Reducing risks associated with recertification of dormant accounts

US 10,440,029 B2
Filed: 09/02/2015
Issued: 10/08/2019
Est. Priority Date: 09/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method to improve an identity and access management (IAM) system to thereby reduce risk associated with recertification of an account having an access entitlement, comprising:

providing a display interface of the IAM system to receive information configuring the IAM system to enable dormant accounts to be temporarily suspended prior to initiation of a recertification campaign;

selecting accounts for recertification in accordance with a recertification policy;

determining which of the selected accounts are dormant accounts;

for each of the determined dormant accounts, and responsive to the receipt of the information, automatically and temporarily suspending access to the determined dormant account prior to initiating recertification of the suspended dormant account;

while the suspended dormant account is temporarily suspended, and prior to the initiation of the recertification of the suspended dormant account, issuing a notification to an entity associated with the suspended dormant account to determine whether the entity has a continued access need with respect to the suspended dormant account, wherein the suspending access to the suspended dormant account prior to the initiation of the recertification of the suspended dormant account ensures the suspended dormant account is unable to be accessed by the entity and the notification is not used by the entity as an attack vector; and

responsive to a receipt of an indication that the entity has the continued access need, removing the temporary suspension of the suspended dormant account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identity management system is augmented to provide for automated suspension of all dormant accounts before launching a re-certification campaign (pass). In one implementation, prior to receiving a recertification notice from the system, the affected user'"'"'s account is already suspended and thus cannot be accessed. Once the recertification succeeds, however, the account is restored. Preferably, the technique is exposed to an IAM system administrator through a simple interface, e.g., a one-click “suspend and re-certify” button in an administrative menu. When the administrator initiates the re-certification process, he or she may select the button for a particular account or user.

31 Citations

View as Search Results

17 Claims

1. A method to improve an identity and access management (IAM) system to thereby reduce risk associated with recertification of an account having an access entitlement, comprising:
- providing a display interface of the IAM system to receive information configuring the IAM system to enable dormant accounts to be temporarily suspended prior to initiation of a recertification campaign;
  
  selecting accounts for recertification in accordance with a recertification policy;
  
  determining which of the selected accounts are dormant accounts;
  
  for each of the determined dormant accounts, and responsive to the receipt of the information, automatically and temporarily suspending access to the determined dormant account prior to initiating recertification of the suspended dormant account;
  
  while the suspended dormant account is temporarily suspended, and prior to the initiation of the recertification of the suspended dormant account, issuing a notification to an entity associated with the suspended dormant account to determine whether the entity has a continued access need with respect to the suspended dormant account, wherein the suspending access to the suspended dormant account prior to the initiation of the recertification of the suspended dormant account ensures the suspended dormant account is unable to be accessed by the entity and the notification is not used by the entity as an attack vector; and
  
  responsive to a receipt of an indication that the entity has the continued access need, removing the temporary suspension of the suspended dormant account.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as described in claim 1 wherein the information is a control command that initiates a suspend-and-recertify operation with respect to one or more dormant accounts.
  - 3. The method as described in claim 1 wherein the notification is a continued business need (CBN) notice.
  - 4. The method as described in claim 1 wherein the step of determining which of the selected accounts are dormant accounts includes one of:
    - receiving a dormant account report identifying one or more dormant accounts, and querying a service to obtain last login data for a particular account associated with the service.
  - 5. The method as described in claim 1 further including:
    - responsive to a receipt of an indication that the entity has no continued access need, de-associating the suspended dormant account and the entity.

6. An apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to improve an identity and access management (IAM) system to thereby reduce risk associated with recertification of an account having an access entitlement, the computer program instructions comprising;
  
  program code operative to provide a display interface of the IAM system to receive information configuring the IAM system to enable dormant accounts to be temporarily suspended prior to initiation of a recertification campaign;
  
  program code operative to select accounts for recertification in accordance with a recertification policy;
  
  program code operative to determine which of the selected accounts are dormant accounts;
  
  program code operative for each of the determined dormant accounts and responsive to the receipt of the information to automatically and temporarily suspend access to the determined dormant account prior to initiating recertification of the suspended dormant account;
  
  program code operative while the suspended dormant account is temporarily suspended, and prior to the initiation of the recertification of the suspended dormant account, to issue a notification to an entity associated with the suspended dormant account to determine whether the entity has a continued access need with respect to the suspended dormant account, wherein the suspending access to the suspended dormant account prior to the initiation of the recertification of the suspended dormant account ensures the suspended dormant account is unable to be accessed by the entity and the notification is not used by the entity as an attack vector; and
  
  program code operative in response to a receipt of an indication that the entity has the continued access need to remove the suspension of the suspended dormant account.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus as described in claim 6 wherein the information is a control command that initiates a suspend-and-recertify operation with respect to one or more dormant accounts.
  - 8. The apparatus as described in claim 6 wherein the notification is a continued business need (CBN) notice.
  - 9. The apparatus as described in claim 6 wherein the computer program instructions operative to determine which of the selected accounts are dormant accounts include program code further operative to receive a dormant account report identifying one or more dormant accounts or to query a service to obtain last login data for a particular account associated with the service.
  - 10. The apparatus as described in claim 6 wherein the computer program instructions further include program code operative in response to a receipt of an indication that the entity has no continued access need to de-associate the suspended dormant account and the entity.

11. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, to improve an identity and access management (IAM) system to thereby reduce risk associated with recertification of an account having an access entitlement, the computer program instructions comprising:
- program code operative to provide a display interface of the IAM system to receive information configuring the IAM system to enable dormant accounts to be temporarily suspended prior to initiation of a recertification campaign;
  
  program code operative to select accounts for recertification in accordance with a recertification policy;
  
  program code operative to determine which of the selected accounts are dormant accounts;
  
  program code operative for each of the determined dormant accounts and responsive to the receipt of the information to automatically and temporarily suspend access to the determined dormant account prior to initiating recertification of the suspended dormant account;
  
  program code operative while the suspended dormant account is temporarily suspended, and prior to the initiation of the recertification of the suspended dormant account, to issue a notification to an entity associated with the suspended dormant account to determine whether the entity has a continued access need with respect to the suspended dormant account, wherein the suspending access to the suspended dormant account prior to the initiation of the recertification of the suspended dormant account ensures the suspended dormant account is unable to be accessed by the entity and the notification is not used by the entity as an attack vector; and
  
  program code operative in response to a receipt of an indication that the entity has the continued access need to remove the suspension of the suspended dormant account.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer program product as described in claim 11 wherein the information is a control command that initiates a suspend-and-recertify operation with respect to one or more dormant accounts.
  - 13. The computer program product as described in claim 11 wherein the notification is a continued business need (CBN) notice.
  - 14. The computer program product as described in claim 11 wherein the computer program instructions operative to determine which of the selected accounts are dormant accounts include program code further operative to receive a dormant account report identifying one or more dormant accounts or to query a service to obtain last login data for a particular account associated with the service.
  - 15. The computer program product as described in claim 11 wherein the computer program instructions further include program code operative in response to a receipt of an indication that the entity has no continued access need to de-associate the suspended dormant account and the entity.

16. An apparatus for improving a security capability of an identity access and management (IAM) system, the IAM system having accounts, each account of the accounts having an access entitlement, comprising:
- a hardware processor;
  
  computer memory holding computer program instructions executed by the hardware processor to provide account access recertification according to a recertification policy, the computer program instructions operative to receive a suspend-and-recertify control command via a display interface of the IAM system to enable dormant accounts to be temporarily suspended prior to initiation of a recertification campaign, responsive to the receipt of the suspend-and-recertify control command to select accounts for recertification in accordance with the recertification policy, to determine which of the selected accounts are dormant accounts, to automatically and temporarily suspend access to each of the determined dormant accounts prior to issuing a continued business need (CBN) notification to an entity associated with the suspended dormant account, and while the suspended dormant account is temporarily suspended and prior to initiating recertification of the suspended dormant account, to issue the CBN notification to the entity, wherein the suspending access to each of the determined dormant accounts prior to initiating the CBN notification ensures the suspended dormant account is unable to be accessed by the entity and that the CBN notification is not used by the entity as an attack vector.
- View Dependent Claims (17)
- - 17. The apparatus as described in claim 16 wherein the computer program instructions are further operative to restore access to a dormant account upon a receipt of a given response to a CBN notification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hidden, Jean Elizabeth, Chia, Gee Ngoo, Matthiesen, Brian Robert, Turcol, Stephen J.
Primary Examiner(s)
Nguyen, Trong H

Application Number

US14/842,889
Publication Number

US 20170063873A1
Time in Patent Office

1,497 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

Reducing risks associated with recertification of dormant accounts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Reducing risks associated with recertification of dormant accounts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others