Before an endpoint gains access to corporate enterprise network infrastructure and resources, it is increasingly becoming necessary to determine that the endpoint has undergone host security checks and audits to verify that it meets corporate information technology policies. Examples of such checks include, without limitation, verifying that the anti-virus software on the endpoint is up to date, that the latest operating system patches have been installed and that no malicious software is executing on the endpoint. Performing these checks minimizes the infection of other connected corporate assets by a compromised endpoint.
Conventional methods of access control typically require receipt and evaluation of authentication credentials from a client prior to granting access. The credentials are typically presented to an access infrastructure or other security gateway, which determines what types of access may be provided to the client. Methods for requesting and receiving these credentials typically generate additional administrative burdens. For example, if a user is entering the credentials into a user interface, the request for the required credentials must be translated into a format understandable the user, for example from the expression in which the policy was added to a request identifying the explicit credentials required for evaluation of the policy. When the credentials are received from the user, in some methods, a policy engine applies a policy to the credentials in making an access control decision. This typically requires transmission from a component receiving the credentials to the component making the access control decision, generating additional delay in situations where the components are remotely located from each other and from the client.
A method minimizing administrative burden in requesting user credentials by transmitting an expression of a policy to a client without modifying the format of the expression would be desirable. A method for evaluating such an expression by the client, minimizing the number of components required to reach an access control decision would also be desirable.