Reducing risks associated with recertification of dormant accounts
First Claim
1. A method to improve an identity and access management (IAM) system to thereby reduce risk associated with recertification of an account having an access entitlement, comprising:
- providing a display interface of the IAM system to receive information configuring the IAM system to enable dormant accounts to be temporarily suspended prior to initiation of a recertification campaign;
- selecting accounts for recertification in accordance with a recertification policy;
- determining which of the selected accounts are dormant accounts;
- for each of the determined dormant accounts, and responsive to the receipt of the information, automatically and temporarily suspending access to the determined dormant account prior to initiating recertification of the suspended dormant account;
- while the suspended dormant account is temporarily suspended, and prior to the initiation of the recertification of the suspended dormant account, issuing a notification to an entity associated with the suspended dormant account to determine whether the entity has a continued access need with respect to the suspended dormant account, wherein the suspending access to the suspended dormant account prior to the initiation of the recertification of the suspended dormant account ensures the suspended dormant account is unable to be accessed by the entity and the notification is not used by the entity as an attack vector; and
- responsive to a receipt of an indication that the entity has the continued access need, removing the temporary suspension of the suspended dormant account.
Abstract
An identity management system is augmented to provide for automated suspension of all dormant accounts before launching a re-certification campaign (pass). In one implementation, prior to receiving a recertification notice from the system, the affected user's account is already suspended and thus cannot be accessed. Once the recertification succeeds, however, the account is restored. Preferably, the technique is exposed to an IAM system administrator through a simple interface, e.g., a one-click "suspend and re-certify" button in an administrative menu. When the administrator initiates the re-certification process, he or she may select the button for a particular account or user.
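The suspend-then-notify ordering that the abstract and claim 1 describe, as an added Python model (not code from the patent or from any IAM product): dormant accounts selected by the recertification policy are suspended before the continued-business-need (CBN) notice is issued, access checks fail while suspended, and the suspension is lifted only when the associated entity confirms the need. The 90-day dormancy threshold, the privileged-only selection policy, the account names and the responder check in `confirm_continued_need` are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DORMANCY_THRESHOLD = timedelta(days=90)  # assumed policy value, not from the patent

@dataclass
class Account:
    name: str
    owner: str            # entity that receives the CBN notice
    last_login: datetime
    entitlements: frozenset
    suspended: bool = False

class IamSystem:
    def __init__(self, accounts, now):
        self.accounts = {a.name: a for a in accounts}
        self.now = now
        self.audit = []  # ordered log; shows that suspension precedes the notice

    def access_allowed(self, name):
        return not self.accounts[name].suspended

    def is_dormant(self, acct):
        return self.now - acct.last_login >= DORMANCY_THRESHOLD

    def suspend_and_recertify(self, policy):
        # Select per policy, suspend every dormant account, then issue CBN notices.
        dormant = [a for a in self.accounts.values() if policy(a) and self.is_dormant(a)]
        for a in dormant:  # step 1: suspend first, so the notice cannot be abused
            a.suspended = True
            self.audit.append(("suspend", a.name))
        for a in dormant:  # step 2: notify the owner of an already-suspended account
            self.audit.append(("cbn_notice", a.name, a.owner))
        return [a.name for a in dormant]

    def confirm_continued_need(self, name, responder):
        # Lift the suspension only when the associated entity confirms the need.
        acct = self.accounts[name]
        if responder != acct.owner or not acct.suspended:
            self.audit.append(("rejected", name, responder))
            return False
        acct.suspended = False
        self.audit.append(("reinstate", name))
        return True

def build_demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    accounts = [
        Account("svc-backup", "alice", now - timedelta(days=120), frozenset({"admin"})),
        Account("bob", "bob", now - timedelta(days=3), frozenset({"admin"})),
        Account("carol", "carol", now - timedelta(days=200), frozenset({"reader"})),
    ]
    iam = IamSystem(accounts, now)
    iam.suspend_and_recertify(policy=lambda a: "admin" in a.entitlements)  # privileged-only
    return iam
```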
31 Citations
17 Claims
1. (Claim 1 is reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5.
6. An apparatus, comprising:
- a processor;
- computer memory holding computer program instructions executed by the processor to improve an identity and access management (IAM) system to thereby reduce risk associated with recertification of an account having an access entitlement, the computer program instructions comprising:
- program code operative to provide a display interface of the IAM system to receive information configuring the IAM system to enable dormant accounts to be temporarily suspended prior to initiation of a recertification campaign;
- program code operative to select accounts for recertification in accordance with a recertification policy;
- program code operative to determine which of the selected accounts are dormant accounts;
- program code operative for each of the determined dormant accounts and responsive to the receipt of the information to automatically and temporarily suspend access to the determined dormant account prior to initiating recertification of the suspended dormant account;
- program code operative while the suspended dormant account is temporarily suspended, and prior to the initiation of the recertification of the suspended dormant account, to issue a notification to an entity associated with the suspended dormant account to determine whether the entity has a continued access need with respect to the suspended dormant account, wherein the suspending access to the suspended dormant account prior to the initiation of the recertification of the suspended dormant account ensures the suspended dormant account is unable to be accessed by the entity and the notification is not used by the entity as an attack vector; and
- program code operative in response to a receipt of an indication that the entity has the continued access need to remove the suspension of the suspended dormant account.
Dependent claims: 7, 8, 9, 10.
11. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, to improve an identity and access management (IAM) system to thereby reduce risk associated with recertification of an account having an access entitlement, the computer program instructions comprising:
- program code operative to provide a display interface of the IAM system to receive information configuring the IAM system to enable dormant accounts to be temporarily suspended prior to initiation of a recertification campaign;
- program code operative to select accounts for recertification in accordance with a recertification policy;
- program code operative to determine which of the selected accounts are dormant accounts;
- program code operative for each of the determined dormant accounts and responsive to the receipt of the information to automatically and temporarily suspend access to the determined dormant account prior to initiating recertification of the suspended dormant account;
- program code operative while the suspended dormant account is temporarily suspended, and prior to the initiation of the recertification of the suspended dormant account, to issue a notification to an entity associated with the suspended dormant account to determine whether the entity has a continued access need with respect to the suspended dormant account, wherein the suspending access to the suspended dormant account prior to the initiation of the recertification of the suspended dormant account ensures the suspended dormant account is unable to be accessed by the entity and the notification is not used by the entity as an attack vector; and
- program code operative in response to a receipt of an indication that the entity has the continued access need to remove the suspension of the suspended dormant account.
Dependent claims: 12, 13, 14, 15.
16. An apparatus for improving a security capability of an identity access and management (IAM) system, the IAM system having accounts, each account of the accounts having an access entitlement, comprising:
- a hardware processor;
- computer memory holding computer program instructions executed by the hardware processor to provide account access recertification according to a recertification policy, the computer program instructions operative to receive a suspend-and-recertify control command via a display interface of the IAM system to enable dormant accounts to be temporarily suspended prior to initiation of a recertification campaign, responsive to the receipt of the suspend-and-recertify control command to select accounts for recertification in accordance with the recertification policy, to determine which of the selected accounts are dormant accounts, to automatically and temporarily suspend access to each of the determined dormant accounts prior to issuing a continued business need (CBN) notification to an entity associated with the suspended dormant account, and while the suspended dormant account is temporarily suspended and prior to initiating recertification of the suspended dormant account, to issue the CBN notification to the entity, wherein the suspending access to each of the determined dormant accounts prior to initiating the CBN notification ensures the suspended dormant account is unable to be accessed by the entity and that the CBN notification is not used by the entity as an attack vector.
Dependent claims: 17.
Specification