METHOD AND SYSTEM FOR RISK-ADAPTIVE ACCESS CONTROL OF AN APPLICATION ACTION
Abstract
Risk-adaptive access control techniques are disclosed. In various embodiments, a value for a threat level attribute is determined based at least in part on threat detection data generated by a security system or process. The determined value for the threat level attribute is used to make, at least in part, an access control decision with respect to a request to access the resource. In various embodiments, the threat level attribute is used as an environment attribute provided as input to an XACML-based access control system.
20 Claims
1. A method of controlling access to a resource, comprising:
setting one or more security policies for controlling access to the resource of an application, wherein the one or more security policies associate each of a plurality of access levels with a corresponding value for a threat level attribute;
receiving at an access control server, threat detection data from a security system or process via a communication interface, wherein the security system or process monitors network traffic;
determining, by the access control server, based at least in part on the threat detection data received from the security system or process, a value for the threat level attribute;
receiving from the application, an access request that identifies a user of a client terminal, the resource of the application subject to the access request, and one or more actions requested associated with the resource of the application in response to the client terminal attempting to perform one or more actions with respect to the resource of the application over a communication network; and
determining, by the access control server, an access level of the plurality of access levels to apply to the resource of the application in response to receiving a request from the client terminal to access the resource over the communication network, wherein the access level is determined based at least in part on one or more of the determined value for the threat level attribute, the identity of the user, the resource of the application subject to the request, the one or more actions requested associated with the resource of the application, and at least one of the one or more security policies.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)

10. A system, comprising:
a processor configured to:
set one or more security policies for controlling access to the resource of an application, wherein the one or more security policies associate each of a plurality of access levels with a corresponding value for a threat level attribute;
receive threat detection data from a security system or process via a communication interface, wherein the security system or process monitors network traffic;
determine, based at least in part on the threat detection data received from the security system or process, a value for the threat level attribute;
receive from the application an access request that identifies a user of a client terminal, the resource of the application subject to the access request, and one or more actions requested associated with the resource of the application in response to the client terminal attempting to perform one or more actions with respect to the resource of the application over a communication network; and
determine an access level of the plurality of access levels to apply to the resource of the application in response to receiving a request from the client terminal to access the resource over the communication network, wherein the access level is determined based at least in part on one or more of the determined value for the threat level attribute, the identity of the user, the resource of the application subject to the request, the one or more actions requested associated with the resource of the application, and at least one of the one or more security policies; and
a memory or other storage device coupled to the processor and configured to store said threat detection data generated by said security system or process.
(Dependent claims: 11, 12, 13, 14, 15)

16. A computer program product embodied in a tangible, non-transitory computer-readable storage medium, comprising computer instructions for:
setting one or more security policies for controlling access to the resource of an application, wherein the one or more security policies associate each of a plurality of access levels with a corresponding value for a threat level attribute;
receiving at an access control server, threat detection data from a security system or process via a communication interface, wherein the security system or process monitors network traffic;
determining, by the access control server, based at least in part on the threat detection data received from the security system or process, a value for the threat level attribute;
receiving from the application, an access request that identifies a user of a client terminal, the resource of the application subject to the access request, and one or more actions requested associated with the resource of the application in response to the client terminal attempting to perform one or more actions with respect to the resource of the application over a communication network; and
determining, by the access control server, an access level of the plurality of access levels to apply to the resource of the application in response to receiving a request from the client terminal to access the resource over the communication network, wherein the access level is determined based at least in part on one or more of the determined value for the threat level attribute, the identity of the user, the resource of the application subject to the request, the one or more actions requested associated with the resource of the application, and at least one of the one or more security policies.
(Dependent claims: 17, 18, 19, 20)

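The following is an added illustration, not code from the patent or its assignee, of the method recited in claims 1, 10 and 16 and summarised in the abstract: a feed of alerts from a network-monitoring sensor is scored into the threat level attribute, the attribute travels in the environment category of an XACML-style request alongside subject, resource and action, and a policy that associates access levels with threat level values yields the access level for the request. The alert format, the scoring thresholds, the role names, the resource identifiers and the policy contents are all assumptions made for this example.

```python
"""Added example (not the patent's code): a minimal risk-adaptive PDP.

A threat level is derived from network-sensor alerts, carried as an
environment attribute in an XACML-style request, and policies that tie
access levels to threat levels are evaluated for (user, resource, actions).
Alert format, scoring thresholds and the policy are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

THREAT_LEVELS = ("low", "elevated", "high")    # calmest .. most severe
ACCESS_LEVELS = ("full", "read_only", "deny")  # most .. least permissive

@dataclass(frozen=True)
class Alert:
    """One record from a sensor that monitors network traffic (constructed)."""
    ts: datetime
    severity: int      # 1 (informational) .. 5 (critical)
    src_ip: str
    signature: str

def threat_level(alerts: Iterable[Alert], now: datetime,
                 window: timedelta = timedelta(minutes=15)) -> str:
    """Assumed scoring: any critical alert in the window -> "high"; summed
    severity >= 8 or alerts from 3+ distinct sources -> "elevated"; else "low"."""
    recent = [a for a in alerts if timedelta(0) <= now - a.ts <= window]
    if any(a.severity >= 5 for a in recent):
        return "high"
    if sum(a.severity for a in recent) >= 8 or len({a.src_ip for a in recent}) >= 3:
        return "elevated"
    return "low"

@dataclass(frozen=True)
class Rule:
    """Grants ``access`` to ``roles`` on ``resource`` (may end in '*') for
    ``actions`` while the threat level is no higher than ``max_threat``."""
    roles: frozenset
    resource: str
    actions: frozenset
    max_threat: str
    access: str

@dataclass(frozen=True)
class Request:
    """XACML-style request: subject, resource, action and environment categories."""
    subject: dict
    resource: dict
    actions: frozenset
    environment: dict

def _resource_matches(pattern: str, resource_id: str) -> bool:
    return (resource_id.startswith(pattern[:-1]) if pattern.endswith("*")
            else resource_id == pattern)

def _applies(rule: Rule, req: Request, action: str) -> bool:
    level = req.environment["threat-level"]
    return (req.subject["role"] in rule.roles
            and _resource_matches(rule.resource, req.resource["id"])
            and action in rule.actions
            and THREAT_LEVELS.index(level) <= THREAT_LEVELS.index(rule.max_threat))

def decide(policy: list, req: Request) -> str:
    """Access level for the resource: per action, the most permissive level any
    applicable rule grants (default deny); across actions, the most restrictive,
    so a request bundling a read with a write is governed by the write."""
    per_action = [min((r.access for r in policy if _applies(r, req, a)),
                      key=ACCESS_LEVELS.index, default="deny") for a in req.actions]
    return max(per_action, key=ACCESS_LEVELS.index, default="deny")

# Constructed policy: analysts keep full finance access only while the network
# is quiet, drop to read-only under elevated threat and are denied under high
# threat; reading the public notice board is unaffected by threat level.
POLICY = [
    Rule(frozenset({"analyst"}), "finance/*", frozenset({"read", "write"}), "low", "full"),
    Rule(frozenset({"analyst"}), "finance/*", frozenset({"read"}), "elevated", "read_only"),
    Rule(frozenset({"analyst", "guest"}), "public/notices", frozenset({"read"}), "high", "read_only"),
]

def access_for(role: str, resource: str, actions: Iterable[str],
               alerts: Iterable[Alert], now: datetime) -> str:
    """Build the request with the derived threat level and evaluate POLICY."""
    req = Request(subject={"role": role}, resource={"id": resource},
                  actions=frozenset(actions),
                  environment={"threat-level": threat_level(alerts, now)})
    return decide(POLICY, req)

# Constructed alert feeds relative to a fixed clock.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
QUIET = [Alert(NOW - timedelta(minutes=5), 2, "10.0.0.5", "ET SCAN Nmap")]
NOISY = QUIET + [Alert(NOW - timedelta(minutes=3), 3, "10.0.0.7", "ET POLICY SSH brute force"),
                 Alert(NOW - timedelta(minutes=1), 3, "10.0.0.9", "ET WEB SQLi attempt")]
CRITICAL = QUIET + [Alert(NOW - timedelta(minutes=2), 5, "10.0.0.66", "ET MALWARE C2 beacon")]
STALE = [Alert(NOW - timedelta(hours=2), 5, "10.0.0.66", "ET MALWARE C2 beacon")]  # outside window
```

Calling `access_for("analyst", "finance/ledger", ["read", "write"], feed, NOW)` with the QUIET, NOISY and CRITICAL feeds returns "full", "deny" and "deny" respectively, while a read-only request under NOISY returns "read_only" and the STALE feed scores "low" because its critical alert falls outside the evaluation window. Two points the claims leave open are made concrete here: the default when no policy applies is deny, and a request naming several actions receives the most restrictive level among them, so bundling a read with a write does not let the write ride on the read's permission. In a deployment, `threat_level` is the integration point for the network-monitoring system, and `decide` would be replaced by an XACML PDP receiving threat-level as an environment attribute.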
Specification