DYNAMIC ENTERPRISE SECURITY CONTROL BASED ON USER RISK FACTORS

US 20160226911A1
Filed: 02/04/2015
Published: 08/04/2016
Est. Priority Date: 02/04/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for dynamically setting enterprise-level security rules as a function of assessing risk factors associated with a user, the method comprising executing on a computer processor the steps of:

determining risk values for respective ones of a plurality of different attributes of a user, wherein the risk values each represent a likelihood of loss of secure data of an enterprise as a function of association of the respective ones of the plurality of different attributes of the user;

adding the risk values together to generate a risk factor for the user;

in response to determining that the risk factor meets at least one off-site access threshold value, applying security settings associated with the user and granting access, pursuant to the applied security settings, to the enterprise secure data by the user from an off-site location of the user that is not within a local network of the enterprise;

in response to determining that the risk factor does not meet the at least one off-site access threshold value, determining whether at least one additional security enhancement is applicable to the user and not enabled within the applied security settings; and

in response to determining that at least one additional security enhancement is applicable to the user and not within the applied security settings, iteratively selecting one of the at least one additional security enhancements that is applicable to the user and not enabled within the applied security settings, revising the security settings by enabling the selected security enhancement, and revising the risk factor by a risk abrogation value of the selected security enhancement, until;

granting access to the user, pursuant to the revised security settings, to the enterprise secure data from the off-site location, in response to determining that the revised risk factor meets the at least one off-site access threshold value;

ordenying access to the user to the enterprise secure data from the off-site location, in response to determining that there is no additional at least one security enhancement applicable to the user and not enabled within the security settings.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects dynamically set enterprise-level security rules by assessing risk factors associated with a user. Risk values representing likelihoods of loss of enterprise secure data are determined for different attributes of a user, and added together to generate a user risk factor. If the risk factor does not meet one or more off-site access threshold value(s), additional security enhancements applicable to the user and not enabled within currently applied security are iteratively selected and used to revise the security settings, and the risk factor is revised by a risk abrogation value of each of the selected security enhancements, until either the revised risk factor meets the off-site access threshold value(s) (wherein access is granted to the secure data from the off-site location pursuant to the revised security settings), or until no additional applicable security enhancements are available (wherein user access to the secure data from the off-site location is denied).

49 Citations

20 Claims

1. A computer-implemented method for dynamically setting enterprise-level security rules as a function of assessing risk factors associated with a user, the method comprising executing on a computer processor the steps of:
- determining risk values for respective ones of a plurality of different attributes of a user, wherein the risk values each represent a likelihood of loss of secure data of an enterprise as a function of association of the respective ones of the plurality of different attributes of the user;
  
  adding the risk values together to generate a risk factor for the user;
  
  in response to determining that the risk factor meets at least one off-site access threshold value, applying security settings associated with the user and granting access, pursuant to the applied security settings, to the enterprise secure data by the user from an off-site location of the user that is not within a local network of the enterprise;
  
  in response to determining that the risk factor does not meet the at least one off-site access threshold value, determining whether at least one additional security enhancement is applicable to the user and not enabled within the applied security settings; and
  
  in response to determining that at least one additional security enhancement is applicable to the user and not within the applied security settings, iteratively selecting one of the at least one additional security enhancements that is applicable to the user and not enabled within the applied security settings, revising the security settings by enabling the selected security enhancement, and revising the risk factor by a risk abrogation value of the selected security enhancement, until;
  
  granting access to the user, pursuant to the revised security settings, to the enterprise secure data from the off-site location, in response to determining that the revised risk factor meets the at least one off-site access threshold value;
  
  ordenying access to the user to the enterprise secure data from the off-site location, in response to determining that there is no additional at least one security enhancement applicable to the user and not enabled within the security settings.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the access granted to the enterprise secure data to the user from the off-site location, pursuant to either of the applied security settings and the revised security settings, is provided as a service in a cloud environment.
  - 3. The method of claim 1, further comprising:
    - integrating computer-readable program code into a computer system comprising a processor, a computer readable memory in circuit communication with the processor, and a computer readable storage medium in circuit communication with the processor; and
      
      wherein the processor executes program code instructions stored on the computer-readable storage medium via the computer readable memory and thereby performs the steps of determining the risk values for the respective ones of the plurality of different attributes of the user, adding the risk values together to generate the risk factor for the user, applying the security settings associated with the user and granting the access pursuant to the applied security settings to the enterprise secure data by the user from the off-site location of the user, determining whether the at least one additional security enhancement is applicable to the user and not enabled within the applied security settings, iteratively selecting the one of the at least one additional security enhancements that is applicable to the user and not enabled within the applied security settings, revising the security settings by enabling the selected security enhancement and revising the risk factor by the risk abrogation value of the selected security enhancement until granting the access to the user pursuant to the revised security settings to the enterprise secure data from the off-site location or denying access to the user to the enterprise secure data from the off-site location.
  - 4. The method of claim 1, wherein the step of determining the risk values for the respective ones of the plurality of different attributes of the user comprises:
    - assigning a first risk value to an enterprise title of the user in response to identifying that the user has access to a first quantity of trade secrets of the enterprise; and
      
      assigning a second risk value that is larger than the first risk value to the enterprise title of the user in response to identifying that the user has access to a second quantity of trade secrets of the enterprise that is larger than the first quantity of trade secrets.
  - 5. The method of claim 1, wherein the step of determining the risk values for the respective ones of the plurality of different attributes of the user comprises:
    - determining an exposure risk value for the user as a multiple of a number of mobile devices that the user has lost, or of a number of previous enterprise authentication breaches associated with credentials of the user.
  - 6. The method of claim 1, wherein the step of determining the risk values for the respective ones of the plurality of different attributes of the user comprises:
    - generating a time of access risk value for the user in response to determining that a time of a request by the user to access the enterprise secure data is outside of the historical time period that encompasses authorized accesses to the enterprise secure data.
  - 7. The method of claim 1, wherein the at least one off-site access threshold value comprises a home threshold value that is applicable to access to the enterprise secure data by the user from within a home network location of the user that is not within a local network of the enterprise, and a mobile threshold value that is different from the home threshold value and is applicable to access to the enterprise secure data by the user from a mobile location that is not within the home network or within the enterprise local network;
    - andwherein the step of iteratively selecting additional security enhancements further comprises;
      
      selecting a first of the at least one additional security enhancements in response to determining that the risk factor does not meet the home access threshold value; and
      
      selecting a second of the at least one additional security enhancements in response to determining that the risk factor does not meet the mobile access threshold value, wherein the second additional security enhancement is different from and more restrictive than the first additional security enhancement.
  - 8. The method of claim 7, wherein the selected first additional security enhancement is an additional password requirement, or increasing a frequency of locking an application used for the user for access to the enterprise secure data and requiring reentry of a password to continue access by the user to the enterprise secure data;
    - andthe selected second additional security enhancement comprises causing a mobile device of the user mobile device to turn off a universal serial bus port and a Blue Tooth connection.
  - 9. The method of claim 8, wherein the selected second additional security enhancement comprises at least one of forcing a virus scan to execute on the mobile device of the user, and shutting down the mobile device of the user until location data indicates that the mobile device of the user is relocated to another location that is within the home network or within the enterprise local area network.
  - 10. The method of claim 1, wherein the step of determining the risk values for the respective ones of the plurality of different attributes of the user comprises:
    - determining a social network risk value for the user as a function of a number of social network connections, followings or followers.
  - 11. The method of claim 10, wherein the step of determining the social network risk value for the user comprises:
    - increasing a value of the social network risk value in response to identifying a connection of the user to another who is associated with a competitor of the enterprise.

12. A system, comprising:
- a processor;
  
  a computer readable memory in circuit communication with the processor; and
  
  a computer readable storage medium in circuit communication with the processor;
  
  wherein the processor executes program instructions stored on the computer-readable storage medium via the computer readable memory and thereby;
  
  determines risk values for respective ones of a plurality of different attributes of a user, wherein the risk values each represent a likelihood of loss of secure data of an enterprise as a function of association of the respective one of the plurality of different attributes with the user;
  
  adds the risk values together to generate a risk factor for the user;
  
  in response to a determination that the risk factor meets at least one off-site access threshold value, applies security settings associated with the user and grants access, pursuant to the applied security settings, to the enterprise secure data by the user from an off-site location of the user that is not within a local network of the enterprise;
  
  in response to a determination that the risk factor does not meet the at least one off-site access threshold value, determines whether at least one additional security enhancement is applicable to the user and not enabled within the applied security settings; and
  
  in response to a determination that at least one additional security enhancement is applicable to the user and not within the applied security settings, iteratively selects one of the at least one additional security enhancements that is applicable to the user and not enabled within the applied security settings, revises the security settings by enabling the selected security enhancement, and revises the risk factor by a risk abrogation value of the selected security enhancement, until;
  
  granting access to the user, pursuant to the revised security settings, to the enterprise secure data from the off-site location, in response to determining that the revised risk factor meets the at least one off-site access threshold value;
  
  ordenying access to the user to the enterprise secure data from the off-site location, in response to determining that there is no additional at least one security enhancement applicable to the user and not enabled within the security settings.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, wherein the processor executes the program instructions stored on the computer-readable storage medium via the computer readable memory and thereby further grants access to the user to the enterprise secure data from the off-site location, pursuant to either of the applied security settings and the revised security settings, as a service in a cloud environment.
  - 14. The system of claim 12, wherein the at least one off-site access threshold value comprises a home threshold value that is applicable to access to the enterprise secure data by the user from within a home network location of the user that is not within a local network of the enterprise, and a mobile threshold value that is different from the home threshold value and is applicable to access to the enterprise secure data by the user from a mobile location that is not within the home network or within the enterprise local network;
    - andwherein the processor executes the program instructions stored on the computer-readable storage medium via the computer readable memory and thereby further iteratively selects the additional security enhancements by;
      
      selecting a first of the at least one additional security enhancements in response to determining that the risk factor does not meet the home access threshold value; and
      
      selecting a second of the at least one additional security enhancements in response to determining that the risk factor does not meet the mobile access threshold value, wherein the second additional security enhancement is different from and more restrictive than the first additional security enhancement.
  - 15. The system of claim 14, wherein the selected first additional security enhancement is an additional password requirement, or increasing a frequency of locking an application used for the user for access to the enterprise secure data and requiring reentry of a password to continue access by the user to the enterprise secure data;
    - andthe selected second additional security enhancement comprises causing a mobile device of the user mobile device to turn off a universal serial bus port and a Blue Tooth connection.
  - 16. The system of claim 15, wherein the selected second additional security enhancement comprises at least one of forcing a virus scan to execute on the mobile device of the user, and shutting down the mobile device of the user until location data indicates that the mobile device of the user is relocated to another location that is within the home network or within the enterprise local area network.

17. A computer program product for dynamically setting enterprise-level security rules as function of assessing risk factors associated with a user, the computer program product comprising:
- a computer readable storage device having computer readable program code embodied therewith, wherein the computer readable storage device is not a transitory signal per se, the computer readable program code comprising instructions for execution by a processor that cause the processor to;
  
  determine risk values for respective ones of a plurality of different attributes of a user, wherein the risk values each represent a likelihood of loss of secure data of an enterprise as a function of association of the respective one of the plurality of different attributes with the user;
  
  add the risk values together to generate a risk factor for the user;
  
  in response to a determination that the risk factor meets at least one off-site access threshold value, apply security settings associated with the user and grant access, pursuant to the applied security settings, to the enterprise secure data by the user from an off-site location of the user that is not within a local network of the enterprise;
  
  in response to a determination that the risk factor does not meet the at least one off-site access threshold value, determine whether at least one additional security enhancement is applicable to the user and not enabled within the applied security settings; and
  
  in response to a determination that at least one additional security enhancement is applicable to the user and not within the applied security settings, iteratively select one of the at least one additional security enhancements that is applicable to the user and not enabled within the applied security settings, revise the security settings by enabling the selected security enhancement, and revise the risk factor by a risk abrogation value of the selected security enhancement, until;
  
  granting access to the user, pursuant to the revised security settings, to the enterprise secure data from the off-site location, in response to determining that the revised risk factor meets the at least one off-site access threshold value;
  
  ordenying access to the user to the enterprise secure data from the off-site location, in response to determining that there is no additional at least one security enhancement applicable to the user and not enabled within the security settings.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, wherein the at least one off-site access threshold value comprises a home threshold value that is applicable to access to the enterprise secure data by the user from within a home network location of the user that is not within a local network of the enterprise, and a mobile threshold value that is different from the home threshold value and is applicable to access to the enterprise secure data by the user from a mobile location that is not within the home network or within the enterprise local network;
    - andwherein the computer readable program code instructions for execution by the processor further cause the processor to iteratively select the additional security enhancements by;
      
      selecting a first of the at least one additional security enhancements in response to determining that the risk factor does not meet the home access threshold value; and
      
      selecting a second of the at least one additional security enhancements in response to determining that the risk factor does not meet the mobile access threshold value, wherein the second additional security enhancement is different from and more restrictive than the first additional security enhancement.
  - 19. The computer program product of claim 18, wherein the selected first additional security enhancement is an additional password requirement, or increasing a frequency of locking an application used for the user for access to the enterprise secure data and requiring reentry of a password to continue access by the user to the enterprise secure data;
    - andthe selected second additional security enhancement comprises causing a mobile device of the user mobile device to turn off a universal serial bus port and a Blue Tooth connection.
  - 20. The computer program product of claim 19, wherein the selected second additional security enhancement comprises at least one of forcing a virus scan to execute on the mobile device of the user, and shutting down the mobile device of the user until location data indicates that the mobile device of the user is relocated to another location that is within the home network or within the enterprise local area network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
JONES, ANDREW R., LINGAFELT, CHARLES S., MOORE, JOHN E. Jr., BOSS, GREGORY J., MCCONNELL, KEVIN C.

Granted Patent

US 9,413,786 B1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06Q 10/0635   Risk analysis of enterprise...

G06Q 50/01   Social networking

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/107   wherein the security polici...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04W 12/086   using security domains

DYNAMIC ENTERPRISE SECURITY CONTROL BASED ON USER RISK FACTORS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC ENTERPRISE SECURITY CONTROL BASED ON USER RISK FACTORS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links