Holistic risk-based identity establishment for eligibility determinations in context of an application
Abstract
A set of Service Oriented Architecture (SOA) services can be utilized by applications executing in protected application environments external to a SOA environment. The SOA services can include an identity service, an eligibility service, and a security risk assessment service, each of which generates a percentage of risk when run. SOA services can be dependent on specific applications and application cases, each case being a specific context of an application, so that results vary by application case. The SOA environment can store data about people, constantly updated, which is used by the SOA services. In one embodiment, sensitive or confidential data can be maintained in the protected application environment and isolated from the SOA environment. Rules, criteria, factors, and the like used by the SOA services can be customized at an arbitrary level of complexity for specific applications and application cases.
17 Claims
1. A computer-implemented data driven method for risk based identity establishment for eligibility determinations in context of an executing application comprising:
within a service oriented architecture (SOA) environment, providing a plurality of SOA services comprising an identity service, an eligibility service, and a risk assessment service;
within the service oriented architecture environment, customizing each of the SOA services on an application specific basis for a plurality of different applications, wherein said customizing comprises, for each of the different applications:
defining within a data store of the service oriented architecture a plurality of cases, each case representing an application specific context associated with a trigger-able event, where the application specific context requires a determination of user identity, eligibility, and security risk;
defining within the data store of the service oriented architecture application specific and case specific values for a plurality of different identity artifacts, where each identity artifact is a type of artifact for determining an identity of a user;
defining within the data store of the service oriented architecture application specific and case specific values representing configurable eligibility criteria;
defining within the data store of the service oriented architecture application specific and case specific values representing factors for security risk computations;
defining within the data store of the service oriented architecture application specific and case specific rules for calculating an identity, eligibility, and security risks;
for each of the different applications as the different applications execute, instantiating at least one instance of the identity service, the eligibility service, and the security risk assessment service responsive to an occurrence of an application specific event associated with one of the defined cases;
when executing the instance of the identity service, determining which of the different identity artifacts exist and computing an identity score based on existing identity artifacts, the case specific values stored for the different identity artifacts, and the stored case specific rules for calculating identity given the one case associated with the application specific event;
when executing the instance of the eligibility service, determining which of the different eligibility criteria have been satisfied and computing an eligibility score based on the satisfied eligibility criteria and the stored case specific rules for calculating eligibility given the one case associated with the application specific event;
when executing the instance of the security risk assessment service, determining which of the different factors are relevant and computing a security risk score based on values of the relevant factors and the stored case specific rules for calculating security risks given the one case associated with the application specific event; and
returning the computed identity score, the computed eligibility score, and the computed security risk score to the one of the different applications that instantiated the corresponding SOA services, wherein application execution logic of each of the different applications that instantiated the corresponding SOA services branches along different pathways depending on the computed identity score, the computed eligibility score, and the computed security risk score;
wherein the above steps are executed on the computer processor.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10 (not shown).

11. A computer program product comprising a non-transitory computer readable storage medium having computer usable program code embodied therewith, the computer usable program code comprising:
computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, within a service oriented architecture (SOA) environment, provide a plurality of SOA services comprising an identity service, an eligibility service, and a risk assessment service;
computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, within the service oriented architecture environment, customize each of the SOA services on an application specific basis for a plurality of different applications, wherein said customizing comprises:
computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, for each of the different applications:
define within a data store of the service oriented architecture a plurality of cases, each case representing an application specific context associated with a trigger-able event, where the application specific context requires a determination of user identity, eligibility, and security risk;
define within the data store of the service oriented architecture application specific and case specific values for a plurality of different identity artifacts, where each identity artifact is a type of artifact for determining an identity of a user;
define within the data store of the service oriented architecture application specific and case specific values representing configurable eligibility criteria;
define within the data store of the service oriented architecture application specific and case specific values representing factors for security risk computations;
define within the data store of the service oriented architecture application specific and case specific rules for calculating an identity, eligibility, and security risks;
for each of the different applications as the different applications execute, instantiating at least one instance of the identity service, the eligibility service, and the security risk assessment service responsive to an occurrence of an application specific event associated with one of the defined cases;
computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, when executing the instance of the identity service, determine which of the different identity artifacts exist and compute an identity score based on existing identity artifacts, the case specific values stored for the different identity artifacts, and the stored case specific rules for calculating identity given the one case associated with the application specific event;
computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, when executing the instance of the eligibility service, determine which of the different eligibility criteria have been satisfied and compute an eligibility score based on the satisfied eligibility criteria and the stored case specific rules for calculating eligibility given the one case associated with the application specific event;
computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, when executing the instance of the security risk assessment service, determine which of the different factors are relevant and compute a security risk score based on values of the relevant factors and the stored case specific rules for calculating security risks given the one case associated with the application specific event; and
computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, return the computed identity score, the computed eligibility score, and the computed security risk score to the one of the different applications that instantiated the corresponding SOA services, wherein application execution logic of each of the different applications that instantiated the corresponding SOA services branches along different pathways depending on the computed identity score, the computed eligibility score, and the computed security risk score.

12. A software method for providing risk based security assessments as service oriented architecture (SOA) services, said method comprising:
executing an application in a protected enterprise environment, wherein execution of said application triggers an application event associated with one of a plurality of previously defined application cases, wherein the plurality of previously defined application cases are organized in an n-ary tree hierarchy, wherein each application case represents an application specific context, wherein case specific rules and configured values are inherited among nodes in the n-ary tree hierarchy using object-oriented programming inheritance principles;
responsive to the triggering of the application event, instantiating a plurality of SOA services executing in a service oriented architecture environment, wherein the one previously defined application case is passed as a parameter for each of the SOA services, where the service oriented architecture lacks exposure to specifics of application events, intra-application variables, and application specific processes other than explicitly provided through parameters of the SOA services;
in response to the triggering of the SOA services:
defining within a data store of the service oriented architecture the plurality of previously defined application cases;
defining within the data store of the service oriented architecture application specific and case specific values for a plurality of different identity artifacts, where each identity artifact is a type of artifact for determining an identity of a user, which are used when computing the identity score;
defining within the data store of the service oriented architecture application specific and case specific values representing configurable eligibility criteria, which are used when computing the eligibility score;
defining within the data store of the service oriented architecture application specific and case specific values representing factors for security risk computations, which are used when computing the security risk score;
defining within the data store of the service oriented architecture application specific and case specific rules for calculating the identity score, the eligibility score, and the security risk score;
receiving the computed identity score, the computed eligibility score, and the computed security risk score, each score being computed by the SOA services executing in the service oriented architecture environment; and
permitting or denying a user to access a user selected portion of the executing application associated with the one application case based upon whether the computed identity score, the computed eligibility score, and the computed security risk score exceed previously established score thresholds or not, wherein each score comprises a percentage denoting a risk associated with that score, wherein the executing, the instantiating, the defining, the receiving, and the permitting or denying are performed by at least one computer program when the at least one computer program is executed on the one client, wherein the at least one computer program is stored in a tangible, non-transitory storage medium.
Dependent claims: 13, 14 (not shown).

15. A software method for providing risk based security assessments as service oriented architecture services, said method comprising:
receiving a Web service initiation message to execute an identity service from an application executing in a protected enterprise environment, wherein the message specifies an application case as a parameter of the identity service;
responsive to receiving the request for the identity service, executing the identity service within a service oriented architecture environment, wherein executing the identity service comprises:
navigating a previously established n-ary tree hierarchy of application cases to locate the application case;
using object oriented programming inheritance to determine previously configured application specific parameters for the application service and application case;
computing an identity score based on the determined parameters; and
returning the identity score to the application;
receiving a Web service initiation message to execute an eligibility service from the application executing in a protected enterprise environment, wherein the message specifies an application case as a parameter of the eligibility service;
responsive to receiving the request for the eligibility service, executing the eligibility service within the service oriented architecture environment, wherein executing the eligibility service comprises:
navigating a previously established n-ary tree hierarchy of application cases to locate the application case;
using object oriented programming inheritance to determine previously configured application specific parameters for the application service and application case;
computing an eligibility score based on the determined parameters; and
returning the eligibility score to the application;
receiving a Web service initiation message to execute a risk assessment service from the application executing in the protected enterprise environment, wherein the message specifies an application case as a parameter of the security risk assessment service;
responsive to receiving the request for the security risk assessment service, executing the security risk assessment service within the service oriented architecture environment, wherein executing the security risk assessment service comprises:
navigating a previously established n-ary tree hierarchy of application cases to locate the application case;
using object oriented programming inheritance to determine previously configured application specific parameters for the application and application case;
computing a security risk score based on the determined parameters; and
returning the security risk score to the application;
wherein the service oriented architecture lacks exposure to specifics of application events, intra-application variables, and application specific processes occurring within the protected enterprise environment, and wherein application execution logic of the application branches along different pathways depending on the value of the identity score, the eligibility score, and the security risk score, wherein the receiving, the executing, the navigating, the using, the computing, and the returning are performed by at least one computer program when the at least one computer program is executed on the one client, wherein the at least one computer program is stored in a tangible, non-transitory storage medium.
Dependent claims: 16, 17 (not shown).

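As an added illustration (not code from the patent or its assignee), the following Python models the mechanism that claims 12 and 15 describe: an n-ary tree of application cases whose configured values are inherited child-from-parent, three scoring services that see nothing of the application except the case name and the parameters in the initiation message, percentage scores, and the application-side permit/deny branch against case-specific thresholds. Every case name, artifact, criterion, factor, weight and threshold is a constructed sample value, the message shape is assumed, and the decision rule (identity and eligibility at or above their thresholds, risk at or below its threshold) is an assumption; the claims only say the scores are compared against previously established thresholds.

```python
"""Added example, not the patent's code: toy case hierarchy plus the three
scoring services.  All names, weights and thresholds are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class ApplicationCase:
    """One node of the n-ary case tree; a child's keys override its ancestors'."""
    name: str
    parent: Optional["ApplicationCase"] = None
    artifact_weights: Dict[str, float] = field(default_factory=dict)  # identity artifacts
    criteria_weights: Dict[str, float] = field(default_factory=dict)  # eligibility criteria
    factor_weights: Dict[str, float] = field(default_factory=dict)    # security risk factors
    thresholds: Dict[str, float] = field(default_factory=dict)        # decision thresholds

    def effective(self, attr: str) -> Dict[str, float]:
        """Inheritance: merge root-to-leaf so the most specific case wins per key."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        merged: Dict[str, float] = {}
        for n in reversed(chain):
            merged.update(getattr(n, attr))
        return merged


class CaseRegistry:
    """The SOA-side data store of cases, keyed by case name."""
    def __init__(self) -> None:
        self.cases: Dict[str, ApplicationCase] = {}

    def define(self, name: str, parent: Optional[str] = None, **cfg) -> ApplicationCase:
        case = ApplicationCase(name, self.cases[parent] if parent else None, **cfg)
        self.cases[name] = case
        return case

    def locate(self, name: str) -> ApplicationCase:
        return self.cases[name]  # unknown case raises KeyError: caller should fail closed


def _weighted_presence(weights: Dict[str, float], present: Iterable[str]) -> float:
    """Percentage of configured weight accounted for by the items the caller can show."""
    present, total = set(present), sum(weights.values())
    if total == 0:
        return 0.0
    return round(100.0 * sum(w for k, w in weights.items() if k in present) / total, 1)


def identity_service(reg: CaseRegistry, case: str, artifacts: Iterable[str]) -> float:
    return _weighted_presence(reg.locate(case).effective("artifact_weights"), artifacts)


def eligibility_service(reg: CaseRegistry, case: str, criteria: Iterable[str]) -> float:
    return _weighted_presence(reg.locate(case).effective("criteria_weights"), criteria)


def risk_service(reg: CaseRegistry, case: str, factor_values: Dict[str, float]) -> float:
    """Risk percentage: weighted mean of reported factor values in [0, 1]; a factor
    the caller did not report is treated as not relevant (contributes 0)."""
    weights = reg.locate(case).effective("factor_weights")
    total = sum(weights.values())
    if total == 0:
        return 0.0
    return round(100.0 * sum(w * factor_values.get(f, 0.0) for f, w in weights.items()) / total, 1)


def handle_message(reg: CaseRegistry, msg: dict) -> float:
    """Entry point for an initiation message.  The SOA side sees only the service
    name, the case name and the payload; nothing else about the application leaks in."""
    handler = {"identity": identity_service, "eligibility": eligibility_service,
               "risk": risk_service}[msg["service"]]
    return handler(reg, msg["case"], msg["payload"])


def decide(reg: CaseRegistry, case: str, identity: float, eligibility: float, risk: float) -> str:
    """Application-side branch (assumed rule): permit only if every score clears
    its case-specific threshold, with risk read as 'lower is better'."""
    t = reg.locate(case).effective("thresholds")
    ok = identity >= t["identity"] and eligibility >= t["eligibility"] and risk <= t["risk"]
    return "permit" if ok else "deny"


def build_registry() -> CaseRegistry:
    """Constructed configuration for a hypothetical benefits application."""
    reg = CaseRegistry()
    reg.define("benefits_app",
               artifact_weights={"government_id": 40, "proof_of_address": 30, "known_device": 30},
               criteria_weights={"age_over_18": 50, "in_state_resident": 50},
               factor_weights={"new_geolocation": 40, "account_under_30_days": 30,
                               "prior_fraud_flag": 30},
               thresholds={"identity": 60, "eligibility": 100, "risk": 50})
    reg.define("view_status", parent="benefits_app")        # inherits everything unchanged
    reg.define("apply_for_benefit", parent="benefits_app",  # adds an artifact, raises the bar
               artifact_weights={"biometric_match": 20}, thresholds={"identity": 75})
    return reg


if __name__ == "__main__":
    reg = build_registry()
    shown = {"government_id", "proof_of_address"}
    for case in ("view_status", "apply_for_benefit"):
        i = identity_service(reg, case, shown)
        e = eligibility_service(reg, case, {"age_over_18", "in_state_resident"})
        r = risk_service(reg, case, {"new_geolocation": 1.0})
        print(f"{case}: identity={i} eligibility={e} risk={r} -> {decide(reg, case, i, e, r)}")
```

The same user with the same two identity artifacts is permitted into the inherited "view_status" case (identity 70.0 against a threshold of 60) but denied in "apply_for_benefit", where the child case both adds a fourth artifact to the denominator (identity falls to 58.3) and raises the threshold to 75. That is the practical payoff of per-case configuration with inheritance: the stricter context is expressed as a small override rather than a copy of the whole rule set, and the application never has to know how the scores were produced.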
Specification