Delegating security policy management authority to managed accounts

US 10,419,488 B2
Filed: 03/03/2017
Issued: 09/17/2019
Est. Priority Date: 03/03/2017
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one processor; and

at least one memory in communication with the at least one processor, the at least one memory having computer-readable instructions stored thereupon that, when executed by the at least one processor, cause the at least one processor to;

obtain a security policy that includes application management settings that are generated from at least one administrative authority account that corresponds to a greater level of administrative rights than a managed account, wherein the application management settings indicate a set of permitted applications that are permitted to access one or more enterprise resources from the managed account;

receive a request to access a particular data resource through a particular application that is operating from the managed account;

determine, based on the request, that the particular data resource is tagged as an enterprise data resource and that the particular application is not included in the set of permitted applications;

expose an application exemption manager that is configured to enable a standard user to generate, from the managed account, an exemption instruction to at least partially exempt the particular application from the security policy, wherein the exemption instruction is generated from the managed account independently from the at least one administrative authority account; and

permit, based on the exemption instruction, the particular application to access the particular data resource from the managed account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system may delegate authority to manage aspects of a security policy developed by administrative personnel to standard users (e.g. non-administrative personnel) corresponding to managed accounts within an administrative hierarchy. An exemplary security policy may include application management settings that allow or deny individual applications with access to various enterprise resources. The system may expose one or more user interfaces to standard users of an enterprise network to enable these standard users to modify the security policy being deployed for their managed account and/or to at least temporarily exempt a particular application from the enterprise'"'"'s security policy. For example, upon a standard user attempting to access enterprise data with a particular application that is not permitted such access, the system may enable this standard user to change the security policy as applied to her device or to simply exempt the particular application from the security policy.

Citations

19 Claims

1. A system comprising:
- at least one processor; and
  
  at least one memory in communication with the at least one processor, the at least one memory having computer-readable instructions stored thereupon that, when executed by the at least one processor, cause the at least one processor to;
  
  obtain a security policy that includes application management settings that are generated from at least one administrative authority account that corresponds to a greater level of administrative rights than a managed account, wherein the application management settings indicate a set of permitted applications that are permitted to access one or more enterprise resources from the managed account;
  
  receive a request to access a particular data resource through a particular application that is operating from the managed account;
  
  determine, based on the request, that the particular data resource is tagged as an enterprise data resource and that the particular application is not included in the set of permitted applications;
  
  expose an application exemption manager that is configured to enable a standard user to generate, from the managed account, an exemption instruction to at least partially exempt the particular application from the security policy, wherein the exemption instruction is generated from the managed account independently from the at least one administrative authority account; and
  
  permit, based on the exemption instruction, the particular application to access the particular data resource from the managed account.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the computer-readable instructions further cause the at least one processor to analyze the particular application to identify an enlightenment status that indicates that the particular application is configured to communicate with a policy enforcement service to at least partially enforce the security policy, wherein permitting the particular application to access the particular data resource from the managed account is further based on the enlightenment status.
  - 3. The system of claim 2, wherein the computer-readable instructions further cause the at least one processor to analyze the particular application to:
    - identify a digital signature associated with the enlightenment status of the particular application; and
      
      determine that an origin of the digital signature corresponds to at least one trusted publisher of a predetermined set of trusted publishers, wherein permitting the particular application to access the particular data resource from the managed account is further based on the origin of the digital signature.
  - 4. The system of claim 1, wherein the application exemption manager is further configured to enable the standard user to assign a temporal applicability to the exemption instruction, wherein the temporal applicability indicates whether to apply the exemption instruction on a permanent basis or a temporary basis.
  - 5. The system of claim 1, wherein the computer-readable instructions further cause the at least one processor to cause an entry that corresponds to the exemption instruction to be added to a policy learning log that is accessible by a policy management service.
  - 6. The system of claim 1, wherein the computer-readable instructions further cause the at least one processor to prompt policy adjudication to generate particular application management settings corresponding to the particular application based on at least one of the exemption instruction or a temporal applicability assigned to the exemption instruction.
  - 7. The system of claim 1, wherein the computer-readable instructions further cause the at least one processor to:
    - generate, based on the exemption instruction, a contained computing environment that is configured to manage disclosures of the one or more enterprise resources according to the security policy; and
      
      launch the particular application within the contained computing environment to permit the particular application to access the particular data resource from the managed account.

8. A computer-implemented method, comprising:
- obtaining, from an administrative authority account, security policy data that indicates a set of approved applications that an administrative authority has approved for use to access enterprise resources from a managed account that corresponds to a standard user, wherein the administrative authority account is associated with a greater level of administrative rights than the managed account that corresponds to the standard user;
  
  determining, based on the security policy data, a default security policy that includes application management settings to indicate a set of permitted applications that are permitted to access the enterprise resources from the managed account;
  
  receiving a request associated with accessing the enterprise resources from the managed account through a particular application that is not included in the set of permitted applications;
  
  determining that the particular application is included in the set of approved applications;
  
  exposing, based at least in part on the request, a security policy customization interface to enable the standard user to generate, from the managed account, a custom security policy by modifying the application management settings to include the particular application within the set of permitted applications, wherein the custom security policy is generated from the managed account without prompting input from the administrative authority account; and
  
  permitting, based on the custom security policy, the particular application to access the enterprise resources from the managed account.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented method of claim 8, further comprising:
    - transmitting the custom security policy to a policy management service to prompt the administrative authority to perform policy adjudication with respect to the custom security policy; and
      
      receiving updated security policy data that is based at least in part on the policy adjudication.
  - 10. The computer-implemented method of claim 8, further comprising:
    - analyzing an administrative hierarchy to identify one or more other managed accounts that are associated with the managed account; and
      
      permitting, based on the custom security policy, the particular application to access the enterprise resources from the one or more other managed accounts.
  - 11. The computer-implemented method of claim 8, wherein the security policy data further indicates a set of denied applications that the administrative authority has disapproved for accessing the enterprise resources from the managed account, and wherein the security policy customization interface is configured to prevent the standard user from modifying the application management settings to include individual applications from the set of denied applications.
  - 12. The computer-implemented method of claim 9, further comprising:
    - determining a trust level corresponding to the managed account; and
      
      enabling the standard user to unilaterally deploy the custom security policy based on a trust level meeting or exceeding a threshold trust level.
  - 13. The computer-implemented method of claim 8, wherein the security policy customization interface is further configured to enable the standard user to indicate a predefined applicability interval associated with the custom security policy, and wherein permitting the particular application to access the enterprise resources from the managed account is limited to the predefined applicability interval.
  - 14. The computer-implemented method of claim 8, further comprising authenticating the standard user based on user credentials that correspond to the managed account, and wherein enabling the standard user to generate the custom security policy is further based on the authenticating the standard user.

15. A computer-implemented method, comprising:
- obtaining a security policy that includes application management settings that define a set of permitted applications that have been indicated as being permitted to access one or more enterprise resources from a managed account that corresponds to a standard user, wherein the application management settings are generated through an administrative authority account that corresponds to a greater level of administrative rights than the managed account that corresponds to the standard user;
  
  receiving a request to access a particular data resource through a particular application that is operating from the managed account that corresponds to the standard user;
  
  determining that the particular data resource is tagged as an enterprise data resource and that the particular application is not included in the set of permitted applications that have been indicated as being permitted to access the one or more enterprise resources from the managed account that corresponds to the standard user;
  
  exposing an application exemption manager that is configured to enable the standard user to generate, from the managed account without prompting input from the administrative authority account, an exemption instruction to at least partially exempt the particular application from the security policy; and
  
  permitting, based on the exemption instruction, the particular application to access the particular data resource from the managed account.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-implemented method of claim 15, wherein the application exemption manager is further configured to enable the standard user to assign a temporal applicability to the exemption instruction.
  - 17. The computer-implemented method of claim 16, wherein the temporal applicability indicates whether to apply the exemption instruction on a permanent basis or a temporary basis.
  - 18. The computer-implemented method of claim 15, wherein permitting the particular application to access the particular data resource from the managed account based on the exemption instruction includes:
    - generating, based on the exemption instruction, a contained computing environment that is configured to manage disclosures of the one or more enterprise resources according to the security policy; and
      
      launching the particular application within the contained computing environment to permit the particular application to access the particular data resource from the managed account.
  - 19. The computer-implemented method of claim 15, further comprising causing an entry that corresponds to the exemption instruction to be added to a policy learning log that is accessible by a policy management service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Adam, Preston Derek, Barhudarian, Violet Anna, Acharya, Narendra S., June, Richard, Lahiri, Shayak, Wu, Qiongzhi
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/449,847
Publication Number

US 20180255101A1
Time in Patent Office

928 Days
Field of Search

709226, 726 1, 726 2, 726 7, 713176
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/3247   involving digital signatures

Delegating security policy management authority to managed accounts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Delegating security policy management authority to managed accounts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links