Management of workspace devices |
US12/218,721 Active 2025-01-12 US7950054B2 (en) | 2003-12-18 | 2008-07-15 | Client-side security management for an operations, administration, and maintenance system for wireless clients |
US13/042,689 Active 2024-07-02 US8533810B2 (en) | 2003-12-18 | 2011-03-08 | Client-side security management for an operations, administration, and maintenance system for wireless clients |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/630,802 Expired - Fee Related US10313355B2 (en) | 2003-12-18 | 2017-06-22 | Client side security management for an operations, administration and maintenance system for wireless clients |
Country Status (4)
Country | Link |
---|---|
US (6) | US7434256B2 (en) |
EP (1) | EP1695245A1 (en) |
CN (1) | CN100449540C (en) |
WO (1) | WO2005064496A1 (en) |
Families Citing this family (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7506020B2 (en) | 1996-11-29 | 2009-03-17 | Frampton E Ellis | Global network computers |
US7926097B2 (en) | 1996-11-29 | 2011-04-12 | Ellis Iii Frampton E | Computer or microchip protected from the internet by internal hardware |
US20050180095A1 (en) | 1996-11-29 | 2005-08-18 | Ellis Frampton E. | Global network computers |
US7805756B2 (en) | 1996-11-29 | 2010-09-28 | Frampton E Ellis | Microchips with inner firewalls, faraday cages, and/or photovoltaic cells |
US8225003B2 (en) | 1996-11-29 | 2012-07-17 | Ellis Iii Frampton E | Computers and microchips with a portion protected by an internal hardware firewall |
US6725250B1 (en) * | 1996-11-29 | 2004-04-20 | Ellis, Iii Frampton E. | Global network computers |
US6167428A (en) | 1996-11-29 | 2000-12-26 | Ellis; Frampton E. | Personal computer microprocessor firewalls for internet distributed processing |
US9032192B2 (en) * | 2004-10-28 | 2015-05-12 | Broadcom Corporation | Method and system for policy based authentication |
KR100629448B1 (en) | 2005-06-01 | 2006-09-27 | 에스케이 텔레콤주식회사 | System for managing security data for use in wireless internet platform |
US20080155641A1 (en) * | 2006-12-20 | 2008-06-26 | International Business Machines Corporation | Method and system managing a database system using a policy framework |
US7900248B2 (en) * | 2007-05-31 | 2011-03-01 | Microsoft Corporation | Access control negation using negative groups |
US20080307486A1 (en) * | 2007-06-11 | 2008-12-11 | Microsoft Corporation | Entity based access management |
US8468579B2 (en) * | 2007-06-15 | 2013-06-18 | Microsoft Corporation | Transformation of sequential access control lists utilizing certificates |
US8627470B2 (en) * | 2007-11-13 | 2014-01-07 | Cisco Technology, Inc. | System and method for wireless network and physical system integration |
US8125796B2 (en) | 2007-11-21 | 2012-02-28 | Frampton E. Ellis | Devices with faraday cages and internal flexibility sipes |
CN101764798B (en) * | 2009-07-01 | 2012-10-24 | 北京华胜天成科技股份有限公司 | Safety management system and method based on client terminal |
US8255986B2 (en) | 2010-01-26 | 2012-08-28 | Frampton E. Ellis | Methods of securely controlling through one or more separate private networks an internet-connected computer having one or more hardware-based inner firewalls or access barriers |
US8429735B2 (en) | 2010-01-26 | 2013-04-23 | Frampton E. Ellis | Method of using one or more secure private networks to actively configure the hardware of a computer or microchip |
CN102244660B (en) * | 2011-07-12 | 2012-12-12 | 北京航空航天大学 | Encryption method for realizing support of FGAC (Fine Grained Access Control) |
CN102404706B (en) * | 2011-11-24 | 2014-08-13 | 中兴通讯股份有限公司 | Method for managing tariff safety and mobile terminal |
US20140137190A1 (en) * | 2012-11-09 | 2014-05-15 | Rapid7, Inc. | Methods and systems for passively detecting security levels in client devices |
JP6061633B2 (en) * | 2012-11-14 | 2017-01-18 | キヤノン株式会社 | Device apparatus, control method, and program thereof. |
DE102013226036A1 (en) * | 2013-11-05 | 2015-05-07 | Robert Bosch Gmbh | An end cap |
US9722703B2 (en) * | 2014-03-21 | 2017-08-01 | Commscope Technologies Llc | Digital distributed antenna systems and methods for advanced cellular communication protocols |
US10440537B1 (en) | 2018-12-11 | 2019-10-08 | Vmware, Inc. | Defining automations for enrolled user devices |
US11388239B2 (en) | 2019-06-10 | 2022-07-12 | Vmware, Inc. | Previewing impacted entities in automated device definitions |
Citations (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5577209A (en) * | 1991-07-11 | 1996-11-19 | Itt Corporation | Apparatus and method for providing multi-level security for communication among computers and terminals on a network |
US5584023A (en) * | 1993-12-27 | 1996-12-10 | Hsu; Mike S. C. | Computer system including a transparent and secure file transform mechanism |
US5864667A (en) * | 1995-04-05 | 1999-01-26 | Diversinet Corp. | Method for safe communications |
US5963642A (en) * | 1996-12-30 | 1999-10-05 | Goldstein; Benjamin D. | Method and apparatus for secure storage of data |
US6029247A (en) * | 1996-12-09 | 2000-02-22 | Novell, Inc. | Method and apparatus for transmitting secured data |
US6317490B1 (en) * | 1997-12-30 | 2001-11-13 | Nortel Networks Limited | Method and apparatus for real-time billing account query |
US20020010679A1 (en) * | 2000-07-06 | 2002-01-24 | Felsher David Paul | Information record infrastructure, system and method |
US20020078361A1 (en) * | 2000-12-15 | 2002-06-20 | David Giroux | Information security architecture for encrypting documents for remote access while maintaining access control |
US20020099944A1 (en) * | 2001-01-19 | 2002-07-25 | Bowlin Bradley Allen | Method and apparatus which enable a computer user to prevent unauthorized access to files stored on a computer |
US20020138828A1 (en) * | 2001-03-20 | 2002-09-26 | Robohm Kurt W. | Systems and methods for interfacing with a billing and account management unit |
US20020183030A1 (en) * | 2001-03-30 | 2002-12-05 | Morten Damgaard | Frequency plan |
US20020198892A1 (en) * | 2001-03-21 | 2002-12-26 | William Rychel | Method and system for point of purchase sign creation and delivery |
US20030033349A1 (en) * | 2001-07-30 | 2003-02-13 | International Business Machines Corporation | Method and apparatus for data transfer across a network |
US20030051039A1 (en) * | 2001-09-05 | 2003-03-13 | International Business Machines Corporation | Apparatus and method for awarding a user for accessing content based on access rights information |
US20030105950A1 (en) * | 2001-11-27 | 2003-06-05 | Fujitsu Limited | Document distribution method and document management method |
US20030110131A1 (en) * | 2001-12-12 | 2003-06-12 | Secretseal Inc. | Method and architecture for providing pervasive security to digital assets |
US20030110397A1 (en) * | 2001-12-12 | 2003-06-12 | Pervasive Security Systems, Inc. | Guaranteed delivery of changes to security policies in a distributed system |
US20030110169A1 (en) * | 2001-12-12 | 2003-06-12 | Secretseal Inc. | System and method for providing manageability to security information for secured items |
US20030115150A1 (en) * | 2001-11-21 | 2003-06-19 | Dave Hamilton | System and method of secure electronic commerce transactions including tracking and recording the distribution and usage of assets |
US20030112977A1 (en) * | 2001-12-18 | 2003-06-19 | Dipankar Ray | Communicating data securely within a mobile communications network |
US20030135754A1 (en) * | 2002-01-11 | 2003-07-17 | Chaucer Chiu | Database expanding system and method |
US20030154413A1 (en) * | 2002-02-05 | 2003-08-14 | Canon Kabushiki Kaisha | Information processing device, information processing system, authentication method, storage medium and program |
US20030154381A1 (en) * | 2002-02-12 | 2003-08-14 | Pervasive Security Systems, Inc. | Managing file access via a designated place |
US20030236788A1 (en) * | 2002-06-03 | 2003-12-25 | Nick Kanellos | Life-cycle management engine |
US20040015701A1 (en) * | 2002-07-16 | 2004-01-22 | Flyntz Terence T. | Multi-level and multi-category data labeling system |
US20040030768A1 (en) * | 1999-05-25 | 2004-02-12 | Suban Krishnamoorthy | Unified system and method for downloading code to heterogeneous devices in distributed storage area networks |
US20040036623A1 (en) * | 2000-10-11 | 2004-02-26 | Chung Kevin Kwong-Tai | Tracking system and method employing plural smart tags |
US20040083286A1 (en) * | 1996-07-30 | 2004-04-29 | Micron Technology, Inc. | Mixed enclave operation in a computer network |
US6754820B1 (en) * | 2001-01-30 | 2004-06-22 | Tecsec, Inc. | Multiple level access system |
US6789195B1 (en) * | 1999-06-07 | 2004-09-07 | Siemens Aktiengesellschaft | Secure data processing method |
US20040221174A1 (en) * | 2003-04-29 | 2004-11-04 | Eric Le Saint | Uniform modular framework for a host computer system |
US20040243816A1 (en) * | 2003-05-30 | 2004-12-02 | International Business Machines Corporation | Querying encrypted data in a relational database system |
US6834341B1 (en) * | 2000-02-22 | 2004-12-21 | Microsoft Corporation | Authentication methods and systems for accessing networks, authentication methods and systems for accessing the internet |
US20040268146A1 (en) * | 2003-06-25 | 2004-12-30 | Microsoft Corporation | Distributed expression-based access control |
US6845448B1 (en) * | 2000-01-07 | 2005-01-18 | Pennar Software Corporation | Online repository for personal information |
US6889321B1 (en) * | 1999-12-30 | 2005-05-03 | At&T Corp. | Protected IP telephony calls using encryption |
US6976017B1 (en) * | 2001-02-27 | 2005-12-13 | Verizon Data Services Inc. | Method and apparatus for context based querying |
US7120927B1 (en) * | 1999-06-09 | 2006-10-10 | Siemens Communications, Inc. | System and method for e-mail alias registration |
US7167855B1 (en) * | 1999-10-15 | 2007-01-23 | Richard Koenig | Internet-based matching service for expert consultants and customers with matching of qualifications and times of availability |
US7231517B1 (en) * | 2000-03-03 | 2007-06-12 | Novell, Inc. | Apparatus and method for automatically authenticating a network client |
US7308703B2 (en) * | 2002-12-18 | 2007-12-11 | Novell, Inc. | Protection of data accessible by a mobile device |
US7380120B1 (en) * | 2001-12-12 | 2008-05-27 | Guardian Data Storage, Llc | Secured data format for access control |
US7395423B1 (en) * | 2003-08-25 | 2008-07-01 | Nortel Networks Limited | Security association storage and recovery in group key management |
US7512810B1 (en) * | 2002-09-11 | 2009-03-31 | Guardian Data Storage Llc | Method and system for protecting encrypted files transmitted over a network |
US7730543B1 (en) * | 2003-06-30 | 2010-06-01 | Satyajit Nath | Method and system for enabling users of a group shared across multiple file security systems to access secured files |
US7921284B1 (en) * | 2001-12-12 | 2011-04-05 | Gary Mark Kinghorn | Method and system for protecting electronic data in enterprise environment |
US7921450B1 (en) * | 2001-12-12 | 2011-04-05 | Klimenty Vainstein | Security system using indirect key generation from access rules and methods therefor |
Family Cites Families (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4584639A (en) * | 1983-12-23 | 1986-04-22 | Key Logic, Inc. | Computer security system |
US5265221A (en) * | 1989-03-20 | 1993-11-23 | Tandem Computers | Access restriction facility method and apparatus |
DE69031191T2 (en) | 1989-05-15 | 1998-02-12 | Ibm | System for controlling access privileges |
US5414844A (en) * | 1990-05-24 | 1995-05-09 | International Business Machines Corporation | Method and system for controlling public access to a plurality of data objects within a data processing system |
US5224163A (en) * | 1990-09-28 | 1993-06-29 | Digital Equipment Corporation | Method for delegating authorization from one entity to another through the use of session encryption keys |
US5649099A (en) * | 1993-06-04 | 1997-07-15 | Xerox Corporation | Method for delegating access rights through executable access control program without delegating access rights not in a specification to any intermediary nor comprising server security |
US7327688B2 (en) * | 1994-01-21 | 2008-02-05 | Alcatel Canada Inc. | Digital communications system |
US5948094A (en) * | 1995-09-29 | 1999-09-07 | Intel Corporation | Method and apparatus for executing multiple transactions within a single arbitration cycle |
US6112085A (en) * | 1995-11-30 | 2000-08-29 | Amsc Subsidiary Corporation | Virtual network configuration and management system for satellite communication system |
US5875327A (en) * | 1997-02-18 | 1999-02-23 | International Business Machines Corporation | Hierarchy of preferences and preference groups |
US6408336B1 (en) * | 1997-03-10 | 2002-06-18 | David S. Schneider | Distributed administration of access to information |
US6023467A (en) * | 1997-05-08 | 2000-02-08 | Ericsson, Inc. | Operations and maintenance data flows over a point to multipoint broadband access network |
US6618366B1 (en) * | 1997-12-05 | 2003-09-09 | The Distribution Systems Research Institute | Integrated information communication system |
US6192361B1 (en) * | 1997-12-23 | 2001-02-20 | Alcatel Usa Sourcing, L.P. | Full group privileges access system providing user access security protection for a telecommunications switching system |
US6427071B1 (en) * | 1998-12-08 | 2002-07-30 | At&T Wireless Services, Inc. | Apparatus and method for providing transporting for a control signal |
US6317584B1 (en) * | 1998-12-21 | 2001-11-13 | Nortel Networks Limited | Controlling communication in wireless and satellite networks |
US6782412B2 (en) * | 1999-08-24 | 2004-08-24 | Verizon Laboratories Inc. | Systems and methods for providing unified multimedia communication services |
US20040088560A1 (en) * | 2000-04-20 | 2004-05-06 | Danks David Hilton | Secure system access |
US7237114B1 (en) * | 2000-04-26 | 2007-06-26 | Pronvest, Inc. | Method and system for signing and authenticating electronic documents |
US7266595B1 (en) * | 2000-05-20 | 2007-09-04 | Ciena Corporation | Accessing network device data through user profiles |
SE520489C2 (en) * | 2001-03-16 | 2003-07-15 | Smarttrust Systems Oy | Procedure and arrangement in a database |
US7114178B2 (en) * | 2001-05-22 | 2006-09-26 | Ericsson Inc. | Security system |
US7065783B2 (en) * | 2001-07-06 | 2006-06-20 | Aramira Corporation | Mobile application access control list security system |
AU2002343424A1 (en) * | 2001-09-28 | 2003-04-14 | Bluesocket, Inc. | Method and system for managing data traffic in wireless networks |
US7681034B1 (en) * | 2001-12-12 | 2010-03-16 | Chang-Ping Lee | Method and apparatus for securing electronic data |
US9087319B2 (en) * | 2002-03-11 | 2015-07-21 | Oracle America, Inc. | System and method for designing, developing and implementing internet service provider architectures |
US20070169073A1 (en) * | 2002-04-12 | 2007-07-19 | O'neill Patrick | Update package generation and distribution network |
GB0212314D0 (en) * | 2002-05-28 | 2002-07-10 | Symbian Ltd | Secure mobile wireless device |
US7206851B2 (en) * | 2002-07-11 | 2007-04-17 | Oracle International Corporation | Identifying dynamic groups |
US7526800B2 (en) * | 2003-02-28 | 2009-04-28 | Novell, Inc. | Administration of protection of data accessible by a mobile device |
ATE346447T1 (en) * | 2003-02-28 | 2006-12-15 | Research In Motion Ltd | SYSTEM AND METHOD FOR PROTECTING DATA IN A COMMUNICATIONS DEVICE |
CA2464430A1 (en) * | 2003-04-16 | 2004-10-16 | Wms Gaming Inc. | Layered security methods and apparatus in a gaming system environment |
US7827595B2 (en) * | 2003-08-28 | 2010-11-02 | Microsoft Corporation | Delegated administration of a hosted resource |
US7472422B1 (en) * | 2003-09-10 | 2008-12-30 | Symantec Corporation | Security management system including feedback and control |
US20050079859A1 (en) * | 2003-10-14 | 2005-04-14 | Eakin William Joseph | System and method for remotely accessing a private database |
US7565696B1 (en) * | 2003-12-10 | 2009-07-21 | Arcsight, Inc. | Synchronizing network security devices within a network security system |
- 2003
  - 2003-12-18 US US10/742,225 patent/US7434256B2/en active Active
- 2004
  - 2004-12-01 EP EP04812726A patent/EP1695245A1/en not_active Ceased
  - 2004-12-01 CN CNB2004800368516A patent/CN100449540C/en not_active Expired - Fee Related
  - 2004-12-01 WO PCT/US2004/040278 patent/WO2005064496A1/en not_active Application Discontinuation
  - 2004-12-30 US US11/026,608 patent/US20050138169A1/en not_active Abandoned
- 2008
  - 2008-07-15 US US12/218,721 patent/US7950054B2/en active Active
- 2011
  - 2011-03-08 US US13/042,689 patent/US8533810B2/en active Active
- 2013
  - 2013-08-08 US US13/962,131 patent/US20130326581A1/en not_active Abandoned
- 2017
  - 2017-06-22 US US15/630,802 patent/US10313355B2/en not_active Expired - Fee Related
Patent Citations (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5577209A (en) * | 1991-07-11 | 1996-11-19 | Itt Corporation | Apparatus and method for providing multi-level security for communication among computers and terminals on a network |
US5584023A (en) * | 1993-12-27 | 1996-12-10 | Hsu; Mike S. C. | Computer system including a transparent and secure file transform mechanism |
US5864667A (en) * | 1995-04-05 | 1999-01-26 | Diversinet Corp. | Method for safe communications |
US20040083286A1 (en) * | 1996-07-30 | 2004-04-29 | Micron Technology, Inc. | Mixed enclave operation in a computer network |
US6029247A (en) * | 1996-12-09 | 2000-02-22 | Novell, Inc. | Method and apparatus for transmitting secured data |
US5963642A (en) * | 1996-12-30 | 1999-10-05 | Goldstein; Benjamin D. | Method and apparatus for secure storage of data |
US6317490B1 (en) * | 1997-12-30 | 2001-11-13 | Nortel Networks Limited | Method and apparatus for real-time billing account query |
US20040030768A1 (en) * | 1999-05-25 | 2004-02-12 | Suban Krishnamoorthy | Unified system and method for downloading code to heterogeneous devices in distributed storage area networks |
US6789195B1 (en) * | 1999-06-07 | 2004-09-07 | Siemens Aktiengesellschaft | Secure data processing method |
US7120927B1 (en) * | 1999-06-09 | 2006-10-10 | Siemens Communications, Inc. | System and method for e-mail alias registration |
US7167855B1 (en) * | 1999-10-15 | 2007-01-23 | Richard Koenig | Internet-based matching service for expert consultants and customers with matching of qualifications and times of availability |
US6889321B1 (en) * | 1999-12-30 | 2005-05-03 | At&T Corp. | Protected IP telephony calls using encryption |
US6845448B1 (en) * | 2000-01-07 | 2005-01-18 | Pennar Software Corporation | Online repository for personal information |
US6834341B1 (en) * | 2000-02-22 | 2004-12-21 | Microsoft Corporation | Authentication methods and systems for accessing networks, authentication methods and systems for accessing the internet |
US7231517B1 (en) * | 2000-03-03 | 2007-06-12 | Novell, Inc. | Apparatus and method for automatically authenticating a network client |
US20020010679A1 (en) * | 2000-07-06 | 2002-01-24 | Felsher David Paul | Information record infrastructure, system and method |
US20040036623A1 (en) * | 2000-10-11 | 2004-02-26 | Chung Kevin Kwong-Tai | Tracking system and method employing plural smart tags |
US20020078361A1 (en) * | 2000-12-15 | 2002-06-20 | David Giroux | Information security architecture for encrypting documents for remote access while maintaining access control |
US20020099944A1 (en) * | 2001-01-19 | 2002-07-25 | Bowlin Bradley Allen | Method and apparatus which enable a computer user to prevent unauthorized access to files stored on a computer |
US6754820B1 (en) * | 2001-01-30 | 2004-06-22 | Tecsec, Inc. | Multiple level access system |
US6976017B1 (en) * | 2001-02-27 | 2005-12-13 | Verizon Data Services Inc. | Method and apparatus for context based querying |
US20020138828A1 (en) * | 2001-03-20 | 2002-09-26 | Robohm Kurt W. | Systems and methods for interfacing with a billing and account management unit |
US20020198892A1 (en) * | 2001-03-21 | 2002-12-26 | William Rychel | Method and system for point of purchase sign creation and delivery |
US20020183030A1 (en) * | 2001-03-30 | 2002-12-05 | Morten Damgaard | Frequency plan |
US20030033349A1 (en) * | 2001-07-30 | 2003-02-13 | International Business Machines Corporation | Method and apparatus for data transfer across a network |
US20030051039A1 (en) * | 2001-09-05 | 2003-03-13 | International Business Machines Corporation | Apparatus and method for awarding a user for accessing content based on access rights information |
US20030115150A1 (en) * | 2001-11-21 | 2003-06-19 | Dave Hamilton | System and method of secure electronic commerce transactions including tracking and recording the distribution and usage of assets |
US20030105950A1 (en) * | 2001-11-27 | 2003-06-05 | Fujitsu Limited | Document distribution method and document management method |
US20030110131A1 (en) * | 2001-12-12 | 2003-06-12 | Secretseal Inc. | Method and architecture for providing pervasive security to digital assets |
US20030110397A1 (en) * | 2001-12-12 | 2003-06-12 | Pervasive Security Systems, Inc. | Guaranteed delivery of changes to security policies in a distributed system |
US7380120B1 (en) * | 2001-12-12 | 2008-05-27 | Guardian Data Storage, Llc | Secured data format for access control |
US20030110169A1 (en) * | 2001-12-12 | 2003-06-12 | Secretseal Inc. | System and method for providing manageability to security information for secured items |
US7921284B1 (en) * | 2001-12-12 | 2011-04-05 | Gary Mark Kinghorn | Method and system for protecting electronic data in enterprise environment |
US7921450B1 (en) * | 2001-12-12 | 2011-04-05 | Klimenty Vainstein | Security system using indirect key generation from access rules and methods therefor |
US20030112977A1 (en) * | 2001-12-18 | 2003-06-19 | Dipankar Ray | Communicating data securely within a mobile communications network |
US20030135754A1 (en) * | 2002-01-11 | 2003-07-17 | Chaucer Chiu | Database expanding system and method |
US20030154413A1 (en) * | 2002-02-05 | 2003-08-14 | Canon Kabushiki Kaisha | Information processing device, information processing system, authentication method, storage medium and program |
US20030154381A1 (en) * | 2002-02-12 | 2003-08-14 | Pervasive Security Systems, Inc. | Managing file access via a designated place |
US20030236788A1 (en) * | 2002-06-03 | 2003-12-25 | Nick Kanellos | Life-cycle management engine |
US20040015701A1 (en) * | 2002-07-16 | 2004-01-22 | Flyntz Terence T. | Multi-level and multi-category data labeling system |
US7512810B1 (en) * | 2002-09-11 | 2009-03-31 | Guardian Data Storage Llc | Method and system for protecting encrypted files transmitted over a network |
US7308703B2 (en) * | 2002-12-18 | 2007-12-11 | Novell, Inc. | Protection of data accessible by a mobile device |
US20040221174A1 (en) * | 2003-04-29 | 2004-11-04 | Eric Le Saint | Uniform modular framework for a host computer system |
US20040243816A1 (en) * | 2003-05-30 | 2004-12-02 | International Business Machines Corporation | Querying encrypted data in a relational database system |
US20040268146A1 (en) * | 2003-06-25 | 2004-12-30 | Microsoft Corporation | Distributed expression-based access control |
US7730543B1 (en) * | 2003-06-30 | 2010-06-01 | Satyajit Nath | Method and system for enabling users of a group shared across multiple file security systems to access secured files |
US7395423B1 (en) * | 2003-08-25 | 2008-07-01 | Nortel Networks Limited | Security association storage and recovery in group key management |
Also Published As
Publication number | Publication date |
---|---|
CN100449540C (en) | 2009-01-07 |
US10313355B2 (en) | 2019-06-04 |
US7950054B2 (en) | 2011-05-24 |
EP1695245A1 (en) | 2006-08-30 |
US20050135623A1 (en) | 2005-06-23 |
WO2005064496A1 (en) | 2005-07-14 |
US20180020352A1 (en) | 2018-01-18 |
CN1890667A (en) | 2007-01-03 |
US8533810B2 (en) | 2013-09-10 |
US7434256B2 (en) | 2008-10-07 |
US20050138169A1 (en) | 2005-06-23 |
US20110179464A1 (en) | 2011-07-21 |
US20100024027A1 (en) | 2010-01-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10313355B2 (en) | | Client side security management for an operations, administration and maintenance system for wireless clients |
US11489879B2 (en) | | Method and apparatus for centralized policy programming and distributive policy enforcement |
US8935398B2 (en) | | Access control in client-server systems |
US9049195B2 (en) | | Cross-domain security for data vault |
CN103413083B (en) | | Unit security protection system |
US7814075B2 (en) | | Dynamic auditing |
US7814076B2 (en) | | Data vault |
US20060248083A1 (en) | | Mandatory access control base |
US11212285B2 (en) | | Access control system and method |
US20220255947A1 (en) | | Gradual Credential Disablement |
CN103069767B (en) | | Consigning authentication method |
CN116089970A (en) | | Power distribution operation and maintenance user dynamic access control system and method based on identity management |
KR20200071811A (en) | | Security Service system based on cloud |
CN112769784A (en) | | Text processing method and device, computer readable storage medium and processor |
Olsson et al. | | 5G zero trust–A Zero-Trust Architecture for Telecom |
Sodiya et al. | | AN ADAPTIVE HIERARCHICAL ACCESS CONTROL ARCHITECTURE FOR ENTERPRISE NETWORK USING COMPLIANCE VARIANCE |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |