Automatic management of storage access control

US 20060277184A1
Filed: 10/25/2005
Published: 12/07/2006
Est. Priority Date: 06/07/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling data storage access in an organization having users of a file system, said file system having storage elements, comprising the steps of:

recording accesses of said users to said storage elements and deriving respective access profiles from said recorded accesses;

biclustering said users and said storage elements to define user clusters and data clusters, respectively, wherein said access profiles of said users in said user clusters are mutually similar, and said storage elements in said data clusters are accessed only by ones of said users having mutually similar said access profiles; and

responsively to said step of biclustering, defining a control policy for access to said storage elements by said users.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for defining and creating an automatic file security policy and a semi-automatic method of managing file access control in organizations with multiple diverse access control models and multiple diverse file server protocols. The system monitors access to storage elements within the network. The recorded data traffic is analyzed to assess simultaneous data access groupings and user groupings, which reflect the actual organizational structure. The learned structure is then transformed into a dynamic file security policy, which is constantly adapted to organizational changes over time. The system provides a decision assistance interface for interactive management of the file access control and for tracking abnormal user behavior.

138 Citations

22 Claims

1. A method for controlling data storage access in an organization having users of a file system, said file system having storage elements, comprising the steps of:
- recording accesses of said users to said storage elements and deriving respective access profiles from said recorded accesses;
  
  biclustering said users and said storage elements to define user clusters and data clusters, respectively, wherein said access profiles of said users in said user clusters are mutually similar, and said storage elements in said data clusters are accessed only by ones of said users having mutually similar said access profiles; and
  
  responsively to said step of biclustering, defining a control policy for access to said storage elements by said users.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein said control policy permits access by one of said users to said storage elements of one of said data clusters, only if at least one of said storage elements in said one data cluster has been accessed by said one user.
  - 3. The method according to claim 1, wherein said control policy permits access by said users of one of said user clusters to said storage elements of one of said data clusters, only if at least one of said storage elements in said one data cluster has been accessed by at least one of said users of said one user cluster.
  - 4. The method according to claim 1, further comprising the step of deriving a structure of said file system responsively to said step of biclustering.
  - 5. The method according to claim 1, further comprising the step of deriving patterns of usage of said file system by said users responsively to said step of biclustering.
  - 6. The method according to claim 5, further comprising the step of detecting aberrant ones of said patterns of usage.
  - 7. The method according to claim 1, wherein said step of biclustering is performed iteratively, wherein said access profiles are redetermined at each iteration thereof, and said control policy is updated following each said iteration.
  - 8. The method according to claim 1, wherein said step of defining a control policy comprises the steps of:
    - proposing a tentative version of said control policy;
      
      monitoring subsequent accesses to said storage elements by said users;
      
      determining that said subsequent accesses are in accordance with said tentative version of said control policy; and
      
      responsively to said step of determining approving said tentative version as a definitive version of said control policy.
  - 9. The method according to claim 1, further comprising the step of interactively modifying said control policy.
  - 10. The method according to claim 1, wherein said step of defining a control policy is performed automatically and substantially without human intervention.
  - 11. The method according to claim 1, further comprising the steps of:
    - referencing an access control list comprising at least one user set of said users and at least one data set of said storage elements, said users of said user set being included in respective ones of said user clusters, and said storage elements of said data set being included in respective ones of said data clusters;
      
      detecting an absence of accesses by members of said respective user clusters to members of said respective data clusters, and responsively to said step of detecting removing at least a portion of said users from said user set and removing at least a portion of said storage elements from said data set.

12. A computer software product, including a computer-readable medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to perform a method for controlling data storage access in an organization having users of a file system, said file system having storage elements,comprising the steps of:
- recording accesses of said users to said storage elements and deriving respective access profiles from said recorded accesses;
  
  biclustering said users and said storage elements to define user clusters and data clusters, respectively, wherein said access profiles of said users in said user clusters are mutually similar, and said storage elements in said data clusters are accessed only by ones of said users having mutually similar said access profiles; and
  
  responsively to said step of biclustering, defining a control policy for access to said storage elements by said users.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer software product according to claim 12, wherein said control policy permits access by one of said users to said storage elements of one of said data clusters, only if at least one of said storage elements in said one data cluster has been accessed by said one user.
  - 14. The computer software product according to claim 12, wherein said control policy permits access by said users of one of said user clusters to said storage elements of one of said data clusters, only if at least one of said storage elements in said one data cluster has been accessed by at least one of said users of said one user cluster.
  - 15. The computer software product according to claim 12, wherein said step of biclustering is performed iteratively, wherein said access profiles are redetermined at each iteration thereof, and said control policy is updated following each said iteration.
  - 16. The computer software product according to claim 12, wherein said step of defining a control policy comprises the steps of:
    - proposing a tentative version of said control policy;
      
      monitoring subsequent accesses to said storage elements by said users;
      
      determining that said subsequent accesses are in accordance with said tentative version of said control policy; and
      
      responsively to said step of determining approving said tentative version as a definitive version of said control policy.
  - 17. The computer software product according to claim 12, further comprising the steps of:
    - referencing an access control list comprising at least one user set of said users and at least one data set of said storage elements, said users of said user set being included in respective ones of said user clusters, and said storage elements of said data set being included in respective ones of said data clusters;
      
      detecting an absence of accesses by members of said respective user clusters to members of said respective data clusters, and responsively to said step of detecting removing at least a portion of said users from said user set and removing at least a portion of said storage elements from said data set.

18. An apparatus for controlling data storage access in an organization having users of a file system, said file system having storage elements, comprising a computer system operative to perform the steps of:
- recording accesses of said users to said storage elements and deriving respective access profiles from said recorded accesses;
  
  biclustering said users and said storage elements to define user clusters and data clusters, respectively, wherein said access profiles of said users in said user clusters are mutually similar, and said storage elements in said data clusters are accessed only by ones of said users having mutually similar said access profiles; and
  
  responsively to said step of biclustering, defining a control policy for access to said storage elements by said users.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The apparatus according to claim 18, wherein said control policy permits access by one of said users to said storage elements of one of said data clusters, only if at least one of said storage elements in said one data cluster has been accessed by said one user.
  - 20. The apparatus according to claim 18, wherein said control policy permits access by said users of one of said user clusters to said storage elements of one of said data clusters, only if at least one of said storage elements in said one data cluster has been accessed by at least one of said users of said one user cluster.
  - 21. The apparatus according to claim 18, wherein said step of defining a control policy comprises the steps of:
    - proposing a tentative version of said control policy;
      
      monitoring subsequent accesses to said storage elements by said users;
      
      determining that said subsequent accesses are in accordance with said tentative version of said control policy; and
      
      responsively to said step of determining approving said tentative version as a definitive version of said control policy.
  - 22. The apparatus according to claim 18, wherein said step of defining a control policy comprises the steps of:
    - referencing an access control list comprising at least one user set of said users and at least one data set of said storage elements, said users of said user set being included in respective ones of said user clusters, and said storage elements of said data set being included in respective ones of said data clusters;
      
      detecting an absence of accesses by members of said respective user clusters to members of said respective data clusters, and responsively to said step of detecting removing at least a portion of said users from said user set and removing at least a portion of said storage elements from said data set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Varonis Systems, Inc.
Original Assignee
Varonis Systems Ltd. (Varonis Systems, Inc.)
Inventors
Faitelson, Yakov, Korkus, Ohad, Goldberger, Jacob

Granted Patent

US 7,606,801 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06Q 20/382   insuring higher security of...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99939   Privileged access

Y10S 707/99945   Object-oriented database st...

Automatic management of storage access control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

138 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic management of storage access control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links