Automatic management of storage access control
Abstract
Methods and systems are provided for defining and creating an automatic file security policy and a semi-automatic method of managing file access control in organizations with multiple diverse access control models and multiple diverse file server protocols. The system monitors access to storage elements within the network. The recorded data traffic is analyzed to assess simultaneous data access groupings and user groupings, which reflect the actual organizational structure. The learned structure is then transformed into a dynamic file security policy, which is constantly adapted to organizational changes over time. The system provides a decision assistance interface for interactive management of the file access control and for tracking abnormal user behavior.
138 Citations
22 Claims
1. A method for controlling data storage access in an organization having users of a file system, said file system having storage elements, comprising the steps of:
recording accesses of said users to said storage elements and deriving respective access profiles from said recorded accesses;
biclustering said users and said storage elements to define user clusters and data clusters, respectively, wherein said access profiles of said users in said user clusters are mutually similar, and said storage elements in said data clusters are accessed only by ones of said users having mutually similar said access profiles; and
responsively to said step of biclustering, defining a control policy for access to said storage elements by said users.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A computer software product, including a computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to perform a method for controlling data storage access in an organization having users of a file system, said file system having storage elements, comprising the steps of:
recording accesses of said users to said storage elements and deriving respective access profiles from said recorded accesses;
biclustering said users and said storage elements to define user clusters and data clusters, respectively, wherein said access profiles of said users in said user clusters are mutually similar, and said storage elements in said data clusters are accessed only by ones of said users having mutually similar said access profiles; and
responsively to said step of biclustering, defining a control policy for access to said storage elements by said users.
Dependent claims: 13, 14, 15, 16, 17.

18. An apparatus for controlling data storage access in an organization having users of a file system, said file system having storage elements, comprising a computer system operative to perform the steps of:
recording accesses of said users to said storage elements and deriving respective access profiles from said recorded accesses;
biclustering said users and said storage elements to define user clusters and data clusters, respectively, wherein said access profiles of said users in said user clusters are mutually similar, and said storage elements in said data clusters are accessed only by ones of said users having mutually similar said access profiles; and
responsively to said step of biclustering, defining a control policy for access to said storage elements by said users.
Dependent claims: 19, 20, 21, 22.
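As an added illustration, not code from the patent or its assignee, the following Python sketches the steps of claim 1 and the abstract on a constructed access log: an access profile is derived per user, users with mutually similar profiles are merged into user clusters, the elements accessed only by one cluster's members form its data cluster, the resulting control policy grants each cluster access to exactly its own data cluster, and accesses the policy does not cover are reported as abnormal behaviour. The Jaccard similarity test with a 0.5 threshold, the union-find merging, and the sample users and paths are assumptions of this example, not details the patent specifies.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample access records (user, storage element); not real data.
ACCESS_LOG = [
    ("alice", "/fin/q1.xlsx"), ("alice", "/fin/q2.xlsx"), ("alice", "/fin/budget.xlsx"),
    ("bob", "/fin/q1.xlsx"), ("bob", "/fin/q2.xlsx"), ("bob", "/fin/budget.xlsx"),
    ("erin", "/fin/q1.xlsx"), ("erin", "/fin/q2.xlsx"),
    ("carol", "/eng/design.doc"), ("carol", "/eng/src.zip"),
    ("dave", "/eng/design.doc"), ("dave", "/eng/src.zip"),
    ("alice", "/shared/handbook.pdf"), ("carol", "/shared/handbook.pdf"),
]

def access_profiles(log):
    """Access profile per user: the set of storage elements the user touched."""
    profiles = defaultdict(set)
    for user, element in log:
        profiles[user].add(element)
    return dict(profiles)

def bicluster(profiles, threshold=0.5):
    """Merge similar users into user clusters (union-find).  A cluster's data cluster is
    the elements its members access and nobody outside it does; elements reached from
    several user clusters break the bicluster and are returned separately for review."""
    parent = {u: u for u in profiles}
    def find(u):
        while parent[u] != u:
            u = parent[u]
        return u
    for a, b in combinations(sorted(profiles), 2):
        pa, pb = profiles[a], profiles[b]
        if len(pa & pb) / len(pa | pb) >= threshold:  # Jaccard similarity (assumed metric)
            parent[find(a)] = find(b)
    members, owners = defaultdict(set), defaultdict(set)
    for u, elems in profiles.items():
        members[find(u)].add(u)
        for e in elems:
            owners[e].add(find(u))
    clusters = [(frozenset(ms), frozenset(e for e, o in owners.items() if o == {r}))
                for r, ms in members.items()]
    shared = frozenset(e for e, o in owners.items() if len(o) > 1)
    return clusters, shared

def derive_policy(clusters):
    """Control policy: a user may access exactly its cluster's data cluster."""
    return {u: elems for users, elems in clusters for u in users}

def abnormal_accesses(log, policy):
    """Accesses the derived policy does not cover: unknown users or out-of-cluster data."""
    return [(u, e) for u, e in log if e not in policy.get(u, frozenset())]
```

Elements returned in `shared` (here the handbook read by two departments) have no clean bicluster and are the kind of item the abstract leaves to the decision-assistance interface rather than to the automatic policy.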
Specification