Activity based access control in heterogeneous environments

US 10,454,934 B2
Filed: 04/07/2017
Issued: 10/22/2019
Est. Priority Date: 04/08/2016
Status: Active Grant

First Claim

Patent Images

1. A method for providing data security, the method comprising:

obtaining privilege data from a plurality of authorization systems authorizing access to a set of heterogeneous cloud-based services, the privilege data describing, for a user of the authorization systems, one or more of;

monitored activities, behaviors, privileges, and derived information for privileges;

transforming the privilege data to a common privilege information model, the common privilege information model normalizing the privilege data across the plurality of authorization systems;

monitoring an activity of the user when accessing any of the plurality of authorization systems over a period of time;

applying a security policy to the common privilege information model, the security policy determining adjustments to the privilege data in the common privilege information model based at least in part on the monitored activity; and

dynamically adjusting the common privilege information model based on the applied security policy,wherein the adjustment to the common privilege information model comprises at least one of;

a revocation of access to the user to a particular service of the plurality of authorization systems, anddynamically granting of access to the user to the particular service of the plurality of authorization systems.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, a system and/or an apparatus of activity based access control in heterogeneous information technology infrastructure is disclosed. The infrastructure security server authenticates that a user is authorized to access a set of heterogeneous cloud-based services using at least one heterogeneous authorization system. The method monitors an activity of the user when accessing any of the set of heterogeneous cloud-based services over a period of time using a processor and a memory. The method dynamically adjusts access privileges to the set of heterogeneous cloud-based services. The adjustment to the access privileges includes a revocation of access to the user to a particular service of the set of heterogeneous cloud-based services and/or dynamically granting of access to the user to the particular service of the set of heterogeneous cloud-based services.

223 Citations

14 Claims

1. A method for providing data security, the method comprising:
- obtaining privilege data from a plurality of authorization systems authorizing access to a set of heterogeneous cloud-based services, the privilege data describing, for a user of the authorization systems, one or more of;
  
  monitored activities, behaviors, privileges, and derived information for privileges;
  
  transforming the privilege data to a common privilege information model, the common privilege information model normalizing the privilege data across the plurality of authorization systems;
  
  monitoring an activity of the user when accessing any of the plurality of authorization systems over a period of time;
  
  applying a security policy to the common privilege information model, the security policy determining adjustments to the privilege data in the common privilege information model based at least in part on the monitored activity; and
  
  dynamically adjusting the common privilege information model based on the applied security policy,wherein the adjustment to the common privilege information model comprises at least one of;
  
  a revocation of access to the user to a particular service of the plurality of authorization systems, anddynamically granting of access to the user to the particular service of the plurality of authorization systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1,wherein the adjustment to the common privilege information model is at least one of a manual adjustment, a semi-automatic adjustment, and a fully automatic adjustment, andwherein the adjustment to the common privilege information model is performed to reduce a risk of at least one of a theft, a tampering, a hijacking, an accident, a modification, a deletion, an addition, and a destruction of a content accessible through the set of heterogeneous cloud-based services.
  - 3. The method of claim 1, wherein a role of the user is irrelevant when determining whether the revocation of the access to the user is necessary based on the monitored activity.
  - 4. The method of claim 1, whereinthe security policy is at least one of a time-based policy, a rule-based policy, a predictive policy, a role-based policy, a context-based policy, a risk-score based policy, a segment based policy, and a customized policy.
  - 5. The method of claim 1, wherein dynamically adjusting the common privilege information model comprises:
    - assigning Just Enough Privileges (JEP) to the users; and
      
      performing at least one of the following to remove unused privileges;
      
      finding a user permission, a role privilege, and a role access control list of the user,finding operations performed by the user from a user history,analyzing the operations performed by the user,predicting operations to be performed by the user frequently using a machine learning algorithm of a computer, the predictions based on historic use of operations for a time basis,finding the required privileges for the operations predicted to be performed by the user,creating a unique role specific to the user,updating user permission with the unique role for the user, andremoving any other roles assigned to the user.
  - 6. The method of claim 1, wherein the set of heterogeneous cloud-based services includes at least one of an infrastructure service, a platform service, and an application service.
  - 7. The method claim 1, wherein an adjustment to the common privilege information model comprises at least one of a newly granted access privilege including a time window beyond which the access privilege is revoked.
  - 8. The method of claim 1 whereinaccess to the user to a particular service of the plurality of authorization systems is revoked based on the monitored activity indicating that the user does not access the particular service within the period of time.
  - 9. The method of claim 1, further comprising:
    - analyzing security risk associated with the privilege data in the common privilege information model;
      
      computing a security risk score associated with the privilege data in the common privilege information model; and
      
      recommending at least one adjustment to the privilege data in the common privilege information model to reduce the security risk score.
  - 10. The method of claim 9,wherein the security risk score is at least one of a combination of an excessive privilege risk score, a configuration violation risk score, a common vulnerabilities risk score, an exposure risk score, a context based risk score, and a custom risk score.
  - 11. The method of claim 9, wherein the security risk score is based at least in part on one of a singular privilege, a group of privileges, an action, an operation, a software, an application, a device, a component, a machine, a system, an authorization system, a service, a network, a server device, a client device, a cloud-based device, a cloud-based service, an infrastructure, a user, a role, a task, a job, a function, a project, a group, a company, an enterprise, a geographic region, a logical region, a user privilege, a machine privilege, a cloud-based privilege, and a service privilege.
  - 12. The method of claim 9 wherein the security risk score is multi-dimensional across the plurality of authorization systems and the set of heterogeneous cloud-based services, with the multiple dimensions being at least one of:
    - a risk score based on a privilege,a risk score based on an action,a risk score based on an operation,a risk score based on a software,a risk score based on a hardware,a risk score based on a service,a risk score based on an application,a risk score based on a system,a risk score based on a configuration,a risk score based on a configuration violation,a risk score based on a common vulnerability,a risk score based on a risk exposure,a risk score based on a context,a risk score based on one of the heterogeneous cloud-based services,a risk score based on one of the authorization systems,a risk score based on a network,a risk score based on a geographic region,a risk score based on a logical region,a risk score based on an infrastructure,a risk score based on a role,a risk score based on a task,a risk score based on a function,a risk score based on a project,a risk score based on a group,a risk score based on a company, anda risk score based on an enterprise.

13. A system comprising:
- a computer processor for executing computer program instructions; and
  
  a non-transitory computer-readable storage medium storing computer program instructions executable by the processor to perform operations comprising;
  
  obtaining privilege data from a plurality of authorization systems authorizing access to a set of heterogeneous cloud-based services, the privilege data describing, for a user of the authorization systems, one or more of;
  
  monitored activities, behaviors, privileges, and derived information for privileges;
  
  transforming the privilege data to a common privilege information model, the common privilege information model normalizing the privilege data across the plurality of authorization systems;
  
  monitoring an activity of the user when accessing any of the plurality of authorization systems over a period of time;
  
  applying a security policy to the common privilege information model, the security policy determining adjustments to the privilege data in the common privilege information model based at least in part on the monitored activity; and
  
  dynamically adjusting the common privilege information model based on the applied security policy,wherein the adjustment to the common privilege information model comprises at least one of;
  
  a revocation of access to the user to a particular service of the plurality of authorization systems, anddynamically granting of access to the user to the particular service of the plurality of authorization systems.
- View Dependent Claims (14)
- - 14. The system of claim 13, wherein thesecurity policy is at least one of a time-based policy, a rule-based policy, a predictive policy, a role-based policy, a context-based policy, a risk-score based policy, a segment based policy, and a customized policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
CloudKnox Security, Inc. (Microsoft Corporation)
Inventors
Parimi, Balaji, Cherukuri, Koteswara Rao
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/481,485
Publication Number

US 20170295181A1
Time in Patent Office

928 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/025   Extracting rules from data

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/535   Tracking the activity of th...

Activity based access control in heterogeneous environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

223 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Activity based access control in heterogeneous environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

223 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links