CA2395494A1 - Virtual resource attribute directory - Google Patents

Info

Publication number
CA2395494A1
Authority
CA
Canada
Prior art keywords
file system
attributes
stored
entity
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
CA002395494A
Other languages
French (fr)
Inventor
Eugen Bacic
Tony White
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
TEXAR SOFTWARE CORP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by TEXAR SOFTWARE CORP

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Computer data is stored in a real file system. Attributes pertaining to the files in the real file system are stored at corresponding locations in the virtual file system, thereby decoupling the storage of attribute information from the data. Typically the file attributes relate to security information.

Description

WO 01/48634 CA 02395494 2002-06-25 PCT/CA00/01568
Virtual Resource Attribute Directory
Field of the Invention
This invention relates to computer security, and in particular a method of controlling access to files in a computer system.
Background of the Invention
Computer operating systems, such as Unix, MS DOS and Windows, typically organize files in a tree structure. These files are given attributes, which are stored along with the files in the directory structure. Such attributes can include security controls determining who is permitted to access the files.
The tight binding of security attributes with the information that they secure found in traditional operating systems leads to a restrictive and inflexible security policy implementation that varies from operating system to operating system. As a result, especially in networks running multiple operating systems, this inflexibility makes it difficult to permit central administration of security policy within a system.
Summary of the Invention
According to the present invention there is provided a method of controlling access to computer data, comprising the steps of:
creating a real file system in a computer for storing said data;
creating a virtual file system that mirrors said real file system but lacks the stored data; and
storing attributes pertaining to the files in said file system at corresponding locations in said virtual file system.
Typically the attributes contain security information determining who is permitted access to the files. The virtual file system is known as a virtual resource attribute directory.
The essence of the invention is that it abstracts security away from the simple, fixed attributes that are available within particular operating systems. The invention ensures that enterprise security policies are defined outside of the operating system, are administered centrally and applied to a single type of structure, the entity. This uniformity ensures policy coherence within an enterprise.

In another aspect the invention provides a virtual resource attribute directory comprising a shadow directory structure mirroring a real file structure and storing attributes of files in said real file structure without the associated data.
The Virtual Resource Attribute Directory (VRAD) defines the structure of the virtualized elements of the information being protected. The principal function of the VRAD is to mediate access to information elements. The VRAD provides a mechanism to ensure that the security attributes required for proper functioning of a security system exist and are accessible. The VRAD is unique for a variety of reasons:
  • Non-intrusive to the virtualized system
  • Full mapping of extant security controls to security attributes
  • Additional security attributes per entity protected for fully realizable security policies
  • Portable, non-system dependent
  • Extensible and user configurable
  • Easily manipulatable
The Virtual Resource Attribute Directory manages the security of information elements stored within it. The VRAD is thus a shadow of the real file system. For example, if the file system is a UNIX file system, then the VRAD would be a virtualization of the UNIX file system. At no point are the actual files modified in any way. No information is stored on the virtualized system other than that associated with the operational agents. There is a clear separation of security and information in a VRAD-managed system. The importance of the security features built into the operating system is significantly diminished.
Brief Description of the Drawings
The invention will now be described in more detail, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is an example showing linked security servers; and
Figure 2 is an example showing cross linking of VRAD file systems.
Detailed Description of the Invention
Referring to Figure 1, it will be seen that the Virtual Resource Attribute Directory (VRAD) 10, typically stored on a hard disk, resembles a rooted tree structure 12. This tree structure 12 represents the parent-child relationships that are found in the directory structures of all important file systems. The root 14 of a VRAD can be a security server also known as a generic policy engine, which controls all aspects of security on a network. All elements in the VRAD are represented by entities and proxy entities.
All the VRADs 10 are connected by a super-tree which has at its terminals the VRADs of the virtualized systems as shown in Figure 2.
The various VRADs need not be from the same type of operating system. The VRAD is utilized to create a homogenous representation of all the information that resides within a security controlled realm. This includes unified user and group lists to assist in single sign-on and Authentication Server services.
There remains, at all times, a one-to-one mapping between the physical machine with the resources being protected and a VRAD with the associated security attributes. The two are updated synchronously, via the use of agents, a security server, and message protocol to ensure that each remains perfectly synchronized.
The VRAD 10 stores entities. An entity is the data structure that forms the starting point for all security-related activities. As such, it describes a minimal set of properties that are considered essential for effective security while being fully extensible.
Every entity in a VRAD has a unique key generated without relation to the information that it represents; i.e., nothing concerning the data can be inferred from a knowledge of the information and vice versa. The unique key associated with an entity is called the entity identifier, or eid.
The eid is represented using a number of bits, n, making the maximum size of the realm 2^n entities. The entity has a security policy associated with it, the security policy being represented by a name in order that policies may be shared by multiple entities in the VRAD. The actual policy is stored in a private part of the VRAD that may only be accessed by security officers.
The attributes that are part of the entity are name, owner, data type, creation timestamp, last modified timestamp and last access timestamp and security policy. The data type attribute points at a data structure that stores attributes particular to the name of the resource that the entity represents. For example, an entity representing a machine would have the data type machine-ID. A machine-ID instance would store the location of the machine, its IP address, and operating system type.
Another type of data structure stored in a VRAD is a proxy entity. This provides a reference to an entity or another proxy entity that is managed outside of the realm in which the proxy is defined. The function of a proxy entity is to allow a security server to have access to entities outside of the realm without being responsible for their management and to remove the need for the generation of globally-unique entity identifiers across all realms within the enterprise. A proxy entity has a unique key (eid) similar to an entity and a URL that stores the location of the VRAD where the actual entity is stored. The URL consists of two pieces of information. First, the protocol, host and port for a remote security server is present. Second, the eid in the remote VRAD is present. A proxy entity can be thought of as a "pointer" to the actual entity.
It should be noted that eids are unique within the realm, i.e., no two entities, proxy entities or an entity and a proxy entity can have the same eid.
When information on the actual entity is required, the GPE server managing the realm in which the entity is actually stored is contacted and the information retrieved using the InterRealm Security Protocol (IRSP).
All relationships between entities are stored in a single data structure known as the Entity Relationship (ER) data structure. A one-to-one relation between two entities is stored as a single instance of an ER data structure. A one-to-many, many-to-one or many-to-many relationship is represented as several instances of ER data structures. The ER data structure stores the two entities involved in a relationship, the name of the relationship and a qualifying operator. For example, an ER data structure can be used to store the relationships, "A may read B" and "A may not read B." The difference in representation between the examples in the previous sentence is in the value of the associated ER operator.
Relationship data structures are used in policies associated with entities to respond to requests for access to an entity. The parent-child relationships that define the structure of a VRAD are stored using ER data structures.

A combination of one or more VRADs is called a Realm. A Realm contains all resources being protected, all users allowed access to those resources, all groups with which those users can be associated, and all physical machines (and their addresses) that represent the Realm. A realm defines a default security policy that is used when individual entities do not have a policy defined for them. This policy ensures that requests for access to resources will always be resolved.
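The entity, ER data structure and realm default policy described above can be modelled as follows. This is an added example, not code from the patent: the 64-bit eid width, the "is" operator for parent-child links, the policy names "explicit-er" and "deny-all" and all sample names are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

EID_BITS = 64  # n bits per eid, so at most 2**n entities; 64 is an assumed value

@dataclass
class Entity:
    name: str
    owner: str
    data_type: str                   # names a structure of type-specific attributes
    policy: Optional[str] = None     # policy is referenced by name so it can be shared
    # Random key: nothing about the resource can be inferred from the eid.
    eid: int = field(default_factory=lambda: secrets.randbits(EID_BITS))

@dataclass(frozen=True)
class ER:
    """One relationship instance: two entities, a relationship name, an operator."""
    subject: int
    relation: str
    operator: str                    # "may", "may not", or (assumed) "is" for tree links
    obj: int

class Realm:
    def __init__(self, default_policy):
        self.entities, self.relations = {}, []
        self.policies = {}           # stands in for the private, officer-only store
        self.default_policy = default_policy

    def add(self, entity, parent=None):
        while entity.eid in self.entities:        # eids are unique within a realm
            entity.eid = secrets.randbits(EID_BITS)
        self.entities[entity.eid] = entity
        if parent is not None:                    # tree shape is stored as ER data too
            self.relations.append(ER(parent.eid, "parent-of", "is", entity.eid))
        return entity

    def relate(self, subject, operator, relation, obj):
        self.relations.append(ER(subject.eid, relation, operator, obj.eid))

    def children(self, entity):
        return [self.entities[r.obj].name for r in self.relations
                if r.subject == entity.eid and r.relation == "parent-of"]

    def mediate(self, subject, relation, obj):
        # Fall back to the realm default so every request is resolved.
        name = obj.policy or self.default_policy
        return self.policies[name](self, subject, relation, obj)

def explicit_er(realm, subject, relation, obj):
    """Hypothetical policy: an explicit "may not" wins, "may" allows, silence denies."""
    ops = {r.operator for r in realm.relations
           if (r.subject, r.relation, r.obj) == (subject.eid, relation, obj.eid)}
    return "may" in ops and "may not" not in ops

def deny_all(realm, subject, relation, obj):
    return False

def build_demo():
    # Constructed sample realm; no real file is read or modified.
    realm = Realm(default_policy="deny-all")
    realm.policies.update({"explicit-er": explicit_er, "deny-all": deny_all})
    root = realm.add(Entity("GPE", "officer", "realm-root"))
    machine = realm.add(Entity("machine1", "officer", "machine-ID"), parent=root)
    report = realm.add(Entity("/srv/report.txt", "alice", "file", "explicit-er"), parent=machine)
    notes = realm.add(Entity("/srv/notes.txt", "alice", "file"), parent=machine)  # no policy
    alice = realm.add(Entity("alice", "officer", "user"), parent=root)
    bob = realm.add(Entity("bob", "officer", "user"), parent=root)
    realm.relate(alice, "may", "read", report)
    realm.relate(bob, "may not", "read", report)
    realm.relate(alice, "may", "read", notes)     # ignored: notes falls under deny-all
    return realm, dict(root=root, machine=machine, report=report,
                       notes=notes, alice=alice, bob=bob)

if __name__ == "__main__":
    realm, e = build_demo()
    for who, what in (("alice", "report"), ("bob", "report"), ("alice", "notes")):
        print(who, "read", e[what].name, "->", realm.mediate(e[who], "read", e[what]))
```

The entity without a named policy is resolved by the realm default, so a stray "may" relationship on it grants nothing.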
Realms may act as containers for other realms managed by other security servers. The enterprise realm is special in that it acts as a container for all other realms in the enterprise. If an entity is stored within a particular realm, its security is managed by that realm.
Each entity stored within the VRAD has additional attributes and relationships to other entities associated with it. These include unique name, Entity ID, mandatory controls, etc.
An entity includes a reference to another data structure by name that contains non-security specific information. For example, the physical location of a machine might be stored and used in a mediation function to prevent information legal in one country from being transmitted to a country in which that information is illegal.
Since the structure is tree-like, it is easy to manipulate the structure via a security messaging protocol designed to assist in walking a tree-like structure, and performing actions against it. Any tree-traversal algorithms can be utilized to manipulate the information stored within a VRAD.
VRAD trees can be linked across security servers in order to provide a security solution across an enterprise. The proxy entity concept is used to achieve this.
VRAD trees contain only entity or proxy entity data structures. The VRADs for the resources associated with each machine are stored as subtrees within the VRAD for the realm. The root of this tree is always an entity representing the GPE itself. This entity is called the realm root. The parent of the realm root is a proxy entity that represents the realm root, which is one level up in the enterprise security hierarchy. In the case of the enterprise realm root, it is its own parent. It is possible to walk to any realm in the enterprise by walking to the parent of the realm root given appropriate security permissions.

When the parent of the realm root is requested, the proxy entity for the parent is retrieved.
The IRSP is used to retrieve the eid of the remote entity if the requesting user has permission to do so. Referring to Figure 2, two realms 10₁, 10₂ are represented. Realms 10₁ and 10₂ are managed by GPE1 and GPE2 respectively. When an agent walks from Machine1 to Files1, GPE1 (realm root), then to the parent GPE (realm root of a parent realm), and finally to Users2 on the remote GPE, the eid of Users2 under GPE2 is returned.
This eid is served up to the user and a new proxy created within realm1.
Garbage collection of this proxy entity occurs when the user no longer needs to access the remote entity.
While the above example has demonstrated linking of realms through the realm root entity, cross linking of VRADs at other points within the realm is possible.
For example, in Figure 2, a child directory of machine4 in realm2 is managed by realm1. A proxy for dir22 is maintained in realm2 and a proxy for the root directory of machine4 is stored in realm1. Walking from the root directory of machine4 takes the user to dir22 in realm1.
Walking to the children of dir22 causes proxy entities to be generated in realm2 that are removed when the user tells the system that they may be discarded or when the user logs out from the system.
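The proxy entity lookup and the Figure 2 walk described above can be sketched as follows. This is an added example, not code from the patent: the irsp:// URL layout, the host names and ports, the reader sets used for the permission check and the hop limit on proxy chains are all assumptions, and an in-memory dictionary stands in for the InterRealm Security Protocol transport.

```python
import secrets
from urllib.parse import urlsplit

NETWORK = {}  # (host, port) -> GPE; in-memory stand-in for the IRSP transport

class GPE:
    """A security server managing one realm's VRAD (entities and proxies only)."""
    def __init__(self, host, port):
        self.host, self.port = host, port
        self.vrad = {}      # eid -> record; entities and proxies share one eid space
        self.readers = {}   # eid -> users permitted to retrieve the record remotely
        self.session = {}   # user -> eids of proxies created on that user's behalf
        NETWORK[(host, port)] = self

    def _store(self, record, readers):
        eid = secrets.randbits(64)
        while eid in self.vrad:              # unique within the realm, not globally
            eid = secrets.randbits(64)
        self.vrad[eid], self.readers[eid] = record, set(readers)
        return eid

    def add_entity(self, name, readers=()):
        return self._store({"kind": "entity", "name": name}, readers)

    def add_proxy(self, remote, remote_eid, readers=(), session_user=None):
        # URL = protocol, host and port of the remote server, then the remote eid.
        # The exact irsp:// layout is assumed for this example.
        url = f"irsp://{remote.host}:{remote.port}/{remote_eid:x}"
        eid = self._store({"kind": "proxy", "url": url}, readers)
        if session_user is not None:
            self.session.setdefault(session_user, []).append(eid)
        return eid

    def fetch(self, eid, user):
        """Remote side of a lookup: the owning realm enforces its own permissions."""
        if eid not in self.vrad or user not in self.readers[eid]:
            raise PermissionError(f"{user} may not retrieve {eid:x}")
        return self.vrad[eid]

    def logout(self, user):
        """Garbage-collect the proxies that existed only for this user's session."""
        for eid in self.session.pop(user, []):
            self.vrad.pop(eid, None)
            self.readers.pop(eid, None)

def resolve(gpe, eid, user, max_hops=4):
    """Follow a proxy (or chain of proxies) to the realm that manages the entity."""
    record, hops = gpe.vrad[eid], 0
    while record["kind"] == "proxy":
        if hops == max_hops:                 # added safeguard against proxy cycles
            raise RuntimeError("proxy chain exceeds hop limit")
        url = urlsplit(record["url"])
        gpe = NETWORK[(url.hostname, url.port)]
        record = gpe.fetch(int(url.path.lstrip("/"), 16), user)
        hops += 1
    return gpe, record

def figure2_walk():
    # Constructed realms: GPE2 manages Users2, GPE1 holds a session proxy for it.
    gpe1, gpe2 = GPE("gpe1.example", 7001), GPE("gpe2.example", 7002)
    users2 = gpe2.add_entity("Users2", readers={"alice"})
    proxy = gpe1.add_proxy(gpe2, users2, session_user="alice")
    return gpe1, gpe2, proxy

if __name__ == "__main__":
    gpe1, gpe2, proxy = figure2_walk()
    owner, record = resolve(gpe1, proxy, "alice")
    print(record["name"], "is managed by", owner.host)
    gpe1.logout("alice")
    print("proxy still present:", proxy in gpe1.vrad)
```

Because a proxy may reference another proxy, the resolver bounds the chain length; the remote server answers unknown and unauthorized eids identically so a lookup does not reveal which eids exist.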
The invention provides a flexible approach to file security that is consistent across different operating systems.

Claims (17)

We claim:
1. A method of controlling access to computer data, comprising the steps of:
creating a real file system for storing said data;
creating a virtual file system that mirrors said real file system but lacks the stored data; and storing attributes pertaining to the files in said file system at corresponding locations in said virtual file system.
2. A method as claimed in claim 1, wherein said attributes are security attributes.
3. A method as claimed in claim 2, wherein said virtual file system manages the security attributes stored within it.
4. A method as claimed in claim 3, wherein said virtual file system mediates access to said computer data in said real file system based on said stored attributes in said virtual file system.
5. A method as claimed in claim 4, wherein said virtual file system is organized in a tree structure representing parent-child relationships found in said real file system.
6. A method as claimed in claim 5, wherein said attributes are stored as entities describing the security properties of a corresponding file in said real file structure.
7. A method as claimed in claim 6, wherein each said entity has a unique key generated without relation to the data whose attributes it describes.
8. A method as claimed in claim 7, wherein each said key has a security policy associated with it to permit policies to be shared by multiple entities within the virtual file system.
9. A method as claimed in claim 7, wherein each said entity stores the following attributes: name, owner, data type, creation timestamp, last modified timestamp, last access timestamp, and security policy.
10. A method as claimed in claim 7, wherein said virtual file system also stores proxy entities referencing an actual entity stored in a different virtual file system to permit access to entities stored in said different virtual file system without requiring said first mentioned file system to be responsible for its management.
11. A method as claimed in claim 7, wherein all relationships between entities are stored in a single entity data structure.
12. A method as claimed in claim 7, wherein a plurality of said virtual file systems are linked through their roots.
13. A method as claimed in claim 7, wherein a plurality of said virtual file systems are cross linked at points on the tree structure.
14. A virtual resource attribute directory comprising a shadow directory structure mirroring a real file structure and storing attributes of files in said real file structure without the associated data.
15. A virtual resource attribute directory as claimed in claim 14, wherein said shadow directory structure is a tree structure.
16. A virtual resource attribute directory as claimed in claim 14, wherein said attributes are stored as entities describing the security properties of a corresponding file in said real file structure.
17. A virtual resource attribute directory as claimed in claim 16, wherein each said entity has a unique key generated without relation to the information whose attributes it describes.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US47260999A 1999-12-27 1999-12-27
US09/472,609 1999-12-27
PCT/CA2000/001568 WO2001048634A2 (en) 1999-12-27 2000-12-21 Virtual resource attribute directory

Publications (1)

Publication Number Publication Date
CA2395494A1 true CA2395494A1 (en) 2001-07-05

Family

ID=23876217

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002395494A Abandoned CA2395494A1 (en) 1999-12-27 2000-12-21 Virtual resource attribute directory

Country Status (3)

Country Link
AU (1) AU2336901A (en)
CA (1) CA2395494A1 (en)
WO (1) WO2001048634A2 (en)

Also Published As

Publication number Publication date
WO2001048634A3 (en) 2004-02-26
WO2001048634A2 (en) 2001-07-05
AU2336901A (en) 2001-07-09

Legal Events

Date Code Title Description
FZDE Discontinued