WO2013017394A1 - Access control for data or applications of a network - Google Patents

Access control for data or applications of a network

Info

Publication number
WO2013017394A1
Authority
WO
WIPO (PCT)
Prior art keywords
endpoint
status
terminal
access
class
Prior art date
Application number
PCT/EP2012/063808
Other languages
German (de)
English (en)
Inventor
Monika Maidl
Original Assignee
Siemens Aktiengesellschaft
Priority date
Filing date
Publication date
Application filed by Siemens Aktiengesellschaft
Publication of WO2013017394A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6236 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database between heterogeneous systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/305 Authentication, i.e. establishing the identity or authorisation of security principals by remotely controlling device operation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the invention relates to a method and a device for regulating access to data or applications of a network. Furthermore, a corresponding system and a computer program product are proposed.
  • the term "cloud computing” describes an approach to provide abstracted information technology (IT) infrastructures (for example computing capacity, data storage, network capacities or even finished software) dynamically adapted to the needs via a network. From the user's point of view, the infrastructure provided seems remote and opaque, as if wrapped in a "cloud”.
  • IT information technology
  • part of the IT landscape (in this context hardware such as data centres and data storage, as well as software) is no longer operated or provided on the user's side at the user's site, but rented as a service from one or more providers, which may be located geographically distant.
  • the applications or data are no longer (only) on the local computer or a (corporate) data center, but in the "cloud", hereinafter referred to as cloud.
  • the cloud can be part of the Internet or include this.
  • Cloud computing offers the opportunity to offer network-based applications in new business models. Services in the cloud can be provided at various levels:
  • Cloud computing uses data centres that are either concentrated in one location or, to provide flexible services, distributed and interconnected. Virtual machines run on these machines. The customers load data (e.g. pictures) into the
  • the customer gets access to a platform that contains the infrastructure for providing a service as well as certain software components (e.g. middleware) with which services can be created.
  • the service thus created is, for example, a web application.
  • a cloud provider (also referred to as a cloud provider) offers a web-based application that the customer uses via his browser.
  • documents or data records can be created or edited by the customer via the browser.
  • the outsourcing of applications and data can pose a security threat, because data and documents are stored at the cloud provider and, depending on the type of cloud or the implementation of the service, are also processed there (i.e. the data is accessed in the cloud).
  • The Security Assertion Markup Language (SAML for short) is known as an XML framework for exchanging authentication and authorization information. It provides functions to describe and transmit security-related information. When developing SAML, the following use cases were considered:
  • SAML includes so-called SAML assertions, a SAML protocol, SAML bindings, and profiles.
  • SAML assertions are transferred from an identity provider to a service provider.
  • SAML assertions contain statements that the service provider uses to determine whether access should be allowed.
  • the following types of statements are used by SAML:
  • Attribute statements: assurance that a subject S has an attribute A with a value a (for a distributed transaction / authorization).
  • network endpoint assessment: Network Endpoint Assessment (NEA)
  • An approach for assessing network endpoints (NEA: "Network Endpoint Assessment", here also referred to as network endpoint assessment) according to RFC 5209 is known [http://tools.ietf.Org/html//rfc5209].
  • network endpoints can be classified and evaluated, and based on such an assessment, access to networks at OSI layers 2 and 3 can be controlled.
  • corporate networks eg so-called intranets
  • intranets corporate networks
  • whether the devices gain access to the company network, or to which separate network within the corporate network the device is connected.
  • ISPs Internet service providers
  • the network endpoint assessment is not carried out at the application layer, for example when services on the Internet are accessed, e.g. by means of a web browser;
  • access control usually takes place via an authentication by means of user name and password.
  • Such services protect against misuse by requiring users to authenticate themselves (at the application level).
  • a service may be compromised or misused by malicious software running on a user's computer (so-called "malware", including, for example, viruses, Trojans, etc.), with correspondingly negative effects on users and operators.
  • malicious software including, for example, viruses, Trojans, etc.
  • malicious software on the user's computer could also be suitable for attacking the service itself.
  • SAML provides a framework for exchanging authentication and authorization information.
  • the user authenticates with an entity that provides a credential or token (e.g. an electronic marker granting access).
  • a credential or token: e.g. an electronic marker granting access
  • This instance is also called a token provider.
  • the token provider may be, e.g., the user's company (or an independent third party).
  • the user receives a time-limited token (i.e., a SAML assertion) containing identity information, other attributes, and the type of authentication mechanism used.
  • the token has the format of an XML file.
  • a server checks the user's token and grants access if the token could be verified.
  • An infrastructure for a known Network Endpoint Assessment includes:
  • a NEA client which is provided on the user's device and determines the device's properties, e.g. an update status (patch level) or a virus protection status (e.g. whether an antivirus program is installed and, if so, in which version, or whether the correct virus protection program is installed);
  • a NEA server in the network, e.g. a RADIUS server.
  • the object of the invention is to avoid the above-mentioned disadvantage and, in particular, to provide a solution that increases the security of services stored in a network, in particular a cloud, and of the data stored there.
  • a method for regulating access to data or applications of a network
  • the authorization information may, for example, be authentication information of a user (at the terminal) or the terminal.
  • the endpoint status is preferably the status of the terminal.
  • access control may be for different data or applications (e.g., programs) that are at least partially stored in or run on the network.
  • the network can be the Internet or any cloud. Access is e.g. from a user terminal (e.g., a computer or a telephone).
  • a user terminal e.g., a computer or a telephone.
  • computers a variety of devices are suitable, e.g. a workstation, a notebook, a portable device, a device with a radio interface
  • for example, no access, limited access, or full access to the resources of the network can be granted.
  • the access here also includes, by way of example, access to such resources of the network.
  • access may be regulated depending on the endpoint status and any associated user status (if the user has authenticated at the endpoint).
  • access may be granted only to a specific part of the network, for example certain predefined data and/or applications, depending on the endpoint class and/or the endpoint status.
  • the authorization information can be checked first and then the endpoint class determined or, conversely, the endpoint class determined first and then the authorization information checked.
  • the present approach allows service providers to consider not only the identity of the user or the terminal, but also a network endpoint assessment, that is, an endpoint assessment of the user equipment for deciding whether or not access should occur.
  • a network endpoint assessment that is, an endpoint assessment of the user equipment for deciding whether or not access should occur.
  • the service provider can effectively restrict access to such devices that meet a certain specification, e.g. include a particular version of an update software or other program (e.g., an anti-virus program).
  • the endpoint status is carried in the authorization information.
  • the terminal is authenticated to an authorization provisioning entity and
  • the authorization information is provided by the authorization providing entity to the terminal.
  • the authorization information may be, for example, a token that is valid for a predetermined period of time.
  • the authorization provisioning entity can be, for example, the component designated as credential provider in the embodiment described below.
  • the authorization provisioning entity provides the endpoint status to an assessment server
  • the endpoint class is determined by the assessment server based on the endpoint status
  • the access control provides the endpoint status to an assessment server
  • the endpoint class is determined by the assessment server based on the endpoint status
  • the endpoint class is provided by the assessment server to the access control
  • the assessment server is preferably an endpoint assessment server.
  • the assessment server performs a network endpoint assessment according to a classification scheme and determines an endpoint class based on the classification scheme.
  • For example, the classification scheme may be divided into "simple", "medium" and "high".
  • the endpoint class is stored, for example, in XML. A further development is that the endpoint class is determined from the endpoint status by means of a classification agreement. The assignment of an endpoint status to an endpoint class is defined, for example, by the classification agreement.
  • the endpoint status is determined by means of a status agreement.
  • an endpoint status structure can be specified in an XML schema and referred to as a status agreement.
  • An endpoint assessment agreement can be used to define actions for the endpoint assessment client according to a given status agreement.
  • a next development is that a terminal assessment client is executed on the terminal, which determines the endpoint status.
  • the terminal assessment client may initiate, take over, or coordinate the communications described herein with the terminal, the authorization providing entity, and / or the access control.
  • the endpoint status includes at least the following information:
  • the above object is also achieved by means of a device for regulating access to data or applications of a network, comprising a processing unit which is set up such that
  • authorization information of a terminal is verifiable and
  • an endpoint class is determined and access is regulated depending on the endpoint class.
  • the processing unit may be a processor unit and / or an at least partially hard-wired or logical circuit arrangement, which is set up, for example, such that the method can be carried out as described herein.
  • Said processing unit may be or include any type of processor or computer or computer with correspondingly necessary peripherals (memory, input / output interfaces, input / output devices, etc.).
  • the above explanations regarding the method apply to the device accordingly.
  • the device may be implemented in one component or distributed in several components.
  • connected, e.g., to the Internet
  • A computer network is proposed comprising at least one of the devices described herein.
  • the solution presented herein further includes a computer program product directly loadable into a memory of a digital computer, comprising program code portions adapted to perform steps of the method described herein. Furthermore, the above-mentioned problem is solved by means of a computer-readable storage medium, e.g. any memory, comprising computer-executable instructions (e.g. in the form of program code) which are suitable for causing a computer to perform steps of the method described herein.
  • FIG. 1 is a schematic diagram illustrating a network endpoint assessment provided to a credential provider
  • Fig. 2 is a schematic diagram based on Fig. 1, wherein the assessment of the endpoint may be performed by an organization associated with the user or terminal of the user (e.g., a company where the user is employed).
  • the present proposal uses the following (functional) components:
  • An endpoint assessment client: this is, for example, a program that runs on the user's device and assesses it. Different information or states can be detected and stored, for example:
  • This information corresponds to a status of the endpoint (here the user's device) and is stored, for example, in a document or in a file. Advantageously, an XML document (XML: Extensible Markup Language) can be used for this.
  • the structure of the endpoint status is specified in an XML schema (also referred to as a status agreement or status policy).
  • An endpoint assessment agreement (also referred to as an endpoint assessment policy) may be used to define actions for the endpoint assessment client according to a predetermined status agreement.
  • the endpoint assessment server performs a network endpoint assessment in accordance with a classification scheme and determines an endpoint class based on the classification scheme.
  • the classification scheme may be divided into "simple", "medium" and "high".
  • the endpoint class is stored, for example, in XML.
  • The assignment of an endpoint status to an endpoint class is defined by a classification agreement (also referred to as a classification policy).
  • Credential provider (referred to as such for simplicity's sake):
  • the credential provider receives the endpoint status from the endpoint assessment client running on the device.
  • the credential provider may also be used to obtain the current version of the endpoint assessment agreement from the endpoint assessment server and transmit it to the endpoint assessment client.
  • the credential provider requests a classification of the endpoint status from the endpoint assessment server.
  • the credential provider provides information about the endpoint, for example, by means of a token generated by it.
  • in this example, the term "token" stands representatively for any kind of authorization provided by the credential provider.
  • two options can be distinguished:
  • the credential provider can use the
  • the full endpoint status, as determined by the endpoint assessment client, is provided as an XML entry in the token.
  • An access control component:
  • the access control component of the service receives the token and verifies its signature. If the signature is successfully verified, the access control component decides whether and to what extent access should be granted (where access may also be, for example, access to data or applications).
  • access can be restricted.
  • the access can be limited to certain components or data or can be specified that only certain actions are allowed.
  • the decision on the extent of access is based on the information contained in the authorization, e.g. the identity, the authentication status, and / or the endpoint class.
  • an endpoint class "simple" may indicate that access is limited to read-only access and only to such components or data that are intended for general public access.
  • Administrators can obtain full access to several or all components or data by means of an endpoint class "high".
  • FIG. 1 is a schematic diagram illustrating a network endpoint assessment provided to a credential provider 103.
  • a user authenticates with the credential provider 103 via a user terminal 101.
  • An endpoint assessment client 102 running on the user terminal 101 collects information about the status of the operating system and the application programs according to a specification of a status agreement, and transmits an endpoint status generated therefrom to the credential provider 103.
  • the endpoint assessment client 102 could have requested (and received) the most recent version of an endpoint assessment agreement from the credential provider 103 or from an endpoint assessment server 104.
  • the credential provider 103 provides an endpoint status (eg, as an XML entry) in a token to the user terminal 101.
  • the user terminal 101 sends the token along with a request regarding a service or a program to an access control component 105.
  • the access control component 105 checks the token, extracts the endpoint status, and transmits it to the endpoint assessment server 104.
  • the endpoint assessment server 104 assigns the endpoint status to an endpoint class and transmits that endpoint class to the access control component 105.
  • the access control component 105 makes the decision on access to a service 106 based on the user's identity, the authentication status and the endpoint class.
  • for this purpose, the access control component 105 is preferably configured with an access control agreement (also referred to as the access control policy) that uses the same classification scheme as the endpoint assessment server 104.
  • the endpoint assessment server 104 is operated, for example, by the service provider, who can set the classification scheme and the access control agreement according to his requirements, i.e. depending on the factors that are decisive for the decision on access (and on the type of access).
  • Figure 2 is a schematic diagram based on Figure 1 wherein the endpoint assessment may be performed by an organization associated with the user (e.g., a company employing the user).
  • an organization associated with the user e.g., a company employing the user.
  • a user authenticates with the credential provider 103 via a user terminal 101.
  • the endpoint assessment client 102 collects information on the status of the operating system and the application programs according to a specification of the status agreement and transmits an endpoint status generated therefrom to the credential provider 103.
  • the endpoint assessment client 102 could have requested (and received) the most recent version of the endpoint assessment agreement from the credential provider 103 or from the endpoint assessment server 104.
  • the credential provider 103 transmits an endpoint status to the endpoint assessment server and receives the associated endpoint class.
  • the credential provider 103 provides the endpoint class (e.g., as an XML entry) in the token to the user terminal 101.
  • the user terminal 101 sends the token to the access control component 105 together with a request regarding a service or a program.
  • the access control component 105 checks the token and makes the decision about access to a service 106 based on the user's identity, the authentication status, and the endpoint class.
  • for this purpose, the access control component 105 is preferably configured with the access control agreement, which uses the same classification scheme as the endpoint assessment server 104.
  • the credential provider 103 preferably knows the classification scheme, i.e. the association between endpoint status and endpoint class. There is thus preferably a form of information exchange or agreement between the organization (associated with the user) and the service provider.
  • the organization can specify which aspects of the device are to be considered for access control. This gives the organization additional control over the security mechanisms, which is an advantage especially for security-relevant services and data.
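The two message flows above (Fig. 1: the token carries the raw endpoint status and the access control component asks the assessment server for the class; Fig. 2: the credential provider classifies first and the token carries only the class) can be exercised end to end with the following script. It is an added example, not code from the patent or from Siemens; the SAML XML token is replaced by an HMAC-signed JSON body, the classification thresholds (antivirus version, patch level, disk encryption) and the per-class read/write matrix are constructed assumptions, since the page names only the classes "simple", "medium" and "high", and the fixed clock, shared key and user names are constructed sample values.

```python
import hashlib
import hmac
import json

# Endpoint assessment server: classification policy (constructed; thresholds are assumptions).
def classify_endpoint(status):
    """Map an endpoint status (dict standing in for the XML status document) to a class."""
    av_ok = status.get("antivirus_installed", False) and status.get("antivirus_version", 0) >= 5
    patched = status.get("patch_level", 0) >= 2012
    if av_ok and patched and status.get("disk_encrypted", False):
        return "high"
    if av_ok and patched:
        return "medium"
    return "simple"

# Access control policy: uses the same class names as the classification policy.
ACCESS_POLICY = {
    "simple": {"read": {"public"}, "write": set()},
    "medium": {"read": {"public", "internal"}, "write": {"internal"}},
    "high": {"read": {"public", "internal", "restricted"},
             "write": {"public", "internal", "restricted"}},
}

def sign(key, body):
    # Stand-in for the signature on a SAML assertion: HMAC-SHA256 over the serialized claims.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class CredentialProvider:
    """Issues a signed, time-limited token after the user has authenticated."""
    def __init__(self, key, assessment_server=None):
        self.key = key
        self.assessment_server = assessment_server  # set for the Fig. 2 variant

    def issue_token(self, user, endpoint_status, now, ttl=300):
        claims = {"sub": user, "auth_method": "password", "exp": now + ttl}
        if self.assessment_server is not None:
            claims["endpoint_class"] = self.assessment_server(endpoint_status)  # Fig. 2
        else:
            claims["endpoint_status"] = endpoint_status  # Fig. 1: raw status in the token
        body = json.dumps(claims, sort_keys=True)
        return {"body": body, "sig": sign(self.key, body)}

class AccessControl:
    """Verifies the token, obtains the endpoint class and applies the access control policy."""
    def __init__(self, key, assessment_server):
        self.key = key
        self.assessment_server = assessment_server

    def decide(self, token, resource_label, action, now):
        if not hmac.compare_digest(sign(self.key, token["body"]), token["sig"]):
            return {"granted": False, "reason": "signature verification failed"}
        claims = json.loads(token["body"])
        if claims["exp"] <= now:
            return {"granted": False, "reason": "token expired"}
        endpoint_class = claims.get("endpoint_class")
        if endpoint_class is None:  # Fig. 1: ask the assessment server to classify the status
            endpoint_class = self.assessment_server(claims["endpoint_status"])
        granted = resource_label in ACCESS_POLICY[endpoint_class][action]
        return {"granted": granted, "endpoint_class": endpoint_class, "user": claims["sub"]}

def run_demo(variant):
    """Run both flows on constructed endpoint statuses; returns the decisions for inspection."""
    key = b"constructed-shared-secret"
    now = 1_700_000_000  # fixed clock so the run is reproducible
    status_good = {"antivirus_installed": True, "antivirus_version": 7,
                   "patch_level": 2012, "disk_encrypted": True}
    status_weak = {"antivirus_installed": True, "antivirus_version": 3,
                   "patch_level": 2010, "disk_encrypted": False}
    provider = CredentialProvider(key, classify_endpoint if variant == "fig2" else None)
    access_control = AccessControl(key, classify_endpoint)
    good = provider.issue_token("alice", status_good, now)
    weak = provider.issue_token("bob", status_weak, now)
    tampered = {"body": good["body"].replace("alice", "mallory"), "sig": good["sig"]}
    return {
        "token_claims": json.loads(good["body"]),
        "good_write_restricted": access_control.decide(good, "restricted", "write", now),
        "weak_write_internal": access_control.decide(weak, "internal", "write", now),
        "weak_read_public": access_control.decide(weak, "public", "read", now),
        "tampered": access_control.decide(tampered, "public", "read", now),
        "expired": access_control.decide(good, "public", "read", now + 600),
    }

if __name__ == "__main__":
    for variant in ("fig1", "fig2"):
        print(variant, json.dumps(run_demo(variant), indent=2, default=str))
```

The decision outcome is identical in both variants; what differs is where the classification happens and what the token exposes. In the Fig. 1 flow the token carries the full endpoint status, so the access control component (and anyone who can read the token) sees the device details; in the Fig. 2 flow only the class leaves the credential provider, which is why the page notes that the credential provider must then know the classification scheme.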

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to access control for data and applications that are stored, for example, in a cloud, based on the identity of a user or a terminal and on an "endpoint status" of that terminal. This combines the possibilities of Network Endpoint Assessment (NEA) with data and application programs located in the cloud. In this way a service provider can actively limit access to devices that satisfy a certain predefined condition, for example a certain version of an update software, or that contain a particular program (for example an antivirus program). This increases security with regard to data processing in the cloud. The approach works, for example, for document management as well as for databases or applications moved to the cloud. The invention can be implemented for every type of distributed data processing in which the data or applications must be protected against unauthorized access.
PCT/EP2012/063808 2011-08-04 2012-07-13 Régulation d'accès pour des données ou des applications d'un réseau WO2013017394A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102011080467.6 2011-08-04
DE102011080467A DE102011080467A1 (de) 2011-08-04 2011-08-04 Zugangsregelung für Daten oder Applikationen eines Netzwerks

Publications (1)

Publication Number Publication Date
WO2013017394A1 true WO2013017394A1 (fr) 2013-02-07

Family

ID=46516747

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2012/063808 WO2013017394A1 (fr) 2011-08-04 2012-07-13 Régulation d'accès pour des données ou des applications d'un réseau

Country Status (2)

Country Link
DE (1) DE102011080467A1 (fr)
WO (1) WO2013017394A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10686957B2 (en) * 2018-05-30 2020-06-16 Konica Minolta, Inc. Image processing apparatus and method of controlling the same

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2965247A4 (fr) * 2013-03-09 2016-10-12 Intel Corp Authentification d'utilisateur sécurisée avec vérification améliorée par code d'accès à utilisation unique
US9313203B2 (en) 2013-03-15 2016-04-12 Symantec Corporation Systems and methods for identifying a secure application when connecting to a network
DE102013018596A1 (de) 2013-11-07 2015-05-07 Phoenix Contact Gmbh & Co. Kg Netzwerksystem, Koppeleinheit und Verfahren zum Betreiben eines Netzwerksystems
CN106657214A (zh) * 2016-09-14 2017-05-10 广东欧珀移动通信有限公司 一种数据迁移的方法及终端
EP3767505B1 (fr) * 2019-07-18 2022-08-24 Siemens Aktiengesellschaft Procédé et système de fourniture des informations de sécurité sur un récipient d'application pour un terminal industriel


Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011091313A1 (fr) * 2010-01-22 2011-07-28 Interdigital Patent Holdings, Inc. Procédé et appareil de gestion d'identité fédérée de confiance et d'autorisation d'accès aux données

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
GEORGE COKER ET AL: "Principles of remote attestation", INTERNATIONAL JOURNAL OF INFORMATION SECURITY, SPRINGER, BERLIN, DE, vol. 10, no. 2, 23 April 2011 (2011-04-23), pages 63 - 81, XP019905825, ISSN: 1615-5270, DOI: 10.1007/S10207-011-0124-7 *
KAIN M ET AL: "SAML 2.0, ein Tutorium- Teil 1: Theorie", vol. 5/2007, 31 May 2007 (2007-05-31), pages 55 - 59, XP002598178, Retrieved from the Internet <URL:http://www.acando.de/Global/GER/fachartikel_ger/kain_keller_JS_05_07.pdf> [retrieved on 20100826] *
SANGSTER SYMANTEC H KHOSRAVI INTEL M MANI AVAYA K NARAYAN CISCO SYSTEMS J TARDO NEVIS NETWORKS P: "Network Endpoint Assessment (NEA): Overview and Requirements; rfc5209.txt", 20080601, 1 June 2008 (2008-06-01), XP015057204, ISSN: 0000-0003 *


Also Published As

Publication number Publication date
DE102011080467A1 (de) 2013-02-07

Similar Documents

Publication Publication Date Title
DE112011101729B4 (de) Verwaltung von Ressourcenzugriff
DE60205289T2 (de) System und Verfahren zur gesicherte Funkübertragung von Konfigurationsdaten
DE602004012870T2 (de) Verfahren und system zur benutzerauthentifizierung in einer benutzer-anbieterumgebung
DE112020000538T5 (de) Feinkörnige zugriffskontrolle auf token-grundlage
DE60308692T2 (de) Verfahren und system für benutzerbestimmte authentifizierung und einmalige anmeldung in einer föderalisierten umgebung
DE60220718T2 (de) Verfahren und system zur sicheren behandlung von elektronischen geschäften im internet
DE112012002741T5 (de) Identitäts- und Berechtigungsprüfungsverfahren für die Sicherheit einer Cloud-Datenverarbeitungsplattform
DE112012003977T5 (de) Eingriffsfreies Verfahren und Vorrichtung zum automatischen Zuteilen von Sicherheitsregelnin einer Cloud-Umgebung
DE602004012300T2 (de) Verfahren und vorrichtungen für skalierbaren sicheren fern-desktop-zugriff
EP3764614B1 (fr) Système d'authentification distribué
DE102007012749A1 (de) Verfahren und System zur Bereitstellung von Diensten für Endgeräte
WO2013017394A1 (fr) Régulation d'accès pour des données ou des applications d'un réseau
DE10296804T5 (de) Verfahren und System zum Autorisieren des Zugriffs auf Betriebsmittel auf einem Server
DE112011102224B4 (de) Identitätsvermittlung zwischen Client- und Server-Anwendungen
DE102011077218B4 (de) Zugriff auf in einer Cloud gespeicherte Daten
DE112022004486T5 (de) Schrittweises überprüfen von zugriffs-token
WO2020229537A1 (fr) Procédé d'exécution sélective d'un conteneur et agencement de réseau
DE112021005026T5 (de) Persistente quellwerte für angenommene alternative identitäten
EP2575385A1 (fr) Procédé d'initialisation et/ou d'activation d'au moins un compte d'utilisateur, de réalisation d'une transaction, ainsi que terminal
DE102014204344B4 (de) Authentifizierungsvorrichtung, Authentifizierungssystem und Authentifizierungsverfahren
DE102012007217A1 (de) IT-Verfahren für den sicheren Umgang mit Sensitiven Daten im Kontext des Cloud Computings
WO2008006889A2 (fr) Procédé et système pour mettre en place des réseaux d'accès à un réseau public
DE202016008055U1 (de) Sichere Konfiguration von Cloud-Computerknoten
DE102005050336B4 (de) Verfahren und Anordnung zum Betreiben eines Sicherheitsgateways
DE602004009570T2 (de) Politik- und attribut-basierter Zugriff zu einem Betriebsmittel

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12735870; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12735870; Country of ref document: EP; Kind code of ref document: A1)