Method and system for assessing cumulative access entitlements of an entity in a system

US 8,429,708 B1
Filed: 06/22/2007
Issued: 04/23/2013
Est. Priority Date: 06/23/2006
Status: Active Grant

First Claim

Patent Images

1. A method, performed by a computer, with regard to analyzing cumulative entitlements in an information system including a plurality of users, each user having a corresponding user account, the information system including a plurality of security groups, each security group including a subset of the users or other security groups, and wherein the information system includes a plurality of securable assets, each securable asset corresponding to an access control list, each access control list including access control entries that identify at least one security group or user account having access to the corresponding securable asset, wherein the securable assets include the user accounts, the method comprising:

in the computer, determining which security groups directly include or transitively include a given one of the users;

in the computer, determining a set of access control lists that identify any of the security groups or the given user;

in the computer, determining an effective system-level access granted to the given user in view of the access control entries in the set of access control lists, wherein determining the effective system-level access includes resolving any access conflicts as a function of operating system rules or according to access check methodologies, wherein an access check methodology is defined as the process by which access control mechanisms of the information system protect the securable assets, by subjecting a user'"'"'s access request to a given securable asset, to an access check that processes the user'"'"'s security affiliations as defined by the security groups and the access control list corresponding to the given securable asset to determine whether to allow the access requested; and

in the computer, mapping the effective system-level access granted to the given user into administrative tasks to determine a cumulative access entitlement set for the given user, wherein the cumulative access entitlement set includes administrative tasks that the given user is entitled to perform with regard to the securable assets corresponding to the set of access control lists.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is provided for assessing the cumulative set of access entitlements to which an entity, of an information system, may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user based upon operating system rules or according to access check methodologies is determined and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user.

113 Citations

View as Search Results

28 Claims

1. A method, performed by a computer, with regard to analyzing cumulative entitlements in an information system including a plurality of users, each user having a corresponding user account, the information system including a plurality of security groups, each security group including a subset of the users or other security groups, and wherein the information system includes a plurality of securable assets, each securable asset corresponding to an access control list, each access control list including access control entries that identify at least one security group or user account having access to the corresponding securable asset, wherein the securable assets include the user accounts, the method comprising:
- in the computer, determining which security groups directly include or transitively include a given one of the users;
  
  in the computer, determining a set of access control lists that identify any of the security groups or the given user;
  
  in the computer, determining an effective system-level access granted to the given user in view of the access control entries in the set of access control lists, wherein determining the effective system-level access includes resolving any access conflicts as a function of operating system rules or according to access check methodologies, wherein an access check methodology is defined as the process by which access control mechanisms of the information system protect the securable assets, by subjecting a user'"'"'s access request to a given securable asset, to an access check that processes the user'"'"'s security affiliations as defined by the security groups and the access control list corresponding to the given securable asset to determine whether to allow the access requested; and
  
  in the computer, mapping the effective system-level access granted to the given user into administrative tasks to determine a cumulative access entitlement set for the given user, wherein the cumulative access entitlement set includes administrative tasks that the given user is entitled to perform with regard to the securable assets corresponding to the set of access control lists.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising determining a cumulative set of all tasks that all users in the information system are authorized to perform, in at least a portion of the information system.
  - 3. The method of claim 1, further comprising determining a subset of the users that are entitled to perform a specific administrative task in at least a portion of the information system.
  - 4. The method of claim 1, further comprising determining a set of the access control lists that authorize a second given one of the users to perform a specific administrative task.
  - 5. The method of claim 1, further comprising determining a set of all securable assets that a specific one of the users is authorized access to across at least a portion of the information system.
  - 6. The method of claim 4, further comprising determining whether the set of access control lists were a part of a default (system vendor specified) entitlements conferred upon the users of the information system.
  - 7. The method of claim 1, further comprising determining excessive entitlements granted to the given user, wherein the determination of excessive entitlements involves comparing a set of intended access entitlements with the given user'"'"'s cumulative access entitlement set.
  - 8. The method of claim 1, further comprising whether the given user'"'"'s cumulative access entitlement set is in compliance with a business security policy governing a protection of the securable assets.
  - 9. The method of claim 1, further comprising determining security vulnerabilities that exist as a result of the given user'"'"'s cumulative access entitlement set.
  - 10. The method of claim 1, further comprising determining a set of security privilege escalation paths that exist across at least a portion of the information system as a result of a presence of insecure access control lists pertaining to the given user'"'"'s cumulative access entitlement set.
  - 11. The method of claim 1, further comprising modifying a state of an assessed entitlement for the given user.
  - 12. The method of claim 1, further comprising determining access related security risk indicators, across at least a portion of the information system.
  - 13. The method of claim 1, further comprising determining time-period based differences in the cumulative entitlements for the given user.
  - 14. The method of claim 1, further comprising reporting the given user'"'"'s cumulative access entitlement set to a client of the information system.
  - 15. The method of claim 1, wherein at least some of the information for determining the given user'"'"'s cumulative entitlement set is obtained on a secure channel.

16. A computer-implemented system for analyzing cumulative entitlements in an information system including a plurality of users, each user having a corresponding user account, the information system including a plurality of security groups, each security group including a subset of the users or other security groups, and wherein the information system includes a plurality of securable assets, each securable asset corresponding to an access control list, each access control list including access control entries that identify at least one security group or user account having access to the corresponding securable asset, wherein the securable assets include the user account, comprising:
- a computing device configured to, for a given one of the users, determine which security groups directly include or transitively include the given user;
  
  the computing device being further configured to determine a set of access control lists that identify any of the security groups or the given user;
  
  the computing device being further configured to determine an effective system-level access granted to the given user in view of the access control entries in the set of access control lists, wherein the determination of the effective system-level access includes resolving any access conflicts as a function of operating system rules or according to access check methodologies, wherein an access check methodology is defined as the process by which access control mechanisms of the information system protect the securable assets, by subjecting a user'"'"'s access request to a given securable asset, to an access check that processes the user'"'"'s security affiliations as defined by the security groups and the access control list corresponding to the given securable asset to determine whether to allow the access requested; and
  
  the computing device being further configured to map the effective system-level access granted to the given user into administrative tasks to determine a cumulative access entitlement set for the given user, wherein the cumulative access entitlement set includes administrative tasks that the given user is entitled to perform with regard to the securable assets corresponding to the set of access control lists.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. The system of claim 16, wherein the computing device is further configured to determine a cumulative set of all tasks that all users in the information system are authorized to perform, in at least a portion of the information system.
  - 18. The system of claim 16, wherein the computing device is further configured to determine a subset of the users that are entitled to perform a specific administrative task in at least a portion of the information system.
  - 19. The system of claim 16, wherein the computing device is further configured to determine a set of the access control lists that authorize a second given one of the users to perform a specific administrative task.
  - 20. The system of claim 16, wherein the computing device is further configured to determine the set of all securable assets that a specific one of the users is authorized some form of access to across at least a portion of the information system.
  - 21. The system of claim 16, wherein the computing device is further configured to determine whether the set of access control lists were a part of a default (system vendor specified) entitlements conferred upon the users of the information system.
  - 22. The system of claim 16, wherein the computing device is further configured to determine excessive entitlements granted to the given user, wherein the determination of excessive entitlements involves comparing a set of intended access entitlements with the given user'"'"'s cumulative access entitlement set.
  - 23. The system of claim 16, wherein the computing device is further configured to determine whether the given user'"'"'s cumulative access entitlement set is in compliance with a business security policy governing a protection of the securable assets.
  - 24. The system of claim 16, wherein the computing device is further configured to determine security vulnerabilities that exist as a result of the given user'"'"'s cumulative access entitlement set.
  - 25. The system of claim 16, wherein the computing device is further configured to determine security privilege escalation paths that exist across at least a portion of the information system;
    - as a result of a presence of insecure access control lists pertaining to the given user'"'"'s cumulative access entitlement set.
  - 26. The system of claim 16, wherein the computing device is further configured to modify a state of an assessed entitlement for the given user.
  - 27. The system of claim 16, wherein the computing device is further configured to determine access related security risk indicators, across at least a portion of the information system.
  - 28. The system of claim 16 wherein the computing device is further configured to determine time-period based differences in the cumulative entitlements for the given user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sanjay Tandon
Original Assignee
Sanjay Tandon
Inventors
Tandon, Sanjay
Primary Examiner(s)
Mehedi, Morshed

Application Number

US11/767,351
Time in Patent Office

2,132 Days
Field of Search

713/166, 726/25, 726/1
US Class Current

726/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/31   User authentication

G06F 21/604   Tools and structures for ma...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Method and system for assessing cumulative access entitlements of an entity in a system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for assessing cumulative access entitlements of an entity in a system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links