Techniques for Reconciling Permission Usage with Security Policy for Policy Optimization and Monitoring Continuous Compliance
First Claim
1. An apparatus for managing a security policy having multiple policy items, the apparatus comprising:
- a memory; and
at least one processor device, coupled to the memory, operative to;
(a) map permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items;
(b) identify at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy;
(c) identify at least one of the policy items mapped in step (a) that increases operational risk;
(d) verify that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and
(e) identify optimizations of the security policy based on output from one or more of steps (a)-(d).
5 Assignments
0 Petitions
Accused Products
Abstract
In one aspect, a method for managing a security policy having multiple policy items includes the steps of: (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d).
-
Citations
8 Claims
-
1. An apparatus for managing a security policy having multiple policy items, the apparatus comprising:
-
a memory; and at least one processor device, coupled to the memory, operative to; (a) map permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identify at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identify at least one of the policy items mapped in step (a) that increases operational risk; (d) verify that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identify optimizations of the security policy based on output from one or more of steps (a)-(d). - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. An article of manufacture for managing a security policy having multiple policy items, comprising a machine-readable recordable medium containing one or more programs which when executed implement the steps of:
-
(a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d).
-
Specification