1. Field of the Invention
The field of the invention relates to computer-implemented policies for controlling access to private resources.
2. Related Art
In a corporate environment, users on an internal network (e.g., an Intranet) have access to resources that would not typically be accessible to users who are not connected to the internal network. By limiting the use of these resources to users connected to the internal network, a degree of security can be provided, because only users inside the corporation can access the applications. Although this approach is somewhat secure, users can find it inconvenient, because some users need to access applications on a corporate server when they are not at the office (and thus not connected via an Intranet).
To overcome this problem, some networks are configured to allow remote access to a server over the Internet. To achieve secure remote access to a server, corporations create a “portal” for users to log into the server while not connected to the Intranet. Typically, a user will provide credentials such as a user name and password to gain access to the server over the Internet. Policies are defined and enforced that control access to particular resources available on the server, to prevent unauthorized use of those resources. These policies reside on a policy server. Once an authenticated user has been granted access to a server and requests access to a resource on the server, the server checks with the policy server to verify that the user is authorized to access the resource. Such a system can also be used to control access to resources when users access the server via the internal network.
Referring now to Prior Art FIG. 1, a block diagram of a portion of a general network system 10 is shown. The system 10 includes a remote node 20 coupled to a server 22 (e.g., a Web server). Residing on the server 22 is a resource, perhaps identified by some type of Uniform Resource Identifier or Uniform Resource Locator. Typically, a user at node 20 will attempt to access the resource over the Internet. In a corporate environment, the client node 20 could be connected to the server 22 by an internal network (e.g., an Intranet).
Before allowing access to the resource, the server 22 needs to verify that the user has the necessary authority to do so. To accomplish this, the server 22 accesses a policy server 24. The policy server evaluates the request against a defined policy, and returns to the server 22 a decision with regard to whether access is granted or not.
The approach just described is problematic because of its inefficiency. Usually, there are many client nodes and many servers, and consequently many requests for resources. Each request to server 22 results in back-and-forth communication between the server 22 and the policy server 24. In addition, each request to server 22 needs to be evaluated by the policy server 24, even when it repeats a request that was already evaluated. As a consequence, a measurable portion of network resources, including the computational resources of policy server 24 as well as communication bandwidth, is consumed in support of implementing access control policies.
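The following is an added illustration of the server/policy-server arrangement described above; it is not code from the patent. It models server 22 as a resource server that makes no access decision itself and policy server 24 as the sole decision point, then runs a constructed stream of requests through the pair and counts how many policy evaluations and server-to-policy-server exchanges result. The user names, resource paths, and the prefix-based policy format are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str        # user name authenticated at the portal
    resource: str    # URI of the requested resource on the server
    action: str = "GET"


class PolicyServer:
    """Policy server (policy server 24): holds the access policy and evaluates
    every request the resource server forwards to it."""

    def __init__(self, policy):
        # policy: ordered mapping of resource-path prefix -> {user: set(actions)};
        # the first matching prefix decides, and anything unmatched is denied.
        self.policy = policy
        self.evaluations = 0

    def evaluate(self, req):
        self.evaluations += 1
        for prefix, grants in self.policy.items():
            if req.resource.startswith(prefix):
                return req.action in grants.get(req.user, set())
        return False  # default deny: no rule covers this resource


class WebServer:
    """Resource server (server 22): authenticates, but never decides access
    on its own; each authenticated request is sent to the policy server."""

    def __init__(self, policy_server):
        self.policy_server = policy_server
        self.round_trips = 0

    def handle(self, req, authenticated):
        if not authenticated:
            return 401  # portal login failed; nothing reaches the policy server
        self.round_trips += 1  # one exchange with the policy server per request
        return 200 if self.policy_server.evaluate(req) else 403


# Constructed sample policy (hypothetical users and paths, not from the text).
SAMPLE_POLICY = {
    "/intranet/payroll": {"alice": {"GET"}},
    "/intranet/": {"alice": {"GET"}, "bob": {"GET"}},
}

# Constructed request stream; the last three entries are identical repeats.
SAMPLE_REQUESTS = [
    (AccessRequest("alice", "/intranet/payroll/report"), True),
    (AccessRequest("bob", "/intranet/payroll/report"), True),
    (AccessRequest("bob", "/intranet/wiki"), True),
    (AccessRequest("carol", "/intranet/wiki"), True),
    (AccessRequest("alice", "/intranet/payroll/report", "POST"), True),
    (AccessRequest("mallory", "/intranet/wiki"), False),
] + [(AccessRequest("alice", "/intranet/wiki"), True)] * 3


def simulate(requests=SAMPLE_REQUESTS, policy=SAMPLE_POLICY):
    """Run the request stream through the server/policy-server pair.
    Returns (status codes, policy evaluations, server<->policy-server round trips)."""
    ps = PolicyServer(policy)
    ws = WebServer(ps)
    statuses = [ws.handle(req, ok) for req, ok in requests]
    return statuses, ps.evaluations, ws.round_trips


if __name__ == "__main__":
    statuses, evals, trips = simulate()
    print(statuses)
    print(f"{len(SAMPLE_REQUESTS)} requests -> {evals} policy evaluations, {trips} round trips")
```

The two counters make the cost visible: every authenticated request, including the three identical repeats from the same user for the same resource, produces one evaluation on the policy server and one exchange between the two servers, so the load on both grows linearly with request volume regardless of how often a decision is repeated.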