AUTOMATED ACCESS CONTROL MANAGEMENT FOR COMPUTING SYSTEMS

US 20190327271A1
Filed: 04/19/2019
Published: 10/24/2019
Est. Priority Date: 04/20/2018
Status: Active Grant

First Claim

Patent Images

1. A processor-implemented method comprising:

obtaining one or more normalized access control policies associated with one or more first entities based on a stored access control policy representation governing access to a set of resources in an information technology (IT) infrastructure comprising a plurality of subsystems;

determining, based on the one or more normalized access control policies, at least one entity cluster associated with the one or more first entities;

determining one or more derived access control policies corresponding to the at least one entity cluster; and

determining a set of non-compliant access control policies, wherein the set of non-compliant access control policies comprises;

a first subset of the one or more normalized access control policies that are non-compliant with one or more stated access control policies applicable to the at least one entity cluster, ora subset of the one or more derived access control policies that are non-compliant with the one or more stated access control policies, ora combination thereof.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Normalized access control policies associated with entities in an information technology (IT) infrastructure comprising a plurality of subsystems may be obtained based on a stored access control policy representation governing access to resources in the IT infrastructure. Based on the normalized access control policies, entity clusters associated with the entities may be determined. Further, derived access control policies corresponding to the at least one entity cluster may be determined. A set of non-compliant access control policies may be determined where the set of non-compliant access control policies may comprise: a subset of the normalized access control policies that are non-compliant with stated access control policies applicable to the entity clusters, and/or a subset of the derived access control policies that are non-compliant with the stated access control policies. Machine learning and/or Artificial Intelligence techniques may be used to determine, maintain, and audit policies for the IT infrastructure.

74 Citations

27 Claims

1. A processor-implemented method comprising:
- obtaining one or more normalized access control policies associated with one or more first entities based on a stored access control policy representation governing access to a set of resources in an information technology (IT) infrastructure comprising a plurality of subsystems;
  
  determining, based on the one or more normalized access control policies, at least one entity cluster associated with the one or more first entities;
  
  determining one or more derived access control policies corresponding to the at least one entity cluster; and
  
  determining a set of non-compliant access control policies, wherein the set of non-compliant access control policies comprises;
  
  a first subset of the one or more normalized access control policies that are non-compliant with one or more stated access control policies applicable to the at least one entity cluster, ora subset of the one or more derived access control policies that are non-compliant with the one or more stated access control policies, ora combination thereof.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the policy representation comprises one or more second entities with access to the one or more first entities, or one or more third entities accessible to the one or more first entities;
    - or a combination thereof.
  - 3. The method of claim 2, wherein each entity cluster in the at least one entity cluster is determined based on at least one attribute common to one or more of:
    - a subset of the one or more first entities, ora subset of the one or more second entities, ora subset of the one or more third entities.
  - 4. The method of claim 3, wherein the at least one attribute comprises at least one of:
    - an access privilege, oran access pattern, oran activity pattern, the activity pattern comprising one or more of;
      
      an activity type, or an activity volume over a time period, or an activity time, ora variance of one or more parameters associated with a current activity pattern in relation to corresponding parameters for a historical activity pattern, ora location, ora user or user group, ora role, ora device type, oran access domain associated with the IT infrastructure, ora combination thereof.
  - 5. The method of claim 1, wherein determining the one or more derived access control policies comprises:
    - determining, for the at least one entity cluster, one or more corresponding resource access patterns or one or more resource utilization patterns, or a combination thereof, for one or more resources associated with the at least one entity cluster, the one or more resources comprised in the set of resources; and
      
      determining, based on one or more of;
      
      the corresponding resource access patterns, or the resource utilization patterns, the one or more derived access control policies.
  - 6. The method of claim 5, wherein the one or more derived access control policies are determined using a machine learning model.
  - 7. The method of claim 1, wherein determining the first subset of the one or more normalized access control policies comprises:
    - determining one or more non-compliant entities in the at least one entity cluster with attributes that are inconsistent with access control parameters associated with a resource accessed by the at least one entity cluster in the set of resources, the access control parameters being specified in at least one stated access control policy applicable to the resource, andadding, for each non-compliant entity, corresponding normalized policies governing access to the resource to the first subset.
  - 8. The method of claim 1, further comprising:
    - determining a second subset of the one or more normalized access control policies applicable to entities in the at least one entity cluster that differ from;
      
      the one or more stated access control policies, or at least one stated access control policy applicable to a resource accessed by the entity cluster in the set of resources, or a combination thereof.
  - 9. The method of claim 1, wherein the one or more normalized access control policies are automatically configurable.
  - 10. The method of claim 1, wherein the stored access control policy representation comprises the stated access control policies and the derived access control policies.
  - 11. The method of claim 1, further comprising:
    - initiating at least one corrective action in relation to the set of non-compliant access control policies.
  - 12. The method of claim 11, wherein initiating the at least one corrective action in relation to the set of non-compliant access control policies comprises:
    - disabling the set of non-compliant access control policies;
      
      orinitiating transmission of a message identifying the set of non-compliant access control policies, orflagging the set of non-compliant access control policies for evaluation;
      
      orincreasing a risk score associated with each non-compliant access control policy in the set of non-compliant access control policies;
      
      a combination thereof.
  - 13. The method of claim 1, further comprising:
    - determining a third subset of the one or more normalized access control policies applicable to entities in the at least one entity cluster that differ from the one or more derived access control policies applicable to the at least one entity cluster.
  - 14. The method of claim 1, further comprising:
    - determining, for the one or more first entities, a set of unexercised normalized access control policies, the set of unexercised normalized access control policies comprising normalized access control policies associated with the one or more first entities that were not invoked over a time period.

15. A computing system comprising:
- a memory, and a processor coupled to the memory, wherein the processor is configured to;
  
  obtain one or more normalized access control policies associated with one or more first entities based on a stored access control policy representation governing access to a set of resources in an information technology (IT) infrastructure comprising a plurality of subsystems;
  
  determine, based on the one or more normalized access control policies, at least one entity cluster associated with the one or more first entities;
  
  determine one or more derived access control policies corresponding to the at least one entity cluster; and
  
  determine a set of non-compliant access control policies, wherein the set of non-compliant access control policies comprises;
  
  a first subset of the one or more normalized access control policies that are non-compliant with one or more stated access control policies applicable to the at least one entity cluster, ora subset of the one or more derived access control policies that are non-compliant with the one or more stated access control policies, ora combination thereof.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The computing system of claim 15, wherein the policy representation comprises one or more second entities with access to the one or more first entities, or one or more third entities accessible to the one or more first entities;
    - or a combination thereof.
  - 17. The computing system of claim 16, wherein each entity cluster in the at least one entity cluster is determined based on at least one attribute common to one or more of:
    - a subset of the one or more first entities, ora subset of the one or more second entities, ora subset of the one or more third entities.
  - 18. The computing system of claim 17, wherein the at least one attribute comprises at least one of:
    - an access privilege, oran access pattern, oran activity pattern, the activity pattern comprising one or more of;
      
      an activity type, or an activity volume over a time period, or an activity time, ora variance of one or more parameters associated with a current activity pattern in relation to corresponding parameters for a historical activity pattern, ora location, ora user or user group, ora role, ora device type, oran access domain associated with the IT infrastructure, ora combination thereof.
  - 19. The computing system of claim 15, wherein to determine the one or more derived access control policies, the processor is configured to:
    - determine, for the at least one entity cluster, one or more corresponding resource access patterns or one or more resource utilization patterns, or a combination thereof, for one or more resources associated with the at least one entity cluster, the one or more resources comprised in the set of resources; and
      
      determine, based on one or more of;
      
      the corresponding resource access patterns, or the resource utilization patterns, the one or more derived access control policies.
  - 20. The computing system of claim 19, wherein the one or more derived access control policies are determined using a machine learning model.
  - 21. The computing system of claim 15, wherein to determine the first subset of the one or more normalized access control policies, the processor is configured to:
    - determine one or more non-compliant entities in the at least one entity cluster with attributes that are inconsistent with access control parameters associated with a resource accessed by the at least one entity cluster in the set of resources, the access control parameters being specified in at least one stated access control policy applicable to the resource, andadd, for each non-compliant entity, corresponding normalized policies governing access to the resource to the first subset.
  - 22. The computing system of claim 15, wherein the processor is further configured to:
    - determine a second subset of the one or more normalized access control policies applicable to entities in the at least one entity cluster that differ from;
      
      the one or more stated access control policies, or at least one stated access control policy applicable to a resource accessed by the at least one entity cluster in the set of resources, or a combination thereof.
  - 23. The computing system of claim 15, wherein the one or more normalized access control policies are automatically configurable.
  - 24. The computing system of claim 15, wherein the stored access control policy representation comprises the stated access control policies and the derived access control policies.
  - 25. The computing system of claim 15, further comprising:
    - initiating at least one corrective action in relation to the set of non-compliant access control policies.
  - 26. The computing system of claim 15, wherein the processor is further configured to:
    - determine a third subset of the one or more normalized access control policies applicable to entities in the at least one entity cluster that differ from the one or more derived access control policies applicable to the at least one entity cluster.

27. A non-transitory computer readable medium comprising instructions to configure a processor to:
- obtain one or more normalized access control policies associated with one or more first entities based on a stored access control policy representation governing access to a set of resources in an information technology (IT) infrastructure comprising a plurality of subsystems;
  
  determine, based on the one or more normalized access control policies, at least one entity cluster associated with the one or more first entities;
  
  determine one or more derived access control policies corresponding to the at least one entity cluster; and
  
  determine a set of non-compliant access control policies, wherein the set of non-compliant access control policies comprises;
  
  a first subset of the one or more normalized access control policies that are non-compliant with one or more stated access control policies applicable to the at least one entity cluster, ora subset of the one or more derived access control policies that are non-compliant with the one or more stated access control policies, ora combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies, Inc. (SailPoint Technologies Holdings, Inc.)
Original Assignee
Orkus, Inc. (SailPoint Technologies Holdings, Inc.)
Inventors
Saxena, Abhishek, Manish

Granted Patent

US 11,178,182 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 3/04817   using icons graphical or vi...

G06F 3/0482   Interaction with lists of s...

G06F 8/38   for implementing user inter...

G06N 20/00   Machine learning

G06N 3/045   Combinations of networks

G06N 3/08   Learning methods

G06N 5/01   Dynamic search techniques; ...

G06N 5/046   Forward inferencing; Produc...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/16   using machine learning or a...

H04L 41/22   comprising specially adapte...

H04L 41/40   using virtualisation of net...

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

AUTOMATED ACCESS CONTROL MANAGEMENT FOR COMPUTING SYSTEMS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

74 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED ACCESS CONTROL MANAGEMENT FOR COMPUTING SYSTEMS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links