Incremental security policy development for an enterprise network

US 10,511,632 B2
Filed: 03/03/2017
Issued: 12/17/2019
Est. Priority Date: 03/03/2017
Status: Active Grant

First Claim

Patent Images

1. A system for prompting incremental security policy development for an enterprise network, the system comprising:

at least one processor; and

at least one memory in communication with the at least one processor, the at least one memory having computer-readable instructions stored thereupon that, when executed by the at least one processor, cause the at least one processor to;

obtain security policy data defining access permissions for a plurality of computing resources with respect to an enterprise data resource;

analyze a data request to identify a particular computing resource that is requesting access to the enterprise data resource, wherein the particular computing resource is a uniquely identifiable application or device that enables a user to at least one of view data files or manipulate the data files;

determine that the security policy data lacks both;

particular access permissions that expressly permit the particular computing resource to access the enterprise data resource, andparticular access restrictions that expressly restrict the particular computing resource from accessing the enterprise data resource;

in response to the security policy data lacking both the particular access permissions and the particular access restrictions, cause an entry that identifies the particular computing resource to be added to a policy learning log to indicate that the security policy data lacks both of the particular access permissions and the particular access restrictions for the particular computing resource with respect to the enterprise data resource; and

provide a policy gap notification that corresponds to the entry to a policy management service, wherein the policy gap notification is configured to prompt policy adjudication associated with the particular access permissions for the particular computing resource with respect to the enterprise data resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system may identify resources such as applications or network locations that are not adequately covered by an enterprise'"'"'s security policy to notify a network administrator of such deficiencies. An exemplary security policy may allow or deny access to individual functional resources (e.g. computing devices and/or applications) or groups of functional resources to individual data resources (e.g. enterprise network storage locations and/or enterprise data) or groups of data resources. The system may monitor enterprise network activity to identify when a security policy fails to define permissions corresponding to the use of particular resources. In response to identifying such gaps in the security policy, the system may enter policy enforcement event information into a policy learning log. The system may further generate a policy gap notification and transmit this notification to a policy management service to prompt a network administrator to take remedial action if appropriate.

61 Citations

View as Search Results

20 Claims

1. A system for prompting incremental security policy development for an enterprise network, the system comprising:
- at least one processor; and
  
  at least one memory in communication with the at least one processor, the at least one memory having computer-readable instructions stored thereupon that, when executed by the at least one processor, cause the at least one processor to;
  
  obtain security policy data defining access permissions for a plurality of computing resources with respect to an enterprise data resource;
  
  analyze a data request to identify a particular computing resource that is requesting access to the enterprise data resource, wherein the particular computing resource is a uniquely identifiable application or device that enables a user to at least one of view data files or manipulate the data files;
  
  determine that the security policy data lacks both;
  
  particular access permissions that expressly permit the particular computing resource to access the enterprise data resource, andparticular access restrictions that expressly restrict the particular computing resource from accessing the enterprise data resource;
  
  in response to the security policy data lacking both the particular access permissions and the particular access restrictions, cause an entry that identifies the particular computing resource to be added to a policy learning log to indicate that the security policy data lacks both of the particular access permissions and the particular access restrictions for the particular computing resource with respect to the enterprise data resource; and
  
  provide a policy gap notification that corresponds to the entry to a policy management service, wherein the policy gap notification is configured to prompt policy adjudication associated with the particular access permissions for the particular computing resource with respect to the enterprise data resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the computer-readable instructions further cause the at least one processor to:
    - prevent, at a first time, the particular computing resource from accessing the enterprise data resource based on the security policy data not defining the particular access permissions; and
      
      record, within the policy learning log, an enforcement event that indicates that the particular computing resource was blocked from accessing the enterprise data resource, wherein the policy learning log is accessible by the policy management service for the policy adjudication.
  - 3. The system of claim 2, wherein the computer-readable instructions further cause the at least one processor to:
    - receive, from the policy management service based on the policy gap notification, updated security policy data corresponding to the policy adjudication, the updated security policy data defining the particular access permissions; and
      
      permit, at a second time, the particular computing resource to access the enterprise data resource based on the particular access permissions.
  - 4. The system of claim 1, wherein the computer-readable instructions further cause the at least one processor to:
    - determine resource characteristics corresponding to the particular computing resource, the resource characteristics including at least one of publisher information, resource type information, or resource delivery mechanism information; and
      
      determine, based on the resource characteristics, whether to prevent the particular computing resource from accessing the enterprise data resource in response to the security policy data not defining the particular access permissions.
  - 5. The system of claim 1, wherein the computer-readable instructions further cause the at least one processor to permit the particular computing resource to access the enterprise data resource based at least in part on the security policy data not defining the particular access permissions.
  - 6. The system of claim 1, wherein the policy management service is configured to aggregate the entry with a plurality of other entries that are received from a plurality of client devices based on the particular computing resource.
  - 7. The system of claim 1, wherein the policy management service is configured to determine an adjudication urgency score associated with the policy gap notification based on an aggregated number of other entries that bear similarities with the entry, and wherein the policy management service is configured to prompt the policy adjudication according to the adjudication urgency score.
  - 8. The system of claim 1, wherein the policy management service is configured to determine an adjudication urgency score associated with the policy gap notification based on an organizational hierarchy that indicates a level of one or more employees with an enterprise corresponding to the enterprise network, and wherein the policy management service is configured to prompt the policy adjudication according to the adjudication urgency score.

9. A computer-implemented method, comprising:
- obtaining security policy data defining disclosure permissions for a group of trusted resources associated with an enterprise network, the group of trusted resources including at least a trusted computing resource, wherein the trusted computing resource is a uniquely identifiable computing application or computing device;
  
  analyzing a disclosure request associated with the trusted computing resource to identify a particular network resource to which the trusted computing resource is requesting to disclose enterprise data;
  
  determining that the security policy data lacks particular disclosure permissions corresponding to the particular network resource to which the trusted computing resource is requesting to disclose the enterprise data;
  
  responsive to determining that the security policy data lacks the particular disclosure permissions corresponding to the particular network resource, causing an entry that designates the particular network resource as an unfamiliar network resource to be added to a policy learning log; and
  
  providing a policy gap notification that corresponds to the entry to a policy management service, wherein the policy gap notification is configured to prompt policy adjudication for generation of the particular disclosure permissions corresponding to the unfamiliar network resource.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer-implemented method of claim 9, further comprising:
    - determining one or more characteristics associated with the unfamiliar network resource; and
      
      determining whether to permit the trusted computing resource to disclose the enterprise data to the unfamiliar network resource based on the one or more characteristics.
  - 11. The computer-implemented method of claim 9, wherein the trusted computing resource is permitted to disclose the enterprise data to the unfamiliar network resource based on a trust level associated with the trusted computing resource.
  - 12. The computer-implemented method of claim 9, wherein the trusted computing resource is an adjudicated computer program, and wherein the unfamiliar network resource is an unadjudicated data storage resource.
  - 13. The computer-implemented method of claim 9, further comprising:
    - determining a unique identifier corresponding to the unfamiliar network resource to generate default disclosure permissions for the unfamiliar network resource; and
      
      causing the default disclosure permissions to be applied on at least one of a permanent basis or a temporary basis.
  - 14. The computer-implemented method of claim 9, further comprising pushing, based on the security policy data not defining the particular disclosure permissions, at least a portion of the security policy data to the unfamiliar network resource to cause the unfamiliar network resource to segregate the enterprise data based on a mobile device management protocol.
  - 15. The computer-implemented method of claim 9, further comprising:
    - preventing disclosure of the enterprise data via a first disclosure mechanism that corresponds to the disclosure request; and
      
      providing instructions associated with a second disclosure mechanism that are different than the first disclosure mechanism to enable the enterprise data to be disclosed via the second disclosure mechanism.

16. A computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by one or more processors of a computing device, cause the one or more processors of the computing device to:
- obtain security policy data defining permissions for a plurality of computing resources that are configured to communicate enterprise data via an enterprise network;
  
  analyze a request to identify a particular computing resource that is attempting to disclose the enterprise data outside of the enterprise network, or access the enterprise data from the enterprise network, or both, wherein the particular computing resource is a uniquely identifiable application or device that enables a user to at least one of view data files or manipulate the data files;
  
  determine that the security policy data lacks at least one of;
  
  particular disclosure permissions that expressly permit the particular computing resource to disclose the enterprise data outside of the enterprise network, orparticular access permissions that expressly permit the particular computing resource to access the enterprise data from the enterprise network;
  
  designate the particular computing resource as an unfamiliar computing resource based on the security policy data lacking the particular disclosure permissions or the particular access permissions for the particular computing resource;
  
  determine that a delivery mechanism through which the unfamiliar computing resource was delivered to the computing device corresponds to one or more trusted delivery mechanisms associated with the enterprise network; and
  
  permit, based on the delivery mechanism corresponding to the one or more trusted delivery mechanisms, the request to enable the unfamiliar computing resource to disclose the enterprise data outside of the enterprise network, or access the enterprise data from the enterprise network, or both.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable storage medium of claim 16, wherein the instructions further cause the one or more processors of the computing device to:
    - cause an entry that identifies the unfamiliar computing resource to be added to a policy learning log to indicate that the security policy data does not define the particular access permissions for the particular computing resource; and
      
      provide a policy gap notification that corresponds to the entry to a policy management service to prompt policy adjudication for the particular computing resource.
  - 18. The computer-readable storage medium of claim 16, wherein the instructions further cause the one or more processors of the computing device to automatically update the security policy data to include the particular disclosure permissions or the particular access permissions for the particular computing resource in response to the delivery mechanism corresponding to the one or more trusted delivery mechanisms.
  - 19. The computer-readable storage medium of claim 16, wherein the instructions further cause the one or more processors of the computing device to designate the particular computing resource as exempt from application of the permissions defined by the security policy data in response to the delivery mechanism corresponding to the one or more trusted delivery mechanisms.
  - 20. The computer-readable storage medium of claim 16, wherein the delivery mechanism includes the unfamiliar computing resource being delivered to the computing device in response to a user input that selects a link on a webpage of the enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Ward, Michael D., Adam, Preston Derek, Ureche, Octavian T., Agarwal, Vishal, Acharya, Narendra S.
Primary Examiner(s)
Korsak, Oleg

Application Number

US15/449,870
Publication Number

US 20180255102A1
Time in Patent Office

1,019 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/10 for controlling access to d...

H04L 63/20 for managing network securi...

Incremental security policy development for an enterprise network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Incremental security policy development for an enterprise network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others