Techniques to provide network security through just-in-time provisioned accounts
First Claim
1. An apparatus, comprising:
- a processor circuit; and
- a server application for execution by the processor circuit, the server application comprising:
  - an account management component configured to receive a request from a client having a first account via a client device, the request being for creating a second account to access a server device in one or more server devices, wherein the one or more server devices is segmented into a plurality of segments;
  - an account authorization component configured to:
    - identify a security group configured to grant access to at least one of the plurality of segments, the at least one of the plurality of segments comprising the server device,
    - determine a scope and a role associated with the request,
    - determine a scope and a role associated with the first account based on account information associated with the first account,
    - authorize the request based at least in part on the scope and the role of the first account, and
    - associate the second account with the security group to enable the second account access to the server device;
  - an account provisioning component configured to create the second account to enable the client device to access the server device; and
  - an account notification component configured to provide account information associated with the second account to the client device.
Abstract
Techniques to contain lateral movement of attackers through just-in-time (JIT) provisioned accounts comprising an account management component to receive a request from a first account via a client device for a second account to access a server device in a set of server devices, an account authorization component to authorize the request for the second account based at least partially on account information associated with the first account, an account provisioning component to provision the second account to enable a client to access the server device, and an account notification component to provide account information associated with the second account to a client via the client device. Other embodiments are described and claimed.
62 Citations
17 Claims
1. An apparatus, comprising:
- a processor circuit; and
- a server application for execution by the processor circuit, the server application comprising:
  - an account management component configured to receive a request from a client having a first account via a client device, the request being for creating a second account to access a server device in one or more server devices, wherein the one or more server devices is segmented into a plurality of segments;
  - an account authorization component configured to:
    - identify a security group configured to grant access to at least one of the plurality of segments, the at least one of the plurality of segments comprising the server device,
    - determine a scope and a role associated with the request,
    - determine a scope and a role associated with the first account based on account information associated with the first account,
    - authorize the request based at least in part on the scope and the role of the first account, and
    - associate the second account with the security group to enable the second account access to the server device;
  - an account provisioning component configured to create the second account to enable the client device to access the server device; and
  - an account notification component configured to provide account information associated with the second account to the client device.

Dependent claims: 2, 3, 4, 5, 6.
7. A computer-implemented method, comprising:
- receiving a request from a client having a first account via a client device for creating a second account with one or more access permissions, the second account being created to access a server device in one or more server devices, wherein the one or more server devices is segmented into a plurality of segments;
- determining a request scope and a role associated with the request;
- determining an account scope and a role associated with the first account based on account information associated with the first account;
- authorizing, by circuitry, the request for creating the second account based at least partially on the scope and the role of the first account;
- provisioning the second account to enable the client device to access the server device, wherein provisioning the second account further comprises:
  - identifying a security group configured to grant access to one of the plurality of segments, the one of the plurality of segments comprising the server device, and
  - associating the second account with the security group to enable the second account access to the server device in the one of the plurality of segments; and
- providing account information associated with the second account to the client device, the account information corresponding to authentication and authorization information of the client.

Dependent claims: 8, 9, 10, 11, 12.
-
13. A non-transitory computer-readable storage hardware comprising instructions that, when executed, cause a system to:
- receive a request from a client device for a just-in-time (JIT) account with one or more elevated access permissions to access a server device in one or more server devices, wherein the one or more server devices is segmented into a plurality of segments, the client device having an associated client account;
- determine a scope and a role associated with the request;
- determine a scope and a role associated with the client account based on client account information;
- authorize the request for the JIT account based at least partially on the scope and the role of the client account;
- create the JIT account to enable access to the server device by:
  - identifying a security group configured to grant access to a segment of the plurality of segments comprising the server device, and
  - associating the JIT account with the security group to enable the JIT account access to the server device in the segment; and
- provide account information associated with the JIT account to the client device.

Dependent claims: 14, 15, 16, 17.
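The method of claim 7 and the instructions of claim 13 describe the same flow: receive the request, derive the request's scope (the segment holding the target server) and role, derive the requester's scope and role from the existing account, authorize, map the segment to its security group, create the JIT account in that group, and return the account information. The following toy model, added here as an illustration and not code from the patent or its assignee, walks through those steps end to end. The topology, the policy tables and every name in it (`Account`, `JitRequest`, `JitAccount`, `authorize`, `provision`, `handle_jit_request`) are assumptions chosen to exercise the claimed steps; the denial paths show why scoping the second account to a single segment limits lateral movement.

```python
"""Toy model of the claimed JIT account provisioning flow (added illustration).

Names, topology and policy below are assumptions, not the patent's implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

# Constructed sample topology (assumption): server devices are partitioned into
# segments, and each segment is reachable only through one security group.
SEGMENT_OF_SERVER = {"web-01": "dmz", "web-02": "dmz", "db-01": "data", "hsm-01": "data"}
SECURITY_GROUP_FOR_SEGMENT = {"dmz": "sg-jit-dmz", "data": "sg-jit-data"}

# Assumed policy: which JIT roles a requester's own role may ask for.
ROLE_MAY_REQUEST = {
    "admin": frozenset({"admin", "operator", "reader"}),
    "operator": frozenset({"operator", "reader"}),
    "reader": frozenset({"reader"}),
}


@dataclass(frozen=True)
class Account:
    """The requester's existing ('first') account and its entitlements."""
    name: str
    scope: frozenset   # segments this account is entitled to reach
    role: str


@dataclass(frozen=True)
class JitRequest:
    """Request received from the client device for a second (JIT) account."""
    requester: str
    server: str        # target server device
    role: str          # role wanted on the JIT account
    ttl_minutes: int = 60


@dataclass
class JitAccount:
    name: str
    security_group: str
    role: str
    issued_at: datetime
    expires_at: datetime
    secret: str = field(repr=False)   # kept out of repr() so it is never logged by accident


class AuthorizationError(Exception):
    pass


def request_scope(req: JitRequest) -> str:
    """Scope of the request = the segment that contains the target server device."""
    try:
        return SEGMENT_OF_SERVER[req.server]
    except KeyError:
        raise AuthorizationError(f"unknown server device {req.server!r}") from None


def authorize(req: JitRequest, account: Account) -> str:
    """Authorization component: the requester's scope and role must cover the
    request. Returns the segment the JIT account will be admitted to."""
    if req.requester != account.name:
        raise AuthorizationError("request does not match the presented account")
    segment = request_scope(req)
    if segment not in account.scope:
        # Containment: an account scoped to one segment cannot mint credentials for another.
        raise AuthorizationError(f"{account.name} is not scoped to segment {segment!r}")
    if req.role not in ROLE_MAY_REQUEST.get(account.role, frozenset()):
        raise AuthorizationError(f"role {account.role!r} may not request {req.role!r}")
    return segment


def is_authorized(req: JitRequest, account: Account) -> bool:
    try:
        authorize(req, account)
        return True
    except AuthorizationError:
        return False


def provision(req: JitRequest, account: Account, now: Optional[datetime] = None) -> JitAccount:
    """Provisioning component: create the second account and associate it with
    the security group that grants access to the authorized segment only."""
    segment = authorize(req, account)
    now = now or datetime.now(timezone.utc)
    return JitAccount(
        name=f"jit-{account.name}-{secrets.token_hex(4)}",
        security_group=SECURITY_GROUP_FOR_SEGMENT[segment],
        role=req.role,
        issued_at=now,
        expires_at=now + timedelta(minutes=req.ttl_minutes),
        secret=secrets.token_urlsafe(24),
    )


def handle_jit_request(req: JitRequest, account: Account, now: Optional[datetime] = None) -> dict:
    """Management + notification components: run the flow and return the
    account information that is sent back to the client device."""
    jit = provision(req, account, now)
    return {
        "username": jit.name,
        "secret": jit.secret,
        "security_group": jit.security_group,
        "role": jit.role,
        "expires_at": jit.expires_at.isoformat(),
    }
```

Calling `handle_jit_request(JitRequest("alice", "web-01", "reader"), Account("alice", frozenset({"dmz"}), "operator"))` yields a short-lived account in `sg-jit-dmz`; the same requester asking for `db-01` is refused because `data` is outside her scope, and asking for `admin` is refused because an `operator` may not request it. The expiry is what makes the account "just in time": the secret is only useful for the requested window.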
Specification