Patents by Inventor Craig Robert William Forster
Craig Robert William Forster has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 10277566
  Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
  Type: Grant
  Filed: June 14, 2017
  Date of Patent: April 30, 2019
  Assignee: SailPoint Technologies, Inc.
  Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
- Publication number: 20170289116
  Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
  Type: Application
  Filed: June 14, 2017
  Publication date: October 5, 2017
  Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B.T. Chow, Phillip Goldenburg
- Patent number: 9722980
  Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
  Type: Grant
  Filed: March 15, 2016
  Date of Patent: August 1, 2017
  Assignee: Sailpoint Technologies, Inc.
  Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
- Patent number: 9514286
  Abstract: A method, apparatus and computer program product for evaluating a context-based (e.g., XACML) policy having a set of attributes using a weighted index tree having one or more leaves extending from a root node. Each leaf of the tree represents a policy rule. A depth-first path down the leaf represents one or more attributes of the set of attributes that must be present in a request for the rule to be applicable. An input is evaluated against the weighted index tree to generate a response. One type of input is an authorization request, in which case the response is an authorization decision (e.g., permit or deny). Another type of input is a query for a set of entitlements, in which case the response is a set of entitlements.
  Type: Grant
  Filed: March 30, 2010
  Date of Patent: December 6, 2016
  Assignee: International Business Machines Corporation
  Inventor: Craig Robert William Forster
- Publication number: 20160197900
  Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
  Type: Application
  Filed: March 15, 2016
  Publication date: July 7, 2016
  Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B.T. Chow, Phillip Goldenburg
- Patent number: 9319395
  Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
  Type: Grant
  Filed: June 27, 2014
  Date of Patent: April 19, 2016
  Assignee: Sailpoint Technologies, Inc.
  Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
- Patent number: 9231974
  Abstract: A machine-implemented method for evaluating a context-based (e.g., XACML) policy having a set of attributes formulates a search against one or more existing external repositories using a query that is dynamically-generated based on the security policy being evaluated. The approach shifts the building of a candidate set of potentially-allowable resources to the authorization engine (e.g., a Policy Decision Point (PDP)). In operation, an application calls the PDP using an entitlement request and, in response, the PDP builds the candidate set of values based on the defined security policy by generating a query to an external data repository and receiving the results of that query. This approach enables a policy-driven entitlement query at runtime.
  Type: Grant
  Filed: March 15, 2013
  Date of Patent: January 5, 2016
  Assignee: International Business Machines Corporation
  Inventors: Miguel Pedroza, Craig Robert William Forster, Umesh Prithviraj Adtani, Yogesh Suresh Shukla
- Publication number: 20150012751
  Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
  Type: Application
  Filed: June 27, 2014
  Publication date: January 8, 2015
  Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B.T. Chow, Phillip Goldenburg
- Patent number: 8869250
  Abstract: An approach is provided that receives a first role selection from a client device. Each of the roles includes various user accounts provisioned to access various software applications. An authentication challenge is retrieved. The authentication challenge is based upon the role selection that was received from the client device. The authentication challenge is transmitted to the client device. An authentication submission is received from the client device. This authentication submission is authenticated and, if the authentication is successful, then the client device is granted access to software applications using the provisioned user accounts that were included in the role selection. In addition, audit data of usage of the software applications by the client device is recorded. The audit data includes identification of the provisioned user accounts used to access the software applications using the role selection.
  Type: Grant
  Filed: August 23, 2012
  Date of Patent: October 21, 2014
  Assignee: International Business Machines Corporation
  Inventors: Craig Robert William Forster, Christopher John Hockings
- Publication number: 20140282831
  Abstract: A machine-implemented method for evaluating a context-based (e.g., XACML) policy having a set of attributes formulates a search against one or more existing external repositories using a query that is dynamically-generated based on the security policy being evaluated. The approach shifts the building of a candidate set of potentially-allowable resources to the authorization engine (e.g., a Policy Decision Point (PDP)). In operation, an application calls the PDP using an entitlement request and, in response, the PDP builds the candidate set of values based on the defined security policy by generating a query to an external data repository and receiving the results of that query. This approach enables a policy-driven entitlement query at runtime.
  Type: Application
  Filed: March 15, 2013
  Publication date: September 18, 2014
  Inventors: Miguel Pedroza, Craig Robert William Forster, Umesh Prithviraj Adtani, Yogesh Suresh Shukla
- Patent number: 8495701
  Abstract: In one embodiment, a computer implemented method for indexing security policies is provided. The computer implemented method determines a policy vocabulary to form a set of policy elements, and creates an index from the set of policy elements. The computer implemented method further receives a request to form requested policy elements, locates requested policy elements in the index to form a set of returned policy elements, and identifies a rule for use with the returned policy elements.
  Type: Grant
  Filed: June 5, 2008
  Date of Patent: July 23, 2013
  Assignee: International Business Machines Corporation
  Inventor: Craig Robert William Forster
- Patent number: 8458672
  Abstract: Computer implemented method, system and computer usable program code for facilitating utilization of data. A computer implemented method for facilitating utilization of data includes receiving data, wherein the received data is in a first representation. The received data is converted from the first representation to a common representation that is mapped to the first representation using an external configuration file. The common representation of the data is output to facilitate utilization of the data.
  Type: Grant
  Filed: July 17, 2007
  Date of Patent: June 4, 2013
  Assignee: International Business Machines Corporation
  Inventors: Craig Robert William Forster, Kerry Robert Gunn, Vernon Murdoch, Miguel Pedroza
- Patent number: 8346866
  Abstract: Special interest subgroups are formed by a group of participants by establishing a profile for each participant. The profile defines contribution attributes dealing with contributions the profiled participant might make to a subgroup and attribution attributes dealing with benefits the profiled participant might receive from participating in the subgroup. For each possible pairing of participants in the group, an overall contribution score and an overall benefit score are calculated for each participant. A mutual benefit score is calculated by combining the benefit scores for both participants in the pair. Participants are assigned to subgroups as a function of participant contribution and mutual benefit scores.
  Type: Grant
  Filed: May 5, 2010
  Date of Patent: January 1, 2013
  Assignee: International Business Machines Corporation
  Inventors: Simon Gilbert Canning, Craig Robert William Forster, Neil Ian Readshaw
- Publication number: 20120324546
  Abstract: An approach is provided that receives a first role selection from a client device. Each of the roles includes various user accounts provisioned to access various software applications. An authentication challenge is retrieved. The authentication challenge is based upon the role selection that was received from the client device. The authentication challenge is transmitted to the client device. An authentication submission is received from the client device. This authentication submission is authenticated and, if the authentication is successful, then the client device is granted access to software applications using the provisioned user accounts that were included in the role selection. In addition, audit data of usage of the software applications by the client device is recorded. The audit data includes identification of the provisioned user accounts used to access the software applications using the role selection.
  Type: Application
  Filed: August 23, 2012
  Publication date: December 20, 2012
  Applicant: International Business Machines Corporation
  Inventors: Craig Robert William Forster, Christopher John Hockings
- Patent number: 8332917
  Abstract: An approach is provided that receives a first role selection from a client device. Each of the roles includes various user accounts provisioned to access various software applications. An authentication challenge is retrieved. The authentication challenge is based upon the role selection that was received from the client device. The authentication challenge is transmitted to the client device. An authentication submission is received from the client device. This authentication submission is authenticated and, if the authentication is successful, then the client device is granted access to software applications using the provisioned user accounts that were included in the role selection. In addition, audit data of usage of the software applications by the client device is recorded. The audit data includes identification of the provisioned user accounts used to access the software applications using the role selection.
  Type: Grant
  Filed: December 29, 2009
  Date of Patent: December 11, 2012
  Assignee: International Business Machines Corporation
  Inventors: Craig Robert William Forster, Christopher John Hockings
- Publication number: 20110246498
  Abstract: A method, apparatus and computer program product for evaluating a context-based (e.g., XACML) policy having a set of attributes using a weighted index tree having one or more leaves extending from a root node. Each leaf of the tree represents a policy rule. A depth-first path down the leaf represents one or more attributes of the set of attributes that must be present in a request for the rule to be applicable. An input is evaluated against the weighted index tree to generate a response. One type of input is an authorization request, in which case the response is an authorization decision (e.g., permit or deny). Another type of input is a query for a set of entitlements, in which case the response is a set of entitlements.
  Type: Application
  Filed: March 30, 2010
  Publication date: October 6, 2011
  Applicant: International Business Machines Corporation
  Inventor: Craig Robert William Forster
- Publication number: 20110162046
  Abstract: An approach is provided that receives a first role selection from a client device. Each of the roles includes various user accounts provisioned to access various software applications. An authentication challenge is retrieved. The authentication challenge is based upon the role selection that was received from the client device. The authentication challenge is transmitted to the client device. An authentication submission is received from the client device. This authentication submission is authenticated and, if the authentication is successful, then the client device is granted access to software applications using the provisioned user accounts that were included in the role selection. In addition, audit data of usage of the software applications by the client device is recorded. The audit data includes identification of the provisioned user accounts used to access the software applications using the role selection.
  Type: Application
  Filed: December 29, 2009
  Publication date: June 30, 2011
  Applicant: International Business Machines Corporation
  Inventors: Craig Robert William Forster, Christopher John Hockings
- Publication number: 20090307742
  Abstract: In one embodiment, a computer implemented method for indexing security policies is provided. The computer implemented method determines a policy vocabulary to form a set of policy elements, and creates an index from the set of policy elements. The computer implemented method further receives a request to form requested policy elements, locates requested policy elements in the index to form a set of returned policy elements, and identifies a rule for use with the returned policy elements.
  Type: Application
  Filed: June 5, 2008
  Publication date: December 10, 2009
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventor: Craig Robert William Forster
- Publication number: 20090024987
  Abstract: Computer implemented method, system and computer usable program code for facilitating utilization of data. A computer implemented method for facilitating utilization of data includes receiving data, wherein the received data is in a first representation. The received data is converted from the first representation to a common representation that is mapped to the first representation using an external configuration file. The common representation of the data is output to facilitate utilization of the data.
  Type: Application
  Filed: July 17, 2007
  Publication date: January 22, 2009
  Inventors: Craig Robert William Forster, Kerry Robert Gunn, Vernon Murdoch, Miguel Pedroza