Enterprise environment analysis

US 20070061125A1
Filed: 10/31/2005
Published: 03/15/2007
Est. Priority Date: 08/12/2005
Status: Abandoned Application

First Claim

Patent Images

1. A system for analyzing an enterprise environment, comprising:

a modeling module that determines possible accesses to enterprise network services from a plurality of entities; and

a validation module that determines whether a possible access to an enterprise service by a particular entity violates an enterprise policy, the enterprise policy governing which entities are authorized to access one or more enterprise services.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure provide systems and methods for analyzing an enterprise environment. Briefly described, one embodiment of the system for analyzing an enterprise environment comprises a modeling module that determines possible accesses to enterprise network services from a plurality of entities; and a validation module that determines whether a possible access to an enterprise service by a particular entity violates an enterprise policy, the enterprise policy governing which entities are authorized to access one or more enterprise services.

Citations

41 Claims

1. A system for analyzing an enterprise environment, comprising:
- a modeling module that determines possible accesses to enterprise network services from a plurality of entities; and
  
  a validation module that determines whether a possible access to an enterprise service by a particular entity violates an enterprise policy, the enterprise policy governing which entities are authorized to access one or more enterprise services.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the modeling module determines the possible accesses by considering configuration parameters of enterprise environment components.
  - 3. The system of claim 1, wherein the validation module compares the possible accesses against a set of enterprise policies, wherein the set of enterprise policies are positive and negative requirements for accessibility of services to enterprise entities.
  - 4. The system of claim 1, wherein the validation module reports policy violations to a system administrator.
  - 5. The system of claim 1, wherein the validation module computes configuration changes to restore compliance with an enterprise policy after violations are determined.
  - 6. The system of claim 5, wherein the validation module automatically changes the enterprise environment in accordance with the computer configuration changes.
  - 7. The system of claim 1, wherein the modeling module accepts input of configuration values and changes in existing configuration settings and enterprise policies such that the validation module determines whether current settings uphold current enterprise policies.
  - 8. The system of claim 1, wherein the validation module computes all the possible access paths that enterprise policy allows and blocks.
  - 9. The system of claim 1, wherein the validation module is configured to provide a choice of multiple compliant solutions to an administrator.
  - 10. The system of claim 1, wherein the validation module is configured to compute an impact of any change in a configuration setting to an enterprise policy without deploying the change.

11. A method for analyzing an enterprise environment, comprising the steps of:
- collecting configuration data from a collection of enterprise network components that characterize the enterprise environment;
  
  binding the configuration data of each enterprise network component to a model of that component; and
  
  computing a set of all possible accesses to the network components in the enterprise environment based on the configuration data and models.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, further comprising the steps of:
    - comparing the accesses to a stated enterprise policy, the enterprise policy governing which entities are authorized to access one or more enterprise network components; and
      
      generating a report that describes if the enterprise environment is in compliance with the stated enterprise policy.
  - 13. The method of claim 11, further comprising the step of:
    - generating new configurations to one or more network components that will return the enterprise environment to compliance.
  - 14. The method of claim 13, further comprising the step of:
    - pushing new configuration data out to the network components to achieve compliance.
  - 15. The method of claim 14, further comprising the step of:
    - after the pushing step, collecting configuration data again to confirm enterprise policy compliance.
  - 16. The method of claim 15, further comprising the step of:
    - if compliance is not confirmed, repeating the process of collecting configuration data and generating new configuration settings in an attempt to achieve compliance.
  - 17. The method of claim 11, further comprising the step of:
    - accepting data describing a vulnerability in an existing network component.
  - 18. The method of claim 17, wherein the computing step also considers vulnerability data in computing the possible accesses.
  - 19. The method of claim 17, further comprising the step of:
    - reporting whether violations are caused by the vulnerability.

20. A computer readable medium having a computer program for analyzing an enterprise environment, the program having instructions for performing the steps of:
- collecting configuration data from a collection of enterprise network components that characterize the enterprise environment;
  
  binding the configuration data of each enterprise network component to a model of that component; and
  
  computing a set of all possible accesses to network components in the enterprise environment based on the configuration data and models.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The computer readable medium of claim 20, the program further performing the steps of:
    - comparing the accesses to a stated enterprise policy, the enterprise policy governing which entities are authorized to access one or more enterprise network components; and
      
      generating a report that describes if the enterprise environment is in compliance with the stated enterprise policy.
  - 22. The computer readable medium of claim 20, the program further performing the steps of:
    - generating new configurations to one or more network components that will return the enterprise environment to compliance.
  - 23. The computer readable medium of claim 22, the program further performing the step of:
    - pushing new configuration data out to the network components to achieve compliance.
  - 24. The computer readable medium of claim 23, the program further performing the step of:
    - after the pushing step, collecting configuration data again to confirm enterprise policy compliance.
  - 25. The computer readable medium of claim 24, the program further performing the step of:
    - if compliance is not confirmed, repeating the process of collecting configuration data and generating new configuration settings in an attempt to achieve compliance.
  - 26. The computer readable medium of claim 20, the program further performing the step of:
    - accepting data describing a vulnerability in an existing network component.
  - 27. The computer readable medium of claim 26, wherein the computing step also considers vulnerability data in computing the possible accesses.
  - 28. The computer readable medium of claim 26, the program further performing the step of:
    - reporting whether violations are caused by the vulnerability.

29. A method for analyzing a proposed enterprise environment, comprising the steps of:
- receiving a list of network components that are included in the proposed enterprise environment;
  
  receiving configuration values for the network components;
  
  receiving a set of enterprise policies that govern which entities are authorized to access the network components;
  
  detecting if the configuration values of the network components allow an enterprise policy to be violated; and
  
  providing an example violation that may occur if an enterprise policy violation has been detected.
- View Dependent Claims (30, 31)
- - 30. The method of claim 29, further comprising:
    - changing at least one configuration setting after detection of the enterprise policy violation; and
      
      determining if the change brings the proposed enterprise environment in compliance with the set of enterprise policies.
  - 31. The method of claim 29, further comprising:
    - changing at least one enterprise policy after detection of the enterprise policy violation; and
      
      determining if the change brings the current configuration settings in compliance with the new set of enterprise policies.

32. A system for analyzing an enterprise environment, comprising:
- means for determining possible accesses to enterprise network services from a plurality of entities; and
  
  means for determining whether a possible access to an enterprise service by a particular entity violates an enterprise policy, the enterprise policy governing which entities are authorized to access one or more enterprise services.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 33. The system of claim 32, wherein the possible accesses are determined by considering configuration parameters of enterprise environment components.
  - 34. The system of claim 32, wherein the possible accesses are compared against a set of enterprise policies, wherein the set of enterprise policies are positive and negative requirements for accessibility of services to enterprise entities.
  - 35. The system of claim 32, wherein policy violations are reported to a system administrator.
  - 36. The system of claim 32, wherein configuration changes are computed to restore compliance with an enterprise policy after violations are determined.
  - 37. The system of claim 32, wherein the enterprise environment is automatically changed in accordance with the computer configuration changes.
  - 38. The system of claim 32, wherein input of configuration values and changes in existing configuration settings and enterprise policies are accepted and sued to determine whether current settings uphold current enterprise policies.
  - 39. The system of claim 32, wherein all possible access paths that enterprise policy allows and blocks are computed.
  - 40. The system of claim 32, wherein a choice of multiple compliant solutions is provided to an administrator.
  - 41. The system of claim 32, wherein an impact of any change in a configuration setting to an enterprise policy without deploying the change is computed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Horne, William, Rao, Prasad, Bhatt, Sandeep, Rajagopalan, Siva, Pato, Joseph

Application Number

US11/263,014
Publication Number

US 20070061125A1
Time in Patent Office

Days
Field of Search
US Class Current

703/20
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/1433   Vulnerability analysis

Enterprise environment analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Enterprise environment analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links