Automatic removal of global user security groups

US 10,318,751 B2
Filed: 12/19/2017
Issued: 06/11/2019
Est. Priority Date: 05/27/2010
Status: Active Grant

First Claim

Patent Images

1. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, said system comprising:

a learned access permissions subsystem comprising at least one processor and at least one memory comprising computer code, said learned access permissions subsystem operative to learn current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;

a learned actual access subsystem comprising at least one processor and at least one memory comprising computer code, said learned actual access subsystem operative to learn an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects; and

a computer security policy administration subsystem comprising at least one processor and at least one memory comprising computer code, said computer security policy administration subsystem operable for receiving said indications from said learned access permission subsystem and said learned actual access subsystem and being operative to automatically replace access permissions of a pre-selected user security group to said network objects by;

automatically removing all access permissions of said pre-selected user security group to said network objects, regardless of whether members of said pre-selected user security group have actually accessed said network objects; and

automatically providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically removing all access permissions step, said automatically providing access permissions comprising at least one of;

automatically granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to an existing user group having access permissions to said network objects; and

automatically creating a user group having access permissions to said network objects and automatically granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to said created user group having access permissions to said network objects;

said computer security policy administration subsystem also comprising a replacement initiator which automatically initiates said automatic replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, including a learned access permissions subsystem operative to learn current access permissions of users to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects, a learned actual access subsystem operative to learn actual access history of users in the enterprise to the network objects and to provide indications of which users have had actual access to which network objects, and a computer security policy administration subsystem, receiving indications from the learned access permission subsystem and the learned actual access subsystem and being operative to automatically replace pre-selected user-security group-based access permissions with at least partially actual access-based access permissions without disrupting access to network objects.

Citations

18 Claims

1. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, said system comprising:
- a learned access permissions subsystem comprising at least one processor and at least one memory comprising computer code, said learned access permissions subsystem operative to learn current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;
  
  a learned actual access subsystem comprising at least one processor and at least one memory comprising computer code, said learned actual access subsystem operative to learn an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects; and
  
  a computer security policy administration subsystem comprising at least one processor and at least one memory comprising computer code, said computer security policy administration subsystem operable for receiving said indications from said learned access permission subsystem and said learned actual access subsystem and being operative to automatically replace access permissions of a pre-selected user security group to said network objects by;
  
  automatically removing all access permissions of said pre-selected user security group to said network objects, regardless of whether members of said pre-selected user security group have actually accessed said network objects; and
  
  automatically providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically removing all access permissions step, said automatically providing access permissions comprising at least one of;
  
  automatically granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to an existing user group having access permissions to said network objects; and
  
  automatically creating a user group having access permissions to said network objects and automatically granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to said created user group having access permissions to said network objects;
  
  said computer security policy administration subsystem also comprising a replacement initiator which automatically initiates said automatic replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 1 and also comprising:
    - a pre-replacement notification and authorization subsystem comprising at least one processor and at least one memory comprising computer code, said pre-replacement notification and authorization subsystem automatically operative prior to execution of said replacement to notify predetermined stakeholders in predetermined ones of said network objects of changes in access permissions expected to take place as a result of said replacement, to request their authorization and in an absence of said authorization to prevent execution of said replacement in respect of at least some of said network objects and at least some of said users in the enterprise for which authorization was not received.
  - 3. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 1 and wherein said pre-selected user security group comprises all users of said enterprise computer environment.
  - 4. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 1 and wherein said computer security policy administration subsystem is operative to automatically replace said access permissions of said pre-selected user security group with access permissions partially based on actual access of said users in the enterprise and partially based on pre-existing access permissions which are not said access permissions of said pre-selected user security group.
  - 5. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 1 and wherein said computer security policy administration subsystem is operative to automatically replace said access permissions of said pre-selected user security group with access permissions at least partially based on actual access of said users in the enterprise and at least partially based on similarity of actual access profiles of said users in the enterprise having had actual access.
  - 6. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 1 and wherein said computer security policy administration subsystem is operative to automatically replace said access permissions of said pre-selected user security group with access permissions based on pre-existing access permissions which are not said access permissions of said pre-selected user security group.
  - 7. An enterprise system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 1 and wherein said computer security policy administration subsystem includes a simulation initiator which automatically initiates simulation of said replacement of said access permissions of said pre-selected user security group with access permissions which are at least partially based on actual access of said users in the enterprise, based on said schedule predetermined by said administrator.

8. An enterprise system for simulating replacement of a user security group-based computer security policy by a computer security policy, said system comprising:
- a learned access permission subsystem comprising at least one processor and at least one memory comprising computer code, said learned access permissions subsystem operative to learn current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;
  
  a learned actual access subsystem comprising at least one processor and at least one memory comprising computer code, said learned actual access subsystem operative to learn an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects;
  
  a computer security policy simulation subsystem comprising at least one processor and at least one memory comprising computer code, said computer security policy administration subsystem being operable for receiving said indications from said learned access permission subsystem and said learned actual access subsystem and being operative to automatically simulate replacing access permissions of a pre-selected user security group to said network objects by;
  
  automatically simulating removal of all access permissions of said pre-selected user security group to said network objects regardless of whether members of said pre-selected user security group have actually accessed said network objects; and
  
  automatically simulating providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically simulating removing all access permissions step, said automatically simulating providing access permissions comprising at least one of;
  
  automatically simulating granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to an existing user group having access permissions to said network objects; and
  
  automatically simulating creating a user group having access permissions to said network objects and automatically simulating granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to said created user group having access permissions to said network objects;
  
  a pre-replacement notification and authorization subsystem comprising at least one processor and at least one memory comprising computer code, said pre-replacement notification and authorization subsystem automatically operative to notify predetermined stakeholders in predetermined ones of the network objects of changes in access permissions expected to take place as the result of the replacement and to request their authorization; and
  
  a replacement initiator which, responsive to said authorization, automatically initiates automatic replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.
- View Dependent Claims (9)
- - 9. An enterprise system for simulating replacement of a user security group-based computer security policy by a computer security policy according to claim 8 and wherein said pre-selected user security group comprises all users of said enterprise computer environment.

10. A method for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, said method comprising using at least one processor to execute computer code stored in at least one memory for:
- learning current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;
  
  learning an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects;
  
  receiving said indications and automatically replacing access permissions of a pre-selected user security group to said network objects by;
  
  automatically removing all access permissions of said pre-selected user security group to said network objects, regardless of whether members of said pre-selected user security group have actually accessed said network objects; and
  
  automatically providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically removing all access permissions step, said automatically providing access permissions comprising at least one of;
  
  automatically granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to an existing user group having access permissions to said network objects; and
  
  automatically creating a user group having access permissions to said network objects and automatically granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to said created user group having access permissions to said network objects; and
  
  automatically initiating said automatic replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. A method for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 10 and wherein said method also comprises using said at least one processor and said at least one memory comprising computer code for:
    - notifying, prior to execution of said replacement, predetermined stakeholders in predetermined ones of said network objects of changes in access permissions expected to take place as the a result of said replacement, to request their authorization and in an absence of said authorization to prevent execution of said replacement in respect of at least some of said network objects and at least some of said users in the enterprise for which authorization was not received.
  - 12. A method for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 10 and wherein said pre-selected user security group comprises all users of said enterprise computer environment.
  - 13. A method for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 10 and wherein said method also comprises using said at least one processor and said at least one memory comprising computer code for automatically replacing said access permissions of said pre-selected user security group with access permissions partially based on actual access of said users in the enterprise and partially based on pre-existing access permissions which are not said access permissions of said pre-selected user security group.
  - 14. A method for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 10 and wherein said method also comprises using said at least one processor and said at least one memory comprising computer code for automatically replacing said access permissions of said pre-selected user security group with access permissions at least partially based on actual access of said users in the enterprise and at least partially based on similarity of actual access profiles of said users in the enterprise having had actual access.
  - 15. A method for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 10 and wherein said method also comprises using said at least one processor and said at least one memory comprising computer code for automatically replacing said access permissions of said pre-selected user security group with access permissions based on pre-existing access permissions which are not said access permissions of said pre-selected user security group.
  - 16. A method for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access according to claim 10 and wherein said method also comprises using said at least one processor and said at least one memory comprising computer code for automatically initiating simulation of said replacement of said access permissions of said pre-selected user security group with access permissions which are at least partially based on actual access of said users in the enterprise, based on said schedule predetermined by said administrator.

17. A method for simulating replacement of a user security group-based computer security policy by a computer security policy, said method comprising using at least one processor to execute computer code stored in at least one memory for:
- learning current access permissions of users in an enterprise to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects;
  
  learning an actual access history of said users in the enterprise to said network objects and to provide an indication of which users have had actual access to which network objects;
  
  receiving said indications and automatically simulating replacing access permissions of a pre-selected user security group to said network objects by;
  
  automatically simulating removal of all access permissions of said pre-selected user security group to said network objects regardless of whether members of said pre-selected user security group have actually accessed said network objects; and
  
  automatically simulating providing access permissions to said network objects to automatically identified users of said network objects who earlier had actual access to said network objects, which access permissions were automatically removed in said automatically simulating removing all access permissions step, said automatically simulating providing access permissions comprising at least one of;
  
  automatically simulating granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to an existing user group having access permissions to said network objects; and
  
  automatically simulating creating a user group having access permissions to said network objects and automatically simulating granting membership to said automatically identified users of said network objects who earlier had actual access to said network objects to said created user group having access permissions to said network objects; and
  
  notifying predetermined stakeholders in predetermined ones of said network objects of changes in access permissions expected to take place as the result of said replacement, to request their authorization; and
  
  responsive to said authorization, automatically initiating automatic replacement of pre-selected user-security group-based access permissions with at least partially actual access based accessed permissions based on a schedule predetermined by a human administrator.
- View Dependent Claims (18)
- - 18. A method for simulating replacement of a user security group-based computer security policy by a computer security policy according to claim 17 and wherein said pre-selected user security group comprises all users of said enterprise computer environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Varonis Systems, Inc.
Original Assignee
Varonis Systems, Inc.
Inventors
Faitelson, Yakov, Korkus, Ohad, Kretzer-Katzir, Ophir, Bass, David
Primary Examiner(s)
Tsang, Henry

Application Number

US15/847,192
Publication Number

US 20180157861A1
Time in Patent Office

539 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6263   during internet communicati...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06Q 10/103   Workflow collaboration or p...

H04L 63/105   Multiple levels of security

Automatic removal of global user security groups

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic removal of global user security groups

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links