PHYSICAL SECURITY TRIGGERED DYNAMIC NETWORK AUTHENTICATION AND AUTHORIZATION

US 20080271109A1
Filed: 04/25/2007
Published: 10/30/2008
Est. Priority Date: 04/25/2007
Status: Active Grant

First Claim

Patent Images

1. A system that facilitates management of information in a network, comprising:

a unified access control component that can generate and enforce one or more network access policies associated with the network; and

a dynamic authentication component that is associated with the unified access control component and, after a subset of network access privileges have been granted to the user, requests re-authentication of the user if at least one of network access information or physical location information, or a combination thereof, indicates a change in at least one of physical location or network access privileges, or a combination thereof.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A unified access control component (UACC) can maintain information relating to network access information and physical location information associated with respective users who may access a network that can include network resources (e.g., applications, information). The UACC can cross reference the network access information (e.g., user network access events, credentials, and policy) and physical location information (e.g., user physical access events, credentials, and policy) and can generate and enforce a unified network access policy based on network access information and physical location information associated with a particular user. After network access privileges have been granted to a user, the UACC can continue to monitor the user. The UACC can include a dynamic authentication component that can request a user re-authenticate if a change in the physical location and/or network access associated with the user is detected, such that a re-computation of network access privileges is desired.

Citations

20 Claims

1. A system that facilitates management of information in a network, comprising:
- a unified access control component that can generate and enforce one or more network access policies associated with the network; and
  
  a dynamic authentication component that is associated with the unified access control component and, after a subset of network access privileges have been granted to the user, requests re-authentication of the user if at least one of network access information or physical location information, or a combination thereof, indicates a change in at least one of physical location or network access privileges, or a combination thereof.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, the dynamic authentication component requests re-authentication if the change in at least one of physical location or network access privileges, or a combination thereof, is such that a subset of network access privileges associated with such change is different from the subset of network access privileges previously granted.
  - 3. The system of claim 1, the unified access control component generates one or more network access policies, and each respective network access policy can correspond to a respective subset of network access privileges that specifies particular information associated with the network that is available to be accessed by the user.
  - 4. The system of claim 3, each respective subset of network privileges is associated with a different security level associated with the information associated with the network.
  - 5. The system of claim 1, the network access information comprises information associated with at least one of a network access event, a network access credential, or a network access policy, or a combination thereof.
  - 6. The system of claim 1, the physical location information comprises information associated with at least one of a physical access event, a physical access credential, or a physical access policy, or a combination thereof.
  - 7. The system of claim 6, further comprising at least one access control device, the information associated with the physical access event is obtained from the at least one access control device that is placed at an ingress or egress point associated with at least one secure area of at least one facility.
  - 8. The system of claim 7, the at least one access control device is at least one of a card reader, a biometric reader, a keypad, or a location sensor, or a combination thereof.
  - 9. The system of claim 1, the electronic device comprises at least one of a computer, a personal digital assistant, a phone, a cellular phone, a smart phone, a copy machine, a television, a point-of-sale terminal, a manufacturing-related device, or a combination thereof.
  - 10. The system of claim 1, the unified access control component comprises one or more computers.
  - 11. The system of claim 1, the unified access control component generates a network access policy that corresponds to the network access information and physical location information.
  - 12. The system of claim 1, the unified access control component performs one of a suspension of network access or a termination of network access, if, after the network access privileges are granted, a change in physical location or network access is detected.

13. A method for managing access to resources in a network, comprising:
- monitoring at least one of network access information or physical access information, or a combination thereof, associated with a user who has been authenticated and granted access to a subset of the resources in the network; and
  
  dynamically requesting re-authentication of the user, if, after the user is granted access to the subset of the resources, a change is detected relating to at least one of network access information or physical access information, or a combination thereof, associated with the user.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, further comprising:
    - generating a network access policy;
      
      enforcing the network access policy; and
      
      downloading the network access policy.
  - 15. The method of claim 13, further comprising:
    - receiving a network access credential;
      
      referencing a list of network access credentials;
      
      comparing the received network access credential to the list of network access credentials;
      
      validating the received network access credential;
      
      referencing a list of network access policies; and
      
      enforcing a network access policy associated with the received network access credential;
  - 16. The method of claim 15, further comprising:
    - reading a physical access credential associated with the user;
      
      referencing a list of physical access credentials;
      
      comparing the physical access credential to the list of physical access credentials;
      
      validating the read physical access credential;
      
      referencing a list of physical access policies; and
      
      enforcing a physical access policy associated with the read physical access credential.
  - 17. The method of claim 16, further comprising:
    - determining a physical location of the user associated with the read physical access credential;
      
      determining a level of network access to be granted to the user based on the physical location of the user, where the physical location is associated with a first security level, the level of network access is associated with a first subset of the resources.
  - 18. The method of claim 13, further comprising:
    - detecting a change in the physical location of the user;
      
      re-authenticating the user;
      
      determining a different level of network access to be granted to the user based on the change in the physical location of the user, where the changed physical location is associated with a second security level, the different level of network access is associated with a second subset of the resources.

19. A system for managing access to information in a network, comprising:
- means for monitoring network access, associated with the network, of a user who has been previously authenticated and granted network access privileges to a subset of the information in the network;
  
  means for monitoring physical access associated with the user; and
  
  means for dynamically requesting re-authentication of the user upon detecting a change in at least one of physical access or network access, or a combination thereof, associated with the user.
- View Dependent Claims (20)
- - 20. The system of claim 19, further comprising:
    - means for generating a network access policy; and
      
      means for enforcing the network access policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bangalore, Manjunath S., Gopal, Prabandham Madan, Singh, Amit, Krishnan, Raman Shankara

Granted Patent

US 8,549,584 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/102 Entity profiles

PHYSICAL SECURITY TRIGGERED DYNAMIC NETWORK AUTHENTICATION AND AUTHORIZATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PHYSICAL SECURITY TRIGGERED DYNAMIC NETWORK AUTHENTICATION AND AUTHORIZATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links