
Methodology and Procedure for Secure Granular Authorization and Audit Implementation in Distributed Enterprise Computing Environment

IP.com Disclosure Number: IPCOM000237293D
Publication Date: 2014-Jun-11

Publishing Venue

The IP.com Prior Art Database

Abstract

A system and method for secure granular authorization and audit implementation in a distributed enterprise computing environment is disclosed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 13% of the total text.

Disclosed is a system and method for secure granular authorization and audit implementation in a distributed enterprise computing environment.

Implementing an effective security policy in a distributed computing environment has proven to be a difficult challenge. Often the computer systems are heterogeneous and loosely federated, which means that a centralized security administrative function may not be feasible from an organizational standpoint. Nevertheless, there must be a guarantee that all command requests which flow through the environment (1) carry the originating user's identity, (2) are tamper-proof, (3) permit authorization checking at the endpoint where the command will execute, and (4) leave an audit trail.

Ideally, a distributed network security solution should ensure that only an authorized user, acting in one or more defined security roles, can perform a known operation on a system entity at an enterprise resource.

An enterprise security policy defines security roles, such as System Administrator, Database Administrator, Network Operator, and so on, as a method of indirectly grouping security responsibility and authority. An end user identity is assigned one or more security roles so that members of those roles can perform authorized tasks.

A user is authenticated upon log-in entry to the distributed enterprise computing system:

A. User creates a transaction work request within the scope of his/her assigned security role. The transaction's execution permissions encapsulate the user identity, targeted enterprise resource, specific operation, and target system identifier into a security capsule.

B. The security capsule travels through the network with the work request, transported securely through the enterprise distributed computing infrastructure to the targeted system endpoint.

C. The targeted system independently authenticates the security capsule, validates authorization contents, and carries out the transaction work request, limiting what can be done to the permission contexts of the originating user.

D. The transaction work request creates audit trail records, starting from the source system that instrumented the request. Audit trail records are created at each hop in the traversal through the distributed enterprise infrastructure, and at the target system where the request is allowed or denied. The audit trail includes the author's identity and execution results, which can be readily identified anywhere in the distributed enterprise environment.
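The capsule flow in steps A through D, as an added illustration that is not part of the disclosure: the Identity Manager signs a capsule carrying identity, roles, resource, operation and target; every hop appends an audit record naming the originating user; the target endpoint independently checks integrity, target binding and role authorization before acting. The HMAC key, the role policy and the hop names are constructed assumptions (a real deployment might use asymmetric signatures so endpoints hold no signing secret).

```python
"""Security-capsule demo: signed authorization capsule, endpoint checks, per-hop audit trail."""
import hashlib
import hmac
import json

# Constructed key shared between the Identity Manager and the endpoints (assumption:
# a symmetric HMAC key; asymmetric signatures would avoid distributing a signing secret).
IM_KEY = b"constructed-demo-key"

# Constructed role policy: role -> set of (resource, operation) pairs the role may perform.
POLICY = {
    "DatabaseAdministrator": {("payroll-db", "backup"), ("payroll-db", "restore")},
    "NetworkOperator": {("core-router-1", "reboot")},
}

FIELDS = ("user", "roles", "resource", "operation", "target")


def _digest(capsule, key):
    # Canonical JSON over the authorization fields so the signature does not depend on dict order.
    payload = json.dumps({f: capsule[f] for f in FIELDS}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_capsule(user, roles, resource, operation, target, key=IM_KEY):
    """Step A: encapsulate identity, roles, resource, operation and target, then sign."""
    capsule = {"user": user, "roles": sorted(roles), "resource": resource,
               "operation": operation, "target": target}
    capsule["sig"] = _digest(capsule, key)
    return capsule


def record_hop(audit, hop_id, capsule, result):
    """Steps B and D: every hop appends an audit record that names the originating user."""
    audit.append({"hop": hop_id, "user": capsule["user"], "operation": capsule["operation"],
                  "resource": capsule["resource"], "result": result})


def execute_at_target(system_id, capsule, audit, key=IM_KEY, policy=POLICY):
    """Step C: the endpoint independently verifies the capsule, then authorizes by role."""
    if not hmac.compare_digest(capsule.get("sig", ""), _digest(capsule, key)):
        result = "denied:tampered"          # payload changed in transit or signature missing
    elif capsule["target"] != system_id:
        result = "denied:wrong-target"      # capsule replayed against another system
    elif not any((capsule["resource"], capsule["operation"]) in policy.get(r, set())
                 for r in capsule["roles"]):
        result = "denied:unauthorized"      # valid capsule, but no role permits this action
    else:
        result = "allowed"
    record_hop(audit, system_id, capsule, result)  # allow and deny decisions are both audited
    return result
```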

A transaction is only allowed to execute if it came from an authenticated and authorized user. The security instrumentation made available by the Identity Manager (IM) component creates security capsule encoding of user identity and transaction authorization permission data. The distributed enterprise environment securely transports the transacti...