SYSTEM AND METHOD FOR DATA SECURITY MANAGEMENT

US 20190327209A1
Filed: 03/01/2019
Published: 10/24/2019
Est. Priority Date: 03/07/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for secure deployment of at least one application identity manager (AIM) security agent, the method comprising:

receiving a change request from a user;

using a secure request fingerprint validation process to authenticate the change request, wherein the secure request fingerprint validation process comprises the following steps;

(a) performing a reverse lookup of a source internet protocol (IP) address from a requesting server with a domain name server (DNS) to return a hostname registered in the DNS;

(b) confirming that the hostname returned from the DNS matches a name of the requesting server issuing the change request;

(c) confirming that the hostname asserted during the change request made by the user exists in a configuration management database (CMDB);

(d) confirming that the hostname asserted during the change request also has an approved change record for AIM security agent installation, as maintained by a change management database; and

(e) confirming that a change record for the AIM security agent installation is within a current deployment time window;

if all the secure request fingerprint validation process steps are confirmed, using an AIM web service to connect to a server that runs a command line interface proxy to create or reset a client registration passcode; and

sending the client registration passcode to the user making the change request to enable the user to download installation binaries from a distribution point to complete an installation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a computer-implemented system and method for automating the secure deployment of application identity manager (AIM) security agents to ensure integrity of identity assertion during the security sensitive agent installation process, while providing significant cost and time savings in the deployment process. The invention also relates to a command line interface (CLI) to representational state transfer (REST) web services proxy, which provides a standards-based REST web service that interfaces with a Microsoft .NET MVC framework to enable cross platform automation and integration with vault management functions. The invention also relates to a multi-vault management platform comprising a graphical user interface-based portal to manage vault functions across a number of vaults with advanced error handling and process integration.

3 Citations

20 Claims

1. A computer-implemented method for secure deployment of at least one application identity manager (AIM) security agent, the method comprising:
- receiving a change request from a user;
  
  using a secure request fingerprint validation process to authenticate the change request, wherein the secure request fingerprint validation process comprises the following steps;
  
  (a) performing a reverse lookup of a source internet protocol (IP) address from a requesting server with a domain name server (DNS) to return a hostname registered in the DNS;
  
  (b) confirming that the hostname returned from the DNS matches a name of the requesting server issuing the change request;
  
  (c) confirming that the hostname asserted during the change request made by the user exists in a configuration management database (CMDB);
  
  (d) confirming that the hostname asserted during the change request also has an approved change record for AIM security agent installation, as maintained by a change management database; and
  
  (e) confirming that a change record for the AIM security agent installation is within a current deployment time window;
  
  if all the secure request fingerprint validation process steps are confirmed, using an AIM web service to connect to a server that runs a command line interface proxy to create or reset a client registration passcode; and
  
  sending the client registration passcode to the user making the change request to enable the user to download installation binaries from a distribution point to complete an installation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the command line interface proxy comprises a command line interface (CLI) to representational state transfer (REST) web service proxy that delivers a standards-based REST web service that interfaces with a Microsoft .NET MVC framework.
  - 3. The method of claim 2, wherein the client registration passcode comprises a temporary one-time use agent registration passcode.
  - 4. The method of claim 3, further comprising immediately invalidating the client registration passcode upon an initial connection with a password vault.
  - 5. The method of claim 4, further comprising generating with the AIM security agent a connection token that continuously changes.
  - 6. The method of claim 3, further comprising using the client registration passcode to securely register an AIM client with the password vault.
  - 7. The method of claim 1, wherein the installation binaries comprise AIM security agent code that runs a secure process to communicate with a password vault and to support secure password queries from application processes.
  - 8. The method of claim 2, wherein the command line interface proxy enables a user to use REST API calls that are available across a plurality of computer programming languages.
  - 9. The method of claim 8, wherein the command line interface proxy provides secure session management and pass-through authentication.
  - 10. The method of claim 1, further comprising:
    - using a super command line interface proxy to manage a plurality of password vaults, wherein the super command line interface proxy enforces organizational standards and rules so that vault administrators cannot perform unauthorized or non-standard functions.

11. A computer-implemented system for secure deployment of at least one application identity manager (AIM) security agent, the system comprising:
- an electronic memory; and
  
  a computer processor, wherein the computer process is programmed to;
  
  receiving a change request from a user;
  
  execute a secure request fingerprint validation process to authenticate the change request, wherein the secure request fingerprint validation process comprises the following steps;
  
  (a) perform a reverse lookup of a source internet protocol (IP) address from a requesting server with a domain name server (DNS) to return a hostname registered in the DNS;
  
  (b) confirm that the hostname returned from the DNS matches a name of the requesting server issuing the change request;
  
  (c) confirm that the hostname asserted during the change request made by the user exists in a configuration management database (CMDB);
  
  (d) confirm that the hostname asserted during the change request also has an approved change record for AIM security agent installation, as maintained by a change management database; and
  
  (e) confirm that a change record for the AIM security agent installation is within a current deployment time window;
  
  if all the secure request fingerprint validation process steps are confirmed, use a AIM web service to connect to a server that runs a command line interface proxy to create or reset a client registration passcode; and
  
  send the client registration passcode to the user making the change request to enable the user to download installation binaries from a distribution point to complete an installation.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the command line interface proxy comprises a command line interface (CLI) to representational state transfer (REST) web service proxy that delivers a standards-based REST web service that interfaces with a Microsoft .NET MVC framework.
  - 13. The system of claim 12, wherein the client registration passcode comprises a temporary one-time use agent registration passcode.
  - 14. The system of claim 13, wherein the computer process is further programmed to immediately invalidate the client registration passcode upon an initial connection with a password vault.
  - 15. The system of claim 14, wherein the computer processor is further programmed to generate with the AIM security agent a connection token that continuously changes.
  - 16. The system of claim 13, wherein the computer processor is further programmed to use the client registration passcode to securely register an AIM client with the password vault.
  - 17. The system of claim 11, wherein the installation binaries comprise AIM security agent code that runs a secure process to communicate with a password vault and to support secure password queries from application processes.
  - 18. The system of claim 12, wherein the command line interface proxy enables a user to use REST API calls that are available across a plurality of computer programming languages.
  - 19. The system of claim 18, wherein the command line interface proxy provides secure session management and pass-through authentication.
  - 20. The system of claim 11, wherein the computer processor is further programmed to use a super command line interface proxy to manage a plurality of password vaults, wherein the super command line interface proxy enforces organizational standards and rules so that vault administrators cannot perform unauthorized or non-standard functions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
SEFERIADIS, David John, COLLINS, Alexander M.

Granted Patent

US 11,252,130 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/45   Structures or tools for the...

G06F 2221/2117   User registration

G06F 8/61   Installation

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0281   Proxies

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/20   for managing network securi...

SYSTEM AND METHOD FOR DATA SECURITY MANAGEMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

3 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DATA SECURITY MANAGEMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links