Incremental security policy development for an enterprise network
First Claim
1. A system for prompting incremental security policy development for an enterprise network, the system comprising:
at least one processor; and
at least one memory in communication with the at least one processor, the at least one memory having computer-readable instructions stored thereupon that, when executed by the at least one processor, cause the at least one processor to:
obtain security policy data defining access permissions for a plurality of computing resources with respect to an enterprise data resource;
analyze a data request to identify a particular computing resource that is requesting access to the enterprise data resource, wherein the particular computing resource is a uniquely identifiable application or device that enables a user to at least one of view data files or manipulate the data files;
determine that the security policy data lacks both:
particular access permissions that expressly permit the particular computing resource to access the enterprise data resource, and
particular access restrictions that expressly restrict the particular computing resource from accessing the enterprise data resource;
in response to the security policy data lacking both the particular access permissions and the particular access restrictions, cause an entry that identifies the particular computing resource to be added to a policy learning log to indicate that the security policy data lacks both of the particular access permissions and the particular access restrictions for the particular computing resource with respect to the enterprise data resource; and
provide a policy gap notification that corresponds to the entry to a policy management service, wherein the policy gap notification is configured to prompt policy adjudication associated with the particular access permissions for the particular computing resource with respect to the enterprise data resource.
Abstract
A system may identify resources such as applications or network locations that are not adequately covered by an enterprise's security policy to notify a network administrator of such deficiencies. An exemplary security policy may allow or deny access to individual functional resources (e.g. computing devices and/or applications) or groups of functional resources to individual data resources (e.g. enterprise network storage locations and/or enterprise data) or groups of data resources. The system may monitor enterprise network activity to identify when a security policy fails to define permissions corresponding to the use of particular resources. In response to identifying such gaps in the security policy, the system may enter policy enforcement event information into a policy learning log. The system may further generate a policy gap notification and transmit this notification to a policy management service to prompt a network administrator to take remedial action if appropriate.
Claims (20 total)
1. A system for prompting incremental security policy development for an enterprise network (set out in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computer-implemented method, comprising:
obtaining security policy data defining disclosure permissions for a group of trusted resources associated with an enterprise network, the group of trusted resources including at least a trusted computing resource, wherein the trusted computing resource is a uniquely identifiable computing application or computing device;
analyzing a disclosure request associated with the trusted computing resource to identify a particular network resource to which the trusted computing resource is requesting to disclose enterprise data;
determining that the security policy data lacks particular disclosure permissions corresponding to the particular network resource to which the trusted computing resource is requesting to disclose the enterprise data;
responsive to determining that the security policy data lacks the particular disclosure permissions corresponding to the particular network resource, causing an entry that designates the particular network resource as an unfamiliar network resource to be added to a policy learning log; and
providing a policy gap notification that corresponds to the entry to a policy management service, wherein the policy gap notification is configured to prompt policy adjudication for generation of the particular disclosure permissions corresponding to the unfamiliar network resource.
Dependent claims: 10, 11, 12, 13, 14, 15
16. A computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by one or more processors of a computing device, cause the one or more processors of the computing device to:
obtain security policy data defining permissions for a plurality of computing resources that are configured to communicate enterprise data via an enterprise network;
analyze a request to identify a particular computing resource that is attempting to disclose the enterprise data outside of the enterprise network, or access the enterprise data from the enterprise network, or both, wherein the particular computing resource is a uniquely identifiable application or device that enables a user to at least one of view data files or manipulate the data files;
determine that the security policy data lacks at least one of:
particular disclosure permissions that expressly permit the particular computing resource to disclose the enterprise data outside of the enterprise network, or
particular access permissions that expressly permit the particular computing resource to access the enterprise data from the enterprise network;
designate the particular computing resource as an unfamiliar computing resource based on the security policy data lacking the particular disclosure permissions or the particular access permissions for the particular computing resource;
determine that a delivery mechanism through which the unfamiliar computing resource was delivered to the computing device corresponds to one or more trusted delivery mechanisms associated with the enterprise network; and
permit, based on the delivery mechanism corresponding to the one or more trusted delivery mechanisms, the request to enable the unfamiliar computing resource to disclose the enterprise data outside of the enterprise network, or access the enterprise data from the enterprise network, or both.
Dependent claims: 17, 18, 19, 20
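The abstract and claims 1, 9 and 16 describe one mechanism from three angles: look up the explicit policy for a (computing resource, action, target) pair, treat the absence of both an explicit permission and an explicit restriction as a policy gap, record the gap in a policy learning log, notify the policy management service, and, in the claim 16 variant, admit an unfamiliar resource only when it arrived through a trusted delivery mechanism. The following is an added example written to illustrate that mechanism; it is not code from the patent or from any product of the assignee. The rule syntax, group names, the "deny beats allow" ordering, the default-deny on an unadjudicated gap, and all sample requests are constructed assumptions, not something the claims specify.

```python
"""Added example (not the patent's or any product's code): a minimal
policy-gap detector. A policy is a list of explicit allow/deny rules over
(computing resource, action, target). A request covered by neither an
explicit permission nor an explicit restriction is a gap: it is written to
the policy learning log, a policy-gap notification is queued, and the
request is admitted only if the resource came via a trusted delivery
mechanism (claim 16), otherwise denied pending adjudication (assumed)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    GAP = "gap"  # policy is silent: neither explicit permit nor explicit restrict


@dataclass(frozen=True)
class Rule:
    subject: str  # resource id (e.g. "app:spreadsheet") or group id (e.g. "group:office-apps")
    action: str   # "access" (read enterprise data) or "disclose" (send it to a network resource)
    target: str   # data resource, destination network resource, or a group of either
    effect: str   # "allow" or "deny"


@dataclass
class PolicyEngine:
    rules: list
    groups: dict = field(default_factory=dict)           # group id -> set of member ids (constructed)
    trusted_delivery: set = field(default_factory=set)   # trusted delivery mechanisms, e.g. {"mdm"}
    learning_log: list = field(default_factory=list)     # policy learning log entries
    notifications: list = field(default_factory=list)    # queued policy-gap notifications

    def _matches(self, pattern: str, value: str) -> bool:
        # A rule term matches a value directly or through group membership
        return pattern == value or value in self.groups.get(pattern, ())

    def lookup(self, resource: str, action: str, target: str) -> Decision:
        """Explicit-policy lookup. Assumed ordering: deny beats allow; no rule at all is a gap."""
        effects = {r.effect for r in self.rules
                   if r.action == action
                   and self._matches(r.subject, resource)
                   and self._matches(r.target, target)}
        if "deny" in effects:
            return Decision.DENY
        if "allow" in effects:
            return Decision.ALLOW
        return Decision.GAP

    def evaluate(self, request: dict) -> dict:
        """Decide one request; on a policy gap, log it, notify, and apply the delivery check."""
        resource, action, target = request["resource"], request["action"], request["target"]
        decision = self.lookup(resource, action, target)
        if decision is not Decision.GAP:
            return {"decision": decision.value, "reason": "explicit policy"}

        # Gap: neither permission nor restriction exists for this pair (claim 1 / claim 9)
        entry = {"resource": resource, "action": action, "target": target, "status": "unfamiliar"}
        self.learning_log.append(entry)
        self.notifications.append({"type": "policy_gap", "entry": entry,
                                   "prompt": "adjudicate permissions for this resource"})
        delivery = request.get("delivery")
        if delivery in self.trusted_delivery:  # claim 16: trusted delivery mechanism admits it
            return {"decision": "allow",
                    "reason": f"unfamiliar resource delivered via trusted mechanism '{delivery}'"}
        return {"decision": "deny", "reason": "policy gap; denied pending adjudication (assumed default)"}


def build_demo_engine() -> PolicyEngine:
    """Constructed sample policy: one group allow, one explicit deny, MDM as trusted delivery."""
    return PolicyEngine(
        rules=[
            Rule("group:office-apps", "access", "share:finance", "allow"),
            Rule("app:legacy-sync", "disclose", "net:public-cloud", "deny"),
        ],
        groups={"group:office-apps": {"app:spreadsheet", "app:docs"}},
        trusted_delivery={"mdm"},
    )


def run_demo() -> dict:
    """Evaluate constructed requests; returns decisions in order plus log/notification counts."""
    engine = build_demo_engine()
    requests = [
        {"resource": "app:spreadsheet", "action": "access", "target": "share:finance"},       # allow via group
        {"resource": "app:legacy-sync", "action": "disclose", "target": "net:public-cloud"},  # explicit deny
        {"resource": "app:unknown-viewer", "action": "access", "target": "share:finance"},    # gap, no trusted delivery
        {"resource": "app:new-editor", "action": "access", "target": "share:finance",
         "delivery": "mdm"},                                                                  # gap, trusted delivery
        {"resource": "app:spreadsheet", "action": "disclose", "target": "net:partner-sftp"},  # gap on disclosure target
    ]
    decisions = [engine.evaluate(r)["decision"] for r in requests]
    return {"decisions": decisions,
            "gaps_logged": len(engine.learning_log),
            "notifications": len(engine.notifications)}


if __name__ == "__main__":
    print(run_demo())
```

Note that the learning log records every gap, including the one that was admitted through the trusted delivery path; that is the point of the log in the claims, since the administrator still needs to adjudicate a permanent rule for the now-known resource, and an admitted-but-unadjudicated resource is exactly the kind of entry a reviewer should look at first.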