Reducing risks associated with recertification of dormant accounts

US 20170063873A1
Filed: 09/02/2015
Published: 03/02/2017
Est. Priority Date: 09/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method to reduce risk associated with recertification of an account having an access entitlement, comprising:

selecting accounts for recertification in accordance with a recertification policy;

determining which of the selected accounts are dormant accounts;

for each dormant account so determined, suspending access to the dormant account;

while the dormant account is suspended, issuing a notification to an entity associated with the dormant account to determine whether the entity has a continued access need with respect thereto; and

responsive to receipt of an indication that the entity has a continued access need, removing the suspension.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identity management system is augmented to provide for automated suspension of all dormant accounts before launching a re-certification campaign (pass). In one implementation, prior to receiving a recertification notice from the system, the affected user'"'"'s account is already suspended and thus cannot be accessed. Once the recertification succeeds, however, the account is restored. Preferably, the technique is exposed to an IAM system administrator through a simple interface, e.g., a one-click “suspend and re-certify” button in an administrative menu. When the administrator initiates the re-certification process, he or she may select the button for a particular account or user.

Citations

20 Claims

1. A method to reduce risk associated with recertification of an account having an access entitlement, comprising:
- selecting accounts for recertification in accordance with a recertification policy;
  
  determining which of the selected accounts are dormant accounts;
  
  for each dormant account so determined, suspending access to the dormant account;
  
  while the dormant account is suspended, issuing a notification to an entity associated with the dormant account to determine whether the entity has a continued access need with respect thereto; and
  
  responsive to receipt of an indication that the entity has a continued access need, removing the suspension.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as described in claim 1 further including configuring an identity and access management system to enable dormant accounts to be temporarily suspended in association with a recertification campaign.
  - 3. The method as described in claim 2 further including receiving a control command that initiates a suspend-and-recertify operation with respect to one or more dormant accounts.
  - 4. The method as described in claim 1 wherein the notification is a continued business need (CBN) notice.
  - 5. The method as described in claim 1 wherein the step of determining which of the selected accounts are dormant accounts includes one of:
    - receiving a dormant account report identifying one or more dormant accounts, and querying a service to obtain last login data for a particular account associated with the service.
  - 6. The method as described in claim 1 further including:
    - responsive to receipt of an indication that the entity has no continued access need, de-associating the dormant account and the entity.

7. An apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to reduce risk associated with recertification of an account having an access entitlement, the computer program instructions comprising;
  
  program code operative to select accounts for recertification in accordance with a recertification policy;
  
  program code operative to determine which of the selected accounts are dormant accounts;
  
  program code operative for each dormant account so determined to suspend access to the dormant account;
  
  program code operative while the dormant account is suspended to issue a notification to an entity associated with the dormant account to determine whether the entity has a continued access need with respect thereto; and
  
  program code operative in response to receipt of an indication that the entity has a continued access need to remove the suspension.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus as described in claim 7 wherein the computer program instructions further include program code operative to configure an identity and access management system to enable dormant accounts to be temporarily suspended in association with a recertification campaign.
  - 9. The apparatus as described in claim 8 wherein the computer program instructions are further operative to receive a control command that initiates a suspend-and-recertify operation with respect to one or more dormant accounts.
  - 10. The apparatus as described in claim 7 wherein the notification is a continued business need (CBN) notice.
  - 11. The apparatus as described in claim 7 wherein the computer program instructions operative to determine which of the selected accounts are dormant accounts includes program code further operative to receive a dormant account report identifying one or more dormant accounts or to query a service to obtain last login data for a particular account associated with the service.
  - 12. The apparatus as described in claim 7 wherein the computer program instructions are further operative in response to receipt of an indication that the entity has no continued access need to de-associate the dormant account and the entity.

13. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, to reduce risk associated with recertification of an account having an access entitlement, the computer program instructions comprising:
- program code operative to select accounts for recertification in accordance with a recertification policy;
  
  program code operative to determine which of the selected accounts are dormant accounts;
  
  program code operative for each dormant account so determined to suspend access to the dormant account;
  
  program code operative while the dormant account is suspended to issue a notification to an entity associated with the dormant account to determine whether the entity has a continued access need with respect thereto; and
  
  program code operative in response to receipt of an indication that the entity has a continued access need to remove the suspension.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product as described in claim 13 wherein the computer program instructions further include program code operative to configure an identity and access management system to enable dormant accounts to be temporarily suspended in association with a recertification campaign.
  - 15. The computer program product as described in claim 14 wherein the computer program instructions are further operative to receive a control command that initiates a suspend-and-recertify operation with respect to one or more dormant accounts.
  - 16. The computer program product as described in claim 13 wherein the notification is a continued business need (CBN) notice.
  - 17. The computer program product as described in claim 13 wherein the computer program instructions operative to determine which of the selected accounts are dormant accounts includes program code further operative to receive a dormant account report identifying one or more dormant accounts or to query a service to obtain last login data for a particular account associated with the service.
  - 18. The computer program product as described in claim 13 wherein the computer program instructions are further operative in response to receipt of an indication that the entity has no continued access need to de-associate the dormant account and the entity.

19. An apparatus for identity access and management, comprising:
- a hardware processor;
  
  computer memory holding computer program instructions executed by the hardware processor to provide account access certification according to a certification policy, the computer program instructions operative to receive a suspend-and-recertify control command and, responsive to receipt of the suspend-and-recertify control command, to automatically suspend access to one or more dormant accounts prior to issuing continued business need (CBN) notifications to entities associated with one or more dormant accounts.
- View Dependent Claims (20)
- - 20. The apparatus as described in claim 19 wherein the computer program instructions are further operative to restore access to a dormant account upon receipt of a given response to a CBN notification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hidden, Jean Elizabeth, Matthiesen, Brian Robert, Turcol, Stephen J., Chia, Gee Ngoo

Granted Patent

US 10,440,029 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

Reducing risks associated with recertification of dormant accounts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Reducing risks associated with recertification of dormant accounts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links