Secure access infrastructure

US 8,819,814 B1
Filed: 04/13/2007
Issued: 08/26/2014
Est. Priority Date: 04/13/2007
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium having instructions for restricting use of service accounts, each service account allowing access to a respective resource within an enterprise, said computer-readable instructions comprising instructions for:

receiving a request from an application to use a service account of a plurality of service accounts each including a number of resource credentials, said resource credentials including a service account identification, configuration information needed for the service account, and a resource password, said request including an identification for said application;

determining, in response to receiving the request, whether said application is authorized to use said service account of the plurality of service accounts based on said identification for said application, wherein determining includes referencing;

a first database table including the plurality of service accounts and a respective number of resource credentials associated therewith, wherein said plurality of service accounts includes said service account; and

a second database table including applications that have been authorized to use at least one service account of said plurality of service accounts;

retrieving the number of resource credentials associated with said service account of the plurality of service accounts in response to determining that said application is authorized to use said service account of the plurality of service accounts;

connecting, utilizing the retrieved number of resource credentials associated with said service account, said application to an appropriate resource;

caching one or more of the retrieved number of resource credentials of said service account; and

allowing service account owners and security personnel to manage said plurality of service accounts, including;

establishing a secure identity for each application; and

granting authorization to said application to use said service account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and system are disclosed for limiting use of a service account to only applications that have been authorized. The method and system provide a service account security infrastructure for verifying the identity of an application requesting credentials from a service account and for checking that the application is authorized to use the service account. The infrastructure also allows service account owners and security personnel to manage service accounts, including establishing a secure identity for each application and granting authorization to the application to use a service account.

Citations

19 Claims

1. A non-transitory computer-readable medium having instructions for restricting use of service accounts, each service account allowing access to a respective resource within an enterprise, said computer-readable instructions comprising instructions for:
- receiving a request from an application to use a service account of a plurality of service accounts each including a number of resource credentials, said resource credentials including a service account identification, configuration information needed for the service account, and a resource password, said request including an identification for said application;
  
  determining, in response to receiving the request, whether said application is authorized to use said service account of the plurality of service accounts based on said identification for said application, wherein determining includes referencing;
  
  a first database table including the plurality of service accounts and a respective number of resource credentials associated therewith, wherein said plurality of service accounts includes said service account; and
  
  a second database table including applications that have been authorized to use at least one service account of said plurality of service accounts;
  
  retrieving the number of resource credentials associated with said service account of the plurality of service accounts in response to determining that said application is authorized to use said service account of the plurality of service accounts;
  
  connecting, utilizing the retrieved number of resource credentials associated with said service account, said application to an appropriate resource;
  
  caching one or more of the retrieved number of resource credentials of said service account; and
  
  allowing service account owners and security personnel to manage said plurality of service accounts, including;
  
  establishing a secure identity for each application; and
  
  granting authorization to said application to use said service account.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The non-transitory computer-readable medium according to claim 1, wherein said instructions for determining that said application is authorized to use said service account comprises instructions for verifying that said identification is approved for said application.
  - 3. The non-transitory computer-readable medium according to claim 2, wherein the instructions for said verifying and said determining are performed using a restricted-access infrastructure.
  - 4. The non-transitory computer-readable medium according to claim 3, wherein the computer-readable instructions further comprise instructions for setting said identification on a restricted-access variable in said restricted-access infrastructure in response to said determining that said identification is approved for said application.
  - 5. The non-transitory computer-readable medium according to claim 1, wherein said service accounts allow access to one or more of the following enterprise resources:
    - a financial information database, an employee information database, and a product inventory database.
  - 6. The non-transitory computer-readable medium according to claim 1, wherein the computer-readable instructions further comprise instructions for returning said one or more credentials for said service account to said application in response to said determining that said application is authorized to use said service account.
  - 7. The non-transitory computer-readable medium according to claim 6, wherein one or more of said credentials are changed according to a predefined schedule.

8. A non-transitory computer-readable medium having computer-readable instructions for establishing identifications for applications, said computer-readable instructions comprising instructions for:
- receiving a request to let an application use a service account of a plurality of service accounts each including a number of resource credentials, said resource credentials including a service account identification, configuration information needed for the service account, and a resource password, said request including an identification for said application;
  
  mapping said identification for said application to a file system path for said application;
  
  storing said mapping of said identification to said file system path in a secure repository;
  
  storing a number of notes related to the mapping, including time of the request, reason for the request, and who made the request;
  
  determining, in response to receiving the request, whether said application is authorized to use the service account of the plurality of service accounts based on said identification for said application, wherein determining includes referencing;
  
  a first database table including the plurality of service accounts and a respective number of resource credentials associated therewith, wherein said plurality of service accounts includes said service account; and
  
  a second database table including applications that have been authorized to use at least one service account of said plurality of service accounts, wherein said plurality of service accounts includes said service account, said service account allowing access to a system resource within said enterprise application environment;
  
  retrieving the number of resource credentials associated with said service account of the plurality of service accounts in response to determining that said application is authorized to use said service account of the plurality of service accountsconnecting, utilizing the retrieved number of resource credentials associated with said service account, said application to an appropriate resource; and
  
  allowing service account owners and security personnel to manage said plurality of service accounts, including;
  
  establishing a secure identity for each application; and
  
  granting authorization to said application to use said service account of said plurality of service accounts.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory computer-readable medium according to claim 8, wherein said computer-readable instructions further comprise instructions for using said mapping of said identification to said file system path to subsequently verify an identity of said application.
  - 10. The non-transitory computer-readable medium according to claim 8, wherein said file system path is a code base for said application.
  - 11. The non-transitory computer-readable medium according to claim 8, wherein said secure repository is a policy file that is accessible only to authorized personnel.
  - 12. The non-transitory computer-readable medium according to claim 8, wherein said computer-readable instructions further comprise instructions for determining whether said application may be allowed to use said identification.
  - 13. The non-transitory computer-readable medium according to claim 8, wherein said request is processed using a graphical user interface, said graphical user interface automatically putting said mapping of said identification to said file system path into a predefined format.

14. A non-transitory computer-readable medium storing instructions executable by a processing resource to cause a computer to:
- receive a request from an application to use a service account of a plurality of service accounts each including a number of resource credentials, said resource credentials including a service account identification, configuration information needed for the service account, and a resource password, said request including an identification for said application;
  
  determine, in response to receiving the request, whether said application is authorized to use said service account of the plurality of service accounts based on said identification for said application, wherein determining includes referencing;
  
  a first database table including the plurality of service accounts and a respective number of resource credentials associated therewith, wherein said plurality of service accounts includes said service account; and
  
  a second database table including applications that have been authorized to use at least one service account of said plurality of service accounts;
  
  retrieve the number of resource credentials associated with the service account of the plurality of service accounts in response to determining that said application is authorized to use said service account of the plurality of service accounts;
  
  connect, utilizing the retrieved number of resource credentials associated with the service account, said application to an appropriate resource;
  
  cache one or more of the retrieved number of resource credentials of said service account; and
  
  allow service account owners and security personnel to manage said plurality of service accounts, including;
  
  to establish a secure identity for each application; and
  
  to grant authorization to said application to use said service accountcreate a new service account for a corresponding resource within said enterprise;
  
  store said new service account and a corresponding plurality of resource credentials in the first database table;
  
  provide authorization to one or more applications within said enterprise to use said new service account to access said corresponding resource; and
  
  store an identification of said one or more applications and the corresponding authorization in the second database table.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable medium according to claim 14, including instructions executable by said processing resource to cause said computer to:
    - add an identification of a newly authorized application to said second database table, and remove an identification for an application no longer authorized to use said service account from said second database table.
  - 16. The non-transitory computer-readable medium according to claim 14, including instructions executable by said processing resource to cause said computer to store information regarding when said service account was most recently accessed in said service account database.
  - 17. The non-transitory computer-readable medium according to claim 14, including instructions executable by said processing resource to cause said computer to encrypt one or more credentials for said service account in said first database table.
  - 18. The non-transitory computer-readable medium according to claim 14, including instructions executable by said processing resource to cause said computer to search said first database table for said service account.
  - 19. The non-transitory computer-readable medium according to claim 14, including instructions executable by said processing resource to cause said computer to perform one or more of the following:
    - replace an existing service account with said new service account in said first database table, and convert an open-access service account in said first database table to an authorized-access service account in said first database table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
United Services Automobile Association
Original Assignee
United Services Automobile Association
Inventors
Koehler, Kristopher Lee, Leach, Linda Karen
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US11/735,034
Time in Patent Office

2,692 Days
Field of Search

713/186, 713182-185, 711/108, 380/281, 709/202, 709/203, 709/225, 709/226, 726 3- 7, 726 20- 29
US Class Current

726/21
CPC Class Codes

G06F 21/121   Restricting unauthorised ex...

G06F 21/335   for accessing specific reso...

G06F 21/53   by executing in a restricte...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/126   the source of the received ...

Secure access infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure access infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links