Process for removing stale users, accounts and entitlements from a networked computer environment

US 20060015930A1
Filed: 07/15/2004
Published: 01/19/2006
Est. Priority Date: 07/15/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for collecting, presenting to stake-holders, reviewing and cleansing data about users and their entitlements in a networked computer environment, called access certification, comprising the steps of:

(a) Periodically constructing an inventor, of login IDs by extracting this data from the internal user profile databases of a number of networked computer systems. (b) Periodically constructing an inventory of entitlements by extracting group membership and security attribute data from the internal user profile databases of some or all of the abovementioned networked computer systems. (c) Constructing a list of users by merging login IDs from one or more systems of record. (d) Identifying managers in the above mentioned list of users, by referring to an electronic representation of an organization chart, to identify users with one or more subordinates. (e) Checking the review status of each manager. At least three status codes are required;

unprompted, prompted and completed. (f) Sending electronic notification to unprompted managers, and reminders to prompted managers, requesting them to sign into an access certification application and to review the users, accounts and entitlements of their subordinates. (g) Authenticating managers when they sign in by accepting their login ID and password to some system of record, and requesting that system to check those values. (h) Displaying to each manager a list of their subordinates, login accounts and other user objects associated with each of their subordinates, and entitlements associated with each login account or user object, and asking each manager to identify suspicious or erroneous users, accounts and entitlements in the list. Conversely, managers may be asked to identify reasonable users, accounts and entitlements in the list, so that suspicious or erroneous ones can be inferred. (i) Displaying to each manager the review status of each of their subordinate managers, so that each manager will communicate with and cause their subordinate managers to complete the process as well. (j) Prompting each manager with no subordinate managers, upon completion of his/her review, to review the text of a legal agreement validating completion of the review process, and to electronically sign that legal agreement by re-authenticating (as in step 1g). (k) Prompting each manager whose subordinate managers have no subordinate managers of their own, and who have completed step 1j, upon completion of his/her review, to review the text of a legal agreement validating completion of the review process, and to electronically sign that legal agreement by re-authenticating (as in step 1g). (l) Repeating step 1k by traversing the organization chart from bottom to top, until at last all managers except the very top one have completed step 1k, and the top manager (e.g., in a private corporation typically the CFO or CEO) can certify the appropriateness of the users, accounts and entitlements of the people who report directly to him, and also can offer some assurance that every other manager in the organization has done likewise.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for collecting, presenting to stake-holders, reviewing and cleansing data about users and their entitlements in a networked computer environment, called access certification, is presented. This method begins with automated prompts sent to stake-holders, such as managers or application owners, asking them to review a list of their subordinates or users. Stake-holders are required to either certify or mark for later deletion each user. Next, stake-holders review the detailed security entitlements of each subordinate or user, again either certifying or flagging for deletion each item. Finally, stake-holders are asked to provide an electronic signature, indicating completion of their review process. To motivate stake-holder completion of the process, and to roll-up results across an organization, stake-holders are prevented from completing the signature step until all subordinate stake-holders have likewise completed. The present invention provides a feasible method for identifying and eliminating user accounts that are either no longer needed by their owners, or belong to owners who are no longer legitimate users of an organization'"'"'s computer systems. The same method is used to identify and eliminate entitlements assigned to users who no longer need them. Removal of such stale, obsolete or incorrect users, login accounts, user objects, group memberships and security, entitlements is essential in order to reduce the security exposure (attack surface) posed by excessive privileges and unused accounts, and to comply with government and other regulations stipulating effective internal controls, especially over financial data, and computer security best practices.

Citations

28 Claims

1. A method for collecting, presenting to stake-holders, reviewing and cleansing data about users and their entitlements in a networked computer environment, called access certification, comprising the steps of:
- (a) Periodically constructing an inventor, of login IDs by extracting this data from the internal user profile databases of a number of networked computer systems. (b) Periodically constructing an inventory of entitlements by extracting group membership and security attribute data from the internal user profile databases of some or all of the abovementioned networked computer systems. (c) Constructing a list of users by merging login IDs from one or more systems of record. (d) Identifying managers in the above mentioned list of users, by referring to an electronic representation of an organization chart, to identify users with one or more subordinates. (e) Checking the review status of each manager. At least three status codes are required;
  
  unprompted, prompted and completed. (f) Sending electronic notification to unprompted managers, and reminders to prompted managers, requesting them to sign into an access certification application and to review the users, accounts and entitlements of their subordinates. (g) Authenticating managers when they sign in by accepting their login ID and password to some system of record, and requesting that system to check those values. (h) Displaying to each manager a list of their subordinates, login accounts and other user objects associated with each of their subordinates, and entitlements associated with each login account or user object, and asking each manager to identify suspicious or erroneous users, accounts and entitlements in the list. Conversely, managers may be asked to identify reasonable users, accounts and entitlements in the list, so that suspicious or erroneous ones can be inferred. (i) Displaying to each manager the review status of each of their subordinate managers, so that each manager will communicate with and cause their subordinate managers to complete the process as well. (j) Prompting each manager with no subordinate managers, upon completion of his/her review, to review the text of a legal agreement validating completion of the review process, and to electronically sign that legal agreement by re-authenticating (as in step 1g). (k) Prompting each manager whose subordinate managers have no subordinate managers of their own, and who have completed step 1j, upon completion of his/her review, to review the text of a legal agreement validating completion of the review process, and to electronically sign that legal agreement by re-authenticating (as in step 1g). (l) Repeating step 1k by traversing the organization chart from bottom to top, until at last all managers except the very top one have completed step 1k, and the top manager (e.g., in a private corporation typically the CFO or CEO) can certify the appropriateness of the users, accounts and entitlements of the people who report directly to him, and also can offer some assurance that every other manager in the organization has done likewise.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method as set forth in claim 1, wherein at step 1a the inventory of login IDs extracted from each system is in the form of a list, where each list entrap consists of a unique system identifier plus a user identifier unique within that system.
  - 3. The method as set forth in claim 1 wherein at step 1a a variety of means may be used to extract the login ID inventory from each system, including:
    - (a) Use of an application programming interface (API) native to that system, (b) Installation of a specially constructed agent directly on that system, (c) Communication between the system executing the process described herein (hereinafter referred to as the identity management server), and the managed system, using an intermediate or proxy server. (d) Execution of some software or script directly on the managed system, with the resulting list placed in a file, and transferred to the identity management server.
  - 4. The method as set forth in claim 1, wherein at step 1b the inventory of user entitlements and user/group memberships extracted from each system is in the form of a list, where each list entry consists either of a unique system identifier plus a user identifier unique within that system and a group identifier unique within that system, or else a unique system identifier plus a user identifier unique within that system and a code uniquely specifying an entitlement within that system.
  - 5. The method as set forth in claim 1, wherein at step 1b the same variety of means may be used to extract user/group memberships and user entitlements from each system, as those described in step 3.
  - 6. The method as set forth in claim 1, wherein at step 1c each user profile is represented as a globally unique user identifier, a list of attributes that hold either globally or locally to some target system, a list of system identifier/login identifier pairs enumerating every system on which the user in question has an account or a user object, and a list of additional globally unique user identifiers, representing the subordinates who report to the first user in the organization.
  - 7. The method as set forth in claim 1, wherein at step 1c the attributes of each user either contain or may be used to calculate contact information for every user profile. For example, a login ID on a primary network login system may be used to contact a user by opening a web browser during that user'"'"'s network login sequence. Alternately, an e-mail address can be used to contact a user by sending that user an electronic mail message.
  - 8. The method as set forth in claim 1, wherein at step 1d every user profile is classified as either being a manager or not, depending on whether that user'"'"'s profile contains the globally unique identifiers of one or more subordinates, or not, respectively.
  - 9. The method as set forth in claim 1, wherein at step 1e every user profile is assigned a status code, or state. Initially, all user profiles are flagged as “
    - unprompted.”
      
      As subsequent steps are executed, the status assigned to any given user profile may, be changed to “
      
      prompted”
      
      or “
      
      completed.”
      
      Other status codes, such as “
      
      late”
      
      or “
      
      reminded,”
      
      may also be used to streamline the use of the method, but are not strictly required.
  - 10. The method as set forth in claim 1, wherein at step 1f notification sent to the user include a reference or link to the program the user must access to proceed to step 1g. This reference may, take manta forms, including that of an embedded uniform resource locator (URL).
  - 11. The method as set forth in claim 1, wherein at step 1f the frequency with which any given user is reminded to complete the process can be limited, so that the process does not become a nuisance to users.
  - 12. The method as set forth in claim 1, wherein at step 1f the total number of requests to complete the process sent to users per iteration of the process is limited, so that the process does not become an undue burden to the electronic communication infrastructure.
  - 13. The method as set forth in claim 1, wherein step 1f is executed at least once, but may be repeated numerous times—
    - e.g., once per day or even more often, over the course of weeks or months.
  - 14. The method as set forth in claim 1, wherein at step 1f notification sent to the user that registration is requested may take the form of any electronic communication, including electronic mail.
  - 15. The method as set forth in claim 1, wherein at step 1f some subset (and possibly all) of the users whose profiles have a status code of “
    - unprompted”
      
      are contacted by the software executing the method, and asked (prompted) to respond by authenticating to the system (as described in step 1g) and review the identities and entitlements of their subordinates (as described in step 1h).
  - 16. The method as set forth in claim 1, wherein at step 1f, after initial contact with each user, that user'"'"'s status code is changed from “
    - unprompted”
      
      to “
      
      prompted.”
  - 17. The method as set forth in claim 1, wherein at step 1f, additional contact may be made with some users, depending on the specific implementation and use of other status codes. For example, users who have been previously contacted (and so whose status code is “
    - prompted”
      
      ) but who have not responded in a timely fashion, may be contacted again, and have their status changed from “
      
      prompted”
      
      to “
      
      reminded.”
      
      Similarly, one or more managers of users whose status code is already set to “
      
      reminded”
      
      or other people, whose identity depends on implementation details, may be contacted in lieu of an unresponsive user, and a status code of “
      
      escalated to another user'"'"'s login ID”
      
      may be assigned in the unresponsive user'"'"'s profile.
  - 18. The method as set forth in claim 1, wherein at step 1g the user may be authenticated, proving his/her identity, using a number of alternative means, including:
    - (a) Typing his/her own network login ID and password. (b) Typing his/her own application login ID and password. (c) Using a cryptographic certificate, stored in hardware (e.g., a smart card) or software (e.g., on a computer workstation, perhaps in the operating system or web browser) (d) Using a hardware authentication tokens (e.g., one that uses a challenge/response algorithm or one that displays a new pseudo-random number every few seconds or minutes). (e) Providing a biometric sample (finger print, iris scan, voice print, etc.) (f) Answering one or more personal questions. (g) Any combination of the above authentication factors.
  - 19. The method as set forth in claim 1, wherein at steps 1h and 1j the computer program executing the method displays to the user (who authenticated in step 1g) a list of that user'"'"'s subordinates, a list of each subordinate'"'"'s login accounts and user objects, and a list of entitlements and group memberships associated on computer systems with each of those login accounts and entitlements.
  - 20. The method as set forth in claim 1, wherein at steps 1h and 1i the computer program executing the method indicates to the user (who authenticated in step 1g) which of his/her subordinates are themselves managers (by virtue of having their own subordinates), and the status of each of those managers (e.g., unprompted, prompted, reminded) and possibly other status codes (e.g., “
    - reminded,”
      
      “
      
      started but not completed,”
      
      “
      
      escalated,”
      
      etc.).
  - 21. The method as set forth in claim 1, wherein at step 1h each authenticated manager is required to indicate which of the users, accounts or objects, and group memberships or entitlements appear to be obsolete—
    - the user in question is no longer a valid user of any system, or the account in question is no longer relevant to the user'"'"'s responsibilities, or the entitlement in question is no longer relevant to the user'"'"'s responsibilities.
  - 22. The method as set forth in claim 1, wherein at step 1h, conversely to the above, each authenticated manager maw indicate which of the users, accounts or entitlements are still appropriate, rather than identifying those that appear to be no longer correct.
  - 23. The method as set forth in claim 1 wherein at step 1h, every user, account or entitlement that has been flagged as inappropriate, obsolete or otherwise incorrect by a manager may either be directly removed from the computer systems in question, or else a review/approvals workflow process may, be initiated, whereby appropriate stakeholders in the organization (who may themselves be higher level managers, system openers, security administrators, etc.) must first review the indicated change and approve it before it is finally applied to the computer systems in question.
  - 24. The method as set forth in claim 1, wherein at steps 1h and 1i each manager is expected or may be required to follow up with his/her subordinate managers, to expedite their completion of the process.
  - 25. The method as set forth in claim 1, wherein at step 1h each manager may be unable to complete his/her own review until all of his/her subordinate managers have completed their own reviews, of their own subordinates, and in turn their subordinate managers have completed their own reviews, etc. In other words, a manager may be unable to complete his/her own review of users, accounts and entitlements until all subordinate managers, regardless of how many steps down the organization chart they are from him, have also completed their own reviews.
  - 26. The method as set forth in claim 1, wherein at step 1j a manager with no subordinates can complete the review by reading legally binding text reaffirming completion of his/her review, and providing an electronic signature, such as a validated password to indicate acceptance of that legally binding text.
  - 27. The method as set forth in claim 1, wherein at step 1k a manager either with no subordinates or all of whose subordinates, and their subordinates in turn, have completed their own reviews and have completed step 1j, can complete his/her own review by reading legally binding text reaffirming completion of his/her review, and providing an electronic signature, such as a validated password to indicate acceptance of that legally binding text.
  - 28. The method as set forth in claim 1, wherein at step 1l completed reviews flow from the lowest level managers, one level of management at a time, up the organization tree, until at last all managers have completed the review process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
M-Tech Information Technology, Inc. (Hitachi, Ltd.)
Original Assignee
M-Tech Information Technology, Inc. (Hitachi, Ltd.)
Inventors
Shoham, Idan

Application Number

US10/890,902
Publication Number

US 20060015930A1
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

Process for removing stale users, accounts and entitlements from a networked computer environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Process for removing stale users, accounts and entitlements from a networked computer environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links