Systems and methods for automating security controls between computer networks

US 10,673,831 B2
Filed: 08/11/2017
Issued: 06/02/2020
Est. Priority Date: 08/11/2017
Status: Active Grant

First Claim

Patent Images

1. A security control (SC) system comprising one or more security control (SC) computing devices for automating security controls between computer networks, the one or more SC computing devices comprising at least one processor and a memory, the SC system configured to:

generate, using a declared dependency graph, a network topology based on service metadata identifying zones of the computer networks;

identify one or more computer systems included in the computer networks based on the network topology, wherein the identified one or more computer systems are one or more non-privileged access computer systems that do not require privileged access to a service controlled by the one or more SC computing devices;

receive a request to access the service including a system identifier, the system identifier identifies a candidate computer system requesting access to the service;

perform a lookup in the network topology for the candidate computer system;

determine that the candidate computer system is not one of the one or more non-privileged access computer systems based on results from the lookup;

in response to the determination, build a token request based on the received request;

download, from a policy administration point (PAP), at least one security policy and at least one public key, the at least one security policy and the at least one public key associated with the system identifier;

correlate the token request to the at least one security policy and the at least one public key;

generate an access token in response to the token request, wherein the access token is included in an authorization request;

invoke the service using the authorization request;

validate the access token using the at least one security policy and the at least one public key; and

authorize access to the service in response to the validation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security control (SC) system including one or more security control (SC) computing devices for automating security controls between computer networks is provided. The SC system is configured to receive a request to access a service including a system identifier that identifies a computer system requesting access to a service controlled by the one or more SC computing devices, build a token request based on the request, and correlate the token request to at least one security policy associated with the system identifier. The SC system is also configured to generate an access token in response to the token request, wherein the access token is included in an authorization request, and invoke the service using the authorization request. The SC system is further configured to validate the access token using the at least one security policy and authorize access to the service based on the at least one security policy.

15 Citations

18 Claims

1. A security control (SC) system comprising one or more security control (SC) computing devices for automating security controls between computer networks, the one or more SC computing devices comprising at least one processor and a memory, the SC system configured to:
- generate, using a declared dependency graph, a network topology based on service metadata identifying zones of the computer networks;
  
  identify one or more computer systems included in the computer networks based on the network topology, wherein the identified one or more computer systems are one or more non-privileged access computer systems that do not require privileged access to a service controlled by the one or more SC computing devices;
  
  receive a request to access the service including a system identifier, the system identifier identifies a candidate computer system requesting access to the service;
  
  perform a lookup in the network topology for the candidate computer system;
  
  determine that the candidate computer system is not one of the one or more non-privileged access computer systems based on results from the lookup;
  
  in response to the determination, build a token request based on the received request;
  
  download, from a policy administration point (PAP), at least one security policy and at least one public key, the at least one security policy and the at least one public key associated with the system identifier;
  
  correlate the token request to the at least one security policy and the at least one public key;
  
  generate an access token in response to the token request, wherein the access token is included in an authorization request;
  
  invoke the service using the authorization request;
  
  validate the access token using the at least one security policy and the at least one public key; and
  
  authorize access to the service in response to the validation.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The SC system of claim 1 further configured to monitor a time stamp included in the access token.
  - 3. The SC system of claim 2 further configured to deny access to the service when the time stamp meets a predefined threshold.
  - 4. The SC system of claim 3 further configured to renew access to the service when the time stamp meets the predefined threshold and the at least one security policy enables to renew access to the service.
  - 5. The SC system of claim 1 further configured to generate the access token and encrypt the access token based on the at least one security policy.
  - 6. The SC system of claim 1 further configured to store data included in the access token in a database, wherein the database is in communication with the SC system.

7. A computer-implemented method for automating security controls between computer networks, the method implemented using one or more security control (SC) computing devices coupled to a memory device, the method comprising:
- generating, using a declared dependency graph, a network topology based on service metadata identifying zones of the computer networks;
  
  identifying one or more computer systems included in the computer networks based on the network topology, wherein the identified one or more computer systems are one or more non-privileged access computer systems that do not require privileged access to a service controlled by the one or more SC computing devices;
  
  receiving a request to access the service including a system identifier, the system identifier identifies a candidate computer system requesting access to the service;
  
  performing a lookup in the network topology for the candidate computer system;
  
  determining that the candidate computer system is not one of the one or more non-privileged access computer systems based on results from the lookup;
  
  in response to the determination, building a token request based on the received request;
  
  downloading, from a policy administration point (PAP), at least one security policy and at least one public key, the at least one security policy and the at least one public key associated with the system identifier;
  
  correlating the token request to the at least one security policy and the at least one public key;
  
  generating an access token in response to the token request, wherein the access token is included in an authorization request;
  
  invoking the service using the authorization request;
  
  validating the access token using the at least one security policy and the at least one public key; and
  
  authorizing access to the service in response to the validation.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7 further comprising monitoring a time stamp included in the access token.
  - 9. The method of claim 8 further comprising denying access to the service when the time stamp meets a predefined threshold.
  - 10. The method of claim 9 further comprising renewing access to the service when the time stamp meets the predefined threshold and the at least one security policy enables to renew access to the service.
  - 11. The method of claim 7 further comprising generating the access token and encrypt the access token based on the at least one security policy.
  - 12. The method of claim 7 further comprising storing data included in the access token in a database, wherein the database is in communication with the one or more SC computing devices.

13. A non-transitory computer-readable medium that includes computer-executable instructions for automating security controls between computer networks, wherein when executed by one or more security control (SC) computing devices comprising at least one processor in communication with at least one memory device, the computer-executable instructions cause the one or more SC computing devices to:
- generate, using a declared dependency graph, a network topology based on service metadata identifying zones of the computer networks;
  
  identify one or more computer systems included in the computer networks based on the network topology, wherein the identified one or more computer systems are one or more non-privileged access computer systems that do not require privileged access to a service controlled by the one or more SC computing devices;
  
  receive a request to access the service including a system identifier, the system identifier identifies a candidate computer system requesting access to service;
  
  perform a lookup in the network topology for the candidate computer system;
  
  determine that the candidate computer system is not one of the one or more non-privileged access computer systems based on results from the lookup;
  
  in response to the determination, build a token request based on the received request;
  
  download, from a policy administration point (PAP), at least one security policy and at least one public key, the at least one security policy and the at least one public key associated with the system identifier;
  
  correlate the token request to the at least one security policy and the at least one public key;
  
  generate an access token in response to the token request, wherein the access token is included in an authorization request;
  
  invoke the service using the authorization request;
  
  validate the access token using the at least one security policy and the at least one public key; and
  
  authorize access to the service in response to the validation.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-readable medium of claim 13 wherein the computer-executable instructions further cause the one or more SC computing devices monitor a time stamp included in the access token.
  - 15. The computer-readable medium of claim 14 wherein the computer-executable instructions further cause the one or more SC computing devices to deny access to the service when the time stamp meets a predefined threshold.
  - 16. The computer-readable medium of claim 15 wherein the computer-executable instructions further cause the one or more SC computing devices to renew access to the service when the time stamp meets the predefined threshold and the at least one security policy enables to renew access to the service.
  - 17. The computer-readable medium of claim 13 wherein the computer-executable instructions further cause the one or more SC computing devices to generate the access token and encrypt the access token based on the at least one security policy.
  - 18. The computer-readable medium of claim 13 wherein the computer-executable instructions further cause the one or more SC computing devices to store data included in the access token in a database, wherein the database is in communication with the one or more SC computing devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Original Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Inventors
Sahraei, Sasan, Sidhu, Navjot S., Alger, Eric G., Zhang, Jenny Qian
Primary Examiner(s)
Li, Meng

Application Number

US15/675,524
Publication Number

US 20190052621A1
Time in Patent Office

1,026 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

Systems and methods for automating security controls between computer networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for automating security controls between computer networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links