Dynamic Network Identity and Policy management
Abstract
Network policies are managed based at least in-part on user/entity identity information with: a state monitor operable to monitor for state change events in user/entity state and related, network state or in traffic pattern and traffic flow state; an identity manager operable to obtain and validate user credentials; and a policy manager operable in response to a state change event detected by the state monitor (either the identity manager or a defense center) to select a policy based in-part on the user identity obtained by the identity manager or security context obtained by the defense center, and to prompt application of the selected policy. The policies are indicative of user/device authorization entitlements and restrictions to utilization of certain network resources, network services or applications. Dynamic policy selection and targeted responses can be used, for example, against a user who gains network access with stolen user ID and password, and subsequently attempts malicious behavior. In particular, the malicious behavior is detected and identified, and the malicious user can then be restricted from abusing network resources without adversely affecting other users, groups, network devices, and other network services.
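To make the control loop in the abstract concrete, here is an added illustration (not code from the patent or any product it covers) of a policy manager that receives state change events from an identity manager and a defense center, selects a policy from user identity and security context, and applies it to one user only. Event kinds, roles, the severity threshold and the quarantine entitlement are all assumptions made up for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical entitlement table: role -> network resources/services the role may use.
ROLE_ENTITLEMENTS = {
    "employee": {"email", "file_share", "intranet"},
    "contractor": {"email", "intranet"},
}
QUARANTINE = {"remediation_portal"}  # assumed: what a flagged user keeps
THREAT_THRESHOLD = 7                 # assumed severity at which the policy changes

@dataclass
class Event:
    source: str   # "identity_manager" or "defense_center"
    kind: str     # "login", "logout" or "threat"
    user: str
    context: dict = field(default_factory=dict)  # role, credentials_valid, severity ...

@dataclass
class PolicyManager:
    sessions: dict = field(default_factory=dict)  # user -> session context
    enforced: dict = field(default_factory=dict)  # user -> allowed resources

    def select_policy(self, ev: Event) -> Optional[set]:
        """Select a policy for one state change event; None means keep the current one."""
        if ev.source == "identity_manager" and ev.kind == "login":
            if not ev.context.get("credentials_valid"):
                return set()  # validation failed: no entitlements at all
            self.sessions[ev.user] = dict(ev.context)
            return set(ROLE_ENTITLEMENTS.get(ev.context.get("role"), set()))
        if ev.source == "identity_manager" and ev.kind == "logout":
            self.sessions.pop(ev.user, None)
            return set()
        if ev.source == "defense_center" and ev.kind == "threat":
            # Targeted response: only the flagged user is restricted, nobody else is touched.
            if ev.context.get("severity", 0) >= THREAT_THRESHOLD:
                self.sessions.setdefault(ev.user, {})["flagged"] = True
                return set(QUARANTINE)
            return None  # low severity: leave the existing policy in place
        return None

    def handle(self, ev: Event) -> None:
        policy = self.select_policy(ev)
        if policy is not None:
            self.enforced[ev.user] = policy  # stands in for prompting the enforcement point

    def allowed(self, user: str, resource: str) -> bool:
        return resource in self.enforced.get(user, set())

def run_scenario() -> PolicyManager:
    """Constructed scenario: two valid logins, then the defense center flags one session."""
    pm = PolicyManager()
    pm.handle(Event("identity_manager", "login", "alice", {"role": "employee", "credentials_valid": True}))
    pm.handle(Event("identity_manager", "login", "bob", {"role": "employee", "credentials_valid": True}))
    pm.handle(Event("defense_center", "threat", "alice", {"severity": 9}))
    pm.handle(Event("defense_center", "threat", "bob", {"severity": 2}))
    return pm
```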
14 Claims
1. Apparatus operable to manage network policies based at least in-part on identity comprising:

an authentication session manager operable to monitor for state change events in user state and related network state, and obtain and validate user credentials; and a policy manager operable in response to a state change event detected by the authentication session manager to select a policy based in-part on the user identity and related network information and security context obtained by the identity manager, and to prompt application of the selected policy, the policy being indicative of authorization entitlements and restrictions to utilization of certain network resources, whereby the policy is dynamically selected and enforced.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for managing network policies based at least in-part on identity context, comprising the steps of:

monitoring for state change events in user state and related network state with an identity manager's authentication session manager; obtaining and validating user credentials with the authentication session manager; in response to a state change event detected by the identity manager, notifying a policy manager, and prompting application of the corresponding policy, the policy being indicative of authorization entitlement and restrictions to utilization of certain network resources or network services, whereby the policy is dynamically selected and targeted for the network resource/network service/application.

Dependent claims: 9, 10, 11, 12, 13.
14. A method for managing network policies based at least in-part on state change context, comprising the steps of:

monitoring for state change events in traffic patterns and flows and related network state with either a defense center and threat protection systems/sensors or an environment state change monitor; notifying with state context a policy manager, and prompting application of the corresponding policy, the policy being indicative of authorization entitlement and restrictions to utilization of certain network resources or network services, whereby the policy is dynamically selected and targeted for the network resource/network service/application.