Automatic management of storage access control

US 7,606,801 B2
Filed: 10/25/2005
Issued: 10/20/2009
Est. Priority Date: 06/07/2005
Status: Active Grant

First Claim

Patent Images

1. An access control method for dynamically establishing rules for governing control of access to data stored on at least one storage device by a multiplicity of persons in an organization, said method being implemented on at least one computer, said method comprising:

monitoring and recording actual access events of multiple persons to multiple data elements in said data stored on said at least one storage device over a learning period;

based on said monitoring and recording said actual access events of said multiple persons to said multiple data elements in said data stored on said at least one storage device over said learning period, creating a data access profile for each of said multiple persons and, based on said data access profiles, defining multiple groups each including a plurality of persons among said multiplicity of persons, each group being characterized by the extent of its monitored and recorded actual access events during said learning period to a corresponding aggregation of data elements in said data stored on said at least one storage deviceautomatically defining access rules permitting the plurality of persons in each of said multiple groups to access the corresponding aggregation of data elements in said data stored on said at least one storage device for which said monitored and recorded actual access events occurred during said learning period; and

during at least one period following said learning period, automatically redefining said access rules by narrowing said aggregation of data elements in said data stored on said at least one storage device accessible to the plurality of persons in a group by removing permission to access data elements in said data stored on said at least one storage device which were not accessed by persons in said group during said at least one period following said learning period, said step of defining multiple groups being performed iteratively, wherein said data access profiles are redetermined at each iteration thereof and said access rules are updated following each said iteration.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for defining and creating an automatic file security policy and a semi-automatic method of managing file access control in organizations with multiple diverse access control models and multiple diverse file server protocols. The system monitors access to storage elements within the network. The recorded data traffic is analyzed to assess simultaneous data access groupings and user groupings, which reflect the actual organizational structure. The learned structure is then transformed into a dynamic file security policy, which is constantly adapted to organizational changes over time. The system provides a decision assistance interface for interactive management of the file access control and for tracking abnormal user behavior.

111 Citations

View as Search Results

20 Claims

1. An access control method for dynamically establishing rules for governing control of access to data stored on at least one storage device by a multiplicity of persons in an organization, said method being implemented on at least one computer, said method comprising:
- monitoring and recording actual access events of multiple persons to multiple data elements in said data stored on said at least one storage device over a learning period;
  
  based on said monitoring and recording said actual access events of said multiple persons to said multiple data elements in said data stored on said at least one storage device over said learning period, creating a data access profile for each of said multiple persons and, based on said data access profiles, defining multiple groups each including a plurality of persons among said multiplicity of persons, each group being characterized by the extent of its monitored and recorded actual access events during said learning period to a corresponding aggregation of data elements in said data stored on said at least one storage deviceautomatically defining access rules permitting the plurality of persons in each of said multiple groups to access the corresponding aggregation of data elements in said data stored on said at least one storage device for which said monitored and recorded actual access events occurred during said learning period; and
  
  during at least one period following said learning period, automatically redefining said access rules by narrowing said aggregation of data elements in said data stored on said at least one storage device accessible to the plurality of persons in a group by removing permission to access data elements in said data stored on said at least one storage device which were not accessed by persons in said group during said at least one period following said learning period, said step of defining multiple groups being performed iteratively, wherein said data access profiles are redetermined at each iteration thereof and said access rules are updated following each said iteration.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein said access rules permit access by one of said plurality of persons in said group to said aggregation of data elements accessible to the plurality of persons in said group, only if at least one of said aggregation of data elements accessible to the plurality of persons in said group has been accessed by said one of said plurality of persons in said group.
  - 3. The method according to claim 1, wherein said access rules permit access by said plurality of persons in said group to said aggregation of data elements accessible to the plurality of persons in said group, only if at least one of said aggregation of data elements accessible to the plurality of persons in said group has been accessed by at least one of said plurality of persons in said group.
  - 4. The method according to claim 1, further comprising the step of deriving a structure of said data responsively to said step of defining multiple groups.
  - 5. The method according to claim 1, further comprising the step of deriving patterns of usage of said data by said users responsively to said step of defining multiple groups.
  - 6. The method according to claim 5, further comprising the step of detecting aberrant ones of said patterns of usage.
  - 7. The method according to claim 1, wherein said step of automatically defining access rules comprises the steps of:
    - proposing a tentative version of said access rules;
      
      monitoring and recording subsequent actual access events to said aggregation of data elements by said multiple persons;
      
      determining that said subsequent actual access events are in accordance with said tentative version of said access rules; and
      
      responsively to said step of determining approving said tentative version as a definitive version of said access rules.
  - 8. The method according to claim 1, further comprising the step of interactively modifying said access rules.
  - 9. The method according to claim 1, wherein said step of automatically defining access rules is performed substantially without human intervention.
  - 10. The method according to claim 1, further comprising the steps of:
    - referencing an access control list comprising at least one group of said multiple groups and said corresponding aggregation of data elements;
      
      detecting an absence of actual access events by members of said group to at least one data element in said corresponding aggregation of data elements; and
      
      responsively to said step of detecting, removing at least a portion of said plurality of persons from said group and removing at least a portion of said aggregation of data elements from said corresponding aggregation of data elements.

11. A computer software product, including a computer-readable storage medium in which computer program instructions are stored, which instructions, when read by a computer, cause the computer to perform a method for dynamically establishing rules which can be used to govern control of access to data stored on at least one storage device by a multiplicity of persons in an organization, said method comprising:
- monitoring and recording actual access events of multiple persons to multiple data elements in said data stored on said at least one storage device over a learning period;
  
  based on said monitoring and recording said actual access events of said multiple persons to said multiple data elements in said data stored on said at least one storage device over said learning period, creating a data access profile for each of said multiple persons and, based on said data access profiles, defining multiple groups each including a plurality of persons among said multiplicity of persons, each group being characterized by the extent of its monitored and recorded actual access events during said learning period to a corresponding aggregation of data elements in said data stored on said at least one storage device;
  
  automatically defining access rules permitting the plurality of persons in each of said multiple groups to access the corresponding aggregation of data elements in said data stored on said at least one storage device for which said monitored and recorded actual access events occurred during said learning period; and
  
  during at least one period following said learning period, automatically redefining said access rules by narrowing said aggregation of data elements in said data stored on said at least one storage device accessible to the plurality of persons in a group by removing permission to access data elements in said data stored on said at least one storage device which were not accessed by persons in said group during said at least one period following said learning period said step of defining multiple groups being performed iteratively, wherein said data access profiles are redetermined at each iteration thereof and said access rules are updated following each said iteration.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer software product according to claim 11, wherein said access rules permit access by one of said plurality of persons in said group to said aggregation of data elements accessible to the plurality of persons in said group, only if at least one of said aggregation of data elements accessible to the plurality of persons in said group has been accessed by said one of said plurality of persons in said group.
  - 13. The computer software product according to claim 11, wherein said access rules permit access by said plurality of persons in said group to said aggregation of data elements accessible to the plurality of persons in said group, only if at least one of said aggregation of data elements accessible to the plurality of persons in said group has been accessed by at least one of said plurality of persons in said group.
  - 14. The computer software product according to claim 11, wherein said step of automatically defining access rules comprises the steps of:
    - proposing a tentative version of said access rules;
      
      monitoring and recording subsequent actual access events to said aggregation of data elements by said multiple persons;
      
      determining that said subsequent actual access events are in accordance with said tentative version of said access rules; and
      
      responsively to said step of determining approving said tentative version as a definitive version of said access rules.
  - 15. The computer software product according to claim 11, wherein said step of automatically defining said access rules comprises the steps of:
    - referencing an access control list comprising at least one group of said multiple groups and said corresponding aggregation of data elements;
      
      detecting an absence of actual access events by members of said group to at least one data element in said corresponding aggregation of data elements; and
      
      responsively to said step of detecting, removing at least a portion of said plurality of persons from said group and removing at least a portion of said aggregation of data elements from said corresponding aggregation of data elements.

16. Apparatus for dynamically establishing rules which can be used to govern control of access to data by a multiplicity of persons in an organization, said apparatus comprising:
- at least one storage device operative to store said data; and
  
  at least one computer operative to perform the steps of;
  
  monitoring and recording actual access events of multiple persons to multiple data elements in said data stored on said at least one storage device over a learning period;
  
  based on said monitoring and recording said actual access events of said multiple persons to said multiple data elements in said data stored on said at least one storage device over said learning period creating a data access profile for each of said multiple persons and, based on said data access profiles, defining multiple groups each including a plurality of persons among said multiplicity of persons, each group being characterized by the extent of its monitored and recorded access events during said learning period to a corresponding aggregation of data elements in said data stored on said at least one storage device;
  
  automatically defining access rules permitting the plurality of persons in each of said multiple groups to access the corresponding aggregation of data elements in said data stored on said at least one storage device for which said monitored and recorded actual access events occurred during said learning period; and
  
  during at least one period following said learning period, automatically redefining said access rules by narrowing said aggregation of data elements in said data stored on said at least one storage device accessible to the plurality of persons in a group by removing permission to access data elements in said data stored on said at least one storage device which were not accessed by persons in said group during said at least one period following said learning period said step of defining multiple groups being performed iteratively, wherein said data access profiles are redetermined at each iteration thereof and said access rules are undated following each said iteration.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus according to claim 16, wherein said access rules permit access by one of said plurality of persons in said group to said aggregation of data elements accessible to the plurality of persons in said group, only if at least one of said aggregation of data elements accessible to the plurality of persons in said group has been accessed by said one of said plurality of persons in said group.
  - 18. The apparatus according to claim 16, wherein said access rules permit access by said plurality of persons in said group to said aggregation of data elements accessible to the plurality of persons in said group, only if at least one of said aggregation of data elements accessible to the plurality of persons in said group has been accessed by at least one of said plurality of persons in said group.
  - 19. The apparatus according to claim 16, wherein said step of automatically defining access rules comprises the steps of:
    - proposing a tentative version of said access rules;
      
      monitoring and recording subsequent actual access events to said aggregation of data elements by said multiple persons;
      
      determining that said subsequent actual access events are in accordance with said tentative version of said access rules; and
      
      responsively to said step of determining approving said tentative version as a definitive version of said access rules.
  - 20. The apparatus according to claim 16, wherein said step of automatically defining access rules comprises the steps of:
    - referencing an access control list comprising at least one group of said multiple groups and said corresponding aggregation of data elements;
      
      detecting an absence of actual access events by members of said group to at least one data element in said corresponding aggregation of data elements; and
      
      responsively to said step of detecting, removing at least a portion of said plurality of persons from said group and removing at least a portion of said aggregation of data elements from said corresponding aggregation of data elements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Varonis Systems, Inc.
Original Assignee
Varonis Inc.
Inventors
Faitelson, Yakov, Korkus, Ohad, Goldberger, Jacob
Primary Examiner(s)
Mahmoudi; Tony
Assistant Examiner(s)
Uddin; Md. I

Application Number

US11/258,256
Publication Number

US 20060277184A1
Time in Patent Office

1,456 Days
Field of Search

707/9, 707/8, 707/6, 707/5, 707/7, 707/205, 707/3, 707/10, 705/50, 705/64, 705/67
US Class Current

1/1
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06Q 20/382   insuring higher security of...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99939   Privileged access

Y10S 707/99945   Object-oriented database st...

Automatic management of storage access control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic management of storage access control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links