Holistic risk-based identity establishment for eligibility determinations in context of an application

US 8,375,427 B2
Filed: 04/21/2010
Issued: 02/12/2013
Est. Priority Date: 04/21/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented data driven method for risk based identity establishment for eligibility determinations in context of an executing application comprising:

within a service oriented architecture (SOA) environment, providing a plurality of SOA services comprising an identity service, an eligibility service, and a risk assessment service;

within the service oriented architecture environment, customizing each of the SOA services on an application specific basis for a plurality of different applications, wherein said customizing comprises for each of the different applications;

defining within a data store of the service oriented architecture a plurality of cases, each case representing an application specific context associated with a trigger-able event, where the application specific context requires a determination of user identity, eligibility, and security risk;

defining within the data store of the service oriented architecture application specific and case specific values for a plurality of different identity artifacts, where each identity artifact is a type of artifact for determining an identity of a user;

defining within the data store of the service oriented architecture application specific and case specific values representing configurable eligibility criteria;

defining within the data store of the service oriented architecture application specific and case specific values representing factors for security risk computations;

defining within the data store of the service oriented architecture application specific and case specific rules for calculating an identity, eligibility, and security risks;

for each of the different applications as the different applications execute, instantiating at least one instance of the identity service, the eligibility service, and the security risk assessment service responsive to an occurrence of an application specific event associated with one of the defined cases, when executing the instance of the identity service determining which of the different identity artifacts exist and computing an identity score based on existing identity artifacts, the case specific values stored for the different identity artifacts, and the stored case specific rules for calculating identity given the one case associated with the application specific event;

when executing the instance of the eligibility service determining which of the different eligibility criteria have been satisfied and computing an eligibility score based on the satisfied eligibility criteria and the stored case specific rules for calculating eligibility given the one case associated with the application specific event;

when executing the instance of the security risk assessment service determining which of the different factors are relevant and computing a security risk score based on values of the relevant factors and the stored case specific rules for calculating security risks given the one case associated with the application specific event; and

returning the computed identity score, the computed eligibility score, and the computed security risk score to the one of the different applications that instantiated the corresponding SOA services, wherein application execution logic of each of the different applications that instantiated the corresponding SOA services branch along different pathways depending on the computed identity score, the computed eligibility score, and the computed security risk score;

wherein the above steps are executed on the computer-processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A set of Service Oriented Architecture (SOA) services can be utilized by applications executing in protected application environments external to a SOA environment. The SOA services can include an identity service, a eligibility service, and a security risk assessment service, each of which generates a percentage of risk when run. SOA services can be dependent on specific applications and application cases, each being a specific context of an application, so that results vary by application case. The SOA environment can store data, which is constantly being updated about people, which is used by the SOA services. In one embodiment, sensitive or confidential data can be maintained in the protected application environment and can be isolated from the SOA environment. Rules, criteria, factors, and the like used by the SOA services can be customized at an arbitrary level of complexity for specific applications and application cases.

14 Citations

View as Search Results

17 Claims

1. A computer-implemented data driven method for risk based identity establishment for eligibility determinations in context of an executing application comprising:
- within a service oriented architecture (SOA) environment, providing a plurality of SOA services comprising an identity service, an eligibility service, and a risk assessment service;
  
  within the service oriented architecture environment, customizing each of the SOA services on an application specific basis for a plurality of different applications, wherein said customizing comprises for each of the different applications;
  
  defining within a data store of the service oriented architecture a plurality of cases, each case representing an application specific context associated with a trigger-able event, where the application specific context requires a determination of user identity, eligibility, and security risk;
  
  defining within the data store of the service oriented architecture application specific and case specific values for a plurality of different identity artifacts, where each identity artifact is a type of artifact for determining an identity of a user;
  
  defining within the data store of the service oriented architecture application specific and case specific values representing configurable eligibility criteria;
  
  defining within the data store of the service oriented architecture application specific and case specific values representing factors for security risk computations;
  
  defining within the data store of the service oriented architecture application specific and case specific rules for calculating an identity, eligibility, and security risks;
  
  for each of the different applications as the different applications execute, instantiating at least one instance of the identity service, the eligibility service, and the security risk assessment service responsive to an occurrence of an application specific event associated with one of the defined cases, when executing the instance of the identity service determining which of the different identity artifacts exist and computing an identity score based on existing identity artifacts, the case specific values stored for the different identity artifacts, and the stored case specific rules for calculating identity given the one case associated with the application specific event;
  
  when executing the instance of the eligibility service determining which of the different eligibility criteria have been satisfied and computing an eligibility score based on the satisfied eligibility criteria and the stored case specific rules for calculating eligibility given the one case associated with the application specific event;
  
  when executing the instance of the security risk assessment service determining which of the different factors are relevant and computing a security risk score based on values of the relevant factors and the stored case specific rules for calculating security risks given the one case associated with the application specific event; and
  
  returning the computed identity score, the computed eligibility score, and the computed security risk score to the one of the different applications that instantiated the corresponding SOA services, wherein application execution logic of each of the different applications that instantiated the corresponding SOA services branch along different pathways depending on the computed identity score, the computed eligibility score, and the computed security risk score;
  
  wherein the above steps are executed on the computer-processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein at least a portion of the different applications execute within protected enterprise environments external to the service oriented architecture, where the service oriented architecture lacks exposure to specifics of application events, intra-application variables, and application specific processes other than explicitly provided through parameters of the SOA services.
  - 3. The method of claim 2, wherein protected digital artifacts comprising confidential information of people are stored in the protected enterprise environments, wherein indicators of the existence or absence of the protected digital artifacts are stored in the service oriented architecture environment that otherwise lacks a copy of the protected digital artifacts, wherein the indicators of the existence or absence of the protected digital artifacts is used by the identity service and the eligibility service to compute the identity score and the eligibility score.
  - 4. The method of claim 2, wherein protected digital artifacts comprising confidential information of people are stored in the protected enterprise environments, wherein an address of the protected digital artifacts are stored in the service oriented architecture environment that otherwise lacks a copy of the protected digital artifacts, wherein the stored addresses are used to reference the protected digital artifacts during the execution of the identity service and the eligibility service, wherein the confidential information contained in the protected digital artifacts is not exposed to the service oriented architecture.
  - 5. The method of claim 1, wherein the defining each case within the data store of the service oriented architecture comprises:
    - defining an n-ary tree hierarchy of cases for each of the different applications, where each of the n-ary trees has a root node, wherein object-oriented programming inheritance is permitted among the nodes of the n-ary tree hierarchy permitting identity artifacts, eligibility criteria, security risk factors, and case specific rules for calculating identity, eligibility, and security risks to be inherited among nodes in the n-ary tree hierarchy.
  - 6. The method of claim 1, wherein each of the computed identity score, the computed eligibility score, and the computed security risk score comprise a percentage denoting a risk associated with that score.
  - 7. The method of claim 1, wherein the service oriented architecture environment retains individual data on a plurality of people from a plurality of different sources, wherein at least a portion of the retained data is extracted from identity artifacts, wherein the computed identity score is a weighed score computed based on the case specific rules, the cases specific values of the different identity artifacts, and the individual retained data.
  - 8. The method of claim 1, wherein each of the defined identity artifacts comprise a plurality of data elements, each data element having an associated trust score unique to the identity artifact, wherein each data element represents information about a person, wherein the trust score is used to weigh the data element relative to other data elements when the identity score is computed.
  - 9. The method of claim 1, wherein information pertaining to a person is continuously being updated and retained within the service oriented architecture, which causes results of otherwise identical executions of identity service instances, eligibility service instances, and security risk assessment instances to vary over time based on the continuously updated and retained data.
  - 10. The method of claim 1, wherein executing the instance of the identity service results in at least one of a plurality of available Web services executing within the service oriented architecture environment that determines an identity from biometric input, wherein the plurality of available Web service comprise a speaker identification and verification Web service based on audio, an identity recognition service that identifies a person based on image analysis technologies, and at least one of an iris identification, and a fingerprint identification service.

11. A computer program product comprising a non-transitory computer readable storage medium having computer usable program code embodied therewith, the computer usable program code comprising:
- computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, within a service oriented architecture (SOA) environment, provide a plurality of SOA services comprising an identity service, an eligibility service, and a risk assessment service;
  
  computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, within the service oriented architecture environment, customize each of the SOA services on an application specific basis for a plurality of different applications, wherein said customizing comprises;
  
  computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, for each of the different applications;
  
  define within a data store of the service oriented architecture a plurality of cases, each case representing an application specific context associated with a trigger-able event, where the application specific context requires a determination of user identity, eligibility, and security risk;
  
  define within the data store of the service oriented architecture application specific and case specific values for a plurality of different identity artifacts, where each identity artifact is a type of artifact for determining an identity of a user;
  
  define within the data store of the service oriented architecture application specific and case specific values representing configurable eligibility criteria;
  
  define within the data store of the service oriented architecture application specific and case specific values representing factors for security risk computations;
  
  define within the data store of the service oriented architecture application specific and case specific rules for calculating an identity, eligibility, and security risks;
  
  for each of the different applications as the different applications execute, instantiating at least one instance of the identity service, the eligibility service, and the security risk assessment service responsive to an occurrence of an application specific event associated with one of the defined cases, computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, when executing the instance of the identity service, determine which of the different identity artifacts exist and compute an identity score based on existing identity artifacts, the case specific values stored for the different identity artifacts, and the stored case specific rules for calculating identity given the one case associated with the application specific event;
  
  computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, when executing the instance of the eligibility service determine which of the different eligibility criteria have been satisfied and compute an eligibility score based on the satisfied eligibility criteria and the stored case specific rules for calculating eligibility given the one case associated with the application specific event;
  
  computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, when executing the instance of the security risk assessment service, determine which of the different factors are relevant and compute a security risk score based on values of the relevant factors and the stored case specific rules for calculate security risks given the one case associated with the application specific event; and
  
  computer usable program code being stored on a tangible storage medium, when executed by a processor being operable to, return the computed identity score, the computed eligibility score, and the computed security risk score to the one of the different applications that instantiated the corresponding SOA services, wherein application execution logic of each of the different applications that instantiated the corresponding SOA services branch along different pathways depending on the computed identity score, the computed eligibility score, and the computed security risk score.

12. A software method for providing risk based security assessments as service oriented architecture (SOA) services, said method comprising:
- executing an application in a protected enterprise environments, wherein execution of said application triggers an application event associated with a one of a plurality of previously defined application cases, wherein the plurality of previously defined application cases are organized in an n-ary tree hierarchy, wherein each application case represents an application specific context, wherein case specific rules and configured values are inherited among nodes in the n-ary tree hierarchy using object-oriented programming inheritance principles;
  
  responsive to the triggering of the application event, instantiating a plurality of SOA services executing in a service oriented architecture environment, wherein the one previously defined application case is passed as a parameter for each of the SOA services, where the service oriented architecture lacks exposure to specifics of application events, intra-application variables, and application specific processes other than explicitly provided through parameters of the SOA services;
  
  in response to the triggering of the SOA services;
  
  defining within a data store of the service oriented architecture the plurality of previously defined application cases;
  
  defining within the data store of the service oriented architecture application specific and case specific values for a plurality of different identity artifacts, where each identity artifact is a type of artifact for determining an identity of a user, which are used when computing the identity score;
  
  defining within the data store of the service oriented architecture application specific and case specific values representing configurable eligibility criteria, which are used when computing the eligibility score;
  
  defining within the data store of the service oriented architecture application specific and case specific values representing factors for security risk computations, which are used when computing the security risk score;
  
  defining within the data store of the service oriented architecture application specific and case specific rules for calculating the identity score, the eligibility score, and the security risk score;
  
  receiving the computed identity score, the computed eligibility score, and the computed security risk score, each score being computed by the SOA services executing in the service oriented architecture environment; and
  
  permitting or denying a user to access a user selected portion of the executing application associated with the one application case based upon whether the computed identity score, the computed eligibility score, and the computed security risk score exceed previously established score thresholds or not, wherein each score comprises a percentage denoting a risk associated with that score,wherein the executing, the instantiating, the defining, the receiving, and the permitting or denying are performed by at least one computer program when the at least one computer program is executed on the one client, wherein the at least one computer program is stored in a tangible, non-transitory storage medium.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, wherein the SOA services comprise an identity service, an eligibility service, and a risk assessment service, wherein the identity score is computed by the identity service, the eligibility score is computed by the eligibility service, and the security risk score is computed by the risk assessment service.
  - 14. The method of claim 12, wherein other than the defined parameters, the application lacks exposure to specifics of how the SOA services compute the identity score, the eligibility score, and the security risk score.

15. A software method for providing risk based security assessments as service oriented architecture services, said method comprising:
- receiving a Web service initiation message to execute an identity service from an application executing in a protected enterprise environment, wherein the message specifies an application case as a parameter of the identity service;
  
  responsive to receiving the request for the identity service, executing the identity service within a service oriented architecture environment, wherein executing the identity service comprises;
  
  navigating a previously established n-ary tree hierarchy of application cases to locate the application case;
  
  using object oriented programming inheritance to determine previously configured application specific parameters for the application service and application case;
  
  computing an identity score based on the determined parameters; and
  
  returning the identity score to the application;
  
  receiving a Web service initiation message to execute an eligibility service from the application executing in a protected enterprise environment, wherein the message specifies an application case as a parameter of the eligibility service;
  
  responsive to receiving the request for the eligibility service, executing the eligibility service within the service oriented architecture environment, wherein executing the eligibility service comprises;
  
  navigating a previously established n-ary tree hierarchy of application cases to locate the application case;
  
  using object oriented programming inheritance to determine previously configured application specific parameters for the application service and application case;
  
  computing an eligibility score based on the determined parameters; and
  
  returning the eligibility score to the application;
  
  receiving a Web service initiation message to execute a risk assessment service from the application executing in the protected enterprise environment, wherein the message specifies an application case as a parameter of the security risk assessment service;
  
  responsive to receiving the request for the security risk assessment service, executing the security risk assessment service within the service oriented architecture environment, wherein executing the security risk assessment service comprises;
  
  navigating a previously established n-ary tree hierarchy of application cases to locate the application case;
  
  using object oriented programming inheritance to determine previously configured application specific parameters for the application and application case;
  
  computing a security risk score based on the determined parameters; and
  
  returning the security risk score to the application;
  
  wherein the service oriented architecture lacks exposure to specifics of application events, intra-application variables, and application specific processes occurring within the protected enterprise environment, and wherein application execution logic of the application branches along different pathways depending on the value of the identity score, the eligibility score, and the security risk score,wherein the receiving, executing, the navigating, the using, the computing, and the returning are performed by at least one computer program when the at least one computer program is executed on the one client, wherein the at least one computer program is stored in a tangible, non-transitory storage medium.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, further comprising:
    - defining within a data store of the service oriented architecture a plurality of cases, each case representing an application specific context associated with a trigger-able event, where the application specific context requires a determination of user identity, eligibility, and security risk;
      
      defining within the data store of the service oriented architecture application specific and case specific values for a plurality of different identity artifacts, where each identity artifact is a type of artifact for determining an identity of a user;
      
      defining within the data store of the service oriented architecture application specific and case specific values representing configurable eligibility criteria;
      
      defining within the data store of the service oriented architecture application specific and case specific values representing factors for security risk computations; and
      
      defining within the data store of the service oriented architecture application specific and case specific rules for calculating an identity score, the eligibility score, and the security risk score;
      
      when executing the identity service determining which of the different identity artifacts exist and computing an identity score based on existing identity artifacts, the case specific values stored for the different identity artifacts, and the stored case specific rules for calculating identity given the application case;
      
      when executing the eligibility service determining which of the different eligibility criteria have been satisfied and computing an eligibility score based on the satisfied eligibility criteria and the stored case specific rules for calculating eligibility given the application case;
      
      when executing the security risk assessment service determining which of the different factors are relevant and computing a security risk score based on values of the relevant factors and the stored case specific rules for calculating security risks given the application case.
  - 17. The method of claim 15, wherein protected digital artifacts comprising confidential information of a person are stored in the protected enterprise environments, wherein indicators of the existence or absence of the protected digital artifacts are stored in the service oriented architecture environment that otherwise lacks a copy of the protected digital artifacts, wherein the indicators of the existence or absence of the protected digital artifacts is used by the identity service and the eligibility service to compute the identity score and the eligibility score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Arunachalam, Ravi S., Carlton, Dennis A., Corcoran, Tim M., Willis, William F., Woodward, J. Gary, Alavandar, Narayanan, Kwan, Hung T.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tabor, Amare F

Application Number

US12/764,570
Publication Number

US 20110265162A1
Time in Patent Office

1,028 Days
Field of Search

726/7, 726/21, 726/25
US Class Current

726/7
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

G06Q 99/00 Subject matter not provided...

Holistic risk-based identity establishment for eligibility determinations in context of an application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Holistic risk-based identity establishment for eligibility determinations in context of an application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links