WO2006102442A2 - Method and system to create secure virtual project room - Google Patents
Method and system to create secure virtual project room Download PDFInfo
- Publication number
- WO2006102442A2 WO2006102442A2 PCT/US2006/010453 US2006010453W WO2006102442A2 WO 2006102442 A2 WO2006102442 A2 WO 2006102442A2 US 2006010453 W US2006010453 W US 2006010453W WO 2006102442 A2 WO2006102442 A2 WO 2006102442A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- secure
- project
- content
- access policy
- computing device
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 43
- 238000004891 communication Methods 0.000 claims description 8
- 238000012544 monitoring process Methods 0.000 claims description 8
- 239000002775 capsule Substances 0.000 claims description 7
- 238000012545 processing Methods 0.000 claims description 7
- 238000004806 packaging method and process Methods 0.000 claims 3
- 230000001902 propagating effect Effects 0.000 claims 2
- 238000011161 development Methods 0.000 abstract description 36
- 238000013439 planning Methods 0.000 abstract description 10
- 238000007726 management method Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 230000009471 action Effects 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 238000010200 validation analysis Methods 0.000 description 2
- 238000012038 vulnerability analysis Methods 0.000 description 2
- 238000012550 audit Methods 0.000 description 1
- 238000013474 audit trail Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000000295 complement effect Effects 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000011109 contamination Methods 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 229940004975 interceptor Drugs 0.000 description 1
- 238000012552 review Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
Definitions
- This invention relates to a set of distributed project development tools to manage the files and tasks of the project with the focus on protecting the data and/or intellectual properties developed or licensed during the project life cycle. This invention is also related to the trusted operating environment field.
- a method and system for creating secure virtual project rooms may have a set of distributed project development tools to manage the files and tasks of the development project with the focus on protecting the intellectual properties developed or licensed during the development of the project.
- the intellectual properties of the project may include the software code, business process in the form of software code, data that may reveal the trade secret of the business, or other forms of the data that is protectable.
- the system incorporates a trusted operating environment that relies on but does not replace a typical operating system.
- the system creates an infrastructure to augment the planning tools and analytic tools, as well as provide a development environment for an IP -protected distributed project development.
- the system is able to discover IP -protection information, such as the vulnerability of the source files, create a vulnerability score based on the protection information and then allows users to have a flexible modeling method by adjusting the criteria for evaluating the vulnerability factor.
- the system may also provide a graphical user interface to review the result of the discovery that increases the visibility of the executed plans and a new plan, which is established based on the integrated information. Using the system, a manager can then manually adjust the recommended plan and the adjustment is communicated back to the system for continuously improving the plan.
- the specific IP-protection control schemes and configuration targeted for each team is created. Then, according to the control and configuration specifically given to the team, the team carries out their development independently at any location (including both remote and/or local locations.)
- the access policy and control derived from the plan and the configuration is used to validate the configuration and control the identity, the tools, and the access of the IP files using the tools.
- the system also permits the monitoring and tracking to be turned on and off at various levels.
- the monitoring provided by the system may also be supplemented with event triggering for immediate notification of the IP access violation.
- the system may also generate tracking reports for policy adjustment and quality improvement measures.
- a method of securing a distributed proj ect environment on a computing device is provided.
- a particular secure project is defined on the computing device wherein the particular secure project includes a plurality of pieces of content of the project where the content is secured so that only a user with a proper access privilege can access the content, one or more validated applications that are validated for use with the particular secure project and an access policy for a set of users.
- a validated application a user can access the secured content that is a member of the access policy wherein the content is decrypted while being accessed by the validated application.
- the application is first validated as a validated application.
- the method disallows the operation if the application is not a validated application or, if the copy operation is not disallowed, the piece of content is copied within the particular secure project so that the copied piece of content is stored in secured format.
- Figure 1 illustrates an example of a secure project development environment using a secure project room system in accordance with the invention
- Figure 2 illustrates an example of the architecture of a preferred implementation of the secure project room system
- Figure 3 illustrates an example of an implementation of a secure project room on a computing device
- Figure 4 illustrates an example of a secure project room system with at least two computing devices
- Figure 5 illustrates further details of a secure project room application residing on a computing device
- Figure 6 illustrates an example of a network security method using the secure project room system
- Figure 7 illustrates an example of a desktop security method using the secure project room system
- Figure 8 illustrates an example of a file system security method using the secure project room system
- Figure 9 illustrates an example of a device security method using the secure project room system
- Figure 10 illustrates an example of a project vulnerability tool for security focused planning that is part of the secure project room system.
- the invention is particularly applicable to a computing device based system wherein the secure project room application is a software application being executed by the computing device and it is in this context that the invention will be described. It will be appreciated, however, that the system and method in accordance with the invention has greater utility since the secure project room application can also be implemented in hardware or as a combination of hardware and software and the secure project system can be implemented on various different types of computing devices.
- the system provides a set of distributed project development tools to manage the files and tasks of the project with the focus on protecting the intellectual properties developed or licensed during the development of the project.
- the intellectual properties may include, but are not limited to the software code, business process in the form of software code, and data that may reveal the trade secret of the business, or other data that can be protected.
- the system also provides a trusted operating environment
- the system includes a set of tools that is compatible and interoperable with all of the existing tools and applications executable on the computing devices, and allows those tools/applications to be used in a system with a security focused plan.
- the system leverages the infonnation obtained from them to address the protection by tightening the control of the distributed teams.
- the system also has additional controls that manage the communication and execution of the distributed project environment that they have never had before when using the existing tools. During execution time, the system first validates the identity of the user prior to the user using the requesting tools to access the requesting files. The system then controls the access of the files by just-in-time decrypting the files in as- needed basis.
- Figure 1 illustrates an example of a secure project development environment 20 using a secure project room system in accordance with the invention.
- the system may be used to allow project/development teams in different locations to share confidential project and development information and data, such as source code, product specifications, etc. between the different locations.
- project information may be shared between a headquarters 22 ls a development team in remote location A 22 2 and a development team in remote location B 22 3 as shown in Figure 1.
- the Forward module (which is preferably a piece of software executed on a computing device at the highly privileged location) is a command center to rapidly create, administer, manage and replicate a "Fortress Capsule" which defines the scope of each project and the secure virtual project room for that project.
- the Forward module 24 may generate two project capsules 2O 1 and 26 2 that may then be delivered to the Location A and location B to provide the secure virtual project room for the project.
- Figure 2 illustrates an example of the architecture of a preferred implementation of a secure project room system 28 that is implemented on a computing device 40 and other components.
- the computing device may be a typical personal computer that has network connectivity, sufficient processing power, sufficient storage and sufficient memory to operate a software-based version of a the secure project room.
- the computing device 40 may also be any other processing unit based device that has sufficient processing power, memory, storage and network connectivity to implement the secure room system, such as for example, a mobile phone, a personal digital assistant, various forms of computer systems including laptops, desktops, tablet computer and the like, a set-top box or any other computing device with the characteristics set forth in which it would be desirable to provide a secure project room that permits the secure sharing of information during a project.
- a mobile phone a personal digital assistant
- various forms of computer systems including laptops, desktops, tablet computer and the like
- a set-top box or any other computing device with the characteristics set forth in which it would be desirable to provide a secure project room that permits the secure sharing of information during a project.
- the computing device 40 may store and execute one or more software applications or development tools 42, such as Adobe Acrobat, Microsoft Word or the like that the user of the computing device may use during the project and may execute an operating system (OS) 44 such as Windows XP.
- the computing device may also include a supervisor unit 46 that preferably is one or more pieces of software that are executed by the processing unit of the computing device to implement various functions and processes of the secure virtual project room as described in more detail below.
- the computing device 40 may be coupled to (via any type of network or directly connected) a policy server 45 that controls the security and access to the capsules and the secure virtual project rooms and may interact with the Forward module that may forward the capsule 26 to the computing device so that the computing device can implement the secure virtual project room.
- the computing device may also be coupled to (over any type of network or directly connected) to one or more proxy servers 47.
- proxy servers 47 For server sites that desire to have project team sites connecting to them securely to perform tasks like checking in and checking out source files interactively in real time when developing software using the secure virtual project room, a project team site may interact through the proxy server.
- the proxy server serves as a "tunnel" between a network-connected destination server (e.g., a Perforce server running on a Solaris box in a preferred embodiment which is a preferred implementation of the destination server) and a client application on the computing device, hi accordance with the invention, the proxy server operates like a network proxy server except that it maintains an encrypted connection to the remote client application within the secure virtual project room and maintains an unencrypted connection to one or more destination servers 49.
- the destination servers may include one or more database servers 49a that may contain data to be used by the project and a source code management system 49b that can be used to control the source code for the project as well as other development systems.
- FIG 3 illustrates an example of an implementation of a secure project room 38 on the computing device 40.
- the secure project room 38 is implemented by the supervisor unit 46, that may be implemented as privileged code on the computing device 40 that implements the secure virtual project room.
- the applications 42 operate with decrypted data. However, any project data leaving the application is again encrypted.
- the applications inside the secure room may include the various existing project management and project tools used by a user. Simultaneously, those applications and tools can operate outside of the secure room with un-encrypted data in conjunction with the secure project room 38 of the invention.
- the secure project room 38 When a secure project 48 (shown as the capsule 26 in Figure 1) is opened by the user of the computing device, the secure project room 38 is automatically activated (shown by the dotted line in Figure 3) wherein the data exchanged is encrypted until the moment when the application is to use the data to maintain the security of the information about the project.
- the secure project room 38 also maintains the security of the communication of data between the secure project room and anything outside of the secure project room.
- Figure 4 illustrates an example of a secure project room system 50 with at least two computing devices 40] , 4O 2 wherein each computing device is executing its secure project room 38i and 38 2 to form a secure project room system in which the computing devices are able to securely exchange data (encrypted data) between the secure project rooms 38i and 38 2 operating on each computing device.
- each user has launched a secure project 48i and 48 2 to form a secure project team community is which the IP of the project is protected while permitting each user to user the project tools and applications known to the user in conjunction with the secure project room system.
- the two projects are the same project except for the locations and the devices that they are o ⁇ i.
- FIG. 5 illustrates further details of a secure project room application 38 residing on a computing device and in particular the supervisor application 46.
- the supervisor application 46 may further comprise one or more modules that may preferably each be a piece of software that performs a certain function as described below.
- the supervisor in the preferred embodiment, further comprises a service interceptor module 60, a sentry module 62, access policy manager module 64, an encryption module 66 and a platform development layer 68.
- the supervisor intercepts the data and communications between the applications 42 and the operating system services 44 to ensure the security of the data and those communications within the secure virtual project room.
- the interceptor module 60 also known as an operating system wrapper may intercept data and communications between the applications and the operating system 44.
- the operating system (OS) wrapper intercepts the execution flow of a program executable, without the need to change, recompile, relink the program itself or the underlying OS, and then to validate the caller, and enforce the access policy set by the policy server of the secure virtual project room system.
- the interceptor module 60 is a thin layer between the core OS services and the applications that intercepts the applications' service requests (e.g., file I/O, network access, copy and paste request, etc.) and the delegates to the access policy manager module 64 for access control and secure auditing. Further details of the interceptor module 60 are shown below with reference to Figures 7-10 that show security method implemented by the interceptor module.
- the sentry module 62 during the execution of the project management system, monitors and maintains the access policy and control derived for the particular project and the configuration is used to validate the configuration and control the identity, the tools, and the access of the IP files using the tools.
- the access policy manager module 64 may include a right management runtime that can be laid over a virtual machine, such as Java virtual machine, to ensure the execution is secure even within the virtual machine.
- the access policy manager module 64 provides rule- based access control as well as based on the ability to identify a contaminated applications and take action on a contaminated application.
- a contaminated application is an application that has had contact with any secured data. Once an application is contaminated, the application data cannot leave the secured virtual project room to maintain the security of that data.
- the access policy manager module 64 also grants or denies access to secure data by an application based on the access policy and the contamination state of the application.
- the access policy manager module 64 may also generate a secured audit trail that records a user's access history and violations.
- One of the functions of the access policy manager module is to develop a fmgerprint that uniquely identifies a tool executable.
- a fingerprint is created during planning time for each tool needed during development time, and used to validate the tool invoked during development time is the exact tool allowed at planning time.
- the encryption module 66 ensures that the data and communications are encrypted. IQ more detail, the system encrypts files for general protection, and after validation, carries out just-in-time and as needed basis decryption.
- the encryption key and the distribution method are securely managed to ensure the files are securely contained in the repository until the right user who uses the right tool to access the content of the right file makes the request.
- the encryption is per project so that each project is secured by a unique encryption key.
- the encryption key for each project is automatically generated when new secure virtual project room is generated.
- the encryption module may also create an encrypted virtual file system (described below with reference to Figure 8) that securely mounts a virtual disk after user login validation, encrypts all files inside of the virtual drive and performs just-in-time decryption when access policy are granted.
- the platform development layer 68 in some instances of the supervisor 46 delivered to certain users, permits the user to perform some development work.
- FIG 6 illustrates an example of a network security method 80 using the secure project room system that has the applications 42 1 , 42 2 accessing decrypted data inside 43 of the secure virtual project room that includes a network interceptor portion of the interceptor module 60, the access policy manager 64 and the encryption module 66.
- each secure virtual project has defined "secured connections" contained in the access policy for the project, hi the example shown in Figure 7, the connection "p4svr:1666" is a secure connection to a perforce server 84.
- the interceptor 60 monitors all network traffic and performs just-in-time encryption/decryption (using the encryption module 66) before sending/receiving from the secured connections.
- an application reads data/information from a secured connection
- the application has been contaminated and, once contaminated, the application cannot send the secured data to an un-secured connection (such as www.yahoo.com) as shown in Figure 6 because that connection is blocked for the contaminated application.
- an uncontaminated application can still access the un-secured connections while the secure virtual project room is operating.
- Figure 7 illustrates an example of a desktop security method 90 using the secure project room system that includes the applications 42 ⁇ , 42 2 , a desktop service interceptor portion of the interceptor module 60 and the access policy manager module 64.
- the desktop service interceptor intercepts service requests of the application, such as any copy and paste requests as shown in Figure 7.
- the application 42 2 marks and copies some data and the access policy manager module 64 records the copied source of the clipboard data.
- a non-contaminated application (application 42i) requests a paste from the contaminated source (application 42 2 )
- a confirmation alter is displayed confirming the paste request since the non-contaminated application (application 42i) will become contaminated if the data is pasted from the contaminated source.
- This methodology maintains the security of the secure data on the desktop even when the data is being shared between two applications on the computing device.
- Figure 8 illustrates an example of a file system security method 100 using the secure project room system that has the applications 42 1 , 42 2 , a file system portion of the interceptor module 60 and the access policy manager module 64.
- the supervisor unit may also include an encrypted virtual file system 102 that is part of the encryption module described above.
- Figure 9 illustrates an example of a device security method 110 using the secure project room system that has the applications 421, 42 2 , a device service interceptor that is part of the interceptor 60 and the access policy manager 64.
- the method controls the access of a device 112 to the secure virtual project room.
- the device service interceptor intercepts all device access requests.
- a contaminated application cannot output any data to any device whereas a non-contaminated application can freely access any device.
- the method controls the security of secure data, but freely permits applications without any secure data access to operate on the computing device in the typical manner so that the secure virtual project system is invisible to the user of the computing device in most circumstances and works in harmony with any other applications executed by the computing device.
- the supervisor in combination with the capsule 26 provides a secure virtual project room.
- the secure virtual project room has a monitoring and logging capability for all operations happening inside the room.
- As an additional tool to complement the secure project room there is a Foresee module as indicated in Figure 10.
- Foresee provides a user interface wherein the user interface is customizable and configurable since each project is different and the user interface is customized so project managers can view the project in their own way.
- the user interface also presents the data using three dimensional graphics and the data can be the aggregate of the information collected from many of the existing tools.
- the system may also include processes to extrapolate the collected data and then form a new projection.
- the system may also provide rules based modeling wherein the goal of the data mining is to provide a business operation model for managers to follow when planning their next distributed project development without having to worry about loss of IP.
- the modeling may provide an initial model to users as well as allow users to adjust the model to leverage the past productivity data, quality data, and the current understanding of the teams.
- the project vulnerability tool (which may preferably be one or more pieces of software executing on the computing device) may draw information from one or more data sources 72 such as source code control system and monitor data, a system software stack, a specification source, a file infrastructure and a human resources base. Using the data from these data sources, the tool 70 may generate a user interface 74 that permits the user of the system, based on the vulnerability analysis, to re-plan the project. The changes to the project due to the re- planning may then be distributed out to the project management tools as shown.
- data sources 72 such as source code control system and monitor data, a system software stack, a specification source, a file infrastructure and a human resources base.
- the tool 70 may generate a user interface 74 that permits the user of the system, based on the vulnerability analysis, to re-plan the project.
- the changes to the project due to the re- planning may then be distributed out to the project management tools as shown.
- the tool In addition, depending on the vulnerability score, the tool generates a list of "bill of goods" to create the content and access policy of the secure project room.
- the vulnerability score is based on the input from the manager who is to describe the parameters that affect why certain modules are more vulnerable than others. The score is calculated based on these parameters and is therefore useful in deciding what content and access rights should be associated with the secure project room. And in this way, Foresee can be used as a pre-processor for Forward in order to go through a proper and complete planning process.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- Entrepreneurship & Innovation (AREA)
- Software Systems (AREA)
- Human Resources & Organizations (AREA)
- Economics (AREA)
- General Physics & Mathematics (AREA)
- Tourism & Hospitality (AREA)
- Quality & Reliability (AREA)
- Educational Administration (AREA)
- Operations Research (AREA)
- General Business, Economics & Management (AREA)
- Marketing (AREA)
- Development Economics (AREA)
- Multimedia (AREA)
- Game Theory and Decision Science (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Stored Programmes (AREA)
Abstract
A method and system for creating secure virtual project rooms is provided. The system creates a security focused development infrastructure to augment existing planning tools, existing development environment, and provide analytics for adjusting the plans to carry out a secure distributed project development.
Description
METHOD AND SYSTEM TO CREATE SECURE VIRTUAL PROJECT ROOM
Ann Ting Tipin Ben Chang
Priority Claim
This application claims priority under 35 USC 119(e) and 120 to US Provisional Patent Application Serial No. 60/663,584, filed on March 21, 2005 and entitled "IP-protected Distributed Project Development Environment and Tools" the entirely of which is incorporated herein by reference.
Field of the Invention
This invention relates to a set of distributed project development tools to manage the files and tasks of the project with the focus on protecting the data and/or intellectual properties developed or licensed during the project life cycle. This invention is also related to the trusted operating environment field.
Background of the Invention
There are many project development tools developed and commercialized in the past ten years. However, most of these tools' architecture is designed for development by teams located at the same location. Most of these tools do not provide any mechanism to protect the intellectual property (IP) assets created during the project. With the recent momentum for companies to use globally distributed teams and suppliers, the problems caused by a lack of a mechanism to protect the IP assets is exacerbated because other countries do not have the legal mechanisms to pursue people that have stolen the IP assets. Thus, it is desirable to provide a system that provides IP asset protection within a project development tool. More recently, commercial tools became available where data collected from other development tools, called from the development process, are integrated to better estimate the productivity. These tools usually provide Web-based user interfaces for the convenience of sharing the views by the distributed teams. However, none of these tools has included the
important capability of source code IP or data protection especially during the development time. The lack of focus on IP protection in the planning phase can create two problems when executing the plan:
The concern of losing source code IP will arise when dispatching tasks to remote teams, and the plan will then become one that does not leverage the true potential of the remote team.
During execution time, there are few actions that a user can take to fully mitigate the risk of losing the source code IP and the available actions are mostly rigid and make the project development un-flexible and more costly.
Thus, it is desirable to provide a method and system for creating secure virtual project rooms that overcomes the limitations of the typical project development tools and it is to this end that the present invention is directed.
Summary of the Invention
A method and system for creating secure virtual project rooms is provided. The system may have a set of distributed project development tools to manage the files and tasks of the development project with the focus on protecting the intellectual properties developed or licensed during the development of the project. The intellectual properties of the project may include the software code, business process in the form of software code, data that may reveal the trade secret of the business, or other forms of the data that is protectable. The system incorporates a trusted operating environment that relies on but does not replace a typical operating system.
The system creates an infrastructure to augment the planning tools and analytic tools, as well as provide a development environment for an IP -protected distributed project development. The system is able to discover IP -protection information, such as the vulnerability of the source files, create a vulnerability score based on the protection information and then allows users to have a flexible modeling method by adjusting the criteria for evaluating the vulnerability factor. The system may also provide a graphical user interface
to review the result of the discovery that increases the visibility of the executed plans and a new plan, which is established based on the integrated information. Using the system, a manager can then manually adjust the recommended plan and the adjustment is communicated back to the system for continuously improving the plan. Based on the finalized plan, the specific IP-protection control schemes and configuration targeted for each team is created. Then, according to the control and configuration specifically given to the team, the team carries out their development independently at any location (including both remote and/or local locations.) During the execution of the project management, the access policy and control derived from the plan and the configuration is used to validate the configuration and control the identity, the tools, and the access of the IP files using the tools. The system also permits the monitoring and tracking to be turned on and off at various levels. The monitoring provided by the system may also be supplemented with event triggering for immediate notification of the IP access violation. The system may also generate tracking reports for policy adjustment and quality improvement measures.
Thus, in accordance with the invention, a method of securing a distributed proj ect environment on a computing device is provided. In the method, a particular secure project is defined on the computing device wherein the particular secure project includes a plurality of pieces of content of the project where the content is secured so that only a user with a proper access privilege can access the content, one or more validated applications that are validated for use with the particular secure project and an access policy for a set of users. Using a validated application, a user can access the secured content that is a member of the access policy wherein the content is decrypted while being accessed by the validated application. When a piece of content is accessed by an application, the application is first validated as a validated application. During the period when the piece of secured content is decrypted, operations of the computing device that are capable of producing one of a complete copy and a partial copy of the piece of content are monitored. When an operation capable of producing one of a complete copy and a partial copy of the piece of content occurs, the method disallows the operation if the application is not a validated application or, if the copy operation is not
disallowed, the piece of content is copied within the particular secure project so that the copied piece of content is stored in secured format.
Brief Description of the Drawings
Figure 1 illustrates an example of a secure project development environment using a secure project room system in accordance with the invention;
Figure 2 illustrates an example of the architecture of a preferred implementation of the secure project room system;
Figure 3 illustrates an example of an implementation of a secure project room on a computing device;
Figure 4 illustrates an example of a secure project room system with at least two computing devices;
Figure 5 illustrates further details of a secure project room application residing on a computing device;
Figure 6 illustrates an example of a network security method using the secure project room system;
Figure 7 illustrates an example of a desktop security method using the secure project room system;
Figure 8 illustrates an example of a file system security method using the secure project room system;
Figure 9 illustrates an example of a device security method using the secure project room system;
Figure 10 illustrates an example of a project vulnerability tool for security focused planning that is part of the secure project room system.
Detailed Description of a Preferred Embodiment
The invention is particularly applicable to a computing device based system wherein the secure project room application is a software application being executed by the computing device and it is in this context that the invention will be described. It will be appreciated, however, that the system and method in accordance with the invention has greater utility since the secure project room application can also be implemented in hardware or as a combination of hardware and software and the secure project system can be implemented on various different types of computing devices.
Broadly, the system provides a set of distributed project development tools to manage the files and tasks of the project with the focus on protecting the intellectual properties developed or licensed during the development of the project. For purposes of this description, the intellectual properties may include, but are not limited to the software code, business process in the form of software code, and data that may reveal the trade secret of the business, or other data that can be protected. The system also provides a trusted operating environment
The system includes a set of tools that is compatible and interoperable with all of the existing tools and applications executable on the computing devices, and allows those tools/applications to be used in a system with a security focused plan. Thus, while customers can continue to use the tools, which they already purchased and familiar with, the system leverages the infonnation obtained from them to address the protection by tightening the control of the distributed teams. The system also has additional controls that manage the communication and execution of the distributed project environment that they have never had before when using the existing tools. During execution time, the system first validates the identity of the user prior to the user using the requesting tools to access the requesting files. The system then controls the access of the files by just-in-time decrypting the files in as- needed basis. It also monitors and tracks the user activities with records for audits. The system also ensures the tool pass the "fingerprint" checking. This checking ensures the tool is not a Trojan horse, or is of the wrong version inadvertently. Now, an implementation of the secure project room system is described.
Figure 1 illustrates an example of a secure project development environment 20 using a secure project room system in accordance with the invention. The system may be used to allow project/development teams in different locations to share confidential project and development information and data, such as source code, product specifications, etc. between the different locations. For example, project information may be shared between a headquarters 22 ls a development team in remote location A 222 and a development team in remote location B 223 as shown in Figure 1. To accomplish the secure sharing of the project information and data, an administrator with high privilege may use a Forward module 24. The Forward module (which is preferably a piece of software executed on a computing device at the highly privileged location) is a command center to rapidly create, administer, manage and replicate a "Fortress Capsule" which defines the scope of each project and the secure virtual project room for that project. In order to share project information with location A and location B, the Forward module 24 may generate two project capsules 2O1 and 262 that may then be delivered to the Location A and location B to provide the secure virtual project room for the project.
Figure 2 illustrates an example of the architecture of a preferred implementation of a secure project room system 28 that is implemented on a computing device 40 and other components. In this example, the computing device may be a typical personal computer that has network connectivity, sufficient processing power, sufficient storage and sufficient memory to operate a software-based version of a the secure project room. The elements of a personal computer with these attributes are well known and are not described further here, hi accordance with the invention, the computing device 40 may also be any other processing unit based device that has sufficient processing power, memory, storage and network connectivity to implement the secure room system, such as for example, a mobile phone, a personal digital assistant, various forms of computer systems including laptops, desktops, tablet computer and the like, a set-top box or any other computing device with the characteristics set forth in which it would be desirable to provide a secure project room that permits the secure sharing of information during a project.
When the computing device 40 is being used to implement the secure virtual project room, the computing device 40 may store and execute one or more software applications or development tools 42, such as Adobe Acrobat, Microsoft Word or the like that the user of the computing device may use during the project and may execute an operating system (OS) 44 such as Windows XP. The computing device may also include a supervisor unit 46 that preferably is one or more pieces of software that are executed by the processing unit of the computing device to implement various functions and processes of the secure virtual project room as described in more detail below.
The computing device 40 may be coupled to (via any type of network or directly connected) a policy server 45 that controls the security and access to the capsules and the secure virtual project rooms and may interact with the Forward module that may forward the capsule 26 to the computing device so that the computing device can implement the secure virtual project room. The computing device may also be coupled to (over any type of network or directly connected) to one or more proxy servers 47. For server sites that desire to have project team sites connecting to them securely to perform tasks like checking in and checking out source files interactively in real time when developing software using the secure virtual project room, a project team site may interact through the proxy server. The proxy server serves as a "tunnel" between a network-connected destination server (e.g., a Perforce server running on a Solaris box in a preferred embodiment which is a preferred implementation of the destination server) and a client application on the computing device, hi accordance with the invention, the proxy server operates like a network proxy server except that it maintains an encrypted connection to the remote client application within the secure virtual project room and maintains an unencrypted connection to one or more destination servers 49. hi the example shown in Figure 2, the destination servers may include one or more database servers 49a that may contain data to be used by the project and a source code management system 49b that can be used to control the source code for the project as well as other development systems.
Figure 3 illustrates an example of an implementation of a secure project room 38 on the computing device 40. The secure project room 38 is implemented by the supervisor unit 46, that may be implemented as privileged code on the computing device 40 that implements the secure virtual project room. As shown in Figure 3, the applications 42 operate with decrypted data. However, any project data leaving the application is again encrypted. The applications inside the secure room may include the various existing project management and project tools used by a user. Simultaneously, those applications and tools can operate outside of the secure room with un-encrypted data in conjunction with the secure project room 38 of the invention. When a secure project 48 (shown as the capsule 26 in Figure 1) is opened by the user of the computing device, the secure project room 38 is automatically activated (shown by the dotted line in Figure 3) wherein the data exchanged is encrypted until the moment when the application is to use the data to maintain the security of the information about the project. The secure project room 38 also maintains the security of the communication of data between the secure project room and anything outside of the secure project room.
Figure 4 illustrates an example of a secure project room system 50 with at least two computing devices 40] , 4O2 wherein each computing device is executing its secure project room 38i and 382 to form a secure project room system in which the computing devices are able to securely exchange data (encrypted data) between the secure project rooms 38i and 382 operating on each computing device. In the example shown in Figure 4, each user has launched a secure project 48i and 482 to form a secure project team community is which the IP of the project is protected while permitting each user to user the project tools and applications known to the user in conjunction with the secure project room system. The two projects are the same project except for the locations and the devices that they are oϊi. Figure 5 illustrates further details of a secure project room application 38 residing on a computing device and in particular the supervisor application 46. The supervisor application 46 may further comprise one or more modules that may preferably each be a piece of software that performs a certain function as described below. The supervisor, in the preferred embodiment, further comprises a service interceptor module 60, a sentry module 62, access
policy manager module 64, an encryption module 66 and a platform development layer 68. In general, the supervisor intercepts the data and communications between the applications 42 and the operating system services 44 to ensure the security of the data and those communications within the secure virtual project room. The interceptor module 60 (also known as an operating system wrapper may intercept data and communications between the applications and the operating system 44. In more detail, the operating system (OS) wrapper intercepts the execution flow of a program executable, without the need to change, recompile, relink the program itself or the underlying OS, and then to validate the caller, and enforce the access policy set by the policy server of the secure virtual project room system. The interceptor module 60 is a thin layer between the core OS services and the applications that intercepts the applications' service requests (e.g., file I/O, network access, copy and paste request, etc.) and the delegates to the access policy manager module 64 for access control and secure auditing. Further details of the interceptor module 60 are shown below with reference to Figures 7-10 that show security method implemented by the interceptor module. The sentry module 62, during the execution of the project management system, monitors and maintains the access policy and control derived for the particular project and the configuration is used to validate the configuration and control the identity, the tools, and the access of the IP files using the tools.
The access policy manager module 64 may include a right management runtime that can be laid over a virtual machine, such as Java virtual machine, to ensure the execution is secure even within the virtual machine. The access policy manager module 64 provides rule- based access control as well as based on the ability to identify a contaminated applications and take action on a contaminated application. A contaminated application is an application that has had contact with any secured data. Once an application is contaminated, the application data cannot leave the secured virtual project room to maintain the security of that data. The access policy manager module 64 also grants or denies access to secure data by an application based on the access policy and the contamination state of the application. The access policy manager module 64 may also generate a secured audit trail that records a user's access history and violations. One of the functions of the access policy manager module is to develop a
fmgerprint that uniquely identifies a tool executable. In the system, a fingerprint is created during planning time for each tool needed during development time, and used to validate the tool invoked during development time is the exact tool allowed at planning time.
The encryption module 66 ensures that the data and communications are encrypted. IQ more detail, the system encrypts files for general protection, and after validation, carries out just-in-time and as needed basis decryption. The encryption key and the distribution method are securely managed to ensure the files are securely contained in the repository until the right user who uses the right tool to access the content of the right file makes the request. The encryption is per project so that each project is secured by a unique encryption key. The encryption key for each project is automatically generated when new secure virtual project room is generated. The encryption module may also create an encrypted virtual file system (described below with reference to Figure 8) that securely mounts a virtual disk after user login validation, encrypts all files inside of the virtual drive and performs just-in-time decryption when access policy are granted. The platform development layer 68, in some instances of the supervisor 46 delivered to certain users, permits the user to perform some development work.
Figure 6 illustrates an example of a network security method 80 using the secure project room system that has the applications 421, 422 accessing decrypted data inside 43 of the secure virtual project room that includes a network interceptor portion of the interceptor module 60, the access policy manager 64 and the encryption module 66. To provide secure communications over a network 82, each secure virtual project has defined "secured connections" contained in the access policy for the project, hi the example shown in Figure 7, the connection "p4svr:1666" is a secure connection to a perforce server 84. During the secure virtual project room operation, the interceptor 60 monitors all network traffic and performs just-in-time encryption/decryption (using the encryption module 66) before sending/receiving from the secured connections. Once an application reads data/information from a secured connection, the application has been contaminated and, once contaminated, the application cannot send the secured data to an un-secured connection (such as www.yahoo.com) as shown
in Figure 6 because that connection is blocked for the contaminated application. However, an uncontaminated application can still access the un-secured connections while the secure virtual project room is operating.
Figure 7 illustrates an example of a desktop security method 90 using the secure project room system that includes the applications 42 \, 422, a desktop service interceptor portion of the interceptor module 60 and the access policy manager module 64. To maintain desktop security, the desktop service interceptor intercepts service requests of the application, such as any copy and paste requests as shown in Figure 7. In this example, the application 422 marks and copies some data and the access policy manager module 64 records the copied source of the clipboard data. Then, if a non-contaminated application (application 42i) requests a paste from the contaminated source (application 422 ), a confirmation alter is displayed confirming the paste request since the non-contaminated application (application 42i) will become contaminated if the data is pasted from the contaminated source. This methodology maintains the security of the secure data on the desktop even when the data is being shared between two applications on the computing device.
Figure 8 illustrates an example of a file system security method 100 using the secure project room system that has the applications 421, 422, a file system portion of the interceptor module 60 and the access policy manager module 64. To provide file system security, the supervisor unit may also include an encrypted virtual file system 102 that is part of the encryption module described above. Once a project 108 is opened successfully (from a storage device 104), an encrypted virtual drive, X:\ 106, is mounted with a per project encryption key. During the project, the file system Service Interceptor monitors all file I/O access. Once an Application reads a secured file on the virtual drive X:\, the application is considered "contaminated". Once contaminated, the Application cannot write the secure data outside of X:\ (or send data to unsecured connection). However, a non-contaminated application can still freely access data outside of X:\.
Figure 9 illustrates an example of a device security method 110 using the secure project room system that has the applications 421, 422, a device service interceptor that is part
of the interceptor 60 and the access policy manager 64. The method controls the access of a device 112 to the secure virtual project room. To accomplish this, the device service interceptor intercepts all device access requests. As above, a contaminated application cannot output any data to any device whereas a non-contaminated application can freely access any device. As with all of the security methods described above, the method controls the security of secure data, but freely permits applications without any secure data access to operate on the computing device in the typical manner so that the secure virtual project system is invisible to the user of the computing device in most circumstances and works in harmony with any other applications executed by the computing device. The supervisor in combination with the capsule 26 (shown in Figure 1) provides a secure virtual project room. The secure virtual project room has a monitoring and logging capability for all operations happening inside the room. When the logs are accumulated, they are sent to the privilege site for access violation analysis and for future project planning. As an additional tool to complement the secure project room, there is a Foresee module as indicated in Figure 10. To ease the adaptability of examining the proj ect plan for the specific project, Foresee provides a user interface wherein the user interface is customizable and configurable since each project is different and the user interface is customized so project managers can view the project in their own way. The user interface also presents the data using three dimensional graphics and the data can be the aggregate of the information collected from many of the existing tools. To view the 3-D graphics, users can easily zoom and drill-down from the visual display for details as needed, hi addition, after the data is aggregated from the various tools, the combined data will be used to give a retrospective view of the project development as well as a prospective view of an improved project plan. The system may also include processes to extrapolate the collected data and then form a new projection. The system may also provide rules based modeling wherein the goal of the data mining is to provide a business operation model for managers to follow when planning their next distributed project development without having to worry about loss of IP. The modeling may provide an initial model to users as well as allow users to adjust the model to leverage the past productivity data, quality data, and the current understanding of the teams.
Inside the Foresee, there is a vulnerability analysis tool which can help managers decide the content of the secure project room in optimizing both the security and productivity. The project vulnerability tool (which may preferably be one or more pieces of software executing on the computing device) may draw information from one or more data sources 72 such as source code control system and monitor data, a system software stack, a specification source, a file infrastructure and a human resources base. Using the data from these data sources, the tool 70 may generate a user interface 74 that permits the user of the system, based on the vulnerability analysis, to re-plan the project. The changes to the project due to the re- planning may then be distributed out to the project management tools as shown. In addition, depending on the vulnerability score, the tool generates a list of "bill of goods" to create the content and access policy of the secure project room. For each project, there are various vulnerability measures which are totally project dependent. The vulnerability score is based on the input from the manager who is to describe the parameters that affect why certain modules are more vulnerable than others. The score is calculated based on these parameters and is therefore useful in deciding what content and access rights should be associated with the secure project room. And in this way, Foresee can be used as a pre-processor for Forward in order to go through a proper and complete planning process.
While the foregoing has been with reference to a particular embodiment of the invention, it will be appreciated by those skilled in the art that changes in this embodiment may be made without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims.
Claims
1. A method of securing a distributed project environment on a computing device, the method comprising: defining a particular secure project on the computing device, the particular secure project including a plurality of pieces of content of the project where the content is secured so that only a user with a proper access privilege can access the content, one or more validated applications that are validated for use with the particular secure project and an access policy for a set of users; accessing, using a validated application, the secured content by a user that is a member of the access policy wherein the content is decrypted while being accessed by the validated application; verifying, when a piece of content is accessed by an application, that the application is a validated application; monitoring, during the period when the piece of content is decrypted, operations of the computing device that are capable of producing one of a complete copy and a partial copy of the piece of content; determining, when an operation to produce a copy of the content is detected, to disallow the operation if the application is not a validated application; and copying, if the copy operation is not disallowed, the piece of content within the particular secure project so that the copied piece of content is stored in secured format.
2. The method of claim 1 further comprising creating a security layer on the computing device, the accessing, verifying, monitoring, determining and copying steps being performed by the security layer wherein the security layer has a local copy of the access policy so that the access policy is validated during the operation of the particular secure project.
3. The method of claim 2 further comprising communicating, with a remote access policy computing device, to receive the access policy.
4. The method of claim 3, wherein the access policy further comprises a set of rules that define a set of access policy using one or more factors wherein the one or more factors further comprises one or more of an identity of the user, an identity of the program, a previous access history of a running program instance, a time, a place where the access takes place, and a path of accessing the file.
5. The method of claim 4 further comprising automatically propagating the access policy to one of a new piece of content and a contaminated application not currently controlled by the access policy so that the new piece of content and the.contaminated application are controlled by the access policy wherein the new piece of content incorporates a secure piece of content and wherein the contaminated application has already accessed a secure piece of content.
6. The method of claim 3, wherein defining the particular secure project further comprises packaging the pieces of content and the local copy of the access policy into a secure package and storing the secure package at the remote access policy computing device.
7. The method of claim 6 further comprising transferred the secure package from the remote access policy computing device to the computing device to operate the particular secure project, the secure package having an expiration date after which the particular secure project cannot be accessed.
8. The method of claim 7 further comprising renewing, at the remote access policy computing device, the secure capsule to establish a new expiration date and access policy and communicating the updates to the computing device when it connects to the remote access policy computing device.
9. The method of claim 1, wherein the securing the project, content and package further comprising encrypting the project, content 'and package using an encryption key.
10. The method of claim 9, wherein encrypting the proj ect, content and package using an encryption key further comprises storing a generated encryption key at the remote access policy computing device and embedding the encryption key into the secure package.
11. The method of claim 9, wherein encrypting the project, content and package using an encryption key further comprising generating a unique encryption key for each secure project so that the secure environment is separated by project.
12. The method of claim 11 further comprising communication over a pre-defined set secure channels due to the unique encryption key for the users of a particular secure project wherein the secure channels further comprises one of a network channel and an email channel.
13. An apparatus for securing a distributed project environment on a computing device, the apparatus comprising: one or more applications executed by a processing unit of the computing device that perform operations on a secure project in the distributed project environment; an operating system executed by the processing unit of the computing device; a supervisor unit being executed by the processing unit of the computing device, the supervisor unit in between the one or more applications and the operating system to maintain the security of the secure project, the secure project including a plurality of pieces of content of the secure project where the content is secured so that only a user with a proper access privilege can access the content, one or more validated applications that are validated for use with the secure project and an access policy for a set of users associated with the secure project that defines access privileges of each user; the supervisor unit further comprising means for accessing, using a validated application, the secured content by a user in access policy wherein the content is decrypted while being accessed by the validated application, means for verifying, when a piece of content is accessed by an application, that the application is a validated application, means for monitoring, during the period when the piece of content is decrypted, operations of the computing device that are capable of producing one of a complete copy and a partial copy of the piece of content, means for determining, when an operation to produce a copy of the content is detected, to disallow the operation if the application is not a validated application, and means for copying, if the copy operation is not disallowed, the piece of content within the particular secure project so that the copied piece of content is stored in secured format.
14. The apparatus of claim 13 further comprising a supervisor unit on the computing device, the supervisor unit having a local copy of the access, policy for the secure project, the supervisor unit including the accessing means, the verifying means, the monitoring means, the determining means and the copying means.
15. The apparatus of claim 14 further comprising a remote access policy computing device and wherein the supervisor unit further comprises means for communicating, with the remote access policy computing device, to receive the access policy.
16. The apparatus of claim 15, wherein the remote access policy computing device further comprises a database management system that stores one or more access policies for one or more secure projects and a web user interface that permits a user to manage the remote access policy computing device.
17. The apparatus of claim 16, wherein each access policy further comprises one or more rules that determine a set of access policy of a particular user using a set of factors, the , set of factors further comprising an identity of each user, an identity of an application, a previous access history of the running application instance, a time, a place where the access takes place, and a path of accessing the piece of content.
18. The apparatus of claim 17, wherein1 the monitoring means further comprises means for automatically propagating the access policy to one of a new piece of content and a contaminated application not currently controlled by the access policy so that the new piece of content and the contaminated application are controlled by the access policy wherein the new piece of content incorporates a secure piece of content and wherein the contaminated application has already accessed a secure piece of content.
19. The apparatus of claim 15, wherein the remote access policy computing device further comprising means for packaging the pieces of content and a local access policy for a secure project into a secure package wherein the secure package has an- expiration date and means for transferring the secure package to the supervisor unit wherein the secure package cannot be accessed after the expiration date.
20. The apparatus of claim 19, wherein the remote access policy computing device further comprising means for renewing the expiration date and local access policy of a particular secure package and means for transferring the renewed expiration date and local access policy of the particular secure package when the supervisor unit connects to the remote access policy computing device.
21. The apparatus of claim 19, wherein the packaging means further comprises means for encrypting the secure package using an encryption key wherein the encryption key is embedded in the secure package and stored at the remote access policy computing device.
22. The apparatus of claim 21 , wherein the encryption means further comprises means for generating a unique encryption key for each secure package containing a particular secure project so that each secure project is separately secured.
23. The apparatus of claim 22 further comprising two or more computing devices whose users are each a member of a secure project with a unique encryption key and a set of secure channels between the two or more computing device using the unique encryption key, wherein the secure channels further comprises one of a network channel and an email channel.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2008503142A JP4790793B2 (en) | 2005-03-21 | 2006-03-21 | Method and system for creating a secure virtual project room |
EP06739303A EP1867095A2 (en) | 2005-03-21 | 2006-03-21 | Method and system to create secure virtual project room |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US66358405P | 2005-03-21 | 2005-03-21 | |
US60/663,584 | 2005-03-21 | ||
US11/385,293 US7849512B2 (en) | 2005-03-21 | 2006-03-20 | Method and system to create secure virtual project room |
US11/385,293 | 2006-03-20 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2006102442A2 true WO2006102442A2 (en) | 2006-09-28 |
WO2006102442A3 WO2006102442A3 (en) | 2008-01-24 |
Family
ID=37011745
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2006/010453 WO2006102442A2 (en) | 2005-03-21 | 2006-03-21 | Method and system to create secure virtual project room |
Country Status (4)
Country | Link |
---|---|
US (1) | US7849512B2 (en) |
EP (1) | EP1867095A2 (en) |
JP (1) | JP4790793B2 (en) |
WO (1) | WO2006102442A2 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2009295118A (en) * | 2008-06-09 | 2009-12-17 | Obic Business Consultants Ltd | Information processing apparatus |
US7849512B2 (en) | 2005-03-21 | 2010-12-07 | Fortressware, Inc. | Method and system to create secure virtual project room |
US9424160B2 (en) | 2014-03-18 | 2016-08-23 | International Business Machines Corporation | Detection of data flow bottlenecks and disruptions based on operator timing profiles in a parallel processing environment |
US9501377B2 (en) | 2014-03-18 | 2016-11-22 | International Business Machines Corporation | Generating and implementing data integration job execution design recommendations |
US9575916B2 (en) | 2014-01-06 | 2017-02-21 | International Business Machines Corporation | Apparatus and method for identifying performance bottlenecks in pipeline parallel processing environment |
US20200226680A1 (en) * | 2004-09-21 | 2020-07-16 | Refinitiv Us Organization Llc | Financial market trading system |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7954135B2 (en) * | 2007-06-20 | 2011-05-31 | Novell, Inc. | Techniques for project lifecycle staged-based access control |
US20090048888A1 (en) * | 2007-08-14 | 2009-02-19 | Michel Shane Simpson | Techniques for claim staking in a project stage-based environment |
US9111108B2 (en) * | 2008-02-25 | 2015-08-18 | Telefonaktiebolaget L M Ericsson (Publ) | System, method and program for controlling access rights |
US20090260050A1 (en) * | 2008-04-14 | 2009-10-15 | George Madathilparambil George | Authenticating device for controlling application security environments |
US8402542B2 (en) * | 2009-08-24 | 2013-03-19 | Palo Alto Research Center Incorporated | Non-sensitive-passage database for cut-and-paste attack detection systems |
US20140173759A1 (en) * | 2012-12-17 | 2014-06-19 | Microsoft Corporation | Rights-managed code |
US9483646B2 (en) * | 2013-09-19 | 2016-11-01 | Remotium, Inc. | Data exfiltration prevention from mobile platforms |
US11392898B2 (en) * | 2019-02-06 | 2022-07-19 | Rolls-Royce Corporation | Secure cloud collaboration platform |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6209101B1 (en) * | 1998-07-17 | 2001-03-27 | Secure Computing Corporation | Adaptive security system having a hierarchy of security servers |
US20030187932A1 (en) * | 2002-03-28 | 2003-10-02 | Kennedy Bruce C. | Network project development system and method |
US20050044380A1 (en) * | 2003-08-21 | 2005-02-24 | International Business Machines Corporation | Method and system to enable access to multiple restricted applications through user's host application |
Family Cites Families (37)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5588147A (en) * | 1994-01-14 | 1996-12-24 | Microsoft Corporation | Replication facility |
US5862346A (en) * | 1996-06-28 | 1999-01-19 | Metadigm | Distributed group activity data network system and corresponding method |
US6272631B1 (en) * | 1997-06-30 | 2001-08-07 | Microsoft Corporation | Protected storage of core data secrets |
US7167844B1 (en) * | 1999-12-22 | 2007-01-23 | Accenture Llp | Electronic menu document creator in a virtual financial environment |
JP2001229282A (en) * | 2000-02-15 | 2001-08-24 | Sony Corp | Information processor, information processing method, and recording medium |
US6591278B1 (en) * | 2000-03-03 | 2003-07-08 | R-Objects, Inc. | Project data management system and method |
WO2001095161A2 (en) * | 2000-06-02 | 2001-12-13 | Virtio Corporation | Method and system for virtual prototyping |
US7155435B1 (en) * | 2000-08-14 | 2006-12-26 | Ford Motor Company | Method for resolving issues within a team environment |
US7072940B1 (en) * | 2000-08-14 | 2006-07-04 | Ford Motor Company | System and method for managing communications and collaboration among team members |
US6760734B1 (en) * | 2001-05-09 | 2004-07-06 | Bellsouth Intellectual Property Corporation | Framework for storing metadata in a common access repository |
US7130774B2 (en) * | 2001-05-15 | 2006-10-31 | Metron Media, Inc. | System for creating measured drawings |
US7725490B2 (en) * | 2001-11-16 | 2010-05-25 | Crucian Global Services, Inc. | Collaborative file access management system |
US7395436B1 (en) * | 2002-01-31 | 2008-07-01 | Kerry Nemovicher | Methods, software programs, and systems for electronic information security |
US7107285B2 (en) * | 2002-03-16 | 2006-09-12 | Questerra Corporation | Method, system, and program for an improved enterprise spatial system |
US20030192038A1 (en) * | 2002-04-09 | 2003-10-09 | Thomas Hagmann | Linking data objects to a project development system |
US7464400B2 (en) * | 2002-04-24 | 2008-12-09 | International Business Machines Corporation | Distributed environment controlled access facility |
US7092942B2 (en) * | 2002-05-31 | 2006-08-15 | Bea Systems, Inc. | Managing secure resources in web resources that are accessed by multiple portals |
AU2003243543A1 (en) * | 2002-06-12 | 2003-12-31 | Fslogic Inc. | Layered computing systems and methods |
CN100354786C (en) * | 2002-07-09 | 2007-12-12 | 富士通株式会社 | Open type general-purpose attack-resistant CPU and application system thereof |
US7877607B2 (en) * | 2002-08-30 | 2011-01-25 | Hewlett-Packard Development Company, L.P. | Tamper-evident data management |
US7143288B2 (en) * | 2002-10-16 | 2006-11-28 | Vormetric, Inc. | Secure file system server architecture and methods |
JP4321203B2 (en) * | 2002-10-29 | 2009-08-26 | 富士ゼロックス株式会社 | Remote conference system, remote conference support method, and computer program |
JP4218336B2 (en) * | 2002-12-12 | 2009-02-04 | ソニー株式会社 | Information processing system, service providing apparatus and method, information processing apparatus and method, and program |
US20040181425A1 (en) * | 2003-03-14 | 2004-09-16 | Sven Schwerin-Wenzel | Change Management |
JP2004334566A (en) * | 2003-05-08 | 2004-11-25 | Canon Inc | Information processing method and information processor |
JP2005010957A (en) * | 2003-06-17 | 2005-01-13 | Trinity Security Systems Inc | Content protection system, content protection method, and program which makes computer perform its method |
AU2003903309A0 (en) * | 2003-06-30 | 2003-07-10 | Catalyst On Line Solutions Pty Limited | An information system |
US7493387B2 (en) * | 2003-09-19 | 2009-02-17 | International Business Machines Corporation | Validating software in a grid environment using ghost agents |
US7424620B2 (en) * | 2003-09-25 | 2008-09-09 | Sun Microsystems, Inc. | Interleaved data and instruction streams for application program obfuscation |
US8127366B2 (en) * | 2003-09-30 | 2012-02-28 | Guardian Data Storage, Llc | Method and apparatus for transitioning between states of security policies used to secure electronic documents |
US20050114475A1 (en) * | 2003-11-24 | 2005-05-26 | Hung-Yang Chang | System and method for collaborative development environments |
JP2005182331A (en) * | 2003-12-18 | 2005-07-07 | Sony Corp | Information processing system, service providing device and method, information processor and information processing method, program and recording medium |
US8312267B2 (en) * | 2004-07-20 | 2012-11-13 | Time Warner Cable Inc. | Technique for securely communicating programming content |
US7467373B2 (en) * | 2004-10-18 | 2008-12-16 | Microsoft Corporation | Global object system |
US8156488B2 (en) * | 2004-10-20 | 2012-04-10 | Nokia Corporation | Terminal, method and computer program product for validating a software application |
US7505482B2 (en) * | 2004-11-15 | 2009-03-17 | At&T Intellectual Property I, L.P. | Application services infrastructure for next generation networks |
US7849512B2 (en) | 2005-03-21 | 2010-12-07 | Fortressware, Inc. | Method and system to create secure virtual project room |
-
2006
- 2006-03-20 US US11/385,293 patent/US7849512B2/en not_active Expired - Fee Related
- 2006-03-21 JP JP2008503142A patent/JP4790793B2/en not_active Expired - Fee Related
- 2006-03-21 EP EP06739303A patent/EP1867095A2/en not_active Withdrawn
- 2006-03-21 WO PCT/US2006/010453 patent/WO2006102442A2/en active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6209101B1 (en) * | 1998-07-17 | 2001-03-27 | Secure Computing Corporation | Adaptive security system having a hierarchy of security servers |
US20030187932A1 (en) * | 2002-03-28 | 2003-10-02 | Kennedy Bruce C. | Network project development system and method |
US20050044380A1 (en) * | 2003-08-21 | 2005-02-24 | International Business Machines Corporation | Method and system to enable access to multiple restricted applications through user's host application |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200226680A1 (en) * | 2004-09-21 | 2020-07-16 | Refinitiv Us Organization Llc | Financial market trading system |
US7849512B2 (en) | 2005-03-21 | 2010-12-07 | Fortressware, Inc. | Method and system to create secure virtual project room |
JP2009295118A (en) * | 2008-06-09 | 2009-12-17 | Obic Business Consultants Ltd | Information processing apparatus |
US9575916B2 (en) | 2014-01-06 | 2017-02-21 | International Business Machines Corporation | Apparatus and method for identifying performance bottlenecks in pipeline parallel processing environment |
US9424160B2 (en) | 2014-03-18 | 2016-08-23 | International Business Machines Corporation | Detection of data flow bottlenecks and disruptions based on operator timing profiles in a parallel processing environment |
US9501377B2 (en) | 2014-03-18 | 2016-11-22 | International Business Machines Corporation | Generating and implementing data integration job execution design recommendations |
Also Published As
Publication number | Publication date |
---|---|
JP2008533629A (en) | 2008-08-21 |
WO2006102442A3 (en) | 2008-01-24 |
JP4790793B2 (en) | 2011-10-12 |
US7849512B2 (en) | 2010-12-07 |
US20060212714A1 (en) | 2006-09-21 |
EP1867095A2 (en) | 2007-12-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7849512B2 (en) | Method and system to create secure virtual project room | |
KR100971854B1 (en) | Systems and methods for providing secure server key operations | |
US8275709B2 (en) | Digital rights management of content when content is a future live event | |
CN101512490B (en) | Securing data in a networked environment | |
EP1686504B1 (en) | Flexible licensing architecture in content rights management systems | |
KR100423797B1 (en) | Method of protecting digital information and system thereof | |
US11290446B2 (en) | Access to data stored in a cloud | |
EP1452941A2 (en) | Publishing digital content within a defined universe such as an organization in accordance with a digital rights management (DRM) system | |
EP1457860A1 (en) | Publishing digital content within a defined universe such as an organization in accordance with a digital rights management (DRM) system | |
JP4502002B2 (en) | Information usage control system and information usage control device | |
EP1571524A2 (en) | Using a flexible rights template to obtain a signed rights label (SRL) for digital content in a rights management system | |
US20090259591A1 (en) | Information Rights Management | |
US8776258B2 (en) | Providing access rights to portions of a software application | |
CN103763313A (en) | File protection method and system | |
KR101377352B1 (en) | Digital rights management (drm) method and equipment in small and medium enterprise (sme) and method for providing drm service | |
AU2021347175B2 (en) | Encrypted file control | |
RU2530303C2 (en) | Method and system for processing data of health care | |
Tiwari et al. | Cloud virtual image security for medical data processing | |
Gupta et al. | Data Security Threats Arising Between a Cloud and Its Users | |
Sanchez et al. | AuditTrust: Blockchain-Based Audit Trail for Sharing Data in a Distributed Environment | |
Wikberg | Software license management from system-integrator viewpoint | |
Borz | SystemWeaver License Manager A business aware license scheme and implementation | |
JP2008242959A (en) | Apparatus and method for managing information to be used, and program therefor |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
ENP | Entry into the national phase |
Ref document number: 2008503142 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006739303 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: RU |