CA2525249A1 - Distributed filesystem network security extension - Google Patents

Distributed filesystem network security extension

Publication number
CA2525249A1
CA2525249A1 CA002525249A CA2525249A CA2525249A1 CA 2525249 A1 CA2525249 A1 CA 2525249A1 CA 002525249 A CA002525249 A CA 002525249A CA 2525249 A CA2525249 A CA 2525249A CA 2525249 A1 CA2525249 A1 CA 2525249A1
Authority
CA
Canada
Prior art keywords
file
port
access
logic
secure
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CA002525249A
Other languages
French (fr)
Other versions
CA2525249C (en)
Inventor
Susann Marie Keohane
Gerald Francis Mcbrearty
Shawn Patrick Mullen
Jessica Kelley Murillo
Johnny Meng-Han Shieh
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Publication of CA2525249A1
Application granted
Publication of CA2525249C
Anticipated expiration
Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

A security protocol that dynamically implements enhanced mount security of a filesystem when access to sensitive files on a networked filesystem is requested. When the user of a client system attempts to access a specially-tagged sensitive file, the server hosting the filesystem executes software code that terminates the current mount and reconfigures the server ports to accept a re-mount from the client via a more secure port. The reconfigured server port is provided with the IP address of the client and matches that IP address during the re-mount operation. The switch to a secure mount is completed in a seamless manner so that authorized users are allowed to access sensitive files without bogging down the server with costly encryption and other resource-intensive security features. No significant delay is experienced by the user, while the sensitive file is shielded from unauthorized capture during transmission to the client system.

Claims (20)

1. A method for providing security for transmission of at least a first file, the method being for use in a data processing system comprising (1) a storage medium on which is stored said at least a first file having a preset access permission, (2) at least a first standard port and a second secure port for connecting said data processing system to external client systems, and (3) logic for selectively routing transmission of said at least one file via said first port and said second port, said method comprising:
responsive to a request for access to said first file by said external client system, checking said preset access permission of said first file; and when said preset access permission of said first file indicates secured access is required for said first file, dynamically routing a transmission of said first file to external client system via said second port.
2. The method of Claim 1, further comprising:
routing said transmission of said first file via said first standard port when said preset access permission indicates a regular access is sufficient.
3. The method of Claim 1, further comprising:
enabling a first mount of said data processing system via said first standard port; and enabling a second mount of said data processing system via said second secure port only when said first file requires secured access.
4. The method of Claim 1, wherein said data processing system further comprises an encryption module associated with said second secured port, said dynamic routing step comprising:
first encrypting said first file utilising said encryption module.
5. The method of Claim 1, wherein said data processing system further comprises reconfiguration logic for configuring said first standard port and said second secured port for supporting a mount by said client system, said dynamic routing step comprising:
first configuring said second secure port to support a remount operation received from said client system;
terminating a current mount on said first standard port with said client system; and storing session parameters of said current mount to enable seamless continuation of said session on said second secure port.
6. The method of Claim 5, wherein said configuring and storing step includes:
retrieving an IP address of said client system;
placing said IP address in a configuration of said second secure port, wherein said second secure port automatically recognises a remount operation from said client system and re-establishes the session with said client system.
7. The method of Claim 1, wherein said preset access permission is a bit within metadata linked to said first file and said method further comprises reading a value of said bit to evaluate whether said first file requires secure access.
8. The method of Claim 1, wherein said preset access permission includes an identification of which specific users are permitted to access said first file via a secured access, said method further comprising:
comparing a user of said client system with said specific users with permission to access said file; and when said user is one of said specific users, automatically initiating a re-routing of a transmission of said first file via said second secure port.
9. The method of Claim 1, wherein said first standard port connects to said client system via a first unsecured network and said second secure port connects to said client system via a second secured network.
10. The method of Claim 1, wherein:
said data processing system is a server within a network having a first subnet connecting said first standard port to said client system and a second subnet connecting said second secure port to said client system;
said first file is stored within a filesystem;
said checking step includes accessing said filesystem and locating said first file; and said routing step includes transmitting said file via said second subnet when said file requires secure access and transmitting said first file via said first subnet when said first file does not require secure access.
11. A system for providing security for transmission of at least a first file, for use in a data processing system comprising (1) a storage medium on which is stored said at least a first file having a preset access permission, (2) at least a first standard port and a second secure port for connecting said data processing system to external client systems, and (3) logic for selectively routing transmission of said at least one file via said first port and said second port, said system comprising:
logic, responsive to a request for access to said first file by said external client system, for checking said preset access permission of said first file; and when said preset access permission of said first file indicates secured access is required for said first file, logic for dynamically routing a transmission of said first file to external client system via said second port.
12. The system of Claim 11, further comprising:
logic for routing said transmission of said first file via said first standard port when said preset access permission indicates a regular access is sufficient.
13. The system of Claim 11, further comprising:
logic for enabling a first mount of said data processing system via said first standard port; and logic for enabling a second mount of said data processing system via said second secure port only when said first file requires secured access.
14. The system of Claim 11, wherein said data processing system further comprises an encryption module associated with said second secured port, said logic for dynamically routing comprising:
logic for first encrypting said first file utilising said encryption module.
15. The system of Claim 11, wherein said data processing system further comprises reconfiguration logic for configuring said first standard port and said second secured port for supporting a mount by said client system, said logic for dynamically routing comprising:
logic for first configuring said second secure port to support a remount operation received from said client system;
logic for terminating a current mount on said first standard port with said client system; and logic for storing session parameters of said current mount to enable seamless continuation of said session on said second secure port.
16. The system of Claim 15, wherein said configuring and storing step includes:
logic for retrieving an IP address of said client system;
logic for placing said IP address in a configuration of said second secure port, wherein said second secure port automatically recognises a remount operation from said client system and re-establishes the session with said client system.
17. The system of Claim 11, wherein said preset access permission is a bit within metadata linked to said first file and said system further comprises reading a value of said bit to evaluate whether said first file requires secure access.
18. The system of Claim 11, wherein said preset access permission includes an identification of which specific users are permitted to access said first file via a secured access, said system further comprising:
logic for comparing a user of said client system with said specific users with permission to access said file; and when said user is one of said specific users, logic for automatically initiating a re-routing of a transmission of said first file via said second secure port.
19. The system of Claim 11, wherein said first standard port connects to said client system via a first unsecured network and said second secure port connects to said client system via a second secured network.
20. The system of Claim 11, wherein:
said data processing system is a server within a network having a first subnet connecting said first standard port to said client system and a second subnet connecting said second secure port to said client system;
said first file is stored within a filesystem;
said logic for checking includes means for accessing said filesystem and locating said first file; and said logic for routing includes means for transmitting said file via said second subnet when said file requires secure access and transmitting said first file via said first subnet when said first file does not require secure access.
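The server-side flow described in the abstract and in Claims 1 and 5 to 8, modelled as an added Python illustration (not code from the patent or its assignee). The port numbers, the bit position, the class and method names and the sample files and addresses are all assumptions made for the sketch.

```python
from dataclasses import dataclass

STANDARD_PORT = 2049   # assumed number for the "first standard port"
SECURE_PORT = 20490    # assumed number for the "second secure port"
SECURE_BIT = 0x1       # assumed position of the metadata bit of Claim 7


@dataclass
class FileMeta:
    flags: int = 0                          # metadata word holding the secure bit
    secure_users: frozenset = frozenset()   # users allowed secured access (Claim 8)


@dataclass
class Session:
    user: str
    cwd: str                     # stands in for the "session parameters" of Claim 5
    port: int = STANDARD_PORT


class FileServer:
    """Hypothetical model of the routing and remount logic."""

    def __init__(self, files):
        self.files = files             # path -> FileMeta
        self.mounts = {}               # client IP -> active Session
        self.secure_port_config = {}   # client IP -> Session saved for remount

    def mount(self, client_ip, user, cwd="/"):
        self.mounts[client_ip] = Session(user, cwd)

    def access(self, client_ip, path):
        session = self.mounts.get(client_ip)
        meta = self.files.get(path)
        if session is None or meta is None:
            return ("DENY", None)
        if not meta.flags & SECURE_BIT:
            # Regular access is sufficient: use the mount the client holds.
            return ("SEND", session.port)
        if session.user not in meta.secure_users:
            return ("DENY", None)
        if session.port == SECURE_PORT:
            return ("SEND", SECURE_PORT)
        # Claim 5 order: configure the secure port first (Claim 6: with the
        # client's IP and the saved session), then end the standard mount.
        self.secure_port_config[client_ip] = session
        del self.mounts[client_ip]
        return ("REMOUNT", SECURE_PORT)

    def remount(self, client_ip, port):
        if port != SECURE_PORT:
            return False
        # The source IP is the only binding the page describes. Consuming the
        # entry on first use is a choice made in this sketch.
        saved = self.secure_port_config.pop(client_ip, None)
        if saved is None:
            return False
        saved.port = SECURE_PORT
        self.mounts[client_ip] = saved
        return True


def demo():
    # Constructed sample data: two files, two clients on documentation addresses.
    files = {
        "/pub/readme.txt": FileMeta(),
        "/hr/payroll.db": FileMeta(SECURE_BIT, frozenset({"alice"})),
    }
    srv = FileServer(files)
    srv.mount("192.0.2.5", "alice", cwd="/hr")
    srv.mount("192.0.2.9", "bob")
    return [
        srv.access("192.0.2.5", "/pub/readme.txt"),  # untagged file
        srv.access("192.0.2.9", "/hr/payroll.db"),   # user not on the list
        srv.access("192.0.2.5", "/hr/payroll.db"),   # tagged file, listed user
        srv.remount("192.0.2.9", SECURE_PORT),       # IP not configured
        srv.remount("192.0.2.5", SECURE_PORT),       # expected client
        srv.access("192.0.2.5", "/hr/payroll.db"),   # now on the secure mount
        srv.mounts["192.0.2.5"].cwd,                 # session parameters kept
        srv.remount("192.0.2.5", SECURE_PORT),       # entry already consumed
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```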
CA2525249A 2003-05-22 2004-04-15 Distributed filesystem network security extension Expired - Fee Related CA2525249C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US10/443,675 2003-05-22
US10/443,675 US7917751B2 (en) 2003-05-22 2003-05-22 Distributed filesystem network security extension
PCT/GB2004/001629 WO2004104902A1 (en) 2003-05-22 2004-04-15 Distributed filesystem network security extension

Publications (2)

Publication Number Publication Date
CA2525249A1 (en) 2004-12-02
CA2525249C (en) 2011-03-29

Family

ID=33450477

Family Applications (1)

Application Number Title Priority Date Filing Date
CA2525249A Expired - Fee Related CA2525249C (en) 2003-05-22 2004-04-15 Distributed filesystem network security extension

Country Status (12)

Country Link
US (1) US7917751B2 (en)
EP (1) EP1625524B1 (en)
JP (1) JP4602981B2 (en)
KR (1) KR100906119B1 (en)
CN (1) CN100530207C (en)
AT (1) ATE339733T1 (en)
BR (1) BRPI0410569B1 (en)
CA (1) CA2525249C (en)
DE (1) DE602004002401T2 (en)
IL (1) IL172054A (en)
TW (1) TWI282229B (en)
WO (1) WO2004104902A1 (en)

Families Citing this family (42)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7124171B1 (en) * 2002-05-23 2006-10-17 Emc Corporation In a networked computing cluster storage system and plurality of servers sharing files, in the event of server unavailability, transferring a floating IP network address from first server to second server to access area of data
US7480700B2 (en) * 2004-04-27 2009-01-20 Apple Inc. Method and system for retrieval and usage of remote entry points
US7827294B2 (en) 2004-05-06 2010-11-02 American Express Travel Related Services Company, Inc. System and method for dynamic security provisioning of computing resources
US20060031326A1 (en) * 2004-07-06 2006-02-09 Francis Ovenden Managing personal communications from a calendar scheduling application
US7640346B2 (en) * 2005-02-01 2009-12-29 Microsoft Corporation Dispatching network connections in user-mode
JP4722519B2 (en) * 2005-03-25 2011-07-13 株式会社日立製作所 Computer system, storage server, search server, terminal device, and search method
US7742498B2 (en) * 2005-05-17 2010-06-22 At&T Intellectual Property Ii, L.P. Method and apparatus for routing a call to a dual mode wireless device
US7895651B2 (en) 2005-07-29 2011-02-22 Bit 9, Inc. Content tracking in a network security system
US8984636B2 (en) 2005-07-29 2015-03-17 Bit9, Inc. Content extractor and analysis system
US8272058B2 (en) 2005-07-29 2012-09-18 Bit 9, Inc. Centralized timed analysis in a network security system
JP4600762B2 (en) * 2005-08-31 2010-12-15 ソニー株式会社 Information processing apparatus and method, and program
KR100810368B1 (en) * 2006-07-10 2008-03-07 주식회사 한글과 컴퓨터 System for preventing access and expose documents in group
US8874907B1 (en) * 2007-09-28 2014-10-28 Symantec Operating Corporation Controlling access to an NFS share
US8560833B2 (en) * 2010-10-29 2013-10-15 Aruba Networks, Inc. Automatic secure client access
US8959113B2 (en) 2011-03-30 2015-02-17 Open Text S.A. System, method and computer program product for managing tabulated metadata
US9501543B2 (en) 2011-09-23 2016-11-22 Hybrid Logic Ltd System for live-migration and automated recovery of applications in a distributed system
US9477739B2 (en) 2011-09-23 2016-10-25 Hybrid Logic Ltd System for live-migration and automated recovery of applications in a distributed system
GB2495079A (en) 2011-09-23 2013-04-03 Hybrid Logic Ltd Live migration of applications and file systems in a distributed system
US10311027B2 (en) 2011-09-23 2019-06-04 Open Invention Network, Llc System for live-migration and automated recovery of applications in a distributed system
US9547705B2 (en) * 2011-09-23 2017-01-17 Hybrid Logic Ltd System for live-migration and automated recovery of applications in a distributed system
US10331801B2 (en) 2011-09-23 2019-06-25 Open Invention Network, Llc System for live-migration and automated recovery of applications in a distributed system
US9483542B2 (en) 2011-09-23 2016-11-01 Hybrid Logic Ltd System for live-migration and automated recovery of applications in a distributed system
TW201351194A (en) * 2012-06-07 2013-12-16 Askey Computer Corp Data protection method for portable electronic device and computer program product for the same
US8635668B1 (en) * 2012-07-11 2014-01-21 International Business Machines Corporation Link analysis tool for security information handling system
US8806575B2 (en) 2012-07-11 2014-08-12 International Business Machines Corporation Network selection tool for information handling system
US8898769B2 (en) 2012-11-16 2014-11-25 At&T Intellectual Property I, Lp Methods for provisioning universal integrated circuit cards
US8959331B2 (en) 2012-11-19 2015-02-17 At&T Intellectual Property I, Lp Systems for provisioning universal integrated circuit cards
US9513803B2 (en) * 2012-12-21 2016-12-06 Intel Corporation Tagging in a storage device
US9699141B2 (en) * 2013-04-03 2017-07-04 Symantec Corporation Method and apparatus for integrating security context in network routing decisions
US9036820B2 (en) 2013-09-11 2015-05-19 At&T Intellectual Property I, Lp System and methods for UICC-based secure communication
US9124573B2 (en) 2013-10-04 2015-09-01 At&T Intellectual Property I, Lp Apparatus and method for managing use of secure tokens
US9208300B2 (en) 2013-10-23 2015-12-08 At&T Intellectual Property I, Lp Apparatus and method for secure authentication of a communication device
US9240994B2 (en) 2013-10-28 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for securely managing the accessibility to content and applications
US9240989B2 (en) 2013-11-01 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for secure over the air programming of a communication device
US9313660B2 (en) 2013-11-01 2016-04-12 At&T Intellectual Property I, Lp Apparatus and method for secure provisioning of a communication device
US9413759B2 (en) 2013-11-27 2016-08-09 At&T Intellectual Property I, Lp Apparatus and method for secure delivery of data from a communication device
CN103905466B (en) * 2014-04-22 2017-01-11 郭伟 Data access control system and method for storage system
US9713006B2 (en) 2014-05-01 2017-07-18 At&T Intellectual Property I, Lp Apparatus and method for managing security domains for a universal integrated circuit card
US9628486B2 (en) * 2014-10-23 2017-04-18 Vormetric, Inc. Access control for data blocks in a distributed filesystem
US10558818B2 (en) * 2017-02-22 2020-02-11 Red Hat, Inc. Supporting security access controls in an overlay filesystem
WO2020055968A1 (en) * 2018-09-11 2020-03-19 Amari.Ai Incorporated Secure communications gateway for trusted execution and secure communications
EP4106290A1 (en) * 2021-06-17 2022-12-21 Deutsche Telekom AG A method for operating a distributed application

Family Cites Families (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6850252B1 (en) * 1999-10-05 2005-02-01 Steven M. Hoffberg Intelligent electronic appliance system and method
US5758334A (en) 1995-07-05 1998-05-26 International Business Machines Corporation File system remount operation with selectable access modes that saves knowledge of the volume path and does not interrupt an executing process upon changing modes
US6006018A (en) * 1995-10-03 1999-12-21 International Business Machines Corporation Distributed file system translator with extended attribute support
US6081610A (en) * 1995-12-29 2000-06-27 International Business Machines Corporation System and method for verifying signatures on documents
JPH09305682A (en) 1996-05-13 1997-11-28 Sony Corp Communication equipment
JPH10124427A (en) 1996-06-19 1998-05-15 At & T Corp Automatic network reconfiguration system and method
US5903732A (en) * 1996-07-03 1999-05-11 Hewlett-Packard Company Trusted gateway agent for web server programs
JPH10171879A (en) 1996-12-06 1998-06-26 Purosupaa Kurieiteibu:Kk Merchandise sales system, and information communication method and storage medium for the same system
JPH10229459A (en) 1996-12-09 1998-08-25 Nippon Telegr & Teleph Corp <Ntt> Transmission method for pay information, equipment therefor and recording medium
CN1225186A (en) * 1996-12-18 1999-08-04 亚历山大S·奥伦斯坦 Secured system for accessing application services from a remote station
US5931947A (en) * 1997-09-11 1999-08-03 International Business Machines Corporation Secure array of remotely encrypted storage devices
US6405315B1 (en) * 1997-09-11 2002-06-11 International Business Machines Corporation Decentralized remotely encrypted file system
US6574661B1 (en) * 1997-09-26 2003-06-03 Mci Communications Corporation Integrated proxy interface for web based telecommunication toll-free network management using a network manager for downloading a call routing tree to client
US6058400A (en) * 1998-04-28 2000-05-02 Sun Microsystems, Inc. Highly available cluster coherent filesystem
JP2000010921A (en) 1998-06-19 2000-01-14 Nec Corp Communication method and system and recording medium
JP2000067120A (en) 1998-08-19 2000-03-03 Nec Corp Device and method for automatically establishing internet bypass route by downloading program
JP2000076336A (en) 1998-08-31 2000-03-14 Fujitsu Ltd Electronic settlement authentication system and electronic commerce service provider device
JP2002526830A (en) * 1998-09-28 2002-08-20 アーガス システムズ グループ,インク. Compartmentalized trust computer operating system
US6772333B1 (en) * 1999-09-01 2004-08-03 Dickens Coal Llc Atomic session-start operation combining clear-text and encrypted sessions to provide id visibility to middleware such as load-balancers
US6782418B1 (en) * 2000-01-24 2004-08-24 General Electric Company Method and apparatus for secure data file uploading
US6952780B2 (en) * 2000-01-28 2005-10-04 Safecom A/S System and method for ensuring secure transfer of a document from a client of a network to a printer
KR20010096814A (en) * 2000-04-14 2001-11-08 홍기융 Digital Signature Certificate Based Security Kernel Method for File System Protection
US6947556B1 (en) * 2000-08-21 2005-09-20 International Business Machines Corporation Secure data storage and retrieval with key management and user authentication
US7010689B1 (en) * 2000-08-21 2006-03-07 International Business Machines Corporation Secure data storage and retrieval in a client-server environment
US7089585B1 (en) * 2000-08-29 2006-08-08 Microsoft Corporation Method and system for authorizing a client computer to access a server computer
US7003799B2 (en) * 2001-01-30 2006-02-21 Hewlett-Packard Development Company, L.P. Secure routable file upload/download across the internet
US7073055B1 (en) * 2001-02-22 2006-07-04 3Com Corporation System and method for providing distributed and dynamic network services for remote access server users
US6931530B2 (en) * 2002-07-22 2005-08-16 Vormetric, Inc. Secure network file access controller implementing access control and auditing
US6678828B1 (en) * 2002-07-22 2004-01-13 Vormetric, Inc. Secure network file access control system
US7143288B2 (en) * 2002-10-16 2006-11-28 Vormetric, Inc. Secure file system server architecture and methods
US7565533B2 (en) * 2002-11-05 2009-07-21 Sun Microsystems, Inc. Systems and methods for providing object integrity and dynamic permission grants
US8683031B2 (en) * 2004-10-29 2014-03-25 Trustwave Holdings, Inc. Methods and systems for scanning and monitoring content on a network

Also Published As

Publication number Publication date
IL172054A0 (en) 2011-08-01
BRPI0410569A (en) 2006-06-20
US20040236745A1 (en) 2004-11-25
EP1625524A1 (en) 2006-02-15
JP2007503652A (en) 2007-02-22
EP1625524B1 (en) 2006-09-13
WO2004104902A1 (en) 2004-12-02
ATE339733T1 (en) 2006-10-15
CN100530207C (en) 2009-08-19
BRPI0410569B1 (en) 2016-08-23
IL172054A (en) 2012-09-24
KR20060015714A (en) 2006-02-20
US7917751B2 (en) 2011-03-29
DE602004002401D1 (en) 2006-10-26
DE602004002401T2 (en) 2007-09-20
CN1791878A (en) 2006-06-21
TWI282229B (en) 2007-06-01
KR100906119B1 (en) 2009-07-07
JP4602981B2 (en) 2010-12-22
TW200507570A (en) 2005-02-16
CA2525249C (en) 2011-03-29

Similar Documents

Publication Publication Date Title
CA2525249A1 (en) Distributed filesystem network security extension
JP2007503652A5 (en)
EP1130875B1 (en) A home gateway with a data backup service
US9510202B2 (en) Method of securing network access radio systems
WO2006088592A1 (en) Network-distributed data routing
JP6096376B2 (en) Access control method, apparatus, program, and recording medium
JP2003535398A (en) Integrated internal information leakage prevention system
WO2008097164A2 (en) Method and arrangement relating to encryption/decryption of a memory unit
US20060080517A1 (en) Accessing a protected area of a storage device
JP4320904B2 (en) Gateway and data communication method
US20070028305A1 (en) Method and apparatus for an encryption system
EP2028603B1 (en) External storage medium adapter
US20080104239A1 (en) Method and system of managing accounts by a network server
JP2003092567A (en) System and device for managing file and client terminal
JP3336969B2 (en) Method and system for controlling data storage device sharing among multiple computers
JP2000244481A (en) Access control method and system and recording medium storing access control program
JPH03152652A (en) Network security system

Legal Events

Date Code Title Description
EEER Examination request
MKLA Lapsed

Effective date: 20170418