The present invention relates to a method and apparatus for facilitating security in a network and, more particularly, embodiments of the present invention relate to methods, means, apparatus, and computer program code for facilitating security requests associated with applications and responded to by security services in a network.
Many organizations face the problem of automating and streamlining software applications in order to increase revenues and profits, improve customer relations, etc. While allowing access to and use of such applications by authorized employees, contractors, or other users, the organizations also must prevent unauthorized access and use. For example, a bank may enhance its relationships with commercial customers by providing increased efficiency with on-line currency trading. This type of service may require real-time updates and links to back office transactional systems in order to function properly. At a minimum, the bank needs to protect the integrity of its core systems from unauthorized transfers or tampering. As another example, a manufacturer may accelerate the development and manufacturing cycle for new products by creating a centralized World Wide Web ("Web") site that maintains development and manufacturing research and other information for use by its engineers and scientists. As a result, plant engineers on one continent can share process breakthroughs with their colleagues around the globe. As the manufacturer may want to limit disclosure of its trade secrets and methods, the manufacturer may want to ensure that its competitors or sub-contractors cannot access the Web site.
In general terms, in order to secure its information assets, an organization may want to provide several protections. First, the organization may want to safeguard user privacy and prevent the theft of information both while it is stored and while it is in transit. Second, the organization may want to ensure that electronic transactions and data resources are not tampered with at any point, either accidentally or maliciously. Third, the organization may want to detect attacks in progress or be able to trace any damage from successful attacks, as well as be able to prevent users from later denying completed transactions. Fourth, the organization may want to ensure uninterrupted service to authorized users and prevent either accidental or maliciously caused service interruptions. In order to provide these key protections such that legitimate users can access applications while unauthorized access is barred, information security must be an integral part of the organization's network and system design and implementation.
An organization may use a distributed network architecture to allow disparately located users to access applications, data and other resource components. Unfortunately, making such applications, data and other resource components available across a wide network makes them harder to protect. Moreover, security functionality also may be distributed throughout the network rather than residing in a central location, thereby making it easier to bypass or spoof them. As a further complication, distributed networks are often heterogeneous; that is, they may use applications and security products from many different vendors and such applications and security products may be implemented differently on different platforms.
As one example of the difficulty in providing adequate security in a typical enterprise architecture, a user may access a Web-based business application using a browser that in turn communicates with the business application via a Web server. A request from the user may be transmitted through a complex multi-tier chain of software applications operating on a variety of platforms before it reaches the back-office business application, which may then access databases on behalf of the user, process the user's request, and return the appropriate results. In order to provide end-to-end security, and to ensure that security safeguards cannot be bypassed, each link in the chain of requests and replies must be properly protected, i.e., from the initiating browser, through mid-tier business components, to the back-office business application and databases, and then back again to the browser. There are at least three security tiers that comprise an end-to-end security system for this example: (1) perimeter security technologies, which are used between the browser and the Web server; (2) mid-tier security technologies, which are used between the mid-tier business components; and (3) back-office security technologies, which address protection of databases and operating system specific back-end systems (e.g., mainframes, UNIX and Windows NT server platforms).
As a result of all of this, security for different applications may be distributed across the network or performed by different security components (e.g., at a hardware level, by middleware, by an operating system). In addition, a particular distributed application may be secure, but confirming that the application is secure may be difficult, or even impossible.
It would be advantageous to provide a method and apparatus that overcome the drawbacks of the prior art. In particular, it would be desirable to provide methods and apparatus that facilitate integrated security across the perimeter, middle, and back-office security tiers while allowing the use of applications and security services that are from different vendors and/or that are based or operating on different platforms.
Embodiments of the present invention provide a system, method, apparatus, means, and computer program code for facilitating security in a network, particularly a distributed network.
According to some embodiments of the present invention, a system or security framework for facilitating security in a network may include an adapter associated with one or more applications, a manager, and/or one or more mappers associated with one or more security services. The manager may be capable of selecting a security request to handle or otherwise process a security request associated with an application.
The adapter may intercept or otherwise identify a security request associated with the application and provide data indicative of the security request to the manager. The manager may receive the data indicative of the security request from the adapter, determine a security service to process the security request, and provide the data indicative of the security request to the mapper associated with the selected security service.
The mapper called, loaded or otherwise selected by the manager may receive the data indicative of the security request from the manager, prepare a security service version of the security request, and call the security service to process the security service version of the security request. After the security service processes the security request and creates a response to the security request, the mapper may receive the response to the security service version of the security request from the security service and provide data indicative of the response to the manager.
After receiving the data indicative of the response from the mapper, the manager may provide data indicative of the response to the adapter. In turn, the adapter may prepare a response regarding the security request after receiving the data indicative of the response from the manager and provide the response to the application.
Additional advantages and novel features of the invention shall be set forth in part in the description that follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by the practice of the invention.
According to some embodiments of the present invention, a method for facilitating security in a system, wherein the system includes a manager module used in routing a security request associated with an application to a security service module, may include receiving data indicative of a security request from a module associated with an application that identified the security request; selecting a security service module capable of processing the security request; and providing at least some of the data indicative of the security request to a module capable of calling the security service module to process the security request. According to some further embodiments of the present invention, a method for facilitating security in a system, wherein the system includes an adapter module associated with an application, may include identifying a security request associated with the application; and providing data indicative of the security request to a module in the system that can select a security service module to process the security request, wherein the data indicative of the security request is in a format independent of the application. According to some additional embodiments of the present invention, a method for facilitating security in a system, wherein the system includes a mapper module associated with a security service module, may include receiving data indicative of a security request associated with an application from a module capable of selecting the security service module to process the security request, wherein the data associated with the security request is in a format independent of the application; and providing data indicative of the security request to the security service module. 
According to some even further embodiments of the present invention, a method for facilitating security in a system that includes an adapter module associated with an application, at least one mapper module associated with at least one respective security service module, and a manager module in communication with the adapter module and the at least one mapper module, may include the steps of identifying a security request associated with an application; determining a security service module that can process the security request; calling the security service module; receiving a response to the security request from the security service module; and providing the response to the application.
According to some additional embodiments of the present invention, a method for facilitating security in a system that includes an adapter module associated with an application, at least one mapper module associated with at least one respective security service module, and a manager module in communication with the adapter module and the at least one mapper module, may include the steps of identifying a first security request associated with an application; translating the first security request to create data indicative of the first security request; determining a security service module that can process the first security request; creating a second security request directed to the security service module and based on the data indicative of the first security request; calling the security service module; receiving a first response from the security service module regarding the second security request; translating the first response to create data indicative of the first response; creating a second response regarding the first security request based on the data indicative of the first response; and providing the second response to the application.
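The request flow summarized above (adapter intercepts an application-specific request, the manager selects a mapper, the mapper translates the request into a service-specific call and translates the service's reply back, and the adapter hands the application a response in its own format), including the two-stage translation of the first request into a second request and the first response into a second response, as an added Python example. This is constructed illustration code, not the patent's or any vendor's implementation: the `SecurityRequest`/`SecurityResponse` format, the two simulated security services (`DirectoryService`, `PolicyService`) and their result codes, and the sample user and ACL data are all assumptions made for the example.

```python
"""Adapter / manager / mapper security framework (constructed example)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Set
import hashlib
import hmac


# Application-independent request/response format (assumed for this example).
@dataclass(frozen=True)
class SecurityRequest:
    kind: str                                   # e.g. "authenticate", "authorize"
    subject: str                                # principal the request concerns
    attributes: Dict[str, Any] = field(default_factory=dict)


@dataclass(frozen=True)
class SecurityResponse:
    granted: bool
    reason: str


# Stand-ins for two vendor security services with unrelated APIs (assumed).
class DirectoryService:
    """Authentication service: bind(dn, password) returns a numeric result code."""

    def __init__(self, users: Dict[str, str]):
        # Keep salted digests rather than clear-text passwords.
        self._users = {dn: self._digest(pw) for dn, pw in users.items()}

    @staticmethod
    def _digest(password: str) -> str:
        return hashlib.sha256(("example-salt:" + password).encode()).hexdigest()

    def bind(self, dn: str, password: str) -> int:
        expected = self._users.get(dn)
        # Constant-time comparison; 0 = success, 49 = invalid credentials (assumed codes).
        if expected is not None and hmac.compare_digest(expected, self._digest(password)):
            return 0
        return 49


class PolicyService:
    """Authorization service: evaluate(...) returns the strings PERMIT / DENY."""

    def __init__(self, acl: Dict[str, Set[str]]):
        self._acl = acl

    def evaluate(self, principal: str, resource: str, action: str) -> str:
        return "PERMIT" if f"{resource}:{action}" in self._acl.get(principal, set()) else "DENY"


# Mappers: each one knows exactly one service's vocabulary.
def directory_mapper(svc: DirectoryService) -> Callable[[SecurityRequest], SecurityResponse]:
    def handle(req: SecurityRequest) -> SecurityResponse:
        dn = f"uid={req.subject},ou=people"                     # second (service-specific) request
        code = svc.bind(dn, req.attributes.get("password", ""))
        ok = code == 0                                          # first response -> common format
        return SecurityResponse(ok, "authenticated" if ok else "invalid credentials")
    return handle


def policy_mapper(svc: PolicyService) -> Callable[[SecurityRequest], SecurityResponse]:
    def handle(req: SecurityRequest) -> SecurityResponse:
        verdict = svc.evaluate(req.subject, req.attributes.get("resource", ""),
                               req.attributes.get("action", ""))
        return SecurityResponse(verdict == "PERMIT", verdict.lower())
    return handle


class Manager:
    """Routes a common-format request to the mapper registered for its kind."""

    def __init__(self):
        self._mappers: Dict[str, Callable[[SecurityRequest], SecurityResponse]] = {}

    def register(self, kind: str, mapper: Callable[[SecurityRequest], SecurityResponse]) -> None:
        self._mappers[kind] = mapper

    def process(self, req: SecurityRequest) -> SecurityResponse:
        mapper = self._mappers.get(req.kind)
        if mapper is None:
            # Fail closed: a request no service can handle is denied, never passed through.
            return SecurityResponse(False, f"no security service for '{req.kind}'")
        return mapper(req)


class WebAppAdapter:
    """Translates a (constructed) web application's dict requests to and from the common format."""

    def __init__(self, manager: Manager):
        self._mgr = manager

    def intercept(self, app_req: Dict[str, Any]) -> Dict[str, Any]:
        action = app_req.get("action")
        user = app_req.get("username", "")
        if action == "login":                                   # first request -> common format
            req = SecurityRequest("authenticate", user, {"password": app_req.get("password", "")})
        elif action == "access":
            req = SecurityRequest("authorize", user,
                                  {"resource": app_req.get("path", ""), "action": app_req.get("method", "")})
        else:
            req = SecurityRequest(action or "unknown", user)
        resp = self._mgr.process(req)
        # Second response in the application's own shape; only decision and reason cross back.
        return {"ok": resp.granted, "message": resp.reason}


def build_framework() -> WebAppAdapter:
    """Wire one adapter, one manager and two mappers over constructed sample data."""
    directory = DirectoryService({"uid=alice,ou=people": "s3cret"})     # constructed user
    policy = PolicyService({"alice": {"/reports:GET"}})                  # constructed ACL
    mgr = Manager()
    mgr.register("authenticate", directory_mapper(directory))
    mgr.register("authorize", policy_mapper(policy))
    return WebAppAdapter(mgr)


if __name__ == "__main__":
    adapter = build_framework()
    print(adapter.intercept({"action": "login", "username": "alice", "password": "s3cret"}))
    print(adapter.intercept({"action": "access", "username": "alice", "path": "/admin", "method": "POST"}))
```

Two points matter for the security of such a framework rather than only its plumbing: the manager returns a denial when no mapper is registered for a request kind, so an unroutable request cannot silently succeed, and the adapter passes back only the decision and a short reason, so service-specific details such as the directory's result codes never reach the application tier.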
According to some embodiments of the present invention, an apparatus for facilitating security in a system, wherein the system includes a manager module used in routing a security request associated with an application to a security service module, may include means for obtaining data indicative of a security request from a module associated with an application that identified the security request; means for identifying a security service module capable of processing the security request; and means for sending at least some of the data indicative of the security request to a module capable of calling the security service module to process the security request. According to some further embodiments of the present invention, an apparatus for facilitating security in a system, wherein the system includes an adapter module associated with an application, may include means for obtaining a security request associated with the application; and means for sending data indicative of the security request to a module in the system that can select a security service module to process the security request, wherein the data indicative of the security request is in a format independent of the application. According to some additional embodiments of the present invention, an apparatus for facilitating security in a system, wherein the system includes a mapper module associated with a security service module, may include means for obtaining data indicative of a security request associated with an application from a module capable of selecting the security service module to process the security request, wherein the data associated with the security request is in a format independent of the application; and means for sending data indicative of the security request to the security service module. 
According to some even further embodiments of the present invention, an apparatus for facilitating security in a system that includes an adapter module associated with an application, at least one mapper module associated with at least one respective security service module, and a manager module in communication with the adapter module and the at least one mapper module, may include means for obtaining a security request associated with an application; means for identifying a security service module that can process the security request; means for calling the security service module; means for obtaining a response to the security request from the security service module; and means for sending the response to the application. According to some additional embodiments of the present invention, an apparatus for facilitating security in a system that includes an adapter module associated with an application, at least one mapper module associated with at least one respective security service module, and a manager module in communication with the adapter module and the at least one mapper module, may include means for obtaining a first security request associated with an application; means for parsing the first security request to create data indicative of the first security request; means for identifying a security service module that can process the first security request; means for generating a second security request directed to the security service module and based on the data indicative of the first security request; means for loading the security service module; means for obtaining a first response from the security service module regarding the second security request; means for parsing the first response to create data indicative of the first response; means for generating a second response regarding the first security request based on the data indicative of the first response; and means for sending the second response to the application.
According to some embodiments of the present invention, a computer program in a computer readable medium for facilitating security in a system, wherein the system includes a manager module used in routing a security request associated with an application to a security service module, may include first instructions for obtaining data indicative of a security request from a module associated with an application that identified the security request; second instructions for identifying a security service module capable of processing the security request; and third instructions for sending at least some of the data indicative of the security request to a module capable of calling the security service module to process the security request. According to some further embodiments of the present invention, a computer program in a computer readable medium for facilitating security in a system, wherein the system includes an adapter module associated with an application, may include first instructions for obtaining a security request associated with the application; and second instructions for sending data indicative of the security request to a module in the system that can select a security service module to process the security request, wherein the data indicative of the security request is in a format independent of the application. 
According to some additional embodiments of the present invention, a computer program in a computer readable medium for facilitating security in a system, wherein the system includes a mapper module associated with a security service module, may include first instructions for obtaining data indicative of a security request associated with an application from a module capable of selecting the security service module to process the security request, wherein the data associated with the security request is in a format independent of the application; and second instructions for sending data indicative of the security request to the security service module. According to some even further embodiments of the present invention, a computer program in a computer readable medium for facilitating security in a system that includes an adapter module associated with an application, at least one mapper module associated with at least one respective security service module, and a manager module in communication with the adapter module and the at least one mapper module, may include first instructions for obtaining a security request associated with an application; second instructions for identifying a security service module that can process the security request and calling the security service module; third instructions for obtaining a response to the security request from the security service module; and fourth instructions for sending the response to the application.
According to some additional embodiments of the present invention, a computer program in a computer readable medium for facilitating security in a system that includes an adapter module associated with an application, at least one mapper module associated with at least one respective security service module, and a manager module in communication with the adapter module and the at least one mapper module, may include first instructions for obtaining a first security request associated with an application; second instructions for parsing the first security request to create data indicative of the first security request; third instructions for identifying a security service module that can process the first security request; fourth instructions for generating a second security request directed to the security service module and based on the data indicative of the first security request; fifth instructions for loading the security service module; sixth instructions for obtaining a first response from the security service module regarding the second security request; seventh instructions for parsing the first response to create data indicative of the first response; eighth instructions for generating a second response regarding the first security request based on the data indicative of the first response; and ninth instructions for sending the second response to the application.
According to some embodiments of the present invention, a system for facilitating security may include an adapter module associated with an application; a mapper module associated with a security service module; and a manager module in communication with the adapter module and the mapper module; wherein the adapter module can identify a security request associated with the application, provide data indicative of the security request to the manager module, and provide a response to the application regarding the security request after receiving data indicative of the response from the manager module; wherein the manager module can receive the data indicative of the security request from the adapter module, provide the data indicative of the security request to the mapper module if the security service module associated with the mapper module can process the security request, and provide data indicative of the response to the adapter module after receiving the data indicative of the response from the mapper module; and wherein the mapper module can receive the data indicative of the security request from the manager module, prepare a security service module version of the security request, call the security service module to process the security service module version of the security request, receive a response to the security service module version of the security request from the security service module, and provide data indicative of the response to the manager module.
According to some embodiments of the present invention, a module for facilitating security in a network may include an adapter module, wherein the adapter module is operative to identify a security request associated with an application, provide data indicative of the security request to a manager module capable of selecting a security service module to process the security request, and provide a response to the application regarding the security request after receiving data indicative of the response from the manager module.
According to some embodiments of the present invention, a module for facilitating security in a system may include a manager module, wherein the manager module is operative to receive data indicative of a security request associated with an application from an adapter module associated with the application, determine a security service module to process the security request, provide data indicative of the security request to a mapper module associated with the security service module, and provide data indicative of a response regarding the security request to the adapter module after receiving the data indicative of the response from the mapper module.
According to some embodiments of the present invention, a module for facilitating security in a system may include a mapper module associated with a security service module, wherein the mapper module is operative to receive from a manager module data indicative of a security request associated with an application, prepare a version of the security request specific to a security service module selected by the manager module, call the security service module to process the security service module specific version of the security request, receive a response to the security service module version of the security request from the security service module, and provide data indicative of the response to the manager module.
With these and other advantages and features of the invention that will become hereinafter apparent, the nature of the invention may be more clearly understood by reference to the following detailed description of the invention, the appended claims and to the several drawings attached herein.