Quorum-based access management

US 10,291,622 B1
Filed: 03/15/2016
Issued: 05/14/2019
Est. Priority Date: 03/15/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a request for access to one or more resources in a multi-tenant environment, the request including a first digital signature for a requestor;

determining, by an access manager, that at least one quorum rule applies to the request, the at least one quorum rule specifying at least a number of digital signatures needed for the access to be granted;

determining one or more potential signatories each capable of providing one of the digital signatures for the request;

determining a period of time, specified by the at least one quorum rule, over which the at least one quorum rule must be satisfied for the access to be granted in response to the request;

sending a notification to each of the potential signatories, the notification including at least information about the access, the requestor, and the period of time;

receiving, from one or more of the potential signatories, one or more calls associated with the request, each call of the one or more calls digitally signed by a respective signatory of the potential signatories;

determining, by the access manager, that the one or more calls together with the first request satisfied the at least one quorum rule within the period of time;

forwarding information for the request to an authorization manager; and

granting the access to the one or more resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A quorum-based access mechanism can require multiple entities to provide credentials over a determined period of time in order to obtain access to one or more resources in an electronic environment. This can include receiving a request that is signed by multiple signatories, or receiving multiple requests within a determined period that are each signed by a respective and authorized signatory. In some embodiments the receiving of a primary request causes notifications to be sent to other potential signatories, and a specified or minimum number must respond timely with a signed request to have the access granted. The quorum-based access mechanism can function as an additional authorization layer sitting in front of more conventional authorization and authentication mechanisms. In some embodiments a quorum token can be passed with the request, whereby resources in the environment can make access determinations based on the information in the token.

24 Citations

View as Search Results

19 Claims

1. A computer-implemented method, comprising:
- receiving a request for access to one or more resources in a multi-tenant environment, the request including a first digital signature for a requestor;
  
  determining, by an access manager, that at least one quorum rule applies to the request, the at least one quorum rule specifying at least a number of digital signatures needed for the access to be granted;
  
  determining one or more potential signatories each capable of providing one of the digital signatures for the request;
  
  determining a period of time, specified by the at least one quorum rule, over which the at least one quorum rule must be satisfied for the access to be granted in response to the request;
  
  sending a notification to each of the potential signatories, the notification including at least information about the access, the requestor, and the period of time;
  
  receiving, from one or more of the potential signatories, one or more calls associated with the request, each call of the one or more calls digitally signed by a respective signatory of the potential signatories;
  
  determining, by the access manager, that the one or more calls together with the first request satisfied the at least one quorum rule within the period of time;
  
  forwarding information for the request to an authorization manager; and
  
  granting the access to the one or more resources.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, further comprising:
    - determining, per the at least one quorum rule, the number of digital signatures needed for the access, the number including at least one of a specified number, a minimum number, or a majority of the one or more of the potential signatories.
  - 3. The computer-implemented method of claim 1, further comprising:
    - determining that the at least one quorum rule specifies an order for the digital signatures needed for the access;
      
      determining that the first digital signature is a primary digital signature to be received first;
      
      determining an order for the one or more of the potential signatories; and
      
      causing notifications to be sent to the potential signatories according to the order.
  - 4. The computer-implemented method of claim 1, further comprising:
    - storing an audit record for the request, the audit record including at least a number of digital signatures received and an identification of signatories associated with the digital signatures.

5. A computer-implemented method, comprising:
- receiving a plurality of requests related to a task to be performed in an electronic environment to an application programming interface (API) associated with an access manager, the task requiring access to one or more computing resources in the electronic environment, and the access manager configured to temporarily store information for the plurality of requests over the specified period of time;
  
  determining that a quorum rule applies to the access, based at least in part on the task associated with the plurality of requests, the quorum rule specifying a number of digital signatures to be received within a specified period of time to obtain the access, the number of digital signatures requiring at least two digital signatures;
  
  determining, by the access manager, that the plurality of requests were received within the specified period of time and include at least the number of digital signatures to satisfy the quorum rule for the task; and
  
  providing the access for performing the task in the electronic environment.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The computer-implemented method of claim 5, further comprising:
    - receiving a first request of the plurality of requests; and
      
      sending a notification to at least one other potential signatory regarding the access to be provided for the first request, the notification causing one or more signatories to each send a respective request of the plurality of requests during the specified period of time.
  - 7. The computer-implemented method of claim 6, further comprising:
    - determining an order specified by the quorum rule; and
      
      causing the notifications to be sent to the at least one other potential signatory according to the order.
  - 8. The computer-implemented method of claim 5, further comprising:
    - determining criteria for the at least one other potential signatory to which the notification is to be sent, the criteria specifying at least one of a type of a potential signatory, a location of a potential signatory, an address of a potential signatory, a device used on behalf of a potential signatory, or whether a proxy device can be used to submit a request on behalf of a potential signatory.
  - 9. The computer-implemented method of claim 5, further comprising:
    - generating a quorum token including at least the number of digital signatures received and identities of signatories from whom the digital signatures were received; and
      
      causing the quorum token to be transmitted with the request to the one or more resources.
  - 10. The computer-implemented method of claim 9, further comprising:
    - determining, based at least in part on the quorum token, a type of access to be provided for at least one resource of the one or more resources.
  - 11. The computer-implemented method of claim 5, further comprising:
    - determining that the digital signatures were each provided by a respective signatory authorized for the access for the task to be performed.
  - 12. The computer-implemented method of claim 5, further comprising:
    - forwarding information for the plurality of requests to an authorization service to determine to provide the access for performing the task in the electronic environment.
  - 13. The computer-implemented method of claim 5, wherein each signatory sending one of the plurality of requests has a portion of a split master cryptographic key for obtaining the access, all portions of the master cryptographic key required to be received in order to authorize the access.
  - 14. The computer-implemented method of claim 5, further comprising:
    - evaluating each request of the plurality of requests in the order in which the request is received.

15. A system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  receive a plurality of requests related to a task to be performed in an electronic environment to an application programming interface (API) associated with an access manager, the task requiring access to one or more computing resources in the electronic environment, and the access manager configured to temporarily store information for the plurality of requests over the specified period of time;
  
  determine that a quorum rule applies to the access, based at least in part on the task associated with the plurality of requests, the quorum rule specifying a number of digital signatures to be received within a specified period of time to obtain the access, the number of digital signatures requiring at least two digital signatures;
  
  determine, by the access manager, that the plurality of requests were received within the specified period of time and include at least the number of digital signatures;
  
  to satisfy the quorum rule for the task; and
  
  provide the access for performing the task in the electronic environment.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein the instructions when executed further cause the system to:
    - determine to provide the access based upon at least one of an authorization privilege of a primary signatory or a multi-part authorization for each signatory for the plurality of requests.
  - 17. The system of claim 15, wherein the instructions when executed further cause the system to:
    - receive a first request of the plurality of requests; and
      
      send a notification to at least one other potential signatory regarding the access to be provided for the first request, the notification causing one or more signatories to each send a request of the plurality of requests during the specified period of time.
  - 18. The system of claim 17, wherein the instructions when executed further cause the system to:
    - determine an order specified by the quorum rule; and
      
      cause the notifications to be sent to the at least one other potential signatory according to the order.
  - 19. The system of claim 15, wherein the instructions when executed further cause the system to:
    - generate a quorum token including at least the number of digital signatures received and identities of signatories from whom the digital signatures were received; and
      
      cause the quorum token to be transmitted with the request to the one or more resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Rossman, Hart Matthew, Swensson, Erik Lee
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/070,915
Time in Patent Office

1,155 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Quorum-based access management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Quorum-based access management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links